
Still asking for Username and Password after configuring SPNEGO mechanism

Former Member
0 Kudos

I have configured SPNEGO entirely by referring to the steps given on SDN forums

1 - /people/holger.bruchelt/blog/2008/01/09/configuring-and-troubleshooting-spnego--part-1

2 - /people/holger.bruchelt/blog/2008/01/15/configuring-and-troubleshooting-spnego--part-2

3 - /people/holger.bruchelt/blog/2008/01/24/configuring-and-troubleshooting-spnego--part-3

and also referring to help.sap

Still I am getting the Login page for LDAP users.

I also found a thread wherein the same problem and the workaround for it were mentioned.

Work around was

Login to your Visual Admin, then go to -->Security Provider -->com.sun.security.jgss.accept -->Krb5LoginModule

Add a Parameter isInitiator and Value false. Save it and take a bounce of J2EE.

I also tried the same. Still it is asking me for username and password.

Is there a need to do any changes in authschemes.xml after uploading the new configuration file krb5.xml?

Or is there any other reason why this is not working?

Need help.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You can try to use the webdiag tool to collect traces and check where the configuration is failing

https://service.sap.com/sap/support/notes/1045019

Also you can use this wiki page, which has a nice collection of all the links useful for configuring SPNego: https://wiki.sdn.sap.com/wiki/display/Security/SingleSign-onwithSPNego(NWAS+Java)

Also I hope that you have configured Internet Explorer to "Enable Windows Integrated Authentication" (go to Tools Menu -> Internet Options -> Advanced Tab)

Thanks,

GLM

0 Kudos

Yes thanks for this option.

I deployed Web Diagtool thru SDM on.

I used it and I found the following result in the traces..

~on.loginmodule.spnego.SPNegoLoginModule :: Access Denied - responseHeader is NULL

LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
    #1 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
    #1 com.sap.spnego.creds_in_thread = true
    #2 com.sap.spnego.jgss.name = j2ee-D21@domain
    #3 com.sap.spnego.uid.resolution.attr = kpnprefix
    #4 com.sap.spnego.uid.resolution.dn = dn
    #5 com.sap.spnego.uid.resolution.mode = prefixbased
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
    #1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
    #1 ume.configuration.active = true

In the above message you could see that for SPNegoLoginModule in details it says, Access Denied. No authorization header received.

Do I need to give any kind of authorisation to the service user that I created on ADS?

In fact I tried the same but still it is not working.

MarcelRabe
Product and Topic Expert
0 Kudos

Did you verify that it's actually sending a Kerberos ticket instead of NTLM?

0 Kudos

Hi,

We are getting the same problem. Please help us too if you get any solution for that.

Thanks & Regards

Manish

0 Kudos

Can you tell me how to verify whether the authentication is thru Kerberos ticket or thru NTLM?

0 Kudos

The best way is to run an HTTP trace on the workstation and you will see the HTTP negotiate protocol exchange between browser and SAP web server. There are a few free tools available for this and some commercial tools. You can google for http sniffer and you will see many tools available for download.

MarcelRabe
Product and Topic Expert
0 Kudos

Hi,

the easiest way is to install something like HTTP Fox as an add-in in the Firefox browser (as it's free). Turn on the tracer and look in the HTTP headers. You should see something like:

Negotiate YKKwYBBAGCNwICCqKCBMQEggTAYIIEvAYJKoZIhvcSAQICAQBu

If NTLM is used you'll see something like 0x25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6 I think

See also note 934138

good luck

Marcel
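
The header check described in the post above can be scripted. The following is an added example, not part of the original thread and not SAP code: it classifies an Authorization header value copied from an HTTP trace as Kerberos or NTLM by looking for the NTLMSSP signature and the DER-encoded mechanism OIDs. The function name classify_authorization and both sample headers are constructed for illustration, and treating the first mechanism OID in the token as the one in use is a heuristic assumption.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value) found in GSS-API tokens.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (MS variant)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(header_value):
    """Classify an Authorization header value copied from an HTTP trace.

    Returns 'missing', 'kerberos', 'ntlm', 'other-scheme' or 'unknown'.
    """
    if not header_value or not header_value.strip():
        return "missing"  # the browser sent no Authorization header at all
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "other-scheme"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"  # truncated or mangled value pasted from the trace
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLM message carried under the Negotiate scheme
    # Heuristic (assumption): the first mechanism OID in the token is the
    # mechanism the client preferred and sent a token for.
    hits = [(token.find(oid), name) for oid, name in MECH_OIDS.items() if oid in token]
    return min(hits)[1] if hits else "unknown"


# Constructed, truncated sample values (not taken from the traces in this thread).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + bytes.fromhex("01000000078208a2") + bytes(16)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    bytes.fromhex("6082040006062b0601050502a08203f4308203f0a0183016")
    + bytes.fromhex("06092a864882f712010202")
    + bytes.fromhex("06092a864886f712010202") + bytes(8)).decode()

if __name__ == "__main__":
    for name, value in (("ntlm sample", SAMPLE_NTLM), ("kerberos sample", SAMPLE_KRB)):
        print(name, "->", classify_authorization(value))
```

A Negotiate value whose base64 text begins with TlRMTVNT decodes to the NTLMSSP signature, which is the quickest visual cue in a trace that the browser fell back to NTLM.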

0 Kudos

This is true, but you need to be aware that Firefox configuration of Integrated Windows Authentication works differently to IE. In other words, just because you see Negotiate in Firefox, this doesn't mean you will see the same if you trace IE HTTP messages. It depends if the problem you have is due to server configuration, or browser/workstation setup.

Thanks,

Tim

0 Kudos

Hi,

I have checked it using the WebDiag trace tool.

It is showing NTLM token received.

That means it is doing NTLM authentication.

But I have done all the configuration for Kerberos authentication!

I am unable to understand still what more is remaining!!

Is anything related to Authschemes.xml????

MarcelRabe
Product and Topic Expert
0 Kudos

Hi,

did you read the note? There are a few steps you have to take to make sure the Kerberos ticket is sent instead of NTLM. Try it from a couple of different locations as well. Also, use the kerbtray.exe tool to remove any tickets from the cache in case it sends the wrong Kerberos ticket.

Marcel
