on 04-26-2006 11:47 AM
Hello
I've configured authentication with the SPNegoLoginModule
with basic authentication fallback.
But when I try to connect to EP with a user who is not registered,
it returns a standard logon page (repeated twice!!!)
with the error 'Unknown message (ID = UNKNOWN_ERROR)'.
In the log file I see the following:
1 error: Decoding error in parsing of spnego token....
2 error: Error during handshake (has already been reported). Authentication failed.
3 error: doLogon failed [EXCEPTION] com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:339)....
4 error: Message ID (UNKNOWN_ERROR) not found in properties files-UNKNOWN_ERROR
[EXCEPTION]
java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key UNKNOWN_ERROR
at java.util.ResourceBundle.getObject(ResourceBundle.java:325).....
When I enter a user/password in the logon page that appears, it
returns the same page and adds 3 errors to the log file:
the 1st is the same as error 3 in the previous case,
the 2nd and 3rd are identical to error 4 in the previous case.
My ticket logon stack looks as follows:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule, Flag as Sufficient
- ume.configuration.active = true
com.sap.security.core.server.jaas.SPNegoLoginModule, Flag as Optional
- ume.sap.spnego.uid.resolution.mode = simple
- com.sap.spnego.uid.resolution.attr = krb5principalname
- com.sap.spnego.jgss.name = host/...@...
- com.sap.spnego.creds_in_thread = true
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Sufficient
- ume.configuration.active = true
BasicPasswordLoginModule, Flag as Requisite
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Optional
- Ume.configuration.active = true
I use EP6.0 with SPS16
Can anybody help me?
Thanks
Vitali
Well, we applied the patch, and instead of two logon screens only one appears. This worked, but it didn't solve the problem that one user can log in automatically on one computer and not on another computer, whereas another user logs in automatically on both computers.
best regards,
christian
Hello SDN,
As I have already mentioned in this thread, we have found the following issue in our company:
We are still facing a problem for ONLY some clients, who are not able to authenticate. The cause seems to be in our Microsoft network.
We have investigated this issue and found the following scenarios.
1. There is one group who log off / log on to their PC clients every day. After some days, these users are losing the trust to our domain controller. Kerberos authentication is not working anymore. After a reboot of the client, the issue is fixed.
2. The second group has this issue permanently.
Can anybody confirm this issue in their own company?
Thanks.
Best Regards,
Olaf Reiss
Hello Christian,
Thanks for your answer.
You described the second issue I have mentioned.
Have you ever taken a look into the default.trc regarding this issue? We found out the SPNEGO token is empty. So, as mentioned in note 1005209, the clients seem to use NTLM instead of SPNEGO authentication.
We opened a SAP OSS message.
Result: The issue is located at the client site. Our configuration of the portal is fine.
So, we will open a support message to Microsoft to investigate this issue.
Best Regards,
Olaf Reiss
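The distinction described in the post above (an empty or NTLM token arriving where the SPNegoLoginModule expects a SPNEGO/Kerberos token) can be checked on the Authorization: Negotiate header value taken from an HTTP trace of a failing client. The following Python code is an added example, not part of the thread or of any SAP tooling; classify, read_tlv and sample are hypothetical names, and the tokens built by sample are constructed inputs.

```python
import base64

OIDS = {  # DER-encoded OID values of the GSS-API mechanisms relevant here
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos5",
    bytes.fromhex("2a864882f712010202"): "MS-Kerberos5",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos, want):
    """Return (value_start, value_end) of the DER element with tag `want` at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length

def classify(header_value):
    """Classify the token of an 'Authorization: Negotiate <base64>' value."""
    try:
        b64 = header_value.strip().partition(" ")[2].strip()
        tok = base64.b64decode(b64, validate=True)
        if not tok:
            return "empty"
        if tok.startswith(b"NTLMSSP\x00"):
            return "raw-NTLM"  # NTLM sent directly, no GSS-API framing
        pos, _ = read_tlv(tok, 0, 0x60)        # GSS-API InitialContextToken
        start, pos = read_tlv(tok, pos, 0x06)  # outer mechanism OID
        mech = OIDS.get(tok[start:pos], "unknown-mech")
        if mech != "SPNEGO":
            return mech
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        for tag in (0xA0, 0x30, 0xA0, 0x30):
            pos, _ = read_tlv(tok, pos, tag)
        start, end = read_tlv(tok, pos, 0x06)  # first OID = preferred mechanism
        return "SPNEGO/" + OIDS.get(tok[start:end], "unknown-mech")
    except (ValueError, IndexError):
        return "malformed"

def sample(*mechs):
    """Constructed NegTokenInit offering `mechs` (short-form DER lengths only)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    oid = {name: raw for raw, name in OIDS.items()}
    mech_list = der(0x30, b"".join(der(0x06, oid[m]) for m in mechs))
    token = der(0x60, der(0x06, oid["SPNEGO"]) + der(0xA0, der(0x30, der(0xA0, mech_list))))
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of empty, raw-NTLM or SPNEGO/NTLMSSP for a failing workstation, against SPNEGO/MS-Kerberos5 for a working one, is consistent with the client-side cause reported in this thread.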
It is user and client specific. Only a few users on a few clients can't log in automatically. On most clients, these users can log in. And on those clients where they can't, other users will log in automatically with no problem. There is also a thread mentioning that you should delete the user's profile on the client, and in most cases this works. But still there are a few client-user combinations where even this workaround doesn't work. Well, we'll have to try Firefox for SPNEGO to check if it's IE related or if it's another Microsoft issue.
best regards,
christian
Dear Christian,
we have also done some field tests in our company.
We can confirm this issue depends on the user profile. It seems not to depend on the PC, but there is one exception.
Results of our field tests:
1. Login on another PC with the non-working user profile => Does not work.
2. Create a new profile on the local PC, where it WAS NOT WORKING with the old profile before => Does not work.
3. If another user logs on to the damaged PC with their own profile => It works.
4. Create a new profile on another PC => It works.
So, now I am absolutely confused.
What helps in any case is a new profile and a newly installed PC.
Best Regards,
Olaf Reiss
hello,
We are on SPS 19 and also have this problem on some clients. On one client, the user logs in automatically and on another client, the user gets this double login screen. On Monday we will apply the patch from note 1005209 and see if this resolves the problem on these few clients. But it seems to be more of a client-specific issue.
best regards,
christian
> it returns me a standard logon page (repeated twice!!!)
> with an error 'Unknown message (ID = UNKNOWN_ERROR)'
I saw this once on a workstation that hasn't been restarted for a long time (Xmas holidays), or if I purge my credentials with kerbtray. Logging the workstation off/on fixed the problem.
Apparently this is fixed with an upgrade: SAP Note 1005209 - "double logon screen"
Hello SDN,
We have configured our portal with the SPNego module for authentication.
In general the Kerberos authentication works for most of our PC clients.
We are still facing a problem for ONLY some clients, who are not able to authenticate. The cause seems to be in our Microsoft network.
We have investigated this issue and found the following scenarios.
1. There is one group who log off / log on to their PC clients every day. After some days, these users are losing the trust to our domain controller. Kerberos authentication is not working anymore. After a reboot of the client, the issue is fixed.
2. The second group has this issue permanently.
Can anyone of you confirm this situation at their own company?
We are still looking for a solution.
Thanks.
Best Regards,
Olaf Reiss
> > it returns me a standard logon page (repeated twice!!!)
> > with an error 'Unknown message (ID = UNKNOWN_ERROR)'
>
> I saw this once on a workstation that hasn't been restarted for a long time (Xmas holidays), or if I purge my credentials with kerbtray. Logging the workstation off/on fixed the problem.
>
> Apparently this is fixed with an upgrade: SAP Note 1005209 - "double logon screen"
Yes, I'm replying to my own posting :-).
Several SDN messages have mentioned SAP Note Number 934138, and Microsoft hotfix KB899587 for Windows XP SP2 workstations. The bug that it fixes is that intermittently the kerberos tickets on the client get blown away (you can verify that with 'kerbtray' when you see the error).
Unfortunately that is an old hotfix. It updated kerberos.dll, but later security patches have replaced that DLL and so I was not allowed to roll back the version to use the fix (hotfixes are not retained by security patches, you only apply them as required). The fix will be available in XP SP3, but that hasn't shipped yet. However we were able to get a new version of the DLL that includes the latest security patches AND the hotfix, and now we're good to go. No, I'm not allowed to give it to you, you have to ask Microsoft support for it yourself.
Regards,
Sean
Hi Sean,
Actually we are having the same problem of the double logon screen, and a few users can log in automatically while others have to provide the ID and password.
We installed the hotfix KB899587 and now we are installing note 1005209 next week. Is this going to fix the problem, or do we need to get the new hotfix from Microsoft?
What was the hotfix and security patch you got from Microsoft, and can you tell me how to get them?
praveen kommineni
Hello Vitali,
I don't know if your problem is solved. We had the same issues after we used the SPNego Wizard (SAP Note 994791), and I found two SAP Notes (1005209, 982044) and another thread () with information about the w2k_lsa_auth.dll. After the deployment of the two SDA files from the SAP Notes, SSO didn't work. So we changed the w2k_lsa_auth.dll from the j2sdk1.4.2_12-x64 and took the w2k_lsa_auth.dll of jdk1.5. -x64
After that everything was OK.
Server OS: Windows 2003 x64 Enterprise Edition
Database: MS SQL 2005
ADS LDAP: Windows 2003
Client OS: Windows XP Pro
Browser: Internet Explorer Ver.6
SAP Version: NetWeaver 2004 SP18
JDK: j2sdk1.4.2_12-x64
Kind regards
Alex
Hello Vitali,
My company is implementing SAP; our go-live will be in the middle of next year. I've already done some tests with UME and ADS (direct authentication) and we would like to implement SSO. I'm very interested in implementing this solution; I'd appreciate it if you could send me this guide and the test tool.
If it was possible to answer, I have other questions about authentication and SSO.
Did you implement direct authentication in the ADS for the ECC? And SSO (Kerberos)?
Do you have any guide to do it?
About the integration between ECC (ITS) and EP, I've seen any guides about integration using SAP Logon Ticket. If we implement SSO Kerberos in the EP, could we have problems doing this integration?
Thanks
cleitong@weg.net
As far as I can tell the only way to fix it is to turn off the option "Enable Integrated Windows Authentication" in the IE browser for users who do not use Kerberos. I talked to a guy at SAP and that is what he told me to do.
Also, if you hit the refresh button in the browser a single login screen appears.
Good luck,
Keith.
Hello everybody.
As far as I can understand the problem isn't in Portal configuration.
So maybe the solution is:
" to configure 2 different authentication configurations. One is Kerberos-enabled, the other uses the common password logon. Create a copy of the portal entry page and assign one authscheme to the first entry page and the other to the second entry page. Then users must choose the correct URL for their respective scenario (e.g. users logged on in a W2K domain use the entry page configured for Kerberos login, other users the other URL)."
(From Installation guide provided by Kai Ullrich)
Hello Vitali,
Could you please be so kind as to give me a hint where I may find the installation guide provided by Kai Ullrich?
Thanks in advance.
Best regards,
Olaf Reiß
We are getting the same issue; did you solve your problem? Can you tell us the solution? If you have the test tool can you send it to me at mfasheh@deloitte.com? We are running on EP SP16, AIX JDK and AD 2003.
Thanks for your help,
Regards,
Mike Fasheh
Sorry for the late response,
Yes SAP responded and they told us since we are running on AIX JDK we had to execute the ktpass with -princ HTTP/<server.domain.name>@<domain.name.COM> rather than host/<server.domain.name>@<domain.name.COM>. In addition we had to update the ticket policy configuration 'com.sap.spnego.jgss.name' of SPNegoLoginModule to
'HTTP/<server.domain.name>@<domain.name.COM>'
Regards,
Mike
Vitali,
SAP released a test tool that you can use. Post your email so I can send it over to you.
James
jlorenzana@myitgroup.com
Hi,
Have you solved your problem? I am struggling with the exact same thing. Please let us know if you figured out what to do. I'll do the same.
Thanks
DJ
What if you connect with a registered user?
Are you logged in directly to the portal?
Hi, I am interested in SPNEGO. Could you provide me with documentation or links?
We have two groups of people: one that is anonymous, everyone who accesses from the internet, and another that is the customer's internal people, who access the portal from the domain. We need to know when a user is anonymous and when internal, in order to show a login page or not.
I mean that SPNEGO is used for that, is that true?
Thanks in advance.
Regards.
Hi Optima
As far as I understand, the SPNegoLoginModule with basic
authentication fallback should solve your problem.
But as you can see, it doesn't work properly in my portal.
So I can only suggest the usual link on help.sap.com
http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm
And maybe some weblogs:
Hope it will help you.
hi vitali,
I am interested to implement the SPNego to replace our EP6 IisProxy. Could you send me the installation/configuration guide?
Basically, our EP6 retrieves the UM from our MS AD for authentication. We also have the back-end system connected to the EP6.
Thanks
Regards,
azly_amn@hotmail.com