WebLogic Kerberos (SSO) Authentication Issue : Error 401 Forbidden : No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept

I recently configured Kerberos (Single Sign-On) in WebLogic using the steps mentioned here. While accessing the application using an Active Directory account, I received the error “Error 401 – Forbidden”. This post covers the steps I took to troubleshoot this issue.

To see the various ways to configure Single Sign-On with WebLogic, check Chris Johnson’s post here. For step-by-step Kerberos configuration for WebLogic on Windows, check another of Chris’s posts here.

Moving back to my issue, here is what I did to troubleshoot:

Debug: Enabled debug for authentication and authorization via the WebLogic Console: Servers -> [Server Name] -> Debug -> WebLogic -> Security -> atn (for Authentication) and atz (for Authorization), then click Enable.

The Error: Checked the Managed Server log file (the server on which the application was deployed) and found this error:

_______
<21-Mar-2011 10:04:57 o’clock GMT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASAuthenticationConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
<21-Mar-2011 10:04:57 o’clock GMT> <Debug> <SecurityAtn> <BEA-000000> <Exception com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: java.lang.IllegalArgumentException:
No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept
com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept
 at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:186)
 at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:213)
 at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)
 at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:120)
____________ 

Checks :

1. Verified that KRB5.ini is under c:\windows (WebLogic is running on Windows Server)
2. Kerberos Configuration File (KRB5LOGIN.conf) defined at WebLogic Server Startup is available
3. Keytab file defined under KRB5LOGIN.conf is correct

Issue: The principal in the Kerberos configuration file was quoted with a typographic (curly) double quote ”, whereas a plain ASCII double quote " was expected (check the double-quote format).

Fix
Change principal in KRB5LOGIN.conf from

principal=”HTTP/SERVERNAME.MYDOMAIN@MYDOMAIN;

to

principal=HTTP/SERVERNAME.MYDOMAIN@MYDOMAIN

Note: Check the format of the double quotes around the principal name.
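As an added example (not part of the original post and not WebLogic code), this Python check scans a JAAS login file such as KRB5LOGIN.conf for typographic quotes and other non-ASCII characters, and confirms that the com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.krb5.accept entries are declared. The sample file contents, the keytab file name and the function name lint_jaas_config are constructed for illustration.

```python
import re
import unicodedata

# Entry names the JGSS Kerberos provider looks up (both appear in the errors on this page).
REQUIRED_ENTRIES = ("com.sun.security.jgss.krb5.initiate",
                    "com.sun.security.jgss.krb5.accept")
# Typographic quotes that word processors and web pages substitute for " and '.
SMART_QUOTES = "\u201c\u201d\u201e\u201f\u2018\u2019"

def lint_jaas_config(text):
    """Return (line, column, message) findings for a JAAS login configuration."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                findings.append((lineno, col, "typographic quote U+%04X %s"
                                 % (ord(ch), unicodedata.name(ch))))
            elif ord(ch) > 127:
                findings.append((lineno, col, "non-ASCII character U+%04X" % ord(ch)))
        # Assumes each quoted option value opens and closes on one line.
        if line.count('"') % 2:
            findings.append((lineno, 0, "unbalanced ASCII double quote"))
    declared = re.findall(r"^\s*([\w.]+)\s*\{", text, flags=re.MULTILINE)
    for name in REQUIRED_ENTRIES:
        if name not in declared:
            findings.append((0, 0, "missing entry " + name))
    return findings

# Constructed sample; the keytab file name is hypothetical.
SAMPLE_OK = '''com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/SERVERNAME.MYDOMAIN@MYDOMAIN" useKeyTab=true
  keyTab="krb5.keytab" storeKey=true debug=true;
};
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/SERVERNAME.MYDOMAIN@MYDOMAIN" useKeyTab=true
  keyTab="krb5.keytab" storeKey=true debug=true;
};
'''
# Same file with the opening quote pasted as U+201D, as in the broken line above.
SAMPLE_BAD = SAMPLE_OK.replace('="HTTP/', '=\u201dHTTP/')

if __name__ == "__main__":
    for lineno, col, message in lint_jaas_config(SAMPLE_BAD):
        print("line %d col %d: %s" % (lineno, col, message))
```

Findings with line 0 refer to the file as a whole; column 0 refers to the whole line.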

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


3 comments
Guillermo says June 28, 2012

I recently configured OIM 11g – Solaris but I cannot integrate OIM with Solaris via SSHPUBKEY; the error is:

java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.initiate
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
at sun.security.jgss.LoginConfigImpl.getAppConfigurationEntry(LoginConfigImpl.java:139)
at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
at javax.security.auth.login.LoginContext.(LoginContext.java:499)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.jcraft.jsch.jgss.GSSContextKrb5.init(GSSContextKrb5.java:129)

isnoroot says October 29, 2012

Dear Atul,
It is mentioned in the notes you referred to to take special notion of the text one copies from the documents into the krb5Login.conf. Nevertheless your blog post saved me from staring at my screen looking for spaces and semicolons, while in fact you were right and the quotes should be paid special attention.
Thanks for that one!

chandra says August 23, 2016

I am using a WebLogic application and suddenly the below error is coming, even though there are no changes at the application end.

Caused by: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.initiate
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:124)
at sun.security.jgss.LoginConfigImpl.getAppConfigurationEntry(LoginConfigImpl.java:139)
at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
at javax.security.auth.login.LoginContext.(LoginContext.java:499)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.jcraft.jsch.jgss.GSSContextKrb5.init(GSSContextKrb5.java:129)
at com.jcraft.jsch.UserAuthGSSAPIWithMIC.start(UserAuthGSSAPIWithMIC.java:135)
at com.jcraft.jsch.Session.connect(Session.java:419)
at com.jcraft.jsch.Session.connect(Session.java:150)
at org.apache.commons.vfs.provider.sftp.SftpClientFactory.createConnection(SftpClientFactory.java:210)
