
SAP NWSSO 2.0 SP03 SPNEGO not working (no WebGUI/NWBC or Portal)

Former Member
0 Kudos

Login testing the service WebGUI

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui - test the service

Getting a prompt first for the AD user ID and password and then for the SAP user ID and password.

2. The same thing happens with NWBC and BW-Portal login: it prompts for the AD ID and then the SAP ID and password.

Whereas ABAP SSO works perfectly.

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

NWSSO Configuration Steps.

1.  Service user in the MS AD for AS-ABAP or AS-JAVA/Portal with the following information

  • User ID: SAPService<SID> (existing individual <SID> service user ID)

  • Set "User cannot change password"

  • Set "Password never expires"

2.  Created SPNs for this service user

  • For ABAP - SAP/SAPService<SID>

  • For Web - HTTP/<hostname of the ABAP application server>

3.  Installed Secure Login Library on the SAP server

  • Created a folder named SLL in /usr/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

  • Verified SL Library (version 8.4.18.0)

(Starting with NW 7.4 the sapcrypto library is included; check that the version is the same in the SLL directory and in the kernel directory.)

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com

   snc/enable  = 1

   snc/accept_insecure_cpic = 1

   snc/accept_insecure_rfc = 1

   snc/accept_insecure_gui = 1

   snc/data_protection/min = 3

   snc/data_protection/max = 3

   snc/data_protection/use = 3

   snc/permit_insecure_start = 1

   snc/r3int_rfc_qop = 8

   snc/r3int_rfc_secure = 0

   snc/force_login_screen = 0

   spnego/enable = 1

   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

5.  Kerberos keytab was generated successfully for SPNEGO/SNC and verified with

        #sapgenpse seclogin -l -v

6.  Configured the credential file and verified it

7.  Installed Secure Login Client and defined the SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configured user mapping in SAP AS ABAP - SNC name - p:CN=<USERID>@MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10. SPNEGO configuration:

     a.  Defined the Kerberos keytab for SPNEGO using tcode SPNEGO

     b.  Created the UPN SAPServiceSB1@MYCOMPANY.COM with the password of this service ID.

For WebGUI all the required services are activated and published via SICF, also as per http://scn.sap.com/docs/DOC-29485

Created an SAP message and SAP also confirmed that all the settings look fine, and mentioned Kerberos being case sensitive, but since my ABAP SSO is working that possibility is also ruled out.

Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get WebGUI or NWBC resolved, which use the SPNEGO configuration.

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

Please check the general troubleshooting note: https://service.sap.com/sap/support/notes/1732610

and https://service.sap.com/sap/support/notes/1819808

Did you test the connection using IE or Firefox? You need some configuration to allow SPNego in the browser.

Check that you have the right ABAP patch to support SPNego.

If this did not help, please enable SPNego traces as described in the SAP SSO implementation guide, chapter 4.7.5.5, and the traces in the Secure Login Library in chapter 4.8.1.

The implementation guide can be found at help.sap.com/sapsso

KR

Valerie

Former Member
0 Kudos

I was checking troubleshooting note 1732610 and ran the command klist on my PC and got a Kerberos server name which does not exist; I am surprised where this server krbtgt is coming from.

I have one question:

In the SPNEGO transaction help it says: Create a keytab file using the ktpass command in Active Directory.

I don't remember that we did this step, nor was it shown in any documentation of NWSSO 2.0. Is this keytab required to be created in AD with this format, and then which user ID should be used for mapUser - is it the service ID or what?

Format:
ktpass /princ http/<ABAP_host_name>@<domain> /pass <password> /out c:/keytab /mapUser <Active_Directory_logon_name>@<domain> /crypto All /ptype KRB5_NT_PRINCIPAL

Former Member
0 Kudos

Hi,

You don't need to create a keytab with ktpass if you have done it with transaction "spnego" and sapgenpse.

The service user "krbtgt" is the one used for windows login. This is OK. Did you check if the domain part is the one you use to create the keytab using transaction spnego or sapgenpse command?

Did you configure the traces? Did you check if your IE/Firefox are well configured?

KR

Valerie

Former Member
0 Kudos

Hi,

I ran the traces - SSL, SPNEGO and work process - and found this error:

ERROR(0xA2600214) in KERBEROS module. Function sec_kerberos_spnego_ParseToken failed: Authentication token is of type NTLM instead of SPNEGO


Checked all the configuration and SPNEGO, checked the AD SPN and its algorithm setting; everything looks perfect. Checked my browser as mentioned in the note.

(As mentioned, my SAP GUI ABAP SSO is working perfectly.)

One observation in the SPN setting for the service ID used: there is no check on Account Options (Encryption). Do we have to select one? (DES is not supported any more.)

Former Member
0 Kudos

Hi,

This is what I found concerning the error code you get:

A2600214 Authentication token is of type NTLM instead of SPNEGO

The browser has sent an NTLM token instead of a Kerberos token. This is caused by a client that cannot obtain a Kerberos token from the KDC. Please check that the browser configuration is correct, the Service Principal Name (SPN) is unique and the SPN entry is registered for all AS_ABAP aliases.

Could you please check for SPN duplicate in AD with the command:

setspn -Q <your SPN>

Could you please also check if the SNC user mapping is correct in transaction su01. Sometimes the SNC name configured is different depending on whether you are using SAP GUI or SPNego for ABAP.

KR

Valerie
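The trace error above (token of type NTLM instead of SPNEGO) is something you can also verify on the wire: an NTLM token begins with the "NTLMSSP\0" signature, while a SPNEGO token is a DER GSS-API InitialContextToken that carries the SPNEGO OID 1.3.6.1.5.5.2. The following classifier is an added example, not code from this thread or from SAP; it runs on constructed Authorization headers so it works offline.

```python
import base64

# Signature that starts every NTLMSSP message (type 1, 2 and 3).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs that may lead a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2


def _der_len(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Classify the token in an HTTP 'Authorization: Negotiate <b64>' header.
    Returns 'NTLM', 'SPNEGO', 'KRB5' or 'UNKNOWN'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "UNKNOWN"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "UNKNOWN"
    if tok.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"           # the case the ABAP trace reports as 0xA2600214
    # InitialContextToken (RFC 2743 3.1): 0x60 <len> 0x06 <len> <OID> <inner>
    if len(tok) < 4 or tok[0] != 0x60:
        return "UNKNOWN"
    _, pos = _der_len(tok, 1)
    if pos >= len(tok) or tok[pos] != 0x06:
        return "UNKNOWN"
    oid_len, pos = _der_len(tok, pos + 1)
    oid = tok[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "SPNEGO"
    if oid == KRB5_OID:
        return "KRB5"
    return "UNKNOWN"


def _gss_token(oid, inner):
    """Build a small InitialContextToken (short-form DER lengths suffice here)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample headers, not captured from any real system.
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 24).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    _gss_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")).decode()
```

Feed it the Authorization header from a browser trace (for example the first request after the 401 with WWW-Authenticate: Negotiate) to see which mechanism the client actually chose.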

Former Member
0 Kudos

Thanks Valerie,

In the SPN, HTTP/hostname.FQDN was missing for this service user. I found out when I asked my AD administrator for a screenshot of this user's SPNs. After adding this entry and checking the browser requirements and settings, WebGUI started working.

But my AS-JAVA/Portal is still not working.

Former Member
0 Kudos

By adjusting the user mapping mode in SPNEGO from Principal and Realm to Principal only, my Portal SSO started working.

0 Kudos

Dear Brajendra Tewary,

I am facing exactly the same problem here but I cannot see any option to change the user mapping mode in SPNEGO. I can only add/modify the User Principal Names but there's no function to change the user mapping mode.

Any ideas? SPNEGO is the tcode, isn't it?

Thank you

Matthias

s0002529520
Explorer
0 Kudos

Hi Matthias,

Did you manage to resolve the issue? I have the same problem and my SNC (SAPGUI) part works, but the SPNego (http) side also has the same NTLM error. I can also see the error in the SPNEGO transaction logs in the ABAP server. But I also cannot find a way to change the mapping mode on the ABAP side?

I also checked all the browser settings and the Microsoft note, but all those things are correct.

Regards

Johan

0 Kudos

Hi Johan,

Yes, I was able to fix the problem.

The service principal name of the AD account was incomplete. I already had an entry "SAP/xxxxx" but for SPNEGO "HTTP/xxxxx" entries are required.

Example: HTTP/server.domain.net

After adding those entries SSO via SPNEGO was working.

Regards

Matthias
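Both fixes in this thread came down to the service account's SPN list: the SAP/ entry alone is not enough, every host name a browser may use needs an HTTP/<alias> entry. The following check is an added example, not code from this thread or from SAP; it parses constructed setspn -L output (the real command is run against the AD account) and reports HTTP/ SPNs that are absent or present only with a different letter case, since the thread mentions Kerberos being case sensitive.

```python
# Constructed sample of "setspn -L <account>" output, not from a real directory.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=SAPServiceSB1,OU=Service,DC=mycompany,DC=com:
        SAP/SAPServiceSB1
        HTTP/sapsb1.mycompany.com
"""

# Constructed list of host names users might type for WebGUI/NWBC/Portal URLs.
SAMPLE_ALIASES = [
    "sapsb1.mycompany.com",
    "SAPSB1.mycompany.com",
    "sapsb1",
    "webgui.mycompany.com",
]


def parse_setspn_list(text):
    """Return the set of SPNs listed by setspn -L (the indented lines)."""
    spns = set()
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and "/" in line:
            spns.add(line.strip())
    return spns


def check_http_spns(registered, host_aliases):
    """For each alias, classify HTTP/<alias> as present, missing, or present only
    with a different letter case (reported separately so an admin can decide)."""
    by_lower = {spn.lower(): spn for spn in registered}
    missing, case_mismatch = [], []
    for alias in host_aliases:
        want = f"HTTP/{alias}"
        if want in registered:
            continue
        if want.lower() in by_lower:
            case_mismatch.append((want, by_lower[want.lower()]))
        else:
            missing.append(want)
    return {"missing": sorted(missing), "case_mismatch": sorted(case_mismatch)}


if __name__ == "__main__":
    result = check_http_spns(parse_setspn_list(SAMPLE_SETSPN_OUTPUT), SAMPLE_ALIASES)
    for spn in result["missing"]:
        print(f"MISSING  {spn}")
    for want, have in result["case_mismatch"]:
        print(f"CASE     {want} (registered as {have})")
```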

s0002529520
Explorer
0 Kudos

Thanks Matthias. I have both the SAP/ and HTTP/ SPNs set on the AD user and the HTTP one is set to HTTP/server.domain.com as per the server's FQDN. But I still get the NTLM token error. But thanks for the reply. I will post if I find a solution.

Former Member
0 Kudos

Hi Johan,

The issue you get is related to your AD configuration and your client workstation. Did you check the output of "klist" on your client? Did you check if you have duplicates in your AD with the command "setspn -Q "Your SPN""? Do you have a multiple-domain landscape and have you only configured the keytab for the parent domain and not the child domains in ABAP transaction "spnego"?

KR

Valerie

s0002529520
Explorer
0 Kudos

Hi Valerie,

Thanks for the reply. Yes, I have checked that the SPN is unique and it is set to the FQDN of the ABAP server. We only have 1 domain at the client and not multiple domains. In SPNEGO the keytab is configured for the domain with the service user, and SPNEGO also picks up the SPNs correctly; the SPN uniqueness check and token check in SPNEGO also work.

I also checked the klist output and it has a whole list of Kerberos ticket outputs for various encryption types for my user including for e.g. AES-256-CTS-HMAC-SHA1-96 which is one of the algorithms in SPNEGO.

So I don't know what else to check...

Former Member
0 Kudos

Hi Johan,

If SNC using SAP GUI works, I assume that you have installed Secure Login Client.
You can use the SAP Note https://service.sap.com/sap/support/notes/2010613 to check your configuration.

KR

Valerie

s0002529520
Explorer
0 Kudos

Yes, I do have the SLL client installed for SNC to work. I actually just got it working and it was a combination of the items you and Matthias mentioned, as well as clearing all tokens with klist, and then also the SAP user was locked (stupid, I know).

Thanks for everyone's responses and help on this one. It doesn't seem like this SDN post is marked as a question, so I'm not able to award points, but if someone can advise I will gladly award points for the excellent help.

Thanks again to a community that collaborates and helps in such a manner!

Johan
