SPNego Wizard

We have the SAP Web AS 7.0 installed. We are using the SPNego Wizard to implement SSO. I went through the wizard but needed to restart the J2EE engine per the Wizard before changes could be applied. But when I restart the engine, the Wizard times out. Now, it takes a while for the portal to come up and when I am finally able to log in, I cannot get to the UME page. It states 'The page cannot be displayed'. Could this be an Internet Explorer issue? The SAP services are all green. I have been playing with the settings, i.e. changing the Advanced settings to accept Windows Authentication and adding the portal URL to the Local Sites Advanced settings. Any ideas why I cannot restart the wizard or why the UME page is not coming up? Thanks in advance!

Hi Margie,
please use the SPNego test page to see if you have a problem with your config:
http://youportalurl:portalport/spnegoconfig/dih
There is also a required hotfix for Windows XP SP2 for Kerberos:
http://support.microsoft.com/default.aspx?scid=kb;en-us;885887
You may apply note 958107 to validate your config too.
I hope this can help you.
Brad

Similar Messages

  • How to deactivate SPNego after running the SPNego Wizard in NW2004s

    Hello,
    We have a NW2004s Platform with Usage Type AS Java and DI. SPNego is configured using the SPNego Wizard and it's working absolutely fine. The problem is that we would like to use Basic authentication side by side as well. In NW2004, when SPNego is manually configured (without the wizard), the URL for SPNego needs to be configured so that you get SPNego at all. If you call the normal URL, for example for the Portal http://portal:50000/irj, you get Basic Authentication. But as soon as SPNego is configured through the Wizard, the mentioned URL is automatically configured to SPNego! While configuring the SPNego Wizard, UIDPW or Basic is set as a Fallback Authentication... but Fallback means Fallback, i.e., when SPNego does not function. What about when the two schemes are required to work simultaneously?
    I did change the Ticket in the Security Keystore in the Visual Admin and set it to "basic" again (for the configuration of the Wizard, it was set to spnego); it does return a login screen, but you cannot get access through any of the users, not even with Administrator/j2ee_admin.
    I did deactivate the service user as well, but in vain.
    Has anyone experience with this. Should we make changes in the prios in the authschemes.xml ??  Would it not the working spnego in any way..
    I look forward to any helpful hints.
    Thanks,
    Rahila Zahir

    Later I found the solution. I just had to switch back to Basic in the Login Modules in Visual Admin--Security Provider Service. I was confusing it earlier with the NW2004.
    Cheers,
    Rahila Zahir
    Edited by: Rahila Zahir on Jan 5, 2008 1:15 AM

  • SPNEGO Login module Stack issue: Could not validate SPNEGO token

    Hello to all,
    We are deploying a SAP NetWeaver 7.3 Enterprise Portal with the SPNego login module activated.
    We are performing some tests (performance and concurrent access).
    During the tests we have several times found the following issue linked to SPNego.
    Could not validate SPNEGO token.
    [EXCEPTION]
    java.lang.NumberFormatException: multiple points
    at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
    at java.lang.Double.parseDouble(Double.java:510)
    at java.text.DigitList.getDouble(DigitList.java:151)
    at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
    at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
    at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
    at java.text.DateFormat.parse(DateFormat.java:335)
    at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
    at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
    at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
    at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
    at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
    at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
    The user linked to this user is Guest.
    Could you please advise us how to solve this recurring issue?
    Kind regards
    Julien LEFEVRE

    Hello Cathal,
    Thank you for your answer.
    In fact the new SPNego wizard of the SAP Enterprise Portal 7.3 is used to get the two key files. The SAP JVM is in fact used, with 1.6.1.
    And in fact, it functions perfectly sometimes. But during the test of massive access (more than 30 concurrent users), I get this error frequently.
    Best regards
    Julien LEFEVRE
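
The trace above fails inside `SimpleDateFormat.parse` with `NumberFormatException: multiple points`, and per the follow-up only under concurrent load; that is the usual symptom of one `java.text.SimpleDateFormat` instance being parsed from several threads, since the class is not synchronized. The following is an added example, not SAP's code and not part of the original thread: it parses a Kerberos-style GeneralizedTime string with a shared formatter and with a per-thread formatter and counts failures. The class name, the sample timestamp and the thread counts are constructed, and that the SAP `Utils` class shares a formatter is an assumption inferred from the trace.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.TimeZone;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class GeneralizedTimeRace {
    // KerberosTime is a GeneralizedTime without fractional seconds: YYYYMMDDHHMMSSZ
    static final String PATTERN = "yyyyMMddHHmmss'Z'";
    static final String SAMPLE = "20140328120850Z"; // constructed sample value
    // Reference result, computed once on a private formatter before any threads run
    static final long EXPECTED = parseFresh(SAMPLE);

    // Unsafe variant: one formatter visible to every request thread
    static final SimpleDateFormat SHARED = newFormat();

    // Safe variant that also works on a Java 6 VM: one formatter per thread
    static final ThreadLocal<SimpleDateFormat> PER_THREAD =
        new ThreadLocal<SimpleDateFormat>() {
            @Override protected SimpleDateFormat initialValue() { return newFormat(); }
        };

    static SimpleDateFormat newFormat() {
        SimpleDateFormat f = new SimpleDateFormat(PATTERN);
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        f.setLenient(false);
        return f;
    }

    static long parseFresh(String s) {
        try {
            return newFormat().parse(s).getTime();
        } catch (ParseException e) {
            throw new IllegalStateException(e);
        }
    }

    interface Parser { long parse(String s) throws ParseException; }

    // Runs the parser from many threads and counts every call that either
    // throws or returns a timestamp different from the reference value.
    static int countFailures(final Parser p, int threads, final int perThread)
            throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<Integer>> results = new ArrayList<Future<Integer>>();
        for (int t = 0; t < threads; t++) {
            results.add(pool.submit(new Callable<Integer>() {
                public Integer call() {
                    int bad = 0;
                    for (int i = 0; i < perThread; i++) {
                        try {
                            // A silently wrong time is counted too: for a ticket
                            // timestamp that is worse than an exception.
                            if (p.parse(SAMPLE) != EXPECTED) bad++;
                        } catch (ParseException e) {
                            bad++;
                        } catch (RuntimeException e) {
                            // e.g. NumberFormatException: multiple points
                            bad++;
                        }
                    }
                    return bad;
                }
            }));
        }
        int total = 0;
        for (Future<Integer> f : results) total += f.get();
        pool.shutdown();
        return total;
    }

    public static void main(String[] args) throws Exception {
        int shared = countFailures(new Parser() {
            public long parse(String s) throws ParseException {
                return SHARED.parse(s).getTime();
            }
        }, 32, 20000);
        int perThread = countFailures(new Parser() {
            public long parse(String s) throws ParseException {
                return PER_THREAD.get().parse(s).getTime();
            }
        }, 32, 20000);
        System.out.println("shared formatter failures:     " + shared);
        System.out.println("per-thread formatter failures: " + perThread);
    }
}
```

The shared-formatter count depends on timing and core count, so it varies from run to run; the per-thread variant never touches another thread's formatter state.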

  • Supplied credentials not accepted by the server and Could not validate SPNEGO token

    Hi,
    We have installed and configured SSO 2.0 SP02 on HP-UX system. We have exported the client policy files, root certificate from SLS and imported the same in the client PC. Then we have installed the SLC in client PC with logging enabled option. Now when we try to manually login using SLC we are getting the below error.
    In SLC - "Supplied credentials not accepted by the server"
    In Diatool - "Could not validate SPNEGO token"
    Attached are the trace file from SLC and logs from diatool. Can anyone suggest how to rectify this error?
    The trace file from SLC
    [2014.03.28 12:08:50.434][TRACE][sbus.exe            ][sbus.dll    ][  4856] CToken:: Secure Login token [toksw:mem://securelogin/Windows Authentication (SPNEGO) :: login
    [2014.03.28 12:08:50.452][TRACE][sbus.exe            ][sbusresloade][  4856] { GetLocale
    [2014.03.28 12:08:50.453][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:08:50.453][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin_Protocol_2_0::Send_Init
    [2014.03.28 12:08:50.453][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin::Send_Any
    [2014.03.28 12:08:50.515][ERROR][sbus.exe            ][BASE        ][  2800] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
    [2014.03.28 12:08:50.563][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:08:50.563][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] { CResourceManager::New
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] { GetLocale
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] { CResourceManager::Init
    [2014.03.28 12:08:50.568][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:08:50.568][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:09:00.979][ERROR][sbus.exe            ][sbus.dll    ][  4856] LogonUser failed with error 0x0000052e
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][Kerberos    ][  4856] Got kerberos ticket for 'HTTP/ssodev' with server key type 23 and session key type 23
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][BASE/RANDOM ][  4856] Get 8 bytes random data
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin_Protocol_2_0::Send_Auth_SPNEGO
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin::Send_Any
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin_Protocol_2_0::Handle_Auth_Response
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] } 80070005
    Regards,
    Yogesh Kumar D

    Hello Yogesh,
    With regards to the 2nd error "Could not validate SPNEGO Token"
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.SPNegoLoginModule                     SUFFICIENT  ok          exception             true       Could not validate SPNEGO token. Reason: No user with account attributes [[namespace=com.sap.security.core.authentication, name=principal, value=sap.helpdesk1, isCaseSensitive=false], [namespace=com.sap.security.core.authentication, name=realm, value=HZL01.VEDANTARESOURCE.LOCAL, isCaseSensitive=false]] found
    No logon policy was applied
    It means that the user "sap.helpdesk1" was decrypted from the kerberos
    token but there is no user with this name in the AS Java. The reason for that is a misconfiguration in the SPNEGO user mapping.
    Therefore, please open the SPNEGO wizard in the NWA and configure
    how AS Java should choose a user from the UME based on the received
    SPNEGO token. Here is some documentation about configuring the user
    mapping:
    http://help.sap.com/saphelp_nw73/helpdata/en/f4/1978c3a37a441b87a89d61c1a08689/frameset.htm
    Regards,
    David

  • SPNego - Windows integrated Single-Sign On not working - How to debug?

    Dear board,
    I've tried to configure SPNego - Windows Integrated SSO with no success yet. We do use SAP EP7 on Windows Server 2003 64bit with MS AD 2003. The following is done:
    - Service Account is created, authentication works when done on purpose
    - SPNego wizard completed successfully, WebAs Java restarted
    - IE6: Windows integrated Logon is activated, IE shows Intranet when accessing the portal url ( I can't modify the IE Security Settings yet, but as we do use KERBEROS outside of SAP as well, my assumption was settings are fine)
    - UID in windows, EP and ECC are equal
    When I access the portal URL, I am prompted for user id and password. How can I trace methodically what is wrong? Some kind of checklist with links, URLs or SAP Notes would be great. I've also read references to a test application as well as some diag / trace tool.
    Please post thoroughly as I am rather new to this topic and still missing important terms and knowledge.
    Kind regards and thanks in advance,
    Richard

    Dear board,
    after the service principal name registration was done (once again maybe) the error message disappeared in the SPNego wizard when I retrieve the Principal in Step 2; the test resolution works as before in step 3 of the wizard.
    At the moment, the error message in the central log file is still unchanged: Acquiring credentials for realm xxx.xxx.org failed, no valid credentials provided.
    #1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
    User: N/A
    Authentication Stack: com.sun.security.jgss.accept
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
    #1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
    [EXCEPTION]
    #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    Any ideas? I haven't used the diag tool yet, is there any other reasonable way how to debug the setup?
    Kind regards and many thanks,
    Richard

  • Host name of KDC for SPNEGO?

    Hi,
    Is the Host name of the Key Distribution Center the same as the Active Directory Domain?
    We have only one active directory domain, the domain is mycompany.internal.
    Will the host name of the KDC also be mentioned as mycompany.internal in the SPNego wizard?
    Regards
    Deb
    Edited by: Debasish Sarkar on Oct 20, 2008 7:25 PM

    Hi,
    We have only one active directory domain, it's mycompany.internal.
    XYZ is one of the active directory servers in this domain. Hence the fully qualified domain name for XYZ is xyz.mycompany.internal.
    The primary domain controller is xyz; the fully qualified name of this server is xyz.mycompany.internal.
    We have created the service user j2ee-ecd in the xyz ADS server.
    Now, when configuring SPNEGO through the wizard, what are the values to be provided in the following parameters:
    Realm Name: mycompany.internal
    KDC Host: ?
    Principal Name: ?
    Regards
    Deb

  • Java System Copy with SPNego configured

    Hi,
    I just attempted a java system copy of our EP7, SP12 Portal to new hardware.  The copy itself was successful.  I am not able to login to the Portal. 
    I ran the setspn -a HTTP/new_hardware same_user command to set the SPN with the ADS.  Still I am unable to login.  I have attempted to set the fall back login authentication method with the below SPNego settings and still I am not able to login.
    EvaluateTicketLoginModule ( SUFFICIENT )
    SPNegoLoginModule ( OPTIONAL )
    CreateTicketLoginModule ( SUFFICIENT )
    BasicPasswordLoginModule ( REQUISITE )
    CreateTicketLoginModule ( OPTIONAL )
    Could there be a step with SPNego that I may be missing with a system copy?
    Any help is greatly appreciated.
    Regards,
    Rick

    Rick,
    This is the central note for SPNego related issues: 968191
    SAP AS Java can not start after running SPNego wizard: check this note as well: 1082560.
    Note 982044 - SPNego succeeds but overall logon fails.
    Let me know what error message you get when you try to access the Portal. Get the information from the log files.
    <drive>:\usr\sap\<sid>\<ins_id>\j2ee\cluster\server0\logs\defaultTrace.trc
    try to get the information from "work" directory as well.
    Regards,
    Karthick Eswaran
    Edited by: Karthick Eswaran on May 9, 2008 9:46 AM

  • Configuring SPNego in EP7

    Hi,
    I am using the SPNego wizard to configure SSO.  On step 3 of 4, the resolution mode is set to none.  I test the user and get "Service user <username>@domain.com not found" error message.
    According to the troubleshooting section, the problem could be one of the below 3 items.
    Service user not under the configured User Path in UME
    The mapping attribute does not exist in UME data source
    The UME attribute is mapped to wrong physical attribute
    Can someone elaborate on how to confirm the above 3 items?
    Your help is greatly appreciated and points are always awarded.
    Regards,
    Rick

    Hi Rick,
    usually modifying the Ticket stack should not prevent you from accessing the visual admin.
    If you cannot login then you probably have modified the policy configuration [SAP-J2EE-Engine] . In order to restore the login configuration for the visual admin start the config tool. Then switch to the edit mode / configuration editor -> go to security -> authentication and check the entries there.
    You should see two more "folders":
    DBMS User Store
    UME User Store.
    If you extend these folders you will see one folder "0" and the entry size=1.
    In the folder 0 you have the entries
    classname="com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule" and the entry
    flag="SUFFICIENT".
    If this is not the case correct it accordingly.
    After a reboot you should be able to connect to the visual admin again.
    If this is not possible (because you cannot enter the entries or because you have other problems) please drop me an email and we can try to solve it "offline".
    Regards,
    Holger.

  • Problem loggin in SPNego

    Hi gurus,
    I am getting the below error when I am trying to log in to the URL
    http://<localhost>:<port>/spnego
    Acquiring credentials for ream SASOL.COM failed
    [EXCEPTION]
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:242)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:31)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:350)
    Caused by: javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.accept
         at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
         at sun.security.jgss.LoginUtility.run(LoginUtility.java:56)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
         ... 9 more
    please help me on this
    thanks
    kishore

    Hi Kishore,
    It seems that you have missed configuring the com.sun.security.jgss.accept policy configuration. As the manual configuration is not officially supported anymore, please use the SPNEGO Wizard from SAP Note 994791 to set up SPNEGO. It will resolve this problem.
    Regards,
    Dimitar

  • SPNEGO on dual stack

    Dear Experts,
    I want to implement SSO at the client's place and I have gone through the note
    Note 994791 - SPNego Wizard.pdf and in that they have the following attachments
    File Type  File Name                             Language  Size
    ZIP        SPNego_DB_datasource_Sun_JDK_1.zip    E         2.008 KB
    ZIP        SPNego_DB_datasource_Sun_JDK_2.zip    E         1.538 KB
    ZIP        SPNego_ADS_datasource_Sun_JDK_1.zip   E         1.049 KB
    ZIP        SPNego_ADS_datasource_Sun_JDK_2.zip   E         1.470 KB
    I have Solaris 10 with ECC6 and EP7 SP 9 on the same box and need to configure SPNego on it (dual stack).
    Of the above .zip files, which will be for my requirement?
    What does the SPNego_DB, SPNego_DB

    Following is the setspn command details and I am stuck with the LDAP user path and groups through Portal--> System Admin
    local J2ee-
    @(AT)
    C:\Documents and Settings\tsadmin3>ldifde -r (samaccountname=J2ee-dev) -f out.ldf
    Connecting to "abcbhdc01.bah.ARAB.LOCAL"
    Logging in as current user using SSPI
    Exporting directory to file out.ldf
    Searching for entries...
    Writing out entries.
    1 entries exported
    The command has completed successfully
    dn: CN=J2ee-dev,OU=IT Application Services(763),OU=Global Information Technology (760),DC=bah,DC=ARAB,DC=LOCAL
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: J2ee-dev
    description: Sab sign on user
    givenName: J2ee-dev
    distinguishedName:
    CN=J2ee-dev,OU=IT Application Services(763),OU=Global Information Technology (
    760),DC=bah,DC=ARAB,DC=LOCAL
    instanceType: 4
    whenCreated: 20090209075309.0Z
    whenChanged: 20090211090157.0Z
    displayName: J2ee-dev
    uSNCreated: 46498115
    uSNChanged: 47113114
    name: J2ee-dev
    objectGUID:: 6AF2hwAcCE60Gb5HcDD0jA==
    userAccountControl: 2163200
    codePage: 0
    countryCode: 0
    scriptPath: duser1.bat
    pwdLastSet: 128786537344568663
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAADi/cefk/OnBiRqljSjAAAA==
    accountExpires: 9223372036854775807
    sAMAccountName: J2ee-dev
    sAMAccountType: 805306368
    userPrincipalName: J2ee-dev AT bah.ARAB.LOCAL
    servicePrincipalName: HTTP/ABCBHDC01.bah.ARAB.local
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ARAB,DC=LOCAL
    Can I get what information to update in user path and group path.
    As far as Configtool is concerned I am not able to enter any details in UME LDAP data.
    Also what other settings required?
    in spnego I am getting
    Search by service user mapping attribute krb5principalname=J2ee-devATBAH.ARAB.LOCAL failed; check the mapping attribute and the UME configuration
    In configtool, I have set the self.addattrs to krb5principalname
    Rest what needs to be done?
    Please guide..

  • SPNego Doubt

    Hi !
    I've been setting up SSO using the SPNego wizard via http://server:port/spnego for a 740 Portal system.
    Using the wizard, I was able to successfully setup SSO for Sandbox & Dev.
    For Production, I see the below error when I use the Manual option under Add:
    Error during generation of encryption key with type AES256-CTS-HMAC-SHA1-96: Illegal key size. Check the crypto policy file in use and also SAP Note 1240081
    If I use the Keytab option under Add, I'm able to proceed successfully & SSO also works fine on Production.
    In Dev & Sandbox I see 4 keys; whereas, Production does not show me the AES256 key.
    Is there something amiss with my Production box, that the first option does not work ?
    SP's levels are the same...SP 7...even SAP JVM...
    Kindly help advise.......
    Thanks a lot !
    saba.

    Dear Saba,
    Hope you are doing good.
    Nice to hear from you again.
    Normally following note 1240081 should have fixed this issue. Both local_policy.jar and US_export_policy.jar files contain the unlimited versions. Please ensure that when you store new JCE files in the path sapjvm_N/jre/lib/security/, the old jar files are not present there, not even with new extensions. Please move them to a different directory.
    Also, the JVM location should be /usr/sap/<SID>/J<nr>/exe/sapjvm_6/jre/lib/security
    even though the files will be present at:
    /usr/sap/<SID>/SYS/exe/jvm/
    Once this is done, re-run the SPNEGO wizard again. If the issue still persists, kindly run the web diag tool as outlined in SAP Note No. 1332726.
    Hope this helps.
    Kind Regards,
    Hemanth
    SAP AGS

  • SPNEGO when the Portal Authentication is set to ABAP

    Hi all,
    I have seen documentation (994791) showing how to set up SPNEGO if the authentication is of type DB or ADS. But i cannot see how to do it if the authentication is of type ABAP.
    I have added the krb5principalname in to the config as per note 994791, but with type ABAP the Customized Information field (krb5principalname) is not coming up in User Creation/modification?
    Can anyone help?
    Thanks,
    Guy

    The only thing I know is that this is not officially supported by SAP.
    Up to SP11 there was said to be a workaround which I failed to implement myself as there was no help from SAP via OSS.
    Since SP12 in general SAP supports SpNego config by the new SPNego wizard only so I think the possibilities have become even less.
    But let me say: I have had the same problem as you have and I was not able to solve it.
    Sigi

  • SPNego Configuration

    Hi All,
    We have configured SPNego on customer's sand box and DEV as mentioned in the thread
    https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/8235,
    however when we tried configuring on the QA system, we are getting the following error.
    UME cannot resolve Kerberos principal name principalname, check selected resolution mode.
    We have selected Prefix-Based from drop box
    KPN Prefix: krb5principalname
    KPN Suffix: dn
    Any help will be highly appreciated.
    Satish

    Hi Satish,
    Have a look at SAP Note 994791 - SPNego Wizard, and the attachments to this note.
    It should surely help you solve the problem.
    Regards,
    Anagha

  • SPNego authentication to Portal

    Hi
    Can anyone tell me whether SPNego authentication would work when you call the Portal via a web dispatcher? I can authenticate automatically when calling the Portal directly so I know it's configured and working when called directly.
    We have hidden our servers behind a VLAN and allow access only via the web dispatchers.
    Thanks
    Mark

    Thanks Patrick
    Have you got this scenario working yourself?
    I have the following scenario. False names to protect the innocent!!!
    Lets assume Portal server is called - pserver1.sap.somedomain.com
    N.B. Sits in subdomain sap of domain somedomain.com
    It is fronted by two load balanced web dispatchers in the parent domain somedomain.com
    webdisp1.somedomain.com
    webdisp2.somedomain.com
    load balancer is referred to as webdisp.somedomain.com
    To gain access to the portal the dispatcher is running on port 8107 on both web dispatchers
    so...
    Direct access to portal is
    http://pserver1.sap.somedomain.com:50000/irj/portal
    Web dispatcher access is
    http://webdisp.somedomain.com:8107/irj/portal
    Because I'm not sure I have grasped the full implications of Kerberos realms I have set up the following on both domains. It's overkill I know but I wanted to be sure.
    service user s-sid-j2ee on DC for sap.somedomain.com
    setspn -a HTTP/webdisp.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp1.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp2.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/pserver1.sap.somedomain.com s-sid-j2ee
    service user s-sid-j2ee on DC for somedomain.com
    setspn -a HTTP/webdisp.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp1.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp2.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/pserver1.sap.somedomain.com s-sid-j2ee
    I configured the SPNEGO wizard with both realms and their respective service users.
    result
    I get logged in when accessing pserver1
    I don't when accessing via the web dispatcher load-balanced address or each individual web dispatcher.
    Any ideas?
    Thanks
    Mark

  • Spnego on a clustered portal

    Hey all,
    I am about to embark on a mission to configure Kerberos authentication on a clustered portal. Any suggestions?
    I'm guessing that it is more or less the same, but registering SPNs for every server in the cluster and ensuring the keytab/conf file is accessible to all servers. Is this correct?
    I already managed (with a lot of pain) on a single-host portal (see this thread: spnego wizard with EP7 / ADS )
    Question: should the UPN be in the format
    1) [email protected] , or
    2) host/[email protected]
    If (2), I guess "portalserver" would be the clustered DNS. How would this work if you want to access a single server individually?
    Thanks in advance for all the excellent advice.
    Regards,
    faB
    **a little bribe: I award points to the max

    Hello,
    One thing that was a little odd about the wizard was that it configured one of my server's JVM to use a UNC name (-Djava.security.krb5.conf=<SCS>\sapmnt\<SID>\SYS\global\kerberos\ID<>\krb5.conf), and the other a local drive. I changed both to the respective UNC name and it was OK.
    You only need the SPN entry for the virtual name (HTTP/virtual.domain.com), unless you want to log onto the servers directly. Then just set multiple SPNs.
    My UPN is like [email protected], but from the previous thread, your environment seems to require some inconsistency?
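
Added example (not part of the thread and not SAP tooling): a small Python audit of the rule in the reply above, that the virtual name needs an SPN and each node needs one only if users log on to it directly. The host names other than virtual.domain.com, the accounts svc-j2ee and svc-old, the "account: spn" listing format and the port-less SPN lookup are all assumptions made for the example.

```python
# Added example: SPN audit for a portal behind a virtual (cluster) name.
# All host names, accounts and the listing format below are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

LISTING = """
svc-j2ee: HTTP/virtual.domain.com
svc-j2ee: HTTP/node1.domain.com:50000
svc-old:  HTTP/virtual.domain.com
"""
URLS = ["http://virtual.domain.com:50000/irj/portal",   # normal entry point
        "http://node1.domain.com:50000/irj/portal"]     # direct logon to a node

def spn_for_url(url):
    # Assumption: browser defaults, i.e. the ticket is requested for
    # HTTP/<host> without the port, for http and https URLs alike.
    return "HTTP/" + urlsplit(url).hostname.lower()

def parse_listing(text):
    """Map each registered SPN to the set of accounts that hold it."""
    owners = defaultdict(set)
    for line in text.strip().splitlines():
        account, spn = (part.strip() for part in line.split(":", 1))
        service, _, host = spn.partition("/")
        owners[f"{service.upper()}/{host.lower()}"].add(account.lower())
    return owners

def audit(urls, owners, service_account):
    """Return (missing, misplaced, duplicated) SPN lists."""
    needed = {spn_for_url(u) for u in urls}
    # No account holds the SPN the browser will ask for.
    missing = sorted(s for s in needed if s not in owners)
    # The SPN exists, but not on the account whose key the portal uses.
    misplaced = sorted(s for s in needed
                       if s in owners and service_account not in owners[s])
    # One SPN on several accounts: the KDC cannot pick a unique key.
    duplicated = sorted(s for s, accts in owners.items() if len(accts) > 1)
    return missing, misplaced, duplicated

if __name__ == "__main__":
    for label, spns in zip(("missing", "misplaced", "duplicated"),
                           audit(URLS, parse_listing(LISTING), "svc-j2ee")):
        print(f"{label}: {spns}")
```

With the constructed listing, the port-qualified node entry does not satisfy the port-less lookup, and the virtual name is reported as held by two accounts.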
