02-04-2013 4:18 PM
Hi experts,
I patched my Java system, on which I had configured SSO with SPNEGO. The PDF instructions for SPNEGO say that, before patching the system, I have to undeploy the SPNEGO component, but... I did not do it, and now SSO does not work.
Can anyone help me? I tried to undeploy and deploy again, but I still have the same problem.
I checked with the diagtool and this appears:
Unsupported callback.
[EXCEPTION]
javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:118)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:812)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:808)
at com.sap.engine.services.security.login.FastLoginContext.notifyAuthState(FastLoginContext.java:537)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:247)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:331)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.legacy.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:207)
at com.sap.security.core.server.jaas.spnego.legacy.util.ConfigurationHelper.access$000(ConfigurationHelper.java:30)
at com.sap.security.core.server.jaas.spnego.legacy.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:302)
No authenticated user found.
16:53:12:554 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
16:53:12:555 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~engine.services.security.authentication Exception : Cannot authenticate the user.
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:163)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:187)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:331)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:206)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java
getLoggedInUser(request, response)
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:187)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:331)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:206)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
If I activate com.sap.security.spnego.legacy = true, it works for one day...
Any idea?
Thanks in advance,
Regards,
02-04-2013 7:11 PM
Share the exact versions of your portal prior to patching and after the patching. Also send the traces as attachments, not embedded in the message.
02-05-2013 12:33 PM
From SPS07 to SPS12.
After the patch, SPNEGO does not work.
Regards,
02-06-2013 10:53 AM
I attach the logs of diagtools --> https://www.dropbox.com/s/ujfckx52trc749k/diagtool_130206_112136.zip
Thanks in advance,
Regards,
02-06-2013 5:47 PM
From the traces you have provided:
No supported mechanism found. Supported mechanisms are Kerberos V5 and Kerberos V5 Legacy
and
No supported mechanism found
The patching has introduced the new SPNEGO implementation, which is included in SP08 of NW701. In the new implementation, DES encryption is used by default. It has to be supported by both the client (SPNEGO) and the server (AD). If you are unable to use DES, and since AES is not supported in SPNEGO, you will have to reconfigure your encryption keys so that RC4-HMAC will be used. See chapter 8 of the document in SAP note 1488409 on how to proceed. I would strongly advise enabling DES, however. See the attached links for more details.
https://service.sap.com/sap/support/notes/1488409
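An added example, not part of the reply above and not SAP code: a small Python audit that lists which encryption types a service keytab actually holds, so a mismatch like the one described can be spotted before redeploying. It assumes the keys are kept in an MIT-format keytab (version 0x0502); the SPN, realm, zeroed keys and the `USABLE` set (taken from the reply's statement about DES, RC4-HMAC and AES) are constructed for illustration.

```python
import struct

# Kerberos enctype numbers relevant to this thread.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Assumption taken from the reply above: DES and RC4-HMAC are usable, AES is not.
USABLE = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

def counted(buf, pos):  # 16-bit length-prefixed string -> (bytes, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_etypes(buf):
    """Return [(principal, kvno, enctype name)] from a version 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(buf, p)
            comps.append(c.decode())
        p += 8                        # skip name type and timestamp
        kvno = buf[p]
        etype, klen = struct.unpack_from(">HH", buf, p + 1)
        p += 5 + klen
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", buf, p)
        name = "/".join(comps) + "@" + realm.decode()
        out.append((name, kvno, ETYPES.get(etype, f"etype-{etype}")))
        pos = end
    return out

def usable_entries(entries):  # entries whose enctype is in the assumed USABLE set
    return [e for e in entries if e[2] in USABLE]

def sample_entry(principal, realm, etype, key, kvno=2):  # constructed, no real keys
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in principal.split("/")]
    body = (struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(map(s, comps))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES256 key and one RC4-HMAC key for a hypothetical SPN.
SAMPLE = (b"\x05\x02" + sample_entry("HTTP/portal.example.com", "EXAMPLE.COM", 18, bytes(32))
          + sample_entry("HTTP/portal.example.com", "EXAMPLE.COM", 23, bytes(16)))
```

An empty result from `usable_entries(keytab_etypes(data))` means the keytab holds no key of a type both sides can negotiate.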
02-07-2013 10:23 AM
Thanks, I know these notes and the support from Microsoft.
I have enabled DES encryption on all machines with Windows 7... What could be the problem?
Yesterday it worked fine (with legacy activated), and today there are two people for whom it doesn't work... why?
Thanks in advance,
Regards,
02-07-2013 2:44 PM
Do these two persons use different OSs or browsers than the users for which it works? Did it work for these two persons before? More than two days ago?
About the Legacy option. The SAP documentation says that the Legacy option should be used only temporarily; it is not a permanent solution. I would make SSO work without it. There shouldn't be any issues having a fully DES based SSO in place with the new SPNEGO and recent OSs both on the portal server and on the clients accessing the portal server.
Apart from reconfiguring the encryption keys, I'm out of ideas. You might have missed something in the configuration.
02-08-2013 12:20 PM
For this person it sometimes works and sometimes does not... for example, yesterday it did not work for them and today it works...
If I remove the legacy setting, it does not work for anybody...
Thanks in advance,
Regards,