Skip to Content
Author's profile photo Former Member

Configuring and troubleshooting SPNego — Part 1

— UPDATE —

A new SPNEGO LoginModule is now available. Please check New SPNego login module – just around the corner which refers to the new Module Note 1457499 – SPNego add-on


In the last few weeks I was asked by several customers and here on SDN about configuring and troubleshooting the SPNego-login module for the J2EE Engine. So I decided to write my first blog. Actually, since there are already several blogs available that deal with setting up SPNego I am planning to write at least three parts about SPNego

  • the first part will be about the configuration of SPNego and some general tips (this was dealt before quite some time, but I think it belongs to a complete troubleshooting series)
  • the second part will deal with common problems and some tools to figure out what went wrong
  • the third part will deal with a more detailed troubleshooting which you might find helpful when you were not able to solve the problem with the tools from part two

Even if you are not able to solve the problem with these three blogs, I hope to be able to shed some light on what is going on. And the logs and information you will collect here will most certainly help speed up messages you might have to create.

Documentation

First of all let me say that I think the documentation about the SPNego login module is rather good. I have been working on SPNego ever since it was first developed for a customer project at SAP. From that time (of course updated since then) is the documentation you can find here on help.sap.com.
But for several months now the SPNego Wizard is available which made configuring SPNego much easier. Instead of working on several sections in the Visual Admin, on files with a text editor and so on you can use a simple web based wizard — and are (hopefully) done within about 30 minutes. I would always recommend to use the wizard and this is what this first part is all about. Of course it is not always that simple – I had plenty of installations where something did not work right away and then you have to troubleshoot.

SPNego Wizard

Take a look at Note 994791 – SPNego Wizard.
Here you can download the SPNego Wizard (if it is not already contained with your J2EE installation). There is also a ZIP file I strongly recommend containing videos about the installation. It is fast, but with the help of the pause button of your video-player you can see everything you need to know. Also contained in the ZIP files is a PDF document and sample dataSourceConfiguration files that you can use to configure your UME to connect to your LDAP directory.
[if you are using Sun JDK for your J2EE engine, please make sure that you are using a JDK with 1.4.2_13 and not _14, _15 or _16. Unfortunately all these versions contain a bug that fails Kerberos to work, see Note 1057474 – NullPointerException in KRB5LoginMoule]

Create SPNego Service User

The first step is to configure a service user in your LDAP directory. For my screenshots I used a J2EE engine that I (will) attached to a Microsoft ADS.
Create a user in the ADS and make sure that the properties
* Password never expires
* Use DES encryption types for this account
are set.

image

image

Now set the service principal names (SPN) for this user. The SPN has to be every URL / DNS-Alias you are going to use to access the J2EE Engine — and of course the fully qualified computer name has also to be created. Simply repeat the steps
setspn -A HTTP/servername username

image

for each URL. You can do a quick check via setspn –L to see if your settings were successful (all entered SPNs should be returned)

image

 

Connect the UME

Then you have to connect the usermanagement engine of the J2EE engine to the ADS. In order to do this, upload the dataSourceConfiguration file attached to the Note via the configtool [click on Browser, select the file and click on Upload]:

image

Then select it from the drop down list and enter all the data required.

image

 

Now you can click on Browse to select the User and the Group path where your users and groups are stored in the LDAP directory:

image

Make sure to test the connection and the authentication. 

image

image

After that restart the J2EE Engine.

Run the wizard

Now you are all set to start the SPNego Wizard. Simply open the URL http://servername:port/spnego

The first screen is just to remind you of what you have to do as a prerequisite.

image

Now you have to tell the wizard something about your Kerberos setup and the LDAP attached.

image

(you can use either Enter Principal or Retrieve Principal. Both options should work just fine) 

In the next step you tell the wizard how the lookup will work. The J2EE Engine gets the Kerberos ticket which usually is the SAMAccountName and the Domain. So in order to find the user in the UME the best way is to split the name and first search for the first part (kerbprefix, e.g. SAMAccountName) and if the result is not unique the second part (KPN-Suffix, domainname). Of course you can also try the other options simple and basic, but I would first go with prefixbased.

image

The first thing I would do is select the “Create new” option in order to create a new template that can be used more flexible (e.g. if you want to use SPNego with the Portal and Duet). So create a new template “spnego” (this is the default option anyway), and if you want to you can now deselect Enable Basic Password Fallback (but make sure that “Enable SSO with SAP Logon Ticket” *is* enabled.

image

And we are done.

image

Now restart the J2EE Engine.

 

Assign the template to the components

The final step is to assign the template you created to the login component you are using (for the Portal usually this is the ticket stack, for Duet it is the osp_TicketIssuserComponent):

image

Test it…

OK. If you are lucky 🙂 everything is fine. When you try to test your configuration make sure to do this from another computer (and not the server) and using the fully qualified domain name. If it is not working then maybe my next blog will be of use.

Stay tuned…


Update: In the meantime a lot of new ideas and updates are available. The most important one is the new SPNEGO Login Modul. In addition to that there are several blogs in this series that cover the ABAP Integration and other aspects in regards to SPNego. A list of these blogs is outlined below:

Configuring and troubleshooting SPNego — Part 1
Configuring and troubleshooting SPNego — Part 2
Configuring and troubleshooting SPNego — Part 3
Configuring SPNego with ABAP datasource
Configuring SPNego with ABAP datasource — Part 2
SSO with SPNego not working on Windows 7 / Windows 2008 R2
Single Sign On to BSP pages from Duet’s Action Pane
Single Sign On to BSP pages
New SPNego login module – just around the corner
New SPNego Login Module

 


Assigned Tags

      75 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member
      Hi,

      I have 2 questions:

      1) Is it possible to configure SPNego where the portal UME is configured with Sun Microsusyem LDAP server?

      2) Currently we have implemented SPNego for our UK location. We want to implement for USA location also. Both UK and USA are in separate domains. Is it possible to set up SPNego fo both location tith same portal?

      Best Regards,
      Hari

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Hari,

      both should be possible:
      For your first question, please have a look at http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm (also in Note 994791 there is an example for Sun LDAP).

      The same is true for your second question: please have a look at Note 994791 and the two files SPNego_multiple_ADS_Sun_JDK_1.zip

      Hope this helps,

      Holger.

      Author's profile photo jorge velasquez
      jorge velasquez
      Hi,

      I configured successfully SPNEGO in DEV, now I want it to do it in QAS and PRD, is there a problem if I put those url using setspn and setspn -L shows multiple url (dev,qas,prd) ... Is this ok?

      Regards

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      as long as the SPNs are unique to one user you should be fine with your approach.
      Regards,
      Holger.

      Author's profile photo Former Member
      Former Member
      Hello Holger,

      great blog, really helped me to configure SPNego in a complex environment.

      Just like to mention, that a connection to the MS ADS Global Catalog, because this might be usefull for others as well.

      To implent this, just use the Configtool and change the LDAP port from 389 to 3268 (if you're using default ports - otherwise you should check it on ADS). Execute the Connection test and reboot the system, after you made your configuration.

      That's it - now you can see the whole tree in Portal Useradministration -> Identity Managment.

      Kind regards,
      Annike

      Author's profile photo Former Member
      Former Member
      Hi,

      SUN has revised the Kerberos implementation in JDK 1.4.2_14+ to make it (more) RFC4120 compliant. To make SpnegoLoginModule work with the SUN JDK 1.4.2_14+ you have to set the new JAAS property isInitiator to false.

      com.sun.security.jgss.accept
      {
              com.sun.security.auth.module.Krb5LoginModule required
              isInitiator=false
              debug=true
              useKeyTab=true
              useTicketCache=false
              storeKey=true
              principal="..."
              doNotPrompt=true
              refreshKrb5Config=true;
      };

      Best regards,
      Marc

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Marc,

      thanks a lot for this information. Can you tell me where I can download 1.4.2_14+?

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      http://java.sun.com/j2se/1.4.2/download.html

      He means any version greater than 1.4.2_13 (i.e.: 1.4.2_16 is the latest).

      Note 1057474 should be noted here, stating that the above versions will cause a nullpointerexception within the KRB5LoginModule.

      However, this can be avoided by setting the parameter isInitiator = false within the com.sun.security.auth.module.Krb5LoginModule.

      Either way, great blog and I am really looking forward to the 3rd part!

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Hermann,

      thanks for the clarification! I had mentioned Note 1057474 in the blog but I didn't know about the workaround (isInitiator = false ).
      I will mention that in Part 3!

      Thanks,

      Holger.

      Author's profile photo Erdal ÅžimÅŸek
      Erdal ÅžimÅŸek
      Hi,

      I just wanted to add that J2SE 1.4.2_25 b02 is the recommended one from SAP - it contains
      some kerberos related fixes, pls. also refer to note 716604 and 718901 for
      details.

      Best regards,

      Erdal Simsek

      Author's profile photo Former Member
      Former Member
      Hi Holger, excellent blog, so valuable help to me for perform this configuration.

      Actually the landscape is a multi-forest configuration in SAP EP, a internal domain for employees, and a external domain (in a DMZ) for external users and suppliers.

      Let me ask you a question: configuration files that appear there, saying "readonly", in my requirement, I need that the user can modify your password when this expires, controlled by policies originated in Microsoft AD ldap source.

      How do the same as indicated on the blog, but in a way "writeable"?
      Actually I am using this file:
      dataSourceConfiguration_ads_readonly_db_with_krb5.xml

      There are a "writeable" version?

      (yesterday a post this thread: /thread/725367 [original link is broken] about the issue)

      thanks in advance!!
      regards
      Leandro

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Leonardo,

      unfortunately there is no writeable version out-of-the-box but you could easily create one. I have replyed to your post. If you have problems with that, feel free to contact me.

      Regards,

      Holger.

      Author's profile photo Parthi Shanmugam
      Parthi Shanmugam
      Thanks for the great blog.

      Can it be possible to configure SPNego where the portal UME datasource is configured to use dataSourceConfiguration_abap.xml.

      Thanks again,
      Parthi

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Parthi,

      yes, you can also configure SPNego with dataSourceConfiguration_abap.xml. Please use the video for SPNego_DB_datasource_Sun_JDK_x.zip attached to Note 994791 - SPNego Wizard as a first guiding point.
      You can also take a look at Configuring the UME when Using Non-ADS Data Sources (http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm) for some help.

      If you still have problems, please contact me directly and I will try to help you out.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Dear Holger,

      I have followed your instructions in the blog and configured the same. But still when I logon, it asks for the password on the EP 7.0.

      We are using ABAP as the Datasource.

      Your help woudl be highly appreciated.

      Thanks,
      Mohammad.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Mohammad,

      did you try the third blog (Configuring and troubleshooting SPNego -- Part 3) and analyse the situation with the Web Diag tool?

      Give it a try and sent me an email if you have problems.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Dear Holger,

      I have ran the diag tool and below is the major error which I feel is the show stopper.

      Couldn't find user by attribute krb5principalname = alimr@NPIC.COM.SA
      13:41:34:852      Warning      Guest      ~n_Thread[impl:3]_20      ~on.loginmodule.spnego.SPNegoLoginModule      Authentication failed. Error during handshake. Check the trace file for details.
      13:41:34:852      Warning      Guest      ~n_Thread[impl:3]_20      ~on.loginmodule.spnego.SPNegoLoginModule      Error during handshake.
      [EXCEPTION]
      com.sap.security.core.server.jaas.spnego.SPNegoProtocolException: User Resolution not possible.

      Appreciate your help on this!

      Regards,
      Mohammad.

      Author's profile photo Former Member
      Former Member
      Did you ever resolve this issue? I'm having the same issue. any help would be greatly appreciated.
      Eric
      Author's profile photo Former Member
      Former Member
      Dear Holger,

      I have resolved the problem, it was that I was not maintaining the krb5principal name for all the users. We have around 1000 users from the ABAP datasource, is there a way to populate this field automatically?

      Thanks,
      Mohammad.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      just a quick update. I have create a new blog (Configuring SPNego with ABAP datasource) dealing with SPNego and ABAP datasource.

      Regards,

      Holger.

      Author's profile photo Golo Maichel
      Golo Maichel
      Thanks for this great blog.

      We have installed Java SUN SDK 1.4.2_16 and we set the parameter "isInitiator=false" in com.sun.security.jgss.accept (Krb5LoginModule).
      It works fine now.

      Best regards
      Golo Maichel

      Author's profile photo Former Member
      Former Member

      Hello,<br/><br/>I am trying to do SSO setup using spnego wizard. I followed the blog at:<br/><br/>Everythig is setup correctly but I am getting following error when I access a portal after the setup. Also now I am not able to login at all and got stuck up.<br/><br/>Any help would be great. I am using portal 7.0 with sp14 version.<br/><br/>thanks<br/>Jaish<br/><br/>Error Trace<br/><br/>----


      <br/>#1.5 #001DE04BAF67007300000026000016CC000450AA5CC0CA1C#1214592537140#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0##n/a##b2bc4f41447911ddb1cf001de04baf67#SAPEngine_Application_Threadimpl:3_6##0#0#Error##Java###Acquiring credentials for realm SJCAD02.DATADOMAIN.COM failed <br/>EXCEPTION<br/>#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)... 30 more

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      can you take a look at Blog 3 in the series (Configuring and troubleshooting SPNego -- Part 3). There is also one section which deals with the "Acquiring credentials for realm failed" error. Maybe this will help!

      Holger.

      Author's profile photo Chandrasen Tekchandani
      Chandrasen Tekchandani
      Hello Holger,
      Your documentation is very interesting. Could you please advise whether you have some tips for maintaining this configuration, e.g whether changing the password of j2ee_admin, ldap user affect the operation of SPnego ?
      Thanks and regards,
      Elizabeth.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      ...and one more thing. If you cannot figure this one out and simply want to login to the portal again, start Visual Administrator and change the login modules for the Ticket Component (Security Provider) back to "EvaluateTicketLogonModule -> BasicPasswordLoginModule -> CreateTicketLogonModule).

      Hope this helps,

      Holger.

      Author's profile photo Chandrasen Tekchandani
      Chandrasen Tekchandani
      Hello Holger,
      Your documentation is very interesting. Could you please advise whether you have some tips for maintaining this configuration, e.g whether changing the password of j2ee_admin, ldap user affect the operation of SPnego ?
      Thanks and regards,
      Elizabeth.
      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Elizabeth,

      the only password that you should be careful about is the password of the SPNego service user (the one that you created in the first step and where you set the encryption type to DES).
      Other than that you can change passwords as you like without affecting the SPNego configuration.

      Regards,

      Holger.

      Author's profile photo Chandrasen Tekchandani
      Chandrasen Tekchandani
      Hello Holger,

      Thank you for your reply. If I change the password of the SPNego service user, could you please advise whether I need to reconfig the SPNego from the beginning ?

      Many thanks in advance.

      Best regards,
      Elizabeth.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Elizabeth,

      just start the SPNego Wizard and click through. Most of the filed should be prefilled and you just have to enter the new password.
      By this the keytab file will get updated and everything should be fine again.

      Regards,

      Holger.

      Author's profile photo Chandrasen Tekchandani
      Chandrasen Tekchandani
      Hello Holger,

      Thank you very much for your help.
      Unfortunately, in my case, I have to recreate the users with new password. I am not sure what is wrong.

      Best regards,
      Elizabeth.

      Author's profile photo Former Member
      Former Member

      Hi Holger,

      Firstly awesome blog! I'm attempting to setup authentication from portal to multiple AD (more then 5 ADs)

      Anyway, I'm wondering is it possible to set up in a way where I have kerberos but without the SSO.

      I'm also looking at the SPNegoDocumentation.pdf from sapnote 1488409, the procedure indicate to not check "Use DES encryption" for the service user account which is opposite of what you've done.

      Confused..

      Author's profile photo Former Member
      Former Member
      Hello Holger,

      Thanks for the wonderfull Blog.

      I recently configured SSO using SPNEGO.

      The issue is that it works fine for most users but it request for LogonID and Password when some users try to authenticate to the portal.

      Please what do I do to rectify this.

      Thanks.

      NF

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi NF,

      are the clients in the same domain? What about the browser settings? Is Windows Integrated Authentication enabled?

      Have you seen my other blogs (Configuring and troubleshooting SPNego -- Part 2, Configuring and troubleshooting SPNego -- Part 3). Maybe Blog 3 will help you identify the problem.

      If not: just drop me an email and we can try to work on it.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member

      Hi Holger,

      Author's profile photo Former Member
      Former Member
      Could this be due to user network profile?
      Author's profile photo Former Member
      Former Member
      Blog Post Author
      That's possible -- but a Diagtrace would probably help and shed some light of why it is really failing. Then you could check the profile settings.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger.

      I have a question to ask. When do I configure SPNego? Before I install the DUET Server Components or after installing the DUET Server Components?

      Thanks in advance.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Nur,

      the first part (up until "Assign the template to the components") can (but must not) be done before you install Duet.
      Once you have installed Duet you can then assign the spnego template to the *osp_TicketIssuer.

      Hope this helps,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger.

      I have followed the steps all the way till connecting to the UME. However, when I open the URL, I'm unable to do so. May I know what's the possible cause? Thanks.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Can you specify which URL you are talking about?

      Thanks,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger.

      this url: http://servername:port/spnego

      and one more question. Do I need to install anything for the wizard to start running?

      Thanks.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      if /spnego is not working, please take a look and apply Note 994791 - SPNego Wizard.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger.

      I would like to check with you. I have created a user, "SPNego" at the Active Directory and the username I used when accessing the J2EE Engine is "Administrator". So, when setting the SPN, is it correct when I enter setspn -A HTTP/serveripno Administrator?

      Thanks again in advance.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      for the setspn -A command you have to use the user that you used in "Create SPNego Service User" -- so I guess this would be your user "SPNego".
      So the command for you would be something like
      setspn -A HTTP/YourServerName SPNego
      Regards,
      Holger.

      Author's profile photo Former Member
      Former Member
      Hello Holger,

      Thanks for the wonderfull Blog.

      I recently configured SSO using SPNEGO.

      I have followed your instructions in the blog and configured the same. But still when I logon, it asks for the password on the EP 7.0.
      I am using a JDK with 1.4.2_13 .
      I was true this weblogs too "Common SPNEGO Implementation Issues".
      And every thing ok but at last I get this warning.:
      "[Warning] Oct 2, 2008 2:40:44 PM     Unable to resolve host: pot
      [Info] Oct 2, 2008 2:40:44 PM     Please, enter J2EE host name ( not IP and not
      localhost )":
      I was true this weblogs too (Configuring and troubleshooting SPNego -- Part 3)

      Please what do I do to rectify this.

      Thanks.

      Reza

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Reza,

      can you sent me the complete output of the diagtool (Configuring and troubleshooting SPNego -- Part 3).

      Thanks,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hello Holger.

      Can you give your E-mail addres to sende my file there.

      Thanks very much.

      Author's profile photo Former Member
      Former Member
      Hello Holger.
      Output of det diagtool is to large to sende tha her. But her is the part of my worrnings.

      18:57:09:384 Warning Guest ~n_Thread[impl:3]_23 com.sap.security.core.util.SecurityAudit Guest | LOGIN.ERROR | null |  | Login Method=[default], UserID=[null], IP Address=[000.00.0.00], Reason=[No login module succeeded.]

      18:55:16:497 Warning Guest ~on_Thread[impl:3]_6 ~.core.server.jaas.spnego.asn1.TLVParser Length octets must contain values [0x01;0xFF]. Found 0

      getLoggedInUser
      [EXCEPTION]
      com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
      at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
      at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
      at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
      at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
      at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
      at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
      at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
      at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
      at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
      at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
      at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
      at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
      at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
      at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
      at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
      at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
      Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
      at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
      ... 41 more

      ERROR: HTTP request was not successful. Returned code is: 200
      I hope you can help me.
      Thanks.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      unfortunately that does not help. You can see my email from my business card. Please contact me from there.
      Thanks,

      HOlger.

      Author's profile photo Mohammed iqbal
      Mohammed iqbal
      Hi Holger,

      Firstly thanks for the bolg it help me a lot. I have this issue that few users are asked for passowrd when loggin on to portal i ran the diagtool and the security tool and i have the following output kindly have a look and let me know the course of action.Thanks for your valuable time and effort:

      !--LOGHEADER[START]/-->

      #1.5 #001CC4E1D266004700000003000008A40004519594A8AA5D#1215602792898#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000005000008A40004519594A8C694#1215602792914#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000008000008A40004519594A94CCF#1215602792945#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000000B000008A40004519594A33C50#1215602792961#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000000E000008A40004519594A37E42#1215602792992#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000011000008A40004519594AA34BF#1215602793007#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000014000008A40004519594AAC3E4#1215602793039#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000017000008A40004519594A4D26F#1215602793070#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000001A000008A40004519594A52F46#1215602793101#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000001D000008A40004519594A57F54#1215602793117#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000020000008A40004519594A5CCEC#1215602793132#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000023000008A40004519594A61829#1215602793148#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000026000008A40004519594A65441#1215602793179#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000029000008A40004519594A6AE6B#1215602793195#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000003C000008A40004519594AF050C#1215602793320#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000003F000008A40004519594AA03F7#1215602793414#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000043000008A40004519594AB8CFB#1215602793507#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004700000047000008A40004519594AD0BDA#1215602793617#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D26600470000004C000008A40004519594B9FE2E#1215602794460#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#0##n/a##e1cfd9d04da911dd928e001cc4e1d266#SAPEngine_Application_Thread[impl:3]_9##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#SAP-J2EE-Engine#administrators#
      #1.5 #001CC4E1D266004800000000000008A40004519594F9270B#1215602798601#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#6##n/a##e57d9f904da911dd80f6001cc4e1d266#Thread[Config JMS Thread,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authoriz

      Few more lines after that.

      Kindly let me knwo how to proceed.

      Regards,
      Mohammed

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Mohammed,

      unfortunately the output does not contain too much useful information.
      Feel free to send me an email with the complete log.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger,

      Great weblog! I am having a problem with the fully qualified hostname. SPNEGO works when I type in the URL

      1) does not work = http://wf35.company.com:22000/irj/portal

      2) works = http://wf35:22000/irj/portal

      So it does not work for the fully qualified hostname, and it gives a Basic Login Module pop-up. Any ideas?

      Thanks!
      Imran

      Author's profile photo Former Member
      Former Member
      Just want to ask if the Part I and II applies for Dual stack also?
      in the note of spnego wizard, the mentioned .zip applies for what?( is the ADS and DB is for and whom does it apply?
      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      in general Part I and II also apply. However, I would ask you to take a look at Configuring SPNego with ABAP datasource which deals with ABAP as a datasource in specific.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger,

      At the end of Part 1 you mention testing from another computer - and not the server. I've got my SPNego based single-sign on working, but I cannot logon to my Portal on the server, which would come in handy. I've also found that SAP Support cannot logon with an HTTP connection. Is there a way of adjusting the configuration so it does allow that? My server is Windows 2003 x64 with Sun JDK 1.4.2_17-x64.

      Thanks,
      Tom

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi Tom,

      the issue here is that the [ticket] component is now configured to use SPNego which does not work from the server.
      So the idea would be to use a different component to redirect to your login page. Do you know my blog Single Sign On to BSP pages from Duet's Action Pane
      You could use this simple redirect (which would then be configured [unlike in the blog] for basic authentication) to authenticate with your admin user and you would simple redirect to /irj.
      Contact me if you need any help on that.

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi Holger,

      your series on SPNegro is excellent.

      I have a question on what would be required when performing an SAP EP 7.0 Portal system migration to new hardware. The existing Portal is configured using SPNegro to authenticate windows based client logon using ADS LDAP lookup on the Portal UME.

      What post migration steps would be required - additional Service Principal Name entries added to the service user that was originallt created on the DC server for the new J2EE hosts that the system is being migrated to ?.

      Can the original key file stored in the filesystem be copied to the new hardware ?

      This is a standard system copy using SAP's R3load method for export/import to the new servers.

      The DNS domain will not change - only the J2EE hostnames, servera.unix.company.com will become serverb.unix.company.com.

      Hopefully there is little needed to quickly enable the SPNegro authentication to work properly after the system move.

      Regards,

      Brian.

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hi Brian,

      Author's profile photo Former Member
      Former Member
      Hi Holger,

      many thanks for your swift response. I will be doing the copy in the next week or so. I'll let you know how I get on.

      Regards,

      Brian.

      Author's profile photo Former Member
      Former Member
      Hi,

      Excelent blog. I have gone through all the steps in your blog but I could not locate dataSourceConfiguration_ads_readonly_db_with_krb5.xml in Note 994791. I downloaded all the zip files in the Note but none of it has a data source config file in it.
      Kindly help.

      Regards,
      Nirmal Sivakumar G

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      please check the attachment SPNegoWizard_640.zip available in Note 994791 - SPNego-Assistent. Included in the ZIP file is dataSourceConfiguration_ads_readonly_db_with_krb5.xml

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      Hi,
      thank you, this document prepared wonderfuly. O wonder that one thing; AD 2008 & portal integration is possible? I didnt find anywhere this information.

      thanks.

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Author's profile photo Former Member
      Former Member

      Hi Holger,<br/>Do you have a procedure, that we need to do after system copy so that SSO with the AD starts working ? I had a sandbox system hostname http://sandbox.ae which was overwritten by our training system http://training.ae. SSO Was working fine on the sandbox system before the system copy. after system copy it has stopped working. i have run the spnego wizard multiple times. however it still give me errors. <br/>Can you elaborate on the keytab files ? do they need to be recreated ? how is this done ?<br/>What checks can i run on the AD to make sure the principal has been created properly.<br/>here is the error section of my diagtool out put...<br/>regards<br/>shirish joshi<br/>12:29:41:157 Debug Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Looking for credentials for realm EMAL.DOMAIN <br/>12:29:41:158 Debug Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Looking for credentials for HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN in {} <br/>12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego Acquiring credentials for GSS name HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN <br/>12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS name type is: 1 <br/>12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS name type 1 is :1.2.840.113554.1.2.1.1 <br/>12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 ~urity.authentication.loginmodule.spnego GSS mechanism is: 1.2.840.113554.1.2.2 <br/>12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Name is not canonicalized for mech 1.2.840.113554.1.2.2, creating mech name <br/>12:29:41:158 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out getFactory: index = 0 found factory <br/>12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Name cannonicalization complete, resulting name string=HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN <br/>12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Creating mech cred for HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN, mech 1.2.840.113554.1.2.2, usage accept only <br/>12:29:41:159 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out getFactory: index = 0 found factory <br/>12:29:41:160 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out Obtaining creds from keytab for service HTTP/dc1trnbw.emal.domain@EMAL.DOMAIN <br/>12:29:41:160 Info Guest SAPEngine_Application_Thread[impl:3]_10 System.out KeyTab:SAPEngine_Application_Thread[impl:3]_10: >>> KeyTab: file not found keytab

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      is the system copy still on the same server? If not, then you have to create another Service Principal Name entry for the service user (see setspn -A ... mentioned in the blog).
      After adding the new SPN, run the Wizard again and see what happens 🙂

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member
      will do , the only question being can we have more than one service entry for a single user ?
      which means can i run
      setspn -A http/blahblah.ae aduser
      setspn -A http/wahwah.ae aduser

      i had read some where that the principal should be unique ? or is that for blahblah.ae which should have only 1 principal, but 1 ad user can have many http/1.ae http/2.ae

      Apologies if i am asking really basic questions but this does have me confused...

      Regards
      Shirish Joshi

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Hi,

      yes. A single user can have multiple SPNs.

      Regards,

      Holger.

      Author's profile photo John De Baets
      John De Baets

      Hi,

      what is the starting point please for setup SPNego on  a 730 portal (no Visual Admin anymore) ?

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hi,

      can you take a look at the PDF attached to Note 1457499 (inside the ZIP files)? Maybe the steps outlined there can help.

      Also www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567 might help.

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member

      Hello Holger,

      Excellent blog. I really appreciate the effort and interest you have put in.

      We are going to implement SSO on Portal with Windows AD . Our Windows AD is 2008 R2.

      The only pre-requiste you have mentioned is to create a service user with passowrd not expiring and Enable DES Algorithm .

      Is there any other function to be active in Windows AD level. Is Kerberos Authentication etc active by default. I am not a windows expert and not sure if it comes with Windows?

      Thanks and Kind Regards,

      Jacob

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hi,

      the steps outlined in this blog are all based on the "old" SPNego login module.

      I would recommend, that you also take a look at the PDF attached to Note 1457499 (inside the ZIP files).

      This blog talks a little about it: the PDF attached to Note 1457499 (inside the ZIP files)?

      Regards,

      Holger.

      Author's profile photo Former Member
      Former Member

      Thanks Holger ...The information is really helpful

      Author's profile photo Jawad Hasan
      Jawad Hasan

      Dear Holger,

      I am desperately in need of your help, I am trying to implement spnego sso wth abap datasource by following your blog but I am struggling for two weeks without any success. I am getting checksum error token cannot be validated. Its really getting critical for me as we are approaching go live and we are not getting any help from SAP. I would really appreciate your help in this and please tell me if i can contact you by any change.

      Really really appreciate your help !!

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Dear Jawad,

      did you check the Note 1488409? It has some pretty good documentations and walkthroughs included.

      The blog above (and the related ones Part 1 Part 2) are for the "legacy SPNego" implementation. With newer released the wizard and connectivity changed a little and made it even simpler.

      Regards,

      Holger.

      Author's profile photo Ashish Kasat
      Ashish Kasat

      Hello Holger,

      Request you suggestion/assistance on below SPNego issue.

      Old AS JAVA version was NW7.01 SP6

      New AS JAVA version was NW7.01 SP18

       

      We performed JAVA SP patching so that we can upgrade our DB2 database to 10.5 version.

      During patching, we had to undeploy sap.com~spnego.cfg.wd as per SAP note#1643003.

      SSO with SPNego(UME is AS ABAP) was configured and working earlier, but after SP patching SSO is not working.

      Please suggest if I have to install SPNego addon separately as per SAP note#1457499 or do I have to generate new keytab for this.

       

      Thanks,

      Ashish

       

      Â