
Problem with SAP EP 7.02 SP3 and SPNEGO

Former Member
0 Kudos

Hi everyone,

This thread is derived from this one:

We have created another one for simplicity and for joining all the information.

We have this landscape:

Microsoft Active Directory (Windows 2008 Server R2)

SAP EP 7.02 SP3 (running on Windows 2003 server)

We are trying to configure SPNEGO and have followed a lot of guides found on SDN without success.

When we access the portal, a Windows logon screen appears. We enter the credentials and the EP login page appears. We re-enter the credentials and access the portal.

The service user has the "Use DES encryption" option checked and the SPN configuration is correct.

Viewing traces through NWA, we see the following error:

doLogon failed

EXCEPTION

com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)
    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

I attach some Wireshark traces in another post.

Thanks

10 REPLIES

tim_alsop
Active Contributor
0 Kudos

Daniel,

By default, Active Directory on Windows Server 2008 R2 has DES encryption disabled.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

I don't understand you. Do you mean that we have to explicitly activate DES on the AD Server?

We have activated DES encryption on the service user. Is that not enough?

Thanks

0 Kudos

Hi,

You need to use the latest release of SAP SPNEGO, which is able to use RC4 or AES256 instead of DES, which is obsolete and insecure.

Yes, DES is deactivated by default on Win 2008 AD because Microsoft also thinks that it is now insecure.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

Where can I download the latest SPNEGO? I downloaded the SPNego wizard from this URL (and it doesn't work in my landscape):

https://service.sap.com/sap/support/notes/1457499

(which is described in /people/holger.bruchelt/blog/2010/04/08/new-spnego-login-module--just-around-the-corner).

Have you noticed that we are using EP 7.02 SP3 (Java 1.4), which comes with a SPNEGO configuration tool in NWA?

How can I activate DES encryption in Windows 2008 Server? If it should be done by editing the Windows registry to add other encryption types, we have already done it.

Thanks a lot.

0 Kudos

Hi Daniel,

I was thinking about this very same note! So it seems that you use the latest release.

I don't know how to activate DES in a Win 2008 AD. I think there is a Microsoft KB about it.

When I asked my internal Windows security team about it, they absolutely refused to do it, telling me about the security hole it would provide...

I don't use the SAP SPNEGO implementation because at that time, SAP was only supporting the outdated DES encryption.

We bought a SPNEGO/Kerberos implementation from another software vendor which works perfectly for us.

Regards,

Olivier

Former Member
0 Kudos

Hi again,

We have had it working for a few minutes...

The problem was that in Services - Security Provider - Ticket policy, the SPNEGO module was not checked as "Requisite". Once we changed that flag and restarted EP, it worked from several machines in the domain.

The strange thing is that some minutes later, without changing anything in the domain controller, in the portal, or in Internet Explorer, now we always get "NTLM Token received".

We have checked that:

- There's no time difference between AD and EP.

- We access the correct URL of EP.

- We have not made any change in IE (the same one we used for the successful test in the morning).

We are reviewing logs and traces in the domain controller, but does anyone have a clue about what is happening, or has anyone faced the same problem before?
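The "NTLM Token received" symptom in the post above can be checked from the request itself. The Python below is an added example, not part of the original posts or of SAP's code: it classifies the token in an Authorization: Negotiate header as raw NTLM or as SPNEGO with Kerberos or NTLM preferred. The function names and sample headers are constructed for illustration, and the mechanism ordering check is a heuristic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
MECHS = {                                             # DER-encoded mechanism OIDs
    bytes.fromhex("06092a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}

def classify_negotiate(header_value):
    """Classify an HTTP Authorization header value by the token it carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP):
        return "raw-ntlm"            # client fell back to NTLM, no Kerberos ticket
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    # Skip the outer [APPLICATION 0] tag and its short- or long-form DER length.
    body = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    for oid, name in MECHS.items():
        if token.startswith(oid, body):
            return "raw-" + name     # GSS token without a SPNEGO wrapper
    if not token.startswith(OID_SPNEGO, body):
        return "unknown"
    # Heuristic: mechTypes precede the mechToken, so the earliest mechanism
    # OID in the buffer is the client's preferred mechanism.
    offered = sorted((token.find(oid), name) for oid, name in MECHS.items() if oid in token)
    return "spnego-" + offered[0][1] if offered else "spnego-other"

def _tlv(tag, body):
    """Constructed-sample helper: DER TLV with a short-form length (< 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed header values, not captured from the thread's landscape."""
    krb, ms_krb, ntlm = list(MECHS)
    def init(mechs):
        mech_list = _tlv(0xA0, _tlv(0x30, b"".join(mechs)))
        return _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, mech_list)))
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {
        "kerberos_first": enc(init([ms_krb, krb, ntlm])),
        "ntlm_only": enc(init([ntlm])),
        "raw_ntlm": enc(NTLMSSP + bytes.fromhex("01000000078208a2") + bytes(24)),
    }
```

A "raw-ntlm" or "spnego-ntlm" result means the client could not obtain a Kerberos service ticket for the portal's SPN, so the cause lies on the client or KDC side rather than in the login module stack.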

Former Member
0 Kudos

More on that thread:

If I log in to the Windows domain on a Windows 2008 R2 computer, authentication succeeds: just opening the portal's URL, I get into it without entering any credentials (I suppose it also works on Windows 7 computers).

If I log in to the Windows domain on a Windows 2003 computer, authentication never works and I always get the SAP Portal Logon Page.

If I log in to the machine (not the domain) on Windows 2008 R2, when I access the portal's URL, a Windows credential screen appears and:

- If I enter "DOMAIN\user", Kerberos authentication works

- If I enter "user", Kerberos authentication doesn't work

If I log in to the machine (not the domain) on Windows 2008 R2, when I access the portal's URL, a Windows credential screen appears and whatever the user format, it doesn't authenticate.

Resolution mode for Kerberos in the portal is Simple using kpn = krb5principalname

Former Member
0 Kudos

We are finally closing this thread.

We have corrected all errors, but now the problem is what Olivier comments about only supporting DES encryption (which may be a security problem).

Olivier, can you tell me which product you bought and how difficult the setup was?

0 Kudos

Daniel,

You might want to look at http://ecohub.sap.com/catalog/#!solution:trustbrokeradapter

Thanks,

Tim

Former Member
0 Kudos

Thanks Tim.

Closing thread.