on 06-25-2010 7:38 PM
I am setting up Kerberos Authentication for the first time in our environment. I have gone back through my configuration several times to make sure there are no typos, mistakes, omissions, etc. For the life of me, I cannot find what I am missing.
I have mapped an AD user to an SAP user in the UME per the SAP documentation. But whenever I do a test login, I continue to get a Windows authentication popup. If I then manually enter the Windows domain credentials (same credentials that I am logged on with when testing), it successfully maps to the SAP user and opens the page. However, it will not seem to pass the response header containing the user ID automatically. Some of the messages showing up in the diagtool are as follows. These are select messages, not the whole trace, and I'm not sure the cookie errors are even related to the null response header problem:
Get cookie MYSAPSSO2
Cookie MYSAPSSO2 is not found
Received no SAPLogonTicket. Authentication stack: [ticket]
Get Header Authorization
Set value to null
Access Denied - responseHeader is NULL
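The trace above says two things: no MYSAPSSO2 logon ticket cookie arrived, and the Authorization header was null, so the browser never sent a Negotiate token at all. The following is an added example (not part of the original post or of any SAP tool) that reads a trace excerpt like the one quoted, extracts those two observations, and classifies what the browser actually sent: nothing, an NTLM fallback token, a Kerberos/SPNEGO token, or Basic credentials. The trace text and header values in it are constructed samples modelled on the lines above, and the verdict strings are the checks a practitioner would run next.

```python
import base64
import binascii

# Constructed trace excerpt, modelled on the diagtool lines quoted in the post above.
SAMPLE_TRACE = """Get cookie MYSAPSSO2
Cookie MYSAPSSO2 is not found
Received no SAPLogonTicket. Authentication stack: [ticket]
Get Header Authorization
Set value to null
Access Denied - responseHeader is NULL"""

VERDICTS = {
    "none": "browser sent no Negotiate token: SPNEGO was never attempted "
            "(check the browser's Intranet zone / integrated auth settings for this URL)",
    "ntlm": "browser fell back to NTLM: it could not obtain a service ticket "
            "(check the HTTP/<host> SPN and that the URL host is an A record, not a CNAME)",
    "spnego": "browser sent a Kerberos/SPNEGO token: the failure is on the server side "
              "(keytab, realm or enctype configuration)",
    "basic": "browser used Basic credentials: integrated auth is off for this URL",
    "unknown": "Authorization header present but not recognised",
}


def classify_authorization(value):
    """Classify the Authorization header value the browser sent.

    Returns 'none' (absent or null), 'basic', 'ntlm' (NTLMSSP token carried in
    a Negotiate/NTLM header), 'spnego' (GSS-API initial context token, i.e.
    Kerberos via SPNEGO) or 'unknown'.
    """
    if value is None or value.strip().lower() in ("", "null"):
        return "none"
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    token = token.strip()
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0] tag of a GSS-API InitialContextToken
        return "spnego"
    return "unknown"


def parse_trace(trace):
    """Extract the cookie and Authorization-header observations from a trace excerpt."""
    result = {"sso2_cookie": None, "authorization": None}
    expect_value = False
    for line in trace.splitlines():
        line = line.strip()
        if line == "Cookie MYSAPSSO2 is not found":
            result["sso2_cookie"] = False
        elif line == "Get Header Authorization":
            expect_value = True            # the next "Set value to ..." line is the header value
        elif expect_value and line.startswith("Set value to "):
            value = line[len("Set value to "):]
            result["authorization"] = None if value == "null" else value
            expect_value = False
    result["token"] = classify_authorization(result["authorization"])
    result["verdict"] = VERDICTS[result["token"]]
    return result


if __name__ == "__main__":
    report = parse_trace(SAMPLE_TRACE)
    print(f"SSO2 cookie present: {report['sso2_cookie']}")
    print(f"Authorization token: {report['token']}")
    print(f"Verdict: {report['verdict']}")
```

The token check is deliberately based on the decoded bytes rather than the scheme name: browsers send an NTLM type-1 message under the `Negotiate` scheme when Kerberos ticket acquisition fails, so "Negotiate" in the header alone does not prove Kerberos was used.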
Hi,
Can you share more information? OS, SAP System, Patch level?
- spnego entry created in the windows AD?
- AD and SAP System are in the same domain?
- spnego is pointing to CNAME or A DNS entry? The spnego entry has to point to the A entry.
br,
Tobias
Here is the information you asked about:
OS = Windows 2008, including Active Directory
SAP Version = Netweaver PI 7.1 EHP 1
AD and SAP are in the same domain.
Setspn command:
setspn -A HTTP/<hostname.domain> <DOMAIN>\j2ee-XQ1
krb5.conf file
[domain_realm]
[libdefaults]
default_keytab_name = H:\usr\sap\XQ1\SYS\global\kerberos\XQ1.keytab
default_realm = <DOMAIN NAME>
dns_lookup_kdc = true
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc
[logging]
[realms]
ITELLIHS.PRIV = {
admin_server = <domain controller hostname>
kdc = <domain controller hostname>
}
Hi,
Is your AD 2008 configured to accept DES? By default it is not, and the SAP Kerberos implementation is not yet able to use another encryption algorithm (it is announced for a future SP).
It is still possible to use DES, but this is a security issue (DES has been compromised) and it does not work with Windows 7 client workstations.
Regards,
Olivier
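The krb5.conf posted above pins both `default_tkt_enctypes` and `default_tgs_enctypes` to single DES, which is the point Olivier raises. The following is an added example (not from the thread, SAP or MIT Kerberos) that parses a krb5.conf, including the `{ }` realm blocks, and reports enctype lists that consist only of deprecated types, or that permit them alongside strong ones, plus `allow_weak_crypto` and a `default_realm` with no `[realms]` entry. The DES-only sample is modelled on the configuration in the thread with placeholder realm, host and path values; the AES variant shows the same file with the AES enctypes that a stack supporting them would use. Separators of space, comma and semicolon are all accepted, since the posted file uses semicolons.

```python
import re

# Enctypes deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed krb5.conf modelled on the one posted in the thread; realm, hosts and path are placeholders.
DES_ONLY_CONF = """[libdefaults]
default_keytab_name = H:\\usr\\sap\\XQ1\\SYS\\global\\kerberos\\XQ1.keytab
default_realm = EXAMPLE.PRIV
dns_lookup_kdc = true
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc

[realms]
EXAMPLE.PRIV = {
  admin_server = dc01.example.priv
  kdc = dc01.example.priv
}
"""

# The same file with AES enctypes, for a Kerberos library that supports them.
AES_CONF = DES_ONLY_CONF.replace(
    "des-cbc-md5;des-cbc-crc", "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or nested dict}}."""
    conf, stack = {}, []          # stack holds the dict currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                      # new top-level section, e.g. [libdefaults]
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue               # ignore lines before the first section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if m:                      # nested block, e.g. EXAMPLE.PRIV = {
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        key, sep, value = line.partition("=")
        if sep:
            stack[-1][key.strip()] = value.strip()
    return conf


def audit_krb5_conf(text):
    """Return a list of findings; an empty list means no weak-crypto issues were found."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        enctypes = [e.lower() for e in re.split(r"[\s,;]+", libdefaults[key]) if e]
        weak = [e for e in enctypes if e in WEAK_ENCTYPES]
        if weak and len(weak) == len(enctypes):
            findings.append(f"{key}: only deprecated enctypes configured ({', '.join(weak)})")
        elif weak:
            findings.append(f"{key}: deprecated enctypes permitted alongside strong ones ({', '.join(weak)})")
    if libdefaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true")
    realm = libdefaults.get("default_realm")
    if realm and realm not in conf.get("realms", {}):
        findings.append(f"default_realm {realm} has no [realms] entry")
    return findings


if __name__ == "__main__":
    for name, conf_text in (("DES-only", DES_ONLY_CONF), ("AES", AES_CONF)):
        print(f"{name}: {audit_krb5_conf(conf_text) or ['no findings']}")
```

Changing the enctype list in krb5.conf is only half of the move away from DES: the service account's keytab and the account's Kerberos settings in AD must also carry the stronger key types, or the KDC and the service will still disagree on a key.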
Thanks Olivier. I was able to get it working; apparently I had made a mistake in adjusting the IE settings on the workstation that I was testing from. I added the URLs into the trusted sites area instead of the intranet zone area. Makes a big difference apparently.
Interesting about AD 2008 and DES though, I did not realize this. I would be surprised if anyone has changed this setting on our domain, but it seems to work. I will double check.