Login as DOMAINUsername posible in SPNego?
Hi,
I just implemented SPNego and is working but when a user is not loged into the domain the user has to login typing in the authentication window the username like [email protected] and not like DOMAINUsername, do you know if this is posible? I´ve been told of an SPNego implementation that is working as DOMAINUsername but don´t know how to do it or even if it is possible.
Thanx in Advanced!
Kind Regards,
Gerardo J
Hi,
I just made a Test and it is working the way we are expecting, with standard installation of the SPNego we are able to login as DOMAIN/Username, maybe we made the tests with wrong usernames or maybe but less probable is working now cause we pointed to the SPNego and Portal to the ADS in port 3268 which can see all domains.
Also can somebody help me out on rewarding points cause I don´t see the radio buttons to select the points, has something changed in the Forums?
Kind Regards,
Gerardo J
Similar Messages
-
Hi,
We have configured the Secure login Server and enabled the SPNEGO. We are getting the certificates and able to fully get the features of X.509 and Kerberos functionallity in ABAP.
However in the case of JAVA stack it is not taking the windows authentication and logging in instead prompting to enter the user name and password.
Any help on this is appreciated.
Regards
MukunthanHi,
Following is the log trace. I am using AS JAVA 7.4. From security trouble shooting wizard, i pulled the trace.
Trace as follows
Can't map exception.
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:131)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:280)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:876)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:453)
at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook(SecurityHookService.java:151)
at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook.java:383)
at com.sap.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:136)
at com.sap.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:49)
at com.sap.portal.prt.pom.PortalNode.createComponentNode(PortalNode.java:270)
at com.sap.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:445)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:202)
at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.prt.dispatcher.CustomHeaderFilter.doFilter(CustomHeaderFilter.java:58)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:334)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:490)
at com.sap.portal.navigation.Gateway.service(Gateway.java:161)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.portal.prt.dispatcher.CustomHeaderFilter.doFilter(CustomHeaderFilter.java:58)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:278)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
Caused by: javax.security.auth.login.LoginException: Trigger SPNEGO authentication.
at com.sap.security.core.server.jaas.SPNegoLoginModule.initialStateException(SPNegoLoginModule.java:366)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:173)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:66)
... 64 more
Regrds
Mukunthan -
SSO issue in Upgraded Netweaver 7.4
Hi experts,
We have completed the SAP Portal Upgrade from Netweaver 7.0 to 7.4 .
In Netweaver 7.0 , we have configured SSO between windows active directory to Portal with help of SAP note 1457499 & attached configuration guide. it worked fine before the upgrade process.
but now in the Netweaver 7.4 which is not worked so again we configured the SSO as per the below SCN Link step 4 for Configuring the SSO between Java & Windows active directory.After completing that configuration also still SSO is not working.
please provide us your valuable suggestion to fix the SSO in Netweaver 7.4.
SSO configuration in SCN : Single Sign-On with Kerberos (Enable Single Sign-On on SAP AS JAVA)
Regards
Sebastian AHi Sebastian,
There is not a massive difference in the spnego from 7.0 to 7.4, the main difference that the 7.4 system can generate a keytab file itself as it comes with a 1.6 jdk. if you imported an old keytab file I suggest you run the wizard again and use the one it generates.
Have you collected any traces, if not try the reproduce the issue (on a fresh browser session) while the troublshooting wizard is running, (example 1 from note 1332726). You should see the initial part of spnego (it will be a failed login with the error "Trigger spnego athentication" then if all seems ok on the AD/browser side and there are no decryption issues a kerberos token should be recieved then we should see another login were the spnegomodule deals with the token, you can upload the output of this trace for assistance.
Best regards,
Cathal -
SPNEGO Login module Stack issue: Could not validate SPNEGO token
Hello to all,
We are deploying a SAP Netweavear 7.3 Enterprise Portal with SPNego login module activated.
We are performing some tests (performances and concurrent accesses).
During the tests we have found several times the folloiwing Issue linked to the spnego.
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.NumberFormatException: multiple points
at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
at java.lang.Double.parseDouble(Double.java:510)
at java.text.DigitList.getDouble(DigitList.java:151)
at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
at java.text.DateFormat.parse(DateFormat.java:335)
at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
The user rlinked to this user is Guest.
could you please advice us how to solve this reccuring issue?
Kind regards
Julien LEFEVREHello Cathal,
Thank you for your answer.
In fact the new spnego wizard of the SAP Enterprise Portal 7.3 is used to get the the two keys files. The SAP Jvm is used in fact with the 1.6.1.
And in fact , it functions perfectly sometimes. but during the test of massive access ( More than 30 conurent users), I have this error that comes frequently.
Best regards
Julien LEFEVRE -
SPNEGO in portal with abap data source + mapping on login & alias id
Hello
I successfully set up the new spnego autentification (with AD) on our EP7 portal.
Spnego module is configured with Mapping mod u201Cprincipal onlyu201D with source u201Clogin idu201D.
SSO is working perfectly for all users with the same u2018sap loginu2019 as the AD login. ( they can use portal to connect on all sap ECC6 server true iview without login& password )
But for user with login name different between AD and SAP , this doesnu2019t work. They have to enter their sap login & password on the portal. So spnego is not working for them.
Such user have different login name between AD et SAP because abap system limit user length to 12 caracters. So I could not change abap username.
And I could not change their AD login name. ( too much impact).
Exemple :
p.nametoolong = 13 character on AD but too long for abap
p.name = 6 ok for abap but different from AD login name.
So if I could not change login id I have to work on user mapping.
The Portal UME use our abab CUA as datasource. So I could not set up user mapping inside the u201Cuser management u201C
A solution could be that Spnego mapping use as source the u201Calias idu201D and not the u201Clogin idu201D.
So I have to set all the u201Calias idu201D. I can do a script for copying in su01 all u201Clogin idu201D to u201Calias idu201D and then edit the u201Calias idu201D of user with a different AD login. ( by the way do you know a tx for that ? )
But this is a little dirtyu2026 is there a simple way to do that ?
it would be perfect if i could do mapping on user id or on alias id if it set. So that i should only manage the alias id user with a AD name different... is that possible ?
thank you !
cdlt
GSV
Edited by: Patrick FABRIES on Oct 4, 2011 12:08 PM
Edited by: Patrick FABRIES on Oct 4, 2011 12:11 PMHi Patrick,
Even if you perform this operation, the situation will worsen overtime.
By the way, if you still want to do it, this is pretty simple: call 'BAPI_USER_CHANGE' with the username and pass:
ALIAS = <new alias>
ALIASX = 'X'
Isn't there another attribute that you could use as a pivot: e-mail, maybe?
Best regards,
Guillaume -
SPNego - LOGIN.FAILED error
Hello,
Hello gurus,
we have installed BI 7.0 SP15 with Portal as the java side of the BI (double stack). We have CI + 3 dia instances.
We get the following error only on the CI server:
LOGIN.FAILED
User: N/A
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null
2. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok false
3. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok false
The problem is that the SPNego authentication is not working on that server, we get the logon screen. On the other servers the authentication is working perfectly.
What I've checked:
*The spn is set correctly.
*The wizard was configured.
Please advice,
Dimitry HaritonovAre you use Windows x64? Per Note 716604 - Access to Sun J2SE and recommended J2SE options
your 1.4.2_17 -->
With 1.4.2_14 - 1.4.2_17 you get an exception using Kerberos authentication with WebAS Java
Best for you open OSS call to SAP -->
http://service.sap.com/message
Regards. -
SPNego - Login Screen Appears for IE Browser in Some machines.
Hi,
We've done the SPNEGO Implementation for Portal SSO.
All the settings related to KDC in AD server, Portal WAS and IE browser client settings have been done.
In most of the machines with WINDOWS XP SP2, portal login screen is not getting appeared in IE and so SPNEGO is working fine.
But in few machines with WINDOWS XP SP2, portal login screen appears although the IE client setting like adding the portal url in Security Local Intranet, enabling integrated windows authothentication, enabling automatic logon in intranet zone is done.
We have even followed the SAP Note 934138 and installed Microsoft hotfix KB899587, but still some machines with Windows XP SP2 are facing this issue.
Thanks,
Regards,
Aditya MetukulHI Aditya,
This might be due to proxy settings. Go to your IE -> Tools-> Internet Options -> Connections ->LAN settings -> If you are using Proxy settings then go to Advanced tab -> and add the portal URL under "Do not use Proxy servers for address beninging with".
Regards
Deb
Edited by: Debasish Sarkar on Dec 8, 2008 7:20 PM -
SPNego login using additional attribute in LDAP
Hello experts,
We have a situation here to implement SPNego login for portal.
We have integrated LDAP with portal and the j_user is mapped to an additional parameter (for ex, employee number) to enable the user to use this as a login-id instead of the default user-id.
Say if the user is logged in with user-id : XYZ and for portal we are picking up the additional parameter (ex ,. ABC) from LDAP for login.
But SPNego takes only the default user-id (XYZ) from windows. Can we cusomize SPNego to pick up additional attribute (ABC) to authenticate portal?
Regards,
Nirmal Sivakumar G
Edited by: Nirmal G on Feb 3, 2009 12:47 PMHi,
pls. check steps provided in documentation:
http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
Best regards,
Johannes -
SPNego Login fails while using MacOS 10.4 and Firefox
Hello,
we are running an EP6 NW04 SPS 19 on an HP UX. For authentification we
configured kerberos via spnego. This is working fine for all windows
clients and the browsers ie6, ie7 and firefox.
While using Firefox on MacOS X it is not working. We analyzed the error.It is the following
error message in the trace file:
Decoding error in parsing of spnego token.
[EXCEPTION]
iaik.asn1.CodingException: ASN.1 creation error:SPNego OID expected.
Found 1.2.840.113554.1.2.2
As you can see, the mac client is sending the raw kerberos ticket. How
does the WAS handles this ticket?
Kind Regards,
OliverOliver,
The SAP SPNEGO login module supports OID 1.3.6.1.5.5.2 only, which is the OID for SPNEGO protocol, and this is why it is called an SPNEGO login module. It does not support other OIDS such as RFC1964 Kerberos V5 (1.2.840.113554.1.2.2) or NTLM (1.3.6.1.4.1.311.2.2.10). If you need to support other OIDS, and not just SPNEGO then you need to use a different login module. I can help you with that if you are interested since my company has a product (comprising a login module which uses Kerberos) which supports SPNEGO as well as other OIDS - it is not 100% SPNEGO based like the login module available from SAP.
Thanks,
Tim -
SPNEGO Login Module - SSO configuration
Hi All,
Is there anyone have configure SPNEGO successfully ?
Can you share how to do it ?
Because even during registration of http/... to service user I have already facing problem which prompt me wrong command though the keytab generation having no problem.
Best Regards,
DediDedi,
Please goto this location for the kerberos Configuration.
http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm
If you are using SP14 then you have to deploy the SPNEGO.sda for the login module. However it comes by default with SP15. SO i would suggest you to use SP15.
If you find this helpful then do reward points.
James -
No Logout/ Re-Login after SPNEGO authentification
Hi experts.
I configured our portal (7/SP12) using SSO via SPENGO/KERBEROS.
Everything works fine expact the fact, that the user cannot logout anymore. The logout popup appears, but after accepting the logout the user is again on the landing page in the portal.
where is my wrong setting? did I make a mistake in the orde of the login modules?
thanks for your infos in advance
cheers
jürgenHi ,
check by entering url http://<yourhost:port>/irj/portal?logout_submit=1 in your portal page. If it logout , Portal logoff feature is okay .
Did you change any settings previously related to this feature?
Koti Reddy -
Hi,
I'm trying to configure SSO for my web application using IIS as webserver
and the IIS-Weblogic proxy plugin provided by bea. I use Weblogic 8.1 SP4.
I followed the procedure described in the dev2dev documentation and now I am
stuck with a ntlm vs spnego issue.
Here is what I get from a full security debug in my Weblogic log:
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <Found NTLM token
when expecting SPNEGO>
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
My iis plugin log shows that everything seems to be ok, the client first
receives a 401 response and then sends a [WWW-Authenticate] Negociate
header, including a Kerberos token in base 64. The only problem is that it
seems that this token is ntlm instead of spnego:
Thu Jun 09 13:50:07 2005 WLS info in sendRequest: myweblogicserver.com
recycled? 0
Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
Unauthorized xxx
Thu Jun 09 13:50:07 2005 Hdrs from client:[Authorization]=[Negotiate
TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
Thu Jun 09 13:50:07 2005 Hdrs to WLS:[Authorization]=[Negotiate
TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
Unauthorized xxx
as a result of all this, I get a basic authentication prompt when I try to
access my web application.
any help would be greatly appreciated.
Thanks!Hi,
Thanks for your information. I finally managed to solve my ntlm/spnego
issue. In fact, it seems that I had no problem other than trying to test it
from the same computer on which my WLS is installed. When I invoke my web
application from another computer on the network, I dont get this
ntlm/spnego issue.
But now I have another problem. First, when I try to access my web
application, WLS prompts me (in the server window) for the password of the
SPN account for my server. I though it was supposed to use the keytab file
for it, but anyway, this is maybe a part of my problem.
If I type the correct password, it continues, but I get this chained
exception:
>
GSSException: No valid credentials provided (Mechanism level: Attempt to
obtain new ACCEPT credentials failed!)
Caused by: javax.security.auth.login.LoginException: Pre-authentication
information was invalid (24)
Caused by: KrbException: Pre-authentication information was invalid (24)
Caused by: KrbException: Identifier doesn't match expected value (906)The root cause seems to be "Identifier doesnt match expected value".. I
really dont know what it means. I am still trying to solve this so any help
would be appreciated and I will also post any other information I get on the
subject.
Thanks
<regis piccand> a ?crit dans le message de news:
[email protected]..
Hi,
I am currently trying to achieve the same configuration, and I noticed
that this happens when, in the setup of the Single Passe Negotiate
Identity Asserter, you choose the SPNEGO.AtnAssertion type (which seems to
be here only for compatibility reason - see
http://e-docs.bea.com/wles/docs42/adminguide/providers.html#1150785).
Removing this type helped in my case. However, I am now stuck with a GSS
exception No Valid Credentials provided (see my post at
http://forums.bea.com/bea/thread.jspa?threadID=600004578&tstart=0)
Hope this helps,
Kind regards,
Regis -
Logoff not working after SPNego Authentication
Hi Experts,
Configured SPNego authentication sucessfully.
But after clicking logoff button again logged in back again.
As per some advice, done as follows
Example: Portal SSO URL: http://portal.example.com
Create a URL like http://nonssoportal.example.com (Create the name in the DNS and point it to the IP of your portal server)
Changed the logoff paramter to point to the new URL. After restart once logoff clicks went to new URL but still SSO ticket authenticating.
I need to get the login page again so that i can login with administrator or other test user IDs.
Please post your suggestions.
Regards,
Raja. GHi,
Created the alias for that server and made the logoff URL as http://<alias of the server>:<port>/irj/portal.
Now am able to achieve the login page however it is asking for the windows authentication while logging off.
If we click cancel then we can able to achieve the login page.
Any idea to avoid the popup for asking windows credentials?
Regards,
Raja. G -
Hello consultant:
We are trying configurated SSO usind SPNEGO module
We have a portal 7.0 ehp1 and Active Directory Microsoft versión 2003 native
we have followed the steps described in note Sap 1457499"Note 1457499 - SPNego add-on"
When we have logged with user Active Directory and we try access to portal we obtain following error:
Authorization check user error
We have Deploy the Web diagtool from SAP Note 1045019 on the J2EE server, run it and perform the
following steps:
1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool
Then we have reproduce the problem and stop the tool. The generated zip file will contain following error:
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
java.lang.Exception: Checksum error.
at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Could you help us?
Many thanks for your collaboration<< Do not post the same question across a number of forums >>
-
Help-kerberos works with spnego keytab file but not in netbeans and Metro
Hi,
Appreciate if someone can shed some light on this problem and guide on what else am I missing.
I'm trying to call .NET based WCF webservice (MS Dynamics CRM - OrganizationSvc) from a java client. Started looking at Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke web service. However the challenge was using Kerberos based authentication and related setup.
I primarily followed the link below which was very helpful but had to dig more to get more specific details.
http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
Tried to follow netbeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So, came across SPNEGO and used their examples, made changes accordingly and after experimenting with various configuration settings(krb5.conf and login.conf), finallyI was able to run HelloKDC & HelloKeytab files successfully.
krb5.conf_
[libdefaults]
default_realm = NA.CONVERGYS.COM
[realms]
NA.CONVERGYS.COM = {
kdc = CDCWW13.na.convergys.com
admin_server = CDCWW13.na.convergys.com
[domain_realm]
.na.convergys.com = NA.CONVERGYS.COM
login.conf_
spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
doNotPrompt=false
storeKey=true
principal="HOST/ORLDWV705.na.convergys.com"
debug=true;
C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
[1] Service principal: HOST/[email protected]
KVNO: 7
With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.
http://spnego.sourceforge.net/index.html
http://spnego.sourceforge.net/client_keytab.html
http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
1) noticed that sc:KerberosConfig element in wsit-client.xml does not get updated automatically in netbeans ide, so manually edited to put the entries.
2) also followed the setup required in glassfish domain.xml & login.conf xml.
3) also noticed that netbeans setup requires us to use C:\Windows\krb5.ini file which is nothing but krb5.conf file referred elsewhere.)
wsit-client.xml_
<wsp:Policy wsu:Id="ClientKerberosPolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sc:KerberosConfig wspp:visibility="private"
loginModule="KerberosClient"
servicePrincipal="HOST/ORLDWV705.na.convergys.com"
credentialDelegation="true" />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
ERROR
INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
SEVERE: WSITPVD0050: Error while Securing Request Message.
com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (i tried to search open source code, but this line did'nt match exactly)
at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
SEVERE: SEC2004: Container-auth: wss: Error securing request
javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more
WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
... 40 more
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more
Edited by: user6748004 on Feb 3, 2011 5:36 PM
Edited by: user6748004 on Feb 3, 2011 5:38 PMHi Gasha,
The only change I did after this, was to try and use 'KerberosServer' configuration from the wsit-client.xml. Atleast, this enabled the glassfish application to load the configuration related to keytab etc, and use it to communicate with the WCF service for negotiation.
<sc:KerberosConfig wspp:visibility="private"
loginModule="KerberosServer"
servicePrincipal="HOST/ORLDWV705.na.convergys.com"
credentialDelegation="true" />
login.conf has
KerberosServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
doNotPrompt=false
storeKey=true
principal="HOST/ORLDWV705.na.convergys.com"
debug=true;
fyi.. Used the following way to create the keytab
Keytab was created using below instructions
ktpass -princ HOST/[email protected]
-mapUser [email protected]
-mapOp set
-pass *
-crypto DES-CBC-MD5
-pType KRB5_NT_PRINCIPAL
-out orldwv705.keytab
Targeting domain controller: CDCWW13.na.convergys.com
Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
Key created.
Output keytab to orldwv705.keytab:
Keytab version: 0x502
keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using set SPN commands on the AD of the server where CRM is installed.
With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I did'nt get any success.
This is where I'm struck now. What I don't know is if there is another setup from which we can try a similar interoperability example for ex.. weblogic 10.1 & eclipse which is more close to our real environment.
SEVERE: SEC2004: Container-auth: wss: Error securing request
java.lang.IllegalArgumentException: Missing argument
at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)
Edited by: user6748004 on Apr 8, 2011 10:39 AM
Maybe you are looking for
-
How can i sort a list of pages in CQ?
Hello I have a structure like this in CQ: /content/mywebsite/page3 /content/mywebsite/page1 /content/mywebsite/page5 /content/mywebsite/page2 /content/mywebsite/page4 when i open mywebsite i see a menu with the list of pages in it like this: page3 pa
-
How can I get rid of signature warnings in forms?
I was using LiveCycle to create and store about 100 forms for my company. Recently I started redoing all the forms in Acrobat Pro v9 so I could use the same field names in merged documents, something I couldn't do with LiveCycle. Adobe Reader users a
-
Where can I find the error log of adobe premiere CC
Adobe premiere CC is doing very weird things this last month. When I open adobe I get a really weird setup. When I move everything back in order it's ok again. I save the new order under the same name (overlapping) but when I start adobe again, every
-
Is there a way to sort my iTunes library (both on the Mac and iPhone) by the artist's last name? For example, Dylan instead of Bob, Lennon instead of John, etc.?
-
Hi Gurus, We are using assembly order process. As you know whenever I create a sales order, production order is also created at the same time. But now our problem is whenever I make changes in the sales order, it is taking to production order screen