SFTP Channel Issue

Former Member
0 Kudos

Hi Gurus,

We are using the dual stack 7.3 version.

The issue we are facing is with an SFTP communication channel of a particular server which throws the following error:

Exception received: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed: destination=xuser@ftp.xserver.com; name=; instruction=prompt=Enter password:

As you are aware, the password field is a mandatory field on the communication channel and has been entered and we are still getting this error.

Also, we are able to log on to the server externally using WINSCP. There has been no change on the SFTP server recently either.

Please advise.

Thank you,

Regards,

Rakesh.

Accepted Solutions (1)

wolfgang_hegmann
Explorer
0 Kudos

Hello Rakesh,

I just came across this error message twice due to two different reasons.

Reason 1: user or pwd is incorrect or not known on the sftp server you are calling - o.k. this should not be your problem here. It is just important to know that it raises the same error in audit log.

Reason 2: the sftp server you are calling is configured for "keyboard-interactive authentication". So even with a ftp client (e.g. FileZilla) accessing the sftp server looks normal, PI experiences different behavior. In xpi_inspector you should see following:

Caused by: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed: destination=user@server:22; name=; instruction=prompt=Enter password:

at com.sap.aii.adapter.sftp.ra.rar.integration.sftp.SSHConnection$MyUserInfo.promptKeyboardInteractive(SSHConnection.java:547)

at com.jcraft.jsch.UserAuthKeyboardInteractive.start(UserAuthKeyboardInteractive.java:139)

at com.jcraft.jsch.Session.connect(Session.java:420)

at com.sap.aii.adapter.sftp.ra.rar.integration.sftp.SSHConnection.<init>(SSHConnection.java:149)

at com.sap.aii.adapter.sftp.ra.rar.jca.CCIInteraction.sendSFTP(CCIInteraction.java:484)

Your options: Either the sftp server can be reconfigured "no keyboard interactive" or they give you a ssh-rsa-key logon.

Best regards,

Wolfgang

JaySchwendemann
Active Contributor
0 Kudos

Great tips, thanks for sharing.

Former Member
0 Kudos

Thanks for inputs Wolfgang.

This error started occurring after a stack upgrade was done on the PI system.

The XPI Inspector logs don't have any references to Keyboard Interactive Authentication. Neither does it have any logs for SSH.

Strangely, the SFTP server is not even receiving any requests from PI.

Yes, the other option we have is to use key based authentication. For now, we have replaced the SFTP server as a workaround but we would like to find the root cause before we move forward.

Thanks again,

Regards,

Rakesh.

JaySchwendemann
Active Contributor
0 Kudos

Rakesh Damera wrote:

Strangely, the SFTP server is not even receiving any requests from PI.

You may need to get your firewall guys together with the guys that manage the sFTP server. Maybe someone with command line access to PI's OS would also be needed.

Say you are running your PI on a Unix system, I would do an sftp from PI's shell to your sFTP server. If that is going through, network should not be a problem.

If it is not going through, have your network / firewall guys look at where it fails.

Even if sftp from shell is going through, there's a chance that it's failing when initiated from PI. Repeat monitoring with your network / firewall guys when attempting to send via PI.

Sorry to be kind of unspecific, but these kinds of errors are often quite hard to tackle.

Former Member
0 Kudos

Yes Jens,

We are getting into a meeting with the BASIS and Network teams today to check that.

Appreciate your taking time to analyse the issue. Will keep you posted.

Thanks again.

Regards,

Rakesh.

JaySchwendemann
Active Contributor
0 Kudos

Rakesh, how did things turn out?

Former Member
0 Kudos

The SFTP team is a little slow with their responses.

As a work-around we have created a temporary server and we are routing/picking files from there.

Will keep you posted guys.

Rakesh.

Answers (7)

Former Member
0 Kudos

Hi Rakesh,

We recently faced this issue in PO7.4 SP 06 and were able to resolve by replacing password based authentication to key based authentication.

This appears strange as when we don't use the PGP encryption the connection works fine even with username/password authentication but when we add the PGP module in the SFTP receiver channel it gives the same error as mentioned by you.

This appears to be some kind of bug in the PGP addon.

Best Regards,

Alok Yadav

Former Member
0 Kudos

Hello Achmad:

We've installed the version 1000.1.00.2.8.20140408103100, which corresponds to sp2 patch8, but the problem is not resolved in this version as it's mentioned in

The code of MyUserInfo.promptKeyboardInteractive in this sp throws the exception

"received authentication request from server which could not be processed: destination=" + destination + "; name=" + name + "; instruction=" + instruction + "prompt=";

This interface method needs to be implemented so that the result is that the password is returned (or an exception is thrown). You can implement it by designing a control panel where the password is asked for again if you're using this functionality with user interaction. But in the case of this adapter the password has been entered in the channel and the keyboard-interactive functionality does not apply. So we think in this method you only need to return the password stored in the channel configuration (propHandler.getPropertyValueAsString("password")).

Best regards.

Fernando.

achmad_dimyati5
Participant
0 Kudos

Hi Fernando,

My version is before it but should contain the fix.

1000.1.00.2.6.20140213100500

OK, for further investigation, please use the winscp client, activate the logging, and make it debug 2.

You should get this inside the trace:

. 2014-02-23 12:00:25.782 Attempting keyboard-interactive authentication

. 2014-02-23 12:00:25.782 Waiting for the server to continue with the initialization

. 2014-02-23 12:00:25.782 Looking for incoming data

. 2014-02-23 12:00:25.782 Looking for network events

. 2014-02-23 12:00:25.937 Detected network event

. 2014-02-23 12:00:25.937 Enumerating network events for socket 888

. 2014-02-23 12:00:25.937 Enumerated 1 network events making 1 cumulative events for socket 888

. 2014-02-23 12:00:25.937 Handling network read event on socket 888 with error 0

. 2014-02-23 12:00:25.938 Prompt (6, SSH server authentication, Using keyboard-interactive authentication., Enter password: )

. 2014-02-23 12:00:39.810 Waiting for the server to continue with the initialization

. 2014-02-23 12:00:39.810 Looking for incoming data

. 2014-02-23 12:00:39.810 Looking for network events

. 2014-02-23 12:00:39.937 Detected network event

The keyboard-interactive can be configured to ask any questions; the standard one is to ask for the password again. You can see it asks "Enter password:"; for non keyboard-interactive it will ask "password:". This info is related to the fix in note: 1859563 - Channel broken fix and advanced paramters for ignoring error.

If your SFTP server is asking different question then the patches can't be applied.

Best Regards,

Achmad

Former Member
0 Kudos

Hello Achmad:

Yes, the SFTP server we want to connect to asks a different question:

....

. 2014-04-09 14:05:46.071 Enumerated 1 network events making 1 cumulative events for socket 768

. 2014-04-09 14:05:46.071 Handling network read event on socket 768 with error 0

. 2014-04-09 14:05:46.072 Prompt (7, SSH password, , &Contraseña)

. 2014-04-09 14:05:46.072 Using stored password.

. 2014-04-09 14:05:46.120 Sent password

.....

Our option is independent of the server's question. We've simply implemented the corresponding function for recovering the stored password.

Regards.

Fernando.

achmad_dimyati5
Participant
0 Kudos

Hi Fernando,

Based on your data, it's not using keyboard-interactive authentication but still standard SFTP password authentication. The issue is that the SFTP server is asking for the password with the prompt: &Contraseña. You can submit this issue to SAP but I think they will say unsupported.

Could you ask them to change "&Contraseña" to the English question "password:"? If they can't, your only alternative is private-public key authentication or sticking with your solution.

Regarding private/public key authentication, the SFTP server also needs to be configured to support it. You need to check with them.

You can also check it by configuring the steps in the PI system based on the guides below:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/305eeb5b-81e7-2f10-d8aa-9216de04c...

http://wiki.scn.sap.com/wiki/display/XI/Generating+SSH+Keys+for+SFTP+Adapters+-+Type+1

http://wiki.scn.sap.com/wiki/display/XI/Generating+SSH+Keys+for+SFTP+Adapters+-+Type+2

After you get the private key, test it from winscp and you will see in the logging whether public key authentication has been activated or not.

Best Regards,

Achmad

Former Member
0 Kudos

Hello,

We had a similar problem when we tried to connect to an sFTP server. But switching to certificate authentication didn't resolve our problem. We always get the next error:

Exception caught by adapter framework: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed:

destination=<user>@<host>:<port>; name=Password authentication; instruction=prompt=<user>'s password

The problem is that the client we want to connect to tells us that on the server they don't have the option to deactivate keyboard-interactive. They have only two options to choose from: authentication with user/password, which is keyboard-interactive, or authentication with certificates. We tested both options with an identical error (the error above).

We were investigating the standard adapter and we found the cause of the problem.

In the jar com.sap.aii.adapter.sftp.ra.jar I've found the class responsible for the connection,

SSHConnection.class.

Decompiling and analyzing this class, I've found that when the connection is being established the next subclass is used:

   
UserInfo ui = new MyUserInfo();
this.session.setUserInfo(ui);


And this class has the method promptKeyboardInteractive (because it implements the interface UIKeyboardInteractive), which throws the exception mentioned:

public String[] promptKeyboardInteractive(String destination, String name, String instruction, String[] prompt, boolean[] echo)
    {
      String message = "received authentication request from server which could not be processed: destination=" + destination + "; name=" + name + "; instruction=" + instruction + "prompt=";
     
      String separator = ", ";
      for (int i = 0; i < prompt.length; i++) {
        message = message + prompt[i] + separator;
      }
      if (message.endsWith(separator))
      {
        int lastIndexOf = message.lastIndexOf(separator);
        message = message.substring(0, lastIndexOf);
      }
      throw new UnsupportedOperationException(message);
    }
   
This method of the interface UIKeyboardInteractive is used for custom implementations of this functionality, when the server asks for the password (because of the keyboard-interactive behavior), and it's designed for human interaction. But in this case keyboard-interactive doesn't apply, so if we substitute the code with the next code
      

public String[] promptKeyboardInteractive(String destination, String name, String instruction, String[] prompt, boolean[] echo)
    {
       // Answer the server's prompt with the password stored in the channel configuration.
       String[] password = new String[1];
        try{
         password[0] = propHandler.getPropertyValueAsString("password");
        }catch(Exception ex)
        { throw new UnsupportedOperationException("Error : " + ex.toString());
        }
       return password;
    }

The sftp channel works ok, and we can exchange files with the sftp server. Essentially, when the keyboard-interactive functionality appears we supply the stored password, and do not ask the user for it again.

I think in the next version of the adapter this functionality will be supported, but at the moment this work-around seems to be a good solution.

We've tested this change in the standard adapter in our development environment and the adapter works fine.

I don't know about the implications of changing a standard connection, except the obvious ones (no support, changes disappear when another standard version of the adapter is deployed). Do you know if there are some other implications in the case of modifying a standard adapter, until the next release?

regards.

Fernando. 
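
Added example, not the adapter's or the poster's code: a variant of the workaround above that returns the stored password only for a single, non-echoed prompt on an operator-defined allowlist, and fails as the original method does for anything else (for instance a second factor or a forced password change). The class name, the allowlist and the sample challenges are assumptions; the method mirrors the promptKeyboardInteractive signature quoted above and runs without JSch on the classpath.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Hypothetical helper: answers a keyboard-interactive challenge only if it is a plain password prompt. */
public class StoredPasswordResponder {
    // Assumption: prompts the operator accepts as password prompts (normalized form).
    private final List<String> allowedPrompts;
    private final char[] storedPassword;

    public StoredPasswordResponder(char[] storedPassword, List<String> allowedPrompts) {
        this.storedPassword = storedPassword.clone();
        this.allowedPrompts = allowedPrompts;
    }

    // Lower-case and drop trailing colons/whitespace so "Enter password: " becomes "enter password".
    static String normalize(String prompt) {
        return prompt.trim().toLowerCase(Locale.ROOT).replaceAll("[:\\s]+$", "");
    }

    // Same parameters as the promptKeyboardInteractive method quoted in the post above.
    public String[] promptKeyboardInteractive(String destination, String name, String instruction,
                                              String[] prompt, boolean[] echo) {
        if (prompt == null || prompt.length != 1) {
            throw new UnsupportedOperationException("expected exactly one prompt from " + destination
                    + ", got " + (prompt == null ? 0 : prompt.length));
        }
        if (echo != null && echo.length == 1 && echo[0]) {
            // An echoed prompt is not a secret prompt; never answer it with the password.
            throw new UnsupportedOperationException("refusing echoed prompt from " + destination);
        }
        if (!allowedPrompts.contains(normalize(prompt[0]))) {
            throw new UnsupportedOperationException("unrecognised prompt from " + destination + ": " + prompt[0]);
        }
        return new String[] { new String(storedPassword) };
    }

    public static void main(String[] args) {
        StoredPasswordResponder r = new StoredPasswordResponder("constructed-secret".toCharArray(),
                Arrays.asList("password", "enter password"));
        // Constructed challenges; the first is modelled on the "Enter password:" prompt in this thread.
        String[][] challenges = { { "Enter password: " }, { "New password: " }, { "Password: ", "OTP: " } };
        for (String[] c : challenges) {
            try {
                r.promptKeyboardInteractive("user@server:22", "", "", c, new boolean[c.length]);
                System.out.println(Arrays.toString(c) + " -> answered with stored password");
            } catch (UnsupportedOperationException e) {
                System.out.println(Arrays.toString(c) + " -> refused: " + e.getMessage());
            }
        }
    }
}
```

The prompt text is chosen by the server, so the allowlist only keeps the stored password out of unexpected challenges; it does not replace verifying the server's host key.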

achmad_dimyati5
Participant
0 Kudos

Hi Fernando,

Your problem is exactly similar to mine. Please check this http://scn.sap.com/thread/3501844.

I thought it was a banner issue but it is actually keyboard-interactive authentication.

And actually you are almost there in the java code.

public String[] promptKeyboardInteractive(String destination, String name, String instruction, String[] prompt, boolean[] echo)
    {
       String[] password = new String[1];
        try{
         password[0] = propHandler.getPropertyValueAsString("password");
        }catch(Exception ex)
        { throw new UnsupportedOperationException("Error : " + ex.toString());
        }
       return password;
    }

In the above code, it's not asking "password" but it's asking "Enter Password". You can see this in detail via SSH trace.

Best Regards,

Achmad

Former Member
0 Kudos

Hi All,

We couldn't really get to the depth of the issue as we were running out of time and eventually decided to deploy our certificates on the legacy's SFTP server for authentication. We switched from password based authentication to Certificate based authentication.

Thanks for all your inputs.

Regards,

Rakesh.

0 Kudos

Hi,

there is a SAP Note that explains the issue:  1945020

The target SFTP server asks for Keyboard-interactive authentication that is not supported by the SFTP Adapter.

best regards,

Torsten Kerwien

Former Member
0 Kudos

Thanks for the note Torsten,

We weren't getting a lot of help from the SFTP server team and hence couldn't ask of their logs/server settings.

We went with the certificate based authentication to get this fixed.

Thanks again,

Rakesh.

achmad_dimyati5
Participant
0 Kudos

Hi Rakesh,

Any news about this? Did you find any solution? To find out if the SFTP server is running with keyboard-interactive authentication or not, please change the logging of the WINSCP client to DEBUG (I used DEBUG 2). Then put the location of the log file.


If you connect from your PC, even if it looks like standard username/password, you will see it in the log file like this:

. 2014-02-18 14:26:37.588 Attempting keyboard-interactive authentication

. 2014-02-18 14:26:37.588 Waiting for the server to continue with the initialization

. 2014-02-18 14:26:37.588 Looking for incoming data

. 2014-02-18 14:26:37.588 Looking for network events

. 2014-02-18 14:26:37.806 Detected network event

. 2014-02-18 14:26:37.806 Enumerating network events for socket 900

. 2014-02-18 14:26:37.806 Enumerated 1 network events making 1 cumulative events for socket 900

. 2014-02-18 14:26:37.806 Handling network read event on socket 900 with error 0

. 2014-02-18 14:26:37.806 Prompt (6, SSH server authentication, Using keyboard-interactive authentication., Enter password: )

. 2014-02-18 14:26:37.806 Using stored password.

. 2014-02-18 14:26:37.837 Waiting for the server to continue with the initialization

. 2014-02-18 14:26:37.837 Looking for incoming data

. 2014-02-18 14:26:37.837 Looking for network events

. 2014-02-18 14:26:38.040 Detected network event

Then you can ask your UNIX team to disable keyboard-interactive. Find the file sshd_config (on AIX it is in /etc/ssh/sshd_config). Put the original as follows:

PasswordAuthentication yes

#ChallengeResponseAuthentication yes

#UsePAM no

This setting will return back the SFTP server to standard password authentication.

Best Regards,

Achmad

Former Member
0 Kudos

Thanks for the tip Achmad,

We have switched to the Certificate based authentication now and it is working fine. Will remember to use the Debug2 option the next time around.

Thanks again,

Regards,

Rakesh.

Former Member
0 Kudos

There has not been much progress. We are raising an OSS message now.

Regards,

Rakesh.

Former Member
0 Kudos

Hi Rakesh,

Ran into a similar issue with one of my clients. I did the below steps to fix it:

1) Kill the existing sftp sessions in SFTP server.

2) Stop channels where you're getting the error (stop sftp service if possible).

3) Refresh cache if problem still exists.

Thanks

Kiran Nekkanti

JaySchwendemann
Active Contributor
0 Kudos

Hi there,

best use xpi_inspector to get a more in-depth view of the problem.

Choose 50 (XI Channel) and add your channel (the one that connects to FTPS server) to the XI Channels table. Then hit "Start" and reproduce the problem. Hit "Stop" and analyse the error.

If you can't find solution or need additional info, please come back with details.

HTH

Cheers

Jens

Former Member
0 Kudos

Thanks Jens,

I have tried that too, but there isn't a lot of useful information there as I see the same error log as above.

As a confirmation, I can see that the password is being captured by PI,

Rakesh.

JaySchwendemann
Active Contributor
0 Kudos

So this CC was working and then ceased working without obvious changes to PI or the SFTP server?

You might want to increase log level for FTP, though not sure if this is gonna give you more details when using XPI inspector afterwards

http://help.sap.com/saphelp_nwpi71/helpdata/en/64/0b59010a65de44be4f26cb57b9580d/content.htm

Of course, logging and tracing on the sFTP side would also be feasible, depending on whether you have access to the server and knowledge on how to set up tracing there.

One thing that comes to my mind: Would it be possible that you set some kind of "user has to change password on first connect" policy on your sFTP side and that PI is not able to perform this? Are you really able to log on with the very same user using WINSCP that you specified in PI's CC?

HTH

Cheers

Former Member
0 Kudos

That is correct, it was working fine earlier.

So 'change password on first connect' doesn't look likely. I am thinking more along the lines of a prompt that asks the user to re-enter the password (which isn't the case when we are logging in using WINSCP though).

We have logged in a ticket with the team that maintains the SFTP server, hope to hear from them soon.

Thanks,

Rakesh.