JGSS: SPNEGO and NTLMv2

Hey there,
I'm getting up to speed on JGSS, both for general Kerberos use and for ActiveDirectory use, and I'm wondering: if the SPNEGO results in NTLM being chosen, does the underlying implementation handle this, or does it fail? (I'm assuming a Windows environment). If it succeeds, does it do so with NTLMv2, or just with NTLMv1?
Just for context, we're using Apache's HttpClient.
thanks in advance,
James

JimDesu wrote:
> Hey there,
> I'm getting up to speed on JGSS, both for general Kerberos use and for ActiveDirectory use, and I'm wondering: if the SPNEGO results in NTLM being chosen, does the underlying implementation handle this, or does it fail. (I'm assuming a Windows environment). If it succeeds, does it do so with NTLMv2, or just with NTLMv1?

Hi James,
There are two HTTP authentication mechanisms that are of interest in a Windows environment. There is WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM. The Negotiate method uses the SPNEGO protocol to negotiate either Kerberos or NTLM. The NTLM method uses the NTLMSSP protocol. SPNEGO is mostly just an envelope around Kerberos or NTLMSSP tokens.
Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens.
However, Sun's built-in HTTP client has inlined code that will perform NTLMv1 authentication using the NTLM method.
> Just for context, we're using Apache's HttpClient.

Apache's HttpClient also only supports NTLMv1. There has been external interest in supporting NTLMv2 but, in general, the Apache crowd has not embraced the NTLM work, citing the fact that it is not a standards-based technology.
The only 100% Java HTTP client that supports NTLMv2 that I know of is the one included in a library called "Jespa":
[http://www.ioplex.com/jespa.html]
Currently the client is only exposed as a standard HttpURLConnection and URL Handler. However the underlying code supports pipelining, asynchronous I/O and other advanced features that will eventually be exposed.
Mike
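
The envelope structure described in the reply above can be seen by decoding the token carried in a `WWW-Authenticate` or `Authorization` header. The following is an added example, not code from the thread or from any library it mentions: it classifies a token as raw NTLMSSP, a raw GSS mechanism token, or SPNEGO, and lists the mechanisms SPNEGO offers. The class and helper names are hypothetical and the sample tokens are constructed in `main`.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class NegotiateTokenInspector {
    static final String SPNEGO = "1.3.6.1.5.5.2";
    static final String KRB5 = "1.2.840.113554.1.2.2";
    static final String MS_KRB5 = "1.2.840.48018.1.2.2";     // legacy Microsoft Kerberos OID
    static final String NTLMSSP = "1.3.6.1.4.1.311.2.2.10";
    static final byte[] NTLM_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Minimal bounds-checked DER cursor over buf[pos, end). */
    static final class Der {
        final byte[] buf; final int end; int pos;
        Der(byte[] buf, int pos, int end) { this.buf = buf; this.pos = pos; this.end = end; }
        int next() {
            if (pos >= end) throw new IllegalArgumentException("truncated DER");
            return buf[pos++] & 0xff;
        }
        boolean nextIs(int tag) { return pos < end && (buf[pos] & 0xff) == tag; }
        /** Consumes one TLV with the given tag and returns a cursor over its content. */
        Der enter(int tag) {
            if (next() != tag) throw new IllegalArgumentException("expected tag 0x" + Integer.toHexString(tag));
            int len = next();
            if (len >= 0x80) {                       // long form: low 7 bits count the length bytes
                int n = len & 0x7f;
                if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported DER length");
                for (len = 0; n > 0; n--) len = (len << 8) | next();
            }
            if (len > end - pos) throw new IllegalArgumentException("DER length exceeds buffer");
            Der inner = new Der(buf, pos, pos + len);
            pos += len;
            return inner;
        }
        String oid() throws GSSException {
            int start = pos;
            enter(0x06);                             // OBJECT IDENTIFIER
            return new Oid(Arrays.copyOfRange(buf, start, pos)).toString();
        }
    }

    static String name(String oid) {
        return oid.equals(KRB5) || oid.equals(MS_KRB5) ? "Kerberos" : oid.equals(NTLMSSP) ? "NTLMSSP" : oid;
    }

    /** Classifies the value of a WWW-Authenticate or Authorization header. */
    static String classify(String headerValue) throws GSSException {
        String[] parts = headerValue.trim().split("\\s+", 2);
        String scheme = parts[0];
        if (parts.length < 2) return scheme + ": no token yet (bare challenge)";
        byte[] tok = Base64.getDecoder().decode(parts[1].trim());
        if (tok.length >= 12 && Arrays.equals(Arrays.copyOf(tok, 8), NTLM_SIG))
            return scheme + ": raw NTLMSSP, message type " + (tok[8] & 0xff);
        Der d = new Der(tok, 0, tok.length);
        if (d.nextIs(0xa1)) return scheme + ": SPNEGO NegTokenResp (later leg)";
        Der gss = d.enter(0x60);                     // GSS-API InitialContextToken
        String mech = gss.oid();
        if (!mech.equals(SPNEGO)) return scheme + ": raw " + name(mech) + " token";
        Der init = gss.enter(0xa0).enter(0x30);      // NegTokenInit ::= [0] SEQUENCE
        List<String> offered = new ArrayList<>();
        if (init.nextIs(0xa0)) {                     // mechTypes [0] SEQUENCE OF OID
            Der list = init.enter(0xa0).enter(0x30);
            while (list.pos < list.end) offered.add(name(list.oid()));
        }
        String preferred = offered.isEmpty() ? "none" : offered.get(0);
        return scheme + ": SPNEGO, preferred " + preferred + ", offered " + offered;
    }

    // Helpers below only build the constructed sample tokens (short-form DER lengths).
    static byte[] tlv(int tag, byte[]... parts) {
        int len = 0;
        for (byte[] p : parts) len += p.length;
        if (len >= 0x80) throw new IllegalArgumentException("sample too long for short-form length");
        byte[] out = new byte[2 + len];
        out[0] = (byte) tag; out[1] = (byte) len;
        int at = 2;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, at, p.length); at += p.length; }
        return out;
    }
    static String spnegoInit(String... mechOids) throws GSSException {
        byte[][] ders = new byte[mechOids.length][];
        for (int i = 0; i < ders.length; i++) ders[i] = new Oid(mechOids[i]).getDER();
        // mechTypes [0], then a placeholder mechToken [2] (four zero bytes, not a real token)
        byte[] body = tlv(0x30, tlv(0xa0, tlv(0x30, ders)), tlv(0xa2, tlv(0x04, new byte[4])));
        return Base64.getEncoder().encodeToString(tlv(0x60, new Oid(SPNEGO).getDER(), tlv(0xa0, body)));
    }
    public static void main(String[] args) throws GSSException {
        byte[] ntlmType1 = Arrays.copyOf(NTLM_SIG, 16);   // constructed: signature, then zeroed type and flags
        ntlmType1[8] = 1;                                 // message type 1 (negotiate)
        System.out.println(classify("Negotiate"));
        System.out.println(classify("NTLM " + Base64.getEncoder().encodeToString(ntlmType1)));
        System.out.println(classify("Negotiate " + spnegoInit(MS_KRB5, KRB5, NTLMSSP)));
        System.out.println(classify("Negotiate " + spnegoInit(NTLMSSP)));
    }
}
```

Going by the reply above, a client limited to JGSS can only continue the exchanges this reports as Kerberos; a header classified as NTLMSSP, raw or inside SPNEGO, needs separate NTLM code.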

Similar Messages

  • JAAS, JGSS Kerberos  and windows 2000 newbie question

    Hi
    I have set up a Kerberos server on Windows 2000, and now I want to write code in Java to authenticate and authorize users using Kerberos. I know I have to use JAAS and JGSS.
    Is there a how-to document for setting up a client machine, such as the krb4.ini file and other security files, so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
    I have the following code:
    GSSManager manager = GSSManager.getInstance();
    Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
    Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
    // Identify who the client wishes to be
    GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
    // Identify the name of the server. This uses a Kerberos specific
    // name format.
    GSSName serverName = manager.createName("krbsvr400/[email protected]",
                                            krb5PrincipalNameType);
    System.out.println("server name " + serverName.getStringNameType());
    // Acquire credentials for the user
    GSSCredential userCreds = manager.createCredential(userName,
                                                       GSSCredential.DEFAULT_LIFETIME,
                                                       krb5Mechanism,
                                                       GSSCredential.INITIATE_ONLY);
    // Instantiate and initialize a security context that will be
    // established with the server
    GSSContext context = manager.createContext(serverName,
                                               krb5Mechanism,
                                               userCreds,
                                               GSSContext.DEFAULT_LIFETIME);
    and krb5.ini file looks like below
    [libdefaults]
    default_realm = GL1AMR.PFIZER1.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true
    [realms]
    GL1AMR.PFIZER1.TEST= {
    kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
    admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
    default_domain = gl1amr.pfizer1.test
    }
    [domain_realm]
    .gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
    gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST
    [login]
    krb4_convert = true
    krb4_get_tickets = true
    I get the following error:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
         at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
    What am I missing?

    My Java file has the code as follows. When I run this code I am getting the following error:
    Error
    D:\Ramesh_Dump\KerbersTools>java GSSAPI
    GSSException: No valid credentials provided (Mechanism level: Failed to find any
    Kerberos Ticket)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredent
    ial.java:133)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechF
    actory.java:72)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.
    java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java
    :96)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:1
    78)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:1
    58)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5
    Client.java:155)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.ja
    va:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.jav
    a:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:6
    67)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:1
    34)
    at GSSAPI.main(GSSAPI.java:34)
    Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root
    exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by G
    SSException: No valid credentials provided]]
    JAVA CODE
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.text.*;

    public class GSSAPI {
        /**
         * @param args
         */
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<>();
            String adminName = "[email protected]";//"[email protected]";
            String adminPassword = "Password12";
            String ldapURL = "ldap://172.20.55.97:389/";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //authenticate with SASL GSSAPI (Kerberos); the simple-bind principal and credentials stay commented out
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            //env.put(Context.SECURITY_PRINCIPAL,adminName);
            //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //env.put("javax.security.sasl.server.authentication","true");
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, ldapURL);
            try {
                //Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                //lets get the domain lockout duration policy
                Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
                //System.out.println("test arttr"+attrs.get(""));
                System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
                System.out.println("Duration: " + attrs.get("lockoutDuration").get());
                System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
                long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
                //Create the search controls
                SearchControls searchCtls = new SearchControls();
                //Specify the attributes to return
                String returnedAtts[] = {"sn", "givenName", "mail", "lockoutTime"};
                searchCtls.setReturningAttributes(returnedAtts);
                //Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                //Create the correct LDAP search filter
                //Win32 file time is based from 1/1/1601
                //Java date/time is based from 1/1/1970
                /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
                GregorianCalendar Today = new GregorianCalendar();
                long Win32Date = Win32Epoch.getTimeInMillis();
                long TodaysDate = Today.getTimeInMillis();
                long TimeSinceWin32Epoch = TodaysDate - Win32Date;
                long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
                System.out.println("Lockout (Long): " + lockoutDate);*/
                //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
                //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
                String searchFilter = "(objectclass=user)";
                //Specify the Base for the search
                String searchBase = "dc=globalv,dc=com";
                //initialize counter to total the results
                int totalResults = 0;
                //Search for objects using the filter
                NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
                //Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes, catch the exception if the attributes have no values
                    attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                            System.out.println(" mail: " + attrs.get("mail").get());
                            System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                            //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                        }
                        catch (NullPointerException e) {
                            System.err.println("Problem listing attributes: " + e);
                        }
                    }
                }
                //System.out.println("Total results: " + totalResults);
                ctx.close();
            }
            catch (NamingException e) {
                System.err.println("Problem searching directory: " + e);
            }
        }
    }

  • SPNEGO  and Windows 2008

    Hello,
    We've had SPNego integrated authentication for Windows working with our EP for some time.
    Our company is moving to W2k8 domain and dc's (kdc's) for this question.
    When one of our kdc functional servers has been replaced, it appears that the SPNego authentication function has started to fail upon restart of the Java\EP system.
    Can anyone provide any info as to what might need to change for the continued use of the SPNego authentication against a W2k8 kdc?
    Upon pointing the java\ep system back to a w2k3 kdc the implementation continues to work. So it looks to be Windows version related.
    Appreciate any help. Not seeing much from SAP areas possibly related to this?
    Rick

    Hi,
    >the Windows 2008 R2 server does not support DES encryption by default. So you have to enable it manually
    This workaround works but is not secure: DES has been abandoned as the default because it has been compromised.
    The real solution is to use the new SAP SPNEGO/Kerberos implementation which is able to use RC4 or AES.
    If you cannot because of an insufficient release or SP level, you have to do like we had to do in my company: buy a third party product which is able to use RC4 even for Netweaver 7.0 J2EE.
    The security team has forbidden the use of DES in my company...
    Regards,
    Olivier

  • OD, Kerberos, SPNEGO and Single Sign-On

    I have been asked to identify ways to improve a company intranet; the entire network is Mac OS X for both clients and servers. The first thing I thought of was using Kerberos for Single Sign-on functionality. Is anyone familiar with any issues surrounding setting this up in an all OS X environment? The Intranet hosts a number of web applications that would need to be converted to use Kerberos authentication and I just wanted to know if anyone is aware of any issues with the Apache mod_spnego or Safari 2.x's support for SPNEGO that could make things difficult. Also, I'm coming up blank for all my searches for any implementation instructions that might be out there, so if anyone knows of any implementation descriptions that could be really helpful.
    Thanks,
    James

    Hi,
    the best thing would be the mapping, I thought it would work either the SSO was activated or not. I thought that once the system can't match the user with SSO it would try with the mapped user.
    The problem if I am not wrong is that the index_service user can't be created in R/3 side, the name is too long. I guess you'll have to find another workaround.
    Gregori Coll Ingles.

  • SPNego and Windows domain

    Hi,
    just to make sure: when the windows 2003 domain is MYDOMAIN and not MYDOMAIN.COM or anything with a dot in it (so users logon via MYDOMAIN\username), but the FQDN of the J2EE server is j2eehost.mydomain.com, then MYDOMAIN should be used to create the keytab file, instead of MYDOMAIN.COM, correct?
    Thus host/j2eehost.mydomain.com@MYDOMAIN instead of host/[email protected] is the service principal name?

    Hi Yonko,
    thanks again. Yes I understand why you would assume that there would be a MYDOMAIN.COM domain but it isn't as far as I know (result of upgrades all the way back from NT4).
    I actually forgot to write that the windows logon dialog shows DOMAIN, but the FQDN is AMUCHBIGGERDOMAIN.COM. For example, the logon is COMPANYNAME\username, but the FQDN of all servers (all domain members) are host.globalcompanyname.com
    interesting enough, we cannot logon using [email protected]
    None the less, I'll double check using TweakUI.
    Cheers
    Marcel

  • Help-kerberos works with spnego keytab file but not in netbeans and Metro

    Hi,
    Appreciate if someone can shed some light on this problem and guide on what else am I missing.
    I'm trying to call .NET based WCF webservice (MS Dynamics CRM - OrganizationSvc) from a java client. Started looking at Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke web service. However the challenge was using Kerberos based authentication and related setup.
    I primarily followed the link below which was very helpful but had to dig more to get more specific details.
    http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
    Tried to follow netbeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So, came across SPNEGO and used their examples, made changes accordingly and after experimenting with various configuration settings (krb5.conf and login.conf), finally I was able to run HelloKDC & HelloKeytab files successfully.
    krb5.conf
    [libdefaults]
    default_realm = NA.CONVERGYS.COM
    [realms]
    NA.CONVERGYS.COM = {
    kdc = CDCWW13.na.convergys.com
    admin_server = CDCWW13.na.convergys.com
    }
    [domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM
    login.conf
    spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
    Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
    [1] Service principal: HOST/[email protected]
    KVNO: 7
    With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.
    http://spnego.sourceforge.net/index.html
    http://spnego.sourceforge.net/client_keytab.html
    http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
    However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
    http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
    http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
    1) Noticed that the sc:KerberosConfig element in wsit-client.xml does not get updated automatically in the NetBeans IDE, so I manually edited it to put the entries in.
    2) Also followed the setup required in glassfish domain.xml & login.conf xml.
    3) Also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file (which is nothing but the krb5.conf file referred to elsewhere).
    wsit-client.xml
    <wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
    <wsp:All>
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosClient"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    ERROR
    INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
    WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
    WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
    INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
    INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
    SEVERE: WSITPVD0050: Error while Securing Request Message.
    com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
    at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
    javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
    Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    ... 40 more
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more

    Hi Gasha,
    The only change I did after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the glassfish application to load the configuration related to keytab etc., and use it to communicate with the WCF service for negotiation.
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosServer"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    login.conf has
    KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    fyi.. Used the following way to create the keytab
    Keytab was created using below instructions
    ktpass -princ HOST/[email protected]
    -mapUser [email protected]
    -mapOp set
    -pass *
    -crypto DES-CBC-MD5
    -pType KRB5_NT_PRINCIPAL
    -out orldwv705.keytab
    Targeting domain controller: CDCWW13.na.convergys.com
    Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
    Key created.
    Output keytab to orldwv705.keytab:
    Keytab version: 0x502
    keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
    Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using set SPN commands on the AD of the server where CRM is installed.
    With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't get any success.
    This is where I'm stuck now. What I don't know is if there is another setup from which we can try a similar interoperability example, e.g. weblogic 10.1 & eclipse, which is closer to our real environment.
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    java.lang.IllegalArgumentException: Missing argument
    at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
    at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)

  • SSPIs and SPNEGO

    Robert,
    In a previous post you said,
    "I've said this elsewhere on this forum, but in case you missed it, in certain
    cases you might be forced to implement a servlet filter rather than use the SSPIs.
    My case was using identity assertion with SPNEGO where you need to send back a
    response to the browser which in turn sends back a token to the server."
    Could you please explain how do we do SSPI for SPNEGO? I have a requirement where
    we need to pass the credentials from WL portal to IIS server to access content
    on IIS. Right now, as a temporary solution, we are doing https://uid:[email protected]
    I am new to security and JAAS. If you could please give me pointers to accomplish
    this in a cleaner way, I would really appreciate it.
    Thanks,
    Adam

    Robert,
    That's really awesome. Can we get this discussion offline from here? Could you
    please e-mail me at [email protected]?
    Thanks,
    Adam
    Robert Greig <[email protected]> wrote:
    Adam Gilchrist wrote:
    Robert,
    In a previous post you said,
    "I've said this elsewhere on this forum, but in case you missed it, in certain
    cases you might be forced to implement a servlet filter rather than use the SSPIs.
    My case was using identity assertion with SPNEGO where you need to send back a
    response to the browser which in turn sends back a token to the server."
    Could you please explain how do we do SSPI for SPNEGO? I have a requirement where
    we need to pass the credentials from WL portal to IIS server to access content
    on IIS. Right now, as a temporary solution, we are doing https://uid:[email protected]@mydomain.com.
    First, here's how to do it in the "standard" web browser case (IE client
    talking to WLS).
    1) Don't use the WLS SSPIs. You don't have access to the http response
    therefore it is not easy (perhaps not possible although maybe there are
    evil hacks that I haven't come up with!).
    2) Download the SPNEGO RFC. You'll need an ASN parser (unless you want
    to do the encoding manually - I don't recommend that unless you're
    familiar with ASN). Create an SPNEGO grammar your parser can understand
    and generate java code from the grammar. I used the cryptix parser (open
    source) but note that it had some bugs I had to fix first.
    3) Write a servlet filter. It should send back 403 responses in order to
    get the base 64 encoded SPNEGO token (see the RFC for details). When you
    have a token, get the GSS initial context token from it and use the
    GSSAPI to validate it. Then send back the appropriate response, having
    put the appropriate details into the session so you don't have to
    perform this for every request!
    Second - I plan on open sourcing what I have done and writing an article
    on it. Maybe I'm just sad and lonely but I certainly found it
    interesting to do (having never done anything in this area before) and I
    found that it was not an area that is either mature or well documented.
    This might be of some use to you. I am currently trying to get
    permission from my employer to do this (I work for an investment bank
    hence this is not entirely straightforward but I do now have agreement
    in principle).
    Third - to cover your case. You need to create an SPNEGO initial context
    token (see the spec for details). This should be quite easy once you
    have the ASN parser (just use the GSSAPI to get the underlying context
    token). You will have to implement SPNEGO from a client-side perspective
    however that should be easy (expect a 403 response from the server, then
    put in the base 64 encoded SPNEGO token into a particular request header).
    I am new to security and JAAS. If you could please give me pointers to accomplish
    this in a cleaner way, I would really appreciate it.

    Do you need to use SPNEGO here? If you can write an ASP page to service
    all requests then so long as you are happy using HTTPS you could put the
    username into a POST parameter. Or must you directly access the content
    without going through an intermediary page? If direct username isn't
    possible then you could even just ignore SPNEGO and put in the base 64
    initial context token (which you can process using the Windows SSPI APIs).
    I hope this is of some use to you.
    Robert
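A filter like the one Robert describes has to unwrap the SPNEGO envelope before GSS-API sees the inner token, and the same unwrapping shows whether the browser offered Kerberos or fell back to NTLM. The following is an added example, not Robert's code: a minimal DER walker over a constructed `Authorization: Negotiate` value, where the function names and the placeholder inner tokens are assumptions made here.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NTLM_MAGIC = b"NTLMSSP\x00"  # every NTLMSSP message starts with this signature

def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the token")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag, what):
    """Read a TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected {what} (tag 0x{want_tag:02x}), got 0x{tag:02x}")
    return value, nxt

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:  # base-128 arcs, high bit set means "more bytes follow"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def inspect_negotiate(header_value):
    """Classify an 'Authorization' header value that uses the Negotiate scheme."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a 'Negotiate <token>' header value")
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(NTLM_MAGIC):  # NTLMSSP sent without any SPNEGO envelope
        return {"framing": "raw NTLMSSP", "mechs": ["NTLMSSP"], "mech_token": token, "ntlm": True}
    body, _ = expect(token, 0, 0x60, "GSS-API InitialContextToken")
    oid, pos = expect(body, 0, 0x06, "thisMech OID")
    this_mech = decode_oid(oid)
    if this_mech != SPNEGO_OID:  # e.g. a bare Kerberos token in GSS-API framing
        name = MECH_NAMES.get(this_mech, this_mech)
        return {"framing": "raw GSS-API", "mechs": [name], "mech_token": token, "ntlm": name == "NTLMSSP"}
    init, _ = expect(body, pos, 0xA0, "NegTokenInit")
    seq, _ = expect(init, 0, 0x30, "NegTokenInit SEQUENCE")
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # mechTypes, in the client's order of preference
            oids, _ = expect(field, 0, 0x30, "MechTypeList")
            p = 0
            while p < len(oids):
                raw, p = expect(oids, p, 0x06, "mechanism OID")
                mechs.append(MECH_NAMES.get(decode_oid(raw), decode_oid(raw)))
        elif tag == 0xA2:  # mechToken: the inner token to hand to GSS-API
            mech_token, _ = expect(field, 0, 0x04, "mechToken OCTET STRING")
    ntlm = mechs[:1] == ["NTLMSSP"] or bool(mech_token and mech_token.startswith(NTLM_MAGIC))
    return {"framing": "SPNEGO NegTokenInit", "mechs": mechs, "mech_token": mech_token, "ntlm": ntlm}

def tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def build_sample(mech_oids_hex, mech_token):
    mech_list = tlv(0x30, b"".join(tlv(0x06, bytes.fromhex(h)) for h in mech_oids_hex))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    token = tlv(0x60, tlv(0x06, bytes.fromhex("2b0601050502")) + tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode("ascii")

KRB5_HEX, NTLM_HEX = "2a864886f712010202", "2b06010401823702020a"
# Constructed samples: the inner tokens are placeholders, not real tickets or NTLM messages.
KERBEROS_FIRST = build_sample([KRB5_HEX, NTLM_HEX], b"\x60" + b"constructed-ap-req" * 10)
NTLM_FALLBACK = build_sample([NTLM_HEX], NTLM_MAGIC + b"\x01\x00\x00\x00" + bytes(24))

if __name__ == "__main__":
    for label, hdr in (("kerberos-first", KERBEROS_FIRST), ("ntlm-fallback", NTLM_FALLBACK)):
        info = inspect_negotiate(hdr)
        print(label, info["framing"], info["mechs"], "NTLM:", info["ntlm"])
```

A token flagged with `ntlm` set means the client could not obtain a Kerberos service ticket, which on this page's setups usually points back at the SPN or keytab configuration rather than at the filter.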

  • SPNego Not Working

    Hello,
    We wanted to have desktop single sign on by using SPNego and we have configured everything as said in SAP Help document and we could not achieve single sign on. Not sure where we are going wrong.
    When we run the Diagtool, we are getting the error "Cannot login user" and " Error sending krb5 token".
    Need your inputs and suggestions and corrections in this. Below are the details.
    Landscape information:
    Active Directory – Windows 2003 SP1
    Active Directory Domain – ED.ET.COM
    Portal – EP 7.0 (NW2004s SPS8)
    Portal OS – AIX 5.3
    Database – DB2 UDB
    Portal/J2EE Engine domain – comp.com
    JDK – IBM JDK
    Client / Workstation – Windows XP SP1 (Domain – ED.ET.COM)
    Portal sysid – B01
    Steps
    1. Created the User j2ee-b01 in the active directory, with password never expires option
    2. Created keytab files using windows ktpass.
    ktpass -princ host/[email protected] -pass password –out g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    ktpass –princ HTTP/[email protected] –pass password –out g023us08.keytab -in g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    3. setspn –A HTTP/g023us08.comp.com j2ee-b01
    4. Placed the g023us08.keytab and krb5.conf under /usr/sap/B01/certfiles.
    5. Java parameters are added in the configtool
    6. Resolution mode = simple and in the UME added the attribute "krb5principalname" and physicalAttribute "userprincipalname".
    7. Configured of login to use SPNego Login Module.
    8. The maintained parameters for SPNegoLoginModule are
    com.sap.spnego.jgss.name = [email protected]
    com.sap.spnego.uid.resolution.mode = simple
    com.sap.spnego.uid.resolution.attr = krb5principalname
    Krb5.conf contents.
    [domain_realm]
    .comp.com = ED.ET.COM
    [libdefaults]
       default_keytab_name = /usr/sap/B01/certfiles/g023us08.keytab
       default_realm = ED.ET.COM
       dns_lookup_kdc = true
       default_tgs_enctypes=des-cbc-md5;des-cbc-crc
       default_tkt_enctypes=des-cbc-md5;des-cbc-crc
    [realms]
       ED.ET.COM = {
          admin_server = g1432dc01.ed.et.com
          kdc = g1432dc01.ed.et.com
    [appdefaults]
    pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
    Thanks in Advance.
    Regards,
    Praveen

    Hi Praveen,
    I did a compare of your configuration with mine.
    My ktpass commands are the same as yours, but I did not use the mapuser option in the first one. There is no dash in front of it either.
    Ex :
    ktpass -princ host/[email protected] -pass password -out c:\keytab_p1d +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    ktpass -princ HTTP/[email protected] -pass password -out c:\keytab_p1d -in c:\keytab_p1d mapUser kerb_p1d +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
    In my Krb5.conf, I put the ip of the admin_server and kdc
    instead of pc name, but it should be valid.
    To verify that your datasource changes are good, check in the portal useradmin if the new attribute krb5principalname shows up in the "customized information" tab.
    You got an error at
    com.sap.spnego.jgss.name
    It should be :
    com.sap.spnego.jgss.name  =  HTTP/[email protected]
    Also, you did not give your other login modules config, like krb5loginmodule and mappingmodule.
    Please note that all the config is case sensitive.
    Brad

  • SPNego authentication not working

    Hi,
    We are trying to configure SPNego and we are facing issues. We had done the configuration in another environment and it worked fine.
    I have checked the configuration at AD end and portal end multiple
    times and everything looks to be fine. Following is the error message coming in the logs.
    [JGSS_DBG_CTX] Client time Sat Feb 03 13:09:32 GMT 2007 too skewed
    13:04:05:373 Error Guest ~on_Thread[impl:3]_1 System.err org.ietf.jgss.GSSException, major code: 10, minor code: 37
    major string: Defective token
    minor string: Client time 03 February 2007 at 13:09:32 too skewed
    13:04:05:373 Error Guest ~on_Thread[impl:3]_1 System.err at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
    at com.ibm.security.jgss.mech.krb5.k.a(k.java:896)
    at com.ibm.security.jgss.mech.krb5.k.a(k.java:6)
    at com.ibm.security.jgss.mech.krb5.k.b(k.java:231)
    at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:1010)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:30)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:370)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:614)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:322)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:142)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:160)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:215)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Any help is highly appreciated.
    Many Thanks,
    Chandra

    Hi,
    per this part of the exception:
    minor string: Client time 03 February 2007 at 13:09:32 too skewed
    there seems to be a problem with the time synchronization between the domain controller, the client system and the SAP NetWeaver system. Check that all system clocks are synchronized and have the correct time zone settings.
    Hope this helps,
    Yonko
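The skew in Chandra's trace can be measured rather than guessed. The following added example (not from the thread) pairs the JGSS "too skewed" line with the timestamp of the server's Error line and compares the gap with the Kerberos default tolerance of five minutes; it assumes the trace timestamp is in the same time zone as the GMT client time, and the function name is hypothetical.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # Kerberos default tolerance (krb5.conf "clockskew", 300 s)

# The two relevant lines, copied from the trace quoted in the question above.
SAMPLE_LOG = [
    "[JGSS_DBG_CTX] Client time Sat Feb 03 13:09:32 GMT 2007 too skewed",
    "13:04:05:373 Error Guest ~on_Thread[impl:3]_1 System.err "
    "org.ietf.jgss.GSSException, major code: 10, minor code: 37",
]

CLIENT_RE = re.compile(r"Client time (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) GMT (\d{4}) too skewed")
TRACE_RE = re.compile(r"^\s*(\d{2}):(\d{2}):(\d{2}):(\d{3}) Error\b")


def skew_events(lines):
    """Pair each JGSS 'too skewed' message with the next timestamped Error line.

    Returns dicts holding the client time from the token, the server's log time,
    the signed skew in seconds (positive: client clock ahead) and whether the
    skew exceeds MAX_SKEW.
    """
    events, client = [], None
    for line in lines:
        m = CLIENT_RE.search(line)
        if m and "[JGSS_DBG_CTX]" in line:
            client = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
            continue
        t = TRACE_RE.match(line)
        if t and client is not None:
            h, mi, s, ms = (int(x) for x in t.groups())
            server = client.replace(hour=h, minute=mi, second=s, microsecond=ms * 1000)
            skew = client - server
            # The trace line carries no date: choose the day that makes the gap smallest,
            # so a client at 00:01 and a server at 23:59 are 2 minutes apart, not 24 hours.
            if skew > timedelta(hours=12):
                skew -= timedelta(days=1)
            elif skew < -timedelta(hours=12):
                skew += timedelta(days=1)
            events.append({
                "client": client,
                "server": client - skew,
                "skew_seconds": skew.total_seconds(),
                "exceeds_tolerance": abs(skew) > MAX_SKEW,
            })
            client = None
    return events


if __name__ == "__main__":
    for e in skew_events(SAMPLE_LOG):
        print(f"client {e['client']}  server {e['server']}  "
              f"skew {e['skew_seconds']:.0f}s  over limit: {e['exceeds_tolerance']}")
```

Under the stated assumption the client clock is about 5 minutes 27 seconds ahead of the server, just past the 300-second limit, which is why the token is rejected as defective.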

  • SPNego - J2ee did not send request for authentication

    Hi All,
    I have configured SPNego and completed all setup as per documentation. When I use the browser to access the portal, it is prompting for user id and password. If we manually enter the id and password on AD, it works fine. Somehow it is not able to connect to j2ee without prompting for id and password.
    To troubleshoot this, I traced the http traffic using winshark and found that the j2ee engine did not send any request for kerberos authentication.
    Is there a way to check on the server side to make sure spnego is configured properly and the server is able to send kerberos authentication?
    Appreciate your help !
    Thanks!

    Login to your Visual Admin, then go to -->Security Provider -->com.sun.security.jgss.accept -->Krb5LoginModule
    Add a Parameter isInitiator and Value false. Save it and take a bounce of J2EE.
    This should solve your login page problem. Otherwise paste the default trace.
    You can also read my blog: Common SPNEGO Implementation Issues
    Reward points if my suggestion was helpful -

  • Web Diagtool error while testing for SPNEGO

    Dear Experts,
    I have configured SPNEGO and got some trace from web-diagtool. While connecting through portal, I get UNKNOWN ERROR in the login page. I have checked the j2ee user password and it's fine. The trace is as below,
    GSS Context created.
    12:23:45:618 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 System.out Entered Krb5Context.acceptSecContext with state=STATE_NEW
    12:23:45:618 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    12:23:45:620 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~rity.core.server.jaas.SPNegoLoginModule CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    [EXCEPTION]
    h1 GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:612)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:321)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:150)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    12:23:45:623 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~rity.core.server.jaas.SPNegoLoginModule Error during handshake (has already been reported). Authentication failed.
    12:23:45:623 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.engine.services.security Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack spnego does not authenticate the caller.
    12:23:45:623 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~m.sap.security.core.server.jaas.login() Entering method
    12:23:45:623 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas No authenticated user found.
    12:23:45:623 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with false
    12:23:45:624 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.engine.services.security No user name provided.
    12:23:45:624 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~m.sap.security.core.server.jaas.login() Entering method
    12:23:45:624 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas No authenticated user found.
    12:23:45:624 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with false
    12:23:45:624 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.engine.services.security Unsuccessful login: no login module succeeded. The size of the used authentication stack spnego is 5.
    12:23:45:625 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.engine.services.security Exception : No login module succeeded.
    java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:134)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:190)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:131)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    ..more error below

    12:23:45:626 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~m.sap.security.core.server.jaas.abort() Entering method
    12:23:45:626 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Internal Login Module data has been reset.
    12:23:45:626 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with true
    12:23:45:626 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~m.sap.security.core.server.jaas.abort() Entering method
    12:23:45:626 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with true
    12:23:45:627 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~m.sap.security.core.server.jaas.abort() Entering method
    12:23:45:627 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with true
    12:23:45:627 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~][md=getUserAccountByLogonId][cl=19874] Entering method
    12:23:45:627 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~][md=getUserAccountByLogonId][cl=19874] Found uniqueID for logonId J2EE_GUEST
    12:23:45:627 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~][md=getUserAccountByLogonId][cl=19874] Exiting method with userAccount from cache
    12:23:45:628 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~.security.core.server.jaas.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@6f6b52b2)
    12:23:45:628 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, trustedsys1=ABC,555, trusteddn1=OU=J2EE,CN=ABC}].
    12:23:45:628 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~s.constructor(Map, Properties, boolean) Entering method with ({System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Wed Mar 11 12:13:58 AST 2009}, <null>)
    12:23:45:628 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas got [ume.configuration.active]: [true]
    12:23:45:629 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas no authscheme found that has auth template spnego
    12:23:45:629 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;@6f025d43
    12:23:45:629 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~ity.core.server.jaas.getMergedOptions() Entering method
    12:23:45:629 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;@43912a5
    12:23:45:629 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
    12:23:45:629 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, system=ABC, client=555, j_authscheme=default, inclcert=0, trusteddn1=OU=J2EE,CN=ABC, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=spnego, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, trustedsys1=ABC,555, password=}].
    12:23:45:630 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method
    12:23:45:630 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~.security.core.server.jaas.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@6f6b52b2, {System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Wed Mar 11 12:13:58 AST 2009}, {ume.configuration.active=true})
    12:23:45:630 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas The options of CreateTicketLoginModule in [spnego] authentication stack are: [{ume.configuration.active=true}].
    12:23:45:630 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~s.constructor(Map, Properties, boolean) Entering method with ({System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Wed Mar 11 12:13:58 AST 2009}, <null>)
    12:23:45:630 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas got [ume.configuration.active]: [true]
    12:23:45:631 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas no authscheme found that has auth template spnego
    12:23:45:631 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;@3ef710cd
    12:23:45:631 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~ity.core.server.jaas.getMergedOptions() Entering method
    12:23:45:631 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method with [Ljava.lang.Object;@4e702306
    12:23:45:631 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas The options of CreateTicketLoginModule in [spnego] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=ABC, client=555, j_authscheme=default, inclcert=0, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, password=}].
    12:23:45:632 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas The options of CreateTicketLoginModule in [spnego] authentication stack after adding the default values are: [{ume.configuration.active=true, system=ABC, client=555, j_authscheme=default, inclcert=0, ume.logon.httponlycookie=TRUE, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=spnego, ume.logon.security.enforce_secure_cookie=FALSE, validity=8, keystore=TicketKeystore, password=}].
    12:23:45:632 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.server.jaas Exiting method
    12:23:45:632 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~.security.core.server.jaas.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@6f6b52b2, {System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Wed Mar 11 12:13:58 AST 2009}, {ume.configuration.active=true})
    12:23:45:635 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.engine.services.security Unsuccessful login: no login module succeeded. The size of the used authentication stack spnego is 5.
    12:23:45:637 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.engine.services.security Exception
    : No login module succeeded.
    java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1141)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:253)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:134)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:190)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:172)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:848)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    12:23:45:637 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~m.sap.security.core.server.jaas.abort() Entering method
    com.sap.security.core.server.jaas Exiting method with true
    12:23:45:639 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~l.SecurityAudit][md=log(...)][cl=19874] ObjectID handed over is 'null'!
    12:23:45:639 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 com.sap.security.core.util.SecurityAudit J2EE_GUEST | LOGIN.ERROR | null |  | Login Method=[default], UserID=[null], IP Address=[10.150.162.205], Reason=[No login module succeeded.]
    12:23:45:639 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~][md=getUserAccountByLogonId][cl=19874] Entering method
    12:23:45:640 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~][md=getUserAccountByLogonId][cl=19874] Found uniqueID for logonId J2EE_GUEST
    12:23:45:640 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~][md=getUserAccountByLogonId][cl=19874] Exiting method with userAccount from cache
    12:23:45:646 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~n.SAPMLogonLogic][md=doLogon][cl=22651] h1 doLogon failed
    [EXCEPTION]
    com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:943)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    12:23:45:647 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~rBean][md=ErrorBean(Message)][cl=19874] message UNKNOWN_ERROR
    12:23:45:648 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~.util.ResourceBean][md=print][cl=19874] Message ID (UNKNOWN_ERROR) not found in properties files-UNKNOWN_ERROR
    [EXCEPTION]
    java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key h1 UNKNOWN_ERROR
    at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
    at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
    at java.util.ResourceBundle.getString(ResourceBundle.java:285)
    at com.sap.security.core.util.ResourceBean.getString(ResourceBean.java:119)
    at com.sap.security.core.util.ResourceBean.print(ResourceBean.java:133)
    at sapportalsjspumLogonPage.subDoContent(_sapportalsjsp_umLogonPage.java:538)
    at sapportalsjspumLogonPage.doContent(_sapportalsjsp_umLogonPage.java:67)
    at sapportalsjspumLogonPage.service(_sapportalsjsp_umLogonPage.java:47)
    at com.sapportals.portal.prt.core.broker.PortalComponentItemFacade.service
    12:23:48:712 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_38 ~.security.core.server.jaas.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@6038a47d)
    12:23:48:712 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_38 com.sap.security.core.server.jaas The options of EvaluateTicketLoginModule in [spnego] authentication stack are: [{ume.configuration.active=true, trustediss1=OU=J2EE,CN=ABC, trustedsys1=ABC,555, trusteddn1=OU=J2EE,CN=ABC}].
    12:23:48:712 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_38 ~s.constructor(Map, Properties, boolean) Entering method with ({System-ID=ABC, sap.security.auth.configuration.name=spnego, sap.security.auth.context.object=Security Context : session (0) for J2EE_GUEST created at Wed Mar 11 12:13:58 AST 2009}, <null>)
    12:23:48:712 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_38 com.sap.security.core.server.jaas got [ume.configuration.active]: [true]
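The `SecurityAudit` `LOGIN.ERROR` record in the trace above carries the login method, user ID, client IP and failure reason. The following added example (not part of the original post and not SAP tooling) parses such records and groups failures by source address. The record layout is inferred from the one record shown, the function names are hypothetical, and every sample line except the two copied from the trace is constructed.

```python
import re
from collections import defaultdict

# Layout of a SecurityAudit record as it appears in the trace above (inferred):
#   time severity user thread logger  actor | EVENT | object | detail | Key=[value], ...
AUDIT_RE = re.compile(
    r"^\s*(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<severity>\w+)\s+.*?"
    r"SecurityAudit\s+(?P<actor>\S+)\s*\|\s*(?P<event>[A-Z_.]+)\s*\|"
    r"[^|]*\|[^|]*\|\s*(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"([A-Za-z ]+)=\[([^\]]*)\]")

def parse_audit_line(line):
    """Return a dict for a SecurityAudit record, or None for any other trace line."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("time", "severity", "actor", "event")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key.strip()] = None if value == "null" else value
    return rec

def login_errors_by_source(lines):
    """Group LOGIN.ERROR records by client IP: failure count and the user IDs seen."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["event"] != "LOGIN.ERROR":
            continue
        entry = summary[rec.get("IP Address") or "unknown"]
        entry["count"] += 1
        # UserID=[null] means no login module established an identity at all.
        entry["users"].add(rec.get("UserID") or "<none>")
    return dict(summary)

PREFIX = ("Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 "
          "com.sap.security.core.util.SecurityAudit J2EE_GUEST | LOGIN.ERROR | null |  | ")
SAMPLE_LINES = [
    # The first two lines are copied from the trace above; the last two are constructed.
    "12:23:45:639 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_0 ~l.SecurityAudit][md=log(...)][cl=19874] ObjectID handed over is 'null'!",
    "12:23:45:639 " + PREFIX + "Login Method=[default], UserID=[null], IP Address=[10.150.162.205], Reason=[No login module succeeded.]",
    "12:24:01:102 " + PREFIX + "Login Method=[default], UserID=[null], IP Address=[192.0.2.10], Reason=[No login module succeeded.]",
    "12:24:03:517 " + PREFIX + "Login Method=[default], UserID=[jdoe], IP Address=[192.0.2.10], Reason=[No login module succeeded.]",
]

if __name__ == "__main__":
    for ip, entry in sorted(login_errors_by_source(SAMPLE_LINES).items()):
        print(ip, entry["count"], sorted(entry["users"]))
```

A source that only ever fails with `UserID=[null]` never got as far as presenting an identity, which is worth separating from failures that name a user.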

  • Login as DOMAINUsername possible in SPNego?

    Hi,
    I just implemented SPNego and it is working, but when a user is not logged into the domain, the user has to log in by typing the username in the authentication window like [email protected] and not like DOMAINUsername. Do you know if this is possible? I've been told of an SPNego implementation that is working with DOMAINUsername, but I don't know how to do it or even if it is possible.
    Thanks in advance!
    Kind Regards,
    Gerardo J

    Hi,
    I just made a test and it is working the way we are expecting: with a standard installation of SPNego we are able to log in as DOMAIN/Username. Maybe we made the tests with wrong usernames, or maybe (but less probably) it is working now because we pointed SPNego and the Portal to the ADS on port 3268, which can see all domains.
    Also, can somebody help me out with rewarding points? I don't see the radio buttons to select the points. Has something changed in the forums?
    Kind Regards,
    Gerardo J

  • SPNego still allowing non Kerberos Logons

    After exhaustive searches and attempts, I thought I had the SPNegoLoginModule installed.  These are the steps that I have followed.
    1.     Created a service user in the user directory used by the KDC.
    2.     Created the keytab file and transferred it to the J2EE server. ***Note that I have found that the directions in help.sap.com are different for NW2004 and NW2004s! It seems there is an additional step there. I am running EP6 SPS15 and using NW2004.
    3.     Created krb5.conf
    4.     Added the 3 lines to the UME.
    5.     Configured the logon stacks. ***Note and warning: there is a difference between the instructions for NW2004 and NW2004s! Coming from an environment that never had to deal with this step before, I admit that I was totally lost on my first attempts.
    6.     Configured ADS data source for Kerberos Authentication.
    7.     Configured IE for Kerberos Authentication.
    I restarted the engine and I was able to log on to the Portal.   Victory, NO!
    I wanted to test so I undid step 7.  I was STILL able to log in.  SPNego is not working.  Not finding any other docs, I went to the VA and changed the SAP-J2EE-Engine logon module to SPNegoLoginModule.  DO NOT DO THIS!  The engine comes up, SPNego is still not working and you can no longer get into the VA.  I had to manually change the security settings in the configtool just to activate SAP* to undo the damage.
    The only thing I can think of that is still letting me log in is that I use MSADS as my LDAP.  In configuring the ADS for Kerberos I add the lines of code to the existing code that was used.  Is this the correct way to do this?
    Anyone see a step that I missed?

    Hello David.
    I've made the same mistake:
    I went to the VA and changed the SAP-J2EE-Engine logon module to SPNegoLoginModule.
    So could you tell me, how can I log on to VA now?
    Where can I activate SAP*?
    I've set the value ume.superadmin.activated = true, but I still cannot log on to VA.
    And could you tell me where I need to define my SPNegoLoginModule for SPNego to work correctly?
    If you have configured SSO using SPNego and have a step-by-step manual for it, could you send it to me?
    Best Regards!
    Vitali

  • SPNego, Reverse Proxy?

    We all know that we should be switching to SPNego and I am trying to set up a new portal with it now. 
    My question is, if we are to use SPNego now, how does that act as a reverse proxy?  This is supposed to be replacing IISProxy, right?

    Hi David,
    I guess it is a little late... SPNego is not for reverse proxying.
    It is used for authentication purposes.
    Kind Regards,
    Gerardo J

  • SPNego: User ID Mapping

    Hi Gurus,
    We have a requirement to have SSO between user Microsoft credentials and SAP Portal.
    The challenge here is that the user name in Microsoft credentials is different from the Portal user, so we need to authenticate the user against ADS and then set up the SAP Logon Ticket with the Portal user ID.
    We will be using the same ADS for both SPNego and SAP Portal UME, but as we need a different ID for SAP Portal we will do an attribute mapping for that purpose.
    For example:
    ADS User = 20 characters
    Portal user = 8 characters
    SAP Logon Ticket generated with 8 characters Portal user.
    Thanks in advance.
    Rogelio

    Hi Rogelio,
    please have a look into SAP Library. There you will find detailed instructions on how to use Kerberos authentication for Single Sign-on with SAP NetWeaver Portal [http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm]. Contemplating your requirements (Kerberos Principal Name is different from portal user name), I suggest you pay special attention to the subsections Configuring the UME [http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bba9d9e5e5f6ce10000000a1553f6/frameset.htm] and Configuring the UME when Using ADS Data Sources for Kerberos [http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4c363ac31e30f3e10000000a11466f/frameset.htm].
    Best regards,
    Martin
