10-08-2007 5:40 PM
Dear board,
I've tried to configure SPNego - Windows Integrated SSO with no success yet. We do use SAP EP7 on Windows Server 2003 64bit with MS AD 2003. The following is done:
- Service Account is created, authentication works when done on purpose
- SPNego wizard completed successfully, WebAs Java restarted
- IE6: Windows integrated Logon is activated, IE shows Intranet when accessing the portal URL (I can't modify the IE Security Settings yet, but as we do use KERBEROS outside of SAP as well, my assumption was settings are fine)
- UID in windows, EP and ECC are equal
When I access the portal URL, I am prompted for user id and password. How can I trace methodically what is wrong? Some kind of checklist with links, URLs or SAP Notes would be great. I've also read references to a test application as well as some diag / trace tool.
Please post thoroughly as I am rather new to this topic and still missing important terms and knowledge.
Kind regards and thanks in advance,
Richard
10-09-2007 7:59 PM
Here are a few links that may help...
Note 968191
Note 986060
Note 982044
Here's info on, and the location of, the diagnostic tool:
Note 958107
Here's a couple of step by step blogs:
/people/wai-hon.lam/blog/2006/04/20/windows-integrated-authentication-via-kerberos-on-an-ldap-data-source
/people/vaibhav.dua2/blog/2006/04/24/kerberos-implementation-with-ads-made-easy
Here are some relevant entries in the SAP Library:
http://help.sap.com/saphelp_nw2004s/helpdata/en/43/471720173f5f86e10000000a1553f6/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/43/4e80824d155f86e10000000a1553f6/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/en/43/49a2aefd975f89e10000000a1553f6/content.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/43/4e80824d155f86e10000000a1553f6/content.htm
I hope some of this helps. Kerberos can be a real pain.
10-09-2007 11:09 AM
Hi there,
now my central trace file contains errors, please see below:
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001A4BAF485A0064000000810000134000043C0C5737FC3E#1191923607711#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####7be002f1764d11dc884f001a4baf485a#SAPEngine_Application_Thread[impl:3]_4##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
How can I solve this?
Kind regards and many thanks,
Richard
10-10-2007 12:35 PM
Hi Glenn,
thanks for that, although I've found this information in the meantime as well. The problem still persists.
I have found hits pointing in the direction of Internet Explorer settings for that kind of error. Nevertheless the IE settings appear to be as required.
What would the error message look like if the "SPN Service Principal Name" registration was not performed?
Any ideas?
Kind regards and many thanks,
Richard
10-15-2007 10:06 AM
Dear board,
after the service principal name registration was done (once again maybe) the error message disappeared in the SPNego wizard when I retrieve the Principal in Step 2, the test resolution works as before in step 3 of the wizard.
At the moment, the error message in the central log file is still unchanged: Acquiring credentials for realm xxx.xxx.org failed, no valid credentials provided.
#
#1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Any ideas? I haven't used the diag tool yet, is there any other reasonable way how to debug the setup?
Kind regards and many thanks,
Richard
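The two trace excerpts in this thread (this post and the one of 10-09) share one record layout: a record starts with "#1.5 #", its header fields are separated by "#", and exception text and stack traces follow on continuation lines. As an added example, not part of the thread and not SAP's own diagnostic tool, the script below groups such lines into records and flags which ones point at the acceptor side (the portal's own Kerberos credentials) rather than at the browser. The field positions are inferred from the lines quoted here and are an assumption, not taken from SAP documentation; the sample input is copied from the posts above.

```python
"""Group and triage SAP NetWeaver Java default-trace records.

Example code written for this thread; the '#'-separated field layout is
inferred from the quoted trace lines (an assumption, not SAP documentation).
"""
import re
from datetime import datetime, timezone

# A record header looks like "#1.5 #<id>#<epoch ms>#<location>#<app>#..."
RECORD_START = re.compile(r"^#\d+\.\d+ #")
SEVERITIES = {"Debug", "Path", "Info", "Warning", "Error", "Fatal"}

# Sample input: the trace lines quoted in the thread (realm already masked there).
SAMPLE_TRACE = """\
#1.5 #001A4BAF485A0064000000810000134000043C0C5737FC3E#1191923607711#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####7be002f1764d11dc884f001a4baf485a#SAPEngine_Application_Thread[impl:3]_4##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
#1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
"""

# Diagnosis -> what to check; the acceptor case is the one this thread ran into.
HINTS = {
    "acceptor-credentials": (
        "server side: the portal could not obtain its own Kerberos (ACCEPT) "
        "credentials; check the service user's password/keytab, the SPN "
        "registered for the portal host, and the JDK build (the thread's root "
        "cause was a Sun JDK 1.4.2_14-16 defect), not the browser settings"
    ),
    "login-module-failed": "Krb5LoginModule threw during login; read the following record for the exception",
    "other": "no SPNego-specific pattern matched",
}


def split_records(text):
    """Group lines into records: a record starts at a '#1.5 #' line and runs
    until the next one, so stack traces stay with the header they follow."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                records.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_header(line):
    """Pull the fields we care about out of a record header (positions assumed
    from the sample lines: [3] epoch ms, [4] location, [5] application, [7] user)."""
    fields = line.rstrip("#").split("#")
    return {
        "time": datetime.fromtimestamp(int(fields[3]) / 1000, tz=timezone.utc),
        "location": fields[4],
        "application": fields[5],
        "user": fields[7],
        # severity sits further right; search rather than trust a fixed index
        "severity": next((f for f in fields[8:] if f in SEVERITIES), "Unknown"),
        "message": fields[-1],
    }


def classify(record_lines):
    """Decide whether a record is the acceptor-side GSS failure seen in the thread."""
    body = "\n".join(record_lines)
    if "GSSException" in body and "ACCEPT credentials" in body:
        return "acceptor-credentials"
    if "LOGIN.FAILED" in body and "Krb5LoginModule" in body:
        return "login-module-failed"
    return "other"


def triage(text):
    """Return one dict per record with header fields, diagnosis and hint."""
    result = []
    for rec in split_records(text):
        entry = parse_header(rec[0])
        entry["diagnosis"] = classify(rec)
        entry["hint"] = HINTS[entry["diagnosis"]]
        result.append(entry)
    return result


if __name__ == "__main__":
    for e in triage(SAMPLE_TRACE):
        print(f"{e['time']:%Y-%m-%d %H:%M:%S}Z {e['severity']:<7} {e['user']:<10} {e['diagnosis']}: {e['message']}")
        print(f"    -> {e['hint']}")
```

The point of the split between `split_records` and `classify` is that the decisive text ("Attempt to obtain new ACCEPT credentials failed") is not in the header line but in the continuation lines, so a grep over single lines loses the timestamp and user; grouping first keeps them together. "ACCEPT" names the server (acceptor) side of GSS-API, which is why this pattern says the portal's own credentials are the problem, not the client's ticket.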
10-17-2007 3:43 PM
Dear board,
the issue is solved. It was caused by an error in the used Sun JDK Version 1.4.2_14/15/16. The downgrade to version 1.4.2_13 solved it, the SSO is now working fine.
I've got another question now. Once I click on the Logout button in my Portal, I am continuously logged in again. How can I prevent this easily?
What is the easiest way to set up another portal login page for Administrators for example?
Kind regards and many thanks,
Richard
10-17-2007 7:13 PM
These properties allow you to change the logout redirect:
ume.logoff.redirect.url=http://server.com/logoutpage.html
ume.logoff.redirect.silent=true
If you point to a page that is not protected by a logon module stack with SPnego the users will not automatically log back in.
However, automatically logging in is what kerberos is all about, and normally "logging out" would be accomplished by logging out of the system that holds the kerberos ticket (i.e. the user's workstation).
As for having different versions of logon pages, I don't really understand what you're looking for, what is the point? What makes them different? How would one page behave differently than another? If it's just that you can't pass a kerberos ticket for the Administrator user, just disable "Enable Integrated Windows Authentication" in your browser. You will fail the SPnego login module and will be sent to the logon screen where you can log in as whomever you want.
10-17-2007 7:21 PM
Hi Glenn,
thanks for the message, I have found the UME parameters in the meantime. The requirement is to provide admin staff the possibility to log in with alternate user ids to the system. Honestly, I do not find disabling Windows integrated authentication in the IE options really attractive.
How can I set up a logon page which is not using the SPNego login module?
Kind regards and many thanks,
Richard
10-17-2007 8:14 PM
Here's a bit of a hack for you... Put a redirect file like this:
padmin.html -
<html>
<head>
<title>Loading Enterprise Portal...</title>
<script type="text/javascript">
// send the browser to the form-based logon servlet, then back into the portal
window.location.href = '/logon/logonServlet?redirectURL=%2Firj%2Fportal';
</script>
</head>
<body>
</body>
</html>
in the root directory, (D:\usr\sap\<SID>\<SERVER>\j2ee\cluster\server0\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root)
Make sure sap.com/com.sap.engine.docs.examples_default is not protected by a SPnego login module. Also make sure that sap.com/com.sap.security.core.adminlogon component does not have SPnego in its security stack.
Now when you go to http://server:port/padmin.html you will be taken to a logon screen. If you authenticate, you go into the portal.
12-06-2007 9:55 AM
Hi Glenn,
"Make sure sap.com/com.sap.engine.docs.examples_default is not protected by a SPnego login module. Also make sure that sap.com/com.sap.security.core.adminlogon component does not have SPnego in its security stack."
I do not understand your instructions properly, how can I ensure that the SPNego doesn't come into play when it is activated on the full host http://server:port?
Kind regards and many thanks,
Richard