LoginException SPNEGO WL - Windows AD

Hi,
I am able to see the user and his groups in the WebLogic console, but when I try to log in it gives a LoginException. Please help me resolve this issue.
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829685> <BEA-000000> <LDAP Atn Login username: hdedhia>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829685> <BEA-000000> <userExists? user:hdedhia>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829685> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829685> <BEA-000000> <getDNForUser search ("ou=people,ou=myrealm,dc=ArmorDomain", "(&(uid=hdedhia)(objectclass=person))", base DN & below)>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829686> <BEA-000000> <DN for user hdedhia: null>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829686> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829686> <BEA-000000> <user does not exist, user:hdedhia>
####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <tlondbcmps51.maninvestments.com> <AdminServer> <ARMAAL> <<WLS Kernel>> <> <> <1410874829686> <BEA-000000> <javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User hdedhia does not exist
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:194)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity(IdentityAssertionCallbackServiceImpl.java:142)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.inv
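The record stream above can be read mechanically. This added Python example (not from the post) parses WebLogic's ####<...> debug record format, pulls out the asserted user, the bind DN, and the search base and filter from the getDNForUser record, and notes that ou=people,ou=myrealm,dc=... is the layout of WebLogic's embedded LDAP store; its sample log is constructed in the shape of the one above with a made-up user name.

```python
"""Triage WebLogic SecurityAtn debug records for a failed identity assertion.
Added example, not code from the original post. SAMPLE_LOG is constructed to
copy the shape of the records in the post (one record per "####" marker, twelve
angle-bracketed fields); the user name is made up."""
import re
from typing import Dict, List

PREFIX = ("####<Sep 16, 2014 2:40:29 PM BST> <Debug> <SecurityAtn> <host1> <AdminServer> "
          "<ARMAAL> <<WLS Kernel>> <> <> <1410874829685> <BEA-000000> ")
SAMPLE_LOG = "\n".join(PREFIX + "<%s>" % msg for msg in [
    "LDAP Atn Login username: jdoe",
    "userExists? user:jdoe",
    'getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}',
    'getDNForUser search ("ou=people,ou=myrealm,dc=ArmorDomain", '
    '"(&(uid=jdoe)(objectclass=person))", base DN & below)',
    "DN for user jdoe: null",
    "user does not exist, user:jdoe",
    "javax.security.auth.login.LoginException: [Security:090300]"
    "Identity Assertion Failed: User jdoe does not exist",
])

SEARCH_RE = re.compile(r'getDNForUser search \("([^"]+)",\s*"([^"]+)"')
BIND_RE = re.compile(r'getConnection return conn:LDAPConnection \{.*bindDN:"([^"]*)"')
NULL_DN_RE = re.compile(r"DN for user (\S+): null")
FAIL_RE = re.compile(r"\[Security:090300\]Identity Assertion Failed: User (\S+) does not exist")
# ou=people,ou=myrealm,dc=<domain> is the layout of WebLogic's embedded LDAP
# (the DefaultAuthenticator's store); an Active Directory tree looks different.
EMBEDDED_LDAP_BASE = re.compile(r"^ou=people,ou=myrealm,dc=", re.IGNORECASE)


def split_fields(record: str) -> List[str]:
    """Split one record into its angle-bracketed fields. Nested brackets, such as
    <<WLS Kernel>> or a '<' inside a message, stay inside their field."""
    fields, buf, depth = [], [], 0
    for ch in record:
        if ch == "<":
            depth += 1
            if depth == 1:
                continue
        elif ch == ">":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
                continue
        if depth >= 1:
            buf.append(ch)
    return fields


def parse_records(log: str) -> List[Dict[str, str]]:
    """Return {'time', 'subsystem', 'message'} for every record with all 12 fields."""
    records = []
    for raw in log.split("####"):
        fields = split_fields(raw.strip())
        if len(fields) >= 12:
            records.append({"time": fields[0], "subsystem": fields[2], "message": fields[11]})
    return records


def triage(log: str) -> Dict[str, object]:
    """Who was asserted, where the LDAP authenticator looked, how it bound, and
    whether the assertion was rejected."""
    s: Dict[str, object] = {"user": None, "bind_dn": None, "base_dn": None, "filter": None,
                            "dn_found": None, "assertion_failed": False, "embedded_ldap": False}
    for rec in parse_records(log):
        if rec["subsystem"] != "SecurityAtn":
            continue
        msg = rec["message"]
        m_bind, m_search = BIND_RE.search(msg), SEARCH_RE.search(msg)
        if msg.startswith("LDAP Atn Login username: "):
            s["user"] = msg.split(": ", 1)[1]
        elif m_bind:
            s["bind_dn"] = m_bind.group(1)
        elif m_search:
            s["base_dn"], s["filter"] = m_search.group(1), m_search.group(2)
            s["embedded_ldap"] = bool(EMBEDDED_LDAP_BASE.match(m_search.group(1)))
        elif NULL_DN_RE.search(msg):
            s["dn_found"] = False
        elif FAIL_RE.search(msg):
            s["assertion_failed"] = True
    return s


def verdict(s: Dict[str, object]) -> str:
    """One-line reading of a triage result."""
    if not s["assertion_failed"]:
        return "no identity-assertion failure in this log"
    parts = ["identity assertion for %s rejected" % s["user"]]
    if s["dn_found"] is False:
        parts.append("lookup in %s with filter %s returned no DN" % (s["base_dn"], s["filter"]))
    if s["embedded_ldap"]:
        parts.append("that base DN is the embedded LDAP tree, so the rejecting login "
                     "module belongs to the authenticator backed by embedded LDAP")
    if s["bind_dn"] == "":
        parts.append("the directory search used an anonymous bind")
    return "; ".join(parts)


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```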

It only needs to be done where there is a CMS (per your scenario SIA1 & 2).
[Section 1|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977] of my doc details planning your service account(s)
Regards,
Tim

Similar Messages

  • SPNEGO  and Windows 2008

    Hello,
    We've had SPNego integrated authentication for Windows working with our EP for some time.
    Our company is moving to W2k8 domains and DCs (KDCs) for this question.
    When one of our KDC functional servers has been replaced, it appears that the SPNego authentication function has started to fail upon restart of the Java\EP system.
    Can anyone provide any info as to what might need to change for the continued use of SPNego authentication against a W2k8 KDC?
    Upon pointing the Java\EP system back to a W2k3 KDC the implementation continues to work. So it looks to be Windows version related.
    Appreciate any help. Not seeing much from SAP areas possibly related to this?
    Rick

    Hi,
    >the Windows 2008 R2 server does not support DES encryption by default. So you have to enable it manually
    This workaround works but is not secure: DES has been abandoned as the default because it has been compromised.
    The real solution is to use the new SAP SPNEGO/Kerberos implementation, which is able to use RC4 or AES.
    If you cannot because of an insufficient release or SP level, you have to do what we had to do in my company: buy a third-party product which is able to use RC4 even for NetWeaver 7.0 J2EE.
    The security team has forbidden the use of DES in my company...
    Regards,
    Olivier

  • SPNego and Windows domain

    Hi,
    just to make sure: when the Windows 2003 domain is MYDOMAIN and not MYDOMAIN.COM or anything with a dot in it (so users log on via MYDOMAIN\username), but the FQDN of the J2EE server is j2eehost.mydomain.com, then MYDOMAIN should be used to create the keytab file, instead of MYDOMAIN.COM, correct?
    Thus host/j2eehost.mydomain.com@MYDOMAIN instead of host/[email protected] is the service principal name?

    Hi Yonko,
    thanks again. Yes, I understand why you would assume that there would be a MYDOMAIN.COM domain, but there isn't as far as I know (result of upgrades all the way back from NT4).
    I actually forgot to write that the Windows logon dialog shows DOMAIN, but the FQDN is AMUCHBIGGERDOMAIN.COM. For example, the logon is COMPANYNAME\username, but the FQDNs of all servers (all domain members) are host.globalcompanyname.com
    Interestingly enough, we cannot log on using [email protected]
    Nonetheless, I'll double check using TweakUI.
    Cheers
    Marcel

  • How to logon with different user when use of SPNego

    Hi
    We have implemented SPNego as Windows Integrated Authentication, but how do you log off the portal to log on with another user?
    Since the users are authenticated when logging on to the network from their client PC, the user will be using the standard logon page. But when logging off the portal, the users are automatically redirected and logged back in to the portal.
    I have created an HTML page which the users are redirected to by use of the ume.redirect.url. But how to log on to the portal again?
    When entering the portal URL, the users are once more directly logged in due to the SPNego configuration.
    I need to develop a new logon page where the users are able to enter another user ID and password to enter the portal.
    Regards
    Kay-Arne

    Hi Kay-Arne
    The whole idea of Windows authentication is to remove the need for a user to enter a username and password. If you want a user not to get the automatic logon, then you'll need to access the portal with a URL that is in a different domain.
    Cheers

  • Different user IDs in LDAP and R/3

    Hi,
    EP 6.0 SP20
    We have configured Single Sign-On from portal to R/3. Works great... Then we started out to use LDAP for portal user management. Performed the configuration in the portal and this works fine as well.
    My main issue is that the LDAP user ID and the R/3 user ID are not the same and hence we would not be able to perform Single Sign-On.
    For example the LDAP user ID name of an employee is "peterc" whereas the LDAP user id name of that employee is "peter.cuddihy". Hence the single sign-on does not work. We want to use LDAP as the user database as we also intend to configure SPNego for Windows based authentication.
    Is there any way that I can create the portal user id to be "peter.cuddihy" and map this user to "peterc"?
    NOTE: We do not want to use the User Mapping functionality. It is too much to do the user mapping for the number of users we have, and also because of the security involved in this method.
    Any help
    gogol

    Hi gurus,
    I am not sure if I am missing something, but it looks like the Login tickets would not work if the LDAP user ID and the R/3 user ID are the same. Is user mapping the only way to go if the LDAP user ID and the R/3 user ID are different? Can't we still in some way use logon tickets from the portal (with LDAP as user data source) to R/3?
    please advise
    regards
    Raj

  • BI & Portal integration. Import BW certificate to the Portal -

    Hi
    We are in the process of integrating our newly upgraded BI 7.01 system with EP 7.01.
    We are trying to integrate the BI system with our central portal, which has BI components installed. Also, this portal has been configured with SPNEGO for Windows integrated authentication and we use Microsoft LDAP as our UME.
    As per the documentation, I could not find the option for com.sap.security.core.server.jaas.evaluateticketloginmodule, as I can only see the SPNEGO template, since we configured SPNEGO for Windows integrated authentication. Can I skip this step? If so, what are the implications? I see that this step (see below) is required for accepting SAP logon tickets from the BI system as an external system.
    In the Service Security Provider under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts the SAP Logon Tickets from the BI system as an external system.
    7. Start the Visual Administrator with %INSTALLATION_ROOT%\admin\go.
    8. Connect to the portal server.
    9. In the tree, choose <SID>/Server<#>/Services/Security Provider.
    10. Under Component, choose Ticket.
    11. Choose the Authentication tab page.
    12. Change the options for com.sap.security.core.server.jaas.EvaluateTicketLoginModule and enter the following values:
    trustedsys<Number>=<BW_SID>, <BW_CLIENT> (for example, BWP, 000)
    trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (e.g. CN=BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)
    trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (e.g. CN=BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)
    I also noticed that this step was introduced with BI 7.0, as previously it did not exist for BW 3.5 and EP 6.0.
    Thanks in advance,
    Regards
    Chandu

    If a user is to access an application deployed on the Java server via SSO, using the SAP logon ticket for authentication, the login module stack that the application uses must include the EvaluateTicketLoginModule, and this EvaluateTicketLoginModule must contain these ACL entries (trusteddn, trustediss etc.) if the logon ticket was issued by a different system. What this means is that trusteddn, trustediss and trustedsys are required in EvaluateTicketLoginModule in order for SSO to work. You cannot skip them.
    If you have configured SPNego authentication, the EvaluateTicketLoginModule will still be required. So if you have a policy configuration called SPNego, and the 'ticket' login module stack is using the SPNego configuration as a template, you simply have to configure the EvaluateTicketLoginModule in the 'SPNego' template and the 'ticket' login module stack will be updated accordingly.
    If the 'SPNego' policy configuration/template does not already at least include EvaluateTicketLoginModule I would be very surprised; it is required for all ticket evaluation, even tickets issued by the same server, and should exist in the template that the 'ticket' authentication stack points to. See here for two example LM stacks for SPNego:
    http://help.sap.com/saphelp_nw04/helpdata/EN/43/4bf48061215f6be10000000a1553f6/content.htm

  • User status shows active in portal for inactive LDAP users

    Hi all,
    Users listed in the LDAP as deleted or inactive are still listed in EP User Management as valid active users.
    1) Is there any process or OSS note which can help us to get users inactive in portal user management to match the corresponding LDAP inactive users?
    2) Is there any chance that inactive or deleted entries in LDAP could be made not searchable from the User Admin portal search?
    Any solution for the above problem?
    Please reply.
    Regards,
    haroon

    Hello there,
    I have the same problem: we have several domains that sometimes contain users with the same user ID. This happens if a user is "moved" from one domain to another: a new user with the same user ID is created in the new domain and the user status of the user in the old domain is set to "inactive".
    But SAP NetWeaver Portal (7.0 EHP 1) ignores this user-status flag and thus login (with SPNego / Integrated Windows Authentication, which does not send the domain of an identified user to the portal) fails.
    Is there a possibility to get the portal to "ignore" LDAP users (meaning no longer list them in the UME) that have their user-status flag set to "inactive"?
    Thanks for a reply in advance!
    Regards,
    René

  • HTTP/SPNEGO for "SSO" on MS Windows

    HTTP/SPNEGO for "SSO" on MS Windows
    Hi all of you!
    The scene is simple: I have a piece of software (all in plain Java) and some simple web access to this system. (It's not a real web server which would need Apache or some big container; it's just a few accesses to some information in the software.)
    The client company is all MS Windows, and is used to an SSO approach:
    they have an AD server on Win2003, all laptops run WinXP Pro and have IE at least version 6.
    Now the question is this:
    I have
    - a guy (properly authenticated) who is
    - using IE (properly set up)
    - on a computer (properly attached to AD)
    to access a resource URL of my app.
    It's quite simple to send him an HTTP 401 or 407 so IE goes back to the AD server and gets its token,
    BUT how can I manage in Java to extract the account used by the client
    from the SPNEGO token? This is all I need.
    I can't find any help on this, so please, if someone can help me with this...
    I'm lost... Thanks in advance for a simple hint or a URL pointing me down the right path.

    I forgot:
    OK for the configuration, thanks to some of your posts (thanks all).
    I know all the important steps to be followed.
    For example I quote danielshrem's last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
    <quote>
    Hey Seema,
    Indeed my server's principal was not the correct one, now everything is cool with RC4 encryption.
    For all u dudes out there in need of Java HTTP Kerberos auth, here's a few simple configuration procedures:
    1. On the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). The SPN has to be in the format HTTP/host@Realm or HTTP/host (this SPN worked for me). If u don't know exactly which SPN u need, u can sniff an HTTP session in Ethereal and look for Kerberos AP Req-->ticket-->Server Name. From what I gather this is the principal the clients use.
    2. On the DC add a mapping to the newly created SPN (use ktpass.exe).
    3. On the host running the service create a keytab file containing the newly created HTTP principal (use Java's ktab.exe).
    4. Make sure the SPN is set up OK by running kinit and passing the newly created keytab file and the newly created SPN.
    Once u receive an OK result you are good to go (login and authenticate users).
    Hope this helps
    Daniel.
    </quote>
    My problem (I know it must sound stupid): how do I extract the login account from this?

  • How configure Windows 8.1 Clients with IE11 for SSO with Kerberos SPNEGO

    We are using BI Publisher OBIEE 11.1.1.7 with SSO Kerberos SPNEGO.
    The WebLogic Server version is WLS_PRODUCT_VERSION=10.3.5.0.
    The SSO is working very well with clients that are Windows XP or Windows 2003 R2. We had tested with IE7, IE8 and Firefox.
    Now that we are getting Windows 8.1 clients with IE11, the Kerberos SPNEGO SSO is not working.
    Please give us advice or a HOW TO document about the configuration on Windows 8.1 clients with the IE11 browser.
    I find many documents related to older Windows versions, for example
    http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html
    but nothing for Windows 8.1 clients.
    Thanks in advance.

    The location of the tabs in the IE11 browser might be different, but the steps are the same:
    Configure Local Intranet Domains
       1. In Internet Explorer, select Tools > Internet Options.
       2. Select the Security tab.
       3. Select Local intranet and click Sites.
       4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.
       5. Click Advanced.
       6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.
    Configure Intranet Authentication
       1. Select Tools > Internet Options.
       2. Select the Security tab.
       3. Select Local intranet and click Custom Level...
       4. In the Security Settings dialog box, scroll to the User Authentication section.
       5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.
       6. Click OK.
    Verify Proxy Settings
    If you have a proxy server enabled:
       1. Select Tools > Internet Options.
       2. Select the Connections tab and click LAN Settings.
       3. Verify that the proxy server address and port number are correct.
       4. Click Advanced.
       5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.
       6. Click OK to close the Proxy Settings dialog box.
    What is the error reported by the browser / WLS logs?
    -- Puneeth

  • SPNego - Windows integrated Single-Sign On not working - How to debug?

    Dear board,
    I've tried to configure SPNego - Windows Integrated SSO with no success yet. We do use SAP EP7 on Windows Server 2003 64bit with MS AD 2003. The following is done:
    - Service account is created, authentication works when done on purpose
    - SPNego wizard completed successfully, WebAS Java restarted
    - IE6: Windows integrated logon is activated, IE shows Intranet when accessing the portal URL (I can't modify the IE security settings yet, but as we do use Kerberos outside of SAP as well, my assumption was settings are fine)
    - UID in Windows, EP and ECC are equal
    When I access the portal URL, I am prompted for user id and password. How can I trace methodically what is wrong? Some kind of checklist with links, URLs or SAP Notes would be great. I've also read references to a test application as well as some diag / trace tool.
    Please post thoroughly as I am rather new to this topic and still missing important terms and knowledge.
    Kind regards and thanks in advance,
    Richard

    Dear board,
    after the service principal name registration was done (once again maybe), the error message disappeared in the SPNego wizard when I retrieve the principal in step 2; the test resolution works as before in step 3 of the wizard.
    At the moment, the error message in the central log file is still unchanged: Acquiring credentials for realm xxx.xxx.org failed, no valid credentials provided.
    #1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
    User: N/A
    Authentication Stack: com.sun.security.jgss.accept
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
    #1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
    [EXCEPTION]
    #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    Any ideas? I haven't used the diag tool yet; is there any other reasonable way to debug the setup?
    Kind regards and many thanks,
    Richard

  • Is j2sdk-1_4_2_18-windows-amd64.exe rel with a FIX on Portal/SPNEGO Bug

    I am using j2sdk-1_4_2_17-windows-amd64.exe for my EP7.0 SP14.
    My SPNEGO setup is completed and the authentication is working fine. But the Portal Logon Page still comes up when I use the URL: http://PortalServername.Domain name/irj/portal.
    Found a note: 1057474 which says all JDK versions 1.4.2_14 to 1.4.2_17 have a Kerberos bug.
    My question here is: should I install JDK 1.4.2_18 amd64 and give it a try, or should I downgrade back to 13? Will this impact my EP 7.0 SP 14 or any other application?
    Points will be awarded for any help.

    Got the solution for the SPNEGO bug fix:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6572805
    For any JDK version simply add:
    isInitiator = false in your Visual Admin
    --> Security Provider --> com.sun.security.gss.accept --> Krb5LoginModule
    Parameter isInitiator and value false. Save it and bounce the J2EE.
    Njoy.

  • SPNEGO vs NTLM issue

    Hi,
    I'm trying to configure SSO for my web application using IIS as web server and the IIS-WebLogic proxy plugin provided by BEA. I use WebLogic 8.1 SP4.
    I followed the procedure described in the dev2dev documentation and now I am stuck with an NTLM vs SPNEGO issue.
    Here is what I get from a full security debug in my WebLogic log:
    <2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
    <2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <Found NTLM token when expecting SPNEGO>
    <2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
    My IIS plugin log shows that everything seems to be OK: the client first receives a 401 response and then sends a [WWW-Authenticate] Negotiate header, including a Kerberos token in base64. The only problem is that this token seems to be NTLM instead of SPNEGO:
    Thu Jun 09 13:50:07 2005 WLS info in sendRequest: myweblogicserver.com recycled? 0
    Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401 Unauthorized xxx
    Thu Jun 09 13:50:07 2005 Hdrs from client:[Authorization]=[Negotiate TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
    Thu Jun 09 13:50:07 2005 Hdrs to WLS:[Authorization]=[Negotiate TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
    Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
    Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401 Unauthorized xxx
    As a result of all this, I get a basic authentication prompt when I try to access my web application.
    Any help would be greatly appreciated.
    Thanks!
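Both this thread and the earlier Java question about reading the client's token come down to what the Negotiate header actually carries. This added Python example (not from either post) decodes the base64 value: the token quoted in the plug-in log above turns out to be a bare NTLMSSP type 1 message (it names the workstation, domain and client OS version), while a constructed SPNEGO NegTokenInit shows the mechanism list a Kerberos-capable client would offer. Extracting the user from a real Kerberos token requires accepting it with the service keytab (GSS-API), which this example does not attempt.

```python
"""Decode what a client actually sent after 'Authorization: Negotiate'.
Added example, not code from the original posts. POSTED_TOKEN is the value
quoted in the post's plug-in log; the SPNEGO sample is constructed here with
a placeholder where the Kerberos AP-REQ would sit (no keytab, no GSS accept)."""
import base64
import struct
from typing import Dict, Iterator, List, Tuple

SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5",
               "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
               "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
POSTED_TOKEN = ("TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NT"
                "UU5UMTY1NlNTUVZJRQ==")

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """DER tag-length-value reader: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _iter_tlv(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val

def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_ntlm_type1(raw: bytes) -> Dict[str, object]:
    """Fields of an NTLMSSP NEGOTIATE (type 1) message in the MS-NLMP layout."""
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    out: Dict[str, object] = {"message_type": msg_type, "flags": "0x%08x" % flags}
    if msg_type == 1 and len(raw) >= 32:
        dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
        ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
        out["domain"] = raw[dom_off:dom_off + dom_len].decode("ascii", "replace")
        out["workstation"] = raw[ws_off:ws_off + ws_len].decode("ascii", "replace")
        if flags & 0x02000000 and len(raw) >= 40:   # NTLMSSP_NEGOTIATE_VERSION set
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            out["os_version"] = "%d.%d build %d" % (major, minor, build)
    return out

def parse_negotiate_token(b64: str) -> Dict[str, object]:
    """Classify the base64 value after 'Negotiate ' in the Authorization header."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Bare NTLM with no SPNEGO wrapper: the client never tried Kerberos. This
        # is what WebLogic logged as "Found NTLM token when expecting SPNEGO".
        return {"kind": "NTLM", **parse_ntlm_type1(raw)}
    if not raw or raw[0] != 0x60:            # [APPLICATION 0] InitialContextToken
        return {"kind": "unknown"}
    _, body, _ = _read_tlv(raw, 0)
    tag, oid, pos = _read_tlv(body, 0)       # thisMech OID
    this_mech = _decode_oid(oid) if tag == 0x06 else ""
    if this_mech != SPNEGO_OID:
        return {"kind": "raw GSS token", "mech": KNOWN_MECHS.get(this_mech, this_mech)}
    mechs: List[str] = []
    tag, neg_init, _ = _read_tlv(body, pos)  # [0] negTokenInit ::= SEQUENCE
    if tag == 0xA0:
        for t, val in _iter_tlv(_read_tlv(neg_init, 0)[1]):
            if t == 0xA0:                    # [0] mechTypes ::= SEQUENCE OF OID
                mechs += [_decode_oid(o) for t2, o in _iter_tlv(_read_tlv(val, 0)[1])
                          if t2 == 0x06]
    return {"kind": "SPNEGO", "mechs": [KNOWN_MECHS.get(m, m) for m in mechs]}

def _der(tag: int, content: bytes) -> bytes:
    """TLV encoder used only to build the constructed SPNEGO sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return _der(0x06, bytes(out))

def build_spnego_init(mech_oids: List[str], mech_token: bytes) -> str:
    """Constructed NegTokenInit offering mech_oids, base64 as a browser sends it."""
    mech_list = _der(0x30, b"".join(_encode_oid(m) for m in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    token = _der(0x60, _encode_oid(SPNEGO_OID) + _der(0xA0, neg_init))
    return base64.b64encode(token).decode("ascii")
```

Calling parse_negotiate_token(POSTED_TOKEN) on the value from the log returns kind NTLM with the workstation, domain and a Windows 5.1 (XP) version field; a Kerberos-capable client would instead produce a SPNEGO token whose mechanism list starts with Kerberos V5.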

    Hi,
    Thanks for your information. I finally managed to solve my NTLM/SPNEGO issue. In fact, it seems that I had no problem other than trying to test it from the same computer on which my WLS is installed. When I invoke my web application from another computer on the network, I don't get this NTLM/SPNEGO issue.
    But now I have another problem. First, when I try to access my web application, WLS prompts me (in the server window) for the password of the SPN account for my server. I thought it was supposed to use the keytab file for it, but anyway, this is maybe a part of my problem.
    If I type the correct password, it continues, but I get this chained exception:
    >
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    Caused by: KrbException: Pre-authentication information was invalid (24)
    Caused by: KrbException: Identifier doesn't match expected value (906)
    The root cause seems to be "Identifier doesn't match expected value". I really don't know what it means. I am still trying to solve this so any help would be appreciated and I will also post any other information I get on the subject.
    Thanks
    <regis piccand> wrote in the news message:
    [email protected]..
    Hi,
    I am currently trying to achieve the same configuration, and I noticed that this happens when, in the setup of the Single Pass Negotiate Identity Asserter, you choose the SPNEGO.AtnAssertion type (which seems to be here only for compatibility reasons - see http://e-docs.bea.com/wles/docs42/adminguide/providers.html#1150785).
    Removing this type helped in my case. However, I am now stuck with a GSS exception No Valid Credentials provided (see my post at http://forums.bea.com/bea/thread.jspa?threadID=600004578&tstart=0)
    Hope this helps,
    Kind regards,
    Regis

  • Help-kerberos works with spnego keytab file but not in netbeans and Metro

    Hi,
    I'd appreciate it if someone could shed some light on this problem and guide me on what else I am missing.
    I'm trying to call a .NET based WCF web service (MS Dynamics CRM - OrganizationSvc) from a Java client. Started looking at the Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke the web service. However the challenge was using Kerberos based authentication and the related setup.
    I primarily followed the link below, which was very helpful, but had to dig more to get more specific details.
    http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
    Tried to follow the NetBeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So I came across SPNEGO and used their examples, made changes accordingly, and after experimenting with various configuration settings (krb5.conf and login.conf), finally I was able to run HelloKDC & HelloKeytab successfully.
    krb5.conf
    [libdefaults]
    default_realm = NA.CONVERGYS.COM
    [realms]
    NA.CONVERGYS.COM = {
    kdc = CDCWW13.na.convergys.com
    admin_server = CDCWW13.na.convergys.com
    }
    [domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM
    login.conf
    spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
    Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
    [1] Service principal: HOST/[email protected]
    KVNO: 7
    With these settings, I was able to successfully make the call & HelloKeytab was able to get the ticket and authenticate.
    http://spnego.sourceforge.net/index.html
    http://spnego.sourceforge.net/client_keytab.html
    http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
    However, when I run the example in NetBeans with the setup mentioned in the links below, I run into the following exception...
    http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
    http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
    1) Noticed that the sc:KerberosConfig element in wsit-client.xml does not get updated automatically in the NetBeans IDE, so I manually edited it to put in the entries.
    2) Also followed the setup required in the GlassFish domain.xml & login.conf.
    3) Also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file, which is nothing but the krb5.conf file referred to elsewhere.
    wsit-client.xml
    <wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
    <wsp:All>
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosClient"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    ERROR
    INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
    WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
    WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
    INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
    INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
    SEVERE: WSITPVD0050: Error while Securing Request Message.
    com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
    at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
    javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
    Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    ... 40 more
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    Edited by: user6748004 on Feb 3, 2011 5:36 PM
    Edited by: user6748004 on Feb 3, 2011 5:38 PM

    Hi Gasha,
    The only change I did after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the GlassFish application to load the configuration related to the keytab etc., and use it to communicate with the WCF service for negotiation.
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosServer"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    login.conf has
    KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    FYI, I used the following way to create the keytab.
    The keytab was created using the instructions below:
    ktpass -princ HOST/[email protected]
    -mapUser [email protected]
    -mapOp set
    -pass *
    -crypto DES-CBC-MD5
    -pType KRB5_NT_PRINCIPAL
    -out orldwv705.keytab
    Targeting domain controller: CDCWW13.na.convergys.com
    Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
    Key created.
    Output keytab to orldwv705.keytab:
    Keytab version: 0x502
    keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
    Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using set SPN commands on the AD of the server where CRM is installed.
    With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later I ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't get any success.
    This is where I'm stuck now. What I don't know is if there is another setup from which we can try a similar interoperability example, for example WebLogic 10.1 & Eclipse, which is closer to our real environment.
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    java.lang.IllegalArgumentException: Missing argument
    at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
    at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)
    Edited by: user6748004 on Apr 8, 2011 10:39 AM

  • Logoff not working after SPNego Authentication

    Hi Experts,
    Configured SPNego authentication successfully.
    But after clicking the logoff button, I am logged in again.
    As per some advice, I did the following:
    Example: Portal SSO URL: http://portal.example.com
    Create a URL like http://nonssoportal.example.com (Create the name in the DNS and point it to the IP of your portal server)
    Changed the logoff parameter to point to the new URL. After the restart, clicking logoff went to the new URL, but the SSO ticket is still authenticating.
    I need to get the login page again so that I can log in with administrator or other test user IDs.
    Please post your suggestions.
    Regards,
    Raja. G

    Hi,
    Created the alias for that server and made the logoff URL http://<alias of the server>:<port>/irj/portal.
    Now I am able to reach the login page; however, it asks for Windows authentication while logging off.
    If we click Cancel, then we are able to reach the login page.
    Any idea how to avoid the popup asking for Windows credentials?
    Regards,
    Raja. G
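The two replies above describe the usual fix for a logoff that silently logs the user back in: point the logoff target at a second hostname that the browser does not treat as an intranet SSO host. The remaining Windows credential prompt is what a browser shows when a host it will not authenticate to automatically still answers with WWW-Authenticate: Negotiate, so the alias host must serve the plain form login without issuing that challenge. The following is an added example written for this thread, not code from SAP NetWeaver Portal or from the posters: a minimal WSGI application that challenges with Negotiate only on the SSO hostname, serves the form login on the alias, and on /logoff expires the session cookie and redirects to the alias. The hostnames, the cookie name and the session value are constructed placeholders, and validating the Kerberos token (GSS-API accept_sec_context against the keytab) is marked as out of scope in the code.

```python
"""SSO host vs. non-SSO alias: issue the SPNEGO challenge only on the SSO
hostname so that the logoff target on the alias shows the form login.

Added example (not SAP NetWeaver Portal code). Hostnames, cookie name and
session value are constructed placeholders.
"""

SSO_HOST = "portal.example.com"           # browser sends Kerberos here automatically
NON_SSO_HOST = "nonssoportal.example.com"  # alias: never challenged with Negotiate
SESSION_COOKIE = "PORTAL_SESSION"          # placeholder cookie name

LOGIN_FORM = b"<form method=post action=/login>user/password form</form>"


def _has_session(environ):
    """True when the request carries the portal session cookie."""
    cookies = environ.get("HTTP_COOKIE", "")
    return any(c.strip().startswith(SESSION_COOKIE + "=") for c in cookies.split(";"))


def portal_app(environ, start_response):
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    path = environ.get("PATH_INFO", "/")
    auth = environ.get("HTTP_AUTHORIZATION", "")

    if path == "/logoff":
        # Expire the session and send the browser to the alias, where no
        # Negotiate challenge is issued, so it cannot silently log in again.
        start_response("302 Found", [
            ("Location", "http://%s/irj/portal" % NON_SSO_HOST),
            ("Set-Cookie", "%s=; Max-Age=0; Path=/; HttpOnly" % SESSION_COOKIE),
        ])
        return [b""]

    if _has_session(environ):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"portal content"]

    if host == SSO_HOST:
        if auth.startswith("Negotiate "):
            # Token validation (GSS-API accept_sec_context against the
            # service keytab) is out of scope for this example; a real
            # server verifies the ticket before issuing a session.
            start_response("200 OK", [
                ("Content-Type", "text/plain"),
                ("Set-Cookie", "%s=placeholder; Path=/; HttpOnly" % SESSION_COOKIE),
            ])
            return [b"portal content (kerberos)"]
        # First request on the SSO host: ask the browser for a Kerberos token.
        start_response("401 Unauthorized", [("WWW-Authenticate", "Negotiate")])
        return [b""]

    # Alias host: form login only, never a Negotiate challenge, so the
    # browser renders the page instead of prompting for Windows credentials.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [LOGIN_FORM]


def call(host, path, **headers):
    """Invoke the app without a server; returns (status, headers, body)."""
    environ = {"HTTP_HOST": host, "PATH_INFO": path}
    environ.update({"HTTP_" + k.upper(): v for k, v in headers.items()})
    captured = {}

    def start_response(status, hdrs):
        captured["status"], captured["headers"] = status, dict(hdrs)

    body = b"".join(portal_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call(SSO_HOST, "/irj/portal")[:2])
    print(call(NON_SSO_HOST, "/irj/portal")[:2])
    print(call(SSO_HOST, "/logoff", cookie=SESSION_COOKIE + "=abc")[:2])
```

The important property is visible in the three responses: the SSO host is the only one that ever sends WWW-Authenticate: Negotiate, and the logoff response both clears the cookie and lands the browser on the alias, where the form login is the only option.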

  • SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

    Hi,
    we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
    When we setup the Portal, we used the UME of the ECC - ABAP.
    The portal is used internally only.
    Now we want to provide SSO.
    Users authenticate against Windows Active Directory (Windows 2003).
    We thought SSO via spnego would be the best solution.
    Are there any better alternatives we should use?
    We are following the SAP documentation:
    SAP Library - User Authentication and Single Sign-On
    We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
    When we set up the portal from scratch using ABAP as its UME, LDAP can't be selected/added as a data source in the system configuration.
    In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
    What is not clear to us is whether, when we now activate LDAP via the config tool, we would lose the ABAP connection.
    Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
    In 7.3, SSO is pretty simple to get running, thanks to the many tutorials here and on the internet.
    Thanks for your help.
    Best regards
    Carlos Behlau

    Hi,
    I was able to generate the key via the ktab program.
    But when I enable SSO, nothing happens when I try to log on via SSO to the portal.
    I installed the WebDiag tool on the portal server and ran a trace.
    The users are located in the domain company.com of Active Directory.
    The Java AS is located in the domain sap.company.com of Active Directory.
    The sap.company.com domain acts as a child of company.com.
    When I check the WebDiag trace, I see for the SPNegoLoginModule the entry "... no key (etype: 23) for realm sap.company.com available ..."
    I would expect company.com as the realm key, as the keytabs have been generated on the domain controller of company.com.
    Is it possible to get SSO with a child domain running?
    Based on the statement of the network folks, the child and parent domain have a trust.
    Thanks for your help.
    Best regards
    Carlos
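Two of the posts above come down to what a keytab actually contains: the ktpass output earlier in the thread ("keysize 75 ... ptype 1 ... vno 8 etype 0x3 (DES-CBC-MD5) keylength 8"), and the trace in the post just above ("no key (etype: 23) for realm sap.company.com available"). The login module can only decrypt a service ticket if the keytab holds a key for the same realm and the same encryption type the KDC used, so the first check on either problem is to list the realm, kvno and etype of every entry and compare them with the trace. The following is an added example written for this thread, not code from SAP, Oracle or the posters: a writer and reader for the version 0x0502 keytab layout (the "Keytab version: 0x502" in the ktpass output), plus a lookup that reproduces the realm/etype check. The sample principals, realms, timestamps and key bytes are constructed placeholders; the etype numbers (3 = single DES, 18 = AES-256, 23 = RC4-HMAC) are the standard Kerberos assignments. The constructed keytab deliberately holds keys only for the parent realm, which is the mismatch the trace describes.

```python
"""Minimal keytab (format version 0x0502) writer and reader.

Added example, not code from the thread. Sample principals, realms and key
bytes below are constructed placeholders.
"""
import struct
from dataclasses import dataclass

# Standard Kerberos encryption type numbers (RFC 3961/3962, RFC 4757).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1  # "ptype 1" in the ktpass output


@dataclass
class KeytabEntry:
    realm: str
    components: list
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key: bytes

    @property
    def principal(self):
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for every string in a keytab."""
    return struct.pack(">H", len(data)) + data


def write_keytab(entries) -> bytes:
    """Serialise entries in the 0x0502 on-disk layout (the keysize ktpass
    prints is exactly the length of one entry body as built here)."""
    out = b"\x05\x02"
    for e in entries:
        body = struct.pack(">H", len(e.components))
        body += _counted(e.realm.encode())
        for c in e.components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.etype) + _counted(e.key)
        if e.kvno > 0xFF:
            body += struct.pack(">I", e.kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def read_keytab(blob: bytes):
    """Parse a 0x0502 keytab into KeytabEntry objects; deleted slots
    (negative size) are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])

    def take_counted(p):
        (n,) = struct.unpack_from(">H", blob, p)
        return blob[p + 2:p + 2 + n], p + 2 + n

    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        p = pos + 2
        realm, p = take_counted(p)
        comps = []
        for _ in range(ncomp):
            c, p = take_counted(p)
            comps.append(c.decode())
        name_type, ts, kvno = struct.unpack_from(">IIB", blob, p)
        p += 9
        (etype,) = struct.unpack_from(">H", blob, p)
        key, p = take_counted(p + 2)
        if end - p >= 4:  # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, p)
            kvno = vno32 or kvno
        entries.append(KeytabEntry(realm.decode(), comps, name_type, ts, kvno, etype, key))
        pos = end
    return entries


def keys_for_realm(entries, realm: str, etype: int):
    """Entries able to decrypt a ticket of `realm` encrypted with `etype`.
    An empty result is the situation behind "no key (etype: N) for realm R"."""
    return [e for e in entries if e.realm.upper() == realm.upper() and e.etype == etype]


def describe(entries):
    return ["%s kvno %d etype %d (%s)" % (e.principal, e.kvno, e.etype,
                                          ETYPE_NAMES.get(e.etype, "?")) for e in entries]


# Constructed sample: parent-realm keys only (AES, RC4 and a single-DES key
# like the ktpass output), nothing for the child realm SAP.EXAMPLE.COM.
SAMPLE_ENTRIES = [
    KeytabEntry("EXAMPLE.COM", ["HTTP", "portal.example.com"], KRB5_NT_PRINCIPAL, 1300000000, 8, 18, bytes(range(32))),
    KeytabEntry("EXAMPLE.COM", ["HTTP", "portal.example.com"], KRB5_NT_PRINCIPAL, 1300000000, 300, 23, bytes(range(16))),
    KeytabEntry("EXAMPLE.COM", ["HOST", "portal.example.com"], KRB5_NT_PRINCIPAL, 1300000000, 8, 3, bytes(8)),
]
SAMPLE_KEYTAB = write_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = read_keytab(SAMPLE_KEYTAB)
    print("\n".join(describe(parsed)))
    print("rc4 key for SAP.EXAMPLE.COM:", keys_for_realm(parsed, "SAP.EXAMPLE.COM", 23))
```

Run against a real keytab (`read_keytab(open(path, "rb").read())`), the listing shows at a glance which realm each key belongs to and whether the only key present is a single-DES one, which a domain that issues RC4 or AES tickets will never use.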
