on 03-05-2011 9:44 PM
Hi,
I have an issue with SSO in an SAP Portal & Windows AD environment. It had been working for the last 8-9 months; suddenly users are getting the login screen. When I use Diagtool I get the messages below. My Windows team says they have no issue on the Wintel DC end, and from the UNIX standpoint we are also able to execute the commands below successfully.
/usr/bin/kinit -V -k HTTP/xxxeppdbci.xxx.comXXXXX.XXXIS.COM
Authenticated to Kerberos v5
13:17:30:618 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
13:17:30:628 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): XYZAB.XXXIS.COM
13:17:30:629 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): HTTP
13:17:30:629 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): XXXabcdbci.XXX.com
13:17:30:631 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTab: load() entry length: 66; type: 3
13:17:30:632 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out principal's key obtained from the keytab
13:17:30:632 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Acquire TGT using AS Exchange
13:17:30:636 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq calling createMessage
13:17:30:637 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq in createMessage
13:17:30:641 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000, number of retries =3, #bytes=161
13:17:30:793 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCCommunication: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000,Attempt =1, #bytes=161
13:17:30:944 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=193
13:17:30:944 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=193
13:17:30:946 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCRep: init() encoding tag is 126 req type is 11
13:17:30:948 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>KRBError:
13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out sTime is Sat Mar 05 13:17:30 PST 2011 1299359850000
13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out suSec is 418970
13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out error code is 25
13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out error Message is Additional pre-authentication required
13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out realm is XYZAB.XXXIS.COM
13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out sname is krbtgt/XYZAB.XXXIS.COM
13:17:30:951 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out eData provided.
13:17:30:951 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:
13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 11
13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-ETYPE-INFO etype = 1
13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 2
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-ENC-TIMESTAMP
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 15
13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Updated salt from pre-auth = XYZAB.XXXIS.COMHTTPXXXabcdbci.XXX.com
13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>KrbAsReq salt is XYZAB.XXXIS.COMHTTPXXXabcdbci.XXX.com
13:17:30:956 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
13:17:30:960 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq calling createMessage
13:17:30:960 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq in createMessage
13:17:30:961 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000, number of retries =3, #bytes=248
13:17:30:961 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCCommunication: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000,Attempt =1, #bytes=248
13:17:31:364 Info Guest ~ngine_Application_Thread[impl:3]_Group] ~ap.engine.services.security.roles.audit ACCESS.OK: Authorization check for caller assignment to J2EE security role [SAP-J2EE-Engine : guests].
13:17:31:479 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=1367
13:17:31:479 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=1367
13:17:31:481 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
13:17:31:484 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>crc32: b7fff843
13:17:31:484 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>crc32: 10110111111111111111100001000011
13:17:31:487 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsRep cons in KrbAsReq.getReply HTTP/XXXabcdbci.XXX.com
13:17:31:492 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Added server's keyKerberos Principal HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 64 C7 85 52 86 6E 8A 68
13:17:31:493 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out [Krb5LoginModule] added Krb5Principal HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM to Subject
13:17:31:493 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Commit Succeeded
13:17:31:494 Info Guest ~ngine_Application_Thread[impl:3]_Group] ~es.security.authentication.logincontext LOGIN.OK
User: HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok true true
#1 debug = true
#2 doNotPrompt = true
#3 principal = HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
#4 refreshKrb5Config = true
#5 storeKey = true
#6 useKeyTab = true
#7 useTicketCache = false
Central Checks true
13:17:31:495 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Found key for HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
13:17:31:496 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.spnego.SPNegoLoginModule Credentials for realm XYZAB.XXXIS.COM successfully acquired: HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
13:17:31:497 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.spnego.SPNegoLoginModule Access Denied - responseHeader is NULL
13:17:31:498 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.
13:17:31:499 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~.ticket.CreateTicketLoginModule.login() Entering method
13:17:31:499 Info Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
13:17:31:499 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
13:17:31:500 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.BasicPasswordLoginModule No user name provided.
13:17:31:500 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~.ticket.CreateTicketLoginModule.login() Entering method
13:17:31:500 Info Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
13:17:31:501 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
Has the user used in SPNego expired, or has its password been changed?
Has the Windows AD domain been changed, or Windows AD upgraded to a newer version?
You can rerun the SPNego configuration and see if it corrects the problem. You may even reload the SPNego datasource configuration file.
Check the blog below:
/people/holger.bruchelt/blog/2008/01/09/configuring-and-troubleshooting-spnego--part-1
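A triage helper for traces like the one in the question, added here as an example; it is not part of either post and is not SAP or JDK code. It separates the service's keytab login (the `Krb5LoginModule` lines) from the SPNego step and lists any single-DES etypes in use. The function name `triage` and the sample lines are constructed for illustration, and the etype and error tables cover more codes than appear in the trace.

```python
import re

# Kerberos etype numbers (RFC 3961/3962/4757) and error codes (RFC 4120).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
WEAK = {1, 2, 3}  # single-DES etypes, deprecated by RFC 6649
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP", 23: "KDC_ERR_KEY_EXPIRED",
              24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
              37: "KRB_AP_ERR_SKEW"}

# Constructed sample: six lines in the shape of the trace in the question.
SAMPLE = """\
13:17:30:641 Info Guest T System.out >>> KrbAsReq etypes are: 1
13:17:30:949 Info Guest T System.out error code is 25
13:17:31:492 Info Guest T System.out Added server's key keyType=3 keyBytes (hex dump)=
13:17:31:493 Info Guest T System.out Commit Succeeded
13:17:31:497 Debug Guest T SPNegoLoginModule Access Denied - responseHeader is NULL
13:17:31:499 Info Guest T CreateTicketLoginModule No authenticated user found.
"""

def triage(text):
    """Report the etypes seen, KDC errors, and the stage where login stops."""
    etypes = set()
    for m in re.finditer(r"etypes are: *([\d ]+)", text):
        etypes.update(int(n) for n in m.group(1).split())
    etypes.update(int(n) for n in re.findall(r"keyType=(\d+)", text))
    errors = [int(n) for n in re.findall(r"error code is (\d+)", text)]
    denied = re.search(r"SPNegoLoginModule (Access Denied[^\r\n]*)", text)
    # The trace prints "Commit Succeeded" once the keytab login has completed.
    keytab_ok = "Commit Succeeded" in text
    if not keytab_ok:
        stage = "keytab-login"
    elif denied:
        stage = "spnego-token"
    else:
        stage = None
    return {
        "weak_etypes": [ETYPES[e] for e in sorted(etypes & WEAK)],
        "krb_errors": [KRB_ERRORS.get(e, str(e)) for e in errors],
        # Code 25 is the normal first leg of a pre-authenticated AS exchange.
        "fatal_errors": [KRB_ERRORS.get(e, str(e)) for e in errors if e != 25],
        "failed_stage": stage,
        "spnego_reason": denied.group(1).strip() if denied else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample it reports the keytab login as complete, no fatal KDC error, and the stop at the SPNego step, with `des-cbc-crc` and `des-cbc-md5` as the only etypes in play.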