SPNego Configuration

Hi All,
We have configured SPNego on the customer's sandbox and DEV systems as mentioned in the thread
https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/8235,
however when we tried configuring it on the QA system, we are getting the following error:
UME cannot resolve Kerberos principal name principalname, check selected resolution mode.
We have selected Prefix-Based from the drop-down box.
KPN Prefix: krb5principalname
KPN Suffix: dn
Any help will be highly appreciated.
Satish

Hi Satish,
Have a look at SAP Note 994791 - SPNego Wizard, and the attachments to this note.
It should surely help you solve the problem.
Regards,
Anagha

Similar Messages

  • SSO (SPNego) configured, but anonymous user's page doesn't work

    Hello,
    I configured Single Sign-On between the Portal and Windows using SPNego (working OK), but when we try to connect to the Portal using the anonymous user I can't do it (my PC user is automatically logged in). Any idea how to filter the anonymous user?
    Kind regards

    Hi,
    What you need to do is create an alias for the server in the DNS.
    Example:
    http://portal.client.com:50000 is the normal portal access with SPNEGO. You have set the SPN for this server (setspn) to use SPNEGO.
    In the DNS you need to create another alias for the same server, but you don't map it to the SPN user:
    http://portalNOSPNEGO.client.com:50000
    As it is not mapped to use Kerberos, it won't use the SSO.
    If you want to access the portal with the anonymous user or with any other user in your domain, you use the new portal URL http://portalNOSPNEGO.client.com:50000.
    There is a problem accessing this with IE 6.0: a Windows authentication pop-up might appear. In order to get rid of this, you have to change the Internet Explorer security level.
    Option a) Include the portalNOSPNEGO site in the Trusted Sites zone. In the security level of the Trusted Sites zone select "Anonymous Logon". Include the portal.client.com site in the Intranet Sites zone; the security level of these sites should be "Authentication only on Intranet Sites".
    Option b) Upgrade to IE 7.0.
    For external users that have nothing to do with your domain:
    Option a) the security level for the Internet sites should be "Anonymous Logon", or
    Option b) uncheck Integrated Windows Authentication, or
    Option c) upgrade to IE 7.0.

  • SPNego configuration with Active Directory as UME datasource

    Here is some additional information:
    According to SAP Note 718383, changing an existing datasource configuration "dataSourceConfiguration_abap.xml" is not possible.
    But my aim is to connect an ADS server as datasource
    (dataSourceConfiguration_ads_readonly_db_with_krb5.xml).
    Can I use my existing J2EE Engine at all?
    The system has evolved like this:
    BW 3.5 installation, upgrade to NW2004s, then Java Add In-Installation.
    Or is it necessary to install an additional java instance?
    I have just experimented a bit:
    In the Offline-Configtool the UME Property "Global server configuration ->
    services -> com.sap.security.core.ume.service ->
    ume.persistence.data_source_configuration" changed like this:
    OLD: dataSourceConfiguration_abap.xml
    NEW: dataSourceConfiguration_ads_readonly_db_with_krb5.xml
    Then I restarted the J2EE cluster.
    Result: the server0 process does not start anymore.
    But at least now I could enter some values for the LDAP server (in the Offline Configtool),
    choose values from the drop-down list for the several configuration files and so on...
    -> but is this the correct way at all?
    Kind regards
    Rüdiger Höckel
    apetito AG

    Hi Rüdiger,
    It all depends on what you want to do. You installed the AS Java as an Add-In to take advantage of the existing user base in your AS ABAP and to access the resources of the AS ABAP from a portal.
    OK, but now you want to do something about SSO and enable Kerberos logon. For this you need the Kerberos principal name from your ADS. OK, authentication is not my strong suit, but here are some ideas you can try. By the way, in SAP NetWeaver 7.1 there is a configuration to log on to the AS Java using logon data from an LDAP directory, but still use the backend AS ABAP. See Configuring the UME for Directory Service Sync with AS ABAP for details. However, since you are still using 7.0, let's stick with that for now.
    1. Use the LDAP Sync function of the AS ABAP to synchronize the user data of the AS ABAP and your ADS. You must populate the AS ABAP user records with the Kerberos principal name. Which ABAP field you populate with this value I am not sure. You would then have to adapt the following procedure to get this data into your AS Java: Configuring the UME when Using Non-ADS Data Sources.
    2. Set up a second AS Java and portal with the ADS as the datasource. Then migrate your users from the old one to the new one. Unfortunately, the users have different user IDs on the AS Java and the AS ABAP, so you would have to maintain user mapping between the two systems.
    3. Use SAP NetWeaver Identity Management Identity Center to distribute the user data between the systems.
    Unfortunately this kind of configuration is not well documented. I will see if I can find someone who can comment on this kind of setup.
    -Michael

  • Java System Copy with SPNego configured

    Hi,
    I just attempted a Java system copy of our EP7 SP12 Portal to new hardware. The copy itself was successful, but I am not able to log in to the Portal.
    I ran the setspn -a HTTP/new_hardware same_user command to set the SPN in the ADS. Still I am unable to log in. I have attempted to set the fallback login authentication method with the SPNego settings below and still I am not able to log in.
    EvaluateTicketLoginModule ( SUFFICIENT )
    SPNegoLoginModule ( OPTIONAL )
    CreateTicketLoginModule ( SUFFICIENT )
    BasicPasswordLoginModule ( REQUISITE )
    CreateTicketLoginModule ( OPTIONAL )
    Could there be a step with SPNego that I may be missing with a system copy?
    Any help is greatly appreciated.
    Regards,
    Rick

    Rick,
    This is the central note for SPNego related issues: 968191.
    SAP AS Java cannot start after running the SPNego wizard: check this note as well: 1082560.
    Note 982044 - SPNego succeeds but overall logon fails.
    Let me know what error message you get when you try to access the Portal. Get the information from the log files:
    <drive>:\usr\sap\<sid>\<ins_id>\j2ee\cluster\server0\logs\defaultTrace.trc
    Try to get the information from the "work" directory as well.
    Regards,
    Karthick Eswaran
    Edited by: Karthick Eswaran on May 9, 2008 9:46 AM
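
The stack Rick posted is evaluated with the standard JAAS control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), and the flags decide whether a failing SPNegoLoginModule is fatal or falls through to password logon. The following is an added example, not code from the thread or from SAP: it parses the stack text as Rick posted it and replays it against constructed per-module outcomes (which module succeeds in which scenario is my assumption, since the thread does not say which module actually failed).

```python
"""Evaluate a JAAS login-module stack the way the AS Java authentication
framework does, using the standard JAAS control flags.

Added example (not from the original thread or from SAP). RICK_STACK_TEXT is the
stack Rick posted; the per-module outcomes in SCENARIOS are constructed.
"""
import re
from typing import List, Sequence, Tuple

# One line per module, e.g. "EvaluateTicketLoginModule ( SUFFICIENT )"
_LINE = re.compile(r"^\s*(\S+)\s*\(\s*(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s*\)\s*$")

RICK_STACK_TEXT = """
EvaluateTicketLoginModule ( SUFFICIENT )
SPNegoLoginModule ( OPTIONAL )
CreateTicketLoginModule ( SUFFICIENT )
BasicPasswordLoginModule ( REQUISITE )
CreateTicketLoginModule ( OPTIONAL )
"""


def parse_stack(text: str) -> List[Tuple[str, str]]:
    """Parse 'Module ( FLAG )' lines into (module, flag) pairs; blank lines are skipped."""
    stack = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised stack line: {line!r}")
        stack.append((m.group(1), m.group(2)))
    return stack


def evaluate_stack(stack: Sequence[Tuple[str, str]], outcomes: Sequence[bool]) -> bool:
    """Apply JAAS control-flag semantics (javax.security.auth.login.Configuration).

    REQUIRED   must succeed; evaluation continues either way.
    REQUISITE  must succeed; on failure control returns immediately (logon fails).
    SUFFICIENT on success control returns immediately with success, provided no
               earlier REQUIRED/REQUISITE module has failed; on failure continue.
    OPTIONAL   irrelevant unless the stack has no REQUIRED/REQUISITE module at all.

    outcomes[i] is the success/failure of stack[i]; they are position-aligned because
    the same module class can appear twice (CreateTicketLoginModule in Rick's stack).
    """
    if len(stack) != len(outcomes):
        raise ValueError("one outcome per stack entry is required")
    has_mandatory = False
    mandatory_failed = False
    any_success = False
    for (_module, flag), ok in zip(stack, outcomes):
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            has_mandatory = True
            if not ok:
                mandatory_failed = True
                if flag == "REQUISITE":
                    return False            # abort: nothing after this point runs
        elif flag == "SUFFICIENT" and ok and not mandatory_failed:
            return True                     # short-circuit success (the SSO path)
        # OPTIONAL, or a failed SUFFICIENT: fall through to the next module
    if has_mandatory:
        return not mandatory_failed
    return any_success


RICK_STACK = parse_stack(RICK_STACK_TEXT)

# Constructed scenarios; outcomes are aligned with RICK_STACK:
#   [EvaluateTicket, SPNego, CreateTicket, BasicPassword, CreateTicket]
SCENARIOS = {
    "browser presents valid Kerberos token": [False, True, True, False, False],
    "no Kerberos token, correct password":   [False, False, False, True, True],
    "no Kerberos token, wrong password":     [False, False, False, False, True],
    "existing SAP logon ticket in request":  [True, False, False, False, False],
}


def run_scenarios(stack=RICK_STACK, scenarios=SCENARIOS) -> dict:
    """Overall logon result per scenario."""
    return {name: evaluate_stack(stack, outcomes) for name, outcomes in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:42s} -> {'logon OK' if result else 'logon FAILS'}")
```

What the replay shows: with this stack a failing SPNegoLoginModule (OPTIONAL) is not fatal on its own; the request falls through to BasicPasswordLoginModule (REQUISITE), and only a failure there ends the logon. A logon that fails even with the fallback in place is therefore failing in a module the trace would name, which is why Karthick's request for defaultTrace.trc is the right next step.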

  • Configure SPNego on Portal using ABAP ume

    Hi there,
    I need help configuring SPNego (single sign-on) on the SAP Portal 7.0 using an ABAP system as the portal's UME. Has anyone done this before? Is it possible?
    Your help is much appreciated.
    kind regards,
    Clinton

    Hi,
    Check the link below for SPNego configuration:
    http://help.sap.com/saphelp_nw70/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm
    Thanks
    R.Murali

  • SPNEGO Problem

    Hello,
    We have recently migrated our NetWeaver portal to new hardware, but the SPNego configuration is not working as it did before the migration. We have followed many guides and checked forums, but we can't make it work.
    please help.
    Jonah

    hi,
    I would suggest using the webdiagtool to check the error when you open the website. Then post the error logs so we can check the problem. I had a similar issue, but the NetWeaver version was 6.40; which version are you using?
    Can you check this doc:
    SPNEGO Problem in NetWeaver old releases 6.40
    Let me know how it goes.
    Regards,
    Michael

  • SPNego SSO not working on specific servers

    Hello gurus,
    we have installed BI 7.0 SP15 with the Portal as the Java side of the BI (double stack). We have a CI + 3 dialog instances.
    We have configured SPNego as described in the SAP documents, and for some reason the SSO is working on only two servers.
    On the problematic servers we get the error:
    CreateContext failed: GSSException: Failure unspecified at GSS-API
    level (Mechanism level: KDC has no support for encryption type (14))
    I wasn't able to find any differences between the servers, so the SPNego configuration looks fine on all the servers.
    Any idea ?
    Dimitry Haritonov

    OK so:
    WebLogic Server security system as well as Windows Kerberos protocol
    suggested solution:
    Check the user account at the KDC for "Use DES encryption types for this account"; it needs to be checked.
    Log off from the client machine so that the credentials cache is flushed and all session tickets and session keys are destroyed. After re-login the Kerberos client on the user's machine will get a new session ticket and key with the proper encryption type.
    But as I already stated, I have 4 servers and only two of them have SPNego working correctly. All the servers use the same Active Directory user.
    Also all the krb5.conf files are the same...
    Any ideas?
    Dimitry Haritonov
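
In the JDK's Kerberos implementation the number in parentheses in that message is the KRB-ERROR code the KDC returned, and 14 is KDC_ERR_ETYPE_NOSUPP (RFC 4120): none of the encryption types the AS Java offered for the service account is enabled on that account. The following is an added example, not code from the thread or from SAP, that compares the enctypes a host's krb5.conf requests with the types enabled on the account. The krb5.conf text and account values are constructed; the bit values are those of the AD attribute msDS-SupportedEncryptionTypes, which exists on Windows Server 2008 and later DCs (on 2003 DCs, DES is governed by the "Use DES encryption types for this account" flag the post mentions, and the KDC otherwise issues RC4 keys).

```python
"""Compare the Kerberos enctypes requested in a host's krb5.conf with those
enabled on the service account in Active Directory.

Added example, not from the thread or from SAP. SAMPLE_KRB5_CONF and the
account masks are constructed. AD_ENCTYPE_BITS follows the documented
msDS-SupportedEncryptionTypes flags (Windows Server 2008+).
"""
import re
from typing import Dict, List, Set

KDC_ERR_ETYPE_NOSUPP = 14   # RFC 4120 KRB-ERROR code quoted as "(14)" in the GSS message

# msDS-SupportedEncryptionTypes bit -> krb5.conf enctype name
AD_ENCTYPE_BITS: Dict[int, str] = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Spellings commonly found in krb5.conf files, mapped to the names above
ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = CLIENT.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
    CLIENT.COM = { kdc = dc1.client.com }
"""

ACCOUNT_RC4_AES_ONLY = 0x1C   # RC4 + AES128 + AES256; DES not enabled (constructed)
ACCOUNT_WITH_DES = 0x1F       # the same plus both DES types (constructed)


def canonical(name: str) -> str:
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_libdefaults_enctypes(conf: str, key: str = "default_tkt_enctypes") -> List[str]:
    """Return the enctypes listed for `key` in [libdefaults]; empty list if unset."""
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == key:
                return [canonical(t) for t in re.split(r"[\s,]+", v) if t]
    return []


def account_enctypes(msds_supported_enctypes: int) -> Set[str]:
    """Decode the msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return {name for bit, name in AD_ENCTYPE_BITS.items() if msds_supported_enctypes & bit}


def diagnose(conf: str, msds_supported_enctypes: int) -> dict:
    """Report the usable intersection; an empty one predicts KDC_ERR_ETYPE_NOSUPP."""
    requested = parse_libdefaults_enctypes(conf)
    enabled = account_enctypes(msds_supported_enctypes)
    usable = [e for e in requested if e in enabled]
    return {
        "requested": requested,
        "enabled_on_account": sorted(enabled),
        "usable": usable,
        "expected_kdc_error": None if usable else KDC_ERR_ETYPE_NOSUPP,
    }


if __name__ == "__main__":
    for label, mask in (("DES disabled", ACCOUNT_RC4_AES_ONLY), ("DES enabled", ACCOUNT_WITH_DES)):
        print(label, diagnose(SAMPLE_KRB5_CONF, mask))
```

Because the file is read on each host, the check is worth running per host against the live attribute; identical krb5.conf files only help if the Java runtime on every host actually reads the same file and the account's key set has not changed since the other two hosts were configured.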

  • How to logon with different user when use of SPNego

    Hi
    We have implemented SPNego as Windows Integrated Authentication, but how do we log off the portal to log on with another user?
    Since the users are authenticated when logging on to the network from their client PC, the user will be using the standard logon page. But when logging off the portal, the users are automatically redirected and logged back in to the portal.
    I have created an HTML page which the users are redirected to by use of ume.redirect.url. But how do they log on to the portal again?
    When entering the portal URL, the users are once more directly logged in due to the SPNego configuration.
    I need to develop a new logon page where the users are able to enter another UID and password to enter the portal.
    Regards
    Kay-Arne

    Hi Kay-Arne
    The whole idea of Windows authentication is to remove the need for a user to enter a username and password. If you want a user not to get the automatic logon, then you'll need to access the portal with a URL that is in a different domain.
    Cheers

  • Simple and Protected Negotiation Protocol (SPNEGO) - Approx. project time

    Hi Experts,
    A project configuring 2 Portals with LDAP and authenticating users with Simple and Protected Negotiation Protocol (SPNEGO).
    Approximately how many days of effort are required if we work 2 hours per day?
    Any luck?
    Rgds

    Given that the SPNego configuration can be done using wizards these days (http://help.sap.com/saphelp_nw70/helpdata/en/45/40a0de773a7527e10000000a114a6b/content.htm), it should be approximately 3 work weeks of effort at 2 hrs per day, including testing.
    Of course, this is considering all the pre-reqs are in place.
    - Regards, Dibya

  • SSO To J2EE engine of ABAP+JAVA Addin Install

    Hi all,
    I have set up an SAP system as an ABAP+Java Add-In install. The system is running NW04s SP11. I have an SAP Portal installed on the Java side to support some BW functions. I would like to do SSO from the user's desktop directly to the portal component. Is this possible with this type of install? I have set up Kerberos / SPNego with a Java-only install connected to a Microsoft ADS. I have also configured the system to use MYSAPSSO2 tickets from another SAP system, but that requires the users to go to the other SAP system before going to the ABAP+Java Add-In system. I would like the users to go directly to the ABAP+Java Add-In system via a URL like http://server:port/irj/... and get single signed on to the system. Is this possible?
    Any help is appreciated!
    Russ Scherbarth

    Hello Russ,
    Yes, it is possible to configure SSO using the SPNego login module (Kerberos) for this type of system as well. You can also use the SPNego configuration wizard to get the configuration work done, but you need to perform some manual follow-up work as well.
    So my recommendation is: check the online documentation for wizard-based configuration AND manual configuration, perform the wizard-based configuration (more or less the same as you did for the other system) and afterwards (depending on your JDK) you might have to perform some manual follow-up activities.
    Select prefix-based as the user resolution mode; the attribute to be used is uniquename. In addition you need to create the service user in the portal database (when using the Sun JDK), as you do not have a direct connection to Active Directory.
    With best regards,
    René

  • Different between SSO using X.509 and Kerberos

    Dear Experts,
    When trying to decide which route to go for SSO, X.509 certificate or Kerberos token, for an SAP ABAP-only system, I am a bit confused.
    These are the main steps for using X.509. All the documents I found only talk about installing Secure Login Server on AS Java by using Telnet/JSPM deployment. Can we not do the same for AS ABAP? If that is true, does that mean X.509 certificates can only be used for ABAP+Java systems and not for ABAP-only ones?
    X.509 Certificate:
    1. Install and configure Secure Login Server on the SAP AS Java system.
    2. Install Secure Login Client.
    3. Install and configure Secure Login Library on SAP AS ABAP.
    4. Configure user mapping in SAP AS ABAP/Java.
    On the other hand, Kerberos seems much simpler because the installation of Secure Login Server is not required for AS ABAP.
    1. Install and configure Secure Login Library.
       Configure SPNEGO & SNC in SAP AS ABAP.
    2. Install Secure Login Client.
    3. Configure user mapping in AS ABAP.
    Kindly advise.

    We don't intend to use this on other web applications except for the web GUI.
    From what I understood, we create 2 values for "servicePrincipalName" for the user in AD: one for the SNC interface for the GUI and the other entry for the web interface for web GUI users. With SNC/SPNEGO configured and the Kerberos keytab also configured for SPNEGO/SNC in ABAP, users should be able to log in to the GUI and the web GUI.
    That said, below are our current versions. Do we still have to upgrade the kernel version?
    S/W component   Release   Level   Highest Support Package
    SAP_BASIS       702       0012    SAPKB70212
    Kernel: make variant 720_REL, Unicode, AIX 64 BIT, patch number 500

  • Trex Indexing giving HTTP Status Code 401:Unauthorized error

    Dear All,
    We have configured TREX search on the KM repository of our EP
    production server and are trying to search our KM repository using it.
    TREX is installed on a separate server.
    When we try to index the production repository, the documents fail with
    the status "Preparation failed", return code 6401 and the error message
    HTTP Status Code 401: Unauthorized.
    I also applied SAP Note 650521 and checked the index_service user and
    found that it is active and not locked, but the issue still didn't get
    resolved. Moreover, I have gone through most of the previous posts regarding this topic, but they didn't help.
    I even checked the URL Generator service too, which is fine.
    On one test system where SPNego is configured we are also getting the same
    401 error. On this system we disabled SPNego and indexing started working
    fine. When we reverted to the SPNego configuration to confirm
    our observation, we found that it again started to give the 401 error.
    Any help in this regard will be appreciated.
    Regards,
    Srinath Pillai
    Edited by: Srinath Pillai on Sep 3, 2009 8:59 AM

    Dear
    Open System Administration -> System Configuration -> Knowledge Management -> Content Management -> Global Services (Mode: Advanced) -> Index Management Service and check the Crawling Service User; it has to be index_service.
    If you still have the problem, then let me know where your repository is located: are the documents stored on the Portal server itself or on some external server?
    What kind of repository do you use: CM Repository (Mode: DB, DBFS, FSDB), File System Repository, etc.?
    Regards
    Akshit

  • BI & Portal integration. Import BW certificate to the Portal -

    Hi
    We are in the process of integrating our newly upgraded BI 7.01 system with EP 7.01.
    We are trying to integrate the BI system with our central portal, which has the BI components installed. Also, this portal has been configured with SPNEGO for Windows integrated authentication, and we use Microsoft LDAP as our UME.
    As per the documentation, I could not find the option for com.sap.security.core.server.jaas.EvaluateTicketLoginModule, as I can only see the SPNEGO template, since we configured SPNEGO for Windows integrated authentication. Can I skip this step? If so, what are the implications? I see that this step (see below) is required for accepting SAP logon tickets from the BI system as an external system.
    In the Service Security Provider under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts the SAP Logon Tickets from the BI system as an external system.
    7. Start the Visual Administrator with %INSTALLATION_ROOT%\admin\go.
    8. Connect to the portal server.
    9. In the tree, choose <SID>/Server<#>/Services/Security Provider.
    10. Under Component, choose Ticket.
    11. Choose the Authentication tab page.
    12. Change the options for com.sap.security.core.server.jaas.EvaluateTicketLoginModule and enter the following values:
    trustedsys<Number>=<BW_SID>, <BW_CLIENT> (for example, BWP, 000)
    trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (e.g. CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)
    trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (e.g. CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)
    I also noticed that this step was introduced with BI 7.0, as previously it did not exist for BW 3.5 and EP 6.0.
    Thanks in advance,
    Regards
    Chandu

    If a user is to access an application deployed on the Java server via SSO, using the SAP logon ticket for authentication, the login module stack that the application uses must include the EvaluateTicketLoginModule, and this EvaluateTicketLoginModule must contain these ACL entries (trusteddn, trustediss etc.) if the logon ticket was issued by a different system. What this means is that trusteddn, trustediss and trustedsys are required in the EvaluateTicketLoginModule in order for SSO to work. You cannot skip
    them.
    If you have configured SPNego authentication, the EvaluateTicketLoginModule will still be required. So if you have a policy configuration called SPNego, and the 'ticket' login module stack is using the SPNego configuration as a template, you simply have to configure the EvaluateTicketLoginModule in the 'SPNego' template and the 'ticket' login module stack will be updated accordingly.
    If the 'SPNego' policy configuration/template does not already include at least the EvaluateTicketLoginModule I would be very surprised; it is required for all ticket evaluation, even of tickets issued by the same server, and should exist in the template that the 'ticket' authentication stack points to. See here for two example LM stacks for SPNego:
    http://help.sap.com/saphelp_nw04/helpdata/EN/43/4bf48061215f6be10000000a1553f6/content.htm
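
The trust entries above work as a small ACL keyed on the number N: the issuing system and client (trustedsysN), the issuer DN of the signing certificate (trustedissN) and its subject DN (trusteddnN) must all be present and all match for entry N before a ticket from that system is accepted. The following is an added example, not code from the thread or from SAP, that models this check; the option values are the ones quoted in Chandu's post, the second entry, the tickets and the class and function names are constructed, and the real module's matching rules (in particular how DNs are canonicalised) may differ in detail.

```python
"""Model the per-issuer trust entries of the AS Java EvaluateTicketLoginModule
(trustedsysN / trustedissN / trusteddnN) and check a ticket issuer against them.

Added example, not from the thread or from SAP. OPTIONS entry 1 is quoted from
Chandu's post; entry 2 and the TicketIssuer values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TicketIssuer:
    sysid: str              # SAP system ID that issued the ticket, e.g. "BWP"
    client: str             # ABAP client the ticket was issued in, e.g. "000"
    signer_issuer_dn: str   # issuer DN of the certificate that signed the ticket
    signer_subject_dn: str  # subject DN of that certificate


_REQUIRED_KEYS = {"trustedsys", "trustediss", "trusteddn"}
_OPTION = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")

OPTIONS = {
    "trustedsys1": "BWP, 000",
    "trustediss1": "CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE",
    "trusteddn1": "CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE",
    # constructed second entry, deliberately incomplete (no trusteddn2)
    "trustedsys2": "BWD, 100",
    "trustediss2": "CN=BWD, OU=SAP Web AS, O=SAP Trust Community, C=DE",
}

BWP_DN = "CN=BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE"
BWD_DN = "CN=BWD, OU=SAP Web AS, O=SAP Trust Community, C=DE"
BWP_TICKET = TicketIssuer("BWP", "000", BWP_DN, BWP_DN)        # constructed
BWP_CLIENT_100 = TicketIssuer("BWP", "100", BWP_DN, BWP_DN)    # constructed
BWD_TICKET = TicketIssuer("BWD", "100", BWD_DN, BWD_DN)        # constructed


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: strip whitespace around '=' and ',',
    upper-case attribute types. Escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def parse_trust_entries(options: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group trustedsysN/trustedissN/trusteddnN options by N; other keys are ignored."""
    entries: Dict[int, Dict[str, str]] = {}
    for key, value in options.items():
        m = _OPTION.match(key.strip())
        if m:
            entries.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    return entries


def incomplete_entries(entries: Dict[int, Dict[str, str]]) -> List[int]:
    """Entry numbers missing one of the three keys; such entries never match."""
    return sorted(n for n, e in entries.items() if set(e) != _REQUIRED_KEYS)


def is_trusted(entries: Dict[int, Dict[str, str]], issuer: TicketIssuer) -> Optional[int]:
    """Return the number of the first complete entry matching all three fields, else None."""
    for n in sorted(entries):
        e = entries[n]
        if set(e) != _REQUIRED_KEYS:
            continue
        sysid, _, client = (s.strip() for s in e["trustedsys"].partition(","))
        if (sysid.upper() == issuer.sysid.upper()
                and client == issuer.client
                and normalize_dn(e["trustediss"]) == normalize_dn(issuer.signer_issuer_dn)
                and normalize_dn(e["trusteddn"]) == normalize_dn(issuer.signer_subject_dn)):
            return n
    return None


ENTRIES = parse_trust_entries(OPTIONS)

if __name__ == "__main__":
    print("incomplete entries:", incomplete_entries(ENTRIES))
    for t in (BWP_TICKET, BWP_CLIENT_100, BWD_TICKET):
        print(t.sysid, t.client, "->", is_trusted(ENTRIES, t))
```

The incomplete entry is the case worth checking after a wizard run: a trustedsys2 without its trustediss2/trusteddn2 looks configured in the property list but never matches, and the client is part of the match, so a BWP ticket issued in client 100 is not accepted by an entry written for client 000.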

  • Kerberos Authentication for EP 7.0 Portal

    We are implementing Kerberos authentication on our EP7 Portal. In our landscape we have
    2 main domains (US & INTL). In each domain we have several domain controllers (more than 10 each). We have the following queries:
    1) We have a mix of domain controllers running on Windows 2000 and Windows 2003. Will this cause any issue with the SPNego configuration?
    2) Since we have more than 10 DCs in each domain, do we need to add all the DCs as KDCs in step 2 of the SPNego wizard?
    System details:
    1) Portal version: EP7 SP13
    2) Operating system: SunOS (sparcv9) 5.9
    3) LDAP: MS ADS
    4) DB: Oracle 10.2.0.2.0 - 64bit
    Thanks.

    Hi Lisandro,
    For Q1:  I don't think there should be a problem with the mixture of DCs types.
    For Q2: You only need to configure one DC in the wizard (a W2003 server may be the best choice). This is just the DC that the wizard talks to during configuration.
    Hope this helps,
    Darren

  • LDAP: error code 49

    Hi,
    I am testing single sign-on with an SPNego configuration. When I run diagtool with spnego.conf, I always get this error:
    Error connecting to the LDAP server
    [EXCEPTION]
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
    at com.sap.engine.config.diagtool.lib.ldap.LDAPServer.connect(LDAPServer.java:99)
    at com.sap.engine.config.diagtool.tests.authentication.krb.MSActiveDirectoryKrbTest.checkServiceUser(MSActiveDirectoryKrbTest.java:153)
    at com.sap.engine.config.diagtool.tests.authentication.krb.MSActiveDirectoryKrbTest.execute(MSActiveDirectoryKrbTest.java:127)
    at com.sap.engine.config.diagtool.Task.execute(Task.java:55)
    at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:343)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:394)
    Please help me to figure out what's wrong, and I would greatly appreciate that.
    Regards,
    -Napadol

    Hello,
    You have implemented a trusted domain tree configured with cross-referrals in order to forward the DNs to another LDAP server within the domain. Most probably you log on to an LDAP server that forwards the search request (aka the logon request). As the LDAP connection is not configured for referrals, the authentication to LDAP fails.
    For more details, see http://support.microsoft.com/kb/241737
    This is a known issue in the DiagTool that the SAP NW Security developers are currently investigating.
    Please use the WebDiagtool for root cause analysis. It provides the same functionality. If you'd like to collect the user data from the LDAP server (as the DiagTool does automatically), please use the ldifde command directly on the MS host.
    Cheers,
    Tsvetomir
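
Whatever the root cause turns out to be, the "data" field in an Active Directory error-49 bind failure is worth decoding first, because it carries the Windows logon error the DC returned for the bind account (the hex value after "data" is a Win32 error code; 52e is 1326, ERROR_LOGON_FAILURE, and 80090308 is the SSPI status SEC_E_INVALID_TOKEN). The following is an added example, not code from the thread or from SAP or Microsoft, that parses the message Napadol posted; the second sample message is constructed.

```python
"""Decode the AD-specific sub-code in an LDAP 'error code 49' bind failure.

Added example, not from the thread or from SAP/Microsoft. NAPADOL_MESSAGE is
the string from the post; LOCKED_OUT_MESSAGE is constructed. The tables map
the hex 'data' value (a Win32 error code) and the SSPI status to their names.
"""
import re
from typing import Optional

# Win32 error code (hex, as printed after "data") -> meaning for a bind (AcceptSecurityContext)
AD_BIND_SUBCODES = {
    0x525: "ERROR_NO_SUCH_USER (user not found)",
    0x52E: "ERROR_LOGON_FAILURE (invalid credentials: wrong password, or bind DN/UPN not accepted)",
    0x530: "ERROR_INVALID_LOGON_HOURS (not permitted to log on at this time)",
    0x531: "ERROR_INVALID_WORKSTATION (not permitted to log on from this workstation)",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE (user must reset password at next logon)",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

# SSPI status printed after the LDAP result code
SSPI_STATUS = {
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
}

_MSG = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<status>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

NAPADOL_MESSAGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                   "comment: AcceptSecurityContext error, data 52e, vece]")
LOCKED_OUT_MESSAGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                      "comment: AcceptSecurityContext error, data 775, v1db1]")   # constructed


def decode_ldap_error(message: str) -> Optional[dict]:
    """Parse an AD LDAP error string; return None if it is not in that format."""
    m = _MSG.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    status = int(m.group("status"), 16)
    data = int(m.group("data"), 16)
    if code == 49:
        meaning = AD_BIND_SUBCODES.get(data, f"unknown sub-code 0x{data:x}")
    else:
        meaning = "sub-code table applies only to result code 49 (invalidCredentials)"
    return {
        "result_code": code,
        "sspi_status": SSPI_STATUS.get(status, f"0x{status:08X}"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": meaning,
    }


if __name__ == "__main__":
    for msg in (NAPADOL_MESSAGE, LOCKED_OUT_MESSAGE):
        print(decode_ldap_error(msg))
```

The decoder is deliberately strict about the message shape: a connection failure or a non-AD directory produces a different string and returns None rather than a guessed meaning.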
