on 04-29-2013 4:40 PM
Hi All,
I am trying to configure SSO between Microsoft Active Directory 2008 and SAP JAVA 7.31 on Windows 2008 Server.
Now we are trying to generate keytab file using Microsoft Windows KDC:
>ktpass -princ host/javahost.mydomain.com@MYDOMAIN.COM -pass ******* -out C:\krb5.keytab -mapUser newuser +DesOnly -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
After that we moved the file krb5.keytab to the "JAVAHOST" system and used the ktab command to add the SPN to the default keytab file. We created the krb5.ini file, copied it to the c:\winnt\ location and executed the command below as the SIDadm user.
>ktab.exe -a HTTP/javahost.mydomain.com@MYDOMAIN.COM ******* -k c:\winnt\krb5.keytab
Done!
Service key for HTTP/javahost.mydomain.com@MYDOMAIN.COM is saved in c:\winnt\krb5.keytab.
But when we check the klist command it shows the below output:
>C:\winnt>klist
Current LogonId is 0:0x1737b1
Cached Tickets: (0)
C:\winnt>ktab
No default key table exists.
Please let us know where I am making a mistake.
Thanks in Advance,
Regards,
Jithin
Is there a reason why you are not using the SPNEGO Wizard for creating the encryption key? You will have to specify the path to the keytab when using klist and ktab.
Hi,
After your reply we only tried configuring SSO using SPNEGO.
I am following PDF attached to SAP note 1488409. We configured according to the document, but our SSO is not working.
Please let us know where we are making a mistake; I am posting the steps I followed.
1. Created administrator user user1, disabled "Use Kerberos DES encryption type for this Account" and checked the "Password never expire" option
2. setspn -a HTTP/javahost.mydomain.com user1
3. Logged into javahost:port/nwa
4. Configuration --> SPNEGO --> Add --> Manually --> Realm Name: MYDOMAIN.COM --> Next --> Principal Name: user1, Password: ******** --> Next --> Selected all 4 keys --> Mapping Mode: Principal@REALM, Source: User Attribute, User Attribute: email (as the email id is maintained properly in the JAVA user database)
5. Generated Keytab file in Domain server:
ktab -a user1@MYDOMAIN.COM -k keytab
6. Imported the keytab into the JAVA system :
Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.
7. Activate the REALM.
8. Adjusted the authentication stack:
EvaluateTicketLoginModule SUFFICIENT
SPNegoLoginModule OPTIONAL
CreateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUIRED
CreateTicketLoginModule REQUIRED
-->Save.
9. Did the settings in the browser, but SSO is not working.
Please let me know, if I have missed any steps.
Thanks in Advance.
Jitin M.
Use the diagtool to create a trace which you should then provide as an attachment, not embedded in the body of the message. See SAP note 958107 for details.
https://service.sap.com/sap/support/notes/958107
In the past the most common reasons for SPNEGO not working are failures to authenticate to KDC, incompatibility of the encryption keys or conflicting key versions.
Dear Samuli,
I have tried to run the diagnostic tool, which is downloaded from SAP note 957666. While executing the diagnostic tool it gives the error message "D:\usr\sap\SA4\J00\j2ee\configtool/../cluster/server0/version.txt does not exist". We are using SAP NetWeaver 7.3 EHP1. There is no such file in the above mentioned location.
I have activated the trace from "http://<hostname>:<port>/nwa/ --> Troubleshooting --> Logs and traces --> Security Troubleshooting Wizard". It gives the error below
Regards,
Jithin
That is not an error but later in the trace you provided, you can find the following:
Encryption key selected to decrypt the Kerberos token: SPNEGOKey: code = 23, type = rc4-hmac
Checksum error! checksum: 0x7b84167a411977b06a4eaafab838a99e; calculated checksum: 0x6d99a0d41eacccd8a42e4bf79731cdee
Could not validate SPNEGO token.
In other words the generated key is wrong or the keytab has been corrupted.
Dear Samuli,
I have generated the keytab again, and while selecting the key I unchecked the RC4-HMAC encryption. Now there is no error but SSO is not working. I am attaching the trace file for your reference. (Download the file, remove the .txt extension.)
Also is it compulsory to configure LDAP?
Thanks,
Jithin
Are all the prerequisites met for Windows Integrated authentication to work? Can you check that there are no certificates in your browser which might interfere with SPNEGO? Theoretically it is possible to configure SPNEGO without having an LDAP user data source (at least in Legacy mode), but it is not recommended and additional configuration is required. See the attached link for details.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/75dd57d1653659e10000000a42189b/frameset.htm
Hi,
We are using Windows Server 2008 R2 Standard for the domain server, Red Hat 6.1 for SAP NetWeaver 7.3 EHP1 (Java stack) and Windows XP as the client. I am following the PDF attached to SAP note 1488409.
The trace result shows a warning: NTLM token found in authorization header during SPNEGO authentication.
Please find the attached trace file,
Regards,
Jithin m
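A way to check which kind of token the browser is actually sending, as an added Python example (it is not code from this thread or from SAP): it decodes the value of the Authorization header and tells an NTLM message apart from a SPNEGO or raw Kerberos GSS token by its leading bytes, which is the same distinction behind the "NTLM token found in authorization header" warning. The sample header values are constructed here, not captured from any system.

```python
import base64
import binascii

# NTLM messages (NTLMSSP Type 1/2/3) always begin with this 8-byte signature.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that follow the GSS-API APPLICATION 0 (0x60) tag:
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _skip_der_length(buf: bytes) -> bytes:
    """Drop a DER length field (short or long form) and return what follows it."""
    if not buf:
        return b""
    first = buf[0]
    if first < 0x80:                 # short form: one byte holds the length
        return buf[1:]
    n = first & 0x7F                 # long form: next n bytes hold the length
    return buf[1 + n:]


def classify_negotiate_token(header_value: str) -> str:
    """Return 'ntlm', 'spnego', 'krb5', 'empty' or 'unknown' for an Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    token = token.strip()
    if not token:
        return "empty"               # first round trip: server sent 401 + WWW-Authenticate
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # GSS-API InitialContextToken: 0x60, DER length, mechanism OID, mechanism token
    if raw[:1] == b"\x60":
        body = _skip_der_length(raw[1:])
        if body.startswith(SPNEGO_OID_DER):
            return "spnego"
        if body.startswith(KRB5_OID_DER):
            return "krb5"
    return "unknown"


def _negotiate_header(raw: bytes) -> str:
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (not captured from a real client); only the leading
# bytes matter for classification, the rest is filler.
_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(24)
_SPNEGO_BODY = SPNEGO_OID_DER + b"\xa0\x03\x30\x01\x00"
_SPNEGO_TOKEN = b"\x60" + bytes([len(_SPNEGO_BODY)]) + _SPNEGO_BODY
_KRB5_BODY = KRB5_OID_DER + b"\x01\x00"                   # TOK_ID 0x0100 = KRB_AP_REQ
_KRB5_TOKEN = b"\x60" + bytes([len(_KRB5_BODY)]) + _KRB5_BODY
SAMPLE_HEADERS = {
    "ntlm": _negotiate_header(_NTLM_TYPE1),
    "spnego": _negotiate_header(_SPNEGO_TOKEN),
    "krb5": _negotiate_header(_KRB5_TOKEN),
    "empty": "Negotiate",
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:7s} -> {classify_negotiate_token(header)}")
```

Because the NTLM signature is fixed, an NTLM token inside a Negotiate header always base64-encodes to a value starting with "TlRMTVNTUAAB", which is quick to spot in an HTTP trace. A browser falls back to NTLM when it does not treat the site as one it may do Kerberos against (intranet/trusted zone settings) or cannot obtain a ticket for the HTTP/ SPN, so this finding points at the client side and the SPN registration rather than at the server's keytab.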
Hi Jithin,
I am following the same steps as below (except the 4th step):
1. Created administrator user user1, disabled "Use Kerberos DES encryption type for this Account" and checked the "Password never expire" option
2. setspn -a HTTP/javahost.mydomain.com user1
3. Logged into javahost:port/nwa
4. Configuration --> SPNEGO --> Add --> Manually --> Realm Name: MYDOMAIN.COM --> Next --> Principal Name: user1, Password: ******** --> Next --> Selected all 4 keys --> Mapping Mode: Principal@REALM, Source: User Attribute, User Attribute: email (as the email id is maintained properly in the JAVA user database)
5. Generated Keytab file in Domain server:
ktab -a user1@MYDOMAIN.COM -k keytab
6. Imported the keytab into the JAVA system :
Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.
7. Activate the REALM.
8. Adjusted the authentication stack:
EvaluateTicketLoginModule SUFFICIENT
SPNegoLoginModule OPTIONAL
CreateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUIRED
CreateTicketLoginModule REQUIRED
-->Save.
9. Did the settings in the browser, but SSO is not working.
I am getting an error "No key (etype: 18) for realm". Can you help me out?
Are the steps above right?
Regards
G.Partheeban
Hello Jithin,
Go to the properties of User1, add HTTP/Servername (fully qualified domain name) in ServicePrincipalName, and go to http://localhost:51000/nwa
Go to Authentication > Login Modules > SPNego, under usermapping select Principal@Realm and Source = Virtual User.
Kind Regards
Manna Das
Hello Jithin,
We also implemented SSO a few days back; in the screenshot below you can see that for Principal@Realm the Source Virtual User is mapped.
Moreover, you can check the links below; it will work when Mapping Mode is Principal@Realm with Source = Virtual User.
http://scn.sap.com/thread/3179320
http://scn.sap.com/thread/3240076
http://scn.sap.com/thread/3205345
Kind Regards
Manna Das