SPNEGO authentication

Hi,
I have a dual stack installation (ABAP+J2EE) with an ABAP UME. I wish to implement LDAP authentication and understand that the configuration cannot be changed due to a limitation imposed when the UME is ABAP. SPNEGO (Kerberos) authentication is not ideal in our case (although it can be done), but I require the users to be prompted for username and password a second time when opening a portal session once they have been authenticated via the LAN, due to the security policy for ESS.
Is it possible to invoke a second challenge once authenticated via the LAN in a Kerberos (SPNEGO) setup in the above scenario?
Thanks

>
Hamish Raza wrote:
> Hi,
>
> I have a dual stack installation (ABAP+J2EE) with an ABAP UME. I wish to implement LDAP authentication and understand that the configuration cannot be changed due to a limitation imposed when the UME is ABAP. SPNEGO (Kerberos) authentication is not ideal in our case (although it can be done), but I require the users to be prompted for username and password a second time when opening a portal session once they have been authenticated via the LAN, due to the security policy for ESS.
The SAP-supplied SPNEGO login module, which implements the Negotiate protocol, causes the user to be logged into the portal using the Kerberos credentials on the workstation, which were issued when they logged onto the workstation with an AD domain account. Instead, it sounds like you actually need Kerberos authentication, so that the user can enter an Active Directory account name and password into the browser when they log on to the portal, and this account name and password is checked with Active Directory before the user is given an SSO2 ticket and subsequently logged in? If this is correct, I don't think SAP supports this, but I know for a fact that at least one SAP partner product provides this exact functionality.
Also, the same product mentioned above will give SPNEGO support when ABAP UME is used, and does not require LDAP UME.
>
> Is it possible to invoke a second challenge once authenticated via the LAN in a Kerberos (SPNEGO) setup in the above scenario?
See my above answer.
>
> Thanks

Similar Messages

  • SPNEGO vs NTLM issue

    Hi,
    I'm trying to configure SSO for my web application using IIS as webserver
    and the IIS-Weblogic proxy plugin provided by bea. I use Weblogic 8.1 SP4.
    I followed the procedure described in the dev2dev documentation and now I am
    stuck with a ntlm vs spnego issue.
    Here is what I get from a full security debug in my Weblogic log:
    <2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
    <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
    <2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <Found NTLM token
    when expecting SPNEGO>
    <2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
    <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
    My IIS plugin log shows that everything seems to be OK: the client first
    receives a 401 response and then sends a [WWW-Authenticate] Negotiate
    header, including a Kerberos token in base64. The only problem is that it
    seems that this token is NTLM instead of SPNEGO:
    Thu Jun 09 13:50:07 2005 WLS info in sendRequest: myweblogicserver.com
    recycled? 0
    Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
    Unauthorized xxx
    Thu Jun 09 13:50:07 2005 Hdrs from client:[Authorization]=[Negotiate
    TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
    Thu Jun 09 13:50:07 2005 Hdrs to WLS:[Authorization]=[Negotiate
    TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
    Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
    Unauthorized xxx
    as a result of all this, I get a basic authentication prompt when I try to
    access my web application.
    any help would be greatly appreciated.
    Thanks!
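The WebLogic debug line above, "Found NTLM token when expecting SPNEGO", is the server inspecting the first bytes of the token carried in the Authorization: Negotiate header: every NTLM message starts with the ASCII signature NTLMSSP followed by a NUL byte, while a SPNEGO or plain Kerberos token is a DER-encoded GSS-API InitialContextToken (tag 0x60) whose first element is the mechanism OID. The token captured in the plug-in log begins with TlRMTVNTUAAB, which is exactly that NTLM signature in base64, so the browser never obtained a Kerberos service ticket and fell back to NTLM inside the Negotiate wrapper (the usual causes are a missing SPN for the URL's host name, or the loopback case the poster identifies in the follow-up). The Python script below is an added example, not code from the post or from WebLogic: it performs that classification, decodes the NTLM Type 1 fields from the token in the log, and builds a constructed SPNEGO NegTokenInit to exercise the other branch. The OID constants are the standard GSS-API mechanism identifiers; the function names and the sample SPNEGO token are illustrative.

```python
import base64
import struct

# Well-known GSS-API mechanism OIDs as DER content bytes (without the 0x06 tag and length)
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # first 8 bytes of every NTLM message
NTLMSSP_NEGOTIATE_VERSION = 0x02000000                # flag: the 8-byte Version field is present

def oid_to_str(oid):
    """Decode DER OID content bytes to dotted notation."""
    arcs = [oid[0] // 40, oid[0] % 40]
    value = 0
    for b in oid[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

MECH_NAMES = {oid_to_str(KRB5_OID): "KRB5", oid_to_str(MS_KRB5_OID): "MS-KRB5",
              oid_to_str(NTLMSSP_OID): "NTLMSSP"}

def _der_len(buf, i):
    """Return (length, offset of first content byte) for the DER length starting at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed SPNEGO sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _ntlm_field(raw, off):
    """NTLM 'fields' structure: Len(2), MaxLen(2), BufferOffset(4), all little-endian."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, off)
    return raw[offset:offset + length].decode("latin-1")   # Type 1 strings are OEM, not UTF-16

def _parse_ntlm(raw):
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"mech": "NTLM", "message_type": msg_type}
    if msg_type == 1:                                        # NEGOTIATE_MESSAGE
        flags = struct.unpack_from("<I", raw, 12)[0]
        info["flags"] = flags
        info["domain"] = _ntlm_field(raw, 16)
        info["workstation"] = _ntlm_field(raw, 24)
        if flags & NTLMSSP_NEGOTIATE_VERSION:                # Version: major(1) minor(1) build(2)
            info["os_version"] = struct.unpack_from("<BBH", raw, 32)
    return info

def _spnego_mech_types(raw, i):
    """Walk NegTokenInit ([0] SEQUENCE { [0] mechTypes SEQUENCE OF OID ... }), list the OIDs."""
    oids = []
    for expected in (0xA0, 0x30, 0xA0):
        if raw[i] != expected:
            return oids
        _, i = _der_len(raw, i + 1)
    if raw[i] != 0x30:
        return oids
    seq_len, i = _der_len(raw, i + 1)
    end = i + seq_len
    while i < end and raw[i] == 0x06:
        n, j = _der_len(raw, i + 1)
        oids.append(oid_to_str(raw[j:j + n]))
        i = j + n
    return oids

def classify_negotiate_token(header_value):
    """Classify the token in 'Authorization: Negotiate <base64>' as a SPNEGO-only acceptor must."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: %r" % scheme)
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):       # raw NTLM carried inside the Negotiate scheme
        return _parse_ntlm(raw)
    if raw[:1] == b"\x60":                       # GSS-API InitialContextToken
        _, i = _der_len(raw, 1)
        if raw[i] == 0x06:
            oid_len, j = _der_len(raw, i + 1)
            oid = raw[j:j + oid_len]
            if oid == SPNEGO_OID:
                mechs = _spnego_mech_types(raw, j + oid_len)
                return {"mech": "SPNEGO", "mech_types": mechs,
                        "mech_names": [MECH_NAMES.get(m, m) for m in mechs]}
            if oid in (KRB5_OID, MS_KRB5_OID):
                return {"mech": "KRB5", "oid": oid_to_str(oid)}
    return {"mech": "unknown"}

def build_spnego_neg_token_init(mech_oids):
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_list))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_token_init))

# The Authorization header captured in the IIS plug-in log in the post above.
NTLM_HEADER_FROM_LOG = ("Negotiate "
                        "TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==")
# Constructed sample of what a Kerberos-capable browser would have sent instead.
SPNEGO_HEADER_SAMPLE = "Negotiate " + base64.b64encode(
    build_spnego_neg_token_init([MS_KRB5_OID, KRB5_OID])).decode()

if __name__ == "__main__":
    for hdr in (NTLM_HEADER_FROM_LOG, SPNEGO_HEADER_SAMPLE):
        print(classify_negotiate_token(hdr))
```

Run against the log token this reports an NTLM NEGOTIATE_MESSAGE from workstation SSQNT1656 in domain SSQVIE, sent by a Windows 5.1 build 2600 (XP) client, and reports the constructed token as SPNEGO offering MS-KRB5 then KRB5. An acceptor configured for SPNEGO only should reject the first kind outright rather than fall through to Basic authentication, as happened to the poster: accepting NTLM silently downgrades the deployment from Kerberos to a mechanism without mutual authentication that is exposed to relay attacks.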

    Hi,
    Thanks for your information. I finally managed to solve my NTLM/SPNEGO
    issue. In fact, it seems that I had no problem other than trying to test it
    from the same computer on which my WLS is installed. When I invoke my web
    application from another computer on the network, I don't get this
    NTLM/SPNEGO issue.
    But now I have another problem. First, when I try to access my web
    application, WLS prompts me (in the server window) for the password of the
    SPN account for my server. I thought it was supposed to use the keytab file
    for it, but anyway, this is maybe a part of my problem.
    If I type the correct password, it continues, but I get this chained
    exception:
    >
    GSSException: No valid credentials provided (Mechanism level: Attempt to
    obtain new ACCEPT credentials failed!)
    Caused by: javax.security.auth.login.LoginException: Pre-authentication
    information was invalid (24)
    Caused by: KrbException: Pre-authentication information was invalid (24)
    Caused by: KrbException: Identifier doesn't match expected value (906)
    The root cause seems to be "Identifier doesn't match expected value". I
    really don't know what it means. I am still trying to solve this so any help
    would be appreciated and I will also post any other information I get on the
    subject.
    Thanks
    <regis piccand> wrote in the news message:
    [email protected]..
    Hi,
    I am currently trying to achieve the same configuration, and I noticed
    that this happens when, in the setup of the Single Pass Negotiate
    Identity Asserter, you choose the SPNEGO.AtnAssertion type (which seems to
    be here only for compatibility reasons - see
    http://e-docs.bea.com/wles/docs42/adminguide/providers.html#1150785).
    Removing this type helped in my case. However, I am now stuck with a GSS
    exception No Valid Credentials provided (see my post at
    http://forums.bea.com/bea/thread.jspa?threadID=600004578&tstart=0)
    Hope this helps,
    Kind regards,
    Regis

  • Logoff not working after SPNego Authentication

    Hi Experts,
    Configured SPNego authentication successfully.
    But after clicking the logoff button, I am logged in again.
    As per some advice, I did as follows:
    Example: Portal SSO URL: http://portal.example.com
    Create a URL like http://nonssoportal.example.com (Create the name in the DNS and point it to the IP of your portal server)
    Changed the logoff parameter to point to the new URL. After a restart, clicking logoff went to the new URL, but the SSO ticket is still authenticating.
    I need to get the login page again so that I can log in with the administrator or other test user IDs.
    Please post your suggestions.
    Regards,
    Raja. G

    Hi,
    Created the alias for that server and made the logoff URL http://<alias of the server>:<port>/irj/portal.
    Now I am able to reach the login page; however, it asks for Windows authentication while logging off.
    If we click Cancel then we are able to reach the login page.
    Any idea how to avoid the popup asking for Windows credentials?
    Regards,
    Raja. G

  • SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

    Hi,
    we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
    When we setup the Portal, we used the UME of the ECC - ABAP.
    The portal is used internally only.
    Now we want to provide SSO.
    Users authenticate against Windows Active Directory (Windows 2003).
    We thought SSO via SPNEGO would be the best solution.
    Are there any better alternatives we should use?
    We are following the SAP documentation:
    SAP Library - User Authentication and Single Sign-On (SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On)
    We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
    When we set up the portal from scratch using ABAP as its UME, in the system configuration LDAP can't be selected/added as a data source.
    If we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
    What is not clear to us is whether, when we now activate LDAP via the config tool, we would lose the ABAP connection.
    Is there a tutorial for SSO on NetWeaver 7.0 EP available, like there is for EP 7.3?
    In 7.3 SSO is pretty simple to get running, thanks to the many tutorials here and on the internet.
    Thanks for your help.
    Best regards
    Carlos Behlau

    Hi,
    I was able to generate the key via the ktab program.
    But when I enable SSO, nothing happens when I try to log on via SSO to the portal.
    I installed the WebDiag tool on the portal server and ran a trace.
    The users are located in the domain company.com of Active Directory.
    The Java AS is located in the domain sap.company.com of Active Directory.
    The sap.company.com domain acts as a child of company.com.
    When I check the WebDiag trace, I see for the SPNegoLoginModule the entry "... no key (etype: 23) for realm sap.company.com available ..."
    I would expect company.com as the realm key, as the keytabs have been generated on the domain controller of company.com.
    Is it possible to get SSO with a child domain running?
    Based on the statement of the network folks, the child and parent domains have a trust.
    Thanks for your help.
    Best regards
    Carlos

  • Could not validate SPNEGO token. java.lang.Exception: Checksum error.

    Hello consultant:
    We are trying to configure SSO using the SPNEGO module.
    We have a Portal 7.0 EHP1 and Microsoft Active Directory version 2003 native.
    We have followed the steps described in SAP Note 1457499 "SPNego add-on".
    When we have logged in with an Active Directory user and try to access the portal, we obtain the following error:
    Authorization check user error
    We have deployed the Web diagtool from SAP Note 1045019 on the J2EE server, run it and performed the
    following steps:
    1. Select "Component" = "security" and "Activity" = "all"
    2. Click the "Go" button, followed by the "Add All" button
    3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
    4. Click the "Go" button, followed by the "Add All" button
    5. Start the tool
    Then we reproduced the problem and stopped the tool. The generated zip file contains the following error:
    15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
    15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
    java.lang.Exception: Checksum error.
    at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
    at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
    at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Could you help us?
    Many thanks for your collaboration

    << Do not post the same question across a number of forums >>

  • SPNEGO Login module Stack issue: Could not validate SPNEGO token

    Hello to all,
    We are deploying a SAP NetWeaver 7.3 Enterprise Portal with the SPNego login module activated.
    We are performing some tests (performance and concurrent accesses).
    During the tests we have found several times the following issue linked to SPNego.
    Could not validate SPNEGO token.
    [EXCEPTION]
    java.lang.NumberFormatException: multiple points
    at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
    at java.lang.Double.parseDouble(Double.java:510)
    at java.text.DigitList.getDouble(DigitList.java:151)
    at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
    at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
    at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
    at java.text.DateFormat.parse(DateFormat.java:335)
    at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
    at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
    at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
    at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
    at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
    at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
    The user linked to this is Guest.
    Could you please advise us how to solve this recurring issue?
    Kind regards
    Julien LEFEVRE

    Hello Cathal,
    Thank you for your answer.
    In fact the new SPNego wizard of the SAP Enterprise Portal 7.3 is used to get the two key files. In fact the SAP JVM 1.6.1 is used.
    And in fact it functions perfectly sometimes, but during the test of massive access (more than 30 concurrent users), this error comes frequently.
    Best regards
    Julien LEFEVRE

  • Help-kerberos works with spnego keytab file but not in netbeans and Metro

    Hi,
    I would appreciate it if someone could shed some light on this problem and guide me on what else I am missing.
    I'm trying to call a .NET-based WCF web service (MS Dynamics CRM - OrganizationSvc) from a Java client. I started looking at the Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke the web service. However, the challenge was using Kerberos-based authentication and the related setup.
    I primarily followed the link below, which was very helpful, but had to dig more to get more specific details.
    http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
    I tried to follow the NetBeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So, I came across SPNEGO and used their examples, made changes accordingly and, after experimenting with various configuration settings (krb5.conf and login.conf), finally I was able to run HelloKDC & HelloKeytab successfully.
    krb5.conf
    [libdefaults]
    default_realm = NA.CONVERGYS.COM
    [realms]
    NA.CONVERGYS.COM = {
    kdc = CDCWW13.na.convergys.com
    admin_server = CDCWW13.na.convergys.com
    }
    [domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM
    login.conf
    spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
    Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
    [1] Service principal: HOST/[email protected]
    KVNO: 7
    With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.
    http://spnego.sourceforge.net/index.html
    http://spnego.sourceforge.net/client_keytab.html
    http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
    However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
    http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
    http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
    1) noticed that the sc:KerberosConfig element in wsit-client.xml does not get updated automatically in the NetBeans IDE, so I manually edited it to put the entries in.
    2) also followed the setup required in the GlassFish domain.xml & login.conf.
    3) also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file, which is nothing but the krb5.conf file referred to elsewhere.
    wsit-client.xml
    <wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
    <wsp:All>
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosClient"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    ERROR
    INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
    WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
    WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
    INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
    INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
    SEVERE: WSITPVD0050: Error while Securing Request Message.
    com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
    at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
    javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
    Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    ... 40 more
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    Edited by: user6748004 on Feb 3, 2011 5:36 PM
    Edited by: user6748004 on Feb 3, 2011 5:38 PM

    Hi Gasha,
    The only change I did after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the GlassFish application to load the configuration related to the keytab etc., and use it to communicate with the WCF service for negotiation.
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosServer"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    login.conf has:
    KerberosServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
        doNotPrompt=false
        storeKey=true
        principal="HOST/ORLDWV705.na.convergys.com"
        debug=true;
    };
    FYI, the keytab was created using the following instructions:
    ktpass -princ HOST/[email protected]
    -mapUser [email protected]
    -mapOp set
    -pass *
    -crypto DES-CBC-MD5
    -pType KRB5_NT_PRINCIPAL
    -out orldwv705.keytab
    Targeting domain controller: CDCWW13.na.convergys.com
    Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
    Key created.
    Output keytab to orldwv705.keytab:
    Keytab version: 0x502
    keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
    Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' and 'http/ORLDWV705.na.convergys.com' using setspn commands in the AD of the server where CRM is installed.
    With these changes, the Negotiate authentication seems to have happened using the Kerberos token from the keytab, but later I ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't get any success.
    This is where I'm stuck now. What I don't know is if there is another setup from which we can try a similar interoperability example, for example WebLogic 10.1 and Eclipse, which is closer to our real environment.
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    java.lang.IllegalArgumentException: Missing argument
    at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
    at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)
    Edited by: user6748004 on Apr 8, 2011 10:39 AM

  • HTTP/SPNEGO for "SSO" on MS Windows

    Hi all of you!
    The scene is simple: I have a piece of software (all in plain Java) and some simple web access to this system (it's not a real web server which would need Apache or some big container, it's just a few accesses to some information in the software).
    The client company is all MS Windows, and it's used to an SSO approach;
    they have an AD server on Win2003, all laptops are on WinXP Pro and have IE at least version 6.
    Now the question is this:
    I have
    - a guy (properly authenticated) who is
    - using IE (properly set up)
    - on a computer (properly attached to AD)
    to access a resource URL of my app.
    It's quite simple to send him an HTTP 401 or 407 so IE goes back to the AD server and gets its token,
    BUT how can I manage in Java to extract the account used by the client
    from the SPNEGO token? This is all I need.
    I can't find any help on this, so please, if someone can help me with this...
    I'm lost... Thanks in advance for a simple hint or a URL pointing me down the right path.

    I forgot:
    OK for the configuration, thanks to some of your posts (thanks all),
    I know all the important steps to be followed.
    For example, I quote danielshrem's last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
    <quote>
    Hey Seema,
    Indeed my server's principal was not the correct one, now everything is cool with rc4 encryption.
    for all u dudes out there in need of Java HTTP kerberos auth here's a few simple configuration procedures:
    1. on the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). the SPN has to be in format HTTP/host@Realm or HTTP/host (this SPN worked for me). if u don't know exactly which SPN u need u can sniff an HTTP session on ethereal, look for Kerberos AP Req-->ticket-->Server Name. from what i gather this is the principal the clients use.
    2. on the DC add a mapping to the newly created SPN (use ktpass.exe)
    3. on the host running the service create a keytab file containing the newly created HTTP principal (use java's ktab.exe)
    4. make sure the SPN is set up OK by running kinit and pass the newly created keytab file and the newly created SPN.
    once u receive an ok result you are good to go (login and authenticate users)
    hope this helps
    Daniel.
    </quote>
    My problem (I know it must sound stupid): how do I extract the login account from this?

  • Please help. Negotiate field in http header - Kerberos, SPNEGO, Base64... ?

    Hello to you all.
    I'm trying to implement a Kerberized SSO solution in a Win2000
    environment. The web servers are Apaches, the clients are IE5.5+.
    But I have encountered the following problem:
    I wrote a servlet in Java on the web server that sends a 401 HTTP error
    + "Negotiate" in the WWW-Authenticate field. Then the client sends me
    back in the same field "Negotiate " and a long string that ends with
    '==' and is somehow encoded...
    That's the problematic point. I saw it's encoded in Base64, but
    decoding it didn't bring me anything. Furthermore, I read that
    it's the SPNEGO protocol. What am I doing with that? Does JDK 1.4 give
    enough to work with that?
    All I know is that in that string is the TGS sent to me... and that's all
    I need to authenticate my client, isn't it?!
    Do you know what I should do with that string? Can you tell me what I
    am missing? Should I decode it with the '==' or without? What does it
    mean anyway?
    I'd really appreciate it if you could help me.
    Thanks very much in advance,
    Danik.

    Close... SPNEGO is a GSSAPI mechanism for negotiating another mechanism. JDK 1.4 comes with a Kerberos mechanism provider out of the box, but not SPNEGO. Even though Microsoft's "Negotiate" auth method ends up negotiating Kerberos, you need to have a SPNEGO provider installed to effectively tell it to use Kerberos.
    The '==' is Base64 padding (the Base64-encoded string will end in '=' or '==' if the input content length is not divisible by 3). You would include it when decoding. The byte array you get from decoding is fed to the acceptSecContext method in org.ietf.jgss.GSSContext -- but you will get an "unknown mechanism" error if you don't have a SPNEGO mechanism provider.
    If you don't have the inclination to write a provider yourself (I know I wouldn't), and you have some cash to spend (I know I don't), you can get a SPNEGO provider from:
    http://www.wedgetail.com/jcsi/sso/FAQ.html
    They actually provide a complete solution for doing exactly what you are attempting.
    If you are just looking to provide single sign-on to a web application for Windows clients, and you don't necessarily need to do it via Kerberos, jCIFS provides a solution for performing NTLM authentication (the precursor to Negotiate, which authenticates against NT/Samba domains). You can get jCIFS from
    http://jcifs.samba.org
    The site is temporarily transitioning to a new ISP, so the latest version (0.7.5) can actually be found at:
    http://users.erols.com/mballen/jcifs
    The client side of NTLM is also supported in JDK 1.4.2, which would allow single sign-on for applets or Java applications.
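    As an added illustration (not code from either question or from this answer), here is the server half of the exchange the answer describes, using the SPNEGO mechanism that the JDK ships since Java 6 (so the provider problem that existed on JDK 1.4 no longer applies): decode the Base64 text after "Negotiate ", feed it to acceptSecContext, and read the client account from getSrcName. It assumes a JAAS entry named HttpService in a login.conf (the name is an assumption) that logs the service in from a keytab containing the HTTP/host principal, with java.security.auth.login.config and java.security.krb5.conf already set.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Server side of one HTTP "Negotiate" round (RFC 4559) using the JDK's built-in SPNEGO mechanism. */
public final class SpnegoAcceptor {

    /** What the servlet should do with the client's Authorization header. */
    public static final class Outcome {
        public final String principal;       // client account as user@REALM once established, else null
        public final String wwwAuthenticate; // value for WWW-Authenticate (with 401, or with 200 on the last leg)
        Outcome(String principal, String wwwAuthenticate) {
            this.principal = principal;
            this.wwwAuthenticate = wwwAuthenticate;
        }
    }

    private static final String SCHEME = "Negotiate ";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    private final Subject serviceSubject;

    /** jaasEntry (assumed "HttpService") must use Krb5LoginModule with useKeyTab=true and storeKey=true. */
    public SpnegoAcceptor(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        serviceSubject = lc.getSubject();
    }

    public Outcome accept(String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith(SCHEME)) {
            // Leg 1: no token yet. A bare "Negotiate" challenge makes IE fetch a service ticket for HTTP/host.
            return new Outcome(null, "Negotiate");
        }
        // The trailing '=' or '==' is Base64 padding; decode the string exactly as received.
        byte[] inToken = Base64.getDecoder().decode(authorizationHeader.substring(SCHEME.length()).trim());

        // acceptSecContext must run as the service Subject so the Kerberos mechanism can find the keytab key.
        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Outcome>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential serverCred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(serverCred);
            try {
                byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
                String reply = outToken == null ? null : SCHEME + Base64.getEncoder().encodeToString(outToken);
                if (ctx.isEstablished()) {
                    // getSrcName() is the authenticated client: the account name the question asks for.
                    return new Outcome(ctx.getSrcName().toString(), reply);
                }
                return new Outcome(null, reply); // context needs another leg: send reply with a 401
            } catch (GSSException e) {
                // Unsupported token (e.g. NTLM sent under "Negotiate") or a bad ticket: challenge again.
                return new Outcome(null, "Negotiate");
            } finally {
                ctx.dispose();
                serverCred.dispose();
            }
        });
    }
}
```

    A servlet calls accept() with request.getHeader("Authorization"), answers 401 with the returned WWW-Authenticate value while principal is null, and otherwise continues as that principal.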

  • SPNego Not Working

    Hello,
    We wanted to have desktop single sign-on using SPNego and we have configured everything as described in the SAP Help document, but we could not achieve single sign-on. Not sure where we are going wrong.
    When we run the Diagtool, we get the errors "Cannot login user" and "Error sending krb5 token".
    I need your inputs, suggestions and corrections on this. Below are the details.
    Landscape information:
    Active Directory – Windows 2003 SP1
    Active Directory Domain – ED.ET.COM
    Portal – EP 7.0 (NW2004s SPS8)
    Portal OS – AIX 5.3
    Database – DB2 UDB
    Portal/J2EE Engine domain – comp.com
    JDK – IBM JDK
    Client / Workstation – Windows XP SP1 (Domain – ED.ET.COM)
    Portal sysid – B01
    Steps
    1. Created the user j2ee-b01 in Active Directory, with the "password never expires" option
    2. Created keytab files using Windows ktpass:
    ktpass -princ host/[email protected] -pass password -out g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    ktpass -princ HTTP/[email protected] -pass password -out g023us08.keytab -in g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    3. setspn -A HTTP/g023us08.comp.com j2ee-b01
    4. Placed g023us08.keytab and krb5.conf under /usr/sap/B01/certfiles.
    5. Java parameters were added in the configtool.
    6. Resolution mode = simple, and in the UME added the attribute "krb5principalname" with physical attribute "userprincipalname".
    7. Configured login to use the SPNego Login Module.
    8. The maintained parameters for SPNegoLoginModule are:
    com.sap.spnego.jgss.name = [email protected]
    com.sap.spnego.uid.resolution.mode = simple
    com.sap.spnego.uid.resolution.attr = krb5principalname
    Krb5.conf contents:
    [domain_realm]
    .comp.com = ED.ET.COM
    [libdefaults]
       default_keytab_name = /usr/sap/B01/certfiles/g023us08.keytab
       default_realm = ED.ET.COM
       dns_lookup_kdc = true
       default_tgs_enctypes=des-cbc-md5;des-cbc-crc
       default_tkt_enctypes=des-cbc-md5;des-cbc-crc
    [realms]
       ED.ET.COM = {
          admin_server = g1432dc01.ed.et.com
          kdc = g1432dc01.ed.et.com
       }
    [appdefaults]
    pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
    }
    Thanks in advance.
    Regards,
    Praveen

    Hi Praveen,
    I did a compare of your configuration with mine.
    My ktpass commands are the same as yours, but I did not use the mapuser option in the first one. There is no dash in front of it either.
    Ex :
    ktpass -princ host/[email protected] -pass password -out c:\keytab_p1d +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    ktpass -princ HTTP/[email protected] -pass password -out c:\keytab_p1d -in c:\keytab_p1d mapUser kerb_p1d +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    In my Krb5.conf, I put the ip of the admin_server and kdc
    instead of pc name, but it should be valid.
    To verify that your datasource changes are good, check in the portal useradmin if the new attribute krb5principalname shows up in the "customized information" tab.
    You got an error at
    com.sap.spnego.jgss.name
    It should be :
    com.sap.spnego.jgss.name  =  HTTP/[email protected]
    Also, you did not give your other login modules config, like krb5loginmodule and mappingmodule.
    Please note that all the config is case sensitive.
    Brad

  • Direct links to the KM don't work under Kerberos (SPNego)

    Hello,
    We are running NW04 SP16 and successfully implemented Kerberos
    authentication using the SPNego module.
    The problem we are facing is this: If we put a URL to a certain KM file
    at the browser, like this:
    http://<host>:50000/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/....
    The user is being prompted for User name and password and even after
    entering the correct ones it doesn't work. If the same user is opening
    this link from inside the portal (from an iView for example) the link
    is working. When we used NTLM this option used to work.
    I have implemented SAP Note 993579 yet it didn't solve the problem.
    I also tried changing the Authentication Schema property of the com.sap.km.document template iView to "default" yet this as well didn't help.
    Any suggestions?
    Regards,
    Roy

    Hey Detlev,
    Yes, I am referring to the same object.
    The thing is that Brad says that the changing of the authentication schema needs to be done together with the note. I first tried the note and in order to track changes I reverted the note and tried the authentication schema change separately. I didn't try to implement both of them together. I will try it and let you know...
    Regards,
    Roy

  • SPNego not working for EP UME DB

    Hi,
    We have tried to implement SPNego in EP 7.0 EHP2 SP9. We followed all the steps described in the document attached to SAP Note 1488409.
    But the user is still prompted with the logon screen.
    Below are the hardware details (all are in the same domain):
    Active Directory: Windows 2008 Enterprise Server R2
    Portal Server: Windows 2008 Server Standard
    Client: Windows Vista Ultimate SP2
    Below are the steps I performed to configure it:
    KDC Configuration:
    Windows Domain: windomain.corp
    FQDN Portal:  ephost.windomain.corp
    SID Portal: p11
    - Create a service user j2ee-p11-ephost with password never expired
    - Disable Data Encryption Standard (DES) support for this account
    - Register SPN as below
    setspn -a HTTP/ephost.windomain.corp j2ee-p11-ephost
    UME Configuration :
    Mapping Mode: Principal only
    mapped to: logon ID
    Configure Encryption Key:
    - Using JDK 1.6 we generated the keytab file:
    ktab -a j2ee-p11-ephost@windomain.corp -k keytab
    -Finally we add the generated keytab in Created Realm
    -Enable the Realm
    Adjust The Authentication Stack:
    - In visual Administrator ServerXX -> Services -> Security Provider Service -> ticket
    We add SPNegoLoginModule with OPTIONAL flag
    -> Restart the Portal server.
    Please help me.
    Thanks & Regards,
    Kaushal

    Hi,
    I think there was a problem with the SPNego module configuration in the Visual Admin tool.
    (Visual admin -> SID -> ServerXX -> Services -> Security provider  -> ticket)
    Below is how my login modules look like
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule : SUFFICIENT : ume.configuration.active = true
    SPNegoLoginModule : OPTIONAL : No options defined!
    BasicPasswordLoginModule : REQUISITE
    com.sap.security.core.server.jaas.CreateTicketLoginModule : OPTIONAL : ume.configuration.active = true
    Am I forgetting something to put in the options for SPNegoLoginModule?
    Thanks & Regards,
    Kaushal

  • SPNEGO in portal with abap data source + mapping on login & alias id

    Hello
    I successfully set up the new SPNEGO authentication (with AD) on our EP7 portal.
    The SPNEGO module is configured with mapping mode "principal only" with source "login id".
    SSO is working perfectly for all users with the same SAP login as the AD login (they can use the portal to connect to all SAP ECC6 servers through iViews without login & password).
    But for users whose login name differs between AD and SAP, this doesn't work. They have to enter their SAP login & password on the portal. So SPNEGO is not working for them.
    Such users have different login names between AD and SAP because the ABAP system limits user length to 12 characters. So I could not change the ABAP username.
    And I could not change their AD login name (too much impact).
    Example:
    p.nametoolong = 13 characters on AD but too long for ABAP
    p.name = 6 characters, OK for ABAP but different from the AD login name.
    So if I cannot change the login id I have to work on user mapping.
    The Portal UME uses our ABAP CUA as data source, so I could not set up user mapping inside the "user management".
    A solution could be that the SPNEGO mapping uses the "alias id" as source and not the "login id".
    So I have to set all the "alias id"s. I can do a script for copying all "login id"s to "alias id"s in SU01 and then edit the "alias id" of users with a different AD login (by the way, do you know a transaction for that?).
    But this is a little dirty... is there a simpler way to do that?
    It would be perfect if I could do mapping on user id, or on alias id if it is set, so that I would only have to manage the alias id of users with a different AD name... is that possible?
    thank you  !
    cdlt
    GSV
    Edited by: Patrick FABRIES on Oct 4, 2011 12:08 PM
    Edited by: Patrick FABRIES on Oct 4, 2011 12:11 PM

    Hi Patrick,
    Even if you perform this operation, the situation will worsen overtime.
    By the way, if you still want to do it, this is pretty simple: call 'BAPI_USER_CHANGE' with the username and pass:
    ALIAS = <new alias>
    ALIASX = 'X'
    Isn't there another attribute that you could use as a pivot: e-mail, maybe?
    Best regards,
    Guillaume

  • How to deactivate SPNego after running the SPNego Wizard in NW2004s

    Hello,
    We have a NW2004s platform with usage types AS Java and DI. SPNego is configured using the SPNego Wizard and is working absolutely fine. The problem is that we would like to use Basic authentication side by side as well. In NW2004, when SPNego is manually configured (without the wizard), the URL for SPNego needs to be configured so that you get SPNego at all. If you call the normal URL, for example http://portal:50000/irj for the Portal, you get Basic Authentication. But as soon as SPNego is configured through the Wizard, the mentioned URL is automatically configured to SPNego! During configuration with the SPNego Wizard, UIDPW or Basic is set as a fallback authentication... but fallback means fallback, i.e., when SPNego does not function. What about when the two schemes are required to work simultaneously?
    I did change the Ticket in the Security Keystore in the Visual Admin and set it to "basic" again (for the configuration by the Wizard, it was set to spnego); it does return a login screen, but you cannot get access with any of the users, not even with Administrator/j2ee_admin.
    I did deactivate the service user as well, but in vain.
    Has anyone experience with this? Should we make changes in the priorities in authschemes.xml? Would it not break the working SPNego in any way?
    I look forward to any helpful hints.
    Thanks,
    Rahila Zahir

    Later I found the solution. I just had to switch back to Basic in the Login Modules in Visual Admin -> Security Provider Service. I was confusing it earlier with NW2004.
    Cheers,
    Rahila Zahir
    Edited by: Rahila Zahir on Jan 5, 2008 1:15 AM

  • SSO (SPNego) configured, but anonymous user's page doesn't work

    Hello,
    I configured Single Sign-On between Portal and Windows using SPNego (working OK), but when we try to connect to Portal using the anonymous user I can't do it (my PC user is automatically logged on). Any idea how to filter the anonymous user?
    Kind regards

    Hi,
    What you need to do is create an alias of the server on the DNS.
    Example:
    http://portal.client.com:50000 is the normal portal access with SPNEGO. You have set the SPN to this server (setspn) to use SPNEGO
    On the DNS you need to create another alias to the same server but you don't map it to the SPN user.
    http://portalNOSPNEGO.client.com:50000
    As it is not mapped to use kerberos... it won't use the SSO.
    If you want to access anonymous user or with any other user on your domain you will access the new portal URL http://portalNOSPNEGO.client.com:50000
    There is a problem accessing this with IE 6.0: a Windows popup authentication window might appear. In order to get rid of this, you have to change the Internet Explorer security level.
    Option a) Include the portalNOSPNEGO site in the Trusted Sites. In the security level of the Trusted Sites select "Anonymous Logon". Include the portal.client.com site in the Intranet Sites; the security level of these sites should be "Automatic logon only in Intranet zone".
    Option b) Upgrade to IE 7.0
    For the external users that have nothing to do with your domain:
    Option a) the security level for the Internet sites should be "Anonymous Logon", or
    Option b) Uncheck "Enable Integrated Windows Authentication"
    Option c) Upgrade to IE 7.0
