04-12-2010 5:26 PM
Hi all,
I'm trying to understand why I got the following error on login modules, with Guest user:
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 trusteddn1 = OU=J2EE,CN=SM1
#2 trusteddn2 = CN=SM1
#3 trustediss1 = OU=J2EE,CN=SM1
#4 trustediss2 = CN=SM1
#5 trustedsys1 = SM1,000
#6 trustedsys2 = SM1,900
#7 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
#1 com.sap.spnego.jgss.name = Servers
#2 com.sap.spnego.uid.resolution.attr = kpnprefix
#3 com.sap.spnego.uid.resolution.dn = dn
#4 com.sap.spnego.uid.resolution.mode = prefixbased
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
#1 ume.configuration.active = true
I see the error:
com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
#1 com.sap.spnego.jgss.name = Servers
#2 com.sap.spnego.uid.resolution.attr = kpnprefix
#3 com.sap.spnego.uid.resolution.dn = dn
#4 com.sap.spnego.uid.resolution.mode = prefixbased
But this is a guest user; this user doesn't have any AD user...
Can you please help me with this issue?
Thank you
Best regards
João Macedo
04-15-2010 3:43 PM
Hi there,
This means that the engine is configured to use SPNego. And "No authorization header received" means that the browser did not send the Kerberos token in the form of the header expected by the engine "Authorization: YII........".
If you do not expect to log on with Kerberos you can ignore this message.
Cheers,
Dimitar
NetWeaver Development Support
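Added example (not part of the original thread and not SAP code): a small triage script that parses the module rows of the LOGIN.FAILED table posted above and applies the standard JAAS control-flag rules, showing that the OPTIONAL SPNegoLoginModule failure does not decide the result while the failing REQUISITE BasicPasswordLoginModule does. Assumptions: the engine follows the standard JAAS flag semantics, the second value after the flag is the Login column, and the names parse_stack and evaluate are hypothetical.

```python
import re

# Constructed sample: module rows copied from the LOGIN.FAILED table in this
# thread; one '#' option line is kept to show that such lines are skipped.
SAMPLE = """\
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#7 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
"""

ROW = re.compile(
    r"^\d+\.\s+(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s+(\S+)\s+(\S+)")

def parse_stack(text):
    """Return [(module_short_name, flag, login_result)] for each module row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # '#n key = value' option lines do not match and are skipped
            # Assumption: the 2nd value after the flag is the Login column.
            rows.append((m.group(1).rsplit(".", 1)[-1], m.group(2), m.group(4)))
    return rows

def evaluate(stack):
    """Apply JAAS control-flag rules; return (authenticated, deciding_module)."""
    failed_mandatory = None   # first REQUIRED/REQUISITE module that failed
    has_mandatory = False
    any_success = False
    for name, flag, login in stack:
        ok = login == "true"  # 'false' and 'exception' both count as failure
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            has_mandatory = True
            if not ok:
                failed_mandatory = failed_mandatory or name
                if flag == "REQUISITE":
                    return False, failed_mandatory  # REQUISITE failure stops the stack
        elif flag == "SUFFICIENT" and ok and failed_mandatory is None:
            return True, name                       # SUFFICIENT success stops the stack
    if failed_mandatory:
        return False, failed_mandatory
    # No mandatory module failed: succeed if mandatory modules existed,
    # otherwise at least one SUFFICIENT/OPTIONAL module must have succeeded.
    return (has_mandatory or any_success), None
```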
04-15-2010 5:09 PM
Hi,
Thank you for your reply,
I'm trying to understand why the login module fails.
I have the following messages:
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 trusteddn1 = OU=J2EE,CN=SM1
#2 trusteddn2 = CN=SM1
#3 trustediss1 = OU=J2EE,CN=SM1
#4 trustediss2 = CN=SM1
#5 trustedsys1 = SM1,000
#6 trustedsys2 = SM1,900
#7 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
#1 com.sap.spnego.jgss.name = QQQQQQQQQQQQQQQQQ
#2 com.sap.spnego.uid.resolution.attr = kpnprefix
#3 com.sap.spnego.uid.resolution.dn = dn
#4 com.sap.spnego.uid.resolution.mode = prefixbased
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
#1 ume.configuration.active = true
getLoggedInUser
com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:176)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:103)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
... 42 more
Do you know what could cause this issue?
This happens when I try to call irj/portal?show=true
Thank you
Best regards
João Macedo
04-15-2010 6:33 PM
Hi João,
The login module fails because for some reason the browser does not send the header. How did you configure SPNego on this server? I am pretty sure you did not use the SPNego wizard (Note 994791). In addition, you have to configure the service user in the active directory, as well as the browser you are using for access.
If you haven't done any of those things SPNego is not going to work. Did you follow any notes/guides/blogs when configuring the system?
Cheers,
Dimitar
NetWeaver Development Support
04-15-2010 11:24 PM
Hi Dimitar
The Kerberos was installed by the SAP team in our system, so I believe that all notes were followed.
We are now studying this with SAP in an OSS message.
Let's see what we can find...
Thank you and Best regards
João Macedo
04-16-2010 10:45 AM
Hi João,
OK, if the Primary Support colleagues have problems they are going to forward to us anyway. If you tell me the message number I could have a look beforehand.
Cheers,
Dimitar
04-16-2010 10:53 AM
Hello Dimitar
Message 42209.
This is not in primary support. It is in the security area.
Please take a look at the message, and we can discuss better, if you have any kind of tests that I can do to solve the issue.
Thank you
Best regards
João Macedo
04-16-2010 11:14 AM
Hi João,
I actually worked on this message. But it was reported about a totally different thing - about the logging in System.err, right? That's why it is being investigated by the Portal colleagues, because it has nothing to do with security.
You shouldn't report more than one problem in a single message, otherwise we get exactly what is happening here - your second question is taking a very long time to process simply because the Portal colleagues cannot answer it. So if you want to solve this problem, you should open a new message, describe exactly what the issue is (because I still don't know if the failing SPNego is a problem) and put it in BC-JAS-SEC.
Cheers,
Dimitar
04-16-2010 11:28 AM
Hello Dimitar
Thanks for your reply,
Yes, we have a bug in System.err messages. I took a look at all the source code, but I can't find any debug code.
I'm thinking of one more thing, and with this I think that you can help me:
We have the login component, which is made with the portal application com.sap.portal.runtime.logon_api.par, and we have other code for the login modules, is that right?
How can I get the code associated with the login modules? Maybe in this code we had the System.err.println .... I tried to look for documentation on how I can get this code, but I only found a document that explains how to do a customized login module.
Yes, I have two questions in the same message, my fault. One for debug, another for the Login Modules error when I enter the ?show=true parameter. Should I create a new message for the debug issue only?
Thank you
with best regards
João Macedo
04-16-2010 11:37 AM
Hi João,
You shouldn't open a new message for the debug traces, the original one was reported about them and it is being processed by the correct component (the Portal). If you want to report a problem with SPNego authentication, which is suggested by the failing SPNegoLoginModule module, then you should open a new one.
The source code of our login modules is not going to help you, I know that we do not write in System.err. Besides, the traces that you see are produced by some Portal code. I had a very deep look at the message and that's why I sent it to the colleagues. They should have a better idea and they are going to help you.
Cheers,
Dimitar
04-16-2010 12:57 PM
Hi Dimitar
We can see that in the file
\PORTAL-INF\umLogonPage.jsp
we had the code
if (srv.getDebug()) {
    System.err.println("debug -> Service: "+srv);
    System.err.println("debug -> Active: "+srv.getActive());
    System.err.println("debug -> User: "+srv.getGlobalUser());
    System.err.println("debug -> Servers: "+srv.getServers());
    System.err.println("debug -> IUser: "+proxy.getActiveUser());
    System.err.println("debug -> Server Name: "+proxy.getServerName());
}
We will delete this code and do a new upload of the par file.
I will keep you informed.
with best regards
João Macedo
04-16-2010 1:07 PM
Hi João,
Great, I think this is going to solve your problem. Do you have any idea who might have put this code there?
Cheers,
Dimitar
04-16-2010 1:15 PM
Hi Dimitar
My question is not "Do you have any idea who might have put this code there?" but "why in the portalapp.xml file do I have debug=false and then, in this if, debug = true?"
Let's see what we can do. Tonight we will update the portal app; I'm doing some tests in Demo environments right now...
I already added a post in the message.
Best regards
João Macedo
04-16-2010 1:27 PM
Hi João,
Unfortunately I can't answer why debug was on when you specified off in the portalapp.xml file since it is a part of the Portal framework. But the colleagues are going to answer your question in the message.
Cheers,
Dimitar
04-16-2010 1:34 PM
Hi Dimitar
Many thanks for your support today here in the forum.
We will see next why the ?show=true doesn't redirect the browser to the login page when I am on a computer where the SSO works... another story xD
Cheers,
João Macedo
04-16-2010 1:39 PM
Hi João,
OK, I hope you figure it out soon. If you have any problems with the Java engine you can always open a new thread or PM me.
Cheers,
Dimitar