on 01-17-2011 3:22 PM
Hi All,
We have configured the SPNEGO wizard. We have followed the steps provided in SAP Note #1457499, deployed the files in SPNego_AddOn_700.zip and followed all the steps in the PDF.
We are getting the below error:
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.Exception: Invalid ticket endtime: 20110117223730Z
at com.sap.security.spnego.krb5.KrbApReq.throwValidationException(KrbApReq.java:112)
at com.sap.security.spnego.krb5.KrbApReq.validate(KrbApReq.java:100)
at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:240)
at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Please suggest what could be the issue.
Regards
Amit
Hi Amit,
java.lang.Exception: Invalid ticket endtime: 20110117223730Z
Seems like the time difference between the portal server and KDC server is too great (refer to the blog "Configuring and troubleshooting SPNego -- Part 3", http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8313 [original link is broken], for further details).
Best regards,
Aliaksandr Zhukau
Hi
Web diagtool also shows the same error:
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.Exception: Invalid ticket endtime: 20110118140218Z
at com.sap.security.spnego.krb5.KrbApReq.throwValidationException(KrbApReq.java:112)
at com.sap.security.spnego.krb5.KrbApReq.validate(KrbApReq.java:100)
at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:240)
at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:523)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:412)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Regards
Amit
Hi Amit,
20110118140218Z stands for 2011-01-18 14:02:18 ± 0:00 UTC ('Z' is the zone designator for the zero UTC offset).
Yes, the time difference was there, but I have corrected it. Still getting the same error. Only a 2-minute difference is there between AD and the portal server.
Are both servers in the same time zone?
Best regards,
Aliaksandr Zhukau
Hi,
There is some useful information available on SCN. Have you checked it out?
Good blog on troubleshooting spnego:
SCN Wiki:
http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSPNego%28NWAS+Java%29
SAP Note on troubleshooting spnego:
Hi Amit.
Both the servers are in the same time zone (GMT +5:30 offset from CUT).
It is good, but com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken parses a ticket as it is issued in the GMT +0:00 zone. It may be caused by the JDK itself, the SPNEGO login module, or the KDC. To make sure that it comes from the Java side, it is worth checking the communication between the portal and the KDC with Wireshark. Anyway, you have raised an OSS and SAP will more likely ask you to do the same.
Best regards,
Aliaksandr Zhukau
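The endtime in the exception is a Kerberos GeneralizedTime whose trailing 'Z' marks UTC. The following is an added example, not part of the original posts and not SAP's login module code, showing how the same string lands 5:30 earlier when a parser reads the digits in the server's local zone, so a ticket with hours of lifetime left is treated as expired. The class name, the 5-minute skew tolerance and the constructed "now" value are assumptions for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

// Added illustration only; this is not the SAP SPNEGO login module's code.
public class EndtimeCheck {
    static final String PATTERN = "yyyyMMddHHmmss'Z'"; // Kerberos GeneralizedTime
    static final long SKEW_MS = 5 * 60 * 1000L;        // assumed tolerance (5 minutes)

    // Parse the digits as wall-clock time in the given zone. The quoted 'Z' in the
    // pattern is matched as a literal, so it does not select UTC on its own.
    static Date parse(String kerberosTime, TimeZone zone) throws ParseException {
        SimpleDateFormat f = new SimpleDateFormat(PATTERN);
        f.setLenient(false);
        f.setTimeZone(zone);
        return f.parse(kerberosTime);
    }

    // A ticket is acceptable while now <= endtime + tolerated clock skew.
    static boolean notExpired(Date endtime, Date now) {
        return now.getTime() <= endtime.getTime() + SKEW_MS;
    }

    public static void main(String[] args) throws ParseException {
        TimeZone utc = TimeZone.getTimeZone("UTC");
        TimeZone local = TimeZone.getTimeZone("GMT+05:30"); // zone named in the thread

        String endtime = "20110117223730Z";        // from the first exception above
        Date now = parse("20110117200000Z", utc);  // constructed: 20:00:00 UTC, same day

        Date right = parse(endtime, utc);    // 'Z' honoured: 22:37:30 UTC
        Date wrong = parse(endtime, local);  // digits read as local time instead

        SimpleDateFormat out = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss 'UTC'");
        out.setTimeZone(utc);
        System.out.println("endtime parsed as UTC     : " + out.format(right)
                + " notExpired=" + notExpired(right, now));
        System.out.println("endtime parsed as GMT+5:30: " + out.format(wrong)
                + " notExpired=" + notExpired(wrong, now));
        System.out.println("shift in minutes          : "
                + (right.getTime() - wrong.getTime()) / 60000L);
    }
}
```

With these inputs the UTC parse keeps the ticket valid, while the local-zone parse moves the endtime 330 minutes earlier and the same ticket fails the check.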
Hi Guys,
The issue got resolved.
It is surprising for me: if I keep the EP server and AD server in GMT +5:30, I get the invalid end time error,
but it worked for me when I kept the EP server in IST -5:30 and AD on GMT +5:30. Might be some locale setting playing around.
Now I am facing a checksum error when I am going to integrate the second AD in the SPNEGO add-on module. This AD server is on Windows 2003. We are using DES encryption for this second AD.
I have seen many forums regarding the checksum error with RC4 encryption, but I am getting this with DES encryption.
Please suggest what I can try.
Regards
Amit Saini