Application Development Discussions

Configuring SSO auth via KDC (Unix MIT Kerberos) and J2EE (SPNego)

Former Member

Hi All,

I am trying to make the following configuration work :

SSO communication between users authenticated through a Unix KDC (MIT Kerberos) and SAP J2EE (NW04 SP16, IBM JDK) via the SPNego module. UME is configured to use R3_RW (ABAP) as the users' data source.

I made all the configuration as per help.sap.com and OSS note 935644, but it is still not working. When I try to open any of the J2EE applications I see that J2EE is trying to authenticate the user via SPNEGO, but unsuccessfully every time. I am getting the following messages in the defaulttrace:

1) INFO:

Creating new instance of SpNegoState ([gsscontext = [not printable], negstate = undefined, oid = [null]])

2) DEBUG:

Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.

I have only one general question: is a Unix MIT Kerberos v5 KDC supported for the SPNEGO configuration on SAP J2EE? (I saw only references to Microsoft ADC.)

Thanks and regards,

Mike

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

Mike,

Can you provide me with more information on how you have configured your workstation/browser to use the MIT KDC?

For browser -> web server authentication to work with Kerberos you must use the Microsoft Credentials Cache on the workstation, and the only way to populate the MS cache using an MIT KDC is to use the ksetup.exe utility and log on to the PC using an MIT KDC principal.

You can use a cross-realm trust between MIT and MS AD KDCs, and this can be made to work, but you didn't mention this in your description, so I assume you are not using MS AD.

Thanks,

Tim

Former Member

Hi Tim,

Thanks for the quick reply.

We are planning to use it for Mac OS X clients (only), so I believe the Microsoft Credential Cache is not required. But we do have a Kerberos API on our client machines, delivered as part of the Mac OS X installation. I was able to obtain my credentials for the valid realm by executing klist from my laptop.

Regards,

Mike

tim_alsop
Active Contributor

Mike,

As far as I am aware, the browsers available for Mac OS X which support "integrated windows authentication" are not 100% interoperable with web servers which are coded to support this method of authentication and tested to work with Windows clients, e.g. I know of a few specific issues with Safari which might cause problems.

I am not suggesting that the problems you are getting with the login module are caused by the browser, but you need to be aware that SAP have coded their login module and tested it mostly/only with Windows workstations and browsers which use SSPI, so you might (I am sure somebody from SAP will confirm) be the first company to try it with Mac OS X browsers, which use GSS-API to interface with the Macintosh Kerberos libraries.

Hopefully Wolfgang, or somebody else from SAP, will answer this forum post and let you know if Mac OS X is supported by SAP as a client/browser.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert

> Hopefully Wolfgang, or somebody else from SAP will answer this forum post and let you know if Mac OSX is supported by SAP as a client/browser.

I'll ask one of my colleagues (who is more familiar with the SPNEGO support of the SAP J2EE server) to comment.

But in general I agree: it is close to impossible to test all combinations of web browsers (and client-side Kerberos implementations) with the various server platforms (supported for SAP J2EE servers).

WolfgangJanzen
Product and Topic Expert

I've got a reply which I want to forward:

"From the attached errors it is not clear if it is a compatibility issue or a configuration one. I'd advise the customer to apply SAP Note 958107 (http://service.sap.com/~iron/fm/011000358700000431401997E/0958107) and provide the generated diagtool.log for analysis."

Former Member

Thanks to both of you.

I already checked the config via diagtool, and this tool was able to get the krb5 config from J2EE. Yesterday I opened an OSS message for the same issue, and SAP replied that only IE 6.0 (or higher) is supported for the Kerberos/SPNego config I am trying to set up. Although I don't know if it's only a matter of support or whether my design is technically incompatible.

Regards,

Mike

tim_alsop
Active Contributor

So, it looks like SAP have confirmed they will not support your environment because you are not using Internet Explorer on Windows. Is this correct?

Without knowing more about the SPNEGO implementation in your browser, which GSS mechanism OIDs are supported, whether the SAP login module supports these OIDs, what encryption types are used, etc., it is hard to know if your setup will work. Clearly a lot more information is needed to determine this.

If you would like me to help you with debugging, I can explain how this can be done, but I need to discuss it with you off SDN. This is because I represent a vendor, and we have a supported, SAP-certified product which I believe will give you what you need.

Regards,

Tim
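Tim's point about the GSS mechanism OIDs is something you can check from a single HTTP capture. The following is an added example, not code from the original thread, from SAP or from any vendor: a small Python decoder for the SPNEGO NegTokenInit that a browser sends in `Authorization: Negotiate <base64>`, listing the mechanism OIDs the client offers in its preference order. The ASN.1 layout follows RFC 4178 (SPNEGO) wrapped in an RFC 2743 initial context token; the three OIDs are the RFC 4121 Kerberos v5 OID, Microsoft's legacy Kerberos OID and the NTLMSSP OID. The token builder exists only to construct sample input offline (its mechToken is a placeholder byte, not a real AP-REQ), and the `offers_kerberos` helper is my own naming; nothing here says which OIDs SAP's login module accepts, which the thread leaves open.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OID = "1.2.840.113554.1.2.2"
KNOWN_MECHS = {
    KERBEROS_OID: "Kerberos v5 (RFC 4121)",
    "1.2.840.48018.1.2.2": "MS KRB5 (Microsoft's legacy Kerberos OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Minimal DER helpers: enough for the tag/length/OID structure of a NegTokenInit.
def _read_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated DER")
    length, start = _read_len(buf, pos + 1)
    if start + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return buf[pos], buf[start:start + length], start + length

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _tlv(tag, value):
    n = len(value)  # lengths up to 65535 are enough for a NegTokenInit
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def parse_negotiate_header(header_value):
    """Return the mechanism OIDs offered in an 'Authorization: Negotiate <b64>' header,
    in the client's preference order, as (oid, name_or_None) pairs."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    tag, body, _ = _read_tlv(token, 0)            # RFC 2743 InitialContextToken [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid_body, pos = _read_tlv(body, 0)       # thisMech
    if tag != 0x06:
        raise ValueError("initial context token has no mechanism OID")
    if _decode_oid(oid_body) != SPNEGO_OID:       # e.g. a raw Kerberos AP-REQ instead of SPNEGO
        raise ValueError("token mechanism is %s, not SPNEGO" % _decode_oid(oid_body))
    tag, neg_init, _ = _read_tlv(body, pos)       # NegotiationToken: negTokenInit [0]
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)            # NegTokenInit ::= SEQUENCE
    tag, mech_types, _ = _read_tlv(seq, 0)        # mechTypes [0] MechTypeList
    if tag != 0xA0:
        raise ValueError("NegTokenInit has no mechTypes")
    _, oid_list, _ = _read_tlv(mech_types, 0)     # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oid_list):
        tag, oid_body, pos = _read_tlv(oid_list, pos)
        if tag != 0x06:
            raise ValueError("non-OID entry in mechTypes")
        oid = _decode_oid(oid_body)
        mechs.append((oid, KNOWN_MECHS.get(oid)))
    return mechs

def offers_kerberos(mechs):
    """True if the client offers the standard Kerberos v5 mechanism OID (my helper name)."""
    return any(oid == KERBEROS_OID for oid, _ in mechs)

def build_negotiate_header(mech_oids, mech_token=b"\x00"):
    """Constructed test input only: a NegTokenInit offering mech_oids with a placeholder
    mechToken byte instead of a real Kerberos AP-REQ."""
    mech_list = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_list + _tlv(0xA2, _tlv(0x04, mech_token))))
    return "Negotiate " + base64.b64encode(_tlv(0x60, _encode_oid(SPNEGO_OID) + neg_init)).decode()

if __name__ == "__main__":
    # Constructed sample, in the order a Windows SSPI client commonly lists mechanisms.
    hdr = build_negotiate_header(["1.2.840.48018.1.2.2", KERBEROS_OID, "1.3.6.1.4.1.311.2.2.10"])
    for oid, name in parse_negotiate_header(hdr):
        print(oid, name or "(unknown mechanism)")
    print("Kerberos v5 offered:", offers_kerberos(parse_negotiate_header(hdr)))
```

To use it on a real client, copy the base64 value from the browser's Authorization header (from a proxy or the server's HTTP trace) into `parse_negotiate_header`. A client that only lists NTLMSSP, or one that sends a raw Kerberos token rather than SPNEGO, will never be accepted by an acceptor that expects a Kerberos mechanism inside SPNEGO, which is one of the cases a "does not authenticate the caller" trace line can hide.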

Former Member

Hi Tim!

I see you have forgotten this topic:

SPNego works not only with IE, and it supports more than enough GSS mech OIDs.

tim_alsop
Active Contributor

Rumen,

I hadn't forgotten. The thread you mentioned was related to Firefox support on Windows. This thread is discussing browsers on Mac OS X. I know for a fact that IE, Safari and Firefox on Mac OS X do not support exactly the same Kerberos/SPNEGO implementations as IE and Firefox on Windows. They should, but don't.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert

Well, that is exactly what causes the well-known interoperability issues which are critical for SNC certification ... (see SAP Note 150380, http://service.sap.com/~iron/fm/011000358700000431401997E/0150380).

tim_alsop
Active Contributor

Wolfgang,

This thread is not related to SNC, but you are correct: there are many interop issues when using MIT Kerberos with SAP SNC, as outlined in SAP Note 150380, and some of the same issues might be relevant when using HTTP and the SAP JAAS login module with MIT.

Thanks,

Tim

Former Member

Hi,

Just to update this topic: I was able to successfully integrate Mac OS X Safari with SPNego on the IBM JDK and MIT Kerberos. It is working fine so far, but I used to have a few issues. All was done following the help.sap.com steps for the SPNego implementation. Additionally, to make Safari communicate with SPNego, I had to install Kerberos Extras from the MIT Kerberos site.

Thanks to everybody,

Regards,

Mike
