Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access Denied. No authorization header received. - Guest User

former_member1098367
Participant

‎04-12-2010 5:26 PM

0 Kudos

Hi all ,

i'm trying to understand why I got the following error on login modules, with Guest user:

LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

#1 trusteddn1 = OU=J2EE,CN=SM1

#2 trusteddn2 = CN=SM1

#3 trustediss1 = OU=J2EE,CN=SM1

#4 trustediss2 = CN=SM1

#5 trustedsys1 = SM1,000

#6 trustedsys2 = SM1,900

#7 ume.configuration.active = true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.

#1 com.sap.spnego.jgss.name = Servers

#2 com.sap.spnego.uid.resolution.attr = kpnprefix

#3 com.sap.spnego.uid.resolution.dn = dn

#4 com.sap.spnego.uid.resolution.mode = prefixbased

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

#1 ume.configuration.active = true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

#1 ume.configuration.active = true

I see the error:

com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.

#1 com.sap.spnego.jgss.name = Servers

#2 com.sap.spnego.uid.resolution.attr = kpnprefix

#3 com.sap.spnego.uid.resolution.dn = dn

#4 com.sap.spnego.uid.resolution.mode = prefixbased

but this is a guest user, this user don't have any AD user...

Can you please help me with this issue?

thank you

Best regards

João Macedo

15 REPLIES 15

Former Member

‎04-15-2010 3:43 PM

0 Kudos

Hi there,

This means that the engine is configured to use SPNego. And "No authorization header received" means that the browser did not send the Kerberos token in the form of the header expected by the engine "Authorization: YII........".

If you do not expect to log on with Kerberos you can ignore this message.

Cheers,

Dimitar

NetWeaver Development Support

former_member1098367
Participant
In response to Former Member

‎04-15-2010 5:09 PM

0 Kudos

Hi,

Thank you for you reply,

I'm trying to understand why the logion module fails.

Hi have the following messages:

LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

#1 trusteddn1 = OU=J2EE,CN=SM1

#2 trusteddn2 = CN=SM1

#3 trustediss1 = OU=J2EE,CN=SM1

#4 trustediss2 = CN=SM1

#5 trustedsys1 = SM1,000

#6 trustedsys2 = SM1,900

#7 ume.configuration.active = true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.

#1 com.sap.spnego.jgss.name = QQQQQQQQQQQQQQQQQ

#2 com.sap.spnego.uid.resolution.attr = kpnprefix

#3 com.sap.spnego.uid.resolution.dn = dn

#4 com.sap.spnego.uid.resolution.mode = prefixbased

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

#1 ume.configuration.active = true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

#1 ume.configuration.active = true

getLoggedInUser

com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)

at java.security.AccessController.doPrivileged(AccessController.java:246)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:176)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)

at java.lang.reflect.Method.invoke(Method.java:391)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)

at java.security.AccessController.doPrivileged(AccessController.java:246)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)

at javax.security.auth.login.LoginContext.login(LoginContext.java:557)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:103)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)

at java.security.AccessController.doPrivileged(AccessController.java:246)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)

at com.sap.portal.navigation.Gateway.service(Gateway.java:101)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(AccessController.java:219)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)

Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)

... 42 more

do you know what could cause this issue?

This appens when I try to call irj/portal?show=true

Thank you

Best regards

João Macedo

Former Member
In response to Former Member

‎04-15-2010 6:33 PM

0 Kudos

Hi João,

The login module fails because for some reason the browser does not send the header. How did you configure SPNego on this server? I am pretty sure you did not use the SPNego wizard (Note 994791). In addition, you have to configure the service user in the active directory, as well as the browser you are using for access.

If you haven't done any of those things SPNego is not going to work. Did you follow any notes/guides/blogs when configuring the system?

Cheers,

Dimitar

NetWeaver Development Support

former_member1098367
Participant
In response to Former Member

‎04-15-2010 11:24 PM

0 Kudos

hI Dimitar

The Kerberos was installed by SAP team in our system, so, I believe thar all notes was followed.

We are now studing this with SAP in an OSS message.

Let see what we can find...

Thank you and Best regards

João Macedo

Former Member
In response to Former Member

‎04-16-2010 10:45 AM

0 Kudos

Hi João,

OK, if the Primary Support colleagues have problems they are going to forward to us anyway. If you tell me the message number I could have a look beforehand.

Cheers,

Dimitar

former_member1098367
Participant
In response to Former Member

‎04-16-2010 10:53 AM

0 Kudos

hello Dimitar

Message 42209.

This is not in primary support. Is in the security area.

Please take a look on the message, and we can discuss better, if you have any kind of tests that I can do to solve the issue.

Thank you

Best regards

João Macedo

Former Member
In response to Former Member

‎04-16-2010 11:14 AM

0 Kudos

Hi João,

I actually worked on this message. But it was reported about a totally different thing - about the logging in System.err, right? That's why it is being investigated by the Portal colleagues, because it has nothing to do with security.

You shouldn't report more than one problem in a single message, otherwise we get exactly what is happening here - your second question is taking a very long time to process simply because the Portal colleagues cannot answer it. So if you want to solve this problem, you should open a new message, describe exactly what the issue is (because I still don't know if the failing SPNego is a problem) and put it in BC-JAS-SEC.

Cheers,

Dimitar

former_member1098367
Participant
In response to Former Member

‎04-16-2010 11:28 AM

0 Kudos

Hello Dimitar

Thanks for your reply,

Yes, we have a bug in System.err messages, I taked a look to all source code, but I can't find any debug code

I'm thinking one more think, and this I think that you can help me:

We have the login component, that is made with the portal application com.sap.portal.runtime.logon_api.par, and we have another code for the login modules, that's right?

how can I get the code associated to login modules? Maybe in this code we had the System.err.println .... I tried to look for documentation how can I get this code, but I only found document, that explain how to do a customized login module.

yes, I have two questions on same messaje, my fault. One for debug, another for the Login Modules error when I enter ?show=true parameter. Should I create a new message to debug issue only?

Thank you

with best regards

João Macedo

Former Member
In response to Former Member

‎04-16-2010 11:37 AM

0 Kudos

Hi João,

You shouldn't open a new message for the debug traces, the original one was reported about them and it is being processed by the correct component (the Portal). If you want to report a problem with SPNego authentication, which is suggested by the failing SPNegoLoginModule module, then you should open a new one.

The source code of our login modules is not going to help you, I know that we do not write in System.err. Besides, the traces that you see are produced by some Portal code. I had a very deep look at the message and that's why I sent it to the colleagues. They should have a better idea and they are going to help you.

Cheers,

Dimitar

former_member1098367
Participant
In response to Former Member

‎04-16-2010 12:57 PM

0 Kudos

Hi Dimitar

we can see that in the file

\PORTAL-INF\umLogonPage.jsp

we had the code

if (srv.getDebug()) {

System.err.println("debug -> Service: "+srv);

System.err.println("debug -> Active: "+srv.getActive());

System.err.println("debug -> User: "+srv.getGlobalUser());

System.err.println("debug -> Servers: "+srv.getServers());

System.err.println("debug -> IUser: "+proxy.getActiveUser());

System.err.println("debug -> Server Name: "+proxy.getServerName());

}

We will delete this code and do a new upload of par file.

I will keep you informed.

with best regards

Jou00E3o Macedo

Former Member
In response to Former Member

‎04-16-2010 1:07 PM

0 Kudos

Hi João,

Great, I think this is going to solve your problem. Do you have any idea who might have put this code there?

Cheers,

Dimitar

former_member1098367
Participant
In response to Former Member

‎04-16-2010 1:15 PM

0 Kudos

Hi Dimitar

My question is not "Do you have any idea who might have put this code there?" but "why in portalapp.xml file I have debug=false and the in this if, the debug = true ????"

lets see what we can do, in this night we will update the portal app, i'm doing some tests in Demo environments right now...

I already add a post in the message.

Best regards

João Macedo

Former Member
In response to Former Member

‎04-16-2010 1:27 PM

0 Kudos

Hi João,

Unfortunately I can't answer why debug was on when you specified off in the portalapp.xml file since it is a part of the Portal framework. But the colleagues are going to answer your question in the message.

Cheers,

Dimitar

former_member1098367
Participant
In response to Former Member

‎04-16-2010 1:34 PM

0 Kudos

Hi Dimitar

Many thanls for your support today here in forum

We will see next why the ?show=true don't riderects the browser to the login page, when I am in a computer that the SSO works... another story xD

Cheers,

João Macedo

Former Member
In response to Former Member

‎04-16-2010 1:39 PM

0 Kudos

Hi João,

OK, I hope you figure it out soon If you have any problems with the Java engine you can always open a new thread or PM me.

Cheers,

Dimitar