
Problems with connection using SPNego

Former Member
0 Kudos

Hello

I've configured authentication with the SPNegoLoginModule with basic authentication fallback.

But when I try to connect to EP with an unregistered user, it returns a standard logon page (repeated twice!!!) with the error 'Unknown message (ID = UNKNOWN_ERROR)'.

In the log file I see the following:

1 error: Decoding error in parsing of spnego token....

2 error: Error during handshake (has already been reported). Authentication failed.

3 error: doLogon failed [EXCEPTION] com.sap.security.core.logon.imp.UMELoginException

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:339)....

4 error: Message ID (UNKNOWN_ERROR) not found in properties files-UNKNOWN_ERROR

[EXCEPTION]

java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key UNKNOWN_ERROR

at java.util.ResourceBundle.getObject(ResourceBundle.java:325).....

When I enter a user/password in the logon page that appears, it returns the same page and adds 3 errors to the log file:

The 1st is the same as error 3 in the previous case; the 2nd and 3rd are identical to error 4 in the previous case.

My ticket logon stack looks as follows:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule, Flag as Sufficient

ume.configuration.active = true

com.sap.security.core.server.jaas.SPNegoLoginModule, Flag as Optional

- ume.sap.spnego.uid.resolution.mode = simple

- com.sap.spnego.uid.resolution.attr = krb5principalname

- com.sap.spnego.jgss.name = host/...@...

- com.sap.spnego.creds_in_thread = true

com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Sufficient

- ume.configuration.active = true

BasicPasswordLoginModule, Flag as Requisite

com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Optional

- Ume.configuration.active = true

I use EP6.0 with SPS16

Can anybody help me?

Thanks

Vitali

Accepted Solutions (0)

Answers (11)


christiansche
Active Participant
0 Kudos

Well, we applied the patch and instead of two logon screens, only one appears. This worked, but it didn't solve the problem that a user can log in automatically on one computer and not on another computer, where another user logs in automatically on both computers.

best regards,

christian

olaf_reiss
Participant
0 Kudos

Hello SDN,

As I have already mentioned in this thread, we have found the following issue in our company:

We are still facing a problem for ONLY some clients, which are not able to authenticate. The cause seems to be in our Microsoft network.

We have investigated this issue and found the following scenarios.

1. There is one group who log off / log on to their PC clients every day. After some days, these users lose the trust relationship with our domain controller. Kerberos authentication is not working anymore. After a reboot of the client, the issue is fixed.

2. The second group has this issue permanently.

Can anybody confirm this issue in their own company?

Thanks.

Best Regards,

Olaf Reiss

christiansche
Active Participant
0 Kudos

We only have the problem that certain people cannot automatically log in on certain computers, where it doesn't matter if the computer was just booted or has been running for several days.

best regards,

christian

olaf_reiss
Participant
0 Kudos

Hello Christian,

Thanks for your answer.

You described the second issue I mentioned.

Have you ever taken a look into the default.trc regarding this issue? We found out that the SPNego token is empty. So, as mentioned in note 1005209, the clients seem to use NTLM instead of SPNego authentication.

We opened an SAP OSS message.

Result: The issue is located at the client site. Our configuration of the portal is fine.

So, we will open a support message with Microsoft to investigate this issue.

Best Regards,

Olaf Reiss
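
The empty-token and NTLM-instead-of-SPNego cases mentioned in the post above can be told apart by decoding the `Authorization: Negotiate` value that the browser actually sent (taken from an HTTP trace). The following is an added example, not part of the original thread and not SAP code; `classify`, `_tlv` and the sample value are hypothetical names and constructed data.

```python
import base64

# DER-encoded OID bodies (well-known values, not taken from the thread)
SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos, tag):
    """Check the DER tag at pos; return (value_start, value_length)."""
    if buf[pos] != tag:
        raise ValueError("unexpected tag")
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        return pos + 2, first
    k = first & 0x7F                       # long form: k length bytes follow
    if not 1 <= k <= 4 or pos + 2 + k > len(buf):
        raise ValueError("bad length")
    return pos + 2 + k, int.from_bytes(buf[pos + 2:pos + 2 + k], "big")

def classify(header_value):
    """Classify the value of an HTTP Authorization header (hypothetical helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "malformed"
    if not tok:
        return "empty"
    if tok.startswith(b"NTLMSSP\x00"):     # bare NTLM message, no SPNEGO wrapper
        return "raw-ntlm"
    try:
        pos, _ = _tlv(tok, 0, 0x60)        # GSS-API InitialContextToken
        pos, n = _tlv(tok, pos, 0x06)      # thisMech OID
        if tok[pos:pos + n] != SPNEGO:
            return "gss-" + MECHS.get(tok[pos:pos + n], "unknown")
        pos += n
        for tag in (0xA0, 0x30, 0xA0, 0x30):   # NegTokenInit down to mechTypes
            pos, _ = _tlv(tok, pos, tag)
        pos, n = _tlv(tok, pos, 0x06)      # first mechType = preferred mechanism
    except (ValueError, IndexError):
        return "malformed"
    return "spnego-" + MECHS.get(tok[pos:pos + n], "unknown")

# Constructed sample: a bare NTLM Type 1 message header value
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A result of `raw-ntlm`, `spnego-ntlm` or `empty` for a failing user/workstation pair indicates that the client held no usable Kerberos service ticket, which points at the workstation rather than the login module stack.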

Former Member
0 Kudos

Hi,

is the problem user-specific or computer-specific?

Try out the constellations.

Perhaps it's ....ONLY.... the settings of IE.

Greetingz

Larz

christiansche
Active Participant
0 Kudos

It is user- and client-specific. Only a few users on a few clients can't log in automatically. On most clients, these users can log in. And on those clients where they can't, other users log in automatically with no problem. There is also a thread mentioning that you should delete the user's profile on the client, and in most cases this works. But there are still a few client-user combinations where even this workaround doesn't work. Well, we'll have to try Firefox for SPNego to check if it's IE-related or if it's another Microsoft issue.

best regards,

christian

olaf_reiss
Participant
0 Kudos

Dear Christian,

we have also done some field tests in our company.

We can confirm this issue depends on the user profile. It seems to be not depending on the pc, but there is one exception.

Results of our field tests:

1. Login on another PC with the non-working user profile => Does not work.

2. Create a new profile on the local PC, where it WAS NOT WORKING with the old profile before => Does not work.

3. If another user logs on to the damaged PC with their own profile => It works.

4. Create a new profile on another PC => It works.

So, now I am absolutely confused.

What helps in anyway is a new profile and a new installed pc.

Best Regards,

Olaf Reiss

christiansche
Active Participant
0 Kudos

hello,

We are on SPS 19 and also have this problem on some clients. On one client, the user logs in automatically, and on another client, the user gets this double login screen. On Monday we will apply the patch from note 1005209 and see if this resolves the problem on these few clients. But it seems to be more of a client-specific issue.

best regards,

christian

Former Member
0 Kudos

hi

Christian Schebesta, were you able to solve the Kerberos issue after applying note 1005209? Please let me know.

We also have the same problem and are planning to apply the same note.

Former Member
0 Kudos

> it returns me a standard logon page (repeated twice!!!)

> with an error 'Unknown message (ID = UNKNOWN_ERROR)'

I saw this once on a workstation that hasn’t been restarted for a long time (Xmas holidays), or if I purge my credentials with kerbtray. Logging the workstation off/on fixed the problem.

Apparently this is fixed with an upgrade: SAP Note 1005209 - "double logon screen"

olaf_reiss
Participant
0 Kudos

Hello SDN,

We have configured our portal with the SPNego module for authentication.

In general, Kerberos authentication works for most of our PC clients.

We are still facing a problem for ONLY some clients, which are not able to authenticate. The cause seems to be in our Microsoft network.

We have investigated this issue and found the following scenarios.

1. There is one group who log off / log on to their PC clients every day. After some days, these users lose the trust relationship with our domain controller. Kerberos authentication is not working anymore. After a reboot of the client, the issue is fixed.

2. The second group has this issue permanently.

Can any of you confirm this situation at your own company?

We are still looking for a solution.

Thanks.

Best Regards,

Olaf Reiss

Former Member
0 Kudos

Hi @ all,

we have another constellation.

On the same machine two different employees log on. The first one logs on to the portal automatically. The second one gets a double screen. After refreshing the page (F5, e.g.) the logon works correctly.

Curious, isn't it?

Greetingz

Lars

Former Member
0 Kudos

> > it returns me a standard logon page (repeated twice!!!)

> > with an error 'Unknown message (ID = UNKNOWN_ERROR)'

>

> I saw this once on a workstation that hasn’t been restarted for a long time (Xmas holidays), or if I purge my credentials with kerbtray. Logging the workstation off/on fixed the problem.

>

> Apparently this is fixed with an upgrade: SAP Note 1005209 - "double logon screen"

Yes, I'm replying to my own posting :-).

Several SDN messages have mentioned SAP Note Number 934138, and Microsoft hotfix KB899587 for Windows XP SP2 workstations. The bug that it fixes is that intermittently the kerberos tickets on the client get blown away (you can verify that with 'kerbtray' when you see the error).

Unfortunately that is an old hotfix. It updated kerberos.dll, but later security patches have replaced that DLL and so I was not allowed to roll back the version to use the fix (hotfixes are not retained by security patches, you only apply them as required). The fix will be available in XP SP3, but that hasn't shipped yet. However, we were able to get a new version of the DLL that includes the latest security patches AND the hotfix, and now we're good to go. No, I'm not allowed to give it to you; you have to ask Microsoft support for it yourself.

Regards,

Sean

Former Member
0 Kudos

Hi Sean,

Actually we are having the same problem of the double logon screen: a few users can log in automatically and others have to provide the ID and password.

We installed the hotfix KB899587 and we are now installing note 1005209 next week. Is this going to fix the problem, or do we need to get the new hotfix from Microsoft?

What was the hotfix and security patch you got from Microsoft, and can you tell me how to get them?

Message was edited by:

praveen kommineni


praveen kommineni

olaf_reiss
Participant
0 Kudos

Hi Praveen,

SAP note 1005209 does only fix the doubled logon screen, but does not fix the issue itself. So the issue becomes a little bit more nice ;o)

After applying this patch, you will get still one logon screen when the authentication fails instead of two.

Best Regards,

Olaf Reiss

Former Member
0 Kudos

Hi

It's true that Note 1005209 solved the double login issue, but we are still getting a single login screen with the unknown error.

So is there any solution for this?

Former Member
0 Kudos

Hi Guys we were able to solve the Issue

We opened an oss note to SAP and they asked us to apply sap Note 982044

We applied the note and the problem was solved.

alexander_zybul
Discoverer
0 Kudos

Hello Vitali,

I don't know if your problem is solved. We had the same issues after we used the SPNego Wizard (SAP Note 994791), and I found two SAP Notes (1005209, 982044) and another thread () with information about the w2k_lsa_auth.dll. After the deployment of the two SDA files from the SAP Notes, SSO didn't work. So we changed the w2k_lsa_auth.dll from the j2sdk1.4.2_12-x64 and took the w2k_lsa_auth.dll of jdk1.5. -x64

After that everything was OK.

Server OS: Windows 2003 x64 Enterprise Edition

Database: MS SQL 2005

ADS LDAP: Windows 2003

Client OS: Windows XP Pro

Browser: Internet Explorer Ver.6

SAP Version: NetWeaver 2004 SP18

JDK: j2sdk1.4.2_12-x64

Kind regards

Alex

Former Member
0 Kudos

Hello Vitali,

My company is implementing SAP; our go-live will be in the middle of next year. I’ve already done some tests with UME and ADS (direct authentication) and we would like to implement SSO. I’m very interested in implementing this solution; I’d appreciate it if you could send me this guide and the test tool.

If it was possible to answer, I have other questions about authentication and SSO.

Did you implement direct authentication in the ADS for the ECC? And SSO (Kerberos)?

Do you have any guide to do it?

About the integration between ECC (ITS) and EP, I’ve seen any guides about integration using Sap Logon Ticket. If we implement SSO Kerberos in the EP, could we have problems to do this integration?

Thanks

cleitong@weg.net

Former Member
0 Kudos

As far as I can tell the only way to fix it is to turn off the option "Enable Integrated Windows Authentication" in the IE browser for users who do not use Kerberos. I talked to a guy at SAP and that is what he told me to do.

Also, if you hit the refresh button in the browser a single login screen appears.

Good luck,

Keith.

Former Member
0 Kudos

Hello everybody.

As far as I can understand the problem isn't in Portal configuration.

So may be the solution is:

" to configure 2 different authentication configurations. One is Kerberos-enabled, the other uses the common password logon. Create a copy of the portal entry page and assign one authscheme to the first entry page and the other to the second entry page. Then users must choose the correct URL for their respective scenario (e.g. users logged on in a W2K domain use the entry page configured for Kerberos login, other users the other URL)."

(From Installation guide provided by Kai Ullrich)

Former Member
0 Kudos

HI VITALI,

I am facing the same problem and not even a single user is able to access the portal,

Can you send me the configuration that you have done so that I can compare it with mine and see if it works for me?

Regards,

Naveen Gupta

Former Member
0 Kudos

Hi Naveen

I have just followed the steps provided by the SPNego Installation Guide.

Give me your e-mail and I will send you all the documentation that I have, including the SPNego Config Test Web App tool.

Former Member
0 Kudos

Hi Vitali,

My mail id is enjoyabap@gmail.com.

Thanks in advance for the help.

Regards,

Naveen Gupta

Former Member
0 Kudos

Hi Vitali,

do you have any idea of how to create a copy and assign two different authschemes and URLs to these entry pages?

Could you forward me this Installation guide of yours?

Thanks in advance,

Günther.

gunther.mittermayer@accenture.com

olaf_reiss
Participant
0 Kudos

Hello everybody.

> As far as I can understand the problem isn't in Portal configuration.

> So may be the solution is:

> " to configure 2 different authentication configurations. One is Kerberos-enabled, the other uses the common password logon. Create a copy of the portal entry page and assign one authscheme to the first entry page and the other to the second entry page. Then users must choose the correct URL for their respective scenario (e.g. users logged on in a W2K domain use the entry page configured for Kerberos login, other users the other URL)."

> (From Installation guide provided by Kai Ullrich)

Hello Vitali,

Could you please be so kind as to give me a hint where I may find the installation guide provided by Kai Ullrich?

Thanks in advance.

Best regards,

Olaf Reiß

Former Member
0 Kudos

Send me an e-mail at Vitali_Chasalau@epam.com and I will send you this installation guide.

Former Member
0 Kudos

Please send me this test tool and any help with these errors. Send them to jcook@rfmd.com

Thanks,

Jeff

0 Kudos

We are getting the same issue; did you solve your problem? Can you tell us the solution? If you have the test tool can you send it to me at mfasheh@deloitte.com? We are running on EP SP16, AIX JDK and AD 2003.

Thanks for your help,

Regards,

Mike Fasheh

Former Member
0 Kudos

Mike,

Did you end up getting a fix for the "UNKNOWN_ERROR" on the portal logon using SPNego?

Any help would be appreciated.

Regards

Brian Lane

0 Kudos

Sorry for the late response,

Yes SAP responded and they told us since we are running on AIX JDK we had to execute the ktpass with -princ HTTP/<server.domain.name>@<domain.name.COM> rather than host/<server.domain.name>@<domain.name.COM>. In addition we had to update the ticket policy configuration 'com.sap.spnego.jgss.name' of SPNegoLoginModule to

'HTTP/<server.domain.name>@<domain.name.COM>'

Regards,

Mike

Former Member
0 Kudos

Vitali,

SAP released a test tool that you can use. Post your email so I can send it over to you.

James

jlorenzana@myitgroup.com

Former Member
0 Kudos

Hi,

can you send it to me also

rantakoski@hotmail.com

- Kristian

Former Member
0 Kudos

Hi,

Have you solved your problem? I am struggling with the exact same thing. Please let us know if you figured out what to do. I'll do the same.

Thanks

DJ

Former Member
0 Kudos

What if you connect with a registered user?

Are you logged in directly to the portal?

Former Member
0 Kudos

Yes, registered users are logged directly to the portal without any errors.

Former Member
0 Kudos

Hi, I am interested in SPNEGO. Could you provide me with documentation or links?

We have two groups of people: one that is anonymous, everyone who accesses from the internet, and the other that is the customer's internal people, who access the portal from the domain. We need to know when a user is anonymous and when internal in order to show a login page or not.

I think that SPNego is used for that, is that true?

Thanks in advance.

Regards.

Former Member
0 Kudos

Hi Optima

As far as I understand, the SPNegoLoginModule with basic authentication fallback should solve your problem.

But as you can see, it doesn't work properly in my portal.

So I can only suggest the usual link in help.sap.com

http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm

And maybe some weblogs:

Hope it will help you.

Former Member
0 Kudos

hi vitali,

I am interested in implementing SPNego to replace our EP6 IisProxy. Could you send me the installation/configuration guide?

Basically, our EP6 retrieves the UM from our MS AD for authentication. We also have the back-end system connected to the EP6.

Thanks

Regards,

azly_amn@hotmail.com