"NTLM token found in authorization header during SPNego authentication"

jorge_velasquez
Contributor
0 Kudos

Hi,

I'm configuring SPNEGO, and after opening the browser a window appears asking for login ID and password, but then the Portal principal page appears asking again for login ID and password.

In webtool I found this error:

"NTLM token found in authorization header during SPNego authentication".

Here seems to be the solution but I have doubts about it

http://wiki.sdn.sap.com/wiki/display/JSTSG/(SIM)Problems-P67

• Check if the AS Java SPNego service user Service Principal Name (SPN) is unique throughout the LDAP repository.

If there is another user with same SPN in MS ADS the KDC cannot provide Kerberos token for the J2EE web service to Internet Explorer.

I have 3 LDAPs and I created the user sapjsf in each one. Could this be the cause?

Do I have to create different users (sapjsf, sapjsf2, sapjsf3) instead of sapjsf only?

Any clue?

4 REPLIES

cathal_ohare
Employee
0 Kudos

Hi,

The above information is correct in finding the solution, as receiving NTLM tokens instead of Kerberos tokens is a result of either an AD or a browser configuration issue.

When you created your service user on the domains (SAPJSF in your case), you would have set some SPNs for that user; the SPN that you set can only be unique to that user. Also, you need to check all the relevant browser configurations. KBA 1649110 discusses the issue in more detail.

Kind regards,

Cathal
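
To confirm which kind of token the browser actually sent, the value of the `Authorization: Negotiate` header can be decoded and inspected. The following is an added example, not part of the original posts and not SAP code; the function and sample names are assumptions, and the sample tokens are constructed skeletons rather than captured traffic.

```python
import base64
import binascii

NTLMSSP = b"NTLMSSP\x00"                                  # raw NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))     # 1.2.840.48018.1.2.2 (Microsoft)

def first_oid(token):
    """Return the DER OID right after the 0x60 GSS-API header, or None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    # Skip the length field: one octet, or 1 + n octets in long form.
    i = 2 + (token[1] & 0x7F) if token[1] & 0x80 else 2
    if i + 2 > len(token) or token[i] != 0x06:
        return None
    return token[i:i + 2 + token[i + 1]]

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if token.startswith(NTLMSSP):
        return "ntlm"                      # the case the error message reports
    oid = first_oid(token)
    if oid in KRB5_OIDS:
        return "kerberos"
    if oid == SPNEGO_OID:
        # Heuristic: an NTLM mechToken carries the NTLMSSP signature in clear.
        if NTLMSSP in token:
            return "spnego-wrapping-ntlm"
        if any(k in token for k in KRB5_OIDS):
            return "spnego-kerberos"
        return "spnego-other"
    return "unknown"

# Constructed samples: skeleton bytes only, not captured traffic or valid tickets.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode()
_body = SPNEGO_OID + b"\xa0\x0d\x30\x0b" + KRB5_OIDS[0]
SAMPLE_KRB = "Negotiate " + base64.b64encode(bytes([0x60, len(_body)]) + _body).decode()

if __name__ == "__main__":
    for name, value in (("NTLM sample", SAMPLE_NTLM), ("Kerberos sample", SAMPLE_KRB)):
        print(name, "->", classify_negotiate(value))
```

A raw NTLM token is recognisable even before decoding, because its base64 form begins with `TlRMTVNTUAAB`.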

0 Kudos

Hi Cathal,

I created sapjsf in 3 ADS: domain1.com, domain2.com, domain3.com.

But this issue was happening, so I deleted sapjsf and created one user per ADS:

ossuser1 domain1.com

ossuser2 domain2.com

ossuser3 domain3.com

I set SPN:

setspn -a http/hostname1.domain1.com ossuser1

setspn -a http/hostname1.domain1.com ossuser2

setspn -a http/hostname1.domain1.com ossuser3

My J2EE engine has hostname hostname1.domain1.com.

The UME is connected to these 3 LDAPs and the connection is successful.

If I create a user in these 3 LDAPs, they are created in Portal (without roles).

I also created 3 ktab files with JDK 1.6 from my computer:

ktab -k test.keytab -a ssouser1@domain1.com

In the SPNEGO wizard from /nwa I created each domain, then added the keytab, and the mapping is principal only and source loginID.

Any clue?

0 Kudos

Issue is solved.

jorge_velasquez
Contributor
0 Kudos

1649110 - SPNego for Kerberos Authentication NTLM token received in authorization header