Hi Tim,

10 points for both the speed and accuracy of the answer I did some investigation based upon the logs (defaulttrace.trc). I found an entry:

<i>com.ibm.security.krb5.internal.KrbException, status code: 31

message: Integrity check on decrypted field failed</i>

This message is explained in <a href="http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rsec_SPNEGO_trouble_shoot.html">SPNEGO trust association interceptor (TAI) troubleshooting tips</a> and seems to match your statement.

So I'll try to implement the new keytab file and see how it works.

Rgds

Marcel

Update:

implementing a new keytab made no difference. The wizard creates the correct keytab so it is not necessary to replace the tab. The error still occurs however and is the result of a change in the userid that is assigned to the SPN. So maybe there is still some old configuration (although I moved the SPN from one account to the other.

Question: is the host/myhost.domain.com@DOMAIN.COM still required since we're using HTTP/myhost.domain.com?

Marcel,

If you are using the ktpass utility to create the key in the keytable file, then a domain user account is being used for authentication of the service. The user accounts password is used to derive a key, which MUST be the same as the key stored in the key table file for the same principal name. This means, if you use ktpass to extract the key and then you later change the password the key will no longer match, which means the keytab file is useless.

We have a product which uses computer accounts to store the key, and when a computer account is used instead of a user account the problem of password changing does not occur.

In your post you said you moved the SPN from one account to the other - when doing this you will have made the key in the keytab file invalid because the password used to derive the key will be invalid. I think this might be why you are getting a problem.

I hope this helps.

Thanks,

Tim

Hi Tim,

I have created a new keytab file (using the new account) with ktpass.exe and replaced the current one, but this made no difference. Also, SPNego Wizard takes care of the keytab file. It creates the keytab file based upon the account or principal name you enter.

My guess is that there's a problem with the UID since the configuration is done with the uid in mixed case, while the SPN is in uppercase. Check out the listings below:

<i>C:\Program Files\Resource Kit>setspn -l User_SapPortal

Registered ServicePrincipalNames for CN=USER_SAPPORTAL,OU=Service Accounts,OU=Users,OU=xxx,DC=xx,DC=xxx,DC=xxx,DC=xx:

HTTP/<FQDN server 1>

HTTP/<FQDN server 2>

C:\Program Files\Resource Kit>setspn -l USER_SAPPORTAL

Registered ServicePrincipalNames for CN=USER_SAPPORTAL,OU=Service Accounts,OU=Users,OU=xxx,DC=xx,DC=xxx,DC=xxx,DC=xx:

HTTP/<FQDN server 1>

HTTP/<FQDN server 2></i>

Does this make sense?

marcel

Marcel,

Yes, it makes perfect sense to me. The principal name is case sensitive.

I cannot provide much more help with this since I represent a company who sells a competing product. Our product does not use ktpass - we have our own utility which creates computer accounts in AD, and we support RC4 enc. type and other AD additions which are not supported by SAP SPNEGO login module. Of course, if somebody else who is watching this post can help you I hope you get it working, but I can only help you if you are interested to consider our TrustBroker Adapter product instead.

Thanks,

Tim