
SPNEGO - Could not validate SPNEGO token.

Former Member
0 Kudos

Hi All,

We have configured the SPNEGO wizard. We followed the steps provided in SAP Note #1457499, deployed the files in SPNego_AddOn_700.zip, and followed all the steps in the PDF.

We are getting the error below:

Could not validate SPNEGO token.
[EXCEPTION]
java.lang.Exception: Invalid ticket endtime: 20110117223730Z
    at com.sap.security.spnego.krb5.KrbApReq.throwValidationException(KrbApReq.java:112)
    at com.sap.security.spnego.krb5.KrbApReq.validate(KrbApReq.java:100)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:240)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Please suggest what could be the issue.

Regards

Amit

Accepted Solutions (1)

Former Member
0 Kudos

Hi Amit,

java.lang.Exception: Invalid ticket endtime: 20110117223730Z

Seems like the time difference between the portal server and KDC server is too great (refer to the [Configuring and troubleshooting SPNego -- Part 3|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8313] [original link is broken] blog for further details).

Best regards,

Aliaksandr Zhukau

Former Member
0 Kudos

Hi Zhukau,

Yes, the time difference was there, but I have corrected it. I am still getting the same error. There is only a 2-minute difference between the AD and the portal server.

Former Member
0 Kudos

Hi Amit,

Did you run the diagtool? Could you post the test results here?

Best regards,

Aliaksandr Zhukau

Former Member
0 Kudos

Hi

The web diagtool also shows the same error:

Could not validate SPNEGO token.
[EXCEPTION]
java.lang.Exception: Invalid ticket endtime: 20110118140218Z
    at com.sap.security.spnego.krb5.KrbApReq.throwValidationException(KrbApReq.java:112)
    at com.sap.security.spnego.krb5.KrbApReq.validate(KrbApReq.java:100)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:240)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:523)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:412)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

Regards

Amit

Former Member
0 Kudos

Hi Amit,

20110118140218Z stands for 2011-01-18 14:02:18 ± 0:00 UTC ('Z' is the zone designator for the zero UTC offset).

> Yes, the time difference was there, but I have corrected it. I am still getting the same error. There is only a 2-minute difference between the AD and the portal server.

Are both servers in the same time zone?

Best regards,

Aliaksandr Zhukau
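
An added example, not part of the original thread and not SAP's code: it parses the KerberosTime value from the trace as UTC, applies an endtime check with a clock-skew tolerance, and shows one way a zone mix-up (local wall-clock digits treated as UTC) rejects a ticket that is still valid. The function names, the `now` sample and the mislabelled-zone scenario are assumptions for illustration, not a diagnosis of the SPNego module.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)                 # 5-minute tolerance mentioned in this thread
IST = timezone(timedelta(hours=5, minutes=30))  # GMT +5:30, the zone named in this thread


def parse_kerberos_time(value: str) -> datetime:
    """Parse a KerberosTime string (YYYYMMDDHHMMSSZ) into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"not a KerberosTime value: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def endtime_ok(endtime: str, now: datetime, skew: timedelta = MAX_SKEW) -> bool:
    """Accept the ticket unless 'now' is past endtime by more than the skew."""
    if now.tzinfo is None:
        raise ValueError("refusing a naive 'now': its zone is ambiguous")
    return now <= parse_kerberos_time(endtime) + skew


def wall_clock_as_utc(now: datetime) -> datetime:
    """Hypothetical failure mode: keep the local wall-clock digits, label them UTC."""
    return now.replace(tzinfo=timezone.utc)


def diagnose(endtime: str, now: datetime) -> dict:
    """Compare the correct check with the mislabelled-zone check."""
    wrong_now = wall_clock_as_utc(now)
    return {
        "endtime_utc": parse_kerberos_time(endtime).isoformat(),
        "now_utc": now.astimezone(timezone.utc).isoformat(),
        "correct_check": endtime_ok(endtime, now),
        "mislabelled_check": endtime_ok(endtime, wrong_now),
        "apparent_shift": str(wrong_now - now),
    }


if __name__ == "__main__":
    # Endtime taken from the trace above; "now" is a constructed sample
    # (15:00 local time on a GMT +5:30 server, i.e. 09:30 UTC).
    sample_now = datetime(2011, 1, 18, 15, 0, 0, tzinfo=IST)
    for key, val in diagnose("20110118140218Z", sample_now).items():
        print(f"{key}: {val}")
```

An `apparent_shift` equal to the server's UTC offset, together with a failing `mislabelled_check`, points at zone handling rather than at real clock drift between the portal and the KDC.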

Former Member
0 Kudos

Hi Zhukau,

Yes, both servers are in the same time zone (GMT +5:30 offset from CUT). The maximum tolerance time maintained on AD is 5 minutes.

Regards

Amit

hofmann
Active Contributor
0 Kudos

Hi,

There is some useful information available on SCN. Have you checked it out?

Good blog on troubleshooting spnego:

SCN Wiki:

http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSPNego%28NWAS+Java%29

SAP Note on troubleshooting spnego:

https://service.sap.com/sap/support/notes/958107

https://service.sap.com/sap/support/notes/0000968191

Former Member
0 Kudos

Hi Hofmann,

We have seen almost all the links you provided to me, but with no success.

We have generated the trace from the web diagtool and have raised an OSS.

We are waiting for the reply from SAP. Please help us regarding the invalid ticket end time.

Regards

Amit

Former Member
0 Kudos

Hi Amit.

> both the servers are in the same time zone (GMT +5:30 offset from CUT).

It is good, but com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken parses a ticket as it is issued in the GMT +0:00 zone. It may be caused by the JDK itself, the SPNego login module, or the KDC. To make sure that it comes from the Java side, it is worth checking the communication between the portal and the KDC with Wireshark. Anyway, you have raised an OSS, and SAP will most likely ask you to do the same.

Best regards,

Aliaksandr Zhukau

Former Member
0 Kudos

Hi Guys,

Just an update for you.

SAP is involving development support, as this is a new issue with the SPNEGO add-on module. I will update you when SAP replies.

Regards

Amit

Former Member
0 Kudos

Hi Guys,

The issue got resolved.

It is surprising to me: if I keep the EP server and the AD server in GMT +5:30, I get the invalid end time error.

But it worked for me when I kept the EP server in IST -5:30 and AD on GMT +5:30. Some locale setting might be at play.

Now I am facing a checksum error when integrating the second AD in the SPNEGO add-on module. This AD server is on Windows 2003. We are using DES encryption for this second AD.

I have seen many forum posts regarding checksum errors with RC4 encryption, but I am getting this with DES encryption.

Please suggest what I can try.

Regards

Amit Saini

anja_engelhardt2
Active Contributor
0 Kudos

Hi Amit,

To keep the forum simple and to help others who use the forum search, please open a new thread for this new issue, provide points and close this thread.

Anja

Answers (0)