Problem with Kerberos Authentication

Former Member
0 Kudos

I am setting up Kerberos Authentication for the first time in our environment. I have gone back through my configuration several times to make sure there are no typos, mistakes, omissions, etc. For the life of me, I cannot find what I am missing.

I have mapped an AD user to an SAP user in the UME per the SAP documentation. But whenever I do a test login, I continue to get a Windows authentication popup. If I then manually enter the Windows domain credentials (same credentials that I am logged on with when testing), it successfully maps to the SAP user and opens the page. However, it will not seem to pass the response header containing the user ID automatically. Some of the messages showing up in the diagtool are as follows. These are select messages, not the whole trace, and I'm not sure the cookie errors are even related to the null response header problem:

Get cookie MYSAPSSO2

Cookie MYSAPSSO2 is not found

Received no SAPLogonTicket. Authentication stack: [ticket]

Get Header Authorization

Set value to null

Access Denied - responseHeader is NULL

Accepted Solutions (0)

Answers (1)

hofmann
Active Contributor
0 Kudos

Hi,

Can you share more information? OS, SAP System, Patch level?

- spnego entry created in the windows AD?

- AD and SAP System are in the same domain?

- spnego is pointing to CNAME or A DNS entry? The spnego entry has to point to the A entry.

br,

Tobias

Former Member
0 Kudos

Here is the information you asked about:

OS = Windows 2008, including Active Directory

SAP Version = Netweaver PI 7.1 EHP 1

AD and SAP are in the same domain.

Setspn command:

setspn -A HTTP/<hostname.domain> <DOMAIN>\j2ee-XQ1

krb5.conf file

[domain_realm]

[libdefaults]

default_keytab_name = H:\usr\sap\XQ1\SYS\global\kerberos\XQ1.keytab

default_realm = <DOMAIN NAME>

dns_lookup_kdc = true

default_tgs_enctypes=des-cbc-md5;des-cbc-crc

default_tkt_enctypes=des-cbc-md5;des-cbc-crc

[logging]

[realms]

ITELLIHS.PRIV = {

admin_server = <domain controller hostname>

kdc = <domain controller hostname>

}

Former Member
0 Kudos

Hi,

Is your AD 2008 configured to accept DES? By default it is not, and the SAP Kerberos implementation is not yet able to use another encryption algorithm (it is announced for a future SP).

It is still possible to use DES, but this is a security issue (DES has been compromised) and it does not work with Windows 7 client workstations.

Regards,

Olivier
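
Added example (not part of the original thread and not SAP code): a small Python check that reads the enctype settings from a krb5.conf like the one posted above and flags the DES-only configuration Olivier describes. The sample file is constructed, EXAMPLE.COM and dc01.example.com are placeholders, and the function names are this example's own.

```python
import re

# Single-DES CBC enctypes (des-cbc-crc, des-cbc-md4, des-cbc-md5) are treated as weak.
WEAK_PREFIX = "des-cbc-"
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample modelled on the krb5.conf in the thread (placeholder realm and KDC).
SAMPLE = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = dc01.example.com
}
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat 'key = value' lines of a krb5.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":      # blank, comment, or end of a realm block
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value != "{":                  # skip the opening line of a realm block
                current[key] = value
    return sections

def audit_enctypes(text):
    """Return (key, enctypes, verdict) for each enctype setting found in [libdefaults]."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    findings = []
    for key in (k for k in ENCTYPE_KEYS if k in libdefaults):
        # The thread's file separates enctypes with ';'; other files use spaces or commas.
        enctypes = [e for e in re.split(r"[;,\s]+", libdefaults[key].lower()) if e]
        weak = [e for e in enctypes if e.startswith(WEAK_PREFIX)]
        verdict = "ok" if not weak else ("DES-only" if len(weak) == len(enctypes) else "DES-allowed")
        findings.append((key, enctypes, verdict))
    return findings

if __name__ == "__main__":
    print(*audit_enctypes(SAMPLE), sep="\n")
```

A "DES-only" verdict means the service can only work if the account and domain policy explicitly allow DES, which is the condition raised in the reply above.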

Former Member
0 Kudos

Thanks Olivier. I was able to get it working; apparently I had made a mistake in adjusting the IE settings on the workstation that I was testing from. I added the URLs into the trusted systems area instead of the intranet zone area. Makes a big difference apparently.

Interesting about AD 2008 and DES though, I did not realize this. I would be surprised if anyone has changed this setting on our domain, but it seems to work. I will double check.

former_member432219
Active Participant
0 Kudos

Hi Kevin and Olivier

Refer to SAP Note 1457499 - 'SPNego add-on' for details of enhancements in this area

Edited by: Patrick Whitty on Jun 29, 2010 10:33 PM

Former Member
0 Kudos

Hi Patrick,

Yes, that's the note I was speaking about when saying SAP has announced AD 2008 and Win 7 support.

Anyway it was too late for us and we had to buy a 3rd party software...

Regards,

Olivier