Setting up SSO with SNC/Kerberos

I'm trying to setup SSO for SAPGui with backend ECC5 on Windows 2003. I have followed the section of the install guide called SAP WebAS 6.40 SR1 because I can't find a ECC5 version so possibly what I am trying to do is not possible?
Steps that I did...
1. I've downloaded the gsskrb5.dll and put in c:\windows\system32
2. Added the profile parameters:
snc/enable = 1
snc/identity/as = p:SAPServiceIDS{at symbol}sscit.com.au
snc/gssapi_lib = C:\WINDOWS\system32\gsskrb5.dll
3. I'm still using the local account at this stage because I'm not sure how to create a domain account that can start the sap instance on this machine. I also have played with Service Principle but again I'm not sure really what I am doing.
So anyhow, after I made the parameter changes and restarted the sap instance the dispatcher soon failed with the following errors in all the wp logs...
rdisp/reinitialize_code_page -> 0
M  icm/accept_remote_trace_level -> 0
M  rdisp/no_hooks_for_sqlbreak -> 0
N  SncInit(): Initializing Secure Network Communication (SNC)
N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
N    File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N  *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N   [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT  [sncxxdl.c 452]
N        GSS-API(maj): Miscellaneous Failure
N        GSS-API(min): Kerberos SSPI not usable with this User account
N      STOP! -- initial call to gss_indicate_mechs() failed
M  *** ERROR => ErrISetSys: error info too large [err.c        931]
M  Wed Oct 08 10:06:29 2008
M  LOCATION    SAP-Server redback_IDS_11 on host redback (wp 15)
M  ERROR       GSS-API(maj): Miscellaneous Failure
M  GSS-API(min): Kerberos SSPI not usable with this User account
M  STOP! -- initial call to gss_indicate_mechs() failed
M  TIME        Wed Oct 08 10:06:29 2008
M  RELEASE     640
M  COMPONENT   SNC (Secure Network Communication)
M  VERSION     5
M  RC          -1
M  MODULE      sncxxdl.c
M  LINE        452
M  DETAIL      SncPDLInit(
M  SYSTEM CALL gss_indicate_mechs
M  ERRNO      
M  ERRNO TEXT 
M  DESCR MSG NO
M  DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;
M  ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;
M  ;;;;STOP! -- initial call to gss_indicate_mechs() failed
M  DETAIL MSG N
M  DETAIL VARGS
M  COUNTER     1
N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) C:\WINDOWS\system32\gsskrb5.dll not loaded
N   [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c    223]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c    225]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   9461]
I also tried the gsstest and got the following log file...
TEST: acquiring default initiating credentials (simple)
RESULT  OK
TEST: acquiring default initiating credentials (query)
RESULT  OK
TEST: acquiring initiating credentials (gss_name_t)
RESULT  OK
TEST: acquiring initiating credentials (printable name)
RESULT  OK
TEST: acquiring initiating credentials (can. printable name)
RESULT  OK
TEST: acquiring accepting credentials for target (printable name)
  for identity "SAPServiceIDS{at symbol}sscit.com.au"
Status:  gss_acquire_cred Acc() == (GSS_S_NO_CRED)
         gss_display_status(0x00070000,GSS_S_GSS_CODE) =
           "No valid credentials provided (or available)"
         gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
           "SSPI::AccSctx#1()==Logon attempt failed"
RESULT  NOT ok (rc=1)
TEST: acquiring accepting credentials for target (can. printable name)
Status:  gss_acquire_cred Acc() == (GSS_S_NO_CRED)
         gss_display_status(0x00070000,GSS_S_GSS_CODE) =
           "No valid credentials provided (or available)"
         gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
           "SSPI::AccSctx#1()==Logon attempt failed"
RESULT  NOT ok (rc=1)
Note: I've changed the @'s to {at symbol} to get message posted.
I hope somebody is able to help me progress past this.
Thank you.

Hello all,
I'm sorry if someone has invested time looking into this for me. I have resolved it. Basiscally as per OSS Note 352295, "Kerberos authentication is only available for Domain Accounts that are managed by Microsoft Active Directory, NOT for local computer users". So I went through the excercise of changing the sap services to start with a domain account instead of the local account, this also required setting up the new ops$ account in oracle, then it all seamed to work pretty much as the doco said it would.

Similar Messages

  • Configure SSO for ITS to R/3 using SNC/Kerberos

    Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library.  I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name.  That seems to work fine.  From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate.  However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
    I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
    =====================================================
    [Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
    [Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
    [Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
          gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
    [Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
    [Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
      Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
    [Thr 2888] Sun Jan 15 22:44:59 2006
    [Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
    [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
    [Thr 2888] Sun Jan 15 22:45:29 2006
    [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
    =====================================================
    Does anyone know what am I missing?  Any help is greatly appreciated.
    Thank you!
    Diem

    Hi Markus,
    I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS).  Does that sound right to you?
    I tried both options for ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detail information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication? 
    I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem. 
    To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
    Thank you very much for all your help.
    Diem Tran
    Trace:
    =====================================================
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
    2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
    2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
    2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
    =======================================================

  • BO XI 3.1 SP3 SSO with CMC and Webi Rich Client

    Hello,
    Is it possible in BO XI 3.1 SP3 to use SSO with CMC and Webi Rich Client ?
    It works fine with InfoView, Designer and Desktop Intelligence.
    Regards

    Hi,
    What kind of SSO authentication are you trying to set up? (AD, LDAP,...)
    I think it's AD regarding your command line.
    But be aware that in SSO, you don't need to configure the command line to run the client.
    Have a look at the following guide.
    [Configuring Manual Kerberos Authentication and-or SSO in Distributed Environments with XI 3.1 SP3.pdf|https://bosap-support.wdf.sap.corp/sap/support/sapnotes/public/services/attachment.htm?iv_key=002007204200000183782010&iv_version=0005&alt=2BCE4CB10DF674B172F4F3F7B32A284F49333135358877720E883731B332AF34CACD2AB52C0A2C8DCACA09084EF4CB494E4E0F2ECE8E2F89772908C9CE70CD2DF77675F7F2D1750C09514BCECFCFCE4C8DCF4BCC4DB5F575F4F4F3F57771F571F6F70B01B25D83D4120B0A722092A599504EB16D715E3E00&iv_guid=DF838310BFAAE8F1B486001A64C54696]
    Regarding accessing CMC with SSO, it's not recomended at all as if you break this access, than you can't connect anymore to the CMC and modify settings.
    Regards,
    Philippe
    Edited by: Philippe Tavares on Feb 15, 2011 4:11 PM

  • Weblogic SSO with AD - My Try - What's wrong?

    Dear All
    I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
    I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
    I'm wondering what is wrong with my configuration. I can only logon on Adminstration Console using weblogics local users, and even with entering username(those which created on AD) and password AD Authentication does not work.
    Anyone has simliar experiance or any clue?
    Appreciated
    TIA
    Cheers
    Here is the setup:
    The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
    The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
    These are the steps I came through based on documentation I could found on the net:
    h1. 0. Configuring Your Network Domain to Use Kerberos
    In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
    */etc/krb5.conf*
    \[logging\]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    \[libdefaults\]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des_cbc_crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime =28800
    forwardable = yes
    \[realms\]
    EXAMPLE.COM = {
    kdc = 192.168.1.193:88
    admin_server = dc
    default_domain = EXAMPLE.COM
    \[domain_realm\]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    \[kdc\]
    profile = /var/kerberos/krb5kdc/kdc.conf
    \[appdefaults\]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    pkinit = {
    allow_pkinit = false
    h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not tidked)
    weblogic (for weblogic service) (with password = "password1")
    weblogicusr (the user which should access Weblogic Administration Console) ("password2")
    * Note that group membership of these two users are left default.(Domain Users)
    h1. 2. For "weblogic" & "weblogicusr" user set these Account Optiones:
    - Use DES encryption types for this account (ticked)
    - Do not require Kerberos preauthentication (cleared)
    * then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
    h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
    - >setspn -a host/weblogic.example.com weblogic
    - >setspn -a HTTP/weblogic.example.com weblogic
    here is the result
    C:\Documents and Settings\Administrator.DC>setspn -L weblogic
    Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
    HTTP/weblogic
    host/weblogic
    HTTP/weblogic.example.com
    host/weblogic.example.com
    and
    - >setspn -a HTTP/weblogic.example.com weblogicusr
    and the result
    C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
    Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
    HTTP/weblogicsrv.example.com
    HTTP/weblogicsrv
    h1. 4. Create the keytab file for Weblogic Server:
    On AD machine issue:
    (ktpass from MS Windows Support Tools)
    >ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
    >ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
    (ktab from JRE 6)
    >ktab -k c:\temp\weblogic.keytab -a [email protected]
    Password for [email protected]:*password1*
    Done!
    Service key for [email protected] is saved in c:\temp\weblogic.keytab
    ** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+ how ever the keytab I created using ktab("weblogic.keytab") works fine in this case, so I decided to merge whole three of them into a keytab.
    >\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
    >kinit(v5): Key table entry not found while getting initial credentials
    h1. 5. Port and Merge keytabs
    Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
    and merged into one keytab:
    ktutil: "rkt weblogic.host.keytab"
    ktutil: "rkt weblogic.HTTP.keytab"
    ktutil: "rkt weblogic.keytab"
    ktutil: "wkt weblogic-keytab"
    ktutil: "q"
    * then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
    >/root/bea/user_projects/domains/base_domain/kerberos
    h2. 5.1 Test the keytab and kerberos configuration
    >\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
    >\[root@weblogic keytabs\]# klist
    >Ticket cache: FILE:/tmp/krb5cc_0
    >Default principal: [email protected]
    >
    >Valid starting Expires Service principal
    >09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
    >
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    h1. 6. Creating a JAAS Login File
    Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
    krb5Login.conf
    com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=*"[email protected]"* useKeyTab=true
    keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
    com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=*"[email protected]"* useKeyTab=true
    keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
    h1. 7. Modify startup options
    add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
    h2. 7.1 Kerberos
    -Djava.security.krb5.realm=EXAMPLE.COM
    -Djava.security.krb5.kdc=dc.example.com
    -zjava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dweblogic.security.enableNegotiate=true h2. 7.2 Debug
    -DDebugSecurityAdjudicator=true
    -Dweblogic.debug.DebugSecurityAtn=true
    -Dsun.security.krb5.debug=true
    -Dweblogic.StdoutDebugEnabled=true";
    -Dweblogic.log.StdoutSeverity=Debugh1. 8. Configuring the Identity Assertion Provider
    In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
    Again in Administation Console did this to example.com Security Realm:
    h2. 8.1 -> Prividers: Add 3 Providers
    Negotiate     WebLogic Negotiate Identity Assertion provider     1.0
         DIA     WebLogic Identity Assertion provider     1.0
         AD     Provider that performs LDAP authentication     1.0 (Active Directory provider)
         Default     WebLogic Authentication Provider     1.0
    h2. 8.2 -> Change the default parameters
    h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
    -> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
    -> Form Based Negotiation Enabled: Removed the tick
    h3. 8.2.2 DIA     WebLogic Identity Assertion provider (no changes)
    (no changes)
    h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
    -> Control Flag: *SUFFICIENT*
    -> User Name Attribute: *sAMAccountName*
    -> Principal: *HTTP/[email protected]*
    -> Host: *192.168.1.193*
    -> User Base DN: *CN=Users,DC=example,dc=com*
    -> Propagate Cause For Login Exception: *ticked*
    -> Group Base DN: *CN=Users,DC=example,dc=com*
    -> Credential: *password1*
    * others left with their default values.
    h1. 9. Configuring an Internet Explorer Browser
    On Windows XP machine (winclient.example.com):
    h2. 9.1 Configure Local Intranet Domains
    - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
    > "Include all sites that bypass the proxy server" *ticked*
    > "Include all local (intranet) sites not listed in other zones" *ticked*
    - then in -> Advanced Dialog Box added this:
    > weblogic.example.com
    h2. 9.2 Configure Intranet Authentication
    - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custome Level:
    > In the Security Settings dialog box -> the User Authentication section.
    > "Automatic logon only in Intranet zone" *ticked*
    h2. 9.3 The Proxy Settings
    No proxies are enabled
    h2. 9.4 Enable Integrated Windows Authentication
    - In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
    > "Enable Integrated Windows Authentication" *ticked* by default
    Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM

    I found something in Logfile:
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local conne
    ction is false>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:
    ""}>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49);
    80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
    According to this post: Re: WL10.3 and SSO and Active Directory
    a correct ldap connection should look like this:
    <LDAP Atn Login username: Administrator>
    <userExists? user:Administrator>
    <new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
    <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
    <connection succeeded>
    *<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
    <getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*
    Moreover, I turned AD's debug logging and this is what happens when I try to login with a AD user: Why "Anonymous Logon"?!
    Event Type:     Information
    Event Source:     NTDS LDAP
    Event Category:     LDAP Interface
    Event ID:     1535
    Date:          9/4/2009
    Time:          6:47:07 PM
    User:          NT AUTHORITY\*ANONYMOUS LOGON*
    Computer:     DC
    Description:
    Internal event: The LDAP server returned an error.
    Additional Data
    Error value:
    80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
    Any help would be greatly appreciated

  • Problem with SNC logon to Analyzer

    Hi friends
    We configure SNC for BW system logon. It works fine for GUI. But when we use Analyzer the problem occurs:
    Missing SNC_LIB=IN CONNECT_PARAM IN RfcOpenEx
    Why this happen?
    we have done the checking:
    existence of Kerberos dll in /windows/system32
    active directory settings for a SAPServiceSID user
    advance setting in saplogon
    It looks fine. Do we miss sth? Maybe there's some configuration for Analyzer? Thank you very much.

    We were attempting standard publishing configuration but it would not work until SNC was installed. Once installed the publishing worked. But that's when the authentication issues started.
    We can login to infoview with SAP credientials no problem. But with the SNC turned on in BOBJ, its as if that first login means nothing. If you attempt to execute a report it shows cached paramaters and is apparently not authenticating against our SAP backend system. When you turn the SNC off via the CMC in BOBJ, the reports execute correctly authenticating against SAP backend.
    With SNC on, if you try to execute a report, nothing happens. As mentioned above, it's as if it's not communicating with the backend data source.  With SNC off, all works well but we just can't do the publishing/bursting.
    Thanks again,
    Sage

  • No user exists with SNC name

    Hi,
    We have configured the SSO with kerberos, while trying to login getting the below error
    Please advice.
    Regards,
    Sam

    Hello,
    sorry my first answer was wrong (I deleted it).
    Normaly you get no such SNC names with a correct installed Secure Login Client.
    Could you please dump the enviroment variable SNC_LIB and SNC_LIB_64 here?
    best regards
    Alexander Gimbel

  • SSO with EP 6.0 and R/3 as backened not working

    Hi , 
        I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
    I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
    What are the setting to be done in ITS for SSO towork. I have set the parameter
    msapcomusesso2cookie = 1 in the global.svrc file.
    I do not know what is wrong. Please help.
    Regards,
    Ramesh

    Hi,
      I am using a standalone ITS for a R/3 4.7 system.
    How should I maintain a FQDN for ITS?
    You are right,
    now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
    But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
    can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
    Regards,
    Ramesh

  • SSO with Hybrid Cloud-Based Deployments

    Hi
    I´m wondering, how SSO works with Hybrid Cloud-Based Deployments.
    I want to use Jabber for Windows with WebEx Connect and Unified Communications integration with Cisco WebEx.
    Questions:
    How can I configure Jabber for Windows to use SSO with WebEx Connect after Client-Installation?
    I´ve read, that SSO username with WebEx Connect will be [email protected] Correct?
    I´ve read, that I have to create a jabber-config.xml with a follows to enforce Jabber for Windows to use the Webex-Connect login credentials also for Phone Services. Correct?
    <CUCM>     <PhoneService_UseCredentialsFrom>presence</PhoneService_UseCredentialsFrom>   </CUCM>
    If this is correct, Jabber for Windows will use [email protected] to authenticate with CUCM, but CUCM would need only the username without the domain. From my point of view, Jabber for Windows will not be able to authenticate with CUCM for Phone Services.
    Any thoughts?
    thank you
    Tino

    Hi Maqsood
    Thanks for your info. I´ve tested the "PhoneService_UseCredentialsFrom" attribute in my hybrid deployment and it seems, that it effects the jabber also in this scenario: the credentials form in the jabber options menu are not displayed.
    My understanding of the admin guide is, that it should work:
    Authentication in Hybrid Cloud-Based Deployments
    If the client authentication credentials are the same as the voicemail service credentials on Cisco Unity Connection, you can specify the VoicemailService_UseCredentialsFrom parameter in the Cisco Jabber for Windowsconfiguration file. This parameter uses the client authentication credentials to access voicemail services. As a result, Cisco Jabber for Windows users do not need to enter their credentials for voicemail services in the client.
    You should ensure that the sign in credentials and voicemail service credentials are the same for the Cisco Jabber for Windows users. If you set this parameter, the Voicemail section is not available on the Phone accounts tab in the Options window.
    thanks,
    Tino

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS support SSL
    2.     How to Register SSO with SSL
    3.     Configure SSO for certificates
    Prerequisites
    Before start this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     “When you install Oracle infrastructure, please make sure you have select OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    l     You must configure SSL on the computer where the single sign-on middle tier is running.
    l     You are configuring one-way SSL.
    l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
         3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5.Save and close the file.
    6.     Reload the OracleAS console:
         ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh
         -oracle_home_path $ORACLE_HOME
         -config_mod_osso TRUE
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stoproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You also can use ocactl unlinksso to unlink the OCA to SSO.

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permisission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • After Setting Up SSO Managed Server Won't Start

    I am using the Oracle supplied white paper to set up SSO using Active Directory. Following those instructions everything was working and testing correctly until I added the NegotiateIdentityAsserter provider to the list of WLS providers. Now the managed server won't start. The admin server starts without any errors and goes to the RUNNING state. But the Start BI Services command window gets to the wls.alive: prompt and hangs. And hangs. Eventually the window goes away and it may throw an error but I've never seen it. You can login to the WLS console and EM without a problem. Remove the new provider and everything comes up normally. I have looked at the krb5.ini and krb5login.conf files and even rewritten them from scratch without any change in behavior.
    While looking for answers I ran into the SPNEGOCheck webapp that Oracle makes available to diagnose problems. It says everything is OK until it parses the krb5login.conf and then complains that the Username associated with SPN in AD is blank and so doesn't match the SPN specified in the krblogin config. But I can't see anything wrong in the files themselves.
    from the log:
    In section 'libdefaults'
    LSA: Found Ticket
    LSA: Made NewWeakGlobalRef
    LSA: Found PrincipalName
    LSA: Made NewWeakGlobalRef
    LSA: Found DerValue
    LSA: Made NewWeakGlobalRef
    LSA: Found EncryptionKey
    LSA: Made NewWeakGlobalRef
    LSA: Found TicketFlags
    LSA: Made NewWeakGlobalRef
    LSA: Found KerberosTime
    LSA: Made NewWeakGlobalRef
    LSA: Found String
    LSA: Made NewWeakGlobalRef
    LSA: Found DerValue constructor
    LSA: Found Ticket constructor
    LSA: Found PrincipalName constructor
    LSA: Found EncryptionKey constructor
    LSA: Found TicketFlags constructor
    LSA: Found KerberosTime constructor
    LSA: Finished OnLoad processing
    Config name: C:\Windows\krb5.ini
    KdcAccessibility: reset
    KdcAccessibility: reset
    Reachable? true
    Connection seems to have succeeded.
    Parsing section contents 'com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required principal="[email protected]" keyTab=biwhse1a.keytab useKeyTab=true storeKey=true debug=true;};'
    Section name: 'com.sun.security.jgss.krb5.accept'
    Getting next NV pair beginning at 'principal="[email protected]" keyTab=biwhse1a.keytab useKeyTab=true storeKey=true debug=true'
    NVPair name: 'principal' value: '[email protected]'
    NVPair name: 'keyTab' value: 'biwhse1a.keytab'
    NVPair name: 'useKeyTab' value: 'true'
    NVPair name: 'storeKey' value: 'true'
    Got back 4 name/value pairs.
    section com.sun.security.jgss.krb5.accept should probably contain a setting for debug=true
    Section com.sun.security.jgss.krb5.accept seems OK
    The krb5.ini file:
    [libdefaults]
    default_realm = SRS1.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600
    [realms]
    SRS1.COM = {
    kdc = 129.58.120.200
    admin_server = adc01.srs1.com
    default_domain = SRS1.COM
    [domain_realm]
    .srs1.com = SRS1.COM
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    The krb5login.conf file:
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=biwhse1a.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
    [D:\] setspn -L bi_kerb_prin
    Registered ServicePrincipalNames for CN=bi_kerb_prin,OU=Non-Person Users,OU=WRC Users,DC=srs1,DC=com:
    HTTP/biwhse1a.srs1.com
    HTTP/biwhse1a
    [D:\]
    OBIEE 11.1.1.6.2 BP2
    Windows Server 2008 SP1

    Did you try -Djava.security.krb5.conf=<path>/krb5.conf before the %EXTRA_JAVA_PROPERTIES%. in your C:\OBI\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd .?
    Also change your JAAS config file and try with
    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/[email protected]"
    keyTab=biwhse1a.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/[email protected]"
    keyTab=biwhse1a.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
    Now restart and see.
    Hope this helps. Pls mark if it does.
    Thanks,
    SVS
    Edited by: SSVS on Mar 17, 2013 11:47 PM

  • SSO with Custom LDAP

    This is the landscape :-
    Web Application / Portal at Oracle Web Center Suite (WCS).
    SAP BO 4.0
    Authentication using Custom LDAP & SSO with Trusted Authentication.
    Used OpenLDAP for authentication via RadiantOne VDS as the proxy.
    Activities :
    Authenticate the BO users with OpenLDAP via RadiantOne.
    Synchronize the BO user group from OpenLDAP via RadiantOne.
    Used openDocument.jsp to open WEBI reports.
    Problems :
    We configure the LDAP as Custom. Attributes mapping as default.
    When BOE trying to connect the RadiantOne VDS & create user u201Cuser01u201D which already exists in the OpenLDAP server. It throws the exception :
    "An internal error has occurred in the secLdap plugin.u201D
    When trying to create user that does not exist in LDAP. It throws the exception :
    u201CThe secLdap plugin failed to get the dn for the user notuser.u201D
    Please advise us how to resolved this internal error if we want to SSO with custom LDAP !!
    Thanks & regards,
    Herries E

    Hi,
    Herrie, Roland is correct, OpenLDAP is not supported and you can run into problems if you want to escalate issues in the future. The customer must have that into account.
    However, LDAP is pretty standard and usually you just need to make sure that the attribute mappings is correct.
    Are users correctly created when you map an LDAP group?
    Are you able to manually authenticate using LDAP? You can use the CMC page and select authentication LDAP
    When you have confirmed that LDAP manual authentication is working, you can set up Trusted Authentication. Check first that the system is working just using QUERY_STRING:
    https://service.sap.com/sap/support/notes/1593628
    When trusted auth is confirmed to work, you can configure the parameters that Radiant users to pass the user: cookies, web session, etc.
    Regards,
    Julian

  • SSO with Analysis for MS Excel?

    Hi,
    We are in the process of setting up our new BO4 environments and we will be integrating BO with the SAP Netweaver Portal, so our users will log on to the Portal and then open up a tab that will display the BI Launch Pad logging on to BO with SAP SSO into SAP BW.
    This works great, but now some of our users will be using Analysis for Microsoft Excel and the question has come up, how do they authenticate to BO. Since they will have a user id in BW, but no password set since it is all SSO with logon tickets, how can they authenticate themself?
    Thanks
    Josh

    Thanks for the quick reply.
    I am using BI 4 SP02 Patch 16.
    My requirement is when a user log in the BI launch pad using SAP authentication and opens a Workbook stored in BO repository Analysis prompts again to enter userid and password.
    I need to achieve SSO at this level so that user only log in to BI Launch pad and should be able to log in Analysis tool for excel directly. Is this possible?
    Regards,
    Pulkit Khare

  • Not able to activate SSO with logon tickets...

    Hi all,
    I configured SSO with logon tickets on a new installation of EP 7.0 Nw 2004s SR2.
    The target R3 server is in a different domain. But i added the certificate receiver portal server address in the UME service entries.
    But when i try  to test it, it is showing the password entry login screen.
    Is there any changes i need to make to the logon stacks?
    Given below are the major steps i completed.
    1. Created RFC destination in portal
    2. Created RFC destination for portal in R3
    3. Exported verify.der certificate to R3.
    4. Added necessary entries for R3 sever in the portal security providers list.
    5. Restarted portal j2ee instance.
    Did I miss out any required steps?
    I doubt whether logon tickets are generated from the portal , since it directly shows the normal login screen when i test.
    Can anyone help me on this?
    Thanks in advance
    Shobin

    Hi,
    Thanks alot for your reply.
    I checked sso2. The connection fails there. But long back, we had created another destination in the R3 system to use in a different portal instance. There, SSO works fine. Even this destination also fails when checked through sso2.
    I login to portal with administrator rights which has the same user id in R3 also. Please note that both these systems are in different domain. But I have added another host name in ume.service.login property which is already set up for SSO with the target R3 system.
    When i test SSO, i am not getting any error messages regarding the certificate or logon ticket. It simply ask me  for a user name and password.
    Is there any change i have to do in logon stacks to give preference to logon tickets?
    Thanks alot
    Shobin

  • Sample code for SSO with ucm10gR3

    hi all,
    I am using ucm10gr3 and want to implement sso with my web application running on wls, I don't have OAM, I need to implment sso with ucm by my code, reading the following statement in metalink:
    REMOTE_USER is a computed Common Gateway Interface (CGI) variable that is used by the web server to indicate that the current acting request has been successfully authenticated as acting as the user identified by the value of this CGI variable. Getting the web server to set this variable for you is highly dependent on the particular APIs and data structures available in that web server. This may also require some customization and code be written within the web server, such as a custom web server plugin. This should not require additional code or components to be written on the UCM side.
    In other words, This is not specially a content server configuration issue. If you can get any standard 3rd party web application (such as PHP -- for example a Wiki application) to get the SSO solution to work using standard webserver authentication techniques and doing nothing special in the application, then it should work without needing any additional UCM specific code.
    All web servers have a built in understanding that the current request can act at the behest of a particular user. When web servers execute CGI applications, such as PHP, the standard CGI specification specifies that this user name be used to populate a parameter called REMOTE_USER. The mechanism by which this parameter is propagated to the script or plugin that is executing the request tends to be implementation specific. This parameter can be picked up by the CS web server plug-in.
    Per my understanding, I need to use CGI to produce a variable named REMOTE_USER, and save username in it, but I am not a CGI guy, who can give me a demo for this?
    Or is there any other solution to implement sso with ucm?
    Thanks a lot!
    Best regards

    While, seems one way is to use stream to bypass login.

  • Help  - SPENGO - Microsoft SSO with WLS 9.2

    Friends,
    I am trying to integrate Microsoft SSO with WLS with SPENGO. I followed the steps given in http://edocs.bea.com/wls/docs92/secmanage/sso.html and even in 8.x documentation where I had to create a LDAP authenticator etc.
    However, instead of SPENGO token, I get the NTLM token. It looks like when Kerberos fails, WLS tries to invoke NTLM. But I am not sure where I am doing wrong. It would be great if someone could look at the following logs and suggest some workaround.
    <<WLS Kernel>> <> <> <1183957002830> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
    <<WLS Kernel>> <> <> <1183957002830> <000000> <CERT auth type found for webapp>
    <<WLS Kernel>> <> <> <1183957002830> <000000> <All request headers:>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Language : en-us>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: UA-CPU : x86>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Encoding : gzip, deflate>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Host : 10.31.252.182:7001>
    <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Connection : Keep-Alive>
    <<WLS Kernel>> <> <> <1183957002862> <000000> <Negotiate filter: new session, no negotiation has started>
    <<WLS Kernel>> <> <> <1183957002862> <000000> <PrincipalAuthenticator.getChallengeToken will use common security service>
    <<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
    <<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
    <<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken(WWW-Authenticate.Negotiate)>
    <<WLS Kernel>> <> <> <1183957002862> <000000> <Unauthorized, sending WWW-Authenticate: Negotiate>
    <<WLS Kernel>> <> <> <1183957003268> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
    <<WLS Kernel>> <> <> <1183957003268> <000000> <CERT auth type found for webapp>
    <<WLS Kernel>> <> <> <1183957003268> <000000> <All request headers:>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Language : en-us>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: UA-CPU : x86>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Encoding : gzip, deflate>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Host : 10.31.252.182:7001>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Connection : Keep-Alive>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Cookie : JSESSIONID=0nRcGRQKvcpzV8wQPVX584Pxwly4GrpTdQGGGYGGb4Z62Rs1GLVv!542382297>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Authorization : Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
    <<WLS Kernel>> <> <> <1183957003268> <000000> < processing header: Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
    <<WLS Kernel>> <> <> <1183957003283> <000000> <SPNEGONegotiateToken.discriminate: not Application Constructed Object, not SPNEGO NegTokenInit token>
    <<WLS Kernel>> <> <> <1183957003283> <000000> <Token not supported by Negotiate Filter, ignoring: NTLM>

    Another question.
    When you configure Spnego and sso, do you also need to configure an active directory authenticator ??
    I think I have the SSO part working - it does kerberos authentication and gets the username, howerver after taht it fails because it tries to do an LDAP authentication with that username.
    <LDAP Atn Login username: kerbuser01>
    <[Security:090300]Identity Assertion Failed: User kerbuser01 does not exist
    Any pointers ?

Maybe you are looking for

  • Wrapping form fields in advance table bean

    i have an advance table bean with a lot of columns.there are certain columns which require large space.now the data can be filled to a huge extenet but if the data exceeds the displayed fields those fields cannot be seem once disabled.so,i need to en

  • Workshop 9.2 - Web Service Test Client - java.util.NoSuchElementException

    I've found an issue with the Web Services Test Client while developing a web service application in the Weblogic Workshop 9.2 tool. The same schema / code in Workshop 8.1 SP4 works okay in its version of the test client. The error seems to manifest i

  • Error when calling ejb.create() call

    Hi Folks, I am trying to create a simple CMP bean with J2EE1.4 but when I call ejb.create I get the following exception :- Exception in thread "main" java.rmi.ServerException: RemoteException occurred in server thread; nested exception is: java.rmi.R

  • CSA 5.1 Server 2003 SP2 support?

    Hi, Does anyone know if CSA 5.1 will support SP2 for Server 2003 when it is released? Is anyone currently testing 5.1 with SP2 RC1? If so have you come across any issues? Thanks, Neil

  • Problem showing movies.

    Why can I no longer show movies on my iPad 3?  Netflix, YouTube, my own home movies? Opens to location. Picture shows, but freezes with no sound.  Netflix works on my TV, so I know it's not Netflix problem. Also no longer have sounds (sending emails,