12-28-2006 4:48 PM
We have configured Kerberos authentication on our J2EE Engine (NW04s SP8), Active Directory (Windows 2003). We are running the diagtool and SPNegoLoginModule Test Configuration Web Application to test our configuration.
When we run the diagtool, we get an 'ERROR: HTTP request was not successful. Returned code is 200'. We found the following errors when looking at the default trace:
- USER_AUTH_FAILED: User account for loginid "zuser@ABC2.COM" not found.
- Can not refresh user zuser@ABC.COM
- Replay cache for zuser@ABC2.COM is null
- Error in some of the login modules
- Login Module from authentication stack errors while authenticating the caller. Most probably the authentication stack is not set up correctly.
- Credentials of zuser@ABC.COM cannot be delegated.
- SPNego authentication succeeds. Authenticated user name is zuser@ABC2.COM
When we run the SPNegoLoginModule Test Configuration Web Application, we get 'Cannot acquire credentials' on the third screen, i.e. the application is able to find the user and the krb5 file.
Any suggestions as to why this is not working? Everything is looking good on the Active Directory side. We have re-checked the login modules and there seems to be no problem there as well.
Any help will be greatly appreciated.
12-28-2006 8:11 PM
Please find our policy configurations used for the SPNego/Kerberos authentication from the diagtool log.
[com.sun.security.jgss.accept] (size: 2)
1. (REQUISITE) com.sun.security.auth.module.Krb5LoginModule
#1 useKeyTab=true
#2 keyTab=C:\SSO-files\portal-sso.keytab
#3 useTicketCache=true
#4 storeKey=true
#5 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM
#6 Debug=true (Unknown option)
#7 doNotPrompt=true
2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
#1 com.sap.spnego.uid.resolution.attr = krb5principalname
[Info] Dec 27, 2006 3:43:55 PM
{[ticket]}(size: 5)
1. ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
#1 ume.configuration.active = true
2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoLoginModule
#1 com.sap.spnego.creds_in_thread = true
#2 com.sap.spnego.uid.resolution.attr = Kpnprefix
#3 com.sap.spnego.jgss.name = host/hostname_of_J2EE.abc2.com@ABC2.COM
#4 com.sap.spnego.uid.resolution.mode = Prefixbased
#5 com.sap.spnego.uid.resolution.dn = dn
3. ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
#1 Ume.configuration.active = true
4. ( REQUISITE ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
5. ( OPTIONAL ) com.sap.security.core.server.jaas.CreateTicketLoginModule
#1 ume.configuration.active = true
Also find LoginModuleTest from diagtool log:
(Krb5LoginModule) com.sun.security.auth.module.Krb5LoginModule
#1 debug=true
#2 useKeyTab=true
#3 keyTab=c:\SSO-files\portal-sso.keytab
#4 useTicketCache=true
#5 storeKey=true
#6 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM
#7 doNotPrompt=true
(SPNegoMappingLoginModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
#1 com.sap.spnego.uid.resolution.attr = krb5principalname
(MappingModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
#1 com.sap.spnego.uid.resolution.attr = krb5principalname
(SPNegoLoginModule) com.sap.security.core.server.jaas.SPNegoLoginModule
#1 com.sap.spnego.creds_in_thread = true
#2 com.sap.spnego.uid.resolution.attr = kpnprefix
#3 com.sap.spnego.jgss.name = portal-sso@ABC2.COM
#4 com.sap.spnego.uid.resolution.mode = prefixbased
#5 com.sap.spnego.uid.resolution.dn = dn
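A small checker, added here as an example and not part of either post or of SAP's diagtool, that parses the policy dump format quoted above and flags the kinds of inconsistency visible in it: Krb5LoginModule option names that will be ignored because only their case differs from a real option (the dump itself marks `Debug` as an unknown option), option values that differ between the `[ticket]` stack and the LoginModuleTest entry for the same module (`com.sap.spnego.jgss.name`), option names spelled with more than one capitalisation (`ume.configuration.active` / `Ume.configuration.active`), and a user the trace reports under two realms (`ABC.COM` and `ABC2.COM`). The sample dump and trace lines are constructed, abridged copies of the ones in the thread; the set of Krb5LoginModule option names is taken from the JDK documentation. Whether SAP treats its own option values case-insensitively is not something the posts settle, so the checker only reports the drift and leaves the judgement to whoever reads the output.

```python
import re
from collections import defaultdict

# Constructed, abridged copy of the diagtool policy dump and trace lines quoted in the thread.
SAMPLE_DUMP = r"""
[com.sun.security.jgss.accept] (size: 2)
1. (REQUISITE) com.sun.security.auth.module.Krb5LoginModule
#1 keyTab=C:\SSO-files\portal-sso.keytab
#2 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM
#3 Debug=true (Unknown option)
2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoMappingLoginModule
#1 com.sap.spnego.uid.resolution.attr = krb5principalname
{[ticket]}(size: 5)
1. ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
#1 ume.configuration.active = true
2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoLoginModule
#1 com.sap.spnego.uid.resolution.attr = Kpnprefix
#2 com.sap.spnego.jgss.name = host/hostname_of_J2EE.abc2.com@ABC2.COM
3. ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
#1 Ume.configuration.active = true
(Krb5LoginModule) com.sun.security.auth.module.Krb5LoginModule
#1 debug=true
(SPNegoLoginModule) com.sap.security.core.server.jaas.SPNegoLoginModule
#1 com.sap.spnego.uid.resolution.attr = kpnprefix
#2 com.sap.spnego.jgss.name = portal-sso@ABC2.COM
"""
TRACE_LINES = [
    'USER_AUTH_FAILED: User account for loginid "zuser@ABC2.COM" not found.',
    "Can not refresh user zuser@ABC.COM",
    "Credentials of zuser@ABC.COM cannot be delegated.",
    "SPNego authentication succeeds. Authenticated user name is zuser@ABC2.COM",
]
# Option names the JDK's Krb5LoginModule recognises; the module matches them case-sensitively.
KRB5_OPTIONS = {"debug", "useKeyTab", "keyTab", "useTicketCache", "ticketCache", "storeKey",
                "principal", "doNotPrompt", "refreshKrb5Config", "renewTGT", "isInitiator",
                "useFirstPass", "tryFirstPass", "storePass", "clearPass"}

STACK_RE = re.compile(r"^(?:\[|\{\[)([^\]]+)\]\}?\s*\(size")   # "[name] (size: n)" or "{[name]}(size: n)"
TEST_RE = re.compile(r"^\((\w+)\)\s+(\S+)$")                    # "(Label) class" rows of the LoginModuleTest
MODULE_RE = re.compile(r"^\d+\.\s*\(\s*(\w+)\s*\)\s*(\S+)$")    # "1. ( SUFFICIENT ) class"
OPTION_RE = re.compile(r"^#\d+\s+(\S+?)\s*=\s*(.*?)\s*(\(Unknown option\))?$")
PRINCIPAL_RE = re.compile(r"\b([\w.-]+)@([A-Z0-9.-]+)\b")       # user@REALM tokens in trace lines


def parse_dump(text):
    """Split the dump into {stack, module, options, unknown} entries, one per login module."""
    entries, stack, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := STACK_RE.match(line):
            stack, cur = m.group(1), None
        elif m := TEST_RE.match(line):
            cur = {"stack": "LoginModuleTest", "module": m.group(2), "options": {}, "unknown": []}
            entries.append(cur)
        elif m := MODULE_RE.match(line):
            cur = {"stack": stack, "module": m.group(2), "options": {}, "unknown": []}
            entries.append(cur)
        elif (m := OPTION_RE.match(line)) and cur is not None:
            cur["options"][m.group(1)] = m.group(2)
            if m.group(3):  # diagtool already marked this option as unknown
                cur["unknown"].append(m.group(1))
    return entries


def check_krb5_option_case(entries):
    """Krb5LoginModule options that are ignored because only their case differs from a real option."""
    by_lower = {o.lower(): o for o in KRB5_OPTIONS}
    return [(e["stack"], k, by_lower[k.lower()]) for e in entries if e["module"].endswith("Krb5LoginModule")
            for k in e["options"] if k not in KRB5_OPTIONS and k.lower() in by_lower]


def check_value_drift(entries):
    """(module, option) pairs whose value differs between stacks, mapped to value -> stacks using it."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in entries:
        for key, value in e["options"].items():
            seen[(e["module"].rsplit(".", 1)[-1], key)][value].add(e["stack"])
    return {pair: dict(values) for pair, values in seen.items() if len(values) > 1}


def check_key_case(entries):
    """Option names that appear with more than one capitalisation anywhere in the dump."""
    spellings = defaultdict(set)
    for e in entries:
        for key in e["options"]:
            spellings[key.lower()].add(key)
    return {name: forms for name, forms in spellings.items() if len(forms) > 1}


def realms_per_user(lines):
    """Map each user named as user@REALM in the trace lines to the set of realms it is reported under."""
    realms = defaultdict(set)
    for line in lines:
        for user, realm in PRINCIPAL_RE.findall(line):
            realms[user].add(realm)
    return dict(realms)


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print("ignored Krb5LoginModule options:", check_krb5_option_case(entries))
    print("values that differ between stacks:", check_value_drift(entries))
    print("option names with mixed case:", check_key_case(entries))
    print("realms per user in the trace:", realms_per_user(TRACE_LINES))
```

Run it against a full diagtool dump by replacing `SAMPLE_DUMP` with the file contents; every finding it prints is something to verify by hand against the keytab, the SPN registered in Active Directory and the UME data source, since the checker only knows what is in the text it was given.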