Application Development Discussions
Using windows account logon for SSO

Former Member
0 Kudos

Hi All !

I'm implementing an SSO solution and the scenario is as follows:

I'm in a Windows 2003 domain with a BW 3.5 server; additionally I installed a Java Add-In to implement SPNego authentication. The solution works fine, but the problem is that the user needs to provide a user ID and password. When the user provides the user ID and password, SPNego resolves the account and creates a logon ticket, which is passed to BW very well.

I'm wondering if it is possible to eliminate the login question.

How can I get the logged-on user in Windows?

I'm working with J2EE 6.40 SP21

Thanks in advance.

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Gerardo,

If you have implemented the SPNEGO login module, the browser is configured with "Integrated Windows Authentication" enabled, and you have logged onto a domain account before opening the browser to access the SAP application, then you should not see any prompt for user or password. Instead you should be logged on using the Kerberos credentials already available at the workstation, which were issued when the user logged onto the domain.

Since your post suggests otherwise, I suggest you check your SPNEGO configuration to be sure you have completed all of the steps correctly, and that Integrated Windows Authentication is enabled in the browser.

Thanks,

Tim

5 REPLIES


Former Member
0 Kudos

Thanks Tim for your reply,

I had a look at the configuration and everything is fine; the test connection in the Config Tool is successful. But when I use the diagtool it gives me the error:

GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type

Error during handshake (has already been reported). Authentication failed.

I think it could be the UserPrincipalName of the account; I'm checking the account in Active Directory now.

tim_alsop
Active Contributor
0 Kudos

Hi,

Normally, an account in MS AD on the Windows Server 2003 version of Active Directory supports RC4 encryption keys, but it can also support DES if required (although that is not preferred). If you use Active Directory on Windows Server 2008 then you can also use AES encryption keys.

The SAP SPNEGO login module uses the Java implementation of Kerberos, which only supports DES (in JDK 1.4.x). If you want to support RC4 or AES with SPNEGO then you need to use a third-party product called TrustBroker Adapter, from CyberSafe, instead of the SAP SPNEGO login module.

Since you are getting "KDC has no support for encryption type", this suggests that the encryption types used by the Java Kerberos library are not supported by the account in AD that you are using to authenticate with.

I hope this helps.

Thanks,

Tim

0 Kudos

Hi,

Isn't it possible to define the encryption type in the krb.conf file on the J2EE Engine?

e.g.

default_tgs_enctypes=des-cbc-md5;des-cbc-crc

default_tkt_enctypes=des-cbc-md5;des-cbc-crc

Maybe this could help?

Cheers
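
The two replies above (Tim's explanation of which key types a 2003-era AD account holds versus what the Java Kerberos library requests, and the suggestion to pin default_tkt_enctypes/default_tgs_enctypes in krb.conf) describe a mismatch that can be checked before the diagtool fails. The following Python script is an added example, not code from the thread or from SAP: it parses the enctype lines out of a krb5.conf fragment, derives the enctypes an account can serve from its userAccountControl flags (USE_DES_KEY_ONLY, 0x200000) or, on newer domains, from its msDS-SupportedEncryptionTypes bitmask, and reports whether the two sets overlap. The account model is a simplification (assumption: no attribute set means RC4 only, the DES flag means DES only), the DES fallback when krb5.conf names no enctypes is an assumption about the JDK 1.4 default, and the krb5.conf text and account values are constructed for the example.

```python
"""Added example (not from the thread): predict the "KDC has no support for
encryption type" failure by intersecting the enctypes a Java Kerberos client
will request with the enctypes an AD service account can actually serve."""

import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes
# (present from Windows Server 2008 AD; a Windows 2003 domain does not have it).
ENCTYPE_BITS = {
    "des-cbc-crc": 0x1,
    "des-cbc-md5": 0x2,
    "rc4-hmac": 0x4,
    "aes128-cts-hmac-sha1-96": 0x8,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# userAccountControl flag "Use DES encryption types for this account".
USE_DES_KEY_ONLY = 0x200000

# krb5.conf keys that control what the Java client asks the KDC for.
KRB5_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

# Constructed krb5.conf fragment, DES-only as suggested in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    default_tgs_enctypes = des-cbc-md5;des-cbc-crc
    default_tkt_enctypes = des-cbc-md5;des-cbc-crc
"""

# Constructed userAccountControl values: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
# with and without the DES flag.
NORMAL_ACCOUNT_UAC = 0x10200
DES_ACCOUNT_UAC = 0x10200 | USE_DES_KEY_ONLY


def parse_krb5_enctypes(conf_text):
    """Read the enctype lists from the [libdefaults] section of a krb5.conf.

    Values may be separated by whitespace, commas or semicolons (the thread
    uses ';'). Returns a dict: key -> list of lowercased enctype names.
    """
    result = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in KRB5_KEYS:
            result[key] = [e.lower() for e in re.split(r"[\s,;]+", value) if e]
    return result


def account_enctypes(user_account_control, msds_supported_enctypes=0):
    """Enctypes for which the AD account holds keys (simplified model, an
    assumption of this example): if msDS-SupportedEncryptionTypes is set its
    bits decide; otherwise the default is RC4, or DES only when the
    USE_DES_KEY_ONLY flag is set in userAccountControl."""
    if msds_supported_enctypes:
        return {name for name, bit in ENCTYPE_BITS.items()
                if msds_supported_enctypes & bit}
    if user_account_control & USE_DES_KEY_ONLY:
        return {"des-cbc-crc", "des-cbc-md5"}
    return {"rc4-hmac"}


def diagnose(conf_text, user_account_control, msds_supported_enctypes=0):
    """Return (usable_enctypes, verdict) for a client config and an account."""
    conf = parse_krb5_enctypes(conf_text)
    requested = set()
    for key in KRB5_KEYS:
        requested.update(conf.get(key, []))
    if not requested:
        # Assumption: a JDK 1.4-era client with no enctypes configured asks for DES.
        requested = {"des-cbc-crc", "des-cbc-md5"}
    offered = account_enctypes(user_account_control, msds_supported_enctypes)
    usable = requested & offered
    if usable:
        return usable, "ok: KDC can issue a ticket with " + ", ".join(sorted(usable))
    return usable, ("fail: client requests %s but account offers %s "
                    "-> KDC has no support for encryption type"
                    % (", ".join(sorted(requested)), ", ".join(sorted(offered))))


if __name__ == "__main__":
    for label, uac in (("RC4-only account", NORMAL_ACCOUNT_UAC),
                       ("DES-enabled account", DES_ACCOUNT_UAC)):
        print(label + ": " + diagnose(SAMPLE_KRB5_CONF, uac)[1])
```

Run against the constructed values, the RC4-only account yields an empty intersection (the error from the diagtool), and the same krb5.conf succeeds once the account carries the DES flag; passing a msDS-SupportedEncryptionTypes value instead models a Windows Server 2008 domain.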

Former Member
0 Kudos

Done!

The problem was in the service principal name. I found 3 different blogs with different commands to set an SPN, but only one works.