Can't Login to WAS/NWA (always redirected to login screen)

Former Member
0 Kudos

Dear Gurus,

We tried to implement SSO logon tickets following these steps (https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a0042af5-5406-2c10-f689-fcc3b2d13d2f), and now we can't log in to any NetWeaver tool (NWA, User Admin, etc.).

The user/password validation is OK but we are always redirected to the login screen.

We didn't find any errors on trace files (dev_icm, dev_wX).

We found this message on ../j2ee/cluster/server0/log/system/security.0.log after trying to login:

User: J2EE_ADMIN

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok true true

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true

3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false

Central Checks true #

<snip>

And this message on HTTP log at ICM Monitor:

<snip>

I hope you can help us!!

Thanks in advance.

Federico.

Edited by: Julius Bussche on Jun 4, 2009 10:57 PM

Edited by: Julius Bussche on Jun 4, 2009 11:05 PM

Edited by: Julius Bussche on Jun 5, 2009 2:44 PM

1 ACCEPTED SOLUTION

former_member432219
Active Participant
0 Kudos

If you are presented repeatedly with the logon page without a message such as 'user authentication failed' or similar, despite the fact that the entered credentials were correct (you can check this by logging onto the ABAP stack with the same credentials), then the problem possibly lies in the ticket creation or evaluation and/or misconfiguration of the ticket login module stack.

The attached log shows successful authentication by J2EE_ADMIN with an already existing logon ticket, not an authentication attempt with userID and password, so this is not the most relevant trace entry for your problem with logging on with userID and password. It does show, however, that at the time this trace entry was written the 'ticket' login module stack was configured correctly and evaluation of tickets was working without problem at that time.

Are you sure these trace entries are from the time of the last logon attempt?

Instead of looking in the security log, look in the server's defaultTrace file for traces written during the failed logon by userid and password. If you are comfortable with adjusting trace severities, follow note 701205 section "Logging and Tracing" and set the trace locations mentioned there to ALL before reproducing the failed logon for more debug info. Remember to set them back to default levels afterwards.

You can check in the Visual Administrator, that the ticket login module stack includes the following modules in this order, with these flags, and at least these options.

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true, *}

BasicPasswordLoginModule REQUISITE

CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

* list of additional ACL parameters such as trusteddn etc

Sorry about the format of this reply, not sure how to correct it, in preview the formatting is fine

Edited by: Patrick Whitty on Jun 5, 2009 12:05 PM
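
The reply above reads the log as a ticket logon rather than a password logon; that follows from the control flags in the stack. As an added example (not from the thread and not SAP code), this Python model applies standard JAAS control-flag evaluation to the three modules in the listed order. The per-module outcomes are constructed inputs, and the engine's own behaviour may differ in detail.

```python
# Added example: standard JAAS control-flag semantics over the 'ticket' stack.
# Outcomes are constructed inputs; nothing here contacts an SAP system.

TICKET_STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def evaluate_stack(stack, outcomes):
    """Return (authenticated, names of modules whose login() was invoked).

    outcomes maps module name -> True/False result of that module's login().
    """
    invoked = []
    mandatory_seen = mandatory_failed = optional_ok = False
    for name, flag in stack:
        ok = outcomes[name]
        invoked.append(name)
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == "REQUISITE":
                    break  # REQUISITE failure returns to the caller at once
        else:
            optional_ok = optional_ok or ok
            if flag == "SUFFICIENT" and ok and not mandatory_failed:
                # SUFFICIENT success ends evaluation: later modules never log in
                return True, invoked
    if mandatory_failed:
        return False, invoked
    # With no mandatory modules, at least one SUFFICIENT/OPTIONAL must succeed
    return (True if mandatory_seen else optional_ok), invoked

# Constructed scenarios for the three request types discussed in the thread
EXISTING_TICKET = {"EvaluateTicketLoginModule": True,
                   "BasicPasswordLoginModule": False,
                   "CreateTicketLoginModule": False}
PASSWORD_OK = {"EvaluateTicketLoginModule": False,
               "BasicPasswordLoginModule": True,
               "CreateTicketLoginModule": True}
PASSWORD_BAD = {"EvaluateTicketLoginModule": False,
                "BasicPasswordLoginModule": False,
                "CreateTicketLoginModule": False}

if __name__ == "__main__":
    for label, outcome in [("existing ticket", EXISTING_TICKET),
                           ("password ok", PASSWORD_OK),
                           ("password bad", PASSWORD_BAD)]:
        print(label, evaluate_stack(TICKET_STACK, outcome))
```

Only the password scenarios reach BasicPasswordLoginModule, so a log entry where EvaluateTicketLoginModule alone reports a login result records a ticket logon.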

13 REPLIES

Former Member
0 Kudos

Please check your log files for confidential information before posting them. Let me know if there is anything else to be removed...

Check on the ABAP side in SU01 whether J2EE_ADMIN has the role SAP_J2EE_ADMIN for a start. Should be default though.

Cheers,

Julius

Former Member
0 Kudos

Thanks Julius for your security recommendations!

Role SAP_J2EE_ADMIN is assigned to J2EE_ADMIN, any other idea?

Thanks!

Federico.

0 Kudos

Sorry about the formatting also. Lengthy log files muck up the frames...

Try assigning the role to your user and log on?

If you experience the same, then it is a config error somewhere.

Check STRUST (the bottom half is just a "clip board", not an installed certificate) and your sso2 parameters.

Perhaps you missed something.

I am not familiar with the document you have linked to.

Perhaps you want to double-check it against an SAP installation guide?

Cheers,

Julius

Former Member
0 Kudos

I can't log on with any user even if the SAP_J2EE_ADMIN role is assigned.

On STRUST the certificates are shown and the status of the server under the PSE node is green.

I checked the guide again and I didn't find any missed step.

Thanks!

Federico.

0 Kudos

> Sorry about the format of this reply, not sure how to correct it, in preview the formatting is fine.

It is the width of the logfile without a <space> to make a "soft return" in the frame which causes this.

Only work-around is using "hard returns" afterwards, or removing the logfile - which I have now done to restore the thread to a readable format.

Cheers,

Julius

Former Member
0 Kudos

Hi Patrick,

The entries are generated every time I try to log in to NWA. After reading note 701205 I think there is some problem with the session MYSAPSSO2 cookie. How can I check it?

Thanks!

Federico.

0 Kudos

General information is in SAP Note 701205 (https://service.sap.com/sap/support/notes/701205).

Specifically check your domains if they are different. Search for the word "relax" in the note.

If you have saved the URL as a bookmark / favourite, then check that session IDs which are no longer active are not included.

There are also a couple of load balancing topics which might cause re-authentication requests. This is for example the case with the SAP Service Marketplace (service.sap.com).

Without knowing how your systems are setup, we can only guess...

Good luck,

Julius

0 Kudos

Another thought: Check your URL and login module stack for an automatic redirect to a logoff. Then the logon screen always appears.

This happened to me once before.

Check the URL via right-click => properties. If there is any "logoff" parameter, just delete it and hit Enter...

Cheers,

Julius

0 Kudos

Julius, I didn't find any logoff properties.

Can we disable SSO?

Thanks!

0 Kudos

> Julius, I didn't find any logoff properties.

It was worth half a thought.

> Can we disable SSO?

Sure, in SSO2 and RZ11, but consider the note above first and remember to turn the lights off...

Cheers,

Julius

0 Kudos

Finally we uninstalled and reinstalled the J2EE server, and now it's working fine.

Thanks!

Federico.

0 Kudos

Ah, you see the ancient wisdoms of printer support work for Java systems as well...