
Login problem after SPNEGO configuration

jorge_velasquez
Contributor
0 Kudos

Hi Experts,

I'm configuring SPNEGO Addon, after Adjusting Policy Configuration:

1. Log on to the Visual Administrator

2. Navigate to ServerXXX -> Services -> Security Provider

3. Select the "ticket" template and make sure it does not have a reference to another policy configuration

4. Add the SPNEGOLoginModule login module to the list of login modules

4.1. If the old SPNegoLoginModule is present, remove it and put the new SPNEGOLoginModule in its position. Normally its flag should be OPTIONAL

4.2. If the old SPNegoLoginModule is not present, simply add the new SPNEGOLoginModule to the list. Normally its position should be 2 and its flag - OPTIONAL. You also need to add the CreateTicketLoginModule module right after it - with position 3 and flag SUFFICIENT

I can't log in to Portal. I put in user ID and password and the browser does nothing.

It's not the cookies or something like that.

Any clue?

1 ACCEPTED SOLUTION

hemanth2
Product and Topic Expert
0 Kudos

Dear Jorge,

Hope you are doing good.

Do check the below blogs for more on the configuration:

<http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-onwithSPNego%28NWAS+Java%29>

and

<>

If the issue persists, run the web diag tool specially developed for Kerberos issues as outlined in # 958107 - Using Diagtool for Troubleshooting Kerberos with "Security" -> "All" and reproduce the issue. You should be able to get the reason for the error from this.

Thank you and have a nice day :).

_____________

Kind Regards,

Hemanth

SAP AGS

12 REPLIES 12

0 Kudos

Hi Hemanth Kumar,

The issue is solved:

1659382 - After entering correct user ID and password the logon page is displayed without an error message

The login modules should be evaluate, basic and create. If I modify this order the issue appears again.

I put spnego as number 4 in the list, but I have to test this to see if it works.

Any clue? Is the SPNEGO configuration guide not right?

Regards

hemanth2
Product and Topic Expert
0 Kudos

Dear Jorge,

Hope you are doing good.

Great to hear that the issue is resolved. As the note 1659382 helped, please do rate it (via the Overall Rating at the top right hand corner of the KBA - 5 stars is the best :).

Normally when the SPNEGO is used, below is the logon module list:

| Login Modules | Flag | Options |
|---|---|---|
| EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true |
| SPNegoLoginModule | OPTIONAL | com.sap.spnego.jgss.name=<KPN> |
| CreateTicketLoginModule | SUFFICIENT | ume.configuration.active=true |
| BasicPasswordLoginModule | REQUISITE | |
| CreateTicketLoginModule | OPTIONAL | ume.configuration.active=true |

However, if you face issues, the diagtool should give us more info.

Thank you and have a nice day :).

_____________

Kind Regards,

Hemanth

SAP AGS
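
A model of how the JAAS control flags decide the outcome for the login module list in the reply above, added here as an illustration and not taken from the thread or from SAP code. The flag rules follow the standard JAAS definition; the per-module outcomes in `module_result`, the request keys and the flags of `WITHOUT_SPNEGO` are simplifying assumptions.

```python
# Control flags follow the standard JAAS rules; module outcomes are a simplified model.
STACK = [  # the list from the reply above
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNegoLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]
# "evaluate, basic and create" only; flags assumed to be the ones used in STACK.
WITHOUT_SPNEGO = [STACK[0], STACK[3], STACK[4]]

def module_result(name, request, state):
    """Assumed outcome of one module for a request (dict of constructed keys)."""
    if name == "CreateTicketLoginModule":
        return state["authenticated"]             # only issues a ticket after a real login
    if name == "EvaluateTicketLoginModule":
        ok = request.get("valid_ticket", False)
    elif name == "SPNegoLoginModule":
        ok = request.get("token") == "kerberos"   # an NTLM token fails here
    else:                                         # BasicPasswordLoginModule
        ok = request.get("password_ok", False)
    state["authenticated"] = state["authenticated"] or ok
    return ok

def evaluate(stack, request):
    """Return (overall_success, trace) for one pass through the stack."""
    state = {"authenticated": False}
    trace, mandatory_ok, has_mandatory, any_ok = [], True, False, False
    for name, flag in stack:
        ok = module_result(name, request, state)
        trace.append((name, flag, ok))
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE"):
            has_mandatory = True
            mandatory_ok = mandatory_ok and ok
            if flag == "REQUISITE" and not ok:
                return False, trace               # REQUISITE failure ends the stack
        elif flag == "SUFFICIENT" and ok:
            return mandatory_ok, trace            # SUFFICIENT success ends the stack
    return (mandatory_ok if has_mandatory else any_ok), trace

if __name__ == "__main__":
    cases = {"kerberos token": {"token": "kerberos"},
             "ntlm token, then password": {"token": "ntlm", "password_ok": True},
             "ntlm token, no password": {"token": "ntlm"}}
    for label, request in cases.items():
        ok, trace = evaluate(STACK, request)
        print(f"{label}: {'login' if ok else 'rejected'} after {len(trace)} module(s)")
```

In this model a Kerberos token ends the stack at the third module, while a stack without SPNegoLoginModule never evaluates the token at all.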

0 Kudos

Hi,

What should I put in =<KPN>,

SPNegoLoginModule OPTIONAL "com.sap.spnego.jgss.name=<KPN>" (this is not a value in conf guide, it is empty)

On the other hand, will SPNEGO work if I put it as number four on the list?

Regards.

Former Member
0 Kudos

Hello,

The value of <KPN> will be the "Principal" which you have defined in the KPN (Kerberos Principal Name) step under the SPNego configuration wizard, i.e., http://<host>:<port>/spnego

The value of KPN looks like HTTP/<HOST>@<Kerberos realm> where HOST is one of the ktpass hosts configured by the Active Directory User.

Regards,

Aparna.

0 Kudos

Hello,

What about the order on the list? It seems that SPNEGOLoginModule should be in second place, but the error will happen again if I do that.

Regards

hemanth2
Product and Topic Expert
0 Kudos

Dear Jorge,

Hope you are doing good.

Yes, the SPNEGO should be on the second line as in my previous reply. If you use just the evaluate, basic and create modules, then SPNEGO is not being used.

If the issue is with KPN, there can be cases where there is more than one user with the same KPN. Do check this. Else, set the spnego as the logon module and run the diagtool and the error should be clearly visible.

Paste the error and we should be able to find the root cause.

Thank you and have a nice day :).

_____________

Kind Regards,

Hemanth

0 Kudos

Hi ,

The error in Diagtool is "NTLM token found in authorization header during SPNego authentication"

I created sapjsf in 3 ADS .. domain1.com, domain2.com, domain3.com.

But this issue was happening, so I deleted sapjsf and created one user per ADS:

ossuser1 domain1.com

ossuser2 domain2.com

ossuser3 domain3.com

I set SPN:

setspn -a http/hostname1.domain1.com ossuser1

setspn -a http/hostname1.domain1.com ossuser2

setspn -a http/hostname1.domain1.com ossuser3

my J2EE engine has hostname hostname1.domain1.com

The UME is connected to these 3 LDAPs and the connection is successful.

If I create a user in these 3 LDAPs they are created in Portal (without roles)

I also created 3 ktab files with jdk 1.6 from my computer:

ktab -k test.keytab -a ssouser1(at)domain1.com

In the SPNEGO wizard from /nwa I created each domain then added the keytab and the mapping is principal only and source loginID.

Any clue?

hemanth2
Product and Topic Expert
0 Kudos

Dear Jorge,

Hope you are doing good.

Great that you ran the tool.

Regarding the error: "NTLM token found in authorization header during SPNego authentication", do check:

<http://wiki.sdn.sap.com/wiki/display/JSTSG/(SIM)Problems-P67>

Also have a look at SAP Note No. 934138: IE browser sends NTLM token instead of Kerberos.

Please can you try to change the SPNEGOLoginModule and change the flag to REQUISITE and check if the issue persists.

If the issue persists, check note #1313880 - SPNego with DNS aliases and follow the recommendation in case it is applicable to your case. You may try to switch encryption from DES to RC4-HMAC as in some cases the client does not support DES.

Review notes:

1457499 SPNego add-on

1396724 SPNEGO fails with Vista SP2,Windows 7,Windows Server 2008 R2

Thank you and have a nice day :).

_____________

Kind Regards,

Hemanth
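
The Diagtool message discussed above means the browser's `Authorization` header carried an NTLM message instead of a Kerberos/SPNEGO token. The following check, added here as an example and not part of the thread or of SAP tooling, classifies a captured header value by its leading bytes; the function names and the constructed sample values are assumptions of this example.

```python
import base64
import binascii

NTLMSSP_SIG = b"NTLMSSP\x00"                      # start of every NTLM message
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MECHS = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}

def gss_mech_oid(token):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:        # [APPLICATION 0] tag
        return None
    pos = 2
    if token[1] & 0x80:                           # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    oid = token[pos + 2 : pos + 2 + token[pos + 1]]
    return oid if len(oid) == token[pos + 1] else None

def classify_authorization(value):
    """Classify the token in an HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                             # NTLM sent in place of Kerberos
    kind = MECHS.get(gss_mech_oid(token), "unknown")
    if kind == "spnego" and NTLMSSP_SIG in token:
        return "spnego-wrapping-ntlm"
    return kind

def build_gss_header(oid, body=b""):
    """Constructed sample: GSS-API framing only, not a valid ticket."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()

# Constructed sample header values (no real credentials).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24)).decode()
SAMPLE_SPNEGO = build_gss_header(SPNEGO_OID, b"\xa0\x03\x30\x01\x00")
SAMPLE_KRB5 = build_gss_header(KRB5_OID, b"\x01\x00")

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO, SAMPLE_KRB5, "Basic dXNlcjpwdw=="):
        print(classify_authorization(sample), "<-", sample[:40])
```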

0 Kudos

Hi Hemanth,

I have read the note 934138: IE browser sends NTLM token instead of Kerberos.

a) Portal host doesn't have an alias

b) XP is updated, no need to apply fix.

c) Check if the AS Java SPNego service user Service Principal Name (SPN) is unique through the LDAP repository:

- I deleted sapjsf and created 3 users per LDAP ossuser1, ossuser2, ossuser3.

I changed SPNEGOLoginModule to flag requisite, nothing happened.

I also removed DES from the list, leaving RC4-HMAC.

On the other hand I am using Principal only and Login ID as mapping in SPNEGO Wizard from /nwa.

Regards

0 Kudos

solved!

1649110 - SPNego for Kerberos Authentication NTLM token received in authorization header

Former Member
0 Kudos

Hi jorge

I have configured SPNego in SAP EP 7.30 SP8 and Active Directory 2003. We have only one principal user ID and I have configured SPNego perfectly, but I am facing this error in Diagtool: "NTLM token found in authorization header during SPNego authentication"

I have gone through 1649110 and 934138 and done all the things from the portal side.

I request you to please share your solution from SAP note 1649110 which helped you to fix your issue.

Please......

Thanks

Keshari