SSPIs and SPNEGO

Similar Messages

• Kerberos and SPNEGO

  I wan trying to do sso for Oracle UCM 11g which uses weblogic 10.3.4 using Kerberos and SPNEGO as stated in Oracle documentation
  I followed all steps on the following links
  http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/sso.htm#i1102021
  and
  http://download.oracle.com/docs/cd/E17904_01/doc.1111/e10792/c03_security.htm#CDDDIHBA
  My issue is strange there are no error no exception and SSO not working even if I added wrong info to krb5.conf or krb5login.conf, I have created JAAS configuration file, and I have specified krb5login.conf file location as a startup option in the WebLogic where I have added the following to startWeblogic.sh
  JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
  what do you think I am facing here???

  Hi,
  Apply SAP Note 1045019 (Example 3) and provide for analysis the errors (in red) from the collected traces.
  Regards,
  Dimitar

• Anonymous and SPNego issue

  Hi ,
  We are using EP 7.0 EHP 1 portal for couple of purpose.
  1) Anonymous Webpage composer site for intranet information portal purpose
  2) SPNego SSO configured portal for ESS/MSS access.
  Now the problem is when the users are accessing the anonymous portal url (http:hostname:port/irj/portal/anonymous it is actually does SPNego to the user and they get logged on to portal to see ESS/MSS roles.
  I am not sure why launching the anonymous url does SPNego SSO. any clue on this?
  Thanks,
  Siva

  Hi Simon,
  Yes we have the default anonymous portal url as http://<portal_hostname>/irj/portal/anonymous.
  The KDC is configured to issue a token for <portal_hostname>. So you mean to say because of this, the use gets the token when they logon to network and even if they access the anonymous url, they would be logged on to portal automatically?
  Should i change the hostname for anonymous url like http://anonymous_hostname/irj/portal/anonymous ? will it would solve the problem.
  Thanks,
  Siva

• Sap webdispatcher and spnego

  what needs to be done for sapwebdispatcher to work with spnego? we've done setspn for webdispatcher host, but it prompted us to login to webdispatcher server. Do we need to change any configuration in UME or j2ee engine?
  Thanks
  Jane

  Hi
  For using SPNEGO through a SAP webdispatcher you only need to create a SPN for the webdispatcher host like "setspn -A  http/<webdisp-host> <j2ee-user>".
  The <webdisp-host> must be FQDN like "host.domain.com" and the <j2ee-user> should be the J2EE service user created when configuring SPNEGO/kerberos for J2EE.
  BR
  Tom Bo

• UI5 and SPNEGO authentication

  Hi,
  we already use the Netweaver Gateway to provide some OData services.
  These services are consumed by some 3rd party software components.
  To authenticate the user at the Gateway, these applications are using the SPNEGO authentication mechanism.
  Now I wanted to start to develop my first UI5 app. Of course I'd like to consume the OData services from our existing gateway installation.
  The main problem that I'm currently facing is, that I don't know how to use Single Sign On (based on Kerberos tickets) to consume the gateway services from an UI5 app. I would like to use SPNEGO but I didn't find any information on how to implement SPNEGO in an UI5 app.
  Can you please provide me some information (or even some code snippets) on how to use SPNEGO authentication from an UI5 app!?!?
  Thanks in advance
  Holger

  Hi Michael,
  Thanks for that.  My opinion of secondary authentication is the same, but hey ho.  The client insists.  I think the main iview is the payslip iview, so it is on the same server as the portal. 
  My thinking was that as form based logon uses com.sap.portal.runtime.logon.certlogon and basic authentication uses com.sap.portal.runtime.logon.basicauthentication they could have different priorities set in authschemes.xml and consequently it asks for secondary authentication.  However, I see your point that they are both in the ticket logon stack.
  Paul

• RSA and SPNEGO

  Hi -
  As part of one of our projects - We actually configured RSA authentication using the SI JAAS Module in the EP 7.0 Environment- and it worked successfully. Now, as next step, we are trying to configure the Portal for Single Sign On within the Network - via SPNEGO. Do you forsee any issues/customization or will it work without glitches? Any suggestions?
  Let me know.
  Thanks.

  Mayur,
  If you construct the JAAS stack correctly, you should be fine.
  You probably want:
  EvaluateTicket - sufficient
  SPNEGO - optional
  CreateTicket - sufficient
  RSA - optional
  CreateTicket - sufficient
  Basic - Requisite
  CreateTicket - optional
  The idea here is that CreateTicket only succeeds if there is a valid user in the context - so having CreateTicket as sufficient down the stack means that as soon as one of the (optional) modules above populates a valid user, a ticket is created and the stack is exited, all the way down to the usual Basic/CreateTicket pair at the bottom, which is your fallback username/password authentication.
  Hope this helps,
  Darren
  <a href="http://www.fortybeans.com/">Read my blog</a>

• SSPI and revocation

  Does Windows SSPI perform any OCSP/CRL checking when its asked to perform certificate validation or do you have to explicitly pass a command to SSPI in order to do OSCP checks?

  Hi,
  Based on my research, the Microsoft Security Support Provider Interface (SSPI) is the foundation for Windows authentication. The default Security Support Providers (SSPs) that invoke specific authentication protocols in Windows are incorporated
  into the SSPI as DLLs.
  During Kerberos smart card authentication, Kerberos Security Support Provider is used. During the authentication process, the certificate within the smart card is validated using Kerberos version 5 protocol.
  Therefore, I would say that Windows SSPI does perform OSCP/CRL checking, automatically.
  More information for you:
  Security Support Provider Interface Architecture
  http://technet.microsoft.com/en-us/library/dn169026(v=ws.10).aspx
  Best Regards,
  Amy

• JGSS: SPNEGO and NTLMv2

  Hey there,
  I'm getting up to speed on JGSS, both for general Kerberos use and for ActiveDirectory use, and I'm wondering: if the SPNEGO results in NTLM being chosen, does the underlying implementation handle this, or does it fail. (I'm assuming a Windows environment). If it succeeds, does it do so with NTLMv2, or just with NTLMv1?
  Just for context, we're using Apache's HttpClient.
  thanks in advance,
  James

  JimDesu wrote:
  Hey there,
  I'm getting up to speed on JGSS, both for general Kerberos use and for ActiveDirectory use, and I'm wondering: if the SPNEGO results in NTLM being chosen, does the underlying implementation handle this, or does it fail. (I'm assuming a Windows environment). If it succeeds, does it do so with NTLMv2, or just with NTLMv1?Hi James,
  There are two HTTP authentication mechanisms that are of interest in a Windows environment. There is WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM. The Negotiate method uses the SPNEGO protocol to negotiate either Kerberos or NTLM. The NTLM method uses the NTLMSSP protocol. SPNEGO is mostly just an envelope around Kerberos or NTLMSSP tokens.
  Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens.
  However, Sun's builtin HTTP client has inlined code that will perform NTLMv1 authentication using the NTLM method.
  Just for context, we're using Apache's HttpClient.Apache's HttpClient also only supports NTLMv1. There has been external interest in supporting NTLMv2 but, in general, the Apache crowd has not embraced the NTLM work citing the fact that it is not a standards based technology.
  The only 100% Java HTTP client that supports NTLMv2 that I know of is the one included in a library called "Jespa":
  [http://www.ioplex.com/jespa.html]
  Currently the client is only exposed as a standard HttpURLConnection and URL Handler. However the underlying code supports pipelining, asynchronous I/O and other advanced features that will eventually be exposed.
  Mike

• SSO for Enterprise Portal 6 with different Portal and R/3 userIDs

  Hi there,
  We are using SNC library for SAP GUI logon to R/3 and SPNEGO for Web access to EP. What works for us currently is:
  SSO from Windows logon to Portal using SPNego (LDAP as our datasource with AD)
  However once we are inside the portal, the SSO to R/3 using SNC is not working. I have my Portal user mapped to my R/3 user as they are different usernames.
  But, if i launch SAP GUI on its own i can SSO into R/3 no problem.
  So, i have 3 queries here!
  1) Why am i not able to SSO into R/3 once i have SSO into Portal?
  2) Is there any way around the high maintenance of the user mapping?
  3) I have read on SAP Help about "Using an LDAP Directory Attribute as the ABAP User ID" but this will still require user / administrator to maintain the R/3 password.
  Is it possible to disable the R/3 password and thus have no maintenance as the R/3 (ABAP) User ID will be stored in LDAP attribute?
  Hoping you can help...
  Thanks.

  Answers below:
  1)
  When you say "ITS" I assume you are referring to the Integrated ITS in NetWeaver, not the external ITS product ?
  Anyway, if you are referring to Integrated ITS, then surely you are using webgui, not SAP GUI. The webgui is accessed via browser and is not related to SNC or SAP GUI product. The SAP GUI product is a Windows application that uses SNC to authenticate to SAP systems.
  If you are logged onto portal, which is a J2EE application and trying to access webgui which is running on ABAP Engine, then this might not work becasue your SSO2 trust is not setup correctly. Do you see an error in work process log saying anything about why the SSO2 ticket is not accepted ? Also, if ABAP and JAVA are on same system and Java Engine was installed as an add-in, you might need to create new SSO2 certificates to avoid a clash, and change client number from 000 to something else so SSO2 tickets issued in J2EE engine are differentiated from SSO2 tickets issued by ABAP Engine, but they are still trusted through configuration in STRUSTSSO2 t-code.
  2)
  You need to use a different product, which is available from a SAP partner to do this. I am not allowed to mention third party products on this forum, so if you want to know more you will have to contact me offline via email.
  3)
  See answer to question 2.
  Thanks,
  Tim

• CVSnt and winCVS connection

  hi...i really need ur guys help..
  im trying to create client-server architecture using CVS.For this i installed winCVS1.3b20-2
  and also installed cvsnt 2.0.51.0 on 1 machine say mac1 that shud act as a client and for another machine say mac2 installed cvsnt 2.0.51.0 and ofcourse it shud act as a server.
  after setting the configurationv from cvsnt contrlpanel applet i created repository that is stored as C:\CVSREPOS1\TEST and also created a CVSTEMP folder in the same directory.
  i employed sspi protocol and tested the connection on server side using sspi and it worked well and then tried to import a project folder from winCVS gui of mac1 to the repository that resides on mac2(server) and finally failed.I set the cvsroot from winCVS on mac1 as
  "cvsroot=:sspi;username=sys16;hostname=sys-16:/TEST" where "sys-16" is the servers computername and "sys16" is the user or admin name or whatever.
  After running the command the error has occured as shown on the output console.
  cvs -z9 -q -d :sspi;username=sys16;hostname=sys-16:/TEST import -I !
  cvs [server aborted]: cannot change permissions on temporary directory C:\CVSREPOS1\CVSTEMP/cvs-serv4000: No such file or directory
  cvs [import aborted]: reading from server: error -1
  ***** CVS exited normally with code 1 *****
  so,can u please help me out what cud be the wrong thing i did ..I guess it must be relly sumthing odd .
  please try to reply me fruitfully as soon as possible....i wud be grateful to u.
  Thanking u in advance..
  takecare.

  Hopefully Apple will fix this. It'd be nice if you could at least e-mail them and let them know stuff is broken. Who knows if they actually read these forums:
  http://discussions.apple.com/thread.jspa?messageID=6978064&#6978064

• HTTP/SPNEGO Authentication

  Hi,
  Having read in posting [http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15|http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15] that "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens" I' still wondering why the getPasswordAuthentication() in class MyAuthenticator of Sun's [HTTP/SPNEGO example (2nd case)|http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Example] is not called upon starting the client without giving any arguments, i.e.
  java RunHttpSpnego http://www.ad.local/hello/hello.htmlFrom the server the client receives a
  WWW-Authenticate: Negotiateresponse, and the client should enter the HTTP/SPNEGO challenge/response protocol.
  To summarize, class MyAuthenticator looks like:
  class MyAuthenticator extends Authenticator {
          public PasswordAuthentication getPasswordAuthentication() {
              // I haven't checked getRequestingScheme() here, since for NTLM
              // and Negotiate, the usrname and password are all the same.
              System.err.println("Feeding username and password for "
                 + getRequestingScheme());
              return (new PasswordAuthentication(kuser, kpass.toCharArray()));
      }It should be called as a side effect of openConnection() upon executing the following code:
  Authenticator.setDefault(new MyAuthenticator());
  URL url = new URL(args[0]);
  InputStream ins = url.openConnection().getInputStream();
  ...My client environment is Windows Vista, Java 1.6.0_16, and the client is not a member of an Active Directory.

  Perhaps the issue is with this quote:
  "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens"
  I believe the HttpURLConnection class in JDK 1.6 can handle NTLM.
  Meaning, if you logon to your workstation as a domain user and run the java code, it is probably using NTLM.
  I recall noticing this when I put TCPMon between the workstation and the server.

• SSPI Connector for weblogic

  Hi,
  I have to integrate OAM with Weblogic directly and in our environment we have multiple webservers through which the enduser will access the application.So, I have some doubts for implementing this:
  Could anyone please clarify if we can configure SSPI connector with multiple webgates?
  Can we install SSPI connector without the proxy server ( without webgate being installed) ? If yes, Please provide the link which provides the information for the same.
  Thanks in Advance.

  Hi Mahendra,
  Thanks for your response.
  As per my understanding, while installing SSPI connector we have to specify the name of webgate instance with which SSPI communicates to OAM. In our environment we have loadbalancer configured for eight webservers and there is a webgate on each of these servers. The enduser will access through the loadbalancer and the request can be catered by any one of these webgates.
  If we establish a communication of SSPI with single webgate, whether SSPI can authenticate the users if that webserver goes down ?
  In the link provided, it was mentioned we can install the SSPI without webgate, does this mean we can establish direct communication between SSPI and OAM ?
  Also there is no seperate steps for SSPI-OAM direct integration.Could you please provide anyother doc/link , for installation of SSPI-OAM integration.

• IIS Proxy SAR file needed

  Hi all:
     I would like to implement the IIS Proxy SSO solution. Is there anybody can send me the IIS Proxy SAR file ?
     I cannot find it in service.sap.com/patches
     my mail : [email protected]
     I will give you the reward points.
     thanks.

  Hi,
  To my knowledge IISProxy is not supported/delivered by SAP anymore. See the OSS note 886214 for details. You can use WebDispatcher as reverse proxy and SPNego for SSO authentication. They are supposed to be replacements for what you could do with IISProxy.
  So I doubt you will find IIS Proxy inside Service Marketplace. Doesn't mean that you cannot get it anywhere else though.
  Regards,
  Mike

• SSRS Execution Account cannot be used with Report Builder

  Running SQL Server 2012 SP2, I have specified an Execution Account in Reporting Services Configuration Manager as described here: http://msdn.microsoft.com/en-us/library/ms156302(v=sql.110).aspx
  The article states: "You can specify Integrated Security=SSPI if the database server supports Windows integrated security and the account used for unattended report processing has permission to read the database." I have created a data source using
  the Report Manager Web interface with connection string: "Data Source=<server>;Initial Catalog=<database>;Integrated Security=SSPI" and "Connect using: Credentials are not required" option.
  The Execution Account is a domain user account with db_owner membership on the database in question. When I "Test Connection" in Report Manager, the connection is created successfully.
  However, when I attempt to create a new dataset using this data source in Report Builder, I am unable to connect to the data source: "You have specified integrated security or credentials in the connection string for the data source, but the data source
  is configured to use a different credential type. To use the values in the connection string, you must configure the unattended report processing account for the report server."
  If I change the "connect using" option for the data source to "Windows integrated security" I can successfully create a new dataset and report in Report Builder. After saving the report, I reconfigure the data source for "Credentials
  are not required" and I am able to successfully run the report using the Execution Account.
  Is this a known limitation? The Report Builder cannot be used with an unattended Execution Account configured?

  Hi desmondgc,
  According to your description, you have set the execution account for connecting data source. You can connect data source successfully, but can't create dataset with the unattended account. Right?
  As we tested in our local environment, we encountered the same issue. Even testing connection successfully in Report Builder, it still says unable connect to data source when creating dataset.
  For this issue,  I would recommend to submit it to the Microsoft Connect at this link
  https://connect.microsoft.com/SQLServer/Feedback.
  This connect site will serve as a connecting point between you and Microsoft, and ultimately the large community for you and Microsoft to interact with. Your feedback enables Microsoft to offer the best software and deliver superior services, meanwhile you
  can learn more about and contribute to the exciting projects on Microsoft Connect.
  We will keep you updated if we find something, thank you for your posting.
  Best Regards,
  Simon Hou

• How do I troubleshoot AD authentication after a SUCCESSFUL bind?

  In the Domain Controller Security Policy on my active directory domain (w2k3), I opened Local Policies -> Security Options and changed "Microsoft network client: Digitally sign communications (if server agrees)" to Enabled, and I changed "Microsoft network server: Digitally sign communications (if client agrees)" to Enabled. I then did GPUPDATE from a cmd prompt on the domain controller and I was able to bind with my 10.4.7 PowerBook.
  But now that I am bound I still cannot authenticate with domain credentials. Yes, in SMB/CIFS I have set the workgroup to be the netbios name of my domain. And the clock is synced with the domain controllers. I have even edited my smb.conf file with the "realm = MY.DOMAIN" and "security = ADS" and "spnego = yes" lines (where, of course, "MY.DOMAIN" = my domain name). But when I get to the login screen and type in my AD username and password, I get the shaking screen. It's like it isn't even trying to authenticate me with the domain.
  The computer account appeared in Active Directory with no problems. I have bound and unbound and rebound, to no avail (but, notably, with no errors in binding at any point).
  I'm not even sure which log will show me the authentication process so I can check for errors.
  Please help...
  PBG4 17" 1.67GHz 2GB 100GB   Mac OS X (10.4.7)  

  Hi Eric!
  Most of your steps for binding are correct, however you don't need to modify your smb.conf file.
  A couple of things that come to mind are:
  1. When attempting to log in you may be using a local user name that is the same as an AD user name. The local user name will always override an AD user name.
  2. Your AD domain may be incorrect. You may be trying to use an incorrect domain such as "subdomain.domain.com" when all you really need is "domain.com". This could still result in a bind but incorrect authentication.
  Also, this may sound simple but have you made sure the Active Directory plugin in the Directory Service application is checkmarked and that your domain is appearing under the Authentication section?
  After binding, you should be able to immediately go into the Terminal application and issue a switch user command using an AD user name ("su shortname") for testing. This will make troubleshooting easier than logging out and logging in again.
  The log your looking for can be found in the Console under /Library/Logs/Directory Service.
  Hope this helps! bill
  1 GHz Powerbook G4   Mac OS X (10.4.7)