SPNEGO Configuration Wizard - Step 3 not working - Single Sign On not work.

Former Member

Hi Experts,

We are trying to set up SSO between AD and the Portal. I made the following configuration.

On Active Directory (AD)

- Created a Service User with password that never expires.

- selected the option "Use DES encryption types for this account"

- Executed the command: setspn -A HTTP/servername username on the server name and on the DNS alias name.

On the configtool:

- I imported the dataSourceConfiguration_ads_readonly_db_with_krb5.XML file

- On the server name: <AD server host>

- Server Port: 389

- User: <service user created on AD>

- Password: <Password of service user created on AD>

- Checked the option "Use UME unique id with unique LDAP attribute" and gave the service user created on AD as the parameter.

- User path and Group Path were selected based on the AD info.

I tested the connection and the authentication, which were successful.

So I accessed Instance --> Server --> Services --> com.sap.security.core.ume.service, added the value krb5principalname;kpnprefix;dn to the ume.admin.addattrs key and set it.

EP

- Opened EP 7 SP15 and called the SPNEGO Wizard; on the first step I just checked the Prerequisites.

- 2nd Step I provided Kerberos Realm: <domain name>

- KDC Host: <LDAP server>

- KDC Port: 88

- Service User Name: <service user name created on AD>

- Service User Password: <Password of service user name created on AD>

- LDAP Host: <LDAP server name>

- LDAP Port: 389

and clicked on Next.

On the 3rd step I selected the Resolution mode = prefixed base.

KPN Prefix: kpnprefix

kpnprefix: dn

and provided my user on AD to test, but I got the error message: UME cannot resolve Kerberos principal name XXXX@XXXX.XXX.XX; check selected resolution mode.

Any idea about what can be missing or wrong?

Thanks

Armando

Edited by: Armando Martines Neto on Aug 8, 2008 11:40 AM

Accepted Solutions (1)

Former Member

Hi Armando,

I think you need to bounce J2EE after you changed the user name for LDAP and change or set the password. Try to bounce J2EE and then start the SPNego wizard again.

Hope this helps.

Regards,

Rick

Former Member

Hi Rick, thanks for your response!

I did what you suggested but nothing happened! My guess is that something is missing on the AD configuration.

I made some tests and replaced the "Use UME unique id with unique LDAP attribute" value with samaccountname on configtool. After that, nobody was able to log on to the Portal (tried using the LDAP password and the UME password), but the service user j2ee that was created on the AD was able to authenticate using the LDAP password. (This user wasn't created on the UME... is it necessary?)

We made other tests changing the User Path and Group Path values on configtool: when we selected the ADS main node, we were able to authenticate with any user, but if we select the node where the users and the groups really are inside the AD, the following message displays when authenticating: authentication failed : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]

Does anybody have any idea? Help is appreciated and will be rewarded!

Armando
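The "error code 49 ... data 525" text in the post above carries an Active Directory sub-code that states why the bind failed; 525 is "user not found", which fits the observation that authentication only works when the search base is the domain root (the user DN exists there but not under the narrower node). As an added example, not from this thread or from SAP, here is a small Python decoder for such messages. The sub-code table is Microsoft's documented set of AcceptSecurityContext data values; the sample messages are constructed, the first being the one quoted in the post.

```python
import re

# Sub-codes AD returns in "data NNN" of an LDAP error 49 (invalidCredentials)
# bind response. These are Microsoft's documented AcceptSecurityContext values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Rough grouping used to steer troubleshooting: a lookup failure points at the
# directory configuration (search base, user path), a credential failure at the
# password, the rest at the state of the account itself.
LOOKUP_CODES = {"525"}
CREDENTIAL_CODES = {"52e", "532", "773"}

_LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+)"                 # generic LDAP result code
    r"(?: - (?P<hresult>[0-9A-Fa-f]{8}))?"            # Windows HRESULT, e.g. 80090308
    r".*?AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)


def classify(data):
    """Map an AD sub-code to a troubleshooting category."""
    if data in LOOKUP_CODES:
        return "lookup"
    if data in CREDENTIAL_CODES:
        return "credentials"
    if data in AD_BIND_SUBCODES:
        return "account-state"
    return "unknown"


def decode_ldap_bind_error(message):
    """Return a dict describing an AD bind failure, or None if the text is not one."""
    m = _LDAP_ERR.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "code": int(m.group("code")),
        "hresult": m.group("hresult"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        "category": classify(data),
    }


def triage(messages):
    """Decode each message; returns a list of (data, category, meaning) tuples."""
    out = []
    for msg in messages:
        d = decode_ldap_bind_error(msg)
        if d is not None:
            out.append((d["data"], d["category"], d["meaning"]))
    return out


# Constructed samples: the message quoted in the post above, plus a wrong-password
# variant for contrast.
SAMPLE_MESSAGES = [
    "authentication failed : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
    "comment: AcceptSecurityContext error, data 525, vece]",
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 52e, vece]",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row)
```

Running the block prints one tuple per message; a "lookup" category on the first one says the bind DN could not be found under the configured base, so the user/group path is the thing to re-check before touching passwords or account flags.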

Former Member

Hi,

First make sure the SPN is set correctly and you are able to access it. I don't remember the tool to verify it; there is a tool for this from SAP, check the SPNego config wizard note.

Thanks!

Former Member

Hi Armando,

I was looking at your steps again and where you have setspn -A HTTP/servername username, did you put the FQDN for servername? In other words, I think it has to be setspn -a HTTP/servername.company.com username.

Give this a try and let me know.

Regards,

Rick

Former Member

Hi Armando,

I forgot to mention this; see note 1045019 and download the diagtool. It can be very helpful to pinpoint where the problem is.

Regards,

Rick

Former Member

Hi Rick,

I executed the SPN command again using the syntax you mentioned, but the same problem is still happening, so I took a look at the note and deployed the diagtool on my portal. But I'm having problems authenticating on it, just as I'm having problems authenticating on the Portal. I mean, it seems that the portal is not recognizing any user database (UME or LDAP). I'll try to upload the XML again and make some tests. I'll keep you posted.

thanks

Armando

Former Member

Hi Experts,

An update: I was not able to authenticate on the portal even after setting up everything again, so I went to check the settings on AD once more. In the note mentioned before there are some videos showing how to set up AD. One of the commands recommended to execute was ldifde -r (samaccountname=<serviceuser>) -f out.ldf and after that open the log with the command notepad out.ldf. When I took a look at the log I figured out that the User Principal Name has the value HTTP/servername@domain.xxx.xxx, and as shown on the video it should contain <serviceuser>@domain.xxx.xx.

Does anybody know how to set the User Principal Name to the correct value?

Thanks

Armando

Edited by: Armando Martines Neto on Aug 13, 2008 3:02 PM
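The ldifde export described in the post above is the quickest way to see the service account as AD actually stores it, and the two attributes that matter for SPNEGO are userPrincipalName (should be the service user, not an SPN-shaped value) and servicePrincipalName (should carry the HTTP/FQDN form Rick mentioned). As an added example, not from this thread or from SAP, here is a Python LDIF parser with a checker for exactly those points. The sample LDIF is constructed to reproduce the wrong UPN the post reports; the account name sapj2ee, the domain names and the DN are made up, and the userAccountControl bit values are the documented AD flag constants.

```python
import base64

# Constructed ldifde-style export of a service account. The UPN deliberately
# carries the SPN value, which is the defect described in the post above.
# The DN line is folded to exercise LDIF continuation handling, and the
# description is base64-encoded ("::") to exercise that path too.
SAMPLE_LDIF = """\
dn: CN=sapj2ee,OU=Service Accounts,
 DC=domain,DC=xxx,DC=xxx
changetype: add
objectClass: user
sAMAccountName: sapj2ee
description:: U1BORUdPIHNlcnZpY2UgdXNlcg==
userPrincipalName: HTTP/servername@domain.xxx.xxx
servicePrincipalName: HTTP/servername
servicePrincipalName: HTTP/servername.domain.xxx.xxx
userAccountControl: 2163200
"""

# Documented userAccountControl bits, low to high.
UAC_FLAGS = [
    (0x2, "ACCOUNTDISABLE"),
    (0x200, "NORMAL_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWD"),
    (0x200000, "USE_DES_KEY_ONLY"),
]


def parse_ldif(text):
    """Parse LDIF into a list of entries: {lower-cased attribute: [values]}.
    Handles folded continuation lines, '::' base64 values and '#' comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def describe_uac(value):
    """Names of the UAC flags set in an integer userAccountControl value."""
    return [name for bit, name in UAC_FLAGS if value & bit]


def check_service_account(entry, upn_suffix, service_fqdn):
    """Return a list of findings for a Kerberos service account (empty = looks right)."""
    findings = []
    sam = entry.get("samaccountname", [""])[0]
    upn = entry.get("userprincipalname", [""])[0]
    spns = [s.lower() for s in entry.get("serviceprincipalname", [])]
    uac = int(entry.get("useraccountcontrol", ["0"])[0])

    user_part, _, suffix = upn.partition("@")
    if user_part.lower() != sam.lower() or suffix.lower() != upn_suffix.lower():
        findings.append(f"userPrincipalName is {upn!r}; expected {sam}@{upn_suffix} "
                        "(an SPN-shaped UPN is not the service user's logon name)")
    if f"http/{service_fqdn.lower()}" not in spns:
        findings.append(f"servicePrincipalName lacks HTTP/{service_fqdn} "
                        "(browsers request a ticket for the FQDN form)")
    if uac & 0x2:
        findings.append("account is disabled (ACCOUNTDISABLE set)")
    return findings


if __name__ == "__main__":
    acct = parse_ldif(SAMPLE_LDIF)[0]
    print("flags:", describe_uac(int(acct["useraccountcontrol"][0])))
    for f in check_service_account(acct, "domain.xxx.xxx", "servername.domain.xxx.xxx"):
        print("finding:", f)
```

The flag list also surfaces USE_DES_KEY_ONLY, which the original poster set on purpose; DES has long been deprecated for Kerberos, so on a current domain the equivalent check would expect AES encryption types instead.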

Former Member

Another update.

I changed the User Principal Name and it seems that everything is correct now, but I'm still not able to authenticate on the Portal with the configuration previously done.

Below is my Default Trace Log; does anybody have any idea?

#
#1.5 #001D096A64040086000000190000445A0004545BAC7E1E51#1218652619546#com.sap.engine.services.security.authentication.logonapplication#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logonapplication.doLogon#Guest#0##n/a##d06e1980696611ddb2d7001d096a6404#SAPEngine_Application_Thread[impl:3]_33##0#0#Error##Java###doLogon failed
[EXCEPTION]
#1#com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:946)
    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.uidPasswordLogon(SAPMLogonLogic.java:578)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:158)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:207)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)

============

Visual Admin Log

============

#1.5 #C0000A0A010F0000000000006690669000045458C5B6F640#1218640157799#/System/Server/VisualAdministrationTool##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-4,5,main]##0#0#Error#1#/System/Server/VisualAdministrationTool#Plain###Error while trying to login to 10.10.1.15: Cannot authenticate the user.#
#1.5 #C0000A0A010F0001000000006690669000045458C66DA7C8#1218640169773#/System/Server/VisualAdministrationTool##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-15,6,main]##0#0#Error#1#/System/Server/VisualAdministrationTool#Plain###Error while trying to login to 10.10.1.15: Cannot authenticate the user.#
#1.5 #C0000A0A010F0002000000006690669000045458C73879A8#1218640183065#/System/Server/VisualAdministrationTool##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-26,6,main]##0#0#Error#1#/System/Server/VisualAdministrationTool#Plain###Error while trying to login to 10.10.1.15: Cannot authenticate the user.#
#1.5 #C0000A0A010F0003000000006690669000045458C89083E0#1218640205612#/System/Server/VisualAdministrationTool##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-37,6,main]##0#0#Error#1#/System/Server/VisualAdministrationTool#Plain###Error while trying to login to servername.companyname.com.br: Cannot authenticate the user.#
#1.5 #C0000A0A010F0004000000006690669000045458C9384D00#1218640216608#/System/Server/VisualAdministrationTool##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-48,6,main]##0#0#Error#1#/System/Server/VisualAdministrationTool#Plain###Error while trying to login to servername.companyname.com.br: Cannot authenticate the user.#

===========

Default Tracer

===========

-
predecessor system -
com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
    at java.security.AccessController.doPrivileged(AccessController.java:231)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.java:72)
    at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextHelperImplp4_Skel.java:64)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:319)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:200)
    at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:136)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:207)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Authentication did not succeed.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    at java.security.AccessController.doPrivileged(AccessController.java:231)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.java:72)
    at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextHelperImplp4_Skel.java:64)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:319)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:200)
    at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:136)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:207)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)

-
predecessor system -
com.sap.engine.services.security.exceptions.BaseLoginException: Authentication did not succeed.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    at java.security.AccessController.doPrivileged(AccessController.java:231)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.java:72)
    at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextHelperImplp4_Skel.java:64)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:319)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:200)
    at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:136)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:207)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)

Answers (2)

Former Member

Hi Andreas,

Thanks for your reply...the problem was solved and I forgot to close this thread.

The problem that I was facing happened because I was using the same ID on the Portal and AD. So when the portal tried to check my username on step 3 of the SPNego wizard it was saying that the logon ID was not unique.

My workaround was to use the Administrator ID to set up the SPNego wizard, so it worked fine.

Former Member

hello,

the error message is "Cannot authenticate the user"; it is with the service user -> did you create it on the ADS with the correct password?

Pls note that the domain is case sensitive, e.g. sapj2ee at DOMAIN.US instead of sapj2ee at domain.us; the domain is usually written in uppercase, as well on the UME LDAP Data.

With the spnego wizard zip file comes a pdf file -> did you configure the 3 prerequisites as outlined (before running the spnego wizard)?

thx, kr, andreas
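Armando's closing note (the same logon ID existing in both the portal's own user store and in AD made the ID non-unique) and Andreas's point about the realm being case-sensitive both concern the step where the UME maps a Kerberos principal name to exactly one UME user, which is what the wizard's step 3 test exercises. As an added example, not SAP's code and not from this thread, here is a simplified Python model of that "prefixed base" resolution: the KPN is split at the last "@", the realm must match the configured realm exactly, and the prefix must match exactly one user across all data sources. The attribute name krb5principalname, the user records and the realm are constructed for the example; the real UME's mapping rules are more involved than this.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resolution:
    status: str                  # ok | malformed | realm-mismatch | not-found | not-unique
    user: Optional[dict] = None  # the single resolved user when status == "ok"
    detail: str = ""


def parse_kpn(kpn):
    """Split 'prefix@REALM' at the last '@'; returns None if the shape is wrong."""
    prefix, sep, realm = kpn.rpartition("@")
    if not sep or not prefix or not realm:
        return None
    return prefix, realm


def resolve_prefixed_base(kpn, configured_realm, users, prefix_attr="krb5principalname"):
    """Simplified 'prefixed base' resolution (assumption, not the UME's own logic):
    the realm part must equal the configured realm byte-for-byte (Kerberos realms
    are case-sensitive), and the prefix must match exactly one user's attribute."""
    parsed = parse_kpn(kpn)
    if parsed is None:
        return Resolution("malformed", detail=f"{kpn!r} is not of the form prefix@REALM")
    prefix, realm = parsed
    if realm != configured_realm:
        return Resolution("realm-mismatch",
                          detail=f"realm {realm!r} != configured {configured_realm!r}")
    # Account names in AD are not case-sensitive, so the prefix is compared case-folded.
    matches = [u for u in users if u.get(prefix_attr, "").lower() == prefix.lower()]
    if not matches:
        return Resolution("not-found", detail=f"no user has {prefix_attr}={prefix!r}")
    if len(matches) > 1:
        sources = ", ".join(u["source"] for u in matches)
        return Resolution("not-unique", detail=f"{prefix!r} exists in: {sources}")
    return Resolution("ok", user=matches[0])


# Constructed directory standing in for the UME's combined view of its local
# database users and the AD users. "armando" exists in both, as in the thread.
USERS = [
    {"source": "UME-DB", "logonid": "armando",       "krb5principalname": "armando"},
    {"source": "AD",     "logonid": "armando",       "krb5principalname": "armando"},
    {"source": "AD",     "logonid": "administrator", "krb5principalname": "administrator"},
]
REALM = "DOMAIN.XXX.XX"   # constructed; realms are conventionally written in uppercase


if __name__ == "__main__":
    for kpn in ("armando@DOMAIN.XXX.XX", "administrator@DOMAIN.XXX.XX",
                "administrator@domain.xxx.xx", "nobody@DOMAIN.XXX.XX", "garbage"):
        r = resolve_prefixed_base(kpn, REALM, USERS)
        print(f"{kpn:32} -> {r.status:15} {r.detail}")
```

The duplicate "armando" is exactly the situation the thread ended on: the lookup itself succeeds, but two candidates make the result ambiguous, so the mapping is refused rather than guessed. Testing with an account that exists in only one store (the Administrator ID in Armando's case) sidesteps the ambiguity; removing or renaming the duplicate resolves it properly.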