
SAP SSO Configuration - NW JAVA 7.31

former_member186228
Active Participant
0 Kudos

Hi All,

I am trying to configure SSO between Microsoft Active Directory 2008 and SAP JAVA 7.31 on Windows 2008 Server.

Now we are trying to generate a keytab file using the Microsoft Windows KDC:

>ktpass -princ host/javahost.mydomain.com@MYDOMAIN.COM -pass ******* -out C:\krb5.keytab -mapUser newuser +DesOnly -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL

After that we moved the file krb5.keytab to the "JAVAHOST" system and used the ktab command to add the SPN to a default keytab file. We created a krb5.ini file, copied it to the c:\winnt\ location and executed the command below as the SIDadm user.

>ktab.exe -a HTTP/javahost.mydomain.com@MYDOMAIN.COM ******* -k c:\winnt\krb5.keytab

Done!

Service key for HTTP/javahost.mydomain.com@MYDOMAIN.COM is saved in c:\winnt\krb5.keytab.

But when we run the klist command it shows the output below:

C:\winnt>klist

Current LogonId is 0:0x1737b1

Cached Tickets: (0)


C:\winnt>ktab

No default key table exists.

Please let us know where I am making a mistake.

Thanks in Advance,

Regards,

Jithin


Accepted Solutions (1)

Former Member
0 Kudos

Is there a reason why you are not using the SPNEGO Wizard for creating the encryption key? You will have to specify the path to the keytab when using klist and ktab.

former_member186228
Active Participant
0 Kudos

Hi,

After your reply we only tried configuring SSO using SPNEGO.

I am following PDF attached to SAP note 1488409. We configured according to the document, but our SSO is not working.

Please let us know where we are making a mistake; I am posting the steps I followed.

1. Created administrator user user1, disabled "Use Kerberos DES encryption types for this account" and checked the "Password never expires" option

2. setspn -a HTTP/javahost.mydomain.com user1

3. Logged into javahost:port/nwa

4. Configuration --> SPNEGO --> Add --> Manually --> Realm Name: MYDOMAIN.COM --> Next --> Principal Name: user1, Password: ******** --> Next --> Selected all 4 keys --> Mapping Mode: Principal@REALM, Source: User Attribute, User Attribute: email (as the email id is maintained properly in the JAVA user database)

5. Generated the keytab file on the domain server:

ktab -a user1@MYDOMAIN.COM -k keytab

6. Imported the keytab into the JAVA system :

http://javahost:port/spnego

Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.

7. Activate the REALM.

8. Adjusted the authentication stack:

EvaluateTicketLoginModule     SUFFICIENT

SPNegoLoginModule              OPTIONAL

CreateTicketLoginModule       SUFFICIENT

BasicPasswordLoginModule     REQUIRED

CreateTicketLoginModule       REQUIRED

-->Save.

9. Did the settings in the browser, but SSO is not working.

Please let me know, if I have missed any steps.

Thanks in Advance.

Jitin M.
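The login-module stack in step 8 (the same stack is repeated later in the thread by another poster) is evaluated with the standard JAAS control flags. The following is an added Python example, not code from the original post or from SAP, that implements the javax.security.auth.login.LoginContext flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) and runs the posted stack against hypothetical per-module outcomes. Those outcomes (for instance, that CreateTicketLoginModule fails when no earlier module authenticated a user) are assumptions chosen for illustration, not documented SAP behaviour.

```python
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


# The stack exactly as posted in step 8: (module name, control flag).
THREAD_STACK = [
    ("EvaluateTicketLoginModule", Flag.SUFFICIENT),
    ("SPNegoLoginModule", Flag.OPTIONAL),
    ("CreateTicketLoginModule", Flag.SUFFICIENT),
    ("BasicPasswordLoginModule", Flag.REQUIRED),
    ("CreateTicketLoginModule", Flag.REQUIRED),
]


def evaluate_stack(stack, outcomes):
    """Apply JAAS LoginContext flag semantics to a module stack.

    stack:    list of (module_name, Flag), evaluated top to bottom
    outcomes: list of bool parallel to stack, saying whether each module's
              login() would succeed (hypothetical inputs for this example)
    Returns (overall_success, names_of_modules_that_actually_ran).
    """
    ran = []
    required_seen = False     # a REQUIRED/REQUISITE module has been evaluated
    required_failed = False   # a REQUIRED/REQUISITE module failed
    non_required_ok = False   # some SUFFICIENT/OPTIONAL module succeeded
    for (name, flag), ok in zip(stack, outcomes):
        ran.append(name)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    return False, ran          # REQUISITE failure stops the stack
        elif flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                return True, ran               # SUFFICIENT success short-circuits
            non_required_ok = non_required_ok or ok
        else:  # OPTIONAL never decides on its own and never stops the stack
            non_required_ok = non_required_ok or ok
    if required_seen:
        return not required_failed, ran
    return non_required_ok, ran


# Hypothetical outcomes per module for three client situations (assumed).
SCENARIOS = {
    # Browser sends a valid Kerberos token: no logon ticket yet, SPNEGO
    # succeeds, CreateTicket issues the ticket, BasicPassword never runs.
    "kerberos_ok": [False, True, True, None, None],
    # Browser sends NTLM (SPNEGO fails); assume CreateTicket fails with no
    # authenticated user, so the stack falls through to the password prompt.
    "ntlm_then_password": [False, False, False, True, True],
    # Same fallthrough, but the user types a wrong password.
    "ntlm_wrong_password": [False, False, False, False, False],
}


def run_scenario(name):
    return evaluate_stack(THREAD_STACK, SCENARIOS[name])


if __name__ == "__main__":
    for scenario in SCENARIOS:
        success, ran = run_scenario(scenario)
        print(f"{scenario:22s} success={success} ran={ran}")
```

Under these assumptions a working Kerberos token never reaches BasicPasswordLoginModule, while an NTLM fallback silently turns the page into a password prompt, which is the symptom described as "SSO is not working" rather than an error.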

Former Member
0 Kudos

Use the diagtool to create a trace which you should then provide as an attachment, not embedded in the body of the message. See SAP note 958107 for details.

https://service.sap.com/sap/support/notes/958107

In the past the most common reasons for SPNEGO not working are failures to authenticate to KDC, incompatibility of the encryption keys or conflicting key versions.

former_member186228
Active Participant
0 Kudos

Dear Samuli,

I have tried to run the diagnostic tool, which I downloaded from SAP note 957666. While executing the diagnostic tool it gives the error message "D:\usr\sap\SA4\J00\j2ee\configtool/../cluster/server0/version.txt does not exist". We are using SAP NetWeaver 7.3 EHP1. There is no such file in the above-mentioned location.

I have activated the trace from "http://<hostname>:<port>/nwa/ --> Troubleshooting --> Logs and Traces --> Security Troubleshooting Wizard". It is giving the error below

Regards,

Jithin

Former Member
0 Kudos

That is not an error but later in the trace you provided, you can find the following:

Encryption key selected to decrypt the Kerberos token: SPNEGOKey: code = 23, type = rc4-hmac

Checksum error! checksum: 0x7b84167a411977b06a4eaafab838a99e; calculated checksum: 0x6d99a0d41eacccd8a42e4bf79731cdee

Could not validate SPNEGO token.

In other words the generated key is wrong or the keytab has been corrupted.

former_member186228
Active Participant
0 Kudos

Dear Samuli,

I have generated the keytab again, and while selecting keys I unchecked the RC4-HMAC encryption. Now there is no error but SSO is not working. I am attaching the trace file for your reference (download the file and remove the .txt extension).

Also is it compulsory to configure LDAP?

Thanks,

Jithin

Former Member
0 Kudos

Are all the pre-requisites met for Windows Integrated authentication to work? Can you check that there are no certificates in your browser which might interfere with SPNEGO? Theoretically it is possible to configure SPNEGO without having a LDAP user data source (at least in Legacy mode), but it is not recommended and additional configuration is required. See the attached link for details.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/75dd57d1653659e10000000a42189b/frameset.htm

former_member186228
Active Participant
0 Kudos

Hi,

We are using Windows Server 2008 R2 Standard for the domain server, Red Hat 6.1 for SAP NetWeaver 7.3 EHP1 (Java stack) and Windows XP as the client. I am following the PDF attached to SAP note 1488409.

The trace result is showing a warning: NTLM token found in authorization header during SPNEGO authentication.

Please find the trace file attached.

Regards,

Jithin M
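The warning "NTLM token found in authorization header during SPNEGO authentication" means the browser answered the 401 challenge with an NTLM blob instead of a Kerberos token inside a SPNEGO NegTokenInit; Internet Explorer does this when the site is not in the Local intranet zone, when it cannot obtain a service ticket for the SPN, or when the user has no TGT. Added example, not code from the post or from SAP: a Python function that base64-decodes an Authorization: Negotiate header value and tells apart raw NTLMSSP, a SPNEGO NegTokenInit (listing its mechTypes and flagging the case where NTLMSSP is the optimistic mechanism), and a bare GSS Kerberos token. The sample headers are constructed inside the block; the Kerberos mechToken is a placeholder, not a real AP-REQ.

```python
import base64

# DER-encoded OID contents (the bytes that follow the 0x06 tag)
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}


def der_tlv(tag, body):
    """Encode one DER tag-length-value (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def der_children(body):
    """Iterate over the TLVs packed inside a constructed DER body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        yield tag, inner


def build_neg_token_init(mech_oids, mech_token):
    """GSS-API InitialContextToken carrying a SPNEGO NegTokenInit (RFC 4178)."""
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, o) for o in mech_oids))
    neg_init = der_tlv(0x30, der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token)))
    return der_tlv(0x60, der_tlv(0x06, SPNEGO_OID) + der_tlv(0xA0, neg_init))


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme, "is_ntlm": scheme.lower() == "ntlm"}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):            # raw NTLM with no SPNEGO wrapper
        msg_type = int.from_bytes(raw[8:12], "little")  # 1=NEGOTIATE 2=CHALLENGE 3=AUTHENTICATE
        return {"kind": "ntlm", "ntlm_message_type": msg_type, "is_ntlm": True}
    if raw[:1] != b"\x60":                         # not a GSS InitialContextToken
        return {"kind": "unknown", "is_ntlm": False}
    _, body, _ = der_read(raw)
    otag, oid, pos = der_read(body)
    if otag != 0x06:
        return {"kind": "unknown", "is_ntlm": False}
    if oid in (KRB5_OID, MS_KRB5_OID):             # bare Kerberos GSS token
        return {"kind": "kerberos", "mech": OID_NAMES[oid], "is_ntlm": False}
    if oid != SPNEGO_OID:
        return {"kind": "unknown", "is_ntlm": False}
    ctag, neg, _ = der_read(body, pos)
    if ctag != 0xA0:                                # [1] would be a NegTokenResp
        return {"kind": "spnego-resp", "is_ntlm": False}
    mechs, optimistic_is_ntlm = [], False
    _, seq, _ = der_read(neg)                        # NegTokenInit ::= SEQUENCE { ... }
    for tag, inner in der_children(seq):
        if tag == 0xA0:                              # [0] mechTypes
            _, lst, _ = der_read(inner)
            mechs = [OID_NAMES.get(o, o.hex()) for _, o in der_children(lst)]
        elif tag == 0xA2:                            # [2] mechToken (for the first mechType)
            _, tok, _ = der_read(inner)
            optimistic_is_ntlm = tok.startswith(b"NTLMSSP\x00")
    is_ntlm = optimistic_is_ntlm or mechs[:1] == ["ntlmssp"]
    return {"kind": "spnego", "mech_types": mechs, "is_ntlm": is_ntlm}


# Constructed sample headers (not captured from a real client).
_NTLM_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)  # minimal NEGOTIATE_MESSAGE
SAMPLE_HEADERS = {
    "ie_kerberos": "Negotiate " + base64.b64encode(
        build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x00placeholder-ap-req")).decode(),
    "ie_ntlm_in_spnego": "Negotiate " + base64.b64encode(
        build_neg_token_init([NTLMSSP_OID], _NTLM_NEGOTIATE)).decode(),
    "raw_ntlm": "Negotiate " + base64.b64encode(_NTLM_NEGOTIATE).decode(),
    "basic": "Basic " + base64.b64encode(b"user1:secret").decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(name, classify_negotiate(hdr))
```

Run it against the value copied from the browser's Authorization header (a proxy or developer tools will show it): if the result is NTLM, the problem is on the client or SPN side and no amount of keytab work on the Java system will help.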

former_member186228
Active Participant
0 Kudos

Thanks Samuli,

Issue Resolved. SSO is working perfectly fine.

Best Regards,

Jithin

former_member203984
Participant
0 Kudos

Hi Jithin,

I am following the same steps as below (except the 4th step):

1. Created administrator user user1, disabled "Use Kerberos DES encryption types for this account" and checked the "Password never expires" option

2. setspn -a HTTP/javahost.mydomain.com user1

3. Logged into javahost:port/nwa

4. Configuration --> SPNEGO --> Add --> Manually --> Realm Name: MYDOMAIN.COM --> Next --> Principal Name: user1, Password: ******** --> Next --> Selected all 4 keys --> Mapping Mode: Principal@REALM, Source: User Attribute, User Attribute: email (as the email id is maintained properly in the JAVA user database)

5. Generated the keytab file on the domain server:

ktab -a user1@MYDOMAIN.COM -k keytab

6. Imported the keytab into the JAVA system :

http://javahost:port/spnego

Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.

7. Activate the REALM.

8. Adjusted the authentication stack:

EvaluateTicketLoginModule     SUFFICIENT

SPNegoLoginModule              OPTIONAL

CreateTicketLoginModule       SUFFICIENT

BasicPasswordLoginModule     REQUIRED

CreateTicketLoginModule       REQUIRED

-->Save.

9. Did the settings in the browser, but SSO is not working.

I am getting an error: "No key (etype: 18) for realm". Can you help me out?

Are the steps above right?

Regards

G.Partheeban
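The message "No key (etype: 18) for realm" says the uploaded keytab holds no AES256-CTS-HMAC-SHA1-96 key for the principal, while the client's service ticket was encrypted with that type. The same family of mismatch (wrong etype, wrong kvno, or wrong key bytes) is what the earlier reply about "incompatibility of the encryption keys or conflicting key versions" and the "Checksum error" trace line point at, and the opening post's empty klist and "No default key table exists" output comes from not pointing the tools at the keytab file. Added example, not from the thread or from SAP: a Python reader for the MIT/Java keytab format (version 0x0502, the layout written by ktab and ktpass) that lists principal, kvno and enctype per entry and looks up the key the server would need for a given principal, etype and kvno, returning None in the situation where the Java stack reports "No key". A matching writer builds a constructed sample keytab inline so the block runs offline; the key bytes in it are dummies.

```python
import struct
from dataclasses import dataclass

# Encryption type numbers commonly found in keytabs produced for Windows KDCs
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/javahost.mydomain.com@MYDOMAIN.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def enctype_name(self):
        return ENCTYPE_NAMES.get(self.enctype, f"etype {self.enctype}")


def _counted(data):
    """Keytab 'counted octet string': uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise entries in the version 0x0502 layout written by ktab and ktpass."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)                                      # 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Parse a 0x0502 keytab into KeytabEntry objects (deleted slots are skipped)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {blob[:2].hex()} (only 0x0502 handled)")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:            # newer writers append a 32-bit kvno
            (kvno,) = struct.unpack_from(">I", blob, pos)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
        pos = end
    return entries


def list_keys(entries):
    """Roughly what 'ktab -l -k <file>' shows: (principal, kvno, enctype name)."""
    return [(e.principal, e.kvno, e.enctype_name) for e in entries]


def find_key(entries, principal, etype, kvno=None):
    """The key needed to decrypt a ticket of the given etype (and kvno, if known)."""
    for e in entries:
        if e.principal == principal and e.enctype == etype and (kvno is None or e.kvno == kvno):
            return e
    return None


# Constructed sample: one SPN, current kvno 2 with RC4 and AES128 keys, plus a
# stale kvno 1 RC4 key left over from an earlier run. Deliberately no AES256 key.
SPN = "HTTP/javahost.mydomain.com@MYDOMAIN.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1_360_000_000, 1, 23, b"\x11" * 16),
    KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1_360_100_000, 2, 23, bytes(range(16))),
    KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1_360_100_000, 2, 17, bytes(range(16, 32))),
])

if __name__ == "__main__":
    keys = parse_keytab(SAMPLE_KEYTAB)
    for row in list_keys(keys):
        print(row)
    print("AES256 key present:", find_key(keys, SPN, 18) is not None)  # the "No key (etype: 18)" case
```

To check a real file, replace SAMPLE_KEYTAB with the bytes of the keytab you uploaded and compare the kvno and enctype list against what the KDC issues (the client's ticket etype shows up in the SAP trace next to the "Encryption key selected" line); a missing etype means regenerate the keytab with that key type selected, and a kvno lower than the account's current one means the account password was reset after the keytab was made.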

former_member186228
Active Participant
0 Kudos

Dear Partheeban,

Try to add the service principal name with setspn -a HTTP/javahost also, then try again.

Regards,

Jithin M

former_member203984
Participant
0 Kudos

Hi Jithin,

Do you mean "setspn -a HTTP/javahost.mydomain.com user1"? I have done it.

Can you see this and reply?

Also, which keys should be selected?

Regards

G.Partheeban

former_member203984
Participant
0 Kudos

Hi all,

Issue resolved by applying the SP.

Regards

G.Partheeban

Answers (1)

manna_das
Contributor
0 Kudos

Hello Jithin,

Go to the properties of User1, add HTTP/Servername (fully qualified domain name) to servicePrincipalName and go to http://localhost:51000/nwa

Go to Authentication > Login Modules > SPNego; under user mapping select Principal@Realm and Source = Virtual User.

Kind Regards

Manna Das

former_member186228
Active Participant
0 Kudos

Hi Manna Das,

There is no "Virtual User" option available in SPNego.

Regards,

Jithin

manna_das
Contributor
0 Kudos

Hello Jithin,

We also implemented SSO a few days back; in the screenshot below you can see that for Principal@Realm the source Virtual User is mapped.

Moreover, you can check the links below; it will work with Mapping Mode Principal@Realm and Source = Virtual User.

http://scn.sap.com/thread/3179320

http://scn.sap.com/thread/3240076

http://scn.sap.com/thread/3205345

Kind Regards

Manna Das