09-22-2009 7:09 AM
I have configured SPNEGO entirely by referring to the steps given in the SDN forums:
1 - /people/holger.bruchelt/blog/2008/01/09/configuring-and-troubleshooting-spnego--part-1
2 - /people/holger.bruchelt/blog/2008/01/15/configuring-and-troubleshooting-spnego--part-2
3 - /people/holger.bruchelt/blog/2008/01/24/configuring-and-troubleshooting-spnego--part-3
and also by referring to help.sap.
Still I am getting the login page for LDAP users.
I also found a thread that mentioned the same problem and a workaround for it.
The workaround was:
Login to your Visual Admin, then go to --> Security Provider --> com.sun.security.jgss.accept --> Krb5LoginModule
Add a parameter isInitiator with value false. Save it and bounce J2EE.
I also tried the same. It is still asking me for username and password.
Is there a need to make any changes in authschemes.xml after uploading the new configuration file krb5.xml?
Or is there any other reason why this is not working?
Need help.
09-22-2009 7:27 AM
You can try to use the webdiag tool to collect traces and check where the configuration is failing:
https://service.sap.com/sap/support/notes/1045019
Also you can use this wiki page (https://wiki.sdn.sap.com/wiki/display/Security/SingleSign-onwithSPNego(NWAS+Java)); it has a nice collection of all the links useful for configuring SPNego.
Also, I hope that you have configured Internet Explorer to "Enable Windows Integrated Authentication" (go to Tools menu -> Internet Options -> Advanced tab).
Thanks,
GLM
09-23-2009 1:07 PM
Yes, thanks for this option.
I deployed the Web Diagtool through SDM.
I used it and found the following result in the traces:
~on.loginmodule.spnego.SPNegoLoginModule :: Access Denied - responseHeader is NULL
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
#1 com.sap.spnego.creds_in_thread = true
#2 com.sap.spnego.jgss.name = j2ee-D21@domain
#3 com.sap.spnego.uid.resolution.attr = kpnprefix
#4 com.sap.spnego.uid.resolution.dn = dn
#5 com.sap.spnego.uid.resolution.mode = prefixbased
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
#1 ume.configuration.active = true
In the above message you can see that for SPNegoLoginModule the details say: Access Denied. No authorization header received.
Do I need to give any kind of authorisation to the service user that I created in ADS?
In fact I tried that, but it is still not working.
09-24-2009 9:13 AM
Did you verify that it's actually sending a Kerberos ticket instead of NTLM?
09-25-2009 7:17 AM
Hi,
We are getting the same problem. Please help us also if you will get any solution of that.
Thanks & Regards
Manish
09-29-2009 11:53 AM
Can you tell me how to verify whether the authentication is through a Kerberos ticket or through NTLM?
09-29-2009 11:57 AM
The best way is to run an HTTP trace on the workstation; you will see the HTTP Negotiate protocol exchange between the browser and the SAP web server. There are a few free tools available for this and some commercial tools. You can google for "http sniffer" and you will see many tools available for download.
09-30-2009 9:38 AM
Hi,
the easiest way is to install something like HTTP Fox as an add-in in the Firefox browser (as it's free). Turn on the tracer and look in the HTTP headers. You should see something like:
Negotiate YKKwYBBAGCNwICCqKCBMQEggTAYIIEvAYJKoZIhvcSAQICAQBu
If NTLM is used you'll see something like 0x25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6 I think
See also note 934138
good luck
Marcel
09-30-2009 9:40 AM
This is true, but you need to be aware that Firefox configuration of Integrated Windows Authentication works differently from IE. In other words, just because you see Negotiate in Firefox, this doesn't mean you will see the same if you trace IE HTTP messages. It depends whether the problem you have is due to server configuration or to browser/workstation setup.
Thanks,
Tim
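As an added example (not code from this thread, from SAP, or from any of the tools mentioned), here is a small Python classifier for the Authorization header value you read out of an HTTP trace as Marcel and Tim describe: it reports whether the browser sent Kerberos inside a SPNEGO wrapper, NTLM inside a Negotiate wrapper (the fallback IE uses when it has no usable Kerberos ticket), a raw Kerberos token, or bare NTLM. The function and constant names are mine, and the sample headers are constructed from placeholder payloads, not real tickets or NTLM messages.

```python
import base64
# GSS-API mechanism OIDs in DER form (tag 0x06, length, contents)
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECHS = (("kerberos", OID_KRB5), ("kerberos", OID_MS_KRB5), ("ntlm", OID_NTLMSSP))

def classify_authorization(header_value):
    """Classify one Authorization request-header value: negotiate-kerberos,
    negotiate-ntlm, negotiate-other, kerberos, ntlm, malformed, or the scheme name."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme.lower() or "malformed"  # basic, digest, bearer ... reported as-is
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # bare NTLMSSP message, whichever scheme word preceded it
    if len(token) < 2 or token[0] != 0x60:  # not a GSS-API InitialContextToken (RFC 2743 3.1)
        return "malformed"
    # skip the DER length (one byte, or 0x8N followed by N bytes) to reach thisMech
    mech = token[2 if token[1] < 0x80 else 2 + (token[1] & 0x7F):]
    if mech.startswith((OID_KRB5, OID_MS_KRB5)):
        return "kerberos"  # raw Kerberos GSS token with no SPNEGO wrapper
    if not mech.startswith(OID_SPNEGO):
        return "negotiate-other"
    # NegTokenInit (RFC 4178) orders mechTypes by preference and its optimistic mechToken
    # belongs to mechTypes[0], so the earliest mechanism OID in the token is what was sent.
    hits = [(token.find(oid), name) for name, oid in MECHS if oid in token]
    return "negotiate-" + min(hits)[1] if hits else "negotiate-other"

# --- constructed samples: placeholder payloads, not real tickets or NTLM messages ---
def der_tlv(tag, body):  # short-form DER TLV; every sample body here is under 128 bytes
    return bytes([tag, len(body)]) + body

def neg_token_init(mech_oids, mech_token):  # SPNEGO NegTokenInit: [0] mechTypes, [2] mechToken
    body = der_tlv(0xA0, der_tlv(0x30, b"".join(mech_oids))) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0x60, OID_SPNEGO + der_tlv(0xA0, der_tlv(0x30, body)))

def header(scheme, token):
    return scheme + " " + base64.b64encode(token).decode()

FAKE_AP_REQ = b"\x01\x00" + der_tlv(0x6E, b"\x00" * 16)  # KRB5 token id + AP-REQ placeholder
FAKE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2"
HEADER_KERBEROS = header("Negotiate", neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], FAKE_AP_REQ))
HEADER_NTLM_FALLBACK = header("Negotiate", neg_token_init([OID_NTLMSSP], FAKE_NTLM_TYPE1))
HEADER_RAW_KERBEROS = header("Negotiate", der_tlv(0x60, OID_KRB5 + FAKE_AP_REQ))
HEADER_RAW_NTLM = header("NTLM", FAKE_NTLM_TYPE1)
```

A Negotiate header whose first mechanism is NTLMSSP means the client never obtained a service ticket for the SPN, so the place to look is the workstation (Kerberos cache, SPN resolution, zone settings), not the server's login module stack.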
10-08-2009 7:48 AM
Hi,
I have checked it using the WebDiag trace tool.
It is showing "NTLM token received".
That means it is doing NTLM authentication.
But I have done all the configuration for Kerberos authentication!
I still cannot understand what more is remaining!
Is anything related to Authschemes.xml?
10-09-2009 9:23 AM
Hi,
did you read the note? There are a few steps you have to take to make sure the Kerberos ticket is sent instead of NTLM. Try it from a couple of different locations as well. Also, use the kerbtray.exe tool to remove any tickets from the cache in case it sends the wrong Kerberos ticket.
Marcel
09-22-2009 7:32 AM
Hi
Use this for troubleshooting SPNego: https://wiki.sdn.sap.com/wiki/display/Security/Single%20Sign-on%20with%20SPNego%20%28NWAS%20Java%29