“401 Unauthorized” error when trying to log in to an SSO application

Hi all, I recently faced an issue on one of our development nodes: a “401 Unauthorized” error when trying to log in to the SSO-integrated application. Up to two days earlier it had been working fine.

Environment details: Oracle Application Server Single Sign-On, version 10.1.4.3, and OAM 10.1.4.3 running on the same node. OAM and OSSO are integrated.

I got the 401 Unauthorized error when I tried to access the oiddas application, and I saw the following exception in ssoServer.log:

Thu Jun 07 20:55:04 IST 2012 [ERROR] AJPRequestHandler-ApplicationServerThread-9 Could not get attributes for user, orcladmin
oracle.ldap.util.NoSuchUserException: User does not exist – SIMPLE NAME = orcladmin
        at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1160)
        at oracle.ldap.util.Subscriber.getUser(Subscriber.java:923)
        at oracle.ldap.util.Subscriber.getUser(Subscriber.java:870)
        at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:537)
        at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:508)
        at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:1076)
        at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:547)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:826)
        at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:332)
        at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
        at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
        at java.lang.Thread.run(Thread.java:534)

Please find the workaround below.

  1. I found a Metalink note (987877.1) that deals with the same issue. It says the problem lies in a custom plugin configured for Oracle SSO (OSSO), and I executed the following action plan:
    • Recompile the custom plugin with a different name, e.g. SSOSMAuth, so that the file SSOSMAuth.class is created instead of SSONeteAuth.class
    • Copy the file SSOSMAuth.class to $ORACLE_HOME/sso/plugin
    • Edit the file $ORACLE_HOME/sso/conf/policy.properties and set the following:
      MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOSMAuth
    • Restart OC4J_SECURITY:
      $ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY
      $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
  2. I got the same error when I tried to log in again.
  3. After further investigation I found the root cause of this issue: the common user search base (the orclcommonusersearchbase attribute) had been modified or new values had been added. More details follow.
  4. At least one of the search bases configured in the orclcommonusersearchbase attribute of the cn=Common,cn=Products,cn=OracleContext,<realm DN> entry does not exist in OID or is wrongly configured. In this case, the configured search base did not exist in OID.
  5. The values of the orclcommonusersearchbase attribute are used by SSO as search bases to locate the user entry. If a base does not exist in OID, the LDAP search operation fails with “LDAP error code 32: LDAP_NO_SUCH_OBJECT”, which means the base specified for the operation does not exist. Because the user lookup never succeeds, the SSO server logs NoSuchUserException even though the orcladmin entry itself is intact.
  6. Log in to the oidadmin tool and navigate to cn=Common,cn=Products,cn=OracleContext,<realm DN>
  7. Go to the orclcommonusersearchbase attribute and correct or delete the incorrect values. Every value defined in the orclcommonusersearchbase attribute must exist in OID.

 Or 

  1. Connect to OID using LDAP Browser or JXplorer, navigate to cn=Common,cn=Products,cn=OracleContext and correct the orclcommonusersearchbase attribute according to your environment. After this change I restarted the infra node and tried to log in. The issue was resolved.


Or using the ldapmodify command:
a. Create a plain LDIF file, e.g. adding.ldif, like:

# target the Common entry of your realm; the dc components are environment-specific
dn: cn=Common,cn=Products,cn=OracleContext,dc=shamrockfoods,dc=com
changetype: modify
# 'replace' overwrites every existing value, so list each search base that must remain
replace: orclcommonusersearchbase
orclcommonusersearchbase: cn=users, dc=dec,dc=co,dc=in

b. Then run the ldapmodify command:

ldapmodify -h hostname -p 389 -D cn=orcladmin -w <passwd> -v -f adding.ldif

c. Restart the components on the infra node and test.
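Before applying the ldapmodify step it is worth confirming which configured search bases actually exist, because a single missing base reproduces the error code 32 failure described above. The script below is an added example, not code from the original post; it assumes the ldap3 package for a live run (host name, password and realm DN are placeholders), while the core check takes a probe callable so it also runs offline.

```python
"""Check each OSSO common user search base exists in OID and build the
corrective LDIF.  Added example; assumes ldap3 for the live run only."""
from typing import Callable, Iterable

LDAP_NO_SUCH_OBJECT = 32  # result code SSO hits when a search base is missing


def check_search_bases(bases: Iterable[str], probe: Callable[[str], int]) -> dict:
    """Classify bases as ok / missing / other by the LDAP result code that
    probe(base) returns for a base-scope search (0 = success, 32 = no such object)."""
    report = {"ok": [], "missing": [], "other": {}}
    for base in (b.strip() for b in bases):  # values may carry stray spaces
        code = probe(base)
        if code == 0:
            report["ok"].append(base)
        elif code == LDAP_NO_SUCH_OBJECT:
            report["missing"].append(base)
        else:
            report["other"][base] = code
    return report


def corrective_ldif(common_dn: str, valid_bases: list) -> str:
    """Build the ldapmodify input from the post, keeping only bases that
    exist.  'replace' overwrites every value, so all valid bases are listed."""
    lines = [f"dn: {common_dn}", "changetype: modify",
             "replace: orclcommonusersearchbase"]
    lines += [f"orclcommonusersearchbase: {b}" for b in valid_bases]
    return "\n".join(lines) + "\n"


def ldap3_probe(conn) -> Callable[[str], int]:
    """Wrap a bound ldap3 Connection as a probe callable (ldap3 assumed)."""
    from ldap3 import BASE

    def probe(base: str) -> int:
        conn.search(base, "(objectClass=*)", search_scope=BASE)
        return conn.result["result"]  # integer LDAP result code
    return probe


if __name__ == "__main__":
    from ldap3 import BASE, Connection, Server
    common_dn = "cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com"  # placeholder realm
    conn = Connection(Server("oid-host", port=389), user="cn=orcladmin",
                      password="<passwd>", auto_bind=True)  # placeholders
    conn.search(common_dn, "(objectClass=*)", search_scope=BASE,
                attributes=["orclcommonusersearchbase"])
    report = check_search_bases(conn.entries[0]["orclcommonusersearchbase"].values,
                                ldap3_probe(conn))
    print("missing bases:", report["missing"], "\n" + corrective_ldif(common_dn, report["ok"]))
```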


Hope this post helps you. Thanks…


About the Author: sarath

An Oracle Identity and Access Management professional who has worked on Oracle Access Manager Single Sign-On implementations; installation and configuration of Identity Server, WebPass, WebGate, AccessGate, Policy Manager, Access Server, policy domains, and authentication/authorization schemes; Single Sign-On (single and multi-domain); OIM, OVD, OID, OAAM, OIF; and high availability, failover and SSL deployments.
