05-05-2011 11:26 AM
Hi everyone,
This thread is derived from this one:
We have created another one for simplicity and for joining all the information.
We have this landscape:
Microsoft Active Directory (Windows 2008 Server R2)
SAP EP 7.02 SP3 (running on Windows 2003 server)
We are trying to configure SPNEGO and have followed a lot of guides found on SDN without success.
When we access the portal, a Windows logon screen arises. We enter the credentials and the EP login page appears. We re-enter the credentials and access the portal.
Service User has "Use DES encryption" option checked and SPN conf is correct.
Viewing traces through NWA we see the following error:
doLogon failed
EXCEPTION
com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)
at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
I attach some Wireshark traces in another post.
Thanks
05-05-2011 11:36 AM
Daniel,
By default, Active Directory on Windows Server 2008 R2 has DES encryption disabled.
Thanks,
Tim
05-05-2011 12:41 PM
Hi Tim,
I don't understand you. Do you mean that we have to explicitly activate DES on the AD Server?
We have activated DES encryption on the service user. Isn't that enough?
Thanx
05-05-2011 1:06 PM
Hi,
You need to use the latest release of SAP SPNEGO, which is able to use RC4 or AES256 instead of DES, which is obsolete and insecure.
Yes, DES is deactivated by default on Win 2008 AD because Microsoft also thinks that it is now insecure.
Regards,
Olivier
05-05-2011 2:30 PM
Hi Olivier,
Where can I download latest SPNEGO? I downloaded the SPNego wizard from this URL (and it doesn't work in my landscape):
https://service.sap.com/sap/support/notes/1457499
(which is described in /people/holger.bruchelt/blog/2010/04/08/new-spnego-login-module--just-around-the-corner).
Have you noticed that we are using EP 7.02 SP3 (Java 1.4) which comes with a SPNEGO configuration tool in NWA?
How can I activate DES encryption in Windows 2008 Server? If it should be done by editing the Windows registry to add other encryption types, we have already done it.
Thanks a lot.
05-05-2011 4:51 PM
Hi Daniel,
I was thinking about this very same note! So it seems that you use the latest release.
I don't know how to activate DES in a win 2008 AD. I think there is a Microsoft KB about it.
When I asked my internal Windows security team, they absolutely refused to do it, telling me about the security hole it would provide...
I don't use the SAP SPNEGO implementation because at that time, SAP was only supporting the outdated DES encryption.
We bought a SPNEGO/Kerberos implementation from another software vendor which works perfectly for us.
Regards,
Olivier
05-12-2011 3:32 PM
Hi again,
We have had it working for a few minutes...
Problem was that in Services - Security Provider - Ticket policy, the SPNEGO module was not checked as "Requisite". Once we changed that flag and restarted EP, it worked from several machines in the domain.
The strange thing is that some minutes later, without changing anything in the domain controller, the portal or Internet Explorer, now we always get "NTLM Token received".
We have checked that:
- There's no time difference between AD and EP.
- We access the correct URL of EP.
- We have not made any change in Internet Explorer (the same one we used for the successful test in the morning).
We are reviewing logs and traces in the domain controller, but does anyone have a clue about what is happening, or has anyone faced the same problem before?
05-12-2011 5:55 PM
More on that thread:
If I log in to the Windows domain on a Windows 2008 R2 computer, authentication succeeds: just opening the portal's URL, I get into it without entering any credentials (I suppose it also works on Windows 7 computers).
If I log in to the Windows domain on a Windows 2003 computer, authentication never works and I always get the SAP Portal Logon Page.
If I log in the machine (not domain) on Windows 2008 R2, when I access portal's URL, a windows credential screen appears and:
- If I enter "DOMAIN\user" kerberos authentication works
- If I enter "user" kerberos authentication doesn't work
If I log in the machine (not domain) on Windows 2008 R2, when I access portal's URL, a windows credential screen appears and whatever the user format it doesn't authenticate.
Resolution mode for Kerberos in portal is Simple using kpn = krb5principalname
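The "NTLM Token received" symptom from the 05-12 posts above can be confirmed on the wire: whatever the browser sends in `Authorization: Negotiate <base64>` is either a raw NTLMSSP message, a raw Kerberos AP-REQ, or a SPNEGO NegTokenInit whose first mechType tells you which mechanism the client preferred. The following Python is an added example, not code from the thread or from SAP; it decodes that header value (the `build_spnego_header` helper only constructs sample tokens for the demonstration) so a defender can tell Kerberos from NTLM fallback without Wireshark.

```python
import base64
OID_SPNEGO, OID_KRB5 = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
OID_MS_KRB5, OID_NTLMSSP = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
def der(tag, content):  # DER TLV, short-form length only (content < 128 bytes): enough for samples
    return bytes([tag, len(content)]) + content

def der_oid(dotted):  # dotted OID string -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def read_tlv(buf, i):  # (tag, content, next_offset) of the DER TLV at buf[i]; handles long-form lengths
    n = 0 if buf[i + 1] < 0x80 else buf[i + 1] & 0x7F
    ln = buf[i + 1] if n == 0 else int.from_bytes(buf[i + 2:i + 2 + n], "big")
    return buf[i], buf[i + 2 + n:i + 2 + n + ln], i + 2 + n + ln

def decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """'ntlm' (raw NTLMSSP), 'kerberos' (raw AP-REQ), 'spnego:<preferred mech OID>' or 'unknown'."""
    scheme, _, b64 = header_value.partition(" ")
    try:
        tok = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
        if tok.startswith(b"NTLMSSP\x00"):       # browser fell back to NTLM: no Kerberos ticket
            return "ntlm"
        tag, body, _ = read_tlv(tok, 0)          # 0x60 = GSS-API InitialContextToken
        tag2, oid_body, i = read_tlv(body, 0)    # 0x06 = mechanism OID
        mech = decode_oid(oid_body) if (tag, tag2) == (0x60, 0x06) else ""
        if mech != OID_SPNEGO:
            return "kerberos" if mech in (OID_KRB5, OID_MS_KRB5) else "unknown"
        for _ in range(4):   # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
            body, i = read_tlv(body, i)[1], 0
        return "spnego:" + decode_oid(read_tlv(body, 0)[1])   # first mechType = preferred
    except (ValueError, IndexError):
        return "unknown"

def build_spnego_header(mech_oids):  # constructed sample: NegTokenInit listing mech_oids as mechTypes
    neg_init = der(0xA0, der(0x30, der(0xA0, der(0x30, b"".join(map(der_oid, mech_oids))))))
    return "Negotiate " + base64.b64encode(der(0x60, der_oid(OID_SPNEGO) + neg_init)).decode()
```

A header that classifies as `ntlm` or `spnego:1.3.6.1.4.1.311.2.2.10` means the client never obtained a service ticket for the portal's SPN, so the portal's ticket policy is not what to look at first.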
05-18-2011 8:50 AM
We are finally closing this thread.
We have corrected all errors, but now the problem is what Olivier comments about: only DES encryption is supported (which may be a security problem).
Olivier, can you tell me which product you bought and how difficult was the setup?
05-18-2011 8:57 AM
Daniel,
You might want to look at http://ecohub.sap.com/catalog/#!solution:trustbrokeradapter
Thanks,
Tim
05-18-2011 10:39 AM