
Configuring SPNego with ABAP datasource

After writing three blogs about configuring and troubleshooting SPNego (Configuring and troubleshooting SPNego — Part 1, Configuring and troubleshooting SPNego — Part 2 and Configuring and troubleshooting SPNego — Part 3) I got several questions about which steps are necessary to use SPNego when your J2EE Engine uses an ABAP system as its user store.
In this blog I will try to explain just that.

In general the setup is similar to the one shown in the video for dataSourceConfiguration_DB that is attached to the SPNego Wizard.

As in “Configuring and troubleshooting SPNego — Part 1”, the first thing to do is to create a service user in the ADS (even if you are using the ABAP system as the user store for the J2EE Engine, the ADS still plays an important part: it is the Kerberos KDC that issues the tickets the engine validates).

Create a user like j2ee-SID in the ADS and make sure that the settings
* Password never expires and
* Use DES encryption types for this account
are set. (In the following screenshots I will use j2ee-hbr as the service user.) One caveat: DES is a weak cipher, and current domain controllers disable it by default, so this flag only helps where the domain still permits DES. It is a requirement of the SPNego implementation described in this blog; later SPNego implementations for AS Java also accept RC4 and AES keys and should be preferred where available. Either way, treat this account as a privileged one: whoever knows its password or holds its keytab can decrypt every service ticket issued for the portal.

Then run the setspn command to assign the ServicePrincipalName to the user. The SPN is HTTP/<host>, where <host> is the host name of the URL you use to access the J2EE Engine; all these steps are explained in detail in the first blog. Two checks are worth making here: the SPN must be registered on exactly one account (a duplicate SPN in the domain breaks Kerberos for the service), and if users reach the portal both by the short name and by the fully qualified name, register both, because the browser requests a ticket for the host name exactly as typed in the URL.

A short ldifde export shows the parameters we are going to use later:
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@dev16
servicePrincipalName: HTTP/vmw2153
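The following script is an added example (not part of the original blog) that turns the checks of the last few steps into a pre-flight test: it parses an ldifde export and verifies that the portal's SPN is registered on the service account and on no other account, that the password does not expire, that the DES flag this blog requires is set, and that the account has a userPrincipalName. The export is constructed: the three attributes of j2ee-hbr are the ones shown above; the dn, the userAccountControl values and the second account svc-web (which carries a colliding HTTP/vmw2153 SPN) are made up to exercise the checks. The portal URL is an assumption. The userAccountControl bit values are the documented Active Directory constants.

```python
"""Pre-flight check of the SPNego service account from an ldifde export (added example)."""
import base64
from urllib.parse import urlsplit

# Active Directory userAccountControl bits
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
USE_DES_KEY_ONLY = 0x200000

# Constructed export: j2ee-hbr's three attributes come from the blog; dn,
# userAccountControl and the second account svc-web are made up to exercise
# the checks (svc-web holds a duplicate HTTP/vmw2153 SPN).
SAMPLE_LDIF = """\
dn: CN=j2ee-hbr,OU=Service Accounts,DC=dev16,DC=local
changetype: add
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@dev16
servicePrincipalName: HTTP/vmw2153
userAccountControl: 2163200

dn: CN=svc-web,OU=Service Accounts,DC=dev16,DC=local
changetype: add
sAMAccountName: svc-web
userPrincipalName: svc-web@dev16
servicePrincipalName: HTTP/vmw2153
servicePrincipalName: HTTP/vmw2153.dev16.local
userAccountControl: 66048
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record (multi-valued, base64 aware)."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:          # sentinel flushes the last record
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def expected_spn(portal_url):
    """Browsers request a ticket for HTTP/<host exactly as typed in the URL>."""
    return "HTTP/" + urlsplit(portal_url).hostname


def spn_owners(entries, spn):
    """All accounts that carry the SPN (case-insensitive, as AD compares it)."""
    return [e["sAMAccountName"][0] for e in entries
            if spn.lower() in (s.lower() for s in e.get("servicePrincipalName", []))]


def check_service_account(entries, account, portal_url):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    findings = []
    entry = next((e for e in entries
                  if e.get("sAMAccountName", [""])[0].lower() == account.lower()), None)
    if entry is None:
        return [("NOT_FOUND", f"{account} is not in the export")]
    spn = expected_spn(portal_url)
    owners = spn_owners(entries, spn)
    if account.lower() not in (o.lower() for o in owners):
        findings.append(("SPN_MISSING", f"{spn} is not registered on {account}; run setspn for it"))
    if len(owners) > 1:
        findings.append(("SPN_DUPLICATE", f"{spn} is registered on {', '.join(owners)}; "
                         "a duplicate SPN breaks Kerberos for this service"))
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if not uac & DONT_EXPIRE_PASSWD:
        findings.append(("PASSWORD_EXPIRES", "'Password never expires' is not set"))
    if not uac & USE_DES_KEY_ONLY:
        findings.append(("NO_DES", "'Use DES encryption types' is not set "
                         "(required by the SPNego release this blog describes)"))
    if "@" not in entry.get("userPrincipalName", [""])[0]:
        findings.append(("NO_UPN", "no userPrincipalName; the krb5principalname mapping needs one"))
    return findings


if __name__ == "__main__":
    records = parse_ldif(SAMPLE_LDIF)
    for code, msg in check_service_account(records, "j2ee-hbr", "http://vmw2153:50000/irj/portal"):
        print(code, msg)
```

Against the constructed export the script reports the duplicate SPN on svc-web, and with an FQDN portal URL it reports that HTTP/vmw2153.dev16.local is not registered on j2ee-hbr. On a Windows Server 2008 or later administration host, setspn -X performs the duplicate search directly against the directory.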

Now, if not already done, connect the J2EE Engine to the ABAP system:


In the next screen I also used the user j2ee-hbr to connect the J2EE Engine to the ABAP system (for this I had to create this user in the ABAP system as well). You could also use a dedicated service user as described in Requirements for the System User for UME-ABAP Communication and Configuring the UME to Use an AS ABAP as Data Source. The dedicated user is the cleaner choice: reusing the Kerberos service account for the UME-ABAP connection ties the RFC communication credentials to the account whose key protects every SPNego ticket, while the communication user only needs what UME communication requires (in SAP's documentation a user of type Communication with the role SAP_BC_JSF_COMMUNICATION), not a normal dialog logon.


Now start the Config Tool and add krb5principalname as an additional UME attribute (UME property ume.admin.addattrs):


After a restart this attribute is available on all user objects in the UME. Search for your service user (j2ee-hbr, which will now be found in the ABAP system) and set its krb5principalname to the userPrincipalName of the ADS user (see above). This can be a little confusing: you now have two users called j2ee-hbr, one in the ADS and one in the ABAP system.


Now we can start the SPNego Wizard:

Make sure that krb5principalname is used for Mapping Attribute and continue: 


In the next screen make sure that the KPN Prefix is set to uniquename (the attribute defined in the ABAP dataSourceConfiguration file).


After testing the resolution mode, continue with the next step. I always prefer to create a new template and assign it later on to my ticket component:


That’s it.  


Restart the J2EE Engine and you should be done with the wizard. 


The final step is to assign the SPNego template we created to the ticket component via the Visual Administrator:


That should be it!

Now you should be able to access the portal via SPNego. If it is not working, then please have a look at the previous blogs mentioned above…

84 Comments
      Stefan Gustafsson
      Hi Holger,

      great blog series, keep 'em coming 😉

      Best,
      Stefan

      Former Member
      Hi Holger,

      I read your blog today and was glad to read it, as it covers an actual problem.

      hope 2 hear (read) from you soon,

      Mike

      Former Member
      Hello Holger,

      the OSS note regarding this configuration says to use the simple resolution mode. Here you suggest using the prefix-based one.
      Can you explain the difference, or why you recommend prefix-based?

      Anyway very good and useful blog series!
      thnx
      Renato

      Former Member
      Blog Post Author
      Hi Renato,

      "simple" will probably work as well...
      Usually I connect the J2EE Engine to an ADS, and in this case I prefer the prefix-based resolution mode. In prefix-based mode the username received is split into two parts, kpn_prefix and kpn_suffix (e.g. when the username d044410@DOMAIN is received it is split into kpn_prefix=d044410 and kpn_suffix=DOMAIN).
      Then the J2EE Engine tries to find the username d044410 in the UME. If this lookup is successful then everything is fine (and this is the same way the simple resolution mode works). If you chose prefix-based and the lookup was not successful/not unique, then the J2EE Engine uses the kpn_suffix to try a unique lookup.

      So, just an old habit: in this case you can use simple, but I prefer prefix-based...

      Regards,

      Holger.

      Former Member
      Hello,
      I noticed a very significant difference between simple and prefix-based resolution mode:

      when I used prefix-based, SPNego worked only when the ABAP user name was equal to the ADS user name.
      When I changed to simple mode, and changed from uniquename to krb5principalname, then the authorization worked for every user with a mapped ADS account name.

      Hope this helps to others who will configure spnego in future 🙂

      Former Member
      Configuring SPNego with ABAP datasource on NW CE 7.1 EHP1, SSO does not work. All required configuration steps were done already.
      Several errors appear in the log:
      ...
      Cookie MYSAPSSO2 is not found
      ...
      Login failed!
      [EXCEPTION]
      java.security.PrivilegedActionException: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
      ABORT() for auth stack
      Login Module Flag Initialize Login Commit Abort Details
      1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

      2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization

      ...
      Can anyone help me?
      Thanks

      Former Member
      Hi Holger,
      On our site the username in Active Directory will be for example paz.boaz and also the same in SAP.
      However the problem arises for users with more than 12 characters in their AD username. For example: user in AD = steinberg.micheal
      user in SAP = steinberg.mich
      This is because of SAP's 12-character limitation for usernames.

      How should I attack this problem? Aside from the option of shortening their username in AD?
      What resolution mode should I use? I heard of an option of 'manual mapping' of users from AD to ABAP, but I do not understand where this mapping fits?

      Thanks
      Boaz
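The following is an added example, not SAP's code and not part of the original post or comments: a small model of the two resolution modes as Holger describes them in his reply above (simple: the whole KPN must match one attribute; prefix-based: split the KPN at '@', look the prefix up in the KPN prefix attribute, and fall back to the suffix when that is not unique), run against a constructed in-memory user store. It reproduces the observations in this thread: with prefix-based resolution a user whose AD name is longer than the ABAP logon ID is never found, while simple resolution against krb5principalname finds them. The user records, the realm names and the attribute kpnsuffix used by the fallback are assumptions made for the example.

```python
"""Model of the SPNego KPN resolution modes discussed in this thread (added example, not SAP code)."""

# Constructed UME user store.
#   uniquename        = ABAP logon ID (at most 12 characters, case-insensitive)
#   krb5principalname = the additional attribute added through the Config Tool
#   kpnsuffix         = hypothetical attribute consulted by the prefix-based fallback
UME_USERS = [
    {"uniquename": "D044410", "krb5principalname": "d044410@DEV16", "kpnsuffix": "DEV16"},
    {"uniquename": "PAZ.BOAZ", "krb5principalname": "paz.boaz@DEV16", "kpnsuffix": "DEV16"},
    # AD name longer than an ABAP logon ID: the ABAP user was shortened to 12 characters
    {"uniquename": "STEINBERG.MI", "krb5principalname": "steinberg.micheal@DEV16", "kpnsuffix": "DEV16"},
    # Two accounts sharing a prefix in different realms (constructed; only possible when
    # the prefix attribute is not the unique logon ID) to exercise the suffix fallback
    {"uniquename": "JDOE", "krb5principalname": "jdoe@DEV16", "kpnsuffix": "DEV16"},
    {"uniquename": "JDOE", "krb5principalname": "jdoe@QA16", "kpnsuffix": "QA16"},
]


def _same(a, b):
    """Case-insensitive comparison; a missing attribute never matches."""
    return a is not None and b is not None and a.lower() == b.lower()


def split_kpn(kpn):
    """'d044410@DEV16' -> ('d044410', 'DEV16'); a KPN without a realm gets an empty suffix."""
    prefix, at, suffix = kpn.rpartition("@")
    return (prefix, suffix) if at else (kpn, "")


def resolve_simple(kpn, users, attr="krb5principalname"):
    """Simple mode: the complete KPN must equal `attr` of exactly one user."""
    hits = [u for u in users if _same(u.get(attr), kpn)]
    return hits[0] if len(hits) == 1 else None


def resolve_prefix_based(kpn, users, prefix_attr="uniquename", suffix_attr="kpnsuffix"):
    """Prefix-based mode: look up the KPN prefix; if that is not unique, narrow by the suffix."""
    prefix, suffix = split_kpn(kpn)
    hits = [u for u in users if _same(u.get(prefix_attr), prefix)]
    if len(hits) != 1:
        hits = [u for u in hits if _same(u.get(suffix_attr), suffix)]
    return hits[0] if len(hits) == 1 else None


def resolve(kpn, users, mode):
    """Dispatch on the wizard's resolution mode; returns the user record or None."""
    if mode == "simple":
        return resolve_simple(kpn, users)
    if mode == "prefix-based":
        return resolve_prefix_based(kpn, users)
    raise ValueError(f"unknown resolution mode {mode!r}")


if __name__ == "__main__":
    for kpn in ("d044410@DEV16", "steinberg.micheal@DEV16", "jdoe@QA16"):
        for mode in ("simple", "prefix-based"):
            user = resolve(kpn, UME_USERS, mode)
            print(f"{kpn:26} {mode:13} -> {user['uniquename'] if user else 'no unique match'}")
```

Run as a script it shows steinberg.micheal@DEV16 resolving only in simple mode, which is the behaviour reported in the comments: when the ABAP logon ID cannot equal the AD name, the mapping has to live in krb5principalname (or another attribute that holds the full KPN) rather than in the logon ID.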

      Former Member
      Hi Boaz

      I am also struggling with long usernames in AD when using prefix-based resolution mode.

      Did you manage to get a solution for your problem?

      thanks

      Dawid

      Eric Poellinger
      Hello Dawid - what did you end up doing?
      Eric Poellinger
      Hello Boaz - I was curious if you ever decided on an approach for the 12 character limitation? 

      I saw an earlier post to match based on email address which does not have the limitation but have not tried it yet!

      SANDRO COCO
      Hi Holger,

      I am following your instructions, but even though I am able to see krb5principalname in useradmin after restarting J2EE, it is missing in the SPNego wizard.
      Did I miss something?

      Thank you very much!
      Kind regards
      Sandro

      SANDRO COCO
      Sorry I try to explain myself better... what I miss is the field "mapping attribute" in first SPNego wizard step, so I cannot put krb5principalname there.

      Many thanks
      Sandro

      Former Member
      Blog Post Author
      Hi Sandro,

      I will contact you via email. Maybe we can solve this offline.

      Regards,

      Holger.

      Former Member
      Hello Holger,

      I am having the same problem as Sandro.

      If you have a solution for Sandro I would like to know it.
      My email is boaz.paz@hp.com

      Thanks
      Boaz

      Former Member
      Blog Post Author
      Hi,

      just a quick update from my side. From NetWeaver 7.0 SPS 14 on the field "mapping attribute" in the first Wizard screen is no longer available -- but this is fine. You don't need it.

      Regards,

      Holger.

      Former Member
      Hi Mr Holger,

      I have tried to follow this blog, which is very simple and useful.

      But I have come across an issue which I am not getting a clue about.

      Could you please have a look at my post

      SPNEgo with UME-ABAP.

      Former Member
      Hello Holger,

      I have the same problem as Sandro.

      If you have a solution, please can you explain it.

      kind regards and thank you,
      my email: Martina_amrein@web.de

      Former Member
      Blog Post Author
      Hi Martina,

      sorry for the long delay. Please make sure that you have deployed the files sap.com~tc~sec~auth~jmx~ear.ear and sap.com~tc~sec~auth~spnego~wizard.ear from the SPNego wizard. Also make sure that the additional attribute is set in the Config Tool.
      I just checked this on a newly installed J2EE 7.0 SP9 and it worked without problems.

      Regards,

      Holger.

      HP Administrator
      My current setup is an ABAP+Java stack using ABAP as my datasource. While configuring SPNego I get stuck with the XML file upload. Though I have "dataSourceConfiguration_ads_readonly_db_with_krb5.xml" as my additional XML file and uploaded it in UME LDAP Data (Configtool), I still don't see a selectable drop-down in the "Configuration File" list.

      Do I miss something here?

      Former Member
      Blog Post Author
      Hi,

      currently you are using the dataSourceConfiguration_ABAP, right? Then there is no supported way to switch to _ADS_read_only. But you do not have to switch to another datasource if you want to use SPNego. Just follow the blog above and use _ABAP.

      Hope this helps,

      Holger.

      Former Member
      Very nice blog, it's very useful.

      We have EP 7.0 with ABAP+Java and we followed the suggestions in the blog and it seems to be working, but I have some questions:

      Please, what is the final advantage of using the SPNego Wizard in an ABAP+Java scenario with an ABAP userstore?

      I mean, if we start from an ABAP+JAVA instance with an ABAP datasource and we are aware now that it cannot be changed, the logon to the EP is always done via users created and managed in the ABAP stack. That also when using the SPNego wizard.

      At the end we have to continue anyway to create and manage users in the ABAP stack.

      I'm not very expert in this problem, probably I miss something.

      regards

      Former Member
      Blog Post Author
      Hi Roberto,

      I agree. When there is no real reason to connect the portal to an ABAP system I personally would also not use the ABAP userstore, but choose any other. That way you are much more flexible.
      However, there can be situations where the usage of ABAP+Java is already given and you still want to use SPNego.

      Hope this helps,

      Holger.

      Former Member

      The overview is great and extremely helpful.

      Former Member
      Blog Post Author

      Hi Eric,

      Former Member

      Holger,
      I hate to post this whole output, but maybe it will help you to see my issue... and help any others that may have a similar issue.

      Web Diagtool Version : 1.17

      Start Time: 2008/11/13 10:43:26

      --
      Selected Locations: {com.sap.engine.services.security.authentication=ALL, com.sap.security.core.ticket=ALL}
      Set Severity For Selected Locations: All
      Set Severity For All Other Locations: Error
      Get Traces From Other Locations: true
      Maximum number of collected records: 50000

      SAP System Name: <SID>
      Server Version: 700
      SP Level: 16

      Canonical Host Name: <localhost>.domain.com
      Host: <localhost>
      IP: .....28
      Operating system name: Windows 2003
      Java Runtime Environment version: 1.4.2_13
      Java Runtime Environment vendor: Sun Microsystems Inc.

      Link to the Traces

      login.modules:

      ume.properties:

      --
      Time Severity User Thread Location Message
      10:43:33:011 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d)
      10:43:33:011 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser no user in session, relogin
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:, javax.security.auth.login.LoginContext$SecureCallbackHandler@29731812)
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@43315b00
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@5d4d7f76
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true})
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@aeb4bd5
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@5dbf928c
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true})
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@4c2e5569
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@75e98791
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=
      10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=
      10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: .
      10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:042 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@7bc8aeaf
      10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@3444a2a6
      10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=
      10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true})
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@6125b19
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@1f1ac96c
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true})
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@179de168
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@7e397ef4
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=
      10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: .
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 tication.programmatic.forceLoggedInUser invokedURL=/webdynpro/dispatcher/sap.com/tclmwebadminmainframe~wd/WebAdminApp
      10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser forceLoggedInUser(): Redirecting to: /logon/logonServlet?redirectURL=%2Fwebdynpro%2Fdispatcher%2Fsap.com%2Ftc%7Elm%7Ewebadmin%7Emainframe%7Ewd%2FWebAdminApp
      10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser Exiting method
      10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~thentication.logonapplication.initBeans LogonLocaleBean and LogonMessageBean created
      10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~thentication.logonapplication.initBeans LanguagesBean created
      10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~ication.logonapplication.executeRequest No command found, forwarding to umLogonPage
      10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d)
      10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~entication.programmatic.getLoggedInUser no user in session, relogin
      10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:, javax.security.auth.login.LoginContext$SecureCallbackHandler@4b763dd2)
      10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@3fd4ccb2
      10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@2bcadadb
      10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=
      10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true})
      10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@12e67653
      10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@58624cd6
      10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=
      10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true})
      10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]},
      10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got ume.configuration.active:
      10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@1da2a2ef
      10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method
      10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@2077081c
      10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=
      10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=
      10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: .
      10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~on.loginmodule.s

      Former Member
      Blog Post Author
      Hi Eric,

      usually a forum would be a better place to post such long logs.

      Did you set the krb5principalname for all the users you wanted to log on?

      Regards,

      Holger.

      Former Member

      Holger,

      Former Member
      Blog Post Author
      Hi Eric,

      can you send me an email so we can discuss this that way? I guess this will be easier than using the comment section of this blog...

      Regards,

      Holger.

      Former Member
      Hi Holger,

      Thanks a lot for this wonderful blog. I have used it and it is working fine (data source = ABAP, resolution mode = simple).

      One query: Is it possible to map the UME custom attribute krb5principalname to the ABAP user's email field? This way, I think I can populate krb5principalname automatically while creating / modifying users in ABAP.

      Thanks in advance!
      Shaji

      Former Member
      Blog Post Author
      Hi,

      yes, this will work. If you do not need the email in your ABAP system this is a very nice way of getting the krb5principalnames to your ABAP users.

      If you want more details, please have a look at the following whitepaper: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/portal-and-collaboration/search/federated%20search%20between%20sap%20netweaver%20enterprise%20search%20and%20microsoft%20search%20server%202008.pdf (page 8).
      Just enter "email" for the KPN in the SPNego Wizard.

      Regards,
      Holger.

      Former Member
      Thanks Holger,

      Just to re-phrase my query:  While creating ABAP user-ids, the email field is populated with user's email address, which is used in the ABAP system for mailing.

      As the email field is the krb5principalname as well, I would like to know whether I can map this to krb5principalname, so that the field krb5principalname is populated automatically, just by entering the email field while creating the ABAP user-id.

      PS: I am unable to access the mentioned pdf document. Can you kindly post the link again please?

      Thanks a lot, and best regards,
      Shaji

      Former Member
      Thanks again!

      Managed to download the pdf and it was exactly what I was looking for. Great!

      Thanks and best regards,
      Shaji

      Former Member
      Very nice blog, it's very useful.

      Our current setup is NW2004s(SP16)- Dual Stack(ABAP+JAVA) and by default we are using ABAP as our UME datasource.

      I have downloaded SPNegoWizard_645.zip file from the Note: 994791 and I uploaded this "dataSourceConfiguration_ads_readonly_db_with_krb5.xml" as my additional xml file into UME persistence using (Configtool), and tested successfully with connection and authentication test. Once the J2ee engine was restarted, I get stuck with an Error Report as: "503   Service Unavailable";"Message: Dispatcher running but no server connected!"

      Could you please have a look at my post

      /thread/1228018 [original link is broken]

      Please help and advise me.

      Awaiting your favorable response.

      Kind regards,
      Vijay

      Former Member
      Hi,

      As shown in the screenshot and also in the spnego avi files in the wizard, I could not find the krb5principalname while creating the ABAP user through useradmin. I am using EP7?
      Is there any other setting?

      Former Member
      Blog Post Author
      You are right (I guess you mean the screenshot here Step 1 of 5). With the new version of the Wizard the dialog changed a little.
      Can you search for "Federated Search between SAP NetWeaver Enterprise Search and Microsoft Search Server 2008" and take a look at this document. On page 8 we describe how to map the KPN to the email field of ABAP (you basically do this now in Step 3). Here you could also enter the krb5principalname.
      Hope this helps,
      Holger.

      Former Member
      I am planning to implement SPNego with ABAP UME for my customer and have already checked the steps mentioned in your weblog:
      Also the following link on SAP Help mentions that you can configure SPNego with ABAP UME:

      http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm

      Please let me know if this solution would work in case the user ids in the AD and the ABAP systems are the same? Generally, a user will not be able to authenticate on to the portal if the UME is connected to two different user data sources and both the datasources contain the same id.

      Does this blog resolve the issue pertaining to duplicate user ids? Has anyone implemented this scenario?

      Thanks in advance,
      Vibhu

      Former Member
      Hi Friends,

      I need to integrate the BI portal with Microsoft Active Directory service, so that users can log in to the BI Portal with ADS authentication.

      Please provide me the steps need to configure, and any related documents on said subject.

      Appreciate your help.

      Thanks in advance.

      Regards,

      Venkat

      Former Member
      Blog Post Author
      Hi,

      is your BI portal connected to the ABAP datasource? Then follow this blog (and the one that will be hopefully released soon).
      If your datasource is already connected to the ADS or to the database, please follow Configuring and troubleshooting SPNego -- Part 1

      Regards,

      Holger.

      Carlos Suaza
      Hi Holger,

      I am trying to configure LDAP authentication with Windows Active Directory for SAP Enterprise Portal, on UME with dataSourceConfiguration_abap.xml (ABAP datasource), but the LDAP tab is not visible or enabled. How can I make this tab visible or enabled to continue with this configuration?

      Thanks for your help.

      Carlos

      Former Member
      Blog Post Author
      Hi Carlos,

      once you are on dataSourceConfiguration_abap there is no way back to connect the J2EE directly to an ADS (see Note 718383 - NetWeaver: Supported UME Data Sources and Change Options).
      But depending on the userIDs connecting the ADS might not be necessary. Please also have a look at Configuring SPNego with ABAP datasource -- Part 2

      Regards,

      Holger.

      Renato Moltrasio
      Hello Holger,

      I configured SPNEGO successfully in my system. Now, after a system copy of that system, I need to remove SPNEGO. Can you please tell me how this can be done? (an OSS note, a guide....)

      Thanks in Advance
      Renato

      Former Member
      Blog Post Author

      Hi,

      Renato Moltrasio
      Hello Holger,

      thank you very much for your reply.
      It works.

      Bye
      Renato

      Former Member
      Hello Holger,

      I configured SPNEGO successfully in a double-stack system. The SAPJSF user is used to connect the J2EE to the ABAP system. Additionally, I created a user like j2ee-SID in the ADS and set the krb5principalname UME attribute of the SAPJSF user to this ADS user. As SNC is enabled in the ABAP system, we are using SNC between Java and ABAP as well. We are having problems with the Java/ABAP communication when the TGT is expired.

      Can you please tell me how to make the j2ee engine to get the TGTs automatically (instead of getting it from the credential cache file) when the SNC is enabled in the ABAP backend?

      Thanks in advance
      Kind regards
      Hugo

      Former Member
      Blog Post Author
      Hi Hugo,

      are you sure this is SNC related?
      If you are talking about the client tickets, this might be an issue with a missing KB (KB899587, see also Note 934138).
      Did you check the J2EE logs when it is working, and when not?

      Regards,

      Holger.

      Former Member

      Hi Holger,

      [Thr 62721] *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI

      Hugo

      Former Member
      Blog Post Author
      Hi Hugo,

      in order to investigate I need some more information/logs. I tried to find your email, but I couldn't.
      Can you please contact me so that I can follow up?

      Thanks,
      Holger.

      Former Member
      Hi,

      When I try to log on to the portal, a popup appears where I have to enter the user and password, and afterwards I have to log on again in the portal.

      I did a trace with diagtool, and this error appears:
      Credentials for realm KMC.LOCAL successfully acquired: j2ee-DM2@KMC.LOCAL
      Access Denied - responseHeader is NULL
      Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.

      What happened?

      Thanks in advance,
      Regards

      Former Member
      Blog Post Author
      Hi,
      I am not sure if this is the issue. Can you take another look at the trace and see if you find something else (some other errors).

      Regards,

      Holger.

      Former Member

      Hi,

      Thanks for the answer, I cannot find another important error...

      I attach a part of the trace:

      The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: {ume.configuration.active=true, system=DM2, client=000, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=8, keystore=TicketKeystore, password=}.
      The options of CreateTicketLoginModule in authentication stack after adding the default values are: {ume.configuration.active=true, system=DM2, client=000, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=8, keystore=TicketKeystore, password=}.
      Exiting method
      Entering method
      Received no SAPLogonTicket. Authentication stack: .

      Former Member
      I see this error:

      Clock skew too great (37)

      In this blog appear:
      This means that the time difference between the Client and the Server is too great (there is a default time difference for Kerberos which is usually about 5 minutes). Please check the time of both client and server. You can also try to issue a

      net time /set /domain

      on the client (and on the server). It will synchronize the time of the client with the one on the domain.

      But on the server I don't have access; the error "Access is denied" appears.

      How can I avoid it?

      Thanks in advance,
      Regards,

      Former Member
      Blog Post Author
      Hi,

      well apparently the clocks are not correct. On Windows machines you can run the net time command -- but you have to have permissions to set the time (can you do it manually?).
      I would recommend to run a NTP service (or some similar service to synchronize the times).
      Once they are the same this issue should be resolved.

      Regards,

      Holger.

      Former Member
      Hi,

      I can modify the time manually in the clock of the Windows menu bar; now the two machines have the same time (except the seconds), but the same error appears... Is it necessary to synchronize with net time?

      Thanks in advance,
      Regards,

      Florian Lusch

      finally got the log:

      Former Member
      Hi,

      Lots of thanks; finally I can do SSO.

      The problem was the time; I was able to sync.

      Thanks,
      Regards,

      Florian Lusch
      Hello Holger,

      I got a problem with configuring SSO in SAP BI 7.0 (dual stack, connected to ABAP datasource).

      I followed your instructions till the end.
      Test resolution works fine.

      But when I open the portal URL, I get the logon mask. No SSO, no error.

      Maybe you got some hints (logs for example), where I can search for the error?

      Best regards,
      Florian

      Florian Lusch
      YATT trace:

      ------
      HTTP/1.1 401 Unauthorized
      Server: SAP J2EE Engine/7.00
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
      Content-Language: de-DE
      expires: 0
      Content-Encoding: gzip
      Date: Mon, 02 Aug 2010 11:42:10 GMT
      Set-Cookie: saplb_*=(SRVA085_BWT_00)4424850; Version=1; Path=/
      Set-Cookie: PortalAlias=portal; Path=/
      Set-Cookie: JSESSIONID=(SRVA085_BWT_00)ID1206139550DB329bdf23b2611714efcf9111a6e5e8bf766be6d0End; Version=1; Domain=.lossburg.arburg.com; Path=/

      a

      -------

      GET /irj/portal HTTP/1.1
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
      Accept-Language: de-DE,en-US;q=0.5
      UA-CPU: x86
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; .NET CLR 3.5.21022)
      Host: sapbwt.lossburg.arburg.com:50000
      Connection: Keep-Alive
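      The 401 in the trace above is what SPNego troubleshooting usually hinges on: per RFC 4559 the Negotiate handshake only starts when the server's 401 carries a WWW-Authenticate: Negotiate header, otherwise the browser never sends a Kerberos token and just shows the logon form. The following is an added example, not code from the blog or from SAP, that parses a captured response head like the one above and reports whether that challenge is present; the sample responses, cookie and token are constructed placeholders.

```python
"""Check an HTTP response head for the SPNego (Negotiate) challenge.

Added troubleshooting example; not code from the blog or from SAP.
RFC 4559: the Negotiate handshake starts only when the server answers
401 with a "WWW-Authenticate: Negotiate" header.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ChallengeReport:
    status: int
    www_authenticate: List[str]  # every WWW-Authenticate value, in order
    offers_negotiate: bool       # True if any value uses the Negotiate scheme
    negotiate_token: str         # token after "Negotiate ", "" when absent


def parse_response_head(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw response into (status code, [(lower-case name, value)])."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        if line[0] in " \t" and headers:  # obsolete line folding
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers


def check_negotiate_challenge(raw: str) -> ChallengeReport:
    """Report whether the response offers Negotiate and any token it carries."""
    status, headers = parse_response_head(raw)
    auth = [v for n, v in headers if n == "www-authenticate"]
    offers, token = False, ""
    for value in auth:
        scheme, _, rest = value.partition(" ")
        if scheme.lower() == "negotiate":
            offers = True
            token = rest.strip()
    return ChallengeReport(status, auth, offers, token)


def diagnose(raw: str) -> str:
    """One-line reading of the response for an SPNego troubleshooter."""
    r = check_negotiate_challenge(raw)
    if r.status != 401:
        return f"{r.status}: no authentication challenge in this response"
    if not r.offers_negotiate:
        return ("401 without WWW-Authenticate: Negotiate: the server issued no "
                "SPNego challenge, so the browser falls back to the logon form")
    if r.negotiate_token:
        return ("401 with a Negotiate token: the server answered with its own "
                "token but did not accept the client's; check the server log")
    return ("401 with Negotiate challenge: server side is challenging; "
            "check the client (Kerberos ticket, clock skew, SPN)")


# Constructed samples (placeholder cookie and token), not real traffic.
SAMPLE_NO_CHALLENGE = "\r\n".join([
    "HTTP/1.1 401 Unauthorized",
    "Server: SAP J2EE Engine/7.00",
    "Transfer-Encoding: chunked",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: JSESSIONID=constructed; Version=1; Path=/",
    "", "",
])
SAMPLE_CHALLENGE = "\r\n".join([
    "HTTP/1.1 401 Unauthorized",
    "Server: SAP J2EE Engine/7.00",
    "WWW-Authenticate: Negotiate",
    'WWW-Authenticate: Basic realm="portal"',
    "Content-Type: text/html; charset=UTF-8",
    "", "",
])
SAMPLE_REJECTED = "\r\n".join([
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: Negotiate Q09OU1RSVUNURUQ=",  # base64 of "CONSTRUCTED"
    "", "",
])
```

      Paste the response head from a YATT or browser trace into check_negotiate_challenge() or diagnose(); a 401 without the Negotiate value means the problem is on the server side (authentication stack), not with the client's Kerberos ticket.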

      Former Member
      Blog Post Author
      Hi,

      can you take a look at the diagtool trace like mentioned here: Configuring and troubleshooting SPNego -- Part 3

      From these logs you should be able to narrow down the problem a little.

      Regards,

      Holger.

      Florian Lusch
      Thanks.

      I started the diagtool the following way:

      go.bat conf\spnego.conf D:\usr\sap\BWT\DVEBMGS00\j2ee\configtool

      It shows me version, host etc., then it crashes.

      java.lang.reflect.InvocationTargetException
      ...
      Caused by: java.lang.Error: getenv no longer supported, use properties and -D instead: debug

      Former Member
      Blog Post Author
      Hi,

      can you please use the WebDiagtool as explained in the blog?
      It's newer and better 🙂

      Thanks,

      Holger.

      Florian Lusch

      finally got the log.

      Former Member
      Blog Post Author
      Can you send me an email, so that we can work on this offline. Reading logs here in the comments is not really working...

      Regards,

      Holger.

      Former Member
      Hi Holger,

      Nice blog. We have a different scenario and thought we would ask for a suggestion from you. The UME for our Java is ABAP, and the user IDs in ABAP are different from the LDAP user IDs. Our plan is to populate one of the user fields with their LDAP user IDs and achieve SPNego. Can you please suggest any steps for how this mapping can be achieved?

      Former Member
      Blog Post Author
      Hi,

      if I understand you correctly, you want to populate some field in the ABAP system. If that is the case I would recommend that you take a look at the new SPNEGO Login module (you should do that anyway..., New SPNego login module - just around the corner, https://service.sap.com/sap/support/notes/1457499). Then you can populate the Logon Alias with the LDAP user IDs.
      Other options are also explained in my blog http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/13265 [original link is broken].

      Hope this helps!

      Regards,

      Holger.

      Former Member
      That was spot on for us. Thank you. There is one more request: do we still need to do the LDAP configuration setting when our UME source is ABAP, as this is greyed out?

      Former Member
      Blog Post Author
      Hi,
      in the UME you do not have to do any LDAP configuration. But you will have to provide the REALM information during the SPNEGO Configuration -- but that is it.

      Regards,

      Holger.

      Former Member
      Hi Holger
      This is probably independent of SPNEGO but I will mention it anyway as it is one of the config steps in your blog.

      I have added the custom UME attribute 'krb5principalname' but it is not visible on the user profile in the portal. What I have noticed is that after entering the attribute it only appears under 'Local Properties' whilst 'Custom Value' still reads blank.

      Thanks, Vipul

      Former Member
      Hi Holger
      I have got this resolved. I needed to change the global attribute, from the screenshots it appeared to be instance attribute.

      I have got another question now - the first screen of the SPNEGO wizard is not displaying 'mapping attribute'.

      cheers, vipul

      Former Member
      Blog Post Author
      Hi Vipul,

      that is probably because this setting is now moved to a different screen later on.
      So don't worry about that now...

      Regards,

      Holger.

      Former Member
      Thanks Holger
      I realised later that there was no need to create 'krb5principalname' attribute as we keep abap users in sync with ADS users. So in 4/5 screen name resolution worked fine based on 'uniqueattribute'.

      However, after assigning template to ticket component in VA and restart of the cluster, SSO has not worked.

      I will look at blog Configuring and troubleshooting SPNego -- Part 3 and see how it goes.

      Regards
      Vipul

      Former Member
      Hi Holger - firstly many many thanks for the SPNego blogs - extremely helpful.
      I have configured a JAVA system (DP1) which already uses the UME on the associated ABAP system (D01) to use authentication from our ADS, as per your instructions, and I can log on without entering id or password and see the kerberos ticket being issued and all works well.
      The problem comes when the (ABAP\JAVA) user has to change their SAP password - then the standard Logon Credentials are requested, asking for the user to change their SAP password. I thought that the authentication came from the ADS and so the user would not be required to change their SAP password? Or have I configured something incorrectly?
      FYI - I am using the new spnego2 wizard for the configuration and have configured the Mapping Mode with "principal only" as the user names are identical in ADS and SAP.
      Regards
      Phil
      Former Member
      Blog Post Author
      Hi,

      thanks!

      Can you take a look at the parameter ume.logon.force_password_change_on_sso (see http://help.sap.com/saphelp_nw70/helpdata/EN/52/4c6c3e58d0d064e10000000a114084/frameset.htm)
      If you set this to false users should not be required to change their password anymore.

      Regards,

      Holger.

      Former Member
      Hi Holger - WOW, how quick was that!! That's it fixed, many thanks.
      One further question, if you don't mind - I was attempting to use the ?spnego=disabled switch after the URL of the portal, in order to bring up the standard logon, but I cannot get it to work on I.E.8, however it appears to work fine on Firefox 3.6. Any idea which browser it was tested on, or why it might not work on I.E.8?
      Former Member
      Hi Phil/Holger,
      what was the solution for the password expiry? We have the same issue.
      thanks,
      Moti
      Former Member
      Hi Moti,

      if you are referring to the SAP password expiring when we expected them to use the ADS password, you need to set ume.logon.force_password_change_on_sso as Holger stated.
      However, if you are referring to the I.E. issues, these are not directly resolvable as it is a "feature" of I.E. - see note "1159129 Password reset not possible in SPNego scenario".
      Please mail me if you need any further help (phil underscore jones at biscuits dot com).
      Regards
      Phil

      Former Member
      Hi Holger,
      As you have been so helpful previously I was hoping you could help with a new issue:
      We have just implemented SSO for our Portal (which is connected to the UME in the backend ABAP ECC system) using spnego2 wizard.
      We have a mixed client base with some PC's in the AD and some not in AD, so some PC's can use SSO to logon and some default to standard Portal logon.
      The PC's in the AD use SSO successfully and have no issues.
      The PC's NOT in the AD have no issues until their SAP password expires. When their SAP password expires, the logon fails but issues no message and does not ask for the password to be changed. Once the initial password is set (within the ECC system) they still cannot logon, as the logon does not ask them to change their password from this initial password.
      We have tried setting the "ume.logon.force_password_change_on_sso" to both false and true and it appears to make no difference to the logon on the non-AD PC's.
      How can we get the NON-AD (NON-SSO) clients to still receive a password change request?
      Hope this makes sense and you can help,
      Regards,
      Phil Jones
      Former Member
      Hi,

      Thanks for a very nice blog. I have a very strange error during the SPNego Wizard, I hope you have some ideas.
      We have ABAP+Java System on one host - Unix (AIX). User Data source for Portal is ABAP.
      We already configured Kerberos SSO to allow SAP Logon without password. SSO via SAP Logon Ticket between Portal and ABAP is also already configured.
      Now I am trying to configure spnego for Portal Login.
      The service user in ADS is created; I hope I can use one service user for the ABAP part and the Portal part.
      The last (5th) confirmation screen ends with an error - "Failed to create keytab file". The "Show Logs" button shows only one error -

      Error saving SPNego configuration due to: java.lang.Exception: Realm must be in uppercase.

      com.sap.engine.services.security.jmx.spnego.impl.SPNegoConfigurationManagerImpl
      sap.com/tc~wd~dispwda

      But Realm on this confirmation screen IS in uppercase. Do you have ideas where this realm can be written in wrong case? I didn't find any parameter in Config tool regarding realm name. Is it possible to manually run this command for creating keytab file?

      Thanks,
      Ilgvars

      D Q
      Hi Holger,

      Very helpful post!!

      We are currently working in providing transport layer security (SSL) to Spnego. Is there any guide which describes the required steps to accomplish this?

      Our UME use ABAP DB as a datasource btw.

      Thanks in advance.

      Regards

      Andrea Muñoz Bazan

      Hi

      I want to know if it is possible to configure SPNEGO with two different ADs. For example, I have a Portal system with ABAP UME; now the customer wants users from its company and from another (2 different Active Directories) to log on automatically to the portal without being asked again for user and password.

      Is this configuration possible?

      Also Portal system is 7.0 SP23 I guess this configuration is for lower versions.

      Regards

      Andy,

      Former Member

      Hi, did you get a response about how to use SPNEGO with ABAP source using multiple domains? I am using ABAP source and now I have two domains. I would like to know how to set it up.

      Thanks,

      Andrea Muñoz Bazan

      Hi, yes

      this is the procedure

      1. Your sap portal has to be in domain A (this your domain)
      2. Set a trust relationship between domain A and domain B (target domain) (this is necessary because it lets the Kerberos ticket travel between different domains)
      3. In domain B (Active Directory) set your user for SPNEGO (execute the SPN commands as the guide tells)
      4. Then in Portal go to the spnego link and configure the access to domain B and also customize your authentication stack (there is a guide for SPNEGO configuration, it's very helpful)
      5. In the user mapping for domain B you have to set the attribute for matching your user from the ABAP source with the user from Active Directory in domain B; I worked with the email attribute.
      Keep in mind the policy passwords for users are from your abap source.
      Which version of Portal do you have?

      If you any doubt you can contact me, this is my skype account andygio87

      This works for me.

      Former Member

      Hello Sir,

      We've been implementing this on our site but we get no results.

      I've followed all mentioned steps but, UME can't use ADS users to authenticate (Can do using ABAP ones).

      In our case we don't have ABAP users identical to ADS ones.

      Please, advise if any further more steps are needed to be followed.

      Thanks in advances.

      Roberto Mariani

      Hi Holger

      please SPNEGO can be used in case of a scenario Windows 2012 / Netweaver Java 701 or Netweaver 740 , both with ABAP UME ?

      Which j2sdk should be used  on Win 2012 ?

      Regards and thanks in advance