Configuring SPNego in EP7
Hi,
I am using the SPNego wizard to configure SSO. On step 3 of 4, the resolution mode is set to none. I test the user and get "Service user <username>@domain.com not found" error message.
According to the troubleshooting section, the problem could be one of the below 3 items.
Service user not under the configured User Path in UME
The mapping attribute does not exist in UME data source
The UME attribute is mapped to wrong physical attribute
Can someone elaborate on how to confirm the above 3 items?
Your help is greatly appreciated and points are always awarded.
Regards,
Rick
Hi Rick,
Usually, modifying the Ticket stack should not prevent you from accessing the visual admin.
If you cannot log in then you have probably modified the policy configuration [SAP-J2EE-Engine]. In order to restore the login configuration for the visual admin, start the config tool. Then switch to the edit mode / configuration editor -> go to security -> authentication and check the entries there.
You should see two more "folders":
DBMS User Store
UME User Store.
If you extend these folders you will see one folder "0" and the entry size=1.
In the folder 0 you have the entries
classname="com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule" and the entry
flag="SUFFICIENT".
If this is not the case correct it accordingly.
After a reboot you should be able to connect to the visual admin again.
If this is not possible (because you cannot enter the entries or because you have other problems) please drop me an email and we can try to solve it "offline".
Regards,
Holger.
Similar Messages
-
Configure SPNego on Portal using ABAP ume
Hi there,
I need help configuring SPNego (single sign on) on the SAP Portal 7.0 using an ABAP system as the portal's ume. Has anyone done this before? Is it possible?
Your help is much appreciated.
kind regards,
Clinton
Hi,
Check the below link for SPNego configuration.
http://help.sap.com/saphelp_nw70/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm
Thanks
R.Murali
-
Configure SPNEGO [keytab]
Hi,
While configuring the SPNEGO [Add new realm by principal], getting the below error
"Error during generation of encryption key with type AES256-CTS-HMAC-SHA1-96: Illegal key size. Check the crypto policy file in use and also SAP Note 1240081"
we are on NW 7.4.
Please advise.
Regards,
Sam
Dear Sam,
In which folder did you install the JCE? Is it the "Unlimited" one?
You should install it under the JVM in DIR_EXE_ROOT. Then restart your AS Java.
KR
Valerie
-
SLD configuration for NW04s EP7
Hello,
Is there any step by step procedure to configure SLD for NW04s EP7.
Backend system is ECC6
*Points will be awarded based on answer
Mickey,
I am still facing the problem. Please send me the configuration document to the following e-mail ID
[email protected]
I will give you points once I receive your e-mail
Thanks in advance
-
Configuring ITS for EP7.0 to create Transactional Iviews
Hi Everybody,
This is urgent!!!!!!!!
Do we have to configure Internet Transaction Server for EP 7.0 to create Transactional Iviews?
with regards
Brahmachaitanya
What is your backend version? If it is ECC 5.0 or ECC 6.0 you need to configure integrated ITS. There are some differences in terms of features offered by standalone vs. integrated ITS. Service marketplace will list them very well. (http://service.sap.com/sap-its)
Thanks,
-Bharath
-
Dear Experts,
Does anybody have any documents regarding SLD creation in EP7?
Regards
Thanu
Hi,
Check these links
[https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b00462bb-b7a0-2a10-8da6-f6b89834f8b4]
[https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e0a1a8fb-0527-2a10-f781-8b67eab16582]
[https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50a9952d-15cc-2a10-84a9-fd9184f35366]
-
Configuring portal content EP7 SP9
Hi experts
I have finished the installation of Enterprise 7 SP9 and now want to configure it. I am using SAP Best Practices for portals v1.70. When I try to configure the portal content, the browse tab comes out empty, as I need to create a system that will connect to the portal. Am I using the correct BP or do I need to import an SCA for that?
Your ideas are most welcome.
Hi Tsungy,
Are you using an IP address to access the portal? If so, access the portal with the fully qualified domain name instead of the IP address after making an entry in the host file, i.e.,
http://<hostname>:<portnumber>/irj/portal
Hope this helps,
Regards,
Vinoth.M
Edited by: Vinoth.Murugaiyan on Feb 15, 2008 5:57 PM
-
Configuration guide for EP7 portal with Solman
Hi,
I would like to know the procedure for integrating EP 7 portal with Solution manager. I have found a few docs which point to the service marketplace, but I don't have the marketplace credentials currently. Can someone attach the relevant docs or guide me on the procedure?
regards
Bharat
Closing as there is no reply
-
Hi All,
We have configured SPNego on customer's sand box and DEV as mentioned in the thread
https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/8235,
however when we tried configuring on QA system, we are getting the following error.
UME cannot resolve Kerberos principal name principalname, check selected resolution mode.
We have selected Prefix-Based from drop box
KPN Prefix: krb5principalname
KPN Suffix: dn
Any help will be highly appreciated.
Satish
Hi Satish,
Have a look at SAP Note 994791 - SPNego Wizard, and the attachments to this note.
It should surely help you solve the problem.
Regards,
Anagha
-
SPNEGO Login Module - SSO configuration
Hi All,
Has anyone configured SPNEGO successfully?
Can you share how to do it?
Because even during registration of http/... to the service user I am already facing a problem which prompts me about a wrong command, though the keytab generation has no problem.
Best Regards,
Dedi
Dedi,
Please go to this location for the Kerberos configuration.
http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm
If you are using SP14 then you have to deploy the SPNEGO.sda for the login module. However it comes by default with SP15. So I would suggest you use SP15.
If you find this helpful then do reward points.
James
-
SPNego - Windows integrated Single-Sign On not working - How to debug?
Dear board,
I've tried to configure SPNego - Windows Integrated SSO with no sucess yet. We do use SAP EP7 on Windows Server 2003 64bit with MS AD 2003. The following is done:
- Service Account is created, authentication works when done on purpose
- SPNego wizard completed successfully, WebAs Java restarted
- IE6: Windows integrated Logon is activated, IE shows Intranet when accessing the portal url (I can't modify the IE Security Settings yet, but as we do use KERBEROS outside of SAP as well, my assumption was settings are fine)
- UID in windows, EP and ECC are equal
When I access the portal URL, I am prompted for user id and password. How can I trace methodically what is wrong? Some kind of checklist with links, url or SAP Notes would be great. I've also read references to a test application as well as some diag / trace tool.
Please post thoroughly as I am rather new to this topic and still missing important terms and knowledge.
Kind regards and thanks in advance,
Richard
Dear board,
after the service principal name registration was done (once again maybe) the error message disappeared in the SPNego wizard when I retrieve the Principal in Step 2, the test resolution works as before in step 3 of the wizard.
At the moment, the error message in the central log file is still unchanged. Acquiring credentials for realm xxx.xxx.org failed, no valid credentials provided.
#1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Any ideas? I haven't used the diag tool yet, is there any other reasonable way how to debug the setup?
Kind regards and many thanks,
Richard
-
Dear Experts,
I want to implement SSO at the client's place and I have gone through the note
Note 994791 - SPNego Wizard.pdf and in that they have the following attachments
File Type    File Name                              Language    Size
ZIP          SPNego_DB_datasource_Sun_JDK_1.zip     E           2.008 KB
ZIP          SPNego_DB_datasource_Sun_JDK_2.zip     E           1.538 KB
ZIP          SPNego_ADS_datasource_Sun_JDK_1.zip    E           1.049 KB
ZIP          SPNego_ADS_datasource_Sun_JDK_2.zip    E           1.470 KB
I have Solaris 10 with ECC6 and EP7 SP 9 on the same box and need to configure SPNego on it (dual stack)
Of the above .zip files, which one is for my requirement?
What does the SPNego_DB, SPNego_DB
Following are the setspn command details, and I am stuck with the LDAP user path and groups through Portal--> System Admin
local J2ee-
@(AT)
C:\Documents and Settings\tsadmin3>ldifde -r (samaccountname=J2ee-dev) -f out.ldf
Connecting to "abcbhdc01.bah.ARAB.LOCAL"
Logging in as current user using SSPI
Exporting directory to file out.ldf
Searching for entries...
Writing out entries.
1 entries exported
The command has completed successfully
dn: CN=J2ee-dev,OU=IT Application Services(763),OU=Global Information Technology (760),DC=bah,DC=ARAB,DC=LOCAL
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: J2ee-dev
description: Sab sign on user
givenName: J2ee-dev
distinguishedName:
CN=J2ee-dev,OU=IT Application Services(763),OU=Global Information Technology (
760),DC=bah,DC=ARAB,DC=LOCAL
instanceType: 4
whenCreated: 20090209075309.0Z
whenChanged: 20090211090157.0Z
displayName: J2ee-dev
uSNCreated: 46498115
uSNChanged: 47113114
name: J2ee-dev
objectGUID:: 6AF2hwAcCE60Gb5HcDD0jA==
userAccountControl: 2163200
codePage: 0
countryCode: 0
scriptPath: duser1.bat
pwdLastSet: 128786537344568663
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAADi/cefk/OnBiRqljSjAAAA==
accountExpires: 9223372036854775807
sAMAccountName: J2ee-dev
sAMAccountType: 805306368
userPrincipalName: J2ee-dev AT bah.ARAB.LOCAL
servicePrincipalName: HTTP/ABCBHDC01.bah.ARAB.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ARAB,DC=LOCAL
Can I get what information to update in user path and group path.
As far as Configtool is concerned I am not able to enter any details in UME LDAP data.
Also what other settings required?
in spnego I am getting
Search by service user mapping attribute krb5principalname=J2ee-devATBAH.ARAB.LOCAL failed; check the mapping attribute and the UME configuration
In configtool, I have set the self.addattrs to krb5principalname
Rest what needs to be done?
Please guide..
-
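The three causes listed in the first thread, and the "Search by service user mapping attribute ... failed" message above, can be checked offline against an ldifde export and the data source XML. The following is an added example, not SAP's code or the posters': the LDIF and XML fragments, the `corp.example.com` values and the function names are constructed, and it assumes the lookup compares the mapped physical attribute with the full Kerberos principal name, ignoring case.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ldifde-style export (placeholder names, not the poster's data).
SAMPLE_LDIF = """\
dn: CN=j2ee-svc,OU=Service Accounts,DC=corp,DC=example,DC=com
sAMAccountName: j2ee-svc
userPrincipalName: j2ee-svc@corp.example.com
servicePrincipalName: HTTP/portal.corp.example.com
distinguishedName:
 CN=j2ee-svc,OU=Service Accounts,DC=corp,
 DC=example,DC=com
"""

# Constructed fragment in the shape of a UME dataSourceConfiguration file.
SAMPLE_MAPPING = """\
<dataSource id="CORP_LDAP">
  <attributeMapping><principals>
    <principal type="user"><nameSpaces>
      <nameSpace name="com.sap.security.core.usermanagement"><attributes>
        <attribute name="krb5principalname">
          <physicalAttribute name="userprincipalname"/>
        </attribute>
        <attribute name="kpnprefix">
          <physicalAttribute name="samaccountname"/>
        </attribute>
      </attributes></nameSpace>
    </nameSpaces></principal>
  </principals></attributeMapping>
</dataSource>
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: value}.

    Folded lines (leading space) are joined; for multi-valued attributes
    the last value wins, which is enough for the checks below.
    """
    entry, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            entry[key] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            key = None
            continue
        key = name.strip().lower()
        entry[key] = value.lstrip(":").strip()
    return entry


def rdns(dn):
    """Split a DN on unescaped commas and normalise case and whitespace."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def is_under(dn, base):
    """True if dn lies strictly beneath base (item 1: the User Path)."""
    d, b = rdns(dn), rdns(base)
    return bool(b) and len(d) > len(b) and d[-len(b):] == b


def physical_attribute(mapping_xml, logical, principal_type="user"):
    """Return the physical LDAP attribute mapped to a UME logical attribute."""
    root = ET.fromstring(mapping_xml)
    for mapping in root.iter("attributeMapping"):
        for principal in mapping.iter("principal"):
            if principal.get("type") != principal_type:
                continue
            for attr in principal.iter("attribute"):
                if attr.get("name") == logical:
                    phys = attr.find("physicalAttribute")
                    return phys.get("name") if phys is not None else None
    return None


def check_service_user(entry, user_path, mapping_xml, kpn,
                       logical="krb5principalname"):
    """Return the failed checks, in the order of the troubleshooting list."""
    problems = []
    if not is_under(entry["dn"], user_path):
        problems.append("user-path")          # item 1
    phys = physical_attribute(mapping_xml, logical)
    if phys is None:
        problems.append("mapping-missing")    # item 2
    elif entry.get(phys.lower(), "").lower() != kpn.lower():
        problems.append("mapping-mismatch")   # item 3
    return problems


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    print(check_service_user(user, "DC=corp,DC=example,DC=com",
                             SAMPLE_MAPPING, "j2ee-svc@CORP.EXAMPLE.COM"))
```

An empty list means all three checks pass for the given user path, mapping file and principal name.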
Logoff not working after SPNego Authentication
Hi Experts,
Configured SPNego authentication successfully.
But after clicking the logoff button I am logged back in again.
As per some advice, done as follows
Example: Portal SSO URL: http://portal.example.com
Create a URL like http://nonssoportal.example.com (Create the name in the DNS and point it to the IP of your portal server)
Changed the logoff parameter to point to the new URL. After restart, once logoff is clicked it went to the new URL but the SSO ticket is still authenticating.
I need to get the login page again so that I can log in with administrator or other test user IDs.
Please post your suggestions.
Regards,
Raja. G
Hi,
Created the alias for that server and made the logoff URL as http://<alias of the server>:<port>/irj/portal.
Now I am able to get the login page; however, it is asking for the Windows authentication while logging off.
If we click cancel then we are able to get the login page.
Any idea how to avoid the popup asking for Windows credentials?
Regards,
Raja. G
-
Multi-Domain LDAP UME configuration
Hello
We have EP 7.0 installed and want to connect the UME to our Corporate
LDAP (MSADS) as data source.
Our ADS is as follows:
domain.pt – This is our top level domain. Here we have our main users.
Gs.domain.pt – This is a child domain of ren.pt. Here are some special
users that cannot be moved to domain.pt level (because of this we have to
use multi-domain configuration)
According to some documents (Step 2 of Note 762419 - Multi-Domain Logon
Using Microsoft Active Directory) this configuration has to be done
according to a Multiple-Domain UME LDAP Configuration.
Following is my configuration of LDAP access:
I have set the "UME LDAP Data" in Config Tool to point to
the "dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml" configuration file that has been previously changed by me following previous documents. The XML is at the end of the message.
Also in the "UME LDAP Data" (Directory Server) I have defined the following settings:
Server Name: dc01.domain.pt (This is the DC of domain.pt)
Server port: 389
User: j2ee-pp3 @domain.pt
Pass: ******* (ok on all configuration tests and authentication)
SSL: NO.
User Path: DC=domain,DC=pt
Group Path: DC=domain,DC=pt
Checked the "Flat User Group Hierarchy".
Checked the "Use UME Unique id with unique LDAP Attribute".
At "Additional LDAP Properties" I have set the properties of
ume.ldap.unique_user_attribute(global) and
ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was
done according to the Multi-Domain configuration.
Also ume.ldap.access.multidomain.enabled=true was set in the property
sheet of the UME service. After this all checks are ok including in
User Administration in Portal.
Conclusion: We have no problem with SSO and search capabilities
at "domain.pt" level. All users of this domain are able to access the
portal with SSO.
Nevertheless no user from "gs.domain.pt" is able to logon. Additionally,
using User Administration in Portal with option "All Data Sources"
returns no results when searching for users from this child domain. It
seems the configuration file does not recognize gs.domain.pt.
Is it possible that our xml file is incorrectly adapted? Is there any
missing or wrong configuration for multi-domain LDAP access? Please
advise.
Thanks in advance
dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="j_user"/>
<attribute name="j_password"/>
<attribute name="userid"/>
<attribute name="logonalias"/>
</attributes>
</nameSpace>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email" populateInitially="true"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
<attribute name="krb5principalname"/>
<attribute name="kpnprefix"/>
<attribute name="dn"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</responsibleFor>
<attributeMapping>
<principals>
<principal type="account">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="domain_j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_user">
<physicalAttribute name="userprincipalname"/>
<attribute name="logonalias">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="null"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="krb5principalname">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="kpnprefix">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="dn">
<physicalAttribute name="distinguishedname"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="ou"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</principals>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
<ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
<ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
<ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
<ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
<ume.ldap.access.domain_mapping>
[DOMAIN_PT;DC=domain,DC=pt]
[GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
[gs;DC=DC=gs,DC=domain,DC=pt]
[domain;DC=pt]
</ume.ldap.access.domain_mapping>
</privateSection>
</dataSource>
</dataSources>
Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PM
Hi Gaetano
I tried to set back the "uniqueid" in the XML to samaccountname.
Also, I changed the spnego to go only to domain.pt (gs.domain.pt is a child domain).
In the 1st tests this worked perfectly, but we still have to do some testing with this config.
When I get confirmation, I'll reply here.
Thank you.
PS: we thought of defining the ABAP user for each user, but there are a lot of users...
we'll try this config, and if it doesn't work, probably that's what we'll do.
Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
Everything seems to be working now. Setting back the uniqueid to samaccountname and configuring spnego to go to only 1 domain solved the issue.
I just need to test which change did the trick.
Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM
-
SPNego authentication not working
Hi,
We are trying to configure SPNego and we are facing issues. We had done the configuration in another environment and it worked fine.
I have checked the configuration at AD end and portal end multiple
times and everything looks to be fine. Following is the error message coming in the logs.
[JGSS_DBG_CTX] Client time Sat Feb 03 13:09:32 GMT 2007 too skewed
13:04:05:373 Error Guest ~on_Thread[impl:3]_1 System.err org.ietf.jgss.GSSException, major code: 10, minor code: 37
major string: Defective token
minor string: Client time 03 February 2007 at 13:09:32 too skewed
13:04:05:373 Error Guest ~on_Thread[impl:3]_1 System.err at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
at com.ibm.security.jgss.mech.krb5.k.a(k.java:896)
at com.ibm.security.jgss.mech.krb5.k.a(k.java:6)
at com.ibm.security.jgss.mech.krb5.k.b(k.java:231)
at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:1010)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:30)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:370)
at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:614)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:322)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:142)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:160)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:215)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Any help is highly appreciated.
Many Thanks,
Chandra
Hi,
per this part of the exception:
minor string: Client time 03 February 2007 at 13:09:32 too skewed
there seems to be a problem with the time synchronization between the domain controller, the client system and the SAP NetWeaver system. Check that all system clocks are synchronized and have the correct time zone settings.
Hope this helps,
Yonko
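The skew in the quoted log can be measured rather than guessed: the [JGSS_DBG_CTX] line carries the client's timestamp and the following error line carries the server's log time. The following is an added example, not code from the thread or from SAP; it assumes the server log clock is in the same time zone as the client stamp (GMT here) and uses the common Kerberos tolerance of five minutes, which the page does not state for this system.

```python
import re
from datetime import datetime, timedelta

# Assumption: the common Kerberos default tolerance of five minutes.
DEFAULT_MAX_SKEW = timedelta(minutes=5)

# Constructed sample: the four log lines quoted in the thread above.
SAMPLE_LOG = """\
[JGSS_DBG_CTX] Client time Sat Feb 03 13:09:32 GMT 2007 too skewed
13:04:05:373 Error Guest ~on_Thread[impl:3]_1 System.err org.ietf.jgss.GSSException, major code: 10, minor code: 37
major string: Defective token
minor string: Client time 03 February 2007 at 13:09:32 too skewed
"""

# "[JGSS_DBG_CTX] Client time <dow> <mon> <dd> <hh:mm:ss> <tz> <yyyy> too skewed"
CLIENT_RE = re.compile(
    r"^\[JGSS_DBG_CTX\] Client time \w{3} (\w{3}) (\d{1,2}) "
    r"(\d{2}:\d{2}:\d{2}) \w+ (\d{4}) too skewed")
# Server log line: "hh:mm:ss:mmm Error ..." (time of day only, no date)
SERVER_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+Error\b")


def parse_client_time(line):
    """Return the client timestamp from a JGSS debug line, or None."""
    m = CLIENT_RE.match(line.strip())
    if not m:
        return None
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")


def parse_server_time(line, client):
    """Return the server log time, dated to the day nearest the client time."""
    m = SERVER_RE.match(line.strip())
    if not m:
        return None
    hour, minute, second, milli = (int(g) for g in m.groups())
    server = client.replace(hour=hour, minute=minute, second=second,
                            microsecond=milli * 1000)
    # The log line has no date: handle a pair that straddles midnight.
    half_day = timedelta(hours=12)
    if server - client > half_day:
        server -= timedelta(days=1)
    elif client - server > half_day:
        server += timedelta(days=1)
    return server


def find_skew_events(log_text, max_skew=DEFAULT_MAX_SKEW):
    """Pair each client-time debug line with the next server error line."""
    events, pending = [], None
    for line in log_text.splitlines():
        client = parse_client_time(line)
        if client is not None:
            pending = client
            continue
        if pending is None:
            continue
        server = parse_server_time(line, pending)
        if server is None:
            continue
        skew = pending - server  # positive: client clock ahead of server log
        events.append({"client": pending, "server": server, "skew": skew,
                       "exceeds": abs(skew) > max_skew})
        pending = None
    return events


if __name__ == "__main__":
    for ev in find_skew_events(SAMPLE_LOG):
        state = "exceeds" if ev["exceeds"] else "within"
        print(f"client {ev['client']}  server {ev['server']}  "
              f"skew {ev['skew']}  ({state} {DEFAULT_MAX_SKEW})")
```

A positive skew means the client clock was ahead of the clock that stamped the server log; which of the two is wrong has to be settled against the domain controller's time.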