02-06-2007 10:56 AM
I am trying to log in to NetWeaver SAP EP (SP 9) using a header variable, but it shows authentication failed.
I have downloaded the SAP NetWeaver Java trial version and installed it.
Actually we have our own security provider (Oracle Access Manager) and we want users to be able to authenticate to SAP EP (SP 9) via Oracle Access Manager.
I have an Apache web server on a Linux machine, and I have configured a reverse proxy such that every request that comes for /irj goes to the SAP EP portal, which is installed on a Windows machine.
I have also made a header variable login module and added it to the ticket login module stack.
When I try to access /irj via the proxy server, I fail to log in to SAP EP.
Please help me with this issue...
Does anybody have the exact steps to configure external authentication by header variable for SAP NetWeaver EP?
02-06-2007 11:14 AM
Here is my authscheme.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Configuration File for Authentication Schemes -->
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/authschemes.xml#4 $ from $DateTime: 2004/01/20 17:27:21 $ ($Change: 14181 $) -->
<document>
  <authschemes>
    <!-- authschemes, the name of the node is used -->
    <authscheme name="uidpwdlogon">
      <!-- multiple login modules can be defined -->
      <authentication-template>
        ticket
      </authentication-template>
      <priority>20</priority>
      <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
      <frontendtype>2</frontendtype>
      <!-- target object -->
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="certlogon">
      <authentication-template>
        client_cert
      </authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="basicauthentication">
      <authentication-template>
        ticket
      </authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
    </authscheme>
    <authscheme name="header">
      <authentication-template>
        header
      </authentication-template>
      <priority>5</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
    </authscheme>
    <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
    <authscheme name="anonymous">
      <priority>-1</priority>
    </authscheme>
  </authschemes>
  <!-- References for Authentication Schemes, this section must be after authschemes -->
  <authscheme-refs>
    <authscheme-ref name="default">
      <authscheme>header</authscheme>
    </authscheme-ref>
    <authscheme-ref name="UserAdminScheme">
      <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
  </authscheme-refs>
</document>
And here is my security.log:
#1.5#0002E3527F2500610000016700001E88000428C770FF5740#1170736966108#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
#1.5#0002E3527F2500520000046700001E88000428C77100C378#1170736966202#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500520000046800001E88000428C77101136B#1170736966233#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500520000046900001E88000428C771011865#1170736966233#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
#1.5#0002E3527F2500620000006200001E88000428C7739E351B#1170737010076#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_14##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500620000006300001E88000428C7739EA7B8#1170737010107#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [12affffffacffffffbe001641]####SAPEngine_Application_Thread[impl:3]_14##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.MODIFY | UACC.PRIVATE_DATASOURCE.un:user1k1 | | SET_ATTRIBUTE: lockreason=[1], SET_ATTRIBUTE: islocked=[true]#
#1.5#0002E3527F2500620000006400001E88000428C7739EB50F#1170737010107#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_14##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500620000006500001E88000428C7739EBA15#1170737010107#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_14##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
#1.5#0002E3527F250060000000A500001E88000428CCCEC5963D#1170760014289#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#Administrator#27965#####SAPEngine_Application_Thread[impl:3]_12##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.OK
User: Administrator
Authentication Stack: SAP-J2EE-Engine
Login Module Flag Initialize Login Commit Abort Details
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok true true
Central Checks true #
I have configured the ticket login module stack like this:
Evaluateticketloginmodule
Headervarlogin module
create ticket login module
basicpasswordloginmodule
createticket login module.
Please help me as soon as possible.
02-06-2007 11:23 AM
Hi,
The documentation for the header login module is here:
http://help.sap.com/saphelp_nw2004s/helpdata/en/d0/a3d940c2653126e10000000a1550b0/content.htm
Double check that the login module is registered correctly in the user store. Hope this helps.
Regards,
Yonko
02-06-2007 2:27 PM
Hi,
The following error message indicates that you did not configure the headervar login module correctly:
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED
Cannot load login module class.
Please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/68/5ddc40132a8531e10000000a1550b0/frameset.htm">docs for the module</a>. I would guess that you did not add the module to the Security Provider Service (as stated in the prerequisites part).
Regards,
Patrick
02-07-2007 4:41 AM
Hi ,
I have already added the header variable login module to the Security Provider service by doing the following:
-
a. In the Visual Administrator, choose Security Provider.
b. Choose the User Management tab and choose Manage Security Stores.
The currently active user store and the login modules for that user store are displayed.
c. Choose Add Login Module.
A dialog box prompting you to choose an editor for the login module option appears.
d. Choose OK.
A dialog box prompting you to add a login module appears.
e. Fill in the fields as follows:
Class Name
com.sap.security.core.server
.jaas.HeaderVariableLoginModule
Display Name
HeaderVariableLoginModule
f. Choose OK.
The HeaderVariableLoginModule now appears in the list of login modules for the active user store.
-
I have also added the header variable login module to the existing ticket login module stack as follows:
-
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=OB_USER}
com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
-
I also tried with different flags (i.e. REQUISITE, OPTIONAL).
But in the security log I can see [userid=null], which means it is not fetching the header variable which I pass.
Please help me with this.
02-07-2007 8:22 AM
Hi,
Is the following error message gone:
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUIRED Cannot load login module class.
?
BTW: which trial version did you download? To my knowledge, there is no EP6 SP9 download.
Regards,
Patrick
02-07-2007 11:56 AM
My security logs are as follows:
#1.5#0002E3527F2500520000057800001E88000428E09707D2C5#1170844978393#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
#1.5#0002E3527F2500610000025100001E88000428E1955F504D#1170849245452#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUISITE Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500610000025200001E88000428E1955FA709#1170849245467#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [12affffffacffffffbe001d16]####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.MODIFY | UACC.PRIVATE_DATASOURCE.un:user1k1 | | SET_ATTRIBUTE: islocked=[true], SET_ATTRIBUTE: lockreason=[1]#
#1.5#0002E3527F2500610000025300001E88000428E1955FB465#1170849245467#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUISITE Cannot load login module class.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500610000025400001E88000428E1955FB97F#1170849245467#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
I have downloaded SAP NetWeaver 04s SP9.
The download link is: https://www.sdn.sap.com/irj/sdn/downloaditem?rid=/library/uuid/cfc19866-0401-0010-35b2-dc8158247fb6
02-08-2007 7:37 AM
Hi,
The very same error is still in there:
com.sap.security.core.server .jaas.HeaderVariableLoginModule REQUISITE <b>Cannot load login module class.</b>
As long as this is not fixed, the login will not work.
Please remove and add the module to the security service and then to the logon stack again. Maybe there is a typo.
Regards,
Patrick
02-08-2007 9:56 AM
Hi ,
I have removed and added the header var login module again and also added it to the ticket login stack,
but I am still not able to log in to EP via the proxy.
My security log is now:
#1.5#0002E3527F2500610000030B00001E88000428F328C21163#1170924732633#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500610000030C00001E88000428F328C21665#1170924732633#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_11##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
I can see userid=null here.
Can you please tell me why it comes as null, and why the header is not fetched correctly by the headervar module?
I have added the headervar login module to the ticket login module stack like this:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=HTTP_OB_USER}
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
Regards,
Bhavin
02-08-2007 10:24 AM
So the first issue is now fixed, as the module now loads.
Can you make an HTTP trace and show what the request header looks like for the system?
Info on <a href="http://educontent.wdf.sap.corp:1080/teched05/powerpoints/AGS200.pdf">how to trace</a> can be found in the docs.
Regards,
Patrick
02-09-2007 6:07 AM
Hi ,
The link you mentioned is not working; I mean I am unable to access this link. Can you please check the link you mentioned?
Actually we are passing the header name "OB_USER" to the HeaderVar login module.
I have enabled Perl and found the HTTP request headers below:
SCRIPT_NAME = /cgi-bin/printenv.pl
SERVER_NAME = ps3853
SERVER_ADMIN = you@example.com
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_CONNECTION = Keep-Alive
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, /
SCRIPT_FILENAME = /home/qa/bhavin/apache2_0_5/htdocs/cgi-bin/printenv.pl
SERVER_SOFTWARE = Apache/2.0.52 (Unix)
REMOTE_USER = user1k1
QUERY_STRING =
REMOTE_PORT = 1626
<b>HTTP_OB_USER</b> = user1k1
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.0.3705; InfoPath.1)
SERVER_PORT = 9800
SERVER_SIGNATURE = Apache/2.0.52 (Unix) Server at ps3853 Port 9800
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_COOKIE = ObSSOCookie=9kneq84pVCglFjYZuU7D%2FxX9D%2Fh8e7DGvbuzBZ9rWDnAQ%2B1vsU9%2FKqRFYlvRwLRzXvLrFo%2F3bCIXNkTr%2BXVHJUzGFHTOUEeJvyEFhv%2Fo7NgppwwQEMLgNDlzcsFIVndM5QfSQieFAGWOJ3ZoRyZJzo%2F3YHYFu1rRioAX481cltxW%2BFO7idvIOaoP%2BdFsgC9zKPuuPAI9QIKN5s9ckhY5veUoGm0GKY5LRwS7vgvs62sNBKEyOgHfyhpqxWczGGITAnjp%2BTSj%2F4n%2BpSa4th2ENwiJfuj3ixQA3CuIBJXTNQXNWWI2GD%2B%2BNnk4Is7MrsUkPM1iU5jrmmssWY7W3GxRFLup7V5qP3JPzaAN7jcF8h317SLipdYzk%2FfenpHnu6x8r0DTRsRUP8INncrIJIoCZCnPKJ1oL%2FONSk8hJd1K2nO6c8jtWCZUFE0JfJFGLNF%2FmJXt0hRvhEaw5WcEcjFXnAC8Gb65p%2FRPNWx5NNDC1PDCivRTdaWysXeXU8n9TFBIfE%2BctHA%2FwZRXem%2B3h%2Fmf7g%3D%3D; OBBasicAuth=fromCache; saplb_*=(J2EE19573900)19573950; PortalAlias=portal; JSESSIONID=(J2EE19573900)ID0896868050DB01672514996077683785End
REMOTE_ADDR = 10.77.199.162
SERVER_PROTOCOL = HTTP/1.1
PATH = /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/qa/bin
REQUEST_URI = /cgi-bin/printenv.pl
GATEWAY_INTERFACE = CGI/1.1
SERVER_ADDR = 10.77.199.64
DOCUMENT_ROOT = /home/qa/bhavin/apache2_0_5/htdocs
HTTP_HOST = ps3853:9800
Here you can find HTTP_OB_USER = user1k1, which is the user to authenticate, but in the security log I can see userid=null.
I am not sure whether this is the HTTP trace that you want. If not, then please help me to make a trace of the HTTP request.
Regards,
Bhavin
02-09-2007 7:48 AM
Hi,
Sorry, I did add the wrong link, but this wasn't the error anyway. Your logon stack config is wrong.
It should read:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT
com.sap.security.core.server.jaas.HeaderVariableLoginModule OPTIONAL
com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL
Please see <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/68/5ddc40132a8531e10000000a1550b0/frameset.htm">the docs for header based authentication</a> for details.
Regards,
Patrick
Message was edited by:
Patrick Hildenbrand
02-09-2007 9:02 AM
Hi, I have configured my login module as you said:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT
com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL
But I am still facing a problem logging in.
My security log is now:
#1.5#0002E3527F250058000007E400001E880004290761926384#1171011585104#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false
com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F250058000007E500001E880004290761926846#1171011585104#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_10##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
Regards,
Bhavin
02-09-2007 9:20 AM
Are you able to use password-based authentication to log on as user1k1?
regards,
Patrick
02-09-2007 11:12 AM
Actually we have the user user1k1 on SAP EP and also on our Directory Server.
We have our back-end database on the Directory Server,
which has the username: user1k1,
and the SAP EP user manager also has the user: user1k1.
I have a web server on a Linux machine and have also configured the proxy setup for SAP EP,
i.e. if I access the /irj resource through the proxy server it shows me the SAP EP logon page, and SAP EP resides on a different machine.
This should be the ideal situation:
We have our product, which authenticates and authorizes the users. When I access the /irj resource through the proxy server, our product asks for credentials and, for a valid user, will send the header (OB_USER), and the SAP EP header variable login module should read the header and authenticate the user.
But when I access the /irj resource through the proxy server, I am not able to log in to SAP EP with our user. It shows authentication denied, even when I provide credentials which reside in SAP EP.
I am only able to log in with the user by accessing the URL directly, not through the proxy server.
Regards,
Bhavin
02-09-2007 3:23 PM
Please first try to get the basic authentication working over the proxy. If this does not work, there might be an issue with the proxy config. Based on the logon stack, you should be able to at least use form-based authentication over the proxy.
regards,
Patrick
02-13-2007 5:51 AM
Hello,
I tried to access the portal resource /irj via the proxy server, but I get the portal login screen with user authentication failed.
Then I tried to give the username user1k1 and password on the failed login page. It allows me to go into the portal.
This is my log:
#1.5#0002E3527F25005800000A3F00001E88000429551CBB937E#1171345437742#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#user1k1#86466#####SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.OK
User: user1k1
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
com.sap.security.core.server.jaas.HeaderVariableLoginModule SUFFICIENT ok false false
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false false
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
Central Checks true #
#1.5#0002E3527F25005800000A4000001E88000429551CBB96B8#1171345437742#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#user1k1#86466#####SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###user1k1 | LOGIN.OK | USER.PRIVATE_DATASOURCE.un:user1k1 | | IP Address=[10.77.199.64]#
<b>One thing is that when our Directory Server username and password are the same as the Portal user store username and password, then when I try to access /irj via the proxy it directly allows me to go into the portal without popping up the portal's login.</b>
So it means the proxy is not a problem.
So can you please give me some more suggestions to solve the issue?
Regards,
Bhavin
02-13-2007 7:28 AM
Hi,
Per your last message, your logon stack is wrong again; it should read:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT
com.sap.security.core.server.jaas.HeaderVariableLoginModule <b>OPTIONAL</b>
com.sap.security.core.server.jaas.CreateTicketLoginModule <b>SUFFICIENT</b>
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL
regards,
Patrick
Message was edited by:
Patrick Hildenbrand
02-13-2007 8:17 AM
Hello,
I have tried with the login stack you suggested, but I failed to log in.
I don't think this is an issue with the login stack.
Here is my log. In it the login id=null; I can't understand why this is setting the userid to null though I am sending you the header variable.
#1.5#0002E3527F2500520000085D00001E8800042957353D81CF#1171354438850#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE ok false false
com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true #
#1.5#0002E3527F2500520000085E00001E8800042957353D86F4#1171354438850#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0#####SAPEngine_Application_Thread[impl:3]_8##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.77.199.64], Reason=[Authentication did not succeed.]#
Regards,
Bhavin
02-13-2007 8:36 AM
Hi,
The HeaderLogin module does not detect your header. Thus it will not set the user in the shared space and the BasicPassword module was called; as you did not enter a password or did enter the wrong one, the user was NULL in the end.
Please enable tracing on the J2EE engine to look at how the header var looks to the J2EE engine. You can find the docs on how to enable this under <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/8e/af3442d692ae04e10000000a1550b0/frameset.htm">Enabling HTTP Traces</a> in the docs.
BTW: seems I mixed up the stack now myself. The right config for the HeaderVariableLoginModule should be
HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, windows_integrated=false, Header=HTTP_OB_USER}
In the configuration from me above, you will not see a password-based logon screen.
Regards,
Patrick
02-13-2007 12:35 PM
Hello ,
I have enabled HTTP trace for the header.
This is my HTTP trace:
[1171364112305][Feb 13, 2007 4:25:12 PM ] - CLIENT: 339712, REQUEST:
{GET /irj/portalapps/com.sap.portal.runtime.logon/layout/sapLogo.gif HTTP/1.1
Host: ps3853:9800
Accept: /
Referer: http://ps3853:9800/irj/portal
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.0.3705; InfoPath.1)
Cookie: ObSSOCookie=B%2FqlQgNoRP9KU2PyHsmioq%2BgeW1w8qQvKJSGF9lkFB0ZS%2BKkg%2FEiwT3QhiHZe%2BpjT%2FjCbi7zaF8o9fJf6IVFR%2Fd0KkV6Idzc2%2F7xO%2FRTnBB3TqjHM6tkot5QHl7WL3rAlKchvp7IBUxAoi25pL8UOWrzIQt5mFE6feeM%2Bw5Bmr%2FoYcLPhJ%2FP9tR6ocK%2BEU0bO0f7XMgz%2FmwIoLZtTM8JQ9ArJ19bEP2G712l5JkyG7OVB1%2B2fGirU4YzwfNy7vK1YkibixHQoMh%2BJ8jKLpTMCGJBAvVnazUjaOGpULx9ChicpBJwT%2BJ2ck9EH0IpYSZtuHKmBJ9SqP%2F6zcMa7k8VM8frFFt8htkIIs9uMcOnIfcDjiu7rjD1s%2BW1tavo6wLPBfCAlLEt1wmAyvTFLXR0ho3B7VqaYdCcGhQyPeaPTG1e6epTtnuMwX7JXpfhoBqDhz4maqn4LnJr%2FcvPXzPNN8RWiXmHtiLuHfbhtX6Se7goh79dbarjOLpbLgqMlaChynuWUZaa24%2Fuuyo7qByngA%3D%3D; OBBasicAuth=fromCache; saplb_*=(J2EE19573900)19573950; PortalAlias=portal; JSESSIONID=(J2EE19573900)ID1169086150DB00938859532017568428End
Authorization: Basic dXNlcjFrMTpvYmxpeDM0NQ==
<b>OB_USER</b>: user1k1
Max-Forwards: 10
X-Forwarded-For: 10.77.199.162
X-Forwarded-Host: ps3853:9800
X-Forwarded-Server: ps3853.persistent.co.in
}
[1171364112305][Feb 13, 2007 4:25:12 PM ] - CLIENT: 340480, REPLY:
{HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Type: image/gif
Last-Modified: Fri, 02 Feb 2007 07:21:57 GMT
Cache-Control: max-age=86400
Content-Length: 43
Date: Tue, 13 Feb 2007 10:55:12 GMT
}
[1171364112305][Feb 13, 2007 4:25:12 PM ] - CLIENT: 340480, RESPONSE TIME: 0
[1171364112320][Feb 13, 2007 4:25:12 PM ] - CLIENT: 339712, REPLY:
{HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Type: image/gif
Last-Modified: Fri, 02 Feb 2007 07:59:00 GMT
Cache-Control: max-age=86400
Content-Length: 1426
Date: Tue, 13 Feb 2007 10:55:12 GMT
}
[1171364112320][Feb 13, 2007 4:25:12 PM ] - CLIENT: 339712, RESPONSE TIME: 15
Here I can see the header variable OB_USER (in bold), which is sent to SAP EP.
Can you please analyse the trace and tell me where I am wrong?
Regards,
Bhavin
02-13-2007 1:04 PM
Hmm,
Above you stated the header is HTTP_OB_USER, not OB_USER as the trace shows.
> Can you please tell me why it comes as null, and why the header is not fetched correctly by the headervar module?
>
> I have added the headervar login module to the ticket login module stack like this:
>
> com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
> com.sap.security.core.server.jaas.HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=HTTP_OB_USER}
> com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
> BasicPasswordLoginModule REQUISITE {}
> com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
>
>
>Regards,
>Bhavin
regards,
Patrick
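The two replies above (the header module ignores a request whose headers do not match the configured Header option, and the configured name HTTP_OB_USER is not the OB_USER header seen in the trace) can be reproduced with a small model; this is an added example, not part of the original thread and not SAP's code. It assumes standard JAAS control-flag rules and module behaviour inferred from the security.log tables in the thread; all function names, the password and the request are constructed for illustration.

```python
# Simplified model of the "ticket" logon stack discussed in the thread.
# Assumption: the Login column in security.log maps to false = module ignored,
# true = module succeeded, exception = module failed (standard JAAS meaning).
IGNORED, OK, FAILED = "false", "true", "exception"
USERS = {"user1k1": "constructed-password"}  # constructed user store


def evaluate_ticket(req, shared, opts):
    # Succeeds only when the request already carries a valid logon ticket.
    if req.get("ticket_user"):
        shared["user"] = req["ticket_user"]
        return OK
    return IGNORED


def header_variable(req, shared, opts):
    # Looks up the header named in the Header option (names are case-insensitive).
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    user = headers.get(opts["Header"].lower())
    if user:
        shared["user"] = user
        return OK
    return IGNORED


def create_ticket(req, shared, opts):
    # Issues a ticket only if an earlier module put a user into shared state.
    return OK if "user" in shared else IGNORED


def basic_password(req, shared, opts):
    user, password = req.get("credentials", (None, None))
    if user is not None and USERS.get(user) == password:
        shared["user"] = user
        return OK
    return FAILED


def run_stack(stack, req):
    """Apply JAAS control-flag rules; return (result, user, trace)."""
    shared, trace = {}, []
    success, required_failed = False, False
    for module, flag, opts in stack:
        outcome = module(req, shared, opts)
        trace.append((module.__name__, flag, outcome))
        if outcome == OK:
            success = True
            if flag == "SUFFICIENT" and not required_failed:
                break  # SUFFICIENT success ends the stack immediately
        elif outcome == FAILED:
            if flag in ("REQUIRED", "REQUISITE"):
                required_failed = True
            if flag == "REQUISITE":
                break  # REQUISITE failure aborts the stack
    if required_failed or not success:
        return "LOGIN.FAILED", None, trace
    return "LOGIN.OK", shared.get("user"), trace


def cgi_env_name(header):
    """Name a CGI script such as printenv.pl shows for a request header (RFC 3875)."""
    return "HTTP_" + header.upper().replace("-", "_")


def diagnose_header_option(configured, req):
    """Say why the configured Header option does or does not match the request."""
    names = list(req.get("headers", {}))
    if configured.lower() in (n.lower() for n in names):
        return "header present"
    for name in names:
        if cgi_env_name(name) == configured.upper():
            return "configured CGI name; header on the wire is " + name
    return "header absent"


def ticket_stack(header_name):
    # Flags as in the stack recommended in the thread; only Header varies.
    return [
        (evaluate_ticket, "SUFFICIENT", {}),
        (header_variable, "OPTIONAL", {"Header": header_name}),
        (create_ticket, "SUFFICIENT", {}),
        (basic_password, "REQUISITE", {}),
        (create_ticket, "OPTIONAL", {}),
    ]


# Constructed request shaped like the HTTP trace above (the proxy adds OB_USER).
PROXIED = {"headers": {"Host": "ps3853:9800", "OB_USER": "user1k1"}}

if __name__ == "__main__":
    for name in ("HTTP_OB_USER", "OB_USER"):
        result, user, trace = run_stack(ticket_stack(name), PROXIED)
        print(name, "->", result, user, "|", diagnose_header_option(name, PROXIED))
        for row in trace:
            print("   ", *row)
```

With Header=HTTP_OB_USER the trace rows match the failing log tables in the thread (false, false, false, exception); with Header=OB_USER the stack ends at the first CreateTicketLoginModule and the password module is never reached.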
02-14-2007 5:27 AM
hello,
Actually my login stack doesn't mention the header properly...
Thanks a lot for all your support.
Now I can log in with headervar but am not able to log off, so I am currently configuring it.
Regards,
Bhavin
02-14-2007 7:15 AM
hi,
Actually you can't, as any time you log off, you are immediately authenticated again (by the gw in front of the portal). What can be done is using the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm">logoff URL</a>.
BTW: if your problem is solved, please set the status of the message accordingly. Thanks.
regards,
Patrick