Application Development Discussions
SPNego - Windows integrated Single-Sign On not working - How to debug?

Former Member
0 Kudos

Dear board,

I've tried to configure SPNego - Windows Integrated SSO with no success yet. We do use SAP EP7 on Windows Server 2003 64bit with MS AD 2003. The following is done:

- Service Account is created, authentication works when done on purpose

- SPNego wizard completed successfully, WebAS Java restarted

- IE6: Windows integrated Logon is activated, IE shows Intranet when accessing the portal URL (I can't modify the IE Security Settings yet, but as we do use KERBEROS outside of SAP as well, my assumption was that the settings are fine)

- UIDs in Windows, EP and ECC are equal

When I access the portal URL, I am prompted for user id and password. How can I trace methodically what is wrong? Some kind of checklist with links, URLs or SAP Notes would be great. I've also read references to a test application as well as some diag / trace tool.

Please post thoroughly as I am rather new to this topic and still missing important terms and knowledge.

Kind regards and thanks in advance,

Richard

1 ACCEPTED SOLUTION

former_member273222
Participant
0 Kudos

Here are a few links that may help...

Note 968191

Note 986060

Note 982044

Here's info on, and the location of, the diagnostic tool:

Note 958107

Here are a couple of step by step blogs:

/people/wai-hon.lam/blog/2006/04/20/windows-integrated-authentication-via-kerberos-on-an-ldap-data-source

/people/vaibhav.dua2/blog/2006/04/24/kerberos-implementation-with-ads-made-easy

Here are some relevant entries in the SAP Library:

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/471720173f5f86e10000000a1553f6/content.htm

http://help.sap.com/saphelp_nw70/helpdata/en/43/4e80824d155f86e10000000a1553f6/frameset.htm

http://help.sap.com/saphelp_nw70/helpdata/en/43/49a2aefd975f89e10000000a1553f6/content.htm

http://help.sap.com/saphelp_nw04s/helpdata/en/43/4e80824d155f86e10000000a1553f6/content.htm

I hope some of this helps. Kerberos can be a real pain.

9 REPLIES

Former Member
0 Kudos

Hi there,

now my central trace file contains errors, please see below:

Login Module Flag Initialize Login Commit Abort Details

1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#

#1.5 #001A4BAF485A0064000000810000134000043C0C5737FC3E#1191923607711#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####7be002f1764d11dc884f001a4baf485a#SAPEngine_Application_Thread[impl:3]_4##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed

[EXCEPTION]

#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)

How can I solve this?

Kind regards and many thanks,

Richard

Former Member
0 Kudos

Hi Glenn,

thanks for that, although I've found this information in the meantime as well. The problem still persists.

I have found hits pointing in the direction Internet Explorer settings for that kind of error. Nevertheless the IE settings appear to be as required.

What would the error message look like when the SPN (Service Principal Name) registration was not performed?

Any ideas?

Kind regards and many thanks,

Richard
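
One way to see what the browser is actually sending, as an added example that is not part of this thread or of SAP's own tooling: the script below decodes the base64 token in an Authorization: Negotiate header (taken from a proxy or HTTP trace) and reports whether it is a Kerberos token or an NTLM fallback. When IE cannot obtain a service ticket for the portal host (for example because no SPN is registered for it, or the site is not in the intranet zone), it typically falls back to NTLM; the SAP SPNegoLoginModule only accepts Kerberos, so the user ends up at the logon prompt. The sample tokens are constructed here to the RFC 4178 NegTokenInit shape, not captured from a browser, and the function names are my own.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                       # mechanism OIDs sent by Windows clients
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KERBEROS_MECHS = {"KRB5", "MS-KRB5"}


def _read_tlv(buf):
    """Split the first DER TLV off buf: returns (tag, content, rest)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]


def _decode_oid(content):
    """Decode DER OID content bytes to dotted notation."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _spnego_mech_list(neg_token):
    """mechTypes of a NegTokenInit: [0] SEQUENCE { [0] SEQUENCE OF OID, ... }."""
    tag, init, _ = _read_tlv(neg_token)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = _read_tlv(init)
    tag, mech_types, _ = _read_tlv(seq)
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oids, _ = _read_tlv(mech_types)
    names = []
    while oids:
        tag, content, oids = _read_tlv(oids)
        if tag == 0x06:
            names.append(MECH_NAMES.get(_decode_oid(content), _decode_oid(content)))
    return names


def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value.

    Returns 'not-negotiate', 'empty', 'unknown', 'ntlm-raw', 'kerberos-raw' or
    'spnego:<mech,...>' with the client's preferred mechanism first.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    if not token.strip():
        return "empty"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        if raw.startswith(b"NTLMSSP\x00"):    # bare NTLM type-1 message, no SPNEGO wrapper
            return "ntlm-raw"
        tag, body, _ = _read_tlv(raw)         # GSS-API InitialContextToken is [APPLICATION 0] = 0x60
        if tag != 0x60:
            return "unknown"
        tag, oid, inner = _read_tlv(body)
        if tag != 0x06:
            return "unknown"
        oid_str = _decode_oid(oid)
        if MECH_NAMES.get(oid_str) in KERBEROS_MECHS:
            return "kerberos-raw"             # AP-REQ wrapped directly, no SPNEGO
        if oid_str != SPNEGO_OID:
            return "unknown"
        return "spnego:" + ",".join(_spnego_mech_list(inner))
    except (ValueError, IndexError):          # bad base64 or truncated DER
        return "unknown"


def is_kerberos(header_value):
    """True when the browser offered Kerberos first; False means a Kerberos-only SPNego module rejects it."""
    kind = classify_negotiate(header_value)
    if kind == "kerberos-raw":
        return True
    return kind.startswith("spnego:") and kind[len("spnego:"):].split(",")[0] in KERBEROS_MECHS


# --- constructed sample tokens (not captured from a real browser) ---
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])   # samples stay below 256 bytes
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def build_spnego_init(mech_oids, mech_token):
    """InitialContextToken { SPNEGO OID, NegTokenInit { mechTypes, mechToken } } per RFC 4178."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_oid(o) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_types + token)))


def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()


SAMPLE_KERBEROS = _header(build_spnego_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"\x60\x00"))
SAMPLE_NTLM_IN_SPNEGO = _header(build_spnego_init(
    ["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20))
SAMPLE_NTLM_RAW = _header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20)
SAMPLE_KERBEROS_RAW = _header(_tlv(0x60, _oid("1.2.840.113554.1.2.2") + b"\x6e\x00"))
```

Paste the real header value from your trace into classify_negotiate(); a result whose first mechanism is NTLMSSP, or ntlm-raw, means the client never got a Kerberos ticket for the portal's SPN and the problem is on the client/AD side, not in the portal's login stack.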

Former Member
0 Kudos

Dear board,

After the service principal name registration was done (once again, maybe), the error message in the SPNego wizard disappeared when I retrieve the principal in step 2; the test resolution works as before in step 3 of the wizard.

At the moment, the error message in the central log file is still unchanged: Acquiring credentials for realm xxx.xxx.org failed, no valid credentials provided.

#

#1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: com.sun.security.jgss.accept

Login Module Flag Initialize Login Commit Abort Details

1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#

#1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed

[EXCEPTION]

#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

Any ideas? I haven't used the diag tool yet, is there any other reasonable way how to debug the setup?

Kind regards and many thanks,

Richard
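
To give the "how can I trace this methodically" question something runnable, here is an added example that is not part of this thread or of SAP's tooling: it parses central-log records of the shape quoted above, summarises each with timestamp, severity, user, message, exception and innermost stack frame, and derives two findings from them: the Krb5LoginModule row showing "exception" in its Login column, and the GSSException text "Attempt to obtain new ACCEPT credentials failed", which means the server side could not obtain its own (acceptor) credentials, so no browser token was evaluated at all. The sample input is the two records from this thread, trimmed to a few stack frames; the header field positions (timestamp, location, application, user, thread) are inferred from those lines and are an assumption, as are the function names.

```python
import datetime

SEVERITIES = {"Fatal", "Error", "Warning", "Info", "Path", "Debug"}
_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)

# Sample input: the two central-log records quoted in this thread, trimmed. The header
# field positions used in parse_record() are inferred from these lines, not from a spec.
SAMPLE_LOG = """\
#1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
"""


def split_records(text):
    """Group lines into records; each record starts at a line beginning with '#1.5 #'."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("#1.5 #"):
            current = [line]
            records.append(current)
        elif current is not None:
            current.append(line)
    return records


def parse_record(lines):
    """Parse one record: header fields (split on '#'), then detail, exception and stack lines."""
    fields = lines[0].split("#")
    rec = {
        "time": (_EPOCH + datetime.timedelta(milliseconds=int(fields[3]))).isoformat(),
        "location": fields[4],
        "application": fields[5],
        "user": fields[7],
        "thread": fields[13],
        # the severity column shifts with the number of category fields, so search for it
        "severity": next((f for f in fields[13:] if f in SEVERITIES), "?"),
        "message": fields[-1],
        "exception": None,
        "frames": [],
        "login_modules": [],
    }
    in_exception = False
    for line in lines[1:]:
        if line == "[EXCEPTION]":
            in_exception = True
        elif in_exception and rec["exception"] is None and line.startswith("#"):
            rec["exception"] = line.split("#", 2)[2]          # '#<argc>#<text>'
        elif line.startswith("at "):
            rec["frames"].append(line[3:])
        elif line[:1].isdigit() and "LoginModule" in line:
            # login-stack table row: '<n>. <module> <flag> <initialize> <login> <commit> <abort> <details>'
            parts = line.rstrip("#").split()
            rec["login_modules"].append(
                {"module": parts[1], "flag": parts[2], "initialize": parts[3], "login": parts[4]})
    return rec


def triage(text):
    """Parse all records and derive findings about the SPNego/Kerberos login stack."""
    records = [parse_record(r) for r in split_records(text)]
    findings = []
    for rec in records:
        if rec["exception"] and "ACCEPT credentials" in rec["exception"]:
            findings.append(
                "acceptor credentials missing: the server could not load its own service key, "
                "so the failure is server-side and happens before any browser token is checked")
        for lm in rec["login_modules"]:
            if lm["login"] == "exception":
                findings.append(
                    f"{lm['module'].rsplit('.', 1)[-1]} login() threw (flag {lm['flag']}): "
                    "check its principal, password/keytab and KDC/realm options")
    return records, findings


def main():
    records, findings = triage(SAMPLE_LOG)
    for rec in records:
        print(f"{rec['time']} {rec['severity']:7} {rec['location'].rsplit('.', 1)[-1]} "
              f"user={rec['user']} msg={rec['message']}")
        if rec["exception"]:
            print("   exception:", rec["exception"])
            print("   innermost frame:", rec["frames"][0] if rec["frames"] else "?")
    for f in findings:
        print("FINDING:", f)


if __name__ == "__main__":
    main()
```

Run it against the real defaultTrace/central log instead of SAMPLE_LOG; the point of the findings is ordering: as long as the acceptor-credential finding appears, nothing on the browser or AD side can be blamed yet, because the portal has not even looked at a client token.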

Former Member
0 Kudos

Dear board,

the issue is solved. It was caused by an error in the Sun JDK versions used (1.4.2_14/15/16). Downgrading to version 1.4.2_13 solved it; SSO is now working fine.

I've got another question now. Once I click on the Logout button in my portal, I am continuously logged in again. How can I prevent this easily?

What is the easiest way to set up another portal login page for Administrators for example?

Kind regards and many thanks,

Richard

former_member273222
Participant
0 Kudos

These properties allow you to change the logout redirect:

ume.logoff.redirect.url=http://server.com/logoutpage.html

ume.logoff.redirect.silent=true

If you point to a page that is not protected by a logon module stack with SPnego the users will not automatically log back in.

However, automatically logging in is what kerberos is all about, and normally "logging out" would be accomplished by logging out of the system that holds the kerberos ticket, (i.e. the user's workstation.)

As for having different versions of logon pages, I don't really understand what you're looking for: what is the point? What makes them different? How would one page behave differently than another? If it's just that you can't pass a kerberos ticket for the Administrator user, just disable "Enable Integrated Windows Authentication" in your browser. You will fail the SPnego login module and will be sent to the logon screen where you can log in as whomever you want.

Former Member
0 Kudos

Hi Glenn,

thanks for the message; I have found the UME parameters in the meantime. The requirement is to give admin staff the possibility to log in to the system with alternate user IDs. Honestly, I do not find disabling Windows integrated authentication in the IE options really attractive.

How can I set up a logon page which is not using the SPNego login module?

Kind regards and many thanks,

Richard

former_member273222
Participant
0 Kudos

Here's a bit of a hack for you... Put a redirect file like this:

padmin.html -

<html>
<head>
<title>Loading Enterprise Portal...</title>
<script language="JavaScript">
// send the browser to the portal logon servlet; after a successful logon it returns to /irj/portal
window.location.href = '/logon/logonServlet?redirectURL=%2Firj%2Fportal';
</script>
</head>
<body>
</body>
</html>

in the root directory (D:\usr\sap\<SID>\<SERVER>\j2ee\cluster\server0\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root).

Make sure sap.com/com.sap.engine.docs.examples_default is not protected by a SPnego login module. Also make sure that sap.com/com.sap.security.core.adminlogon component does not have SPnego in its security stack.

Now when you go to http://server:port/padmin.html you will be taken to a logon screen. If you authenticate, you go into the portal.

0 Kudos

Hi Glenn,

"Make sure sap.com/com.sap.engine.docs.examples_default is not protected by a SPnego login module. Also make sure that sap.com/com.sap.security.core.adminlogon component does not have SPnego in its security stack."

I do not understand your instructions properly, how can I ensure that the SPNego doesn't come into play when it is activated on the full host http://server:port?

Kind regards and many thanks,

Richard