Configuring Kerberos Authentication on J2EE Engine errors

Former Member

We have configured Kerberos authentication on our J2EE Engine (NW04s SP8), Active Directory (Windows 2003). We are running the diagtool and SPNegoLoginModule Test Configuration Web Application to test our configuration.

When we run the diagtool, we get an 'ERROR: HTTP request was not successful. Returned code is 200'. We found the following errors when looking at the default trace:

- USER_AUTH_FAILED: User account for loginid "zuser@ABC2.COM" not found.

- Can not refresh user zuser@ABC.COM

- Replay cache for zuser@ABC2.COM is null

- Error in some of the login modules

- Login Module from authentication stack errors while authenticating the caller. Most probably the authentication stack is not set up correctly.

- Credentials of zuser@ABC.COM cannot be delegated.

- SPNego authentication succeeds. Authenticated user name is zuser@ABC2.COM

When we run the SPNegoLoginModule Test Configuration Web Application, we get 'Cannot acquire credentials' on the third screen, i.e., the application is able to find the user and the krb5 file.

Any suggestions as to why this is not working? Everything is looking good on the Active Directory side. We have re-looked at the login modules and there seems to be no problem there either.

Any help will be greatly appreciated.

1 REPLY

Former Member

Please find our policy configurations used for the SPNego/Kerberos authentication, taken from the diagtool log.

[com.sun.security.jgss.accept] (size: 2)
  1. (REQUISITE) com.sun.security.auth.module.Krb5LoginModule
     #1 useKeyTab=true
     #2 keyTab=C:\SSO-files\portal-sso.keytab
     #3 useTicketCache=true
     #4 storeKey=true
     #5 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM
     #6 Debug=true (Unknown option)
     #7 doNotPrompt=true
  2. (OPTIONAL) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
     #1 com.sap.spnego.uid.resolution.attr = krb5principalname

[Info] Dec 27, 2006 3:43:55 PM

{[ticket]} (size: 5)
  1. (SUFFICIENT) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
     #1 ume.configuration.active = true
  2. (OPTIONAL) com.sap.security.core.server.jaas.SPNegoLoginModule
     #1 com.sap.spnego.creds_in_thread = true
     #2 com.sap.spnego.uid.resolution.attr = Kpnprefix
     #3 com.sap.spnego.jgss.name = host/hostname_of_J2EE.abc2.com@ABC2.COM
     #4 com.sap.spnego.uid.resolution.mode = Prefixbased
     #5 com.sap.spnego.uid.resolution.dn = dn
  3. (SUFFICIENT) com.sap.security.core.server.jaas.CreateTicketLoginModule
     #1 Ume.configuration.active = true
  4. (REQUISITE) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
  5. (OPTIONAL) com.sap.security.core.server.jaas.CreateTicketLoginModule
     #1 ume.configuration.active = true

Also find the LoginModuleTest output from the diagtool log:

(Krb5LoginModule) com.sun.security.auth.module.Krb5LoginModule
  #1 debug=true
  #2 useKeyTab=true
  #3 keyTab=c:\SSO-files\portal-sso.keytab
  #4 useTicketCache=true
  #5 storeKey=true
  #6 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM
  #7 doNotPrompt=true

(SPNegoMappingLoginModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
  #1 com.sap.spnego.uid.resolution.attr = krb5principalname

(MappingModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
  #1 com.sap.spnego.uid.resolution.attr = krb5principalname

(SPNegoLoginModule) com.sap.security.core.server.jaas.SPNegoLoginModule
  #1 com.sap.spnego.creds_in_thread = true
  #2 com.sap.spnego.uid.resolution.attr = kpnprefix
  #3 com.sap.spnego.jgss.name = portal-sso@ABC2.COM
  #4 com.sap.spnego.uid.resolution.mode = prefixbased
  #5 com.sap.spnego.uid.resolution.dn = dn
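The diagtool output in the reply above is a list of JAAS option lines and a keytab path, so the first thing to check offline is whether those two agree with each other. The script below is an added example, not SAP's diagtool or any code from the thread: it parses option lines in the "#n key=value" form the diagtool prints, parses an MIT-format keytab (version 0x0502), and reports the mismatches that typically sit behind a 'Cannot acquire credentials' result: a principal absent from the keytab or differing from it only in case, an SPNegoLoginModule jgss.name that is not the Krb5LoginModule principal, and misspelled option names (Krb5LoginModule option names are case sensitive, which is why the log marks "Debug" as an unknown option). The option text is transcribed from the reply; the keytab bytes are constructed by build_keytab() with a dummy key, since no keytab from the thread is available. Whether these particular mismatches are the poster's root cause is not something the page confirms.

```python
"""Consistency checks between diagtool-style JAAS options and a keytab.

Added example for the SPNego/Kerberos thread above; not part of SAP's diagtool.
The keytab written by build_keytab() is constructed here with a dummy key.
"""
import re
import struct

KRB5_NT_PRINCIPAL = 1   # name type stored in the keytab entry
ETYPE_RC4_HMAC = 23     # enctype number only; no cryptography happens here
KNOWN_KRB5_OPTIONS = {"debug", "useKeyTab", "keyTab", "useTicketCache", "ticketCache",
                      "storeKey", "principal", "doNotPrompt", "refreshKrb5Config",
                      "isInitiator", "renewTGT", "useFirstPass", "tryFirstPass",
                      "storePass", "clearPass"}

# Option lines transcribed from the diagtool log in the reply above.
KRB5_OPTIONS = r"""
#1 useKeyTab=true
#2 keyTab=C:\SSO-files\portal-sso.keytab
#3 useTicketCache=true
#4 storeKey=true
#5 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM
#6 Debug=true (Unknown option)
#7 doNotPrompt=true
"""
SPNEGO_OPTIONS = r"""
#1 com.sap.spnego.creds_in_thread = true
#2 com.sap.spnego.uid.resolution.attr = kpnprefix
#3 com.sap.spnego.jgss.name = portal-sso@ABC2.COM
#4 com.sap.spnego.uid.resolution.mode = prefixbased
#5 com.sap.spnego.uid.resolution.dn = dn
"""
OPTION_RE = re.compile(r"^\s*#\d+\s+([\w.]+)\s*=\s*(\S+)")


def parse_options(text):
    """Turn diagtool '#n key=value' lines into a dict; trailing notes are dropped."""
    return {m.group(1): m.group(2)
            for m in (OPTION_RE.match(l) for l in text.splitlines()) if m}


def build_keytab(entries):
    """Serialize (principal, kvno, key) tuples as an MIT keytab v2 (0x0502)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # type, time, vno8
        body += struct.pack(">HH", ETYPE_RC4_HMAC, len(key)) + key
        body += struct.pack(">I", kvno)                                 # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(buf, off):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab v2 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        e, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, off = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(e, off)
            comps.append(c)
        off += 8                            # skip name_type and timestamp
        vno8, off = e[off], off + 1
        etype, klen = struct.unpack(">HH", e[off:off + 4])
        off += 4 + klen
        vno = struct.unpack(">I", e[off:off + 4])[0] if off + 4 <= len(e) else vno8
        entries.append(("/".join(comps) + "@" + realm, vno, etype))
    return entries


def check(krb5_opts, spnego_opts, keytab_entries):
    """Return human-readable findings; an empty list means the pieces agree."""
    findings, names = [], [p for p, _, _ in keytab_entries]
    principal = krb5_opts.get("principal")
    if principal is None:
        findings.append("Krb5LoginModule has no 'principal' option")
    elif principal not in names:
        same_ci = [p for p in names if p.lower() == principal.lower()]
        if same_ci:
            findings.append(f"principal {principal} differs from keytab entry {same_ci[0]} "
                            "only in case; Kerberos principal names are case sensitive")
        else:
            findings.append(f"principal {principal} is not in the keytab: {sorted(set(names))}")
    jgss = spnego_opts.get("com.sap.spnego.jgss.name")
    if jgss and principal and jgss != principal:
        findings.append(f"com.sap.spnego.jgss.name {jgss} is not the Krb5LoginModule principal {principal}")
    if krb5_opts.get("useKeyTab", "").lower() != "true":
        findings.append("useKeyTab is not true, so the keytab will not be used")
    lowered = {k.lower(): k for k in KNOWN_KRB5_OPTIONS}
    for k in krb5_opts:
        if k not in KNOWN_KRB5_OPTIONS and k.lower() in lowered:
            findings.append(f"option '{k}' is unknown (names are case sensitive); use '{lowered[k.lower()]}'")
    return findings


if __name__ == "__main__":
    keytab = parse_keytab(build_keytab([("host/hostname_of_J2EE.abc2.com@ABC2.COM", 3, b"\x11" * 16)]))
    for finding in check(parse_options(KRB5_OPTIONS), parse_options(SPNEGO_OPTIONS), keytab):
        print("-", finding)
```

Run as-is it flags two things in the posted configuration: the SPNegoLoginModule jgss.name (portal-sso@ABC2.COM) is not the principal the Krb5LoginModule loads from the keytab, and the "Debug" option is not recognised. To use it against a real system, replace the constructed keytab with `parse_keytab(open(path, "rb").read())` and paste the option lines from your own diagtool log.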