Solved: Kerberos Configuration not working

Former Member · ‎12-03-2010

Hi all,

We are testing Kerberos for j2ee engine (for EP 7.1). It has UME integrated to LDAP. We have used the new Spnego wizard as the AD server is Windows 2008 R2. It did not work out well.

Whenever the configuration fails, We are unable to log in to the portal/nwa as administrator or any of the test users over the AD.

Is this due to the 'adjusting the policy configuration' part that we manipulate in the Visual Admin as a part of the Kerberos configuration? What should be the default policy configuration; without kerberos?

Any inputs will be greatly appreciated.

Thanks and regards,

Rosun

desiree_matas · ‎12-03-2010

Hi Rosun,

To better understand the problem that you have with the kerberos configuration, you should create a webdiagtool trace, as described in SAP note 1045019. This will help you to see where the problem is.

Regarding the policy configurations, I think this documention might be useful for you:

https://cw.sdn.sap.com/cw/docs/DOC-110960

Regards,

Désiré

desiree_matas · ‎12-03-2010

Hi Rosun,

To better understand the problem that you have with the kerberos configuration, you should create a webdiagtool trace, as described in SAP note 1045019. This will help you to see where the problem is.

Regarding the policy configurations, I think this documention might be useful for you:

https://cw.sdn.sap.com/cw/docs/DOC-110960

Regards,

Désiré

Former Member · ‎12-06-2010

Hi Desiree,

I am aware of the diagtool; yet to use it though.

I have the following default login modules in the policy configuration -> ticket -> Authentication

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

As a part of the configuration I am to add SPNEGOLoginModule too (as OPTIONAL). The problem is when Kerberos fails, the login completely fails even with the ID's (administrator or otherwise) and the passwords.

How to keep the BasicPasswordLoginModule intact when other ticket mechanisms fail?

I have gone through many links on policy configurations but to of no avail.

thanks and regards

Former Member · ‎12-08-2010

I had run the web diagtool. The First warning I am getting is as follows:

...

User not found by account attributes: [[namespace: com.sap.security.core.authentication, name: principal, value: TEST_USER2], [namespace: com.sap.security.core.authentication, name: realm, value: XXXXSAPTEST.COM]]

...

Former Member · ‎12-08-2010

Please check the following blog and series og blogs by Holger. I resolved most of my issues with ABAP as datasource using these blogs.

also the following one.

Edited by: venkatesh koukuntla on Dec 8, 2010 3:55 PM

Former Member · ‎12-09-2010

Hi venkatesh,

I am following his blogs. He would be talking about Spnego configuration. I am running an Spnego-add on. This is new and differ in parts from the previous one. This is more from a Windows 7/Windows server 2008 R2 perspective. Hence the confusion.

Thanks though.

Former Member · ‎12-29-2010

This issue is resolved. The problem was with the KTPASS command we have been running for the keytab files generation.

jorge_velasquez · ‎01-06-2012

Hi,

Could you please explain what commands do you used?

Regards