01-03-2012 4:26 AM
Hi,
I'm configuring SPNEGO, and after opening the browser a window appears asking for login ID and password, but then the Portal principal page appears asking again for login ID and password.
In webtool I found this error:
"NTLM token found in authorization header during SPNego authentication".
Here seems to be the solution, but I have doubts about it:
http://wiki.sdn.sap.com/wiki/display/JSTSG/(SIM)Problems-P67
• Check if the AS Java SPNego service user Service Principal Name (SPN) is unique throughout the LDAP repository.
If there is another user with same SPN in MS ADS the KDC cannot provide Kerberos token for the J2EE web service to Internet Explorer.
I have 3 LDAPs and I created the user sapjsf in each one. Could this be the cause?
Do I have to create different users (sapjsf, sapjsf2, sapjsf3) instead of sapjsf only?
Any clue?
01-04-2012 12:46 PM
Hi,
The above information is correct in finding the solution, as receiving NTLM tokens instead of Kerberos tokens is a result of either an AD or a browser configuration issue.
When you created your service user on the domains (SAPJSF in your case) you would have set some SPNs on that user. The SPN that you set can only be unique to that user. You also need to check all the relevant browser configurations. KBA 1649110 discusses the issue in more detail.
Kind regards,
Cathal
01-04-2012 1:42 PM
Hi Cathal,
I created sapjsf in 3 ADS: domain1.com, domain2.com, domain3.com.
But this issue was happening, so I deleted sapjsf and created one user per ADS:
ossuser1 domain1.com
ossuser2 domain2.com
ossuser3 domain3.com
I set SPN:
setspn -a http/hostname1.domain1.com ossuser1
setspn -a http/hostname1.domain1.com ossuser2
setspn -a http/hostname1.domain1.com ossuser3
My J2EE engine has hostname hostname1.domain1.com
The UME is connected to these 3 LDAPs and the connection is successful.
If I create a user in these 3 LDAPs, they are created in Portal (without roles).
I also created 3 ktab files with JDK 1.6 from my computer:
Ktab -k test.keytab -a ssouser1(at)domain1.com
In the SPNEGO wizard from /nwa I created each domain, then added the keytab, and the mapping is principal only and source loginID.
Any clue?
01-06-2012 2:59 PM
01-06-2012 3:00 PM
1649110 - SPNego for Kerberos Authentication NTLM token received in authorization header
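
To confirm from a captured request whether the browser really sent NTLM instead of Kerberos, as the error in this thread reports, the token in the `Authorization` header can be classified by its leading bytes. The following Python sketch is an added example, not part of the original thread or of SAP's tooling; the function names and the sample headers are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KERBEROS_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
                 bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"                      # raw NTLMSSP message, no SPNEGO wrapper
    if not token.startswith(b"\x60"):      # GSS-API initial context token tag
        return "unknown"
    if any(oid in token[:16] for oid in KERBEROS_OIDS):
        return "kerberos"                  # bare Kerberos GSS token
    if OID_SPNEGO not in token[:16]:
        return "unknown"
    # SPNEGO lists mechanisms in preference order: the first OID is the one attempted.
    mechs = [(oid, "kerberos") for oid in KERBEROS_OIDS] + [(OID_NTLMSSP, "ntlm")]
    hits = [(token.find(oid), name) for oid, name in mechs if oid in token]
    return min(hits)[1] if hits else "unknown"

def tlv(tag, body):                        # short-form DER TLV for the samples
    return bytes([tag, len(body)]) + body

def spnego_init(mech_oids):                # NegTokenInit with only a mechTypes list
    mech_list = tlv(0xA0, tlv(0x30, b"".join(mech_oids)))
    return tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, mech_list)))

def header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: no real tickets, hashes or account names inside.
SAMPLES = {
    "kerberos": header(spnego_init([KERBEROS_OIDS[1], KERBEROS_OIDS[0], OID_NTLMSSP])),
    "raw-ntlm": header(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(20)),
    "spnego-ntlm": header(spnego_init([OID_NTLMSSP])),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", classify_authorization(value))
```

A header whose base64 token begins with `TlRMTVNTUAAB` is a raw NTLM negotiate message, which is what the "NTLM token found in authorization header" error refers to.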