Hi ,

Thanks for your response, but I have done manual configuration accrding to the SAP documentation instead of the wizard. I had also gone through the link , but is it the problem with the keytab file itself?Is there any way of verifying the same? I had already run the klist command and it showed two entries which should be proper.

Could someone clarify if the key type and KV no have anything do with this?

Rgrds

Hi,

this is probably to a typo. Can you check all the places where you used it (configtool, visual admin, ...)

Regards,

Holger.

Hi Holger,

The value for principal for com.sun.security.auth.module.Krb5LoginModule is of the form-

HTTP/portal.domain.com@DOMAIN.COM when i followed the note suggested by you.Hope that is proper.

I cant make out any typo too.

Rgrds

Hi,

but you have to enter the principal also in the SPNego login module.

Did you check your settings there?

Regards,

Holger.

Holger,

The entry for SPNego login module is also the same as previous .Hope order of attributes in the module is irrelevant to the issue.

Is there any way to verify the keytab file.

When i run klist command, it gives 2 entries with details for kvno and keytype as follows

1) KVNO:1. keytype :3

2)KVNO:3.keytype:3

Also could it be a problem with the service user.

Thanks for your help on this.

Rgrds

Hi,

can you run a

klist -kfetK keytab

and check the results? With my keytab I got only one entry back and the value of the service principal was correct (also uppercase).

Regards,

Holger.

Holger,

I had checked with the command as suggested , but even that gives 2 entries as I had got earlier, one for host and http.

Both service principals also are fine here.

Would i need to check the service user too?

I was checking the SPNego Login module in user management->security stores and found it had no entries at all.

But there are entires for SPNego Login module in the policy configuration , Will this suffice or should there be entries in the security stores too.?

Thanks again.

Rgds

Hi,

the keytab file you created depends on the service user. So if you whatever SPNs you have defined for this user will also appear in the keytab file.

How did you configure SPNego. Did you follow the guide [here|http://help.sap.com/saphelp_nw70/helpdata/en/43/49a22dfd975f89e10000000a1553f6/frameset.htm]. Then you should have some settings for the SPNego module (please take a look [here|http://help.sap.com/saphelp_nw70/helpdata/en/43/4bf48061215f6be10000000a1553f6/frameset.htm]).

I really would recommend to use the Wizard if possible.

Regards,

Holger.

Hi Holger,

This is from the trace,

+com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####84c3b210c97011dca9d60002a54ea95e#SAPEngine_Application_Thread[impl:3]_4##0#0#Error##Java###Acquiring credentials for realm <REALM Name> failed

#GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

+ at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:+

+

The problem seems to be in SPNegoLogin module.

Is it ok if I delete the module and and again add a new one with the attributes and add that to to the policy configuration.

I had earlier followed the link which you had sent itself.

The very same configuration worked for us in a different server.That is why I am confused about this one

thanks for being patient about this

Rgds

Hi,

yes, you can simply delete the login module and add it again.

But why are you not using the SPNego Wizard. This makes this configuration much more easier.

You could also check the service user again. Recreate the user and create a new keytab file.

Regards,

Holger.

Hi,

When running the ktpass command for host and HTTP we specify the j2ee server name. Is this also case sensitive?

because we normally access the portal using url as <portalname:port no> ,but now the computer name (j2ee server name which is the portalname in the url) seems to be a mixture of both lower and upper case, Which I could make out now.

Could this be a problem, Sorry if this sounds confusing..

I frankly cant think of anything else.

Rgds

Holger,

Sorry, I was not able to retreive the whole log from the server, but managed to get the spnego error in the log.

Hope this would provide some clue

com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####4887a8f0c9c611dca0c10002a54ea95e#SAPEngine_Application_Thread[impl:3]_22##0#0#Error##Java###Acquiring credentials for realm DOMAIN.DOM failed

[EXCEPTION]

#1#GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

+ at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:82)+

+ at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)+

+ at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)+

+ at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)+

+ at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)+

+ at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)+

+ at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)+

+ at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)+

+ at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)+

I will try to get the log in the meantime,

Thank you

Rgds