SSO Kerberos SPNego fails in step2

Former Member
0 Kudos

When configuring SSO using the SPNego wizard, in step 2, I get the error below:

"Search by service user mapping attribute krb5principalname=host/m2003172dvm$@MYCOMPANY.COM failed; check the mapping attribute and the UME configuration"

I applied all the configuration from http://help.sap.com/erp2005_ehp_03/helpdata/EN/43/4bd58c6c5e5f34e10000000a1553f6/content.htm

and, from Config Tool, I can test the connection to the Active Directory successfully.

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

Apparently the SPNego wizard cannot find the service user in the configured user path and group path on the Active Directory server (ADS).

In the UME LDAP data (configtool) you need to configure the user path and group path as well -> if you click on "browse" you can see if your service user is in the user path/group path. There is also the option of a deep directory or flat directory structure. Ask your NT administrators how this should be set up.

With "test authentification" you can find out if your service user and other users can log on to the ADS.

kr,

andreas
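
An added example (not part of the original answer and not SAP code) of the check the accepted answer describes: whether the service user's DN is reachable from the configured user path under a flat or a deep directory structure. The DNs and the account name `j2ee-svc` are constructed, and the code assumes "flat" means entries directly under the user path and "deep" means the whole subtree.

```python
def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def levels_below(entry_dn, base_dn):
    """Levels between entry and base, or None if the entry is outside base."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if not base or len(entry) < len(base) or entry[-len(base):] != base:
        return None
    return len(entry) - len(base)


def found_by_search(entry_dn, user_path, deep):
    """True if a search rooted at user_path would return entry_dn.

    Assumption: flat = one level below user_path, deep = whole subtree.
    """
    depth = levels_below(entry_dn, user_path)
    if depth is None or depth == 0:
        return False
    return True if deep else depth == 1


# Constructed sample values, not taken from the thread.
USER_PATH = "OU=Users,DC=mycompany,DC=com"
DIRECT = "CN=j2ee-svc,OU=Users,DC=mycompany,DC=com"
NESTED = "CN=j2ee-svc,OU=SAP,OU=Users,DC=mycompany,DC=com"
OUTSIDE = "CN=j2ee-svc,OU=Service Accounts,DC=mycompany,DC=com"

if __name__ == "__main__":
    for dn in (DIRECT, NESTED, OUTSIDE):
        print(dn, "flat:", found_by_search(dn, USER_PATH, False),
              "deep:", found_by_search(dn, USER_PATH, True))
```

A service account that sits in a nested OU is only found with the deep setting, and one outside the user path is found with neither.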

Answers (1)

Former Member
0 Kudos

> when configuring SSO using the SPNego wizard, in step2, I get the error below:
>
> "Search by service user mapping attribute krb5principalname=host/m2003172dvm$@MYCOMPANY.COM failed; check the mapping attribute and the UME configuration"
>
> I applied all the configuration from http://help.sap.com/erp2005_ehp_03/helpdata/EN/43/4bd58c6c5e5f34e10000000a1553f6/content.htm
>
> and, from Config Tool, I can test the connection to the Active Directory successfully.

Why is there a "host/" in front of your KRB5 principal name? What did you put in the field as the user? Shouldn't it only be the user@domain? The user name you have above "host/m2003172dvm$" looks really weird.