
Not able to login using headervar login module.

Former Member
0 Kudos

I am trying to log into SAP NetWeaver EP (SP 9) using a header variable, but it shows authentication failed.

I have downloaded and installed the SAP NetWeaver Java trial version.

Actually, we have our own security provider (Oracle Access Manager), and we want users to authenticate to SAP EP (SP 9) via Oracle Access Manager.

I have an Apache web server on a Linux machine, and I have configured a reverse proxy so that every request for /irj goes to the SAP EP portal, which is installed on a Windows machine.

I have also created the header variable login module and added it to the ticket login module stack.

When I try to access /irj via the proxy server, I fail to log in to SAP EP.

Please help me with this issue.

Does anybody have the exact steps to configure external authentication by header variable for SAP NetWeaver EP?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

The following error message indicates that you did not configure the headervar login module correctly:

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED

Cannot load login module class.

Please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/68/5ddc40132a8531e10000000a1550b0/frameset.htm">docs for the module</a>. I would guess that you did not add the module to the Security Provider Service (as stated in the prerequisites part).

Regards,

Patrick

23 REPLIES 23

Former Member
0 Kudos

Here is my authscheme.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Configuration File for Authentication Schemes -->
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/authschemes.xml#4 $ from $DateTime: 2004/01/20 17:27:21 $ ($Change: 14181 $) -->
<document>
  <authschemes>
    <!-- authschemes, the name of the node is used -->
    <authscheme name="uidpwdlogon">
      <!-- multiple login modules can be defined -->
      <authentication-template>
        ticket
      </authentication-template>
      <priority>20</priority>
      <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
      <frontendtype>2</frontendtype>
      <!-- target object -->
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="certlogon">
      <authentication-template>
        client_cert
      </authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="basicauthentication">
      <authentication-template>
        ticket
      </authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
    </authscheme>
    <authscheme name="header">
      <authentication-template>
        header
      </authentication-template>
      <priority>5</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
    </authscheme>
    <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
    <authscheme name="anonymous">
      <priority>-1</priority>
    </authscheme>
  </authschemes>
  <!-- References for Authentication Schemes, this section must be after authschemes -->
  <authscheme-refs>
    <authscheme-ref name="default">
      <authscheme>header</authscheme>
    </authscheme-ref>
    <authscheme-ref name="UserAdminScheme">
      <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
  </authscheme-refs>
</document>

And here is my security.log:

#1.5#0002E3527F2500610000016700001E88000428C770FF5740#1170736966108#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

#1.5#0002E3527F2500520000046700001E88000428C77100C378#1170736966202#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500520000046800001E88000428C77101136B#1170736966233#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500520000046900001E88000428C771011865#1170736966233#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

#1.5#0002E3527F2500620000006200001E88000428C7739E351B#1170737010076#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_14##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500620000006300001E88000428C7739EA7B8#1170737010107#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [12affffffacffffffbe001641]####SAPEngine_Application_Thread[impl:3]_14##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.MODIFY | UACC.PRIVATE_DATASOURCE.un:user1k1 | | SET_ATTRIBUTE: lockreason=[1], SET_ATTRIBUTE: islocked=[true]#

#1.5#0002E3527F2500620000006400001E88000428C7739EB50F#1170737010107#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_14##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500620000006500001E88000428C7739EBA15#1170737010107#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_14##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

#1.5#0002E3527F250060000000A500001E88000428CCCEC5963D#1170760014289#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#Administrator#27965#####SAPEngine_Application_Thread[impl:3]_12##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.OK

User: Administrator

Authentication Stack: SAP-J2EE-Engine

Login Module Flag Initialize Login Commit Abort Details

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok true true

Central Checks true #

I have configured the ticket login module stack like this:

EvaluateTicketLoginModule

HeaderVariableLoginModule

CreateTicketLoginModule

BasicPasswordLoginModule

CreateTicketLoginModule

Please help me as soon as possible.

0 Kudos

Hi,

The documentation for the header login module is here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/d0/a3d940c2653126e10000000a1550b0/content.htm

Double check that the login module is registered correctly in the user store. Hope this helps.

Regards,

Yonko

Former Member
0 Kudos

Hi,

The following error message indicates that you did not configure the headervar login module correctly:

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED

Cannot load login module class.

Please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/68/5ddc40132a8531e10000000a1550b0/frameset.htm">docs for the module</a>. I would guess that you did not add the module to the Security Provider Service (as stated in the prerequisites part).

Regards,

Patrick

Former Member
0 Kudos

Hi,

I have already added the header variable login module to the Security Provider service by doing the following:

-


a. In the Visual Administrator, choose Security Provider.

b. Choose the User Management tab and choose Manage Security Stores.

The currently active user store and the login modules for that user store are displayed.

c. Choose Add Login Module.

A dialog box prompting you to choose an editor for the login module option appears.

d. Choose OK.

A dialog box prompting you to add a login module appears.

e. Fill in the fields as follows:

Class Name

com.sap.security.core.server

.jaas.HeaderVariableLoginModule

Display Name

HeaderVariableLoginModule

f. Choose OK.

The HeaderVariableLoginModule now appears in the list of login modules for the active user store.

-


I have also added the header variable login module to the existing ticket login module as follows:

-


com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=OB_USER}

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

-


I also tried different flags (i.e. REQUISITE, OPTIONAL).

But in the security log I can see [userid=null], which means it is not fetching the header variable that I pass.

Please help me with this.

0 Kudos

Hi,

Is the following error message gone:

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.

?

BTW: which trial version did you download? To my knowledge, there is no EP6 SP9 download.

Regards,

Patrick

Former Member
0 Kudos

My security logs are as follows:

#1.5#0002E3527F2500520000057800001E88000428E09707D2C5#1170844978393#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

#1.5#0002E3527F2500610000025100001E88000428E1955F504D#1170849245452#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUISITE Cannot load login module class.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500610000025200001E88000428E1955FA709#1170849245467#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [12affffffacffffffbe001d16]####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.MODIFY | UACC.PRIVATE_DATASOURCE.un:user1k1 | | SET_ATTRIBUTE: islocked=[true], SET_ATTRIBUTE: lockreason=[1]#

#1.5#0002E3527F2500610000025300001E88000428E1955FB465#1170849245467#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUISITE Cannot load login module class.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500610000025400001E88000428E1955FB97F#1170849245467#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

I have downloaded SAP NetWeaver 04s SP9.

The download link is: https://www.sdn.sap.com/irj/sdn/downloaditem?rid=/library/uuid/cfc19866-0401-0010-35b2-dc8158247fb6

0 Kudos

Hi,

The very same error is still in there:

com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUISITE <b>Cannot load login module class.</b>

As long as this is not fixed, the login will not work.

Please remove and add the module to the security service and then to the logon stack again. Maybe there is a typo.

Regards,

Patrick
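One way to pull the failing row out of security.log automatically, as an added example (not part of the thread and not SAP tooling). In the entries posted in this thread the failing row shows the class name with an embedded space ("...server .jaas..."), which may indicate a stray space or line break in the registered class name, so the parser flags that alongside the load error. The sample log is constructed from the record layout shown above; record ids and the IP address are placeholders, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")
# A module row is "<class name> <FLAG> <status columns...>". The class name is
# allowed to contain whitespace so that a mistyped registration is still parsed.
ROW_RE = re.compile(r"^(?P<cls>\S.*?)\s+(?P<flag>%s)\b\s*(?P<rest>.*)$" % "|".join(FLAGS))
# Login-context records end their header line with ###LOGIN.OK or ###LOGIN.FAILED.
START_RE = re.compile(r"###(?P<result>LOGIN\.(?:OK|FAILED))\s*$")


@dataclass
class ModuleRow:
    class_name: str
    flag: str
    status: str
    problems: list = field(default_factory=list)


@dataclass
class LoginRecord:
    result: str
    user: str = ""
    stack: str = ""
    modules: list = field(default_factory=list)


def parse_row(line):
    """Parse one login-module row; return None for header or other lines."""
    m = ROW_RE.match(line)
    if not m:
        return None
    cls = m.group("cls")
    row = ModuleRow(cls, m.group("flag"), m.group("rest").rstrip("# ").strip())
    if re.search(r"\s", cls):
        fixed = re.sub(r"\s+", "", cls)
        row.problems.append("class name contains whitespace; expected form: %r" % fixed)
    if "Cannot load login module class" in row.status:
        row.problems.append("login module class could not be loaded")
    return row


def parse_records(text):
    """Collect LOGIN.OK / LOGIN.FAILED records with their module tables."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # a new log record begins
            m = START_RE.search(line)
            cur = LoginRecord(m.group("result")) if m else None
            if cur:
                records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("User:"):
            cur.user = line.split(":", 1)[1].strip()
        elif line.startswith("Authentication Stack:"):
            cur.stack = line.split(":", 1)[1].strip()
        else:
            row = parse_row(line)
            if row:
                cur.modules.append(row)
    return records


def findings(records):
    """Return (stack, class name, problem) for every flagged row of a failed login."""
    return [(r.stack, m.class_name, p)
            for r in records if r.result == "LOGIN.FAILED"
            for m in r.modules for p in m.problems]


# Constructed sample: abridged header lines, placeholder ids and IP address.
SAMPLE_LOG = """\
#1.5#CONSTRUCTED-0001#1170736966202#/System/Security/Authentication#sap.com/irj#Guest#0#Info#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#CONSTRUCTED-0002#1170736966233#/System/Security/Audit#sap.com/irj#Guest#0#Warning#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[192.0.2.10], Reason=[Authentication did not succeed.]#
#1.5#CONSTRUCTED-0003#1170924732633#/System/Security/Authentication#sap.com/irj#Guest#0#Info#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
"""

if __name__ == "__main__":
    for stack, cls, problem in findings(parse_records(SAMPLE_LOG)):
        print("[%s] %s: %s" % (stack, cls, problem))
```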

Former Member
0 Kudos

Hi,

I have removed and re-added the header variable login module and also added it to the ticket login stack,

but I am still not able to log in to EP via the proxy.

My security log is now:

#1.5#0002E3527F2500610000030B00001E88000428F328C21163#1170924732633#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500610000030C00001E88000428F328C21665#1170924732633#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

I can see userid=null here.

Can you please tell me why it comes out null, and why the header is not fetched correctly by the headervar module?

I have added the headervar login module to the ticket login module stack like this:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=HTTP_OB_USER}

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

Regards,

Bhavin

0 Kudos

So the first issue is now fixed, as the module now loads.

Can you make an HTTP trace and show what the request header looks like for the system?

Info on <a href="http://educontent.wdf.sap.corp:1080/teched05/powerpoints/AGS200.pdf">how to trace</a> can be found in the docs.

Regards,

Patrick

Former Member
0 Kudos

Hi,

The link you mentioned is not working. I mean I am unable to access it; can you please check the link you mentioned?

Actually, we are passing the header name "OB_USER" to the HeaderVar login module.

I have enabled Perl and found the HTTP request headers below:

SCRIPT_NAME = /cgi-bin/printenv.pl
SERVER_NAME = ps3853
SERVER_ADMIN = you@example.com
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_CONNECTION = Keep-Alive
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, /
SCRIPT_FILENAME = /home/qa/bhavin/apache2_0_5/htdocs/cgi-bin/printenv.pl
SERVER_SOFTWARE = Apache/2.0.52 (Unix)
REMOTE_USER = user1k1
QUERY_STRING =
REMOTE_PORT = 1626
<b>HTTP_OB_USER</b> = user1k1
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.0.3705; InfoPath.1)
SERVER_PORT = 9800
SERVER_SIGNATURE =

Apache/2.0.52 (Unix) Server at ps3853 Port 9800

<BR> HTTP_ACCEPT_LANGUAGE = en-us<BR> HTTP_COOKIE = ObSSOCookie=9kneq84pVCglFjYZuU7D%2FxX9D%2Fh8e7DGvbuzBZ9rWDnAQ%2B1vsU9%2FKqRFYlvRwLRzXvLrFo%2F3bCIXNkTr%2BXVHJUzGFHTOUEeJvyEFhv%2Fo7NgppwwQEMLgNDlzcsFIVndM5QfSQieFAGWOJ3ZoRyZJzo%2F3YHYFu1rRioAX481cltxW%2BFO7idvIOaoP%2BdFsgC9zKPuuPAI9QIKN5s9ckhY5veUoGm0GKY5LRwS7vgvs62sNBKEyOgHfyhpqxWczGGITAnjp%2BTSj%2F4n%2BpSa4th2ENwiJfuj3ixQA3CuIBJXTNQXNWWI2GD%2B%2BNnk4Is7MrsUkPM1iU5jrmmssWY7W3GxRFLup7V5qP3JPzaAN7jcF8h317SLipdYzk%2FfenpHnu6x8r0DTRsRUP8INncrIJIoCZCnPKJ1oL%2FONSk8hJd1K2nO6c8jtWCZUFE0JfJFGLNF%2FmJXt0hRvhEaw5WcEcjFXnAC8Gb65p%2FRPNWx5NNDC1PDCivRTdaWysXeXU8n9TFBIfE%2BctHA%2FwZRXem%2B3h%2Fmf7g%3D%3D; OBBasicAuth=fromCache; saplb_*=(J2EE19573900)19573950; PortalAlias=portal; JSESSIONID=(J2EE19573900)ID0896868050DB01672514996077683785End<BR> REMOTE_ADDR = 10.77.199.162<BR> SERVER_PROTOCOL = HTTP/1.1<BR> PATH = /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/qa/bin<BR> REQUEST_URI = /cgi-bin/printenv.pl<BR> GATEWAY_INTERFACE = CGI/1.1<BR> SERVER_ADDR = 10.77.199.64<BR> DOCUMENT_ROOT = /home/qa/bhavin/apache2_0_5/htdocs<BR> HTTP_HOST = ps3853:9800<BR>

Here you can find HTTP_OB_USER = user1k1, which is the user to authenticate, but in the security log I can see userid=null.

I am not sure whether this is the HTTP trace that you want. If not, then please help me to make a trace of the HTTP request.

Regards,

Bhavin

0 Kudos

Hi,

Sorry, I did add the wrong link, but this wasn't the error anyway. Your logon stack config is wrong.

It should read:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT

com.sap.security.core.server.jaas.HeaderVariableLoginModule OPTIONAL

com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL

Please see <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/68/5ddc40132a8531e10000000a1550b0/frameset.htm">the docs for header based authentication</a> for details.

Regards,

Patrick

Message was edited by:

Patrick Hildenbrand

Former Member
0 Kudos

Hi, I have configured my login module as you said:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT

com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE

com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL

but I am still facing a problem logging in.

My security log is now:

#1.5#0002E3527F250058000007E400001E880004290761926384#1171011585104#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false

com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F250058000007E500001E880004290761926846#1171011585104#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_10##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

Regards,

Bhavin

0 Kudos

Are you able to use password-based authentication to log on as user1k1?

regards,

Patrick

Former Member
0 Kudos

Actually, we have the user user1k1 on SAP EP and also on our Directory Server.

We have our back-end database on the Directory Server,

which has the username: user1k1

and the SAP EP user manager also has the user: user1k1

I have a web server on a Linux machine and have also configured the proxy setup for SAP EP,

i.e. if I access the /irj resource through the proxy server, it shows me the SAP EP logon page, and SAP EP resides on a different machine.

This should be the ideal situation:

We have our product, which authenticates and authorizes the users. When I access the /irj resource through the proxy server, our product asks for credentials, and for a valid user it will send the header (OB_USER); the SAP EP header variable login module should read the header and authenticate the user.

But when I access the /irj resource through the proxy server, I am not able to log in to SAP EP with our user. It shows authentication denied, even if I provide credentials which reside in SAP EP.

I am only able to log in with the user by accessing the URL directly, not via the proxy server.

Regards,

Bhavin

0 Kudos

Please first try to get basic authentication working over the proxy. If this does not work, there might be an issue with the proxy config. Based on the logon stack, you should be able to at least use form-based authentication over the proxy.

regards,

Patrick

Former Member
0 Kudos

Hello,

I tried to access the portal resource /irj via the proxy server, but I get the portal login screen with user authentication failed.

Then I entered the username user1k1 and password on the failed login page, and it allowed me into the portal.

This is my log:

#1.5#0002E3527F25005800000A3F00001E88000429551CBB937E#1171345437742#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#user1k1#86466#####SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.OK

User: user1k1

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false

com.sap.security.core.server.jaas.HeaderVariableLoginModule SUFFICIENT ok false false

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false false

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true

Central Checks true #

#1.5#0002E3527F25005800000A4000001E88000429551CBB96B8#1171345437742#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#user1k1#86466#####SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###user1k1 | LOGIN.OK | USER.PRIVATE_DATASOURCE.un:user1k1 | | IP Address=[10.77.199.64]#

<b>One thing: when our Directory Server username and password are the same as the Portal user store username and password, then when I try to access /irj via the proxy, it directly lets me into the portal without popping up the portal's login.</b>

So it means the proxy is not the problem.

So can you please give me some more suggestions to solve the issue?

Regards,

Bhavin

0 Kudos

Hi,

Per your last message, your logon stack is wrong again; it should read:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT

com.sap.security.core.server.jaas.HeaderVariableLoginModule <b>OPTIONAL</b>

com.sap.security.core.server.jaas.CreateTicketLoginModule <b>SUFFICIENT</b>

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL

regards,

Patrick

Message was edited by:

Patrick Hildenbrand

Former Member
0 Kudos

Hello,

I have tried the login stack you suggested, but I failed to log in.

I don't think this is an issue with the login stack.

Here is my log. In it, login id=null; I can't understand why it is setting the userid to null even though I am sending you the header variable.

#1.5#0002E3527F2500520000085D00001E8800042957353D81CF#1171354438850#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false

com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #

#1.5#0002E3527F2500520000085E00001E8800042957353D86F4#1171354438850#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#

Regards,

Bhavin

0 Kudos

Hi,

The HeaderLogin module does not detect your header. Thus it will not set the user in the shared space, and the BasicPassword module was called; as you did not enter a password or entered the wrong one, the user was NULL in the end.

Please enable tracing on the J2EE engine to see how the header variable looks to the J2EE engine. You can find the docs on how to enable this under <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/8e/af3442d692ae04e10000000a1550b0/frameset.htm">Enabling HTTP Traces</a> in the docs.

BTW: it seems I mixed up the stack myself now. The right config for the HeaderVariableLoginModule should be

HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, windows_integrated=false, Header=HTTP_OB_USER}

In the configuration from me above, you will not see a password based logon screen.

Regards,

Patrick

Former Member
0 Kudos

Hello,

I have enabled the HTTP trace for the header.

This is my HTTP trace:

[1171364112305][Feb 13, 2007 4:25:12 PM ] - CLIENT: 339712, REQUEST:

{GET /irj/portalapps/com.sap.portal.runtime.logon/layout/sapLogo.gif HTTP/1.1

Host: ps3853:9800

Accept: /

Referer: http://ps3853:9800/irj/portal

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.0.3705; InfoPath.1)

Cookie: ObSSOCookie=B%2FqlQgNoRP9KU2PyHsmioq%2BgeW1w8qQvKJSGF9lkFB0ZS%2BKkg%2FEiwT3QhiHZe%2BpjT%2FjCbi7zaF8o9fJf6IVFR%2Fd0KkV6Idzc2%2F7xO%2FRTnBB3TqjHM6tkot5QHl7WL3rAlKchvp7IBUxAoi25pL8UOWrzIQt5mFE6feeM%2Bw5Bmr%2FoYcLPhJ%2FP9tR6ocK%2BEU0bO0f7XMgz%2FmwIoLZtTM8JQ9ArJ19bEP2G712l5JkyG7OVB1%2B2fGirU4YzwfNy7vK1YkibixHQoMh%2BJ8jKLpTMCGJBAvVnazUjaOGpULx9ChicpBJwT%2BJ2ck9EH0IpYSZtuHKmBJ9SqP%2F6zcMa7k8VM8frFFt8htkIIs9uMcOnIfcDjiu7rjD1s%2BW1tavo6wLPBfCAlLEt1wmAyvTFLXR0ho3B7VqaYdCcGhQyPeaPTG1e6epTtnuMwX7JXpfhoBqDhz4maqn4LnJr%2FcvPXzPNN8RWiXmHtiLuHfbhtX6Se7goh79dbarjOLpbLgqMlaChynuWUZaa24%2Fuuyo7qByngA%3D%3D; OBBasicAuth=fromCache; saplb_*=(J2EE19573900)19573950; PortalAlias=portal; JSESSIONID=(J2EE19573900)ID1169086150DB00938859532017568428End

Authorization: Basic dXNlcjFrMTpvYmxpeDM0NQ==

<b>OB_USER</b>: user1k1

Max-Forwards: 10

X-Forwarded-For: 10.77.199.162

X-Forwarded-Host: ps3853:9800

X-Forwarded-Server: ps3853.persistent.co.in

}

[1171364112305][Feb 13, 2007 4:25:12 PM ] - CLIENT: 340480, REPLY:

{HTTP/1.1 200 OK

Server: SAP J2EE Engine/7.00

Content-Type: image/gif

Last-Modified: Fri, 02 Feb 2007 07:21:57 GMT

Cache-Control: max-age=86400

Content-Length: 43

Date: Tue, 13 Feb 2007 10:55:12 GMT

}

[1171364112305][Feb 13, 2007 4:25:12 PM ] - CLIENT: 340480, RESPONSE TIME: 0

[1171364112320][Feb 13, 2007 4:25:12 PM ] - CLIENT: 339712, REPLY:

{HTTP/1.1 200 OK

Server: SAP J2EE Engine/7.00

Content-Type: image/gif

Last-Modified: Fri, 02 Feb 2007 07:59:00 GMT

Cache-Control: max-age=86400

Content-Length: 1426

Date: Tue, 13 Feb 2007 10:55:12 GMT

}

[1171364112320][Feb 13, 2007 4:25:12 PM ] - CLIENT: 339712, RESPONSE TIME: 15

Here I can see the header variable OB_USER (in bold), which is sent to SAP EP.

Can you please analyze the trace and tell me where I am wrong?

Regards,

Bhavin

0 Kudos

Hmm,

Above you stated the header is HTTP_OB_USER, not OB_USER as the trace shows.

> Can you please tell me why it comes out null, and why the header is not fetched correctly by the headervar module?

>

> I have added the headervar login module to the ticket login module stack like this:

>

> com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

> com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=HTTP_OB_USER}

> com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

> BasicPasswordLoginModule REQUISITE {}

> com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

>

>

>Regards,

>Bhavin

regards,

Patrick
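The mismatch pointed out in this reply, as an added check (not code from the thread or from SAP): printenv.pl reports request headers as CGI variables, which are upper-cased, have "-" replaced by "_" and are prefixed with HTTP_, so HTTP_OB_USER in the CGI output is the header OB_USER on the wire and in the J2EE HTTP trace. The function names and the sample trace are constructed for illustration, and header names are compared case-insensitively as HTTP defines them.

```python
def request_headers(trace):
    """Parse REQUEST blocks of a J2EE-style HTTP trace.

    Returns one dict per request: lower-cased header name -> (original name, value).
    """
    requests, cur, want = [], None, False
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            # A block starts on the "{GET ..." line that follows "... REQUEST:".
            if want and line.startswith("{"):
                cur = {}
            want = line.endswith("REQUEST:")
            continue
        if line == "}":
            requests.append(cur)
            cur = None
        elif ":" in line:
            name, value = line.split(":", 1)
            cur[name.strip().lower()] = (name.strip(), value.strip())
    return requests


def module_options(text):
    """Parse a login-module option string such as '{a=b, Header=OB_USER}'."""
    opts = {}
    for part in text.strip().strip("{}").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def cgi_name(header):
    """CGI meta-variable name for a request header (e.g. Host -> HTTP_HOST)."""
    return "HTTP_" + header.upper().replace("-", "_")


def check_header_option(options, headers):
    """Compare the module's Header option with the headers actually received.

    Returns ("ok", name) when the configured header is present,
    ("cgi-name", wire_name) when the option holds the CGI form of a header
    that is present under its wire name, ("absent", None) when nothing
    matches, and ("unset", None) when no Header option is configured.
    """
    configured = options.get("Header")
    if not configured:
        return ("unset", None)
    if configured.lower() in headers:
        return ("ok", headers[configured.lower()][0])
    for original, _value in headers.values():
        if cgi_name(original) == configured.upper():
            return ("cgi-name", original)
    return ("absent", None)


# Constructed sample in the layout of the trace posted above; host names,
# client ids and addresses are placeholders.
SAMPLE_TRACE = """\
[0][constructed] - CLIENT: 1, REQUEST:
{GET /irj/portal HTTP/1.1
Host: portal.example:9800
Accept-Language: en-us
OB_USER: user1k1
X-Forwarded-For: 192.0.2.20
}
[0][constructed] - CLIENT: 1, REPLY:
{HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Length: 43
}
"""

if __name__ == "__main__":
    hdrs = request_headers(SAMPLE_TRACE)[0]
    for opts in ("{ume.configuration.active=true, Header=HTTP_OB_USER}",
                 "{ume.configuration.active=true, Header=OB_USER}"):
        print(opts, "->", check_header_option(module_options(opts), hdrs))
```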

Former Member
0 Kudos

Hello,

Actually, my login stack doesn't mention the header properly...

Thanks a lot for all your support.

Now I can log in with headervar but am not able to log off, so I am currently configuring that.

Regards,

Bhavin

0 Kudos

Hi,

Actually you can't, as any time you log off, you are immediately authenticated again (by the gw in front of the portal). What can be done is to use the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm">logoff URL</a>.

BTW: if your problem is solved, please set the status of the message accordingly. Thanks.

regards,

Patrick