NTLM token found in authorization header during SPNego authentication

Former Member
0 Kudos

Hi,

I am facing the "NTLM token found in authorization header during SPNego authentication" error for some of the users. Can anyone help to solve this?

errors:

NTLM token found in authorization header during SPNego authentication.

14:11:39:472 Warning Guest ~n_Thread[impl:3]_43 ~on.loginmodule.spnego.SPNegoLoginModule Authentication failed. Error during handshake. Check the trace file for details.

14:11:39:473 Warning Guest ~n_Thread[impl:3]_43 ~on.loginmodule.spnego.SPNegoLoginModule Error during handshake.

[EXCEPTION]

com.sap.security.core.server.jaas.spnego.SPNegoProtocolException: NTLM token received in authorization header.

at com.sap.security.core.server.jaas.SPNegoLoginModule.checkAuthorizationHeaderToken(SPNegoLoginModule.java:410)

at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:686)

at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)

at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)

at java.security.AccessController.doPrivileged(AccessController.java:231)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:177)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)

at java.lang.reflect.Method.invoke(Method.java:391)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)

at java.security.AccessController.doPrivileged(AccessController.java:231)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)

at javax.security.auth.login.LoginContext.login(LoginContext.java:557)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:145)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)

at java.security.AccessController.doPrivileged(AccessController.java:231)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)

at com.sap.portal.navigation.Gateway.service(Gateway.java:126)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(AccessController.java:207)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

14:11:39:474 Debug Guest ~n_Thread[impl:3]_43 ~on.loginmodule.spnego.SPNegoLoginModule set Satus Code On Fail = 401

14:11:39:474 Debug Guest ~n_Thread[impl:3]_43 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack spnego does not authenticate the caller.

14:11:39:474 Path Guest ~n_Thread[impl:3]_43 ~.ticket.CreateTicketLoginModule.login() Entering method

14:11:39:475 Info Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.

14:11:39:475 Path Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false

14:11:39:475 Debug Guest ~n_Thread[impl:3]_43 ~on.loginmodule.BasicPasswordLoginModule No user name provided.

14:11:39:475 Path Guest ~n_Thread[impl:3]_43 ~.ticket.CreateTicketLoginModule.login() Entering method

14:11:39:475 Info Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.

14:11:39:475 Path Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false

14:11:39:476 Path Guest ~n_Thread[impl:3]_43 ~engine.services.security.authentication Exception : Cannot authenticate the user


tim_alsop
Active Contributor
0 Kudos

Krishnam,

SPNEGO = Simple and Protected GSSAPI Negotiation Mechanism.

In short, this means that when you use SPNEGO, a negotiation of security mechanism takes place. The implementation of SPNEGO in Microsoft Web browsers negotiates between Kerberos and NTLM mechanisms. This means that if both browser and Web server support Kerberos, this will be used, but if for some reason Kerberos is not possible the browser will try NTLM. You therefore might be getting NTLM tokens sent to the SAP server because the browser is unable to authenticate using Kerberos. The SAP SPNEGO login module only supports Kerberos tokens, not NTLM.

Common reasons why browser cannot support Kerberos are:

1. A request for a service ticket is sent to Active Directory DC, and ticket was not issued for some reason - checking traces or event logs will show this. You can also use kerbtray tool on workstation to check if the ticket was issued.

2. There might be a clock skew issue between workstation time and time on DC

3. You might be using a browser that does not support Kerberos

4. The wrong URL is entered in the browser, so the browser is unable to construct the name of the service principal to request from the DC

I hope this helps.

Tim
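To see which of the two cases described above a failing user's browser is in, the token after "Negotiate" in the Authorization header can be decoded and classified. The following is an added example, not part of the original post and not SAP's code; the function names and the two sample header values are constructed for illustration.

```python
import base64

MECHS = {  # DER-encoded OIDs (tag 0x06, length, value) of the GSS-API mechanisms
    bytes.fromhex("06062b0601050502"): "SPNEGO",
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",
    bytes.fromhex("06092a864882f712010202"): "Kerberos 5 (legacy Microsoft OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(header_value):
    """Name the token type carried in an HTTP Authorization header value."""
    try:  # the token is the base64 text after the scheme name
        token = base64.b64decode(header_value.strip().partition(" ")[2], validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw NTLM token"  # the case the exception in this thread reports
        if token[0] != 0x60:
            return "unrecognised token"
        _, pos, _ = read_tlv(token, 0)  # GSS-API InitialContextToken
        _, _, oid_end = read_tlv(token, pos)  # mechanism OID
        outer = MECHS.get(token[pos:oid_end], "unknown mechanism")
        if outer != "SPNEGO":
            return "GSS-API token: " + outer
        pos = oid_end  # NegTokenInit: [0] > SEQUENCE > [0] mechTypes > SEQUENCE OF OID
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, end = read_tlv(token, pos)
            if tag != expected:
                return "SPNEGO token, mechTypes not parsed"
        offered = []
        while pos < end:
            _, _, nxt = read_tlv(token, pos)
            offered.append(MECHS.get(token[pos:nxt], "unknown"))
            pos = nxt
        return "SPNEGO offering: " + ", ".join(offered)
    except (ValueError, IndexError):
        return "malformed token"

# Constructed sample header values (not captured traffic).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()
```

A header that classifies as a raw NTLM token means the workstation did not obtain a Kerberos service ticket, which points back to the causes listed above.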

Former Member
0 Kudos

Hi,

In my case, I am getting errors for only some users. How do I use the kerbtray tool on the workstation to check whether the ticket was issued or not? Do you have any documentation?

Thanks in advance,

Krishna

Former Member
0 Kudos

Hello Krishnam raju,

Please use the following link to get information on how to use the Kerbtray tool.

http://support.microsoft.com/kb/232179/en-us

or

http://www.ualberta.ca/CNS/auth/ADS-kerbtray.htm#kerbtray_using

Hope it is helpful

Regards,

Satish.

Former Member
0 Kudos

Hi again,

Please use the following link to Troubleshooting Kerberos Errors

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Regards,

Satish

0 Kudos

Hello All,

I am also getting the error message when I tried to configure Windows integrated SSO with EP6, Web AS Java 7.0 SP13. I used the diagtool to check the error and below is the message. I have created the service user for Active Directory (AD) with DES encryption.

Can anybody please help me with this.

******************************************************

NTLM token found in authorization header during SPNego authentication.

09:51:23:898 Warning J2EE_GUEST ~on_Thread[impl:3]_0 ~on.loginmodule.spnego.SPNegoLoginModule Authentication failed. Error during handshake. Check the trace file for details.

09:51:23:899 Warning J2EE_GUEST ~on_Thread[impl:3]_0 ~on.loginmodule.spnego.SPNegoLoginModule Error during handshake.

[EXCEPTION]

com.sap.security.core.server.jaas.spnego.SPNegoProtocolException: NTLM token received in authorization header.

at com.sap.security.core.server.jaas.SPNegoLoginModule.checkAuthorizationHeaderToken(SPNegoLoginModule.java:410)

at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:686)

at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)

at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:177)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:145)

-


getLoggedInUser

[EXCEPTION]

com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:177)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:145)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)

at java.security.AccessController.doPrivileged(Native Method)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)

at com.sap.portal.navigation.Gateway.service(Gateway.java:126)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)

... 41 more

************************************************************

The answers will definitely be rewarded.

Thanks,

Pradeep

0 Kudos

Pradeep,

Firstly, it is always better to open a new thread in SDN instead of borrowing another one which is similar.

Anyway, your browser is clearly not able to get a Kerberos ticket so it is using an NTLM token instead, but the SAP SPNEGO login module does not support the NTLM protocol. The most common reason for this is due to DES being used for the service principal, or the browser does not have the correct information to ask Active Directory for the service ticket from the domain.

You should also refer to my answers given above.

Thanks,

Tim

0 Kudos

> The answers will definitely be rewarded.

And how exactly are you going to do that considering that this is not your question?

0 Kudos

Thanks Tim, I have posted a new thread for this issue. "Authentication failed. Error during handshake: SPNEGO AUthentication fails". Kindly provide me some inputs as to how to debug this issue or any other tools I can deploy and run to pinpoint the issue.

I apologise, I am not so familiar with posting in SDN. Just picking up. :)

0 Kudos

> Thanks Tim, I have posted a new thread for this issue. "Authentication failed. Error during handshake: SPNEGO AUthentication fails". Kindly provide me some inputs as to how to debug this issue or any other tools I can deploy and run to pinpoint the issue.

I have not seen this thread yet. Did you post it in the security forum, or somewhere else on SDN?