— UPDATE —

A new SPNEGO LoginModule is now available. Please check “New SPNego login module – just around the corner”, which refers to the new module described in Note 1457499 – SPNego add-on.


In the last few weeks I was asked by several customers, and here on SDN, about configuring and troubleshooting the SPNego login module for the J2EE Engine. So I decided to write my first blog. Since there are already several blogs available that deal with setting up SPNego, I am planning to write at least three parts about SPNego:

  • the first part is about the configuration of SPNego and some general tips (this was covered quite some time ago, but I think it belongs in a complete troubleshooting series)
  • the second part will deal with common problems and some tools to figure out what went wrong
  • the third part will deal with more detailed troubleshooting, which you might find helpful if you were not able to solve the problem with the tools from part two

Even if you are not able to solve the problem with these three blogs, I hope to shed some light on what is going on. And the logs and information you collect here will most certainly help speed up any support messages you might have to create.

Documentation

First of all let me say that I think the documentation about the SPNego login module is rather good. I have been working on SPNego ever since it was first developed for a customer project at SAP. The documentation you can find on help.sap.com dates from that time (updated since then, of course).
But for several months now the SPNego Wizard has been available, which makes configuring SPNego much easier. Instead of working through several sections in the Visual Admin, editing files with a text editor and so on, you can use a simple web-based wizard and are (hopefully) done within about 30 minutes. I would always recommend using the wizard, and this is what this first part is all about. Of course it is not always that simple: I had plenty of installations where something did not work right away, and then you have to troubleshoot.

SPNego Wizard

Take a look at Note 994791 – SPNego Wizard.
Here you can download the SPNego Wizard (if it is not already contained in your J2EE installation). There is also a ZIP file, which I strongly recommend, containing videos about the installation. It is fast, but with the help of the pause button of your video player you can see everything you need to know. Also contained in the ZIP file are a PDF document and sample dataSourceConfiguration files that you can use to configure your UME to connect to your LDAP directory.
[If you are using the Sun JDK for your J2EE Engine, please make sure that you are using JDK 1.4.2_13 and not _14, _15 or _16. Unfortunately all these versions contain a bug that prevents Kerberos from working, see Note 1057474 – NullPointerException in KRB5LoginModule]

Create SPNego Service User

The first step is to configure a service user in your LDAP directory. For my screenshots I used a J2EE Engine that I will attach to a Microsoft ADS.
Create a user in the ADS and make sure that the following properties are set:
* Password never expires
* Use DES encryption types for this account

Now set the service principal names (SPNs) for this user. An SPN has to exist for every URL / DNS alias you are going to use to access the J2EE Engine, and of course the fully qualified computer name has to be registered as well. Simply repeat the command
setspn -A HTTP/servername username

for each URL. You can do a quick check via setspn -L username to see if your settings were successful (all entered SPNs should be returned).

Connect the UME

Then you have to connect the user management engine (UME) of the J2EE Engine to the ADS. In order to do this, upload the dataSourceConfiguration file attached to the Note via the configtool [click on Browse, select the file and click on Upload]:

Then select it from the drop down list and enter all the data required.

Now you can click on Browse to select the User and the Group path where your users and groups are stored in the LDAP directory:

Make sure to test the connection and the authentication. 

After that restart the J2EE Engine.

Run the wizard

Now you are all set to start the SPNego Wizard. Simply open the URL http://servername:port/spnego

The first screen is just to remind you of what you have to do as a prerequisite.

Now you have to tell the wizard something about your Kerberos setup and the LDAP attached.

(You can use either Enter Principal or Retrieve Principal; both options should work just fine.)

In the next step you tell the wizard how the user lookup will work. The J2EE Engine receives the Kerberos ticket, whose principal name usually consists of the sAMAccountName and the domain. So in order to find the user in the UME, the best way is to split the name: first search for the first part (kerbprefix, e.g. sAMAccountName), and only if the result is not unique use the second part (KPN suffix, the domain name). Of course you can also try the other options, simple and basic, but I would start with prefixbased.
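To make the prefix-based lookup concrete, here is an added example (my own code, not the blog's or SAP's) that models that lookup order over a small, constructed in-memory user store: split the Kerberos principal name at the `@`, search by the prefix, and consult the suffix only when the prefix alone is ambiguous. The attribute names `sam_account_name` and `domain`, the `unique_id` values and the sample users are assumptions made for the example; a real UME datasource maps its own LDAP attributes.

```python
"""Prefix-based resolution of a Kerberos principal name (KPN) to a UME user.

Added example modelling the lookup order described above (not code from
the blog or from SAP).  The user store, its attribute names and the
sample users below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class UserResolutionError(Exception):
    """The KPN could not be mapped to exactly one user."""


@dataclass(frozen=True)
class UmeUser:
    unique_id: str          # what the login module hands on to the engine
    sam_account_name: str   # assumed to hold the KPN prefix (e.g. jdoe)
    domain: str             # assumed to hold the KPN suffix (e.g. CORP.EXAMPLE.COM)


def split_kpn(kpn: str) -> Tuple[str, str]:
    """Split 'prefix@SUFFIX'; realms compare case-insensitively, so the suffix is upper-cased."""
    prefix, sep, suffix = kpn.partition("@")
    if not sep or not prefix or not suffix or "@" in suffix:
        raise UserResolutionError(f"malformed Kerberos principal name: {kpn!r}")
    return prefix, suffix.upper()


def resolve_prefix_based(kpn: str, users: List[UmeUser]) -> UmeUser:
    """Step 1: search by prefix only.  Step 2 (only if ambiguous): narrow by suffix."""
    prefix, suffix = split_kpn(kpn)
    # sAMAccountName is case-insensitive in Active Directory.
    by_prefix = [u for u in users if u.sam_account_name.lower() == prefix.lower()]
    if len(by_prefix) == 1:
        return by_prefix[0]                  # unique prefix: the suffix is not consulted at all
    if not by_prefix:
        raise UserResolutionError(f"no user with sAMAccountName {prefix!r}")
    by_suffix = [u for u in by_prefix if u.domain.upper() == suffix]
    if len(by_suffix) == 1:
        return by_suffix[0]
    raise UserResolutionError(
        f"user resolution not possible for {kpn!r}: {len(by_suffix)} candidates after suffix match")


def resolve_or_none(kpn: str, users: List[UmeUser]) -> Optional[UmeUser]:
    """Turn a failed resolution into None, the case a login module reports as
    'User Resolution not possible'."""
    try:
        return resolve_prefix_based(kpn, users)
    except UserResolutionError:
        return None


# Constructed sample store: the same account name exists in two domains.
CONSTRUCTED_USERS = [
    UmeUser("USER.CORP.JDOE", "jdoe", "CORP.EXAMPLE.COM"),
    UmeUser("USER.DMZ.JDOE", "jdoe", "DMZ.EXAMPLE.COM"),
    UmeUser("USER.CORP.ASMITH", "asmith", "CORP.EXAMPLE.COM"),
]


if __name__ == "__main__":
    for kpn in ("asmith@CORP.EXAMPLE.COM", "jdoe@dmz.example.com",
                "jdoe@OTHER.EXAMPLE.COM", "nobody@CORP.EXAMPLE.COM"):
        hit = resolve_or_none(kpn, CONSTRUCTED_USERS)
        print(f"{kpn:28} -> {hit.unique_id if hit else 'User Resolution not possible'}")
```

Note what step 1 implies: whenever the prefix is unique, the realm in the ticket is not looked at; the suffix only breaks ties. In a landscape with several trusted domains (the multi-forest setups asked about in the comments) that is the behaviour to keep in mind when two domains could legitimately carry the same account name.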

The first thing I would do is select the “Create new” option in order to create a new template that can be used more flexibly (e.g. if you want to use SPNego with the Portal and Duet). So create a new template “spnego” (this is the default option anyway), and if you want to you can now deselect Enable Basic Password Fallback (but make sure that “Enable SSO with SAP Logon Ticket” *is* enabled).

And we are done.

Now restart the J2EE Engine.

Assign the template to the components

The final step is to assign the template you created to the login component you are using (for the Portal this is usually the ticket stack, for Duet it is the osp_TicketIssuerComponent):

Test it…

OK. If you are lucky 🙂 everything is fine. When you test your configuration, make sure to do this from another computer (not the server itself) and using the fully qualified domain name. If it is not working, then maybe my next blog will be of use.
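When the test fails, the single most useful thing to know is what the browser actually sent back after the engine's 401 Negotiate challenge. The comment thread below quotes the two typical outcomes: no Authorization header at all (“No authorization header received”) and a token the engine's ASN.1 TLVParser rejects. The following added example is my own code, not the blog's or SAP's. It decodes an Authorization header value and reports whether it carries a SPNEGO token leading with Kerberos, a SPNEGO token leading with NTLM (the client had no service ticket, typically because no SPN matches the name it used, which is exactly what the setspn step above is for), a bare NTLM blob, or something malformed. The sample headers at the end, the diagnosis strings and the helper names are all constructed for this example.

```python
"""Classify what a browser sent back in its Authorization header after a 401 Negotiate.
Added example (not code from the blog or from SAP); the sample headers at the bottom
are constructed here, not captured from any system."""
import base64, binascii
from typing import List, Optional, Tuple

# DER-encoded mechanism OIDs that show up in SPNEGO negotiations.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}


def read_der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, octets consumed); 0x80 (zero length octets) is not valid DER."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("zero length octets (indefinite form) are not allowed")
    if n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad or truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next position) for the DER element starting at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag")
    length, used = read_der_length(buf, pos + 1)
    start, end = pos + 1 + used, pos + 1 + used + length
    if end > len(buf):
        raise ValueError("element length exceeds token")
    return buf[pos], buf[start:end], end

def spnego_mech_types(token: bytes) -> List[str]:
    """InitialContextToken -> SPNEGO OID -> [0] negTokenInit -> SEQUENCE -> [0] mechTypes."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, neg_init, _ = read_tlv(body, pos)
    tag2, seq, _ = read_tlv(neg_init, 0)
    if tag != 0xA0 or tag2 != 0x30:
        raise ValueError("expected negTokenInit")
    tag, mech_types, _ = read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("negTokenInit without mechTypes")
    _, mech_seq, _ = read_tlv(mech_types, 0)          # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = read_tlv(mech_seq, pos)
        mechs.append(OID_NAMES.get(oid, oid.hex()))
    return mechs

def classify_authorization(header: Optional[str]) -> str:
    """Map an Authorization header value to a short diagnosis."""
    if not header or not header.strip():
        return "missing"              # the engine logs 'No authorization header received'
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"        # e.g. Basic: the browser never attempted SPNEGO
    try:
        token = base64.b64decode(encoded.strip(), validate=True)
    except binascii.Error:
        return "undecodable"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"             # bare NTLM without any GSS-API wrapper
    try:
        mechs = spnego_mech_types(token)
    except ValueError as exc:
        return f"malformed: {exc}"
    if mechs and mechs[0] in ("krb5", "ms-krb5"):
        return "spnego-kerberos"      # the optimistic mechToken is a Kerberos ticket
    if mechs and mechs[0] == "ntlmssp":
        return "spnego-ntlm"          # no ticket available, so the client led with NTLM
    return "spnego-other"

def der(tag: int, body: bytes) -> bytes:
    """Encode one short-form DER element (the constructed samples stay below 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_neg_token_init(mech_oids: List[bytes]) -> bytes:
    """Minimal SPNEGO negTokenInit that carries only the mechTypes list."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, mech_types)))

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample headers, one per outcome worth recognising.
SAMPLE_KERBEROS = "Negotiate " + _b64(build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]))
SAMPLE_NTLM_IN_SPNEGO = "Negotiate " + _b64(build_neg_token_init([NTLMSSP_OID]))
SAMPLE_RAW_NTLM = "Negotiate " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_BASIC = "Basic " + _b64(b"user:secret")
SAMPLE_BROKEN = "Negotiate " + _b64(b"\x60\x80")  # indefinite length right after the tag
```

Feed `classify_authorization` the header value taken from a browser trace or the engine's HTTP trace. A result of `spnego-ntlm` means the client never obtained a Kerberos service ticket for the name it used, so the SPN list and the host name used in the test are the first things to re-check; `missing` matches the engine's own “No authorization header received”.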

Stay tuned…


Update: In the meantime a lot of new ideas and updates are available. The most important one is the new SPNEGO Login Module. In addition to that there are several blogs in this series that cover the ABAP integration and other aspects of SPNego. A list of these blogs is given below:

Configuring and troubleshooting SPNego — Part 1
Configuring and troubleshooting SPNego — Part 2
Configuring and troubleshooting SPNego — Part 3
Configuring SPNego with ABAP datasource
Configuring SPNego with ABAP datasource — Part 2
SSO with SPNego not working on Windows 7 / Windows 2008 R2
Single Sign On to BSP pages from Duet’s Action Pane
Single Sign On to BSP pages
New SPNego login module – just around the corner
New SPNego Login Module

75 Comments

  1. Hari Krishna Panda
    Hi,

    I have 2 questions:

    1) Is it possible to configure SPNego where the portal UME is configured with a Sun Microsystems LDAP server?

    2) Currently we have implemented SPNego for our UK location. We want to implement it for the USA location also. Both UK and USA are in separate domains. Is it possible to set up SPNego for both locations with the same portal?

    Best Regards,
    Hari

    (0) 
      1. jorge velasquez
        Hi,

        I successfully configured SPNEGO in DEV; now I want to do it in QAS and PRD. Is there a problem if I add those URLs using setspn, so that setspn -L shows multiple URLs (dev, qas, prd)? Is this OK?

        Regards

        (0) 
  2. Annike Lemmle
    Hello Holger,

    great blog, really helped me to configure SPNego in a complex environment.

    I'd just like to mention connecting to the MS ADS Global Catalog, because this might be useful for others as well.

    To implement this, just use the Configtool and change the LDAP port from 389 to 3268 (if you’re using default ports – otherwise you should check it on the ADS). Execute the connection test and reboot the system after you have made your configuration.

    That’s it – now you can see the whole tree in Portal User Administration -> Identity Management.

    Kind regards,
    Annike

    (0) 
  3. Marc Lehmann
    Hi,

    SUN has revised the Kerberos implementation in JDK 1.4.2_14+ to make it (more) RFC4120 compliant. To make SpnegoLoginModule work with the SUN JDK 1.4.2_14+ you have to set the new JAAS property isInitiator to false.

    com.sun.security.jgss.accept
    {
            com.sun.security.auth.module.Krb5LoginModule required
            isInitiator=false
            debug=true
            useKeyTab=true
            useTicketCache=false
            storeKey=true
            principal="…"
            doNotPrompt=true
            refreshKrb5Config=true;
    };

    Best regards,
    Marc

    (0) 
      1. Hermann Hans
        http://java.sun.com/j2se/1.4.2/download.html

        He means any version greater than 1.4.2_13 (i.e.: 1.4.2_16 is the latest).

        Note 1057474 should be noted here, stating that the above versions will cause a NullPointerException within the KRB5LoginModule.

        However, this can be avoided by setting the parameter isInitiator = false within the com.sun.security.auth.module.Krb5LoginModule.

        Either way, great blog and I am really looking forward to the 3rd part!

        (0) 
        1. Holger Bruchelt Post author
          Hi Hermann,

          thanks for the clarification! I had mentioned Note 1057474 in the blog but I didn’t know about the workaround (isInitiator = false ).
          I will mention that in Part 3!

          Thanks,

          Holger.

          (0) 
          1. Erdal Şimşek
            Hi,

            I just wanted to add that J2SE 1.4.2_25 b02 is the one recommended by SAP – it contains some Kerberos-related fixes; please also refer to notes 716604 and 718901 for details.

            Best regards,

            Erdal Simsek

            (0) 
  4. Ariela Mara Fefer
    Hi Holger, excellent blog, such valuable help to me for performing this configuration.

    Actually the landscape is a multi-forest configuration in SAP EP: an internal domain for employees, and an external domain (in a DMZ) for external users and suppliers.

    Let me ask you a question: the configuration files that appear there say “readonly”; in my requirement, I need the user to be able to modify their password when it expires, controlled by policies originating in the Microsoft AD LDAP source.

    How do I do the same as indicated in the blog, but in a “writeable” way?
    Actually I am using this file:
    dataSourceConfiguration_ads_readonly_db_with_krb5.xml

    Is there a “writeable” version?

    (yesterday I posted this thread about the issue: /thread/725367 [original link is broken])

    thanks in advance!!
    regards
    Leandro

    (0) 
    1. Holger Bruchelt Post author
      Hi Leonardo,

      unfortunately there is no writeable version out-of-the-box, but you could easily create one. I have replied to your post. If you have problems with that, feel free to contact me.

      Regards,

      Holger.

      (0) 
  5. Parthi Shanmugam
    Thanks for the great blog.

    Is it possible to configure SPNego where the portal UME datasource is configured to use dataSourceConfiguration_abap.xml?

    Thanks again,
    Parthi

    (0) 
    1. Holger Bruchelt Post author
      Hi Parthi,

      yes, you can also configure SPNego with dataSourceConfiguration_abap.xml. Please use the video for SPNego_DB_datasource_Sun_JDK_x.zip attached to Note 994791 – SPNego Wizard as a first guiding point.
      You can also take a look at Configuring the UME when Using Non-ADS Data Sources (http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm) for some help.

      If you still have problems, please contact me directly and I will try to help you out.

      Regards,

      Holger.

      (0) 
      1. Mohammad Rashid Ali
        Dear Holger,

        I have followed your instructions in the blog and configured the same. But still when I logon, it asks for the password on the EP 7.0.

        We are using ABAP as the Datasource.

        Your help would be highly appreciated.

        Thanks,
        Mohammad.

        (0) 
          1. Mohammad Rashid Ali
            Dear Holger,

            I have run the diag tool and below is the major error which I feel is the show stopper.

            Couldn’t find user by attribute krb5principalname = alimr@NPIC.COM.SA
            13:41:34:852      Warning      Guest      ~n_Thread[impl:3]_20      ~on.loginmodule.spnego.SPNegoLoginModule      Authentication failed. Error during handshake. Check the trace file for details.
            13:41:34:852      Warning      Guest      ~n_Thread[impl:3]_20      ~on.loginmodule.spnego.SPNegoLoginModule      Error during handshake.
            [EXCEPTION]
            com.sap.security.core.server.jaas.spnego.SPNegoProtocolException: User Resolution not possible.

            Appreciate your help on this!

            Regards,
            Mohammad.

            (0) 
          2. Abdullah Al-Harbi
            Dear Holger,

            I have resolved the problem: I was not maintaining the krb5principalname for all the users. We have around 1000 users from the ABAP datasource; is there a way to populate this field automatically?

            Thanks,
            Mohammad.

            (0) 
  6. Golo Maichel
    Thanks for this great blog.

    We have installed Java SUN SDK 1.4.2_16 and we set the parameter “isInitiator=false” in com.sun.security.jgss.accept (Krb5LoginModule).
    It works fine now.

    Best regards
    Golo Maichel

    (0) 
  7. Jaish Singh

    Hello,

    I am trying to do SSO setup using the spnego wizard. I followed the blog at:

    Everything is set up correctly but I am getting the following error when I access the portal after the setup. Also now I am not able to login at all and got stuck.

    Any help would be great. I am using portal 7.0 with sp14 version.

    thanks
    Jaish

    Error Trace

    ----
    #1.5 #001DE04BAF67007300000026000016CC000450AA5CC0CA1C#1214592537140#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0##n/a##b2bc4f41447911ddb1cf001de04baf67#SAPEngine_Application_Threadimpl:3_6##0#0#Error##Java###Acquiring credentials for realm SJCAD02.DATADOMAIN.COM failed
    EXCEPTION
    #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)… 30 more

    (0) 
    1. Holger Bruchelt Post author
      …and one more thing. If you cannot figure this one out and simply want to log in to the portal again, start the Visual Administrator and change the login modules for the Ticket component (Security Provider) back to “EvaluateTicketLoginModule -> BasicPasswordLoginModule -> CreateTicketLoginModule”.

      Hope this helps,

      Holger.

      (0) 
  8. Chandrasen Tekchandani 
    Hello Holger,
    Your documentation is very interesting. Could you please advise whether you have some tips for maintaining this configuration, e.g whether changing the password of j2ee_admin, ldap user affect the operation of SPnego ?
    Thanks and regards,
    Elizabeth.
    (0) 
    1. Holger Bruchelt Post author
      Hi Elizabeth,

      the only password that you should be careful about is the password of the SPNego service user (the one that you created in the first step and where you set the encryption type to DES).
      Other than that you can change passwords as you like without affecting the SPNego configuration.

      Regards,

      Holger.

      (0) 
      1. Chandrasen Tekchandani 
        Hello Holger,

        Thank you for your reply. If I change the password of the SPNego service user, could you please advise whether I need to reconfig the SPNego from the beginning ?

        Many thanks in advance.

        Best regards,
        Elizabeth.

        (0) 
        1. Holger Bruchelt Post author
          Hi Elizabeth,

          just start the SPNego Wizard and click through. Most of the fields should be prefilled and you just have to enter the new password.
          By this the keytab file will get updated and everything should be fine again.

          Regards,

          Holger.

          (0) 
      2. Wei Liang Yew

        Hi Holger,

        Firstly, awesome blog! I’m attempting to set up authentication from the portal to multiple ADs (more than 5 ADs).

        Anyway, I’m wondering whether it is possible to set it up in a way where I have Kerberos but without the SSO.

        I’m also looking at the SPNegoDocumentation.pdf from sapnote 1488409, the procedure indicate to not check “Use DES encryption” for the service user account which is opposite of what you’ve done.

        Confused..

        (0) 
  9. Niyi Fadeyi
    Hello Holger,

    Thanks for the wonderful blog.

    I recently configured SSO using SPNEGO.

    The issue is that it works fine for most users, but it requests a LogonID and password when some users try to authenticate to the portal.

    Please, what do I do to rectify this?

    Thanks.

    NF

    (0) 
      1. Holger Bruchelt Post author
        That’s possible, but a Diagtrace would probably help and shed some light on why it is really failing. Then you could check the profile settings.

        Regards,

        Holger.

        (0) 
  10. Nur Liyana
    Hi Holger.

    I have a question to ask. When do I configure SPNego? Before I install the DUET Server Components or after installing the DUET Server Components?

    Thanks in advance.

    (0) 
    1. Holger Bruchelt Post author
      Hi Nur,

      the first part (up until “Assign the template to the components”) can (but does not have to) be done before you install Duet.
      Once you have installed Duet you can then assign the spnego template to the *osp_TicketIssuer.

      Hope this helps,

      Holger.

      (0) 
  11. Nur Liyana
    Hi Holger.

    I have followed the steps all the way till connecting to the UME. However, when I open the URL, I’m unable to do so. May I know what’s the possible cause? Thanks.

    (0) 
          1. Nur Liyana
            Hi Holger.

            I would like to check with you. I have created a user, “SPNego” at the Active Directory and the username I used when accessing the J2EE Engine is “Administrator”. So, when setting the SPN, is it correct when I enter setspn -A HTTP/serveripno Administrator?

            Thanks again in advance.

            (0) 
            1. Holger Bruchelt Post author
              Hi,

              for the setspn -A command you have to use the user that you used in “Create SPNego Service User” — so I guess this would be your user “SPNego”.
              So the command for you would be something like
              setspn -A HTTP/YourServerName SPNego
              Regards,
              Holger.

              (0) 
  12. Reza Ejesbo
    Hello Holger,

    Thanks for the wonderful blog.

    I recently configured SSO using SPNEGO.

    I have followed your instructions in the blog and configured the same. But still when I log on, it asks for the password on the EP 7.0.
    I am using JDK 1.4.2_13.
    I went through this weblog too: “Common SPNEGO Implementation Issues”.
    And everything is OK, but at the end I get this warning:
    “[Warning] Oct 2, 2008 2:40:44 PM     Unable to resolve host: pot
    [Info] Oct 2, 2008 2:40:44 PM     Please, enter J2EE host name ( not IP and not
    localhost )”
    I went through this weblog too (Configuring and troubleshooting SPNego — Part 3).

    Please, what do I do to rectify this?

    Thanks.

    Reza

    (0) 
      1. Reza Ejesbo
        Hello Holger.
        Output of the diagtool is too large to send here. But here is the part with my warnings.

        18:57:09:384 Warning Guest ~n_Thread[impl:3]_23 com.sap.security.core.util.SecurityAudit Guest | LOGIN.ERROR | null |  | Login Method=[default], UserID=[null], IP Address=[000.00.0.00], Reason=[No login module succeeded.]

        18:55:16:497 Warning Guest ~on_Thread[impl:3]_6 ~.core.server.jaas.spnego.asn1.TLVParser Length octets must contain values [0x01;0xFF]. Found 0

        getLoggedInUser
        [EXCEPTION]
        com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
        at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
        at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
        at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
        at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
        at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
        at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
        at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
        at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
        at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
        at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
        at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
        at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
        at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
        Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
        at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
        … 41 more

        ERROR: HTTP request was not successful. Returned code is: 200
        I hope you can help me.
        Thanks.

        (0) 
          1. Mohammed iqbal
            Hi Holger,

            Firstly, thanks for the blog, it helped me a lot. I have this issue that a few users are asked for a password when logging on to the portal. I ran the diagtool and the security tool and I have the following output; kindly have a look and let me know the course of action. Thanks for your valuable time and effort:

            <!--LOGHEADER[START]/-->

            #1.5 #001CC4E1D266004700000003000008A40004519594A8AA5D#1215602792898#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000005000008A40004519594A8C694#1215602792914#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000008000008A40004519594A94CCF#1215602792945#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000000B000008A40004519594A33C50#1215602792961#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000000E000008A40004519594A37E42#1215602792992#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000011000008A40004519594AA34BF#1215602793007#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000014000008A40004519594AAC3E4#1215602793039#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000017000008A40004519594A4D26F#1215602793070#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000001A000008A40004519594A52F46#1215602793101#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000001D000008A40004519594A57F54#1215602793117#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000020000008A40004519594A5CCEC#1215602793132#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000023000008A40004519594A61829#1215602793148#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000026000008A40004519594A65441#1215602793179#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000029000008A40004519594A6AE6B#1215602793195#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000003C000008A40004519594AF050C#1215602793320#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000003F000008A40004519594AA03F7#1215602793414#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000043000008A40004519594AB8CFB#1215602793507#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004700000047000008A40004519594AD0BDA#1215602793617#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D26600470000004C000008A40004519594B9FE2E#1215602794460#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
            #1.5 #001CC4E1D266004800000000000008A40004519594F9270B#1215602798601#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#6##n/a##e57d9f904da911dd80f6001cc4e1d266#Thread[Config JMS Thread,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authoriz

            Few more lines after that.

            Kindly let me know how to proceed.

            Regards,
            Mohammed

            (0) 
            1. Holger Bruchelt Post author
              Hi Mohammed,

              unfortunately the output does not contain too much useful information.
              Feel free to send me an email with the complete log.

              Regards,

              Holger.

              (0) 
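The log lines quoted in the comment above are SAP J2EE records with `#`-separated fields, and it helps to have a small parser that renders the message template (`{0}`, `{1}`, `{2}`) with its arguments and counts the repeated audit failures per user and role. The following Python is an added example, not code from the blog or from SAP: the field positions are assumptions read off the sample lines in the comment (SAP's log formatter is configurable, so check them against your own layout), and the sample records are constructed here with shortened GUIDs, the last one deliberately truncated like the final line in the comment.

```python
"""Parse SAP J2EE '#'-delimited log records and summarise authorization failures.

Added example, not code from the blog or from SAP. Field positions are assumptions
read off the sample lines in the comment above, not taken from SAP documentation.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the same layout as the comment's log (GUIDs shortened).
# The last record is deliberately truncated, like the final line in the comment.
SAMPLE_LOG = """\
#1.5 #001CC4E1D26600470000001D#1215602793117#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
#1.5 #001CC4E1D266004700000020#1215602793132#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
#1.5 #001CC4E1D266004700000023#1215602793148#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
#1.5 #001CC4E1D266004800000000#1215602798601#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#6##n/a##e57d9f904da911dd80f6001cc4e1d266#Thread[Config JMS Thread,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authoriz
"""


def parse_record(line):
    """Return a dict for one log record, or None if the line is incomplete."""
    parts = line.strip().split("#")
    if parts and parts[0] == "":       # a record starts with '#'
        parts = parts[1:]
    if parts and parts[-1] == "":      # a complete record ends with '#'
        parts = parts[:-1]
    # Locate the message template ("{0}: ...") instead of trusting a fixed index;
    # the fields after it are the argument count, then that many argument values.
    template_idx = next((i for i, p in enumerate(parts) if "{0}" in p), None)
    if template_idx is None or template_idx + 1 >= len(parts):
        return None
    try:
        nargs = int(parts[template_idx + 1])
    except ValueError:
        return None
    args = parts[template_idx + 2: template_idx + 2 + nargs]
    if len(args) != nargs:
        return None
    message = parts[template_idx]
    for k, value in enumerate(args):
        message = message.replace("{%d}" % k, value)
    return {
        "timestamp": datetime.fromtimestamp(int(parts[2]) / 1000, tz=timezone.utc),
        "category": parts[3],
        "application": parts[4],
        "user": parts[6],          # 'Guest' means the caller was not authenticated
        "session": parts[11],
        "thread": parts[12],
        "severity": parts[16],
        "args": args,
        "message": message,
    }


def parse_records(text):
    """Parse every line; incomplete records are dropped rather than mis-read."""
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]


def summarise_failures(text):
    """Count ACCESS.ERROR audit records per (user, application, role).

    Many failures with user 'Guest' show that the request reached the role
    check without an authenticated principal, i.e. the SPNego handshake had
    not produced a logged-on user by then.
    """
    counts = Counter()
    for rec in parse_records(text):
        if rec["severity"] == "Error" and rec["args"] and rec["args"][0] == "ACCESS.ERROR":
            counts[(rec["user"], rec["args"][1], rec["args"][2])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise_failures(SAMPLE_LOG).items():
        print("%d x user=%s app=%s role=%s" % (n, *key))
```

Run it against a complete `defaultTrace` or security audit log by replacing `SAMPLE_LOG` with the file's contents; records whose message itself contains a `#` would need a smarter split than the one used here.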
  13. Basis Ad
    Just want to ask if Part I and II apply for dual stack also?
    In the note of the SPNego wizard, what does the mentioned .zip apply for? (What are the ADS and DB for, and to whom does it apply?)
    (0) 
  14. Tom Benjamin
    Hi Holger,

    At the end of Part 1 you mention testing from another computer – and not the server. I’ve got my SPNego based single sign-on working, but I cannot log on to my Portal on the server, which would come in handy. I’ve also found that SAP Support cannot log on with an HTTP connection. Is there a way of adjusting the configuration so it does allow that? My server is Windows 2003 x64 with Sun JDK 1.4.2_17-x64.

    Thanks,
    Tom

    (0) 
    1. Holger Bruchelt Post author
      Hi Tom,

      the issue here is that the [ticket] component is now configured to use SPNego which does not work from the server.
      So the idea would be to use a different component to redirect to your login page. Do you know my blog Single Sign On to BSP pages from Duet’s Action Pane?
      You could use this simple redirect (which would then be configured [unlike in the blog] for basic authentication) to authenticate with your admin user and you would simply redirect to /irj.
      Contact me if you need any help on that.

      Holger.

      (0) 
  15. Brian McQuillan
    Hi Holger,

    your series on SPNego is excellent.

    I have a question on what would be required when performing an SAP EP 7.0 Portal system migration to new hardware. The existing Portal is configured using SPNego to authenticate Windows based client logon using ADS LDAP lookup on the Portal UME.

    What post migration steps would be required – additional Service Principal Name entries added to the service user that was originally created on the DC server for the new J2EE hosts that the system is being migrated to?

    Can the original key file stored in the filesystem be copied to the new hardware ?

    This is a standard system copy using SAP’s R3load method for export/import to the new servers.

    The DNS domain will not change – only the J2EE hostnames, servera.unix.company.com will become serverb.unix.company.com.

    Hopefully there is little needed to quickly enable the SPNego authentication to work properly after the system move.

    Regards,

    Brian.

    (0) 
    1. Brian McQuillan
      Hi Holger,

      many thanks for your swift response. I will be doing the copy in the next week or so. I’ll let you know how I get on.

      Regards,

      Brian.

      (0) 
  16. Nirmal sivakumar
    Hi,

    Excellent blog. I have gone through all the steps in your blog but I could not locate dataSourceConfiguration_ads_readonly_db_with_krb5.xml in Note 994791. I downloaded all the zip files in the Note but none of them has a data source config file in it.
    Kindly help.

    Regards,
    Nirmal Sivakumar G

    (0) 
    1. Holger Bruchelt Post author
      Hi,

      please check the attachment SPNegoWizard_640.zip available in Note 994791 – SPNego-Assistent. Included in the ZIP file is dataSourceConfiguration_ads_readonly_db_with_krb5.xml

      Regards,

      Holger.

      (0) 
  17. Fethi YILMAZ
    Hi,
    thank you, this document is prepared wonderfully. I wonder about one thing: is AD 2008 & portal integration possible? I didn’t find this information anywhere.

    thanks.

    (0) 
    1. Holger Bruchelt Post author
      Hi,

      thanks. Yes, AD 2008 is supported. Just take a look at this Note: https://service.sap.com/sap/support/notes/983808 and from there, you can search via http://www.sap.com/ecosystem/customers/directories/SoftwareISVSolutions.epx and will find http://www.sap.com/ecosystem/customers/directories/SoftwareISVSolutions.epx?context=21B87D61C0F646A22B2A6DB254A010CA8C9C141B7529F029F515B7F49325E097605E236313F854A01816911FBE869FE308CD168F5D975B09CCB1744511ACD15074B0D60E868C0E712D85742AA3CD1E0E|1E590255B6BBF9C22F03118928C387FA5EF256BECE901153

      However, depending on which DC you are using, you might have issues with DES encryption (see SSO with SPNego not working on Windows 7 / Windows 2008 R2).
      Because of that I would recommend to use the latest SPNEGOLoginModule (New SPNego login module – just around the corner).

      Regards,

      Holger.

      (0) 
  18. Shirish Joshi

    Hi Holger,
    Do you have a procedure that we need to follow after a system copy so that SSO with the AD starts working? I had a sandbox system hostname http://sandbox.ae which was overwritten by our training system http://training.ae. SSO was working fine on the sandbox system before the system copy. After the system copy it has stopped working. I have run the SPNego wizard multiple times. However it still gives me errors.
    Can you elaborate on the keytab files? Do they need to be recreated? How is this done?
    What checks can I run on the AD to make sure the principal has been created properly?
    Here is the error section of my diagtool output…
    regards
    shirish joshi

    12:29:41:157 Debug Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Looking for credentials for realm EMAL.DOMAIN
    12:29:41:158 Debug Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Looking for credentials for HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN in {}
    12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Acquiring credentials for GSS name HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN
    12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS name type is: 1
    12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS name type 1 is :1.2.840.113554.1.2.1.1
    12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS mechanism is: 1.2.840.113554.1.2.2
    12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Name is not canonicalized for mech 1.2.840.113554.1.2.2, creating mech name
    12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out getFactory: index = 0 found factory
    12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Name cannonicalization complete, resulting name string=HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN
    12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Creating mech cred for HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN, mech 1.2.840.113554.1.2.2, usage accept only
    12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out getFactory: index = 0 found factory
    12:29:41:160 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Obtaining creds from keytab for service HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN
    12:29:41:160 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out KeyTab:SAPEngine_Application_Thread[impl:3]_10: >>> KeyTab: file not found keytab

    (0) 
    1. Holger Bruchelt Post author
      Hi,

      is the system copy still on the same server? If not, then you have to create another Service Principal Name entry for the service user (see setspn -A … mentioned in the blog).
      After adding the new SPN, run the Wizard again and see what happens 🙂

      Regards,

      Holger.

      (0) 
      1. Shirish Joshi
        will do, the only question being can we have more than one service entry for a single user?
        which means can I run
        setspn -A http/blahblah.ae aduser
        setspn -A http/wahwah.ae aduser

        I had read somewhere that the principal should be unique? or is that for blahblah.ae which should have only 1 principal, but 1 AD user can have many http/1.ae http/2.ae

        Apologies if I am asking really basic questions but this does have me confused…

        Regards
        Shirish Joshi

        (0) 
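Several comments above turn on the keytab: Brian asks in comment 15 whether the key file can be copied to new hardware, Shirish's diagtool trace in comment 18 shows the login module looking for `HTTP/host@REALM` in the keytab (and failing because the file is not found), and Holger's reply to comment 17 mentions DES problems with newer domain controllers. Once the file is in place, the useful check is whether it actually holds the SPN the module looks for, at which key version, and with which encryption types. The following Python is an added example, not code from the blog or from SAP: it reads the MIT keytab format version 2 (0x0502) that ktab and ktpass write, and the keytab it audits is constructed in the script with random key bytes and placeholder host and realm names, so it contains no real secret.

```python
"""Inspect a Kerberos keytab offline: which principals it holds and which
encryption types their keys use.

Added example, not code from the blog or from SAP. Reads MIT keytab format
version 2; the keytab audited below is constructed here with random keys and
placeholder names.
"""
import os
import struct

# Kerberos encryption type numbers (RFC 3961 registry). Single DES and RC4
# are the types newer domain controllers disable by default.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}
NT_PRINCIPAL = 1


def _counted(data):
    """16-bit big-endian length prefix followed by the bytes (keytab 'counted_octet_string')."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries):
    """entries: iterable of (principal 'svc/host@REALM', kvno, enctype, key bytes)."""
    out = bytearray(b"\x05\x02")                      # format version 2
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp (0 in this constructed file), 8-bit kvno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)               # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return a list of {principal, kvno, enctype, enctype_name, key_len} dicts."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                  # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        if end - pos >= 4:                            # 32-bit kvno wins when present and non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_len": len(key),
        })
    return entries


def audit_keytab(blob, expected_principal):
    """Is the SPN the login module will look for present, and which of its keys are weak?"""
    matching = [e for e in parse_keytab(blob) if e["principal"] == expected_principal]
    return {
        "found": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "enctypes": sorted(e["enctype_name"] for e in matching),
        "weak": sorted(e["enctype_name"] for e in matching if e["enctype"] in WEAK_ENCTYPES),
    }


# Constructed keytab: one DES key and one AES key for the portal's HTTP SPN.
# Hostname and realm are placeholders; the keys are random bytes.
SPN = "HTTP/portal.example.internal@EXAMPLE.INTERNAL"
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 3, os.urandom(8)), (SPN, 3, 18, os.urandom(32))])

if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KEYTAB, SPN))
    print(audit_keytab(SAMPLE_KEYTAB, "HTTP/other.example.internal@EXAMPLE.INTERNAL"))
```

To audit a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()` and `SPN` with the exact `HTTP/host@REALM` string the spnego trace prints; a mismatch in host name (after a system copy to a new host) or realm case, a key version older than the account's current one, or only DES keys on a domain controller that has DES disabled all show up here before the login module is involved.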
  19. Bocaj GP

    Hello Holger,

    Excellent blog. I really appreciate the effort and interest you have put in.

    We are going to implement SSO on Portal with Windows AD . Our Windows AD is 2008 R2.

    The only pre-requisite you have mentioned is to create a service user with password not expiring and enable the DES algorithm.

    Is there any other function to be active at the Windows AD level? Is Kerberos authentication etc. active by default? I am not a Windows expert and not sure if it comes with Windows.

    Thanks and Kind Regards,

    Jacob

    (0) 
    1. Holger Bruchelt Post author

      Hi,

      the steps outlined in this blog are all based on the “old” SPNego login module.

      I would recommend, that you also take a look at the PDF attached to Note 1457499 (inside the ZIP files).

      This blog talks a little about it: the PDF attached to Note 1457499 (inside the ZIP files)?

      Regards,

      Holger.

      (0) 
  20. Jawad Hasan

    Dear Holger,

    I am desperately in need of your help. I am trying to implement SPNego SSO with ABAP datasource by following your blog but I am struggling for two weeks without any success. I am getting a checksum error, token cannot be validated. It’s really getting critical for me as we are approaching go live and we are not getting any help from SAP. I would really appreciate your help in this and please tell me if I can contact you by any chance.

    Really really appreciate your help !!

    (0) 
    1. Holger Bruchelt Post author

      Dear Jawad,

      did you check the Note 1488409? It has some pretty good documentation and walkthroughs included.

      The blog above (and the related ones Part 1 Part 2) are for the “legacy SPNego” implementation. With newer releases the wizard and connectivity changed a little and made it even simpler.

      Regards,

      Holger.

      (0) 
  21. Ashish Kasat

    Hello Holger,

    Request your suggestion/assistance on the SPNego issue below.

    Old AS JAVA version was NW7.01 SP6

    New AS JAVA version was NW7.01 SP18
    We performed JAVA SP patching so that we can upgrade our DB2 database to 10.5 version.

    During patching, we had to undeploy sap.com~spnego.cfg.wd as per SAP note#1643003.

    SSO with SPNego(UME is AS ABAP) was configured and working earlier, but after SP patching SSO is not working.

    Please suggest if I have to install SPNego addon separately as per SAP note#1457499 or do I have to generate new keytab for this.
    Thanks,

    Ashish
    (0) 