SPNego SSO not working on specific servers

Former Member
0 Kudos

Hello gurus,

We have installed BI 7.0 SP15 with Portal as the Java side of the BI (double stack). We have CI + 3 dia instances.

We have configured SPNego as described in the SAP documents, and for some reason the SSO is working on only two servers.

On the problematic servers we got error:

CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))

I wasn't able to find any differences between the servers, so the SPNego configuration looks fine on all the servers.

Any idea?

Dimitry Haritonov

Accepted Solutions (1)

Former Member
0 Kudos

Hi Dimitry,

Reason for the error: WebLogic Server is getting the SPNEGO ticket. But from the error, it's clear the KDC has no support for the encryption which WebLogic Server is looking for (typically, the encryption type is specified in the krb5.conf/krb5.ini Kerberos configuration file).

Please refer to this link and search for the error that you are getting.

https://support.bea.com/application_content/product_portlets/support_patterns/wls/KerberosSPNEGOConf...

Hope this helps.

Cheers,

Sandeep Tudumu

Former Member
0 Kudos

What is the "WebLogic Server"?

How is it connected to the J2EE and SPNego?

Former Member
0 Kudos

ok so :

WebLogic Server security system as well as Windows Kerberos protocol

suggested solution:

  • Check the user account at KDC for "Use DES encryption types for this account" and it needs to be checked.

  • Log off from the client machine so that the credentials cache is flushed and all session tickets and all session keys are destroyed. After relogin the Kerberos client at user's machine will get new session ticket and key with proper encryption type.

But as I already stated, I have 4 servers, and only two of them have SPNego working correctly. All the servers use the same Active Directory user.

Also, all the krb5.conf files are the same...

Any ideas?

Dimitry Haritonov

Former Member
0 Kudos

The problem was that users weren't registered in the DC with setspn for all servers. Solution: register the user to all servers with:

Setspn -a HTTP/<server_name> <spnego_user>
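
Added example, not part of the original thread: a PowerShell check that compares the SPNs registered on the SPNego service account with the HTTP/<server_name> entries each instance host needs, and prints the setspn command from the resolution above for any that are missing. The account name, host names, DNS suffix and the sample `setspn -L` output are constructed assumptions, and checking the fully qualified name as well as the short name goes beyond what the thread states.

```powershell
# Assumptions (hypothetical, not from the thread): account, hosts and DNS suffix.
$Account = 'j2ee-spnego'                                # SPNego service user
$Servers = 'sapci', 'sapdia1', 'sapdia2', 'sapdia3'     # CI + 3 dialog instances
$Domain  = 'example.corp'

# Constructed sample of "setspn -L" output so the script runs offline.
# On a domain-joined machine use instead:  $raw = setspn -L $Account
$raw = @'
Registered ServicePrincipalNames for CN=j2ee-spnego,OU=Service,DC=example,DC=corp:
    HTTP/sapci
    HTTP/sapci.example.corp
    HTTP/SAPDIA1.example.corp
    HTTP/sapdia1
'@ -split "`r?`n"

# Keep only the HTTP SPN lines; lower-case them because SPN matching
# is case-insensitive.
$registered = $raw |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object   { $_ -like 'http/*' }

# One row per host name form (short name and FQDN) that clients may request.
$report = foreach ($s in $Servers) {
    foreach ($name in $s, "$s.$Domain") {
        $spn = "HTTP/$name"
        [pscustomobject]@{
            Server     = $s
            SPN        = $spn
            Registered = $registered -contains $spn.ToLowerInvariant()
        }
    }
}
$report | Format-Table -AutoSize

# Print (do not execute) the registration command for each missing SPN.
$report |
    Where-Object   { -not $_.Registered } |
    ForEach-Object { "setspn -a $($_.SPN) $Account" }
```

With the constructed sample, the two hosts without entries (sapdia2 and sapdia3) are reported as unregistered, which matches the symptom in the thread of SSO working on only two of four servers.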

Answers (0)