12-03-2010 9:47 AM
Hi all,
We are testing Kerberos for j2ee engine (for EP 7.1). It has UME integrated to LDAP. We have used the new Spnego wizard as the AD server is Windows 2008 R2. It did not work out well.
Whenever the configuration fails, we are unable to log in to the portal/nwa as administrator or any of the test users over the AD.
Is this due to the 'adjusting the policy configuration' part that we manipulate in the Visual Admin as a part of the Kerberos configuration? What should be the default policy configuration, without Kerberos?
Any inputs will be greatly appreciated.
Thanks and regards,
Rosun
12-03-2010 2:33 PM
Hi Rosun,
To better understand the problem that you have with the Kerberos configuration, you should create a webdiagtool trace, as described in SAP note 1045019. This will help you to see where the problem is.
Regarding the policy configurations, I think this documentation might be useful for you:
https://cw.sdn.sap.com/cw/docs/DOC-110960
Regards,
Désiré
12-06-2010 9:04 AM
Hi Desiree,
I am aware of the diagtool; yet to use it though.
I have the following default login modules in the policy configuration -> ticket -> Authentication
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
As a part of the configuration I am to add SPNEGOLoginModule too (as OPTIONAL). The problem is when Kerberos fails, the login completely fails even with the IDs (administrator or otherwise) and the passwords.
How to keep the BasicPasswordLoginModule intact when other ticket mechanisms fail?
I have gone through many links on policy configurations but to no avail.
thanks and regards
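Added example, not part of the original thread and not SAP code: a small simulation of the standard JAAS control-flag rules (SUFFICIENT, REQUISITE, OPTIONAL) applied to the login module stack quoted in the post above, with SPNEGOLoginModule added as OPTIONAL. Under these rules alone, a failing OPTIONAL module does not stop BasicPasswordLoginModule from deciding the result. The position of SPNEGOLoginModule in the stack, the short class names and the per-module outcomes are assumptions made for illustration.

```python
# Simulates the standard JAAS control-flag rules documented for
# javax.security.auth.login.Configuration. Plain JAAS semantics only,
# not SAP engine code; short class names are used for readability.

# Stack from the post plus SPNEGOLoginModule as OPTIONAL.
# ASSUMPTION: its position (second) is chosen for illustration.
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNEGOLoginModule", "OPTIONAL"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]


def evaluate(stack, outcomes):
    """Return (overall_success, modules_called).

    outcomes maps module name -> True if its login() succeeds.
    """
    called = []
    mandatory_failed = False  # a REQUIRED or REQUISITE module failed
    any_success = False
    for name, flag in stack:
        called.append(name)
        ok = outcomes.get(name, False)
        if ok:
            any_success = True
            # SUFFICIENT success ends the run unless a mandatory module failed.
            if flag == "SUFFICIENT" and not mandatory_failed:
                return True, called
        elif flag in ("REQUIRED", "REQUISITE"):
            mandatory_failed = True
            if flag == "REQUISITE":
                break  # REQUISITE failure stops the stack immediately
        # Failed SUFFICIENT / OPTIONAL modules: evaluation just continues.
    return (not mandatory_failed) and any_success, called


if __name__ == "__main__":
    # Constructed scenarios: Kerberos (SPNEGO) fails in the first two.
    scenarios = {
        "no ticket, SPNEGO fails, password OK": {
            "BasicPasswordLoginModule": True, "CreateTicketLoginModule": True},
        "no ticket, SPNEGO fails, password wrong": {},
        "valid logon ticket": {"EvaluateTicketLoginModule": True},
    }
    for label, outcomes in scenarios.items():
        print(label, "->", evaluate(STACK, outcomes))
```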
12-08-2010 1:08 PM
I had run the web diagtool. The first warning I am getting is as follows:
...
User not found by account attributes: [[namespace: com.sap.security.core.authentication, name: principal, value: TEST_USER2], [namespace: com.sap.security.core.authentication, name: realm, value: XXXXSAPTEST.COM]]
...
12-08-2010 2:52 PM
12-09-2010 4:02 AM
Hi venkatesh,
I am following his blogs. He would be talking about Spnego configuration. I am running an Spnego add-on. This is new and differs in parts from the previous one. This is more from a Windows 7/Windows Server 2008 R2 perspective. Hence the confusion.
Thanks though.
12-29-2010 4:13 AM
This issue is resolved. The problem was with the KTPASS command we have been running for the keytab files generation.
01-06-2012 12:41 AM