
SPNEGO/Fail on the Configuration steps on the DC

Former Member
0 Kudos

We are looking to use AD authentication to pass through into the UME in NWA CE 7.1

When following the steps we have created the service user in AD and then are looking to register service principal names (SPNs) for the J2EE Engine host name and alias and map them to the service user xxxxx

We then get the following response:

C:\Program Files\Support Tools>setspn -A HTTP/<server name> <account name>

Usage: setspn [switches data] computername

Where "computername" can be the name or domain\name

Switches:

-R = reset HOST ServicePrincipalName

Usage: setspn -R computername

-A = add arbitrary SPN

Usage: setspn -A SPN computername

-D = delete arbitrary SPN

Usage: setspn -D SPN computername

-L = list registered SPNs

Usage: setspn [-L] computername

Examples:

setspn -R daserver1

It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"

setspn -A http/daserver daserver1

It will register SPN "http/daserver" for computer "daserver1"

setspn -D http/daserver daserver1

It will delete SPN "http/daserver" for computer "daserver1"

What is happening and what is our next step?

Colin Cooper

Answers (1)

0 Kudos

Hello Colin,

You can find all steps to configure the SPNego on following SAP help documentation:

http://help.sap.com/saphelp_nwpi71/helpdata/en/45/40a0de773a7527e10000000a114a6b/frameset.htm

I hope it helps you.

Kind regards,

Lisandro Magnus

Former Member
0 Kudos

Lisandro,

We have been following those steps and are in Step 1 Prerequisites.

The responses shown in my post are what we get back once we have executed the setspn -a HTTP/portal.customer.de j2ee-<SID> command.

We were expecting a response that would show that that service is registered.

Is the response we got back normal?

Colin Cooper

Former Member
0 Kudos

Hello Colin,

The response you get back indicates that the setspn tool detected an error in the attributes.

When the command is successful, you will get a message saying that registering the SPN is successful.

When using the setspn.exe tool, make sure you are logged on with Domain admin rights. I always run the tool on the domain controller itself.

Try including the domain name when you enter the service account, the command should read like this:

setspn -a HTTP/portal.customer.de DOMAIN\j2ee-SID

Replace portal.customer.de with the DNS name for your server, repeat the command with the different DNS names if you have more than one DNS name.

Replace DOMAIN with the name of your windows domain.

Replace j2ee-SID with the User Logon Name of your service account.

Make sure there are no spaces or special signs in the User Logon Name!

On Windows servers, the usage of SPNs is not case sensitive, but when calling the service from non-Windows systems, it is!

For more info on the setspn tool, look here:

http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

I hope this helps.

Dagwin

Former Member
0 Kudos

Dagwin,

Thanks for your suggestion.

We are logged in as the domain admin and run the command on the domain controller machine. We can try adding the domain name before the user name.

We tried recreating the situation in a test instance where we used an invalid user account and in this instance we get a response telling us that it cannot locate the account. However in the system we don't get this response which suggests that the user has been located but that something else is not correct. The output we get is the same as if we issue the command without parameters!

Any ideas?

Thanks

Colin Cooper

Former Member
0 Kudos

Hi,

If you get the same output as without parameters it means the command is still not correct...

This usually happens when the program doesn't recognize one of the parameters used.

Any special characters in the account name like a . or a space or something in the account or host name? If so, try putting the name between "<name>". It's better to avoid this however.

Try this command to see if it's already registered or not:

setspn -l <hostname_server>

You might try creating a new account where you only fill in the last name.

The "Full name" of an account is created automatically from the last name and first name. Changing last and/or first name later will NOT change the full name of the account, which can cause problems.

Kind regards,

Dagwin
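An added example, not part of the thread: a small Python check that applies Dagwin's two points above (the User Logon Name must contain no spaces or special signs, and SPN case matters for non-Windows Kerberos clients) to the output of setspn -l. The sample setspn output is constructed, not captured from a real domain controller.

```python
import re

# Constructed sample of what "setspn -l DOMAIN\j2ee-SID" prints for a service account;
# the lowercase "http/" entry is deliberate to show the case check below.
SAMPLE_SETSPN_L = """Registered ServicePrincipalNames for CN=j2ee-SID,CN=Users,DC=customer,DC=de:
        http/portal.customer.de
        HTTP/portal
"""


def parse_setspn_list(output):
    """Return the SPNs from 'setspn -l' output: the indented lines after the header."""
    spns = []
    for line in output.splitlines():
        if line.startswith((" ", "\t")) and line.strip():
            spns.append(line.strip())
    return spns


def validate_logon_name(name):
    """True if the User Logon Name has only letters, digits, '_' or '-'.
    Spaces and special signs (including '.') make setspn misparse the
    account and fall back to printing its usage text."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", name) is not None


def check_spn(expected, registered):
    """Classify one expected SPN as 'exact', 'case-mismatch' or 'missing'.
    Windows compares SPNs case-insensitively, but Kerberos clients on
    non-Windows systems do not, so a case-mismatch works from Windows
    and fails from a non-Windows caller."""
    if expected in registered:
        return "exact"
    if expected.lower() in {s.lower() for s in registered}:
        return "case-mismatch"
    return "missing"


def audit(expected_spns, setspn_output):
    """Map each expected SPN to its registration state."""
    registered = parse_setspn_list(setspn_output)
    return {spn: check_spn(spn, registered) for spn in expected_spns}


if __name__ == "__main__":
    for spn, state in audit(["HTTP/portal.customer.de", "HTTP/portal",
                             "HTTP/portal.intranet"], SAMPLE_SETSPN_L).items():
        print(f"{spn}: {state}")
```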

Former Member
0 Kudos

Looks like that has solved the problem.

Thanks

Colin Cooper