“401 Unauthorized” error when trying to log in to an SSO application

When trying to log in to an SSO-integrated application, the user gets a “401 Unauthorized” error.
Environment details: Oracle Application Server Single Sign-On – Version 10.1.4.3 and OAM 10.1.4.3 running on the same node. OAM and OSSO are integrated.
I got the 401 Unauthorized error when I tried to access the oiddas application, and I saw the exception below in ssoServer.log:
        [ERROR] AJPRequestHandler-ApplicationServerThread-9 Could not get attributes for user, orcladmin
        oracle.ldap.util.NoSuchUserException: User does not exist – SIMPLE NAME = orcladmin
        at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1160)
        at oracle.ldap.util.Subscriber.getUser(Subscriber.java:923)
        at oracle.ldap.util.Subscriber.getUser(Subscriber.java:870)
        at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:537)
        at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:508)
        at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:1076)
        at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:547)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:826)
        at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:332)
        at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
        at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
        at java.lang.Thread.run(Thread.java:534)

        Please find the first workaround I tried below.

        I found a Metalink note (ID 987877.1) that deals with the same issue. It says the issue is in the custom plugin configured for Oracle SSO (OSSO), and I executed the following action plan:
        Recompile the custom plugin with a different name, e.g. SSOSMAuth, so that the file SSOSMAuth.class is created instead of SSONeteAuth.class.
        Copy the file SSOSMAuth.class to $ORACLE_HOME/sso/plugin.
        Edit the file $ORACLE_HOME/sso/conf/policy.properties and set the following:
        MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOSMAuth
        Restart OC4J_SECURITY:
        $ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY
        $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
    I got the same error when I tried to log in again.
    After some more troubleshooting I found the root cause of this issue. The problem was that the common user search base (the orclcommonusersearchbase attribute) had been modified or new values had been added. More details follow.
    At least one of the configured search bases (the orclcommonusersearchbase attribute in the cn=Common,cn=Products,cn=OracleContext,<realm DN> entry) does not exist in OID or is wrongly configured. In this case, a configured search base did not exist in OID.
    The values of the orclcommonusersearchbase attribute are used by SSO as search bases to locate the user entry. If a base does not exist in OID, the LDAP search operation fails with “LDAP error code 32: LDAP_NO_SUCH_OBJECT”.
    LDAP error code 32 means the base specified for the operation does not exist.
    Log in to the oidadmin tool and navigate to cn=Common,cn=Products,cn=OracleContext,<realm DN>.
    Go to the orclcommonusersearchbase attribute and correct or delete the incorrect values. All the entries defined in the orclcommonusersearchbase attribute must exist in OID.
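    As an added check that is not part of the original post, the Python script below reads every orclcommonusersearchbase value from the Common entry (as dumped by ldapsearch) and probes each one with a base-scope search, flagging any base that comes back with LDAP error 32. It assumes the OpenLDAP ldapsearch client, whose exit status is the LDAP result code; the realm DN, the search bases and the directory contents in the sample are constructed.

```python
import subprocess

LDAP_NO_SUCH_OBJECT = 32  # LDAP result code: the base DN does not exist

def parse_search_bases(ldif: str) -> list[str]:
    """Extract orclcommonusersearchbase values from ldapsearch LDIF output.
    LDIF folds long values by prefixing the continuation line with a space."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    bases = []
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "orclcommonusersearchbase":
            bases.append(value.strip())
    return bases

def ldapsearch_probe(host: str, port: int, bind_dn: str, passfile: str):
    """Probe that runs a base-scope OpenLDAP ldapsearch against a DN and returns
    its exit status, which is the LDAP result code (0 = exists, 32 = missing)."""
    def probe(dn: str) -> int:
        cmd = ["ldapsearch", "-h", host, "-p", str(port), "-D", bind_dn,
               "-y", passfile, "-s", "base", "-b", dn, "objectclass=*", "dn"]
        return subprocess.run(cmd, capture_output=True).returncode
    return probe

def check_search_bases(ldif: str, probe) -> dict[str, int]:
    """Map each configured search base to its result code; any 32 is the
    misconfiguration described in this post."""
    return {dn: probe(dn) for dn in parse_search_bases(ldif)}

# Constructed sample: the Common entry as printed by ldapsearch, with one value
# folded over two lines and one base that does not exist in the directory.
SAMPLE_LDIF = """dn: cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
orclcommonusersearchbase: cn=Users,dc=example,dc=com
orclcommonusersearchbase: ou=Contractors,ou=Exter
 nal,dc=example,dc=com
orclcommonnicknameattribute: uid
"""
EXISTING = {"cn=Users,dc=example,dc=com"}  # constructed directory contents

def fake_probe(dn: str) -> int:
    """Offline stand-in for ldapsearch_probe; answers from EXISTING."""
    return 0 if dn in EXISTING else LDAP_NO_SUCH_OBJECT

if __name__ == "__main__":
    for dn, code in check_search_bases(SAMPLE_LDIF, fake_probe).items():
        print(("OK     " if code == 0 else "MISSING") + f" {dn} (rc={code})")
```

    Against a live OID, replace fake_probe with ldapsearch_probe(host, port, bind_dn, passfile) and feed it the LDIF of the real Common entry; any base reported with rc=32 is the one to correct or delete in oidadmin.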
June 22, 2018