Application Development Discussions

SPNego with Vista and Windows 7

MarcelRabe
Product and Topic Expert

Hi,

We're having problems with Windows Vista (SP1 and SP2) and Windows 7 clients accessing the portal/UME configured with SPNego. All other clients work fine. The KDC is Windows 2003.

The error is the "KDC does not support encryption type (14)" error.

The clients have the registry entries in HKLM\System\CCS\Control\Lsa\Parameters allowtgtsessionkey and maxpacketsize set to 0x1.

I've read in a couple of forums that there were problems with this when UAC in Vista was enabled and the user in question is a member of the local Administrators group. Well, this is the case, but it should have been solved in SP1.

Any ideas?

Marcel

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

Marcel,

I am familiar with the bug in Vista which was fixed in SP1. However, I think your problem is a different problem. Have you tried turning off UAC and trying SPNEGO logon to see if it works? If it does, then you know that SAP SPNEGO is fine and the issue is with Windows/Browser/Kerberos.

Thanks,

Tim

18 REPLIES

MarcelRabe
Product and Topic Expert

Hi Tim,

Thanks. Unfortunately it doesn't work with or without UAC. Strange that I cannot find anyone else with the same issue. Either no one is using Vista (makes sense) or SPNego is not rolled out that much... Or of course it's something I'm doing wrong.

rgds

Marcel

tim_alsop
Active Contributor

Hi,

I use Vista x64 with SPNEGO to logon to SAP portal, almost every day, and I have also tested Windows 7 with SPNEGO. The difference is that I am not using the SAP supplied SPNEGO login module - I am using our own developed SPNEGO login module instead which works with any user store and does not use Java Kerberos libraries. From the error you are getting I doubt it is due to the login module though, but I can confirm it works well for us on the platforms mentioned.

Thanks,

Tim

MarcelRabe
Product and Topic Expert

Hi Tim,

Great, I appreciate the feedback. What about your browser? Are you using IE7, IE8, Firefox 2 or 3? It's getting kind of ridiculous, since some of the workstations with Vista that didn't work last week are working now, but not all. And they are all the same (image installations). And still no success with Windows 7. Did you completely turn off UAC on Windows 7?

Marcel

tim_alsop
Active Contributor

I have been using IE7, but also tested with IE6 and Firefox 2 and 3.

I didn't turn off UAC - no need. SSO works without turning off UAC.

The error you mentioned relates to the encryption type. Perhaps you have software installed which does not support the RC4 encryption that is used by default in Win2k3 AD?

Thanks,

Tim

tim_alsop
Active Contributor

Ah, ok. I think the Java implementation of Kerberos is causing this: it only supports DES (etype 3) encryption and AD expects RC4 (etype 23). So it looks like the Java library is being used to communicate with AD using etype 3 and the principal in AD is only configured to use etype 23.

As I mentioned earlier, I am not using the SAP SPNEGO login module. The login module I am using supports AES, RC4 and DES and does not require the server to communicate with AD during SPNEGO logon. The only Kerberos protocol usage required is between browser and AD, not between server and AD.

Thanks,

Tim

MarcelRabe
Product and Topic Expert

Correct. But you can configure AD to use DES by setting up a user account with support for DES encryption. The KDC error 14 is a very misleading one; it appears for various reasons and it hardly ever has anything to do with encryption.

Turns out that some of the image installations were upgraded to IE8 and they all seem to have the problem, so my quest continues. Thanks for the assistance. 8 points awarded.

Marcel

tim_alsop
Active Contributor

Marcel,

I suspect that IE8 is sending the spnego token to server and including etype 23 or 18 (AES) and your account in AD is only setup to use DES (etype 3). This works for me because we are not using the SAP SPNEGO login module or using the Java Kerberos library which has the DES-ONLY restriction.

Perhaps if you use Wireshark to capture network traffic between workstation and AD you will see which etypes are used when the HTTP/<host.domain> ticket is requested. If you need help analysing the Wireshark trace, please feel free to send it to me.

Thanks,

Tim

tim_alsop
Active Contributor

> The error is the "KDC does not support encryption type (14)" error.

Where do you see this error? Is it on the workstation or in the Wireshark trace?

MarcelRabe
Product and Topic Expert

The KDC error appears in the security log when you use the Diagtool. The tool temporarily screws up the log level.

rgds

Marcel

Former Member

Hello,

Did anyone manage to connect to a Java SAP server via SPNEGO (SSO) on Windows 7?

Quentin


Found a solution here:

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx

We changed it to: DES-CBC-MD5

Quentin


Ah, this makes sense. The SAP supplied SPNEGO login module is using the Kerberos protocol implementation included in Java, which is outdated, so it only supports DES etypes. I didn't get this problem when I tested with Windows 7 because our SPNEGO / IWA login module supports the same etypes that are supported by MS AD, including RC4 and AES.

I think you will find that the decision by Microsoft to disable DES encryption by default will also be followed in many other products that use Kerberos. If you plan to use the SAP SPNEGO login module you need to take this into consideration and suffer the use of a weaker encryption type (e.g. 56-bit DES), compared to the stronger RC4 and AES etypes.

Thanks,

Tim

MarcelRabe
Product and Topic Expert

Quentin,

Thanks for your feedback. I suppose this did the trick for you?

It sounded very promising, so I implemented this on two Windows 7 workstations and rebooted (of course). Unfortunately, after wake-up still no luck. In the event viewer of the workstations I can see that there's still a problem reading/using the Kerberos ticket for SSO, but it looks much better than before.

Because prior to this change I could see using KerbTray that the wrong Kerberos ticket was created: HTTP/realhost.domain.com. After your suggested change it now correctly creates an entry for HTTP/alias.domain.com.

Still investigating......


Thanks Quentin

By default, Windows 7 doesn't have the DES* encryption types enabled:

DES-CBC-MD5

DES-CBC-CRC

You have to enable these on your local PC under:

Computer Configuration\Security Settings\Local Policies\Security Options

in this entry: Configure encryption types allowed for Kerberos

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx

I hope you can solve your problem.

Best Regards

Oscar Leó
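The etype mismatch Tim describes earlier in the thread (the client offering RC4/AES while the service account holds only DES keys) and the Windows 7 policy change Quentin and Oscar point to, as an added PowerShell example that is not part of this thread and not SAP's or Microsoft's own tooling. It decodes the bitmask behind "Configure encryption types allowed for Kerberos" (the same bit layout AD uses for msDS-SupportedEncryptionTypes), compares what the workstation may offer with what the service account's keys support, and builds the policy value that adds DES-CBC-MD5 alongside RC4 and AES instead of replacing them. The account name svc-portal is a placeholder, the Windows 7 default etype set is assumed when no policy value exists, and the Set-ItemProperty line is left commented out so that running the script changes nothing.

```powershell
# Added example, not from the original thread. Decodes the Kerberos etype bitmask used by
# the "Configure encryption types allowed for Kerberos" policy and by the AD attribute
# msDS-SupportedEncryptionTypes, and predicts whether a TGS-REQ for the HTTP/<host> SPN
# will fail with KDC_ERR_ETYPE_NOSUPP (Kerberos error code 14).

# Bit values of the policy DWORD / msDS-SupportedEncryptionTypes (Microsoft-defined).
$EtypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC                = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}
# Kerberos etype numbers as they appear in a Wireshark trace.
$EtypeNumber = @{
    DES_CBC_CRC = 1; DES_CBC_MD5 = 3; AES128_CTS_HMAC_SHA1_96 = 17
    AES256_CTS_HMAC_SHA1_96 = 18; RC4_HMAC = 23
}

function ConvertFrom-EtypeMask {
    param([uint32]$Mask)
    # Names of every etype whose bit is set in the mask.
    $EtypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

function ConvertTo-EtypeMask {
    param([string[]]$Names)
    $mask = 0
    foreach ($n in $Names) { $mask = $mask -bor $EtypeBits[$n] }
    [uint32]$mask
}

# 1. What the local workstation is allowed to use. The policy writes this DWORD; when it is
#    absent the OS default applies, which on Windows 7 is RC4 + AES (DES disabled).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $local) {
    $clientEtypes = 'RC4_HMAC','AES128_CTS_HMAC_SHA1_96','AES256_CTS_HMAC_SHA1_96'   # assumed Win7 default
    "No policy value set; assuming Windows 7 defaults: $($clientEtypes -join ', ')"
} else {
    $clientEtypes = ConvertFrom-EtypeMask $local
    "Policy value 0x{0:X}: {1}" -f $local, ($clientEtypes -join ', ')
}

# 2. What keys the service account (the one the HTTP/<host> SPN is mapped to) has.
#    An account flagged "Use DES encryption types for this account" has DES keys only;
#    the msDS-SupportedEncryptionTypes attribute only exists from Windows Server 2008 AD on.
$ServiceAccount = 'svc-portal'   # placeholder account name
$acct = Get-ADUser $ServiceAccount -Properties 'msDS-SupportedEncryptionTypes','UseDESKeyOnly'
if ($acct.UseDESKeyOnly) {
    $serverEtypes = 'DES_CBC_CRC','DES_CBC_MD5'
} elseif ($acct.'msDS-SupportedEncryptionTypes') {
    $serverEtypes = ConvertFrom-EtypeMask $acct.'msDS-SupportedEncryptionTypes'
} else {
    $serverEtypes = 'RC4_HMAC'    # attribute absent: RC4 is what a Win2003 KDC issues by default
}

# 3. Intersection. Empty means the KDC has no key it may encrypt the service ticket with.
$common = @($clientEtypes | Where-Object { $serverEtypes -contains $_ })
if ($common.Count -eq 0) {
    "No common etype: client offers $($clientEtypes -join ', '), account has $($serverEtypes -join ', ') -> KDC_ERR_ETYPE_NOSUPP (14)"
} else {
    $nums = ($common | ForEach-Object { $EtypeNumber[$_] }) -join ', '
    "Service ticket can use: $($common -join ', ') (etype numbers $nums)"
}

# 4. The fix from the thread, written as the policy value. DES-CBC-MD5 is added to RC4 and
#    AES rather than replacing them, so only the DES-only account ever falls back to DES.
$fixed = ConvertTo-EtypeMask 'DES_CBC_MD5','RC4_HMAC','AES128_CTS_HMAC_SHA1_96','AES256_CTS_HMAC_SHA1_96'
# New-Item -Path $PolicyKey -Force | Out-Null
# Set-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -Value $fixed -Type DWord
"SupportedEncryptionTypes to set: 0x{0:X} ({1})" -f $fixed, ((ConvertFrom-EtypeMask $fixed) -join ', ')
```

Run it on the Windows 7 client with the RSAT ActiveDirectory module available. If the intersection comes out empty, the TGS-REQ for HTTP/<host.domain> in the Wireshark trace Tim suggested will be answered with a KRB-ERROR carrying error code 14 (KDC_ERR_ETYPE_NOSUPP; display filter kerberos.error_code == 14), and the etype list in the request tells you exactly what the browser offered. Setting the policy to the union shown, rather than to DES-CBC-MD5 alone, keeps AES or RC4 for every other service on the domain and confines the weak 56-bit DES tickets to the one account the Java login module needs them for.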


Thanks, that helped me a lot, but it should also be mentioned that if your DC is a Windows 2003 Server, you won't find it in the policy editor; on a local PC, just call "gpedit" from the Run menu/cmd shell.


Hi People,

To complete the information, there's an SAP Note related to this issue. Maybe it will help in many cases. It solved mine.

Note 1396724 - SPNEGO fails with Vista SP3, Windows 7, Windows Server 2008 R2