57.10 Troubleshooting WNA Configuration

This section provides information about the following errors:

57.10.1 Kinit Fails

While retrieving initial credentials, the client may not be found in the Kerberos database.

This is the Kerberos version of "User not found" and might be related to one of the following:

  • Misspelling or typo of the principal name

  • The principal was not added to the Kerberos database, so the principal does not exist.

  • The user name does not exist in Active Directory or has not been registered as a Kerberos user.

  • The SPN is not unique.

  • On the Active Directory side, one or more duplicate entries were found.

The solution would be to have the Active Directory Administrator search the LDAP tree for duplicate entries of the SPN, and remove them.

57.10.2 "An Incorrect Username or Password was Specified" Is Displayed

This error message is displayed when a user cannot access a resource protected by Access Manager using the WNA authentication scheme.

When the error message "An incorrect Username or Password was specified" is displayed, check the following:

  • An incorrect username or password was specified.

  • There is a mismatch in the encryption types being used.

  • The key version number (kvno) of the SPN mentioned in the keytab does not match the kvno of the mapped user in the identity store.

57.10.3 User Identity Store is Not Registered Correctly

By default, the OAM identity store is Embedded LDAP. If you are using a different identity store (for example, Active Directory or Oracle Unified Directory) be sure to register the identity store.

Managing Data Sources has complete details on identity stores and how to register them.

57.10.4 Two BASIC Authentication Prompts Are Displayed

If OAM is configured for WNA and the client browser is not configured for IWA, two BASIC authentication prompts might be displayed when accessing a WNA protected resource.

One prompt comes from the WebLogic Server and the second from OAM. To avoid this, the WebLogic Server must be configured to ignore HTTP Basic authentication requests.

  1. Stop all WebLogic managed servers and the admin server.
  2. Create a copy of the config.xml file.

    $WLS_DOMAIN/config/config.xml

  3. Add the following parameter at the end of the "<security-configuration>" section in the config.xml file.

    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

    Be sure to add this parameter BEFORE the <cross-domain-security-enabled>false</cross-domain-security-enabled> parameter.

  4. Restart the WebLogic environment.
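As an added example (not from the Oracle documentation), the following Python script carries out steps 2 and 3 of this procedure and checks that the element ends up before <cross-domain-security-enabled>. The sample config.xml is constructed and abbreviated; the text-based patching assumes a single <security-configuration> section and is used instead of an XML parser so that the file's namespace prefixes and formatting are left untouched.

```python
import re
from pathlib import Path

ELEMENT = "<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>"
SECTION = re.compile(r"<security-configuration>(.*?)</security-configuration>", re.S)

# Constructed, abbreviated stand-in for $WLS_DOMAIN/config/config.xml.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<domain>
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
    <cross-domain-security-enabled>false</cross-domain-security-enabled>
  </security-configuration>
</domain>
"""

def patch_security_configuration(xml_text: str) -> str:
    """Return config.xml text with enforce-valid-basic-auth-credentials set to false,
    inserted immediately before <cross-domain-security-enabled> (idempotent)."""
    m = SECTION.search(xml_text)
    if not m:
        raise ValueError("no <security-configuration> section found")
    body = m.group(1)
    existing = re.search(r"<enforce-valid-basic-auth-credentials>\s*(\w+)\s*"
                         r"</enforce-valid-basic-auth-credentials>", body)
    if existing:
        # Already present: only force the value to false, keep its position.
        new_body = body[:existing.start(1)] + "false" + body[existing.end(1):]
    else:
        cross = re.search(r"^([ \t]*)<cross-domain-security-enabled>", body, re.M)
        if cross:
            # Reuse the indentation of the cross-domain line and insert above it.
            new_body = body[:cross.start()] + cross.group(1) + ELEMENT + "\n" + body[cross.start():]
        else:
            # No cross-domain element: append at the end of the section.
            new_body = body.rstrip() + "\n    " + ELEMENT + "\n  "
    return xml_text[:m.start(1)] + new_body + xml_text[m.end(1):]

def basic_auth_ignored(xml_text: str) -> bool:
    """True when the element is present with value false and precedes the cross-domain element."""
    m = SECTION.search(xml_text)
    if not m:
        return False
    body = m.group(1)
    e, c = body.find(ELEMENT), body.find("<cross-domain-security-enabled>")
    return e != -1 and (c == -1 or e < c)

def patch_file(path: Path) -> None:
    """Step 2: keep a copy of config.xml; step 3: rewrite it with the parameter added."""
    original = path.read_text(encoding="utf-8")
    path.with_suffix(".xml.bak").write_text(original, encoding="utf-8")
    path.write_text(patch_security_configuration(original), encoding="utf-8")
```

Run `patch_file(Path("$WLS_DOMAIN/config/config.xml"))` with the servers stopped, then restart the WebLogic environment as in step 4.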