Oracle® Fusion Middleware Troubleshooting Guide for Oracle Mobile Security Suite Release 3.0.1 Part Number E51929-03
This chapter lists tips for troubleshooting Kerberos-enabled applications.
The tips are as follows:
Web applications that are accessed through the Mobile Security Access Server must be configured for Kerberos with a Service Principal Name (SPN) for each application server that is accessed by an alias instead of its host name.
For example, if the hostname is bmax1.oracle.internal but the server is accessed as http://sharepoint.oracle.internal, the SPN must be http://sharepoint.
Additional certificate requirements apply for the Mobile Security Access Server certificate.
From a machine within the domain of the application server (the Mobile Security Access Server can be used if it is joined to the same domain):
1. Open a command window.
2. At the command-line prompt, type:
setspn -l customer_application_hostname
3. Verify that there is an SPN for the URL the device is trying to access.
4. If the SPN is missing, then type:
setspn -a customer_application_hostname
5. Verify the SPN by typing:
setspn -l customer_application_hostname
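The check in steps 2 and 3 is easy to get wrong by hand, because the SPN that matters is the one for the alias the device requests, not the server's real host name, and an SPN that exists but sits on the wrong account fails just like a missing one. The following PowerShell function is an added example (not part of the Oracle guide) that parses the output of setspn -L and setspn -Q for the alias in a URL; it assumes setspn.exe is on the PATH and the machine is joined to the application's domain, and the URL and account name in the sample call are constructed.

```powershell
# Added example, not from the Oracle guide: report whether the HTTP SPN for the alias a
# device actually uses is registered, and on which account. Assumes setspn.exe is on the
# PATH and this machine is joined to the application server's domain.
function Test-HttpSpn {
    param(
        [Parameter(Mandatory)] [string] $AliasUrl,   # URL the device requests, e.g. http://sharepoint.oracle.internal
        [Parameter(Mandatory)] [string] $Account     # computer or service account running the application
    )
    $aliasHost = ([System.Uri] $AliasUrl).Host
    $wanted = @("HTTP/$aliasHost")
    $short = $aliasHost.Split('.')[0]
    if ($short -ne $aliasHost) { $wanted += "HTTP/$short" }   # short name, for clients that omit the DNS suffix

    # setspn -L prints a header line followed by one indented SPN per line (e.g. "HTTP/host").
    $registered = & setspn -L $Account 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' }

    foreach ($spn in $wanted) {
        if ($registered -contains $spn) {
            [pscustomobject]@{ SPN = $spn; Status = 'registered'; Account = $Account }
            continue
        }
        # Not on this account: ask the domain whether any other account holds it (setspn -Q
        # prints the holder's distinguished name, which starts with "CN="). A duplicate SPN
        # breaks Kerberos ticket issuance just as a missing one does.
        $holder = & setspn -Q $spn 2>&1 |
            ForEach-Object { "$_".Trim() } |
            Where-Object { $_ -match '^CN=' }
        if ($holder) {
            [pscustomobject]@{ SPN = $spn; Status = 'registered on another account'; Account = ($holder -join ';') }
        } else {
            [pscustomobject]@{ SPN = $spn; Status = 'missing'; Account = $null }
        }
    }
}

# Constructed sample call using the alias and host from the guide's example.
Test-HttpSpn -AliasUrl 'http://sharepoint.oracle.internal' -Account 'bmax1' | Format-Table -AutoSize
```

A row with Status 'missing' is the case step 4 covers; a row with Status 'registered on another account' means the SPN must be removed from that account (or the application pool moved to it) before adding it here, because the domain refuses or silently breaks on duplicates.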
IIS applications such as SharePoint must be configured for Negotiate authentication, which can be followed by NTLM authentication if desired.
IIS applications use an application pool with an application-pool identity. This pool cannot be a local account on the web server. Typically, it can be set to a built-in account of NETWORK that has permission to access the Active Directory for authentication. When a service account is used for the pool identity, ensure that the account has permission to access and authenticate to Active Directory.
Ensure that the authentication provider is set to Negotiate.
Ensure that Windows authentication is set.
Ensure that Anonymous User is NOT set.
Note:
The following display filters are useful to debug network issues with Wireshark. In the display filter field, type one of:
kerberos
ntlmssp
http