07-02-2009 6:42 AM
Hi,
I would like to implement Kerberos on the Java stack for SSO, but unfortunately I ran into trouble while configuring the system. Actually, I want to implement this as a cross-domain solution, but even in the same AD domain I see some errors in the diagtool output, below:
Creating new instance of SpNegoState (negstate= initial, mechanism.oid= null)
Acquiring credentials for realm YASARSAP.ASTRON.GRP
Looking for credentials for realm YASARSAP.ASTRON.GRP
Looking for credentials for j2ee-cr7 @ YASARSAP.ASTRON.GRP in {}
[Security Context : [Security Session (0) for J2EE_GUEST created at Wed Jul 01 17:39:15 EEST 2009]] created from parent [Security Context : [Security Session (0) for J2EE_GUEST created at Wed Jul 01 17:39:15 EEST 2009]]
Acquiring credentials for GSS name j2ee-cr7 @ YASARSAP.ASTRON.GRP
GSS name type is: 1
GSS name type 1 is :1.2.840.113554.1.2.1.1
GSS mechanism is: 1.2.840.113554.1.2.2
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is j2ee-cr7 @ YASARSAP.ASTRON.GRP tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Refreshing Keytab
>>> KeyTabInputStream, readName(): YASARSAP.ASTRON.GRP
>>> KeyTabInputStream, readName(): j2ee-cr7
>>> KeyTab: load() entry length: 54; type: 3
principal's key obtained from the keytab
Acquire TGT using AS Exchange
on Exception : Error in some of the login modules.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
.
.
.
Caused by: java.lang.NullPointerException
at java.lang.StringBuffer.append(StringBuffer.java:467)
.
.
.
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null
#1 debug = true
#2 doNotPrompt = true
#3 principal = j2ee-cr7 @ YASARSAP.ASTRON.GRP
#4 refreshKrb5Config = true
#5 storeKey = true
#6 useKeyTab = true
#7 useTicketCache = false
Exception : Access Denied.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:116)
Acquiring credentials for realm YASARSAP.ASTRON.GRP failed
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
I emphasise that I am using well-known browsers such as IE8 and Firefox 3.0 in order to avoid problems. As far as I understand, the browser cannot send a ticket to the browser. What do you suggest about the problem?
Thank you
Orkun Gedik
07-02-2009 9:08 AM
Please refer to the link below:
http://www.scribd.com/doc/6558573/Kerberos-Ticket-Based-SinglesignOn-With-SAP-J2EE-Engine
Regards,
Pavan
07-02-2009 10:09 AM
Hi Pavan,
Thank you for your response. But I need to use ABAP as the UME reference system. According to the note at the URL that you mentioned, it requires using LDAP as the UME reference system. Am I correct?
Thank you
07-02-2009 10:29 AM
Hope the below link helps
http://help.sap.com/saphelp_nw70/helpdata/en/0b/d82c4142aef623e10000000a155106/content.htm
Regards,
Pavan
07-02-2009 11:36 AM
Thanks Pavan,
My main problem is enabling Kerberos for a BSP application, so that I will be able to browse BSP applications via SSO. Do you have any suggestions about this issue?
07-02-2009 12:59 PM
The link below should be able to help you much better:
http://hosteddocs.ittoolbox.com/MicrosoftSAP100307.pdf
Regards,
Pavan
07-02-2009 1:17 PM
Check the link below also:
/people/vaibhav.dua2/blog/2006/04/24/kerberos-implementation-with-ads-made-easy
Regards,
Pavan
07-02-2009 5:02 PM
Hi Orkun,
Please make sure that you are not using Java 1.4.2_14, 1.4.2_15 or 1.4.2_16.
All these versions contain a bug (refer to Note 1057474 - NullPointerException in KRB5LoginModule).
Thanks,
Sridhar
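
An added example, not part of the thread and not SAP code: a stand-alone check that reports whether the running JVM is one of the builds named in the reply above, then repeats the Krb5LoginModule keytab login with the options from the diagtool listing, outside the J2EE engine. The class name, the command-line arguments and the explicit keyTab option are assumptions; it also assumes the JVM can find its Kerberos configuration (krb5.conf or the java.security.krb5.* properties).

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical class name. Raw types on purpose so it also compiles on a 1.4.2 JDK.
public class KeytabLoginCheck {
    // Builds named in the reply above.
    static final String[] AFFECTED = {"1.4.2_14", "1.4.2_15", "1.4.2_16"};

    static boolean isAffected(String javaVersion) {
        return Arrays.asList(AFFECTED).contains(javaVersion);
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: KeytabLoginCheck <principal> <keytab-path>");
            System.exit(2);
        }
        String version = System.getProperty("java.version");
        System.out.println("java.version=" + version + " affected=" + isAffected(version));
        // Same options as the login module listing in the trace, plus an explicit
        // keytab path (assumption: the trace shows "KeyTab is null", no path set).
        final Map opts = new HashMap();
        opts.put("debug", "true");
        opts.put("doNotPrompt", "true");
        opts.put("principal", args[0]);
        opts.put("refreshKrb5Config", "true");
        opts.put("storeKey", "true");
        opts.put("useKeyTab", "true");
        opts.put("useTicketCache", "false");
        opts.put("keyTab", args[1]);
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() { }
        });
        try {
            LoginContext lc = new LoginContext("keytab-check");
            lc.login();
            System.out.println("login ok: " + lc.getSubject().getPrincipals());
        } catch (LoginException e) {
            System.out.println("login failed: " + e);
        }
    }
}
```

Run it with the same JVM the engine uses. If the login succeeds here but fails in the engine, the keytab and KDC are reachable and the problem lies in the engine-side configuration or the JVM build.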