SPNEGO not working at JAVA and Web GUI

former_member226585
Participant
0 Kudos

Dear colleagues, I'm asking for help, I'm exhausted!

I have been setting up Kerberos SSO for a Solman 7.1 (NW 702) system. For the ABAP part it succeeded. But for Java, Web GUI and NWBC, a window asking for login and password appears. What could be wrong? I believe that SPNEGO does not work correctly.

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi Evgeniy

We had this issue initially. My SAP GUI SSO with CommonCrypto and Kerberos works fine, but Web GUI/NWBC had an issue.

We found the issue was caused by a wrong SPN. We have to create the SPN as http/<server name + FQDN>

Please check if your AD admin set this up precisely.

I hope this helps.

Thank you

Santosh.

former_member226585
Participant
0 Kudos

Hello, I checked it, but the SPN is fine. As you say - server name+FQDN.

Web GUI uses SPNEGO, right? This is customized in tx SPNEGO, right? And we need to create an entry as well as the SPN, right? "SAPServiceSID@DOMAIN.LOCAL", right?

Former Member
0 Kudos

Did you read all these notes? It's important for SPNEGO.

1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

1819808 - SPNego ABAP: Collective Corrections

1798979 - SPNego ABAP: Downport
--> the note gives you all the minimum levels of the kernel and SP versions you need to do SPNego ABAP
--> also lists a ton of notes to review at the very bottom.

1732610 - SPNego ABAP: Troubleshooting Note
--> good note to review if you are having problems with SPNego.

And you put in all the correct profile params? Could you show us?

Also, what's in your SPNEGO (tcode)?

How about the DOS command "klist", what does it say?

And did you install Secure Login Client on your PC? Does the name in that match the SNC tab for your ID in SU01?

What kernel version are you at?
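
The SPN check and the "klist" question in the answers above fit together: a browser doing SPNEGO needs a Kerberos service ticket for HTTP/<host in the URL>, so the client's ticket cache shows whether that name matched a registered SPN. The following Python is an added example, not part of the original posts; the klist output is constructed, and the host names, realm and function names are placeholders.

```python
import re

# Constructed sample of Windows `klist` output (host names and realm are placeholders).
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: jdoe @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ EXAMPLE.LOCAL
        Server: HTTP/solman.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
"""

def parse_tickets(klist_text):
    """Return one {'server', 'realm', 'etype'} dict per cached ticket."""
    tickets = []
    # Each ticket starts with "#<n>>" at the beginning of a line.
    for block in re.split(r"^#\d+>", klist_text, flags=re.M)[1:]:
        server = re.search(r"Server:\s*(\S+)\s*@\s*(\S+)", block)
        etype = re.search(r"KerbTicket Encryption Type:\s*(.+)", block)
        if server:
            tickets.append({"server": server.group(1),
                            "realm": server.group(2),
                            "etype": etype.group(1).strip() if etype else None})
    return tickets

def check_http_ticket(klist_text, url_host):
    """Diagnose the ticket cache against the host name typed in the browser."""
    wanted = "http/" + url_host.lower()
    http_tickets = [t for t in parse_tickets(klist_text)
                    if t["server"].lower().startswith("http/")]
    for t in http_tickets:
        if t["server"].lower() == wanted:
            return "ok", t  # compare t["etype"] with what the server keytab supports
    if http_tickets:
        # A ticket exists, but for another name (short name vs. FQDN, alias).
        return "name-mismatch", http_tickets[0]
    # No HTTP/ ticket at all: the SPN lookup for this host did not succeed.
    return "no-http-ticket", None

if __name__ == "__main__":
    print(check_http_ticket(SAMPLE_KLIST, "solman.example.local"))
```

Feed it the text of `klist` captured on the client right after opening the Web GUI URL in the browser.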

Former Member
0 Kudos

Evgeniy,

Watch out on this, man. We also did SPNEGO for Solman, but we ended up turning it off and just doing SNC for the SAPGUI.

We found that it broke some of the monitoring tools, the way that satellite systems communicate with Solman and the way Solman talks to them.

Jobs just started failing, and the config screens inside Solman just wouldn't work.

I still like SPNEGO, SNC, but for Solman, really there isn't any point for us if it breaks those monitoring tools. It would be too difficult and time consuming to explain to SAP support for a fix. I have put in enough Solman tickets to know it would just bounce between Solman support and SSO support and it would waste time.

For our end users in Solman, they use SAPGUI so just enabling SNC was good enough.

You could always do X.509 for others if they hit HTTP(s) connections to Solman. So that's what we've done, but we didn't use SAP Secure Login Server. We just did it internally.

NICK

former_member198633
Contributor
0 Kudos

Hello Evgeniy

First question is which SPNego are you using: legacy, addon, migrated?

This is the documentation for the new: link. For the old, use this: link.

It would be important to see the authentication trace. Please create a trace and check what the problem is: Web diagtool for collecting traces

These are some typical SPNego issues: link.

Best Regards,

Peter