Dear all,

I have succesfully configured the Kerberos SSO on one of our EP6(NW04)

SP15 system; the systen have the following carattheristics:

- 1 standalone EP6SP15(nw04) installed on a J2EE Add-in, url:

http://ptototipo.pgc.local

O.S.: windows 2003; SUN jdk 1.4.2; domain: Workgroup;

- 1 ADS(Forest PGC.LOCAL) used as datasource for the UME;

- 1 ADS(Forest FERLAB.LOCAL) in trust with the forest PGC.LOCAL;

- url: http://ptototipo.pgc.local; SPN

HTTP/prototipo.pgc.local@PGC.LOCAL

We have done the following step, as indicated in the help online for

configuring Kerberos SSO fo J2EE:

-created the user/SPN for the portal in the Forest PGC.LOCAL,

-created the keyatb file, created the krb5.conf file(kerberos

configuration),

-added the new j2ee server parameter for the sun jdk, configured the

datasource file, the login module

and the login modulestack;

-configured the client workstation for integrated windows autentication

if we call the portal url http://ptototipo.pgc.local:50000/irj/portal

from a user logged on the domain

PGC.LOCAL we logon in SSO in the portal

(UserPrincipalName=KerberosPrincipalName);

if we call the portal url http://ptototipo.pgc.local:50000/irj/portal

from a user logged on the domain

FERLAB.LOCAL and the user is created in the PGC.LOCAL too, we logon in

SSO in the portal(UserPrincipalName=KerberosPrincipalName)

because the two forest are in trust; so, all user logged in trusted

Forest and created in the UME datasource (ADS PGC.LOCAL),

can get a correct Kerberos Token for the SPN

HTTP/ptototipo.pgc.local@PGC.LOCAL

and login in SSO on the EP.

we have replicated the same situation in our quality system with the

following differences:

- the OS EP(EP6SP15NW04) server is AIX 5.4 and use the IBM jdk 1.4;

- the UME datasource is the ADS 2003 PGT.LOCAL;

- 1 ADS(Forest FERLAB.LOCAL) in trust with the forest PGT.LOCAL;

- portal url http://lineadirettatest.gruppofs.it; SPN

HTTP/lineadirettatest.gruppofs.it@PGT.LOCAL

We have done the same configuration for the j2ee and the ume specific

for the ibm jdk;

we can authenticate and logon in SS0 on the portal correctly with a

user authenticated on the domain PGT.LOCAL;

but if we try to logon to the portal with a user authenticated on the

FOREST FERLAB.LOCAL,

we cannot logon in SSO on the portal, in

the default trace file of the j2ee we get the following error

messagge: "...Decoding error in parsing of spnego token...";

we get this error because the user cannot get a correct kerberos token

for the SPN of the portal.

We activated the Kerberos event viewer output messagge and in the event

viewer we get the following error messagge

"0x7 - KDC_ERR_S_PRINCIPAL_UNKNOWN";

it seems that the user try o get a kerberos token for the SPN

HTTP/lineadirettatest.gruppofs.it@FERLAB.LOCAL

(with an incorrect suffix) and the SPN in not Found in the local

(FERLAB.LOCAL) kerberos database.

The kerberos configuration file for the 2 systems are the same(except for the domain name),

i have tried the 2 following configurationfile on the aix machine:

*****************************************

<UNIX> first file

*****************************************

.pgt.local = PGT.LOCAL

pgt.local = PGT.LOCAL

[libdefaults]

default_keytab_name = /usr/sap/PGQ/D00/j2ee/cluster/kerberos/keytab

default_realm = PGT.LOCAL

default_tgs_enctypes=des-cbc-md5;des-cbc-crc

default_tkt_enctypes=des-cbc-md5;des-cbc-crc

[logging]

[capaths]

[realms]

PGT.LOCAL = {

admin_server = d66w01tst.pgt.local

kdc = dg1dcsd66w01tst.pgt.local

}

*****************************************

<UNIX> second file

*****************************************

[domain_realm]

.pgt.local = PGT.LOCAL

pgt.local = PGT.LOCAL

.gruppofs.it = PGT.LOCAL

gruppofs.it = PGT.LOCAL

.ferlab.local = PGT.LOCAL

ferlab.local = PGT.LOCAL

[libdefaults]

default_keytab_name = /usr/sap/PGQ/DVEBMGS00/j2ee/cluster/kerberos/keytab

default_realm = PGT.LOCAL

dns_lookup_kdc = false

dns_lookup_realm = false

dns_fallback = false

default_tgs_enctypes=des-cbc-md5;des-cbc-crc

default_tkt_enctypes=des-cbc-md5;des-cbc-crc

[logging]

default = FILE:/usr/sap/PGQ/DVEBMGS00/j2ee/cluster/kerberos/log/krb5libs.log

kdc = FILE:/usr/sap/PGQ/DVEBMGS00/j2ee/cluster/kerberos/log/krb5kdc.log

admin_server = FILE:/usr/sap/PGQ/DVEBMGS00/j2ee/cluster/kerberos/log/kadmind.log

[capaths]

PGT.LOCAL = {

FERLAB.LOCAL = .

}

FERLAB.LOCAL = {

PGT.LOCAL = .

}

[realms]

PGT.LOCAL = {

admin_server = d66w01tst.pgt.local

kdc = dg1dcsd66w01tst.pgt.local

}

this is the output of the keytab file:

****************************************************

klist -e -f -k -K keytab

Key table: keytab

Number of entries: 2

[1] principal: host/lineadirettatest.gruppofs.it@PGT.LOCAL

KVNO: 1

Encryption type: DES CBC mode with MD5

Key: 0xd09d8c4fe386852f

[2] principal: HTTP/lineadirettatest.gruppofs.it@PGT.LOCAL

KVNO: 3

Encryption type: DES CBC mode with MD5

Key: 0xe32b3736de35e5d

**************************************************************

Does anyone know if there are some special configuration to do For the UNIX Machine/IBM

JDK/krb5.conf(other then the specific parameters for the ibm jdk specified in the online help) file to permit the multirealm

authentication as in the first system(Windows)?

alessio Pibiri