# Oracle Internet Directory (IDM OID) patchset 10.1.4.2 and WNA Ouch! We recently installed the OID 10.1.4.2 patch to solve some issues with Server Chaining to Microsoft Active Directory (MS AD). There were two object classes that did not get mapped for groups and there were problems that OID would not find any group that was not directly in the dn that was chained to AD. If you chained cn=ad,cn=groups,dc=mycompany,dc=com to cn=groups,ou=myDept,dc=mycompany,dc=com but you had a group in subcontainer cn=anotherLevel,cn=ad,cn=groups,dc=mycompany,dc=com OID would not find it. The patch almost worked as expected--we got one of the two object classes promised and we could find the groups in subcontainers. Unfortunately the patchset broke Windows Native Authentication (WNA). The problem is that the patch introduced a new java JDK, version 1.4.2.\_14. After many hours of troubleshooting we found Oracle bug 6658334--WNA FAILS AFTER APPLYING IDM 10.1.4.2.0 PATCHSET. The solution appears to be to downgrade the Sun JDK to 1.4.2\_13. We did this and it works, but oh what a headache. You might get an error stack that looks like this: > > DAS servlet init enter > oiddas: Release 10.1.4.0.1 Production Started > <$ORACLE\_HOME>/j2ee/OC4J\_SECURITY/applications/oiddas/ui/WEB-INF/lib/oiddas.jar archive > DAS servlet init exit > Getting creds for HTTP/ ... > Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is > <$ORACLE\_HOME>/j2ee/OC4J\_SECURITY/config/sso.keytab refreshKrb5Config is > false principal is HTTP/ tryFirstPass is false > useFirstPass is false storePass is false clearPass is false > principal's key obtained from the keytab > principal is HTTP/ > KerberosAuthenticator: GSSException raised in constructor - > No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT > credentials failed!) > GSSException: No valid credentials provided (Mechanism > level: Attempt to obtain new ACCEPT credentials failed!) > at > sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCreden > tial.java:189) > at > sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.j > ava:80) > . . . > 30 Caused by: javax.security.auth.login.LoginException: > java.lang.NullPointerException > at java.lang.StringBuffer.append(StringBuffer.java:467) > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginMo > dule.java:576) > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)