Configuring and troubleshooting SPNego — Part 1
— UPDATE —
A new SPNEGO LoginModule is now available. Please see New SPNego login module – just around the corner, which refers to the new module, Note 1457499 – SPNego add-on.
In the last few weeks I have been asked by several customers, and here on SDN, about configuring and troubleshooting the SPNego login module for the J2EE Engine. So I decided to write my first blog. Since there are already several blogs available that deal with setting up SPNego, I am planning to write at least three parts about SPNego:
- the first part is about the configuration of SPNego and some general tips (this has been covered some time ago, but I think it belongs in a complete troubleshooting series)
- the second part deals with common problems and some tools to figure out what went wrong
- the third part deals with more detailed troubleshooting, which you might find helpful if you were not able to solve the problem with the tools from part two
Even if you are not able to solve the problem with these three blogs, I hope to shed some light on what is going on. And the logs and information you collect here will most certainly help speed up the processing of any support messages you might have to create.
Documentation
First of all, let me say that I think the documentation about the SPNego login module is rather good. I have been working on SPNego ever since it was first developed for a customer project at SAP. The documentation you can find on help.sap.com dates from that time (updated since then, of course).
But for several months now the SPNego Wizard has been available, which makes configuring SPNego much easier. Instead of working on several sections in the Visual Admin, on files with a text editor and so on, you can use a simple web-based wizard and are (hopefully) done within about 30 minutes. I would always recommend using the wizard, and that is what this first part is all about. Of course it is not always that simple: I had plenty of installations where something did not work right away, and then you have to troubleshoot.
SPNego Wizard
Take a look at Note 994791 – SPNego Wizard.
Here you can download the SPNego Wizard (if it is not already contained in your J2EE installation). There is also a ZIP file, which I strongly recommend, containing videos about the installation. The video is fast, but with the help of the pause button of your video player you can see everything you need to know. Also contained in the ZIP file are a PDF document and sample dataSourceConfiguration files that you can use to configure your UME to connect to your LDAP directory.
[If you are using the Sun JDK for your J2EE engine, please make sure that you are using JDK 1.4.2_13 and not _14, _15 or _16. Unfortunately all these versions contain a bug that prevents Kerberos from working; see Note 1057474 – NullPointerException in KRB5LoginModule]
Create SPNego Service User
The first step is to configure a service user in your LDAP directory. For my screenshots I used a J2EE engine that I will attach to a Microsoft ADS.
Create a user in the ADS and make sure that the properties
* Password never expires
* Use DES encryption types for this account
are set.
Now set the service principal names (SPNs) for this user. An SPN has to be registered for every URL / DNS alias you are going to use to access the J2EE Engine, and of course the fully qualified computer name has to be registered as well. Simply repeat the step
setspn -A HTTP/servername username
for each URL. You can do a quick check via setspn -L username to see if your settings were successful (all entered SPNs should be returned).
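To make the "all entered SPNs should be returned" check repeatable, here is an added example (not from the blog or from SAP) that builds the HTTP/<host> SPNs required for every URL, alias and the fully qualified computer name, parses the output of setspn -L, and prints the setspn -A commands for anything still missing. The account name, host names and the setspn -L output text are constructed for this example, and the "Registered ServicePrincipalNames for <DN>:" header is assumed to be the format setspn -L prints.

```python
"""Verify the SPN registration step from the blog (added example)."""


def required_spns(hostnames):
    """Map lower-cased SPN -> SPN as it should be registered (HTTP/<host>)."""
    spns = {}
    for host in hostnames:
        host = host.strip()
        if host:
            spns["http/" + host.lower()] = "HTTP/" + host
    return spns


def parse_setspn_output(text):
    """Return the set of SPNs (lower-cased) listed by `setspn -L`.

    The header line naming the account's DN and blank lines are skipped;
    every remaining line is expected to be one SPN of the form class/host.
    Comparison is case-insensitive because SPN matching in AD is too.
    """
    found = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.lower().startswith("registered serviceprincipalnames"):
            continue
        if "/" in entry:
            found.add(entry.lower())
    return found


def missing_spns(hostnames, setspn_output):
    """SPNs from the required list that setspn -L did not report, sorted."""
    required = required_spns(hostnames)
    present = parse_setspn_output(setspn_output)
    return sorted(required[key] for key in required if key not in present)


def registration_commands(service_user, hostnames, setspn_output):
    """The `setspn -A HTTP/<host> <user>` lines needed to close the gap."""
    return ["setspn -A %s %s" % (spn, service_user)
            for spn in missing_spns(hostnames, setspn_output)]


# Constructed sample: every name the J2EE Engine will be reached under.
ALIASES = ["portal.example.com", "portal", "j2eehost01.example.com"]

# Constructed sample of `setspn -L spnego-svc` output in which the fully
# qualified computer name was forgotten.
SAMPLE_OUTPUT = """Registered ServicePrincipalNames for CN=spnego-svc,CN=Users,DC=example,DC=com:
        HTTP/portal.example.com
        HTTP/portal
"""

if __name__ == "__main__":
    for cmd in registration_commands("spnego-svc", ALIASES, SAMPLE_OUTPUT):
        print(cmd)
```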
Connect the UME
Then you have to connect the user management engine (UME) of the J2EE engine to the ADS. In order to do this, upload the dataSourceConfiguration file attached to the Note via the configtool [click on Browse, select the file and click on Upload]:
Then select it from the drop down list and enter all the data required.
Now you can click on Browse to select the User and the Group path where your users and groups are stored in the LDAP directory:
Make sure to test the connection and the authentication.
After that restart the J2EE Engine.
Run the wizard
Now you are all set to start the SPNego Wizard. Simply open the URL http://servername:port/spnego
The first screen is just to remind you of what you have to do as a prerequisite.
Now you have to tell the wizard something about your Kerberos setup and the LDAP attached.
(you can use either Enter Principal or Retrieve Principal. Both options should work just fine)
In the next step you tell the wizard how the lookup will work. The J2EE Engine receives the Kerberos ticket, which usually contains the SAMAccountName and the domain. So in order to find the user in the UME, the best way is to split the name and first search for the first part (kerbprefix, e.g. SAMAccountName); only if the result is not unique is the second part (KPN suffix, the domain name) used as well. Of course you can also try the other options, simple and basic, but I would go with prefixbased first.
The first thing I would do is select the “Create new” option in order to create a new template that can be used more flexibly (e.g. if you want to use SPNego with the Portal and Duet). So create a new template “spnego” (this is the default option anyway), and if you want to you can now deselect Enable Basic Password Fallback (but make sure that “Enable SSO with SAP Logon Ticket” *is* enabled).
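The prefix-based lookup described above, as an added example that is not SAP's code: the Kerberos principal name from the ticket is split into prefix and suffix, the directory is searched by prefix, and the suffix is only consulted when the same account name exists in more than one domain (the UK / USA situation raised in the comments). The in-memory directory, its attribute names and the sample users are constructed for this example.

```python
"""Prefix-based user resolution as the blog describes it (added example)."""


class ResolutionError(Exception):
    """No single UME user could be identified for the given KPN."""


def split_kpn(kpn):
    """Split 'user@REALM' into (prefix, SUFFIX); the realm is upper-cased."""
    if "@" not in kpn:
        raise ResolutionError("not a Kerberos principal name: %r" % kpn)
    prefix, suffix = kpn.rsplit("@", 1)
    if not prefix or not suffix:
        raise ResolutionError("empty prefix or suffix in %r" % kpn)
    return prefix, suffix.upper()


def resolve_prefix_based(kpn, directory):
    """Return the unique directory entry for a KPN or raise ResolutionError.

    `directory` is a list of dicts with 'uid' (the prefix attribute, e.g.
    SAMAccountName) and 'domain' (the suffix attribute). As in the blog, a
    unique prefix hit is accepted without comparing the suffix; the suffix
    is only consulted when the same uid exists in more than one domain.
    """
    prefix, suffix = split_kpn(kpn)
    by_prefix = [u for u in directory if u["uid"].lower() == prefix.lower()]
    if len(by_prefix) == 1:
        return by_prefix[0]
    if not by_prefix:
        raise ResolutionError("no user with prefix %r" % prefix)
    by_suffix = [u for u in by_prefix if u["domain"].upper() == suffix]
    if len(by_suffix) == 1:
        return by_suffix[0]
    raise ResolutionError("user resolution not possible for %r: %d candidates"
                          % (kpn, len(by_suffix)))


def resolve_or_none(kpn, directory):
    """Convenience wrapper: the matched entry, or None when resolution fails."""
    try:
        return resolve_prefix_based(kpn, directory)
    except ResolutionError:
        return None


# Constructed sample: two domains that both contain a user "jsmith", and
# one user ("hari") that exists only in the UK domain.
DIRECTORY = [
    {"uid": "hari", "domain": "UK.EXAMPLE.COM",
     "dn": "CN=Hari,OU=UK,DC=example,DC=com"},
    {"uid": "jsmith", "domain": "UK.EXAMPLE.COM",
     "dn": "CN=J Smith,OU=UK,DC=example,DC=com"},
    {"uid": "jsmith", "domain": "US.EXAMPLE.COM",
     "dn": "CN=J Smith,OU=US,DC=example,DC=com"},
]

if __name__ == "__main__":
    for kpn in ["hari@UK.EXAMPLE.COM", "jsmith@US.EXAMPLE.COM",
                "jsmith@DE.EXAMPLE.COM", "nobody@UK.EXAMPLE.COM"]:
        hit = resolve_or_none(kpn, DIRECTORY)
        print(kpn, "->", hit["dn"] if hit else "User Resolution not possible")
```

The last two sample principals are the cases that end in the "User Resolution not possible" error seen later in the comments: a prefix that exists in several domains but with a suffix that matches none, and a prefix that does not exist at all.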
And we are done.
Now restart the J2EE Engine.
Assign the template to the components
The final step is to assign the template you created to the login component you are using (for the Portal this is usually the ticket stack, for Duet it is the osp_TicketIssuerComponent):
Test it…
OK. If you are lucky 🙂 everything is fine. When you test your configuration, make sure to do this from another computer (not the server) and using the fully qualified domain name. If it is not working, then maybe my next blog will be of use.
Stay tuned…
Update: In the meantime a lot of new ideas and updates are available. The most important one is the new SPNEGO Login Module. In addition, there are several blogs in this series that cover the ABAP integration and other aspects regarding SPNego. A list of these blogs is outlined below:
Configuring and troubleshooting SPNego — Part 1
Configuring and troubleshooting SPNego — Part 2
Configuring and troubleshooting SPNego — Part 3
Configuring SPNego with ABAP datasource
Configuring SPNego with ABAP datasource — Part 2
SSO with SPNego not working on Windows 7 / Windows 2008 R2
Single Sign On to BSP pages from Duet’s Action Pane
Single Sign On to BSP pages
New SPNego login module – just around the corner
New SPNego Login Module
I have 2 questions:
1) Is it possible to configure SPNego where the portal UME is configured with a Sun Microsystems LDAP server?
2) Currently we have implemented SPNego for our UK location. We want to implement it for the USA location also. Both UK and USA are in separate domains. Is it possible to set up SPNego for both locations with the same portal?
Best Regards,
Hari
both should be possible:
For your first question, please have a look at http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm (also in Note 994791 there is an example for Sun LDAP).
The same is true for your second question: please have a look at Note 994791 and the two files SPNego_multiple_ADS_Sun_JDK_1.zip
Hope this helps,
Holger.
I configured SPNEGO successfully in DEV; now I want to do it in QAS and PRD. Is there a problem if I add those URLs using setspn, so that setspn -L shows multiple URLs (dev, qas, prd)... Is this ok?
Regards
as long as the SPNs are unique to one user you should be fine with your approach.
Regards,
Holger.
great blog, really helped me to configure SPNego in a complex environment.
I'd just like to mention a connection to the MS ADS Global Catalog, because this might be useful for others as well.
To implement this, just use the Configtool and change the LDAP port from 389 to 3268 (if you're using default ports - otherwise you should check it on the ADS). Execute the connection test and reboot the system after you have made your configuration.
That's it - now you can see the whole tree in Portal User Administration -> Identity Management.
Kind regards,
Annike
SUN has revised the Kerberos implementation in JDK 1.4.2_14+ to make it (more) RFC4120 compliant. To make SpnegoLoginModule work with the SUN JDK 1.4.2_14+ you have to set the new JAAS property isInitiator to false.
com.sun.security.jgss.accept
{
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false
debug=true
useKeyTab=true
useTicketCache=false
storeKey=true
principal="..."
doNotPrompt=true
refreshKrb5Config=true;
};
Best regards,
Marc
thanks a lot for this information. Can you tell me where I can download 1.4.2_14+?
Regards,
Holger.
He means any version greater than 1.4.2_13 (i.e.: 1.4.2_16 is the latest).
Note 1057474 should be noted here, stating that the above versions will cause a NullPointerException within the KRB5LoginModule.
However, this can be avoided by setting the parameter isInitiator = false within the com.sun.security.auth.module.Krb5LoginModule.
Either way, great blog and I am really looking forward to the 3rd part!
thanks for the clarification! I had mentioned Note 1057474 in the blog but I didn't know about the workaround (isInitiator = false ).
I will mention that in Part 3!
Thanks,
Holger.
I just wanted to add that J2SE 1.4.2_25 b02 is the recommended one from SAP - it contains some Kerberos related fixes; please also refer to Notes 716604 and 718901 for details.
Best regards,
Erdal Simsek
Actually the landscape is a multi-forest configuration in SAP EP: an internal domain for employees, and an external domain (in a DMZ) for external users and suppliers.
Let me ask you a question: the configuration files that appear there say "readonly"; in my requirement, I need the user to be able to modify their password when it expires, controlled by policies originating in the Microsoft AD LDAP source.
How do I do the same as indicated in the blog, but in a "writeable" way?
Actually I am using this file:
dataSourceConfiguration_ads_readonly_db_with_krb5.xml
Is there a "writeable" version?
(yesterday a post this thread: /thread/725367 [original link is broken] about the issue)
thanks in advance!!
regards
Leandro
unfortunately there is no writeable version out-of-the-box, but you could easily create one. I have replied to your post. If you have problems with that, feel free to contact me.
Regards,
Holger.
Is it possible to configure SPNego where the portal UME datasource is configured to use dataSourceConfiguration_abap.xml?
Thanks again,
Parthi
yes, you can also configure SPNego with dataSourceConfiguration_abap.xml. Please use the video for SPNego_DB_datasource_Sun_JDK_x.zip attached to Note 994791 - SPNego Wizard as a first guiding point.
You can also take a look at Configuring the UME when Using Non-ADS Data Sources (http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm) for some help.
If you still have problems, please contact me directly and I will try to help you out.
Regards,
Holger.
I have followed your instructions in the blog and configured the same. But still, when I log on, it asks for the password on the EP 7.0.
We are using ABAP as the datasource.
Your help would be highly appreciated.
Thanks,
Mohammad.
did you try the third blog (Configuring and troubleshooting SPNego -- Part 3) and analyse the situation with the Web Diag tool?
Give it a try and send me an email if you have problems.
Regards,
Holger.
I have run the diag tool and below is the major error which I feel is the show stopper.
Couldn't find user by attribute krb5principalname = alimr@NPIC.COM.SA
13:41:34:852 Warning Guest ~n_Thread[impl:3]_20 ~on.loginmodule.spnego.SPNegoLoginModule Authentication failed. Error during handshake. Check the trace file for details.
13:41:34:852 Warning Guest ~n_Thread[impl:3]_20 ~on.loginmodule.spnego.SPNegoLoginModule Error during handshake.
[EXCEPTION]
com.sap.security.core.server.jaas.spnego.SPNegoProtocolException: User Resolution not possible.
Appreciate your help on this!
Regards,
Mohammad.
Eric
I have resolved the problem; it was that I was not maintaining the krb5principalname for all the users. We have around 1000 users from the ABAP datasource; is there a way to populate this field automatically?
Thanks,
Mohammad.
just a quick update. I have created a new blog (Configuring SPNego with ABAP datasource) dealing with SPNego and the ABAP datasource.
Regards,
Holger.
We have installed Java SUN SDK 1.4.2_16 and we set the parameter "isInitiator=false" in com.sun.security.jgss.accept (Krb5LoginModule).
It works fine now.
Best regards
Golo Maichel
Hello,
I am trying to do the SSO setup using the SPNego wizard. I followed the blog at:
Everything is set up correctly but I am getting the following error when I access the portal after the setup. Also now I am not able to login at all and got stuck.
Any help would be great. I am using portal 7.0 with SP14.
thanks
Jaish
Error Trace
----
#1.5 #001DE04BAF67007300000026000016CC000450AA5CC0CA1C#1214592537140#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0##n/a##b2bc4f41447911ddb1cf001de04baf67#SAPEngine_Application_Threadimpl:3_6##0#0#Error##Java###Acquiring credentials for realm SJCAD02.DATADOMAIN.COM failed
EXCEPTION
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)... 30 more
can you take a look at Blog 3 in the series (Configuring and troubleshooting SPNego -- Part 3). There is also one section which deals with the "Acquiring credentials for realm failed" error. Maybe this will help!
Holger.
Your documentation is very interesting. Could you please advise whether you have some tips for maintaining this configuration, e.g whether changing the password of j2ee_admin, ldap user affect the operation of SPnego ?
Thanks and regards,
Elizabeth.
the only password that you should be careful about is the password of the SPNego service user (the one that you created in the first step and where you set the encryption type to DES).
Other than that you can change passwords as you like without affecting the SPNego configuration.
Regards,
Holger.
Thank you for your reply. If I change the password of the SPNego service user, could you please advise whether I need to reconfig the SPNego from the beginning ?
Many thanks in advance.
Best regards,
Elizabeth.
just start the SPNego Wizard and click through. Most of the fields should be prefilled and you just have to enter the new password.
By this the keytab file will get updated and everything should be fine again.
Regards,
Holger.
Thank you very much for your help.
Unfortunately, in my case, I have to recreate the users with new password. I am not sure what is wrong.
Best regards,
Elizabeth.
Hi Holger,
Firstly, awesome blog! I'm attempting to set up authentication from the portal to multiple ADs (more than 5 ADs).
Anyway, I'm wondering is it possible to set up in a way where I have kerberos but without the SSO.
I'm also looking at the SPNegoDocumentation.pdf from sapnote 1488409, the procedure indicate to not check "Use DES encryption" for the service user account which is opposite of what you've done.
Confused..
Thanks for the wonderful blog.
I recently configured SSO using SPNEGO.
The issue is that it works fine for most users but it request for LogonID and Password when some users try to authenticate to the portal.
Please what do I do to rectify this.
Thanks.
NF
are the clients in the same domain? What about the browser settings? Is Windows Integrated Authentication enabled?
Have you seen my other blogs (Configuring and troubleshooting SPNego -- Part 2, Configuring and troubleshooting SPNego -- Part 3). Maybe Blog 3 will help you identify the problem.
If not: just drop me an email and we can try to work on it.
Regards,
Holger.
I have a question to ask. When do I configure SPNego? Before I install the DUET Server Components or after installing the DUET Server Components?
Thanks in advance.
the first part (up until "Assign the template to the components") can (but must not) be done before you install Duet.
Once you have installed Duet you can then assign the spnego template to the *osp_TicketIssuer.
Hope this helps,
Holger.
I have followed the steps all the way till connecting to the UME. However, when I open the URL, I'm unable to do so. May I know what's the possible cause? Thanks.
Thanks,
Holger.
this url: http://servername:port/spnego
and one more question. Do I need to install anything for the wizard to start running?
Thanks.
if /spnego is not working, please take a look and apply Note 994791 - SPNego Wizard.
Regards,
Holger.
I would like to check with you. I have created a user, "SPNego" at the Active Directory and the username I used when accessing the J2EE Engine is "Administrator". So, when setting the SPN, is it correct when I enter setspn -A HTTP/serveripno Administrator?
Thanks again in advance.
for the setspn -A command you have to use the user that you used in "Create SPNego Service User" -- so I guess this would be your user "SPNego".
So the command for you would be something like
setspn -A HTTP/YourServerName SPNego
Regards,
Holger.
Thanks for the wonderful blog.
I recently configured SSO using SPNEGO.
I have followed your instructions in the blog and configured the same. But still, when I log on, it asks for the password on the EP 7.0.
I am using a JDK with 1.4.2_13.
I went through this weblog too: "Common SPNEGO Implementation Issues".
And everything is ok, but at the end I get this warning:
"[Warning] Oct 2, 2008 2:40:44 PM Unable to resolve host: pot
[Info] Oct 2, 2008 2:40:44 PM Please, enter J2EE host name ( not IP and not
localhost )"
I went through this weblog too (Configuring and troubleshooting SPNego -- Part 3).
Please, what do I do to rectify this?
Thanks.
Reza
can you send me the complete output of the diagtool (Configuring and troubleshooting SPNego -- Part 3)?
Thanks,
Holger.
Can you give me your e-mail address to send my file there?
Thanks very much.
The output of the diagtool is too large to send here. But here is the part with my warnings.
18:57:09:384 Warning Guest ~n_Thread[impl:3]_23 com.sap.security.core.util.SecurityAudit Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[000.00.0.00], Reason=[No login module succeeded.]
18:55:16:497 Warning Guest ~on_Thread[impl:3]_6 ~.core.server.jaas.spnego.asn1.TLVParser Length octets must contain values [0x01;0xFF]. Found 0
getLoggedInUser
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
... 41 more
ERROR: HTTP request was not successful. Returned code is: 200
I hope you can help me.
Thanks.
unfortunately that does not help. You can see my email on my business card. Please contact me from there.
Thanks,
Holger.
Firstly, thanks for the blog, it helped me a lot. I have this issue that a few users are asked for a password when logging on to the portal. I ran the diagtool and the security tool and I have the following output; kindly have a look and let me know the course of action. Thanks for your valuable time and effort:
#1.5 #001CC4E1D266004700000003000008A40004519594A8AA5D#1215602792898#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
Few more lines after that.
Kindly let me know how to proceed.
Regards,
Mohammed
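The audit records quoted above are in the J2EE Engine's '#'-delimited list format, with the message template followed by an argument count and the positional arguments. The following parser is an added illustration, not code from the blog or from SAP: it turns such lines into structured records, fills in the {0}/{1}/{2} placeholders, tolerates a record cut off mid-message (as the last quoted line is), and counts failed role checks for the anonymous Guest caller, which is what these lines actually say. The field positions are assumptions read off the sample records, not a documented layout.

```python
"""Parse SAP J2EE Engine list-format log records (the '#'-delimited lines
quoted above) and expand their message placeholders.

Added illustration, not SAP code. The field positions below were read off
the sample records and are an assumption, not a documented layout.
"""
from datetime import datetime, timezone

# Field positions inside a '#'-split record (assumed from the sample lines).
F_TIMESTAMP, F_CATEGORY, F_APPLICATION, F_USER = 3, 4, 5, 7
F_SEVERITY, F_MESSAGE, F_ARGCOUNT = 17, 23, 24

# Sample input: two records copied from the comment above, one record cut
# off mid-message (like the last quoted line) and one non-record line.
SAMPLE_LINES = [
    "#1.5 #001CC4E1D26600470000003C000008A40004519594AF050C#1215602793320#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#",
    "#1.5 #001CC4E1D26600470000003F000008A40004519594AA03F7#1215602793414#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#",
    "#1.5 #001CC4E1D266004800000000000008A40004519594F9270B#1215602798601#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#6##n/a##e57d9f904da911dd80f6001cc4e1d266#Thread[Config JMS Thread,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authoriz",
    "Few more lines after that.",  # prose between records is skipped
]


def _field(parts, index):
    """Field at index, or '' when the record was cut off before it."""
    return parts[index] if index < len(parts) else ""


def expand(template, args):
    """Substitute {0}, {1}, ... with the positional arguments."""
    for i, value in enumerate(args):
        template = template.replace("{%d}" % i, value)
    return template


def parse_record(line):
    """Parse one '#1.5 ...' record into a dict; None for other lines."""
    if not line.startswith("#1.5"):
        return None
    parts = line.split("#")
    millis = _field(parts, F_TIMESTAMP)
    stamp = (datetime.fromtimestamp(int(millis) / 1000, tz=timezone.utc).isoformat()
             if millis.isdigit() else "")
    # The argument count follows the template; if it is missing or short,
    # the record was truncated and the template is left unexpanded.
    args, truncated = [], True
    count = _field(parts, F_ARGCOUNT)
    if count.isdigit():
        args = parts[F_ARGCOUNT + 1:F_ARGCOUNT + 1 + int(count)]
        truncated = len(args) < int(count)
    return {
        "timestamp": stamp,
        "category": _field(parts, F_CATEGORY),
        "application": _field(parts, F_APPLICATION),
        "user": _field(parts, F_USER),
        "severity": _field(parts, F_SEVERITY),
        "args": args,
        "truncated": truncated,
        "message": expand(_field(parts, F_MESSAGE), args),
    }


def parse_records(lines):
    """Parse every record line, skipping prose or continuation lines."""
    return [rec for rec in map(parse_record, lines) if rec is not None]


def guest_role_failures(records):
    """Count failed role checks for the anonymous Guest caller. A burst of
    these on /irj means SPNego did not authenticate the browser, the engine
    fell through to Guest, and Guest then failed the role check."""
    return sum(1 for r in records
               if r["user"] == "Guest" and r["severity"] == "Error"
               and r["args"][:1] == ["ACCESS.ERROR"])


if __name__ == "__main__":
    records = parse_records(SAMPLE_LINES)
    for rec in records:
        flag = " (truncated)" if rec["truncated"] else ""
        print(rec["timestamp"], rec["user"], rec["severity"], rec["message"] + flag)
    print("guest role-check failures:", guest_role_failures(records))
```

Expanded, each intact record reads "ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [SAP-J2EE-Engine : administrators]." for user Guest, which confirms what Holger says next: the lines only show that the caller was never authenticated, not why SPNego failed.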
Unfortunately the output does not contain too much useful information.
Feel free to send me an email with the complete log.
Regards,
Holger.
Great weblog! I am having a problem with the fully qualified hostname. SPNEGO works when I type in the URL
1) does not work = http://wf35.company.com:22000/irj/portal
2) works = http://wf35:22000/irj/portal
So it does not work for the fully qualified hostname, and it gives a Basic Login Module pop-up. Any ideas?
Thanks!
Imran
In the Note on the SPNego wizard, what does the mentioned .zip apply to? (What are the ADS and DB for, and whom does it apply to?)
In general Part I and II also apply. However, I would ask you to take a look at Configuring SPNego with ABAP datasource which deals with ABAP as a datasource in specific.
Regards,
Holger.
At the end of Part 1 you mention testing from another computer - and not the server. I've got my SPNego based single-sign on working, but I cannot logon to my Portal on the server, which would come in handy. I've also found that SAP Support cannot logon with an HTTP connection. Is there a way of adjusting the configuration so it does allow that? My server is Windows 2003 x64 with Sun JDK 1.4.2_17-x64.
Thanks,
Tom
The issue here is that the [ticket] component is now configured to use SPNego which does not work from the server.
So the idea would be to use a different component to redirect to your login page. Do you know my blog Single Sign On to BSP pages from Duet's Action Pane?
You could use this simple redirect (which would then be configured [unlike in the blog] for basic authentication) to authenticate with your admin user and you would simply redirect to /irj.
Contact me if you need any help on that.
Holger.
Your series on SPNego is excellent.
I have a question on what would be required when performing an SAP EP 7.0 Portal system migration to new hardware. The existing Portal is configured using SPNego to authenticate Windows based client logon using ADS LDAP lookup on the Portal UME.
What post migration steps would be required - additional Service Principal Name entries added to the service user that was originally created on the DC server for the new J2EE hosts that the system is being migrated to?
Can the original key file stored in the filesystem be copied to the new hardware ?
This is a standard system copy using SAP's R3load method for export/import to the new servers.
The DNS domain will not change - only the J2EE hostnames, servera.unix.company.com will become serverb.unix.company.com.
Hopefully there is little needed to quickly enable the SPNego authentication to work properly after the system move.
Regards,
Brian.
Hi Brian,
many thanks for your swift response. I will be doing the copy in the next week or so. I'll let you know how I get on.
Regards,
Brian.
Excellent blog. I have gone through all the steps in your blog but I could not locate dataSourceConfiguration_ads_readonly_db_with_krb5.xml in Note 994791. I downloaded all the zip files in the Note but none of them has a data source config file in it.
Kindly help.
Regards,
Nirmal Sivakumar G
Please check the attachment SPNegoWizard_640.zip available in Note 994791 - SPNego-Assistent. Included in the ZIP file is dataSourceConfiguration_ads_readonly_db_with_krb5.xml
Regards,
Holger.
Thank you, this document is prepared wonderfully. I wonder about one thing: is AD 2008 & Portal integration possible? I didn't find this information anywhere.
thanks.
Thanks. Yes, AD 2008 is supported. Just take a look at this Note: https://service.sap.com/sap/support/notes/983808 and from there, you can search via http://www.sap.com/ecosystem/customers/directories/SoftwareISVSolutions.epx and will find http://www.sap.com/ecosystem/customers/directories/SoftwareISVSolutions.epx?context=21B87D61C0F646A22B2A6DB254A010CA8C9C141B7529F029F515B7F49325E097605E236313F854A01816911FBE869FE308CD168F5D975B09CCB1744511ACD15074B0D60E868C0E712D85742AA3CD1E0E|1E590255B6BBF9C22F03118928C387FA5EF256BECE901153
However, depending on which DC you are using, you might have issues with DES encryption (see SSO with SPNego not working on Windows 7 / Windows 2008 R2).
Because of that I would recommend to use the latest SPNEGOLoginModule (New SPNego login module - just around the corner).
Regards,
Holger.
Hi Holger,
Do you have a procedure that we need to follow after a system copy so that SSO with the AD starts working? I had a sandbox system with hostname http://sandbox.ae which was overwritten by our training system http://training.ae. SSO was working fine on the sandbox system before the system copy. After the system copy it has stopped working. I have run the SPNego wizard multiple times, however it still gives me errors.
Can you elaborate on the keytab files? Do they need to be recreated? How is this done?
What checks can I run on the AD to make sure the principal has been created properly?
Here is the error section of my diagtool output...
Regards
Shirish Joshi
12:29:41:157 Debug Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Looking for credentials for realm EMAL.DOMAIN
12:29:41:158 Debug Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Looking for credentials for HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN in {}
12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Acquiring credentials for GSS name HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN
12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS name type is: 1
12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS name type 1 is :1.2.840.113554.1.2.1.1
12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS mechanism is: 1.2.840.113554.1.2.2
12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Name is not canonicalized for mech 1.2.840.113554.1.2.2, creating mech name
12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out getFactory: index = 0 found factory
12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Name cannonicalization complete, resulting name string=HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN
12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Creating mech cred for HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN, mech 1.2.840.113554.1.2.2, usage accept only
12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out getFactory: index = 0 found factory
12:29:41:160 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Obtaining creds from keytab for service HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN
12:29:41:160 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out KeyTab:SAPEngine_Application_Thread[impl:3]_10: >>> KeyTab: file not found keytab
Is the system copy still on the same server? If not, then you have to create another Service Principal Name entry for the service user (see setspn -A ... mentioned in the blog).
After adding the new SPN, run the Wizard again and see what happens 🙂
Regards,
Holger.
Which means, can I run
setspn -A http/blahblah.ae aduser
setspn -A http/wahwah.ae aduser
I had read somewhere that the principal should be unique? Or is that for blahblah.ae, which should have only 1 principal, but 1 AD user can have many: http/1.ae http/2.ae
Apologies if I am asking really basic questions but this does have me confused...
Regards
Shirish Joshi
Yes. A single user can have multiple SPNs.
Regards,
Holger.
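For the check Shirish asked about (whether the SPNs for the new host were created properly on the service account), here is an added PowerShell script that is not part of the blog or of SAP's tooling. It wraps the same setspn tool the blog uses: -L lists the SPNs held by the account, -Q asks the domain whether an SPN already exists on any account, and -X reports domain-wide duplicates. The account name aduser, the two host names and the function name Test-SpnegoSpn are placeholders taken from the question above; replace them with the real values.

```powershell
# Added example, not from the blog: verify the SPNego service user's SPNs
# before re-running the wizard after a host rename or system copy.
# Assumed names: service account 'aduser' and the two hosts from the
# question above; the function name is hypothetical.

function Test-SpnegoSpn {
    param(
        [Parameter(Mandatory)] [string]   $ServiceUser,   # AD account whose key is in the keytab
        [Parameter(Mandatory)] [string[]] $HostNames      # every FQDN browsers will use
    )
    # setspn -L prints one SPN per indented line; normalise case for comparison.
    $registered = setspn -L $ServiceUser |
        Where-Object { $_ -match '^\s+\S+/' } |
        ForEach-Object { $_.Trim().ToLowerInvariant() }

    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        if ($registered -contains $spn.ToLowerInvariant()) {
            "OK       $spn is registered on $ServiceUser"
        }
        else {
            # -Q asks the domain whether the SPN exists on ANY account. An SPN
            # already held by another account must be moved, not added twice.
            $owner = setspn -Q $spn
            if ($owner -match 'No such SPN found') {
                "MISSING  $spn  -> setspn -A $spn $ServiceUser"
            }
            else {
                "CONFLICT $spn is already registered elsewhere:`n$($owner -join "`n")"
            }
        }
    }
}

# Duplicate SPNs anywhere in the domain leave the KDC unable to pick one key,
# so SPNego fails for both hosts; -X reports them.
setspn -X

Test-SpnegoSpn -ServiceUser 'aduser' -HostNames 'blahblah.ae', 'wahwah.ae'
```

Run it on a domain-joined machine as a user who may read the account's servicePrincipalName attribute. A MISSING line for the new host is the situation Holger describes: add the SPN with setspn -A and run the wizard again; a CONFLICT line means the old SPN is still attached to another account and has to be cleaned up first, since one SPN on two accounts breaks Kerberos for both.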
Hi,
What is the starting point, please, for setting up SPNego on a 730 Portal (no Visual Admin anymore)?
Hi,
can you take a look at the PDF attached to Note 1457499 (inside the ZIP files)? Maybe the steps outlined there can help.
Also www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567 might help.
Regards,
Holger.
Hello Holger,
Excellent blog. I really appreciate the effort and interest you have put in.
We are going to implement SSO on Portal with Windows AD . Our Windows AD is 2008 R2.
The only prerequisite you have mentioned is to create a service user with password not expiring and enable the DES algorithm.
Is there any other function to be active in Windows AD level. Is Kerberos Authentication etc active by default. I am not a windows expert and not sure if it comes with Windows?
Thanks and Kind Regards,
Jacob
Hi,
The steps outlined in this blog are all based on the "old" SPNego login module.
I would recommend, that you also take a look at the PDF attached to Note 1457499 (inside the ZIP files).
This blog talks a little about it: the PDF attached to Note 1457499 (inside the ZIP files)?
Regards,
Holger.
Thanks Holger ...The information is really helpful
Dear Holger,
I am desperately in need of your help. I am trying to implement SPNego SSO with ABAP datasource by following your blog but I have been struggling for two weeks without any success. I am getting a checksum error, token cannot be validated. It's really getting critical for me as we are approaching go live and we are not getting any help from SAP. I would really appreciate your help in this and please tell me if I can contact you by any chance.
Really really appreciate your help !!
Dear Jawad,
did you check the Note 1488409? It has some pretty good documentations and walkthroughs included.
The blog above (and the related ones Part 1 Part 2) are for the "legacy SPNego" implementation. With newer releases the wizard and connectivity changed a little and made it even simpler.
Regards,
Holger.
Hello Holger,
Request you suggestion/assistance on below SPNego issue.
Old AS JAVA version was NW7.01 SP6
New AS JAVA version was NW7.01 SP18
We performed JAVA SP patching so that we can upgrade our DB2 database to 10.5 version.
During patching, we had to undeploy sap.com~spnego.cfg.wd as per SAP note#1643003.
SSO with SPNego(UME is AS ABAP) was configured and working earlier, but after SP patching SSO is not working.
Please suggest if I have to install SPNego addon separately as per SAP note#1457499 or do I have to generate new keytab for this.
Thanks,
Ashish