Skip to Content

After writing three blogs about configuring and troubleshooting SPNego (Configuring and troubleshooting SPNego — Part 1, Configuring and troubleshooting SPNego — Part 2 and Configuring and troubleshooting SPNego — Part 3) I got several questions about what steps are necessary to use SPNego if your J2EE Engine is connected to an ABAP backend.
In this blog I will try to explain just that.

In general the setup is similar to the one mentioned in the video for dataSourceConfiguration_DB attached to the SPNego Wizard.

As in “Configuring and troubleshooting SPNego — Part 1 the first thing to do is to create a service user in the ADS (even if you are using the ABAP System as the userstore for the J2EE Engine, the ADS still plays an important part).

Create a user like j2ee-SID in the ADS and make sure that the settings
* Password never expires and
* Use DES encryption types for this account
are set. (in the following screenshots I will use j2ee-hbr as the service-user.)

Then run the setspn command to assign the ServicePrincipalName to the user. (this was the URL that you use to access the J2EE Engine — all these steps are explained in detail in the first blog).

A short ldifde reveals some important parameters that we are going to use later:
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@dev16
servicePrincipalName: HTTP/vmw2153

Now, if not already done connect the J2EE to the ABAP System:

image

In the next screen I also used the user j2ee-hbr to connect the J2EE to the ABAP system (for this I had to created this user in the ABAP system as well). You could also use a service user as mentioned here (Requirements for the System User for UME-ABAP Communication  and here Configuring the UME to Use an AS ABAP as Data Source)

image

Now start the configtool and add the krb5principalname as an additional ume attribute

image

After a restart this property will be available to all user objects in the UME. Search for your service user (j2ee-hbr, which will now be found in the ABAP system) and set the krb5principalname to the same name as the userPrincipalName of the ADS user (see above) [this can be a little confusing: you now have two users j2ee-hbr. One in the ADS and one in the ABAP system]

image

Now we can start the SPNego Wizard:
 
 

image

Make sure that krb5principalname is used for Mapping Attribute and continue: 

image

In the next screen make sure that the KPN Prefix is set to uniquename (which is defined in the ABAP dataSourceConfiguration file.) 

image

After testing the resolution mode continue with the next step. I always prefer to create a new template and assign this template later on to my ticket component:

image

That’s it.  

image

Restart the J2EE Engine and you should be done with the wizard. 

image

Now the final step left is to assign the spnego template we created to the ticket component via the Visual Administrator:

image

That should be it!

Now you should be able to access the portal via SPNego. If it is not working, then please have a look at the previous blogs mentioned above…

To report this post you need to login first.

84 Comments

You must be Logged on to comment or reply to a post.

  1. Former Member
    Hello Holger,

    in the oss note regarding this configuration it is told to use simple resolution mode. Here you suggest to use prefix based one.
    Can you explain the difference or why you write to use prefix based?

    Anyway very good and useful blog series!
    thnx
    Renato

    (0) 
    1. Former Member Post author
      Hi Renato,

      “simple” will probably work as well…
      Usually I connect the J2EE Engine to an ADS and in this case I prefer the prefix based resolution mode. In prefix-based mode the username received is split up in two parts: kpn_prefix and kpn_suffix (e.g. when the username d044410@DOMAIN is received it is split in kpnprefix=d044410 and kpnsuffix=domain).
      Then the J2EE Engine tries to find the username d044410 in the UME. If this lookup is successful then everything is fine (and this is the same way as the simple resolution mode would work). If you chose prefix-based — and the lookup was not successful/not unique — then the J2EE Engine uses the kpn_suffix to try a unique lookup.

      So, just old habit: in this case you can use simple, but I prefer prefix-based…

      Regards,

      Holger.

      (0) 
      1. Former Member
        Hello
        I noticed very significant difference between Simple and prefix-based resolution mode:

        when i used prefix-based, SPNego worked only when ABAP user name was equal to ADS user name.
        When i changed to simple mode, and changed from uniquename to krb5principalname, then the authorization worked for every user with mapped ADS account name.

        Hope this helps to others who will configure spnego in future πŸ™‚

        (0) 
        1. Former Member
          Configuring SPNego with ABAP datasource on NW CE 7.1 EHP1 we SSO does not work. All required configration steps were done already.
          Several errors appers in log>

          Cookie MYSAPSSO2 is not found

          Login failed!
          [EXCEPTION]
          java.security.PrivilegedActionException: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
          ABORT() for auth stack
          Login Module Flag Initialize Login Commit Abort Details
          1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

          2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization


          <<br/>Can anyone help me?
          Thanks

          (0) 
  2. Former Member
    Hi Holger,
    On our site the username in Active Directory will be for example paz.boaz and also the same in SAP.
    However the problem arises for users with more then 12 characters in their AD username. For example: User in AD  = steinberg.micheal 
             User in SAP = steinberg.mich
    This because of SAP 12 character limitation for username.

    How should I attack this problem? Aside from the option of shortening their userrname in AD?
    What resolution mode should I use? I heard of an option of ‘manual mapping’ of users from AD to ABAP but I do not understand where this mapping fits?

    Thanks
    Boaz

    (0) 
    1. Former Member
      Hi Boaz

      I am also struggling with long usernames in AD when using prefixedbased resolution mode.

      Did you manage to get a solution for your problem?

      thanks

      Dawid

      (0) 
    2. Eric Poellinger
      Hello Boaz – I was curious if you ever decided on an approach for the 12 character limitation? 

      I saw an earlier post to match based on email address which does not have the limitation but have not tried it yet!

      (0) 
  3. SANDRO COCO
    Hi Holger,

    I am followind your instructions but even if I am able to see krb5principalname in useradmin after restarting J2EE, it is missing in SPNego wizard.
    Do I miss something?

    Thank you very much!
    Kind regards
    Sandro

    (0) 
    1. SANDRO COCO
      Sorry I try to explain myself better… what I miss is the field “mapping attribute” in first SPNego wizard step, so I cannot put krb5principalname there.

      Many thanks
      Sandro

      (0) 
          1. Former Member Post author
            Hi,

            just a quick update from my side. From NetWeaver 7.0 SPS 14 on the field “mapping attribute” in the first Wizard screen is no longer available — but this is fine. You don’t need it.

            Regards,

            Holger.

            (0) 
    1. Former Member Post author
      Hi Martina,

      sorry for the long delay. Please make sure that you have deployed the files sap.com~tc~sec~auth~jmx~ear.ear and sap.com~tc~sec~auth~spnego~wizard.ear from the SPNego wizard. Also make sure that the additional attribute is set in the configtool.
      I just checked this on a new installed J2EE 7.0 SP9 and it worked without problems.

      Regards,

      Holger.

      (0) 
  4. Former Member
    My current setup is ABAP+JAVA Stack and using ABAP as my datasource. while configuring SPNego I get stuck with xml file upload. Though I have “dataSourceConfiguration_ads_readonly_db_with_krb5.xml” as my additional xml file and uploaded in UME LDAP Data (Configtool), I still dont see selectable drop down in “Configuration File” list.

    Do I miss something here?

    (0) 
    1. Former Member Post author
      Hi,

      currently you are using the dataSourceConfiguration_ABAP, right? Then there is no supported way to switch to _ADS_read_only. But you do not have to switch to another datasource if you want to use SPNego. Just follow the blog above and use _ABAP.

      Hope this helps,

      Holger.

      (0) 
  5. Former Member
    Very nice blog, it’s very usefull.

    We have Ep70 with ABAp+Java and we followed the suggestions on the blog and it seems working but I have some questions:

    Please which is the final advantage to use the SPnego Wizard in an Abap+Java scenario with an ABAP userstore ?

    I mean, if we start from ABAP+JAVA instance with an ABAP datasource and we are aware now that it cannot be changed, the logon to the EP is always done via users created and managed in the ABAP stack. That also using the SPnego wizard.

    At the end we have to continue anyway to create and manage users in the ABAP stack.

    I’m not very expert in this problem, probabily I miss something.

    regards

    (0) 
    1. Former Member Post author
      Hi Roberto,

      I agree. When there is no real reason to connect the portal to an ABAP system I personally would also not user the ABAP userstore, but choose any other. By that you are much more flexible.
      However, there can be situations where the usage of ABAP+Java is already given and you still want to use SPNego.

      Hope this help,

      Holger.

      (0) 
      1. Former Member

        Holger,<br/>I hate to post this whole output, but maybe it will help you to see my issue… and help any others that may have a similar issue.<br/><br/><br/><br/>Web Diagtool Version : 1.17<br/><br/><br/>Start Time: 2008/11/13 10:43:26<br/><br/>–


        <br/><br/><br/>Selected Locations: {com.sap.engine.services.security.authentication=ALL, com.sap.security.core.ticket=ALL}<br/>Set Severity For Selected Locations: All<br/>Set Severity For All Other Locations: Error<br/>Get Traces From Other Locations: true<br/>Maximum number of collected records: 50000<br/><br/>


        <br/><br/><br/>SAP System Name: <SID><br/>Server Version: 700<br/>SP Level: 16<br/><br/>


        <br/><br/><br/>Canonical Host Name: <localhost>.domain.com<br/>Host: <localhost><br/>IP: …..28<br/>Operating system name: Windows 2003<br/>Java Runtime Environment version: 1.4.2_13<br/>Java Runtime Environment vendor: Sun Microsystems Inc.<br/><br/>


        <br/><br/>Link to the Traces<br/><br/>


        <br/><br/>login.modules:<br/><br/>ume.properties:<br/><br/><br/>


        <br/>Time Severity User Thread Location Message <br/><br/><br/> 10:43:33:011 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d) <br/>10:43:33:011 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser no user in session, relogin <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:<br/>, javax.security.auth.login.LoginContext$SecureCallbackHandler@29731812) <br/>10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@43315b00 <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@5d4d7f76 <br/>10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true}) <br/>10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@aeb4bd5 <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@5dbf928c <br/>10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true}) <br/>10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@4c2e5569 <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@75e98791 <br/>10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: . 10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:042 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@7bc8aeaf <br/>10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@3444a2a6 <br/>10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true}) <br/>10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@6125b19 <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@1f1ac96c <br/>10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true}) <br/>10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@179de168 <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@7e397ef4 <br/>10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: . 10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 tication.programmatic.forceLoggedInUser invokedURL=/webdynpro/dispatcher/sap.com/tclmwebadminmainframe~wd/WebAdminApp <br/>10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser forceLoggedInUser(): Redirecting to: /logon/logonServlet?redirectURL=%2Fwebdynpro%2Fdispatcher%2Fsap.com%2Ftc%7Elm%7Ewebadmin%7Emainframe%7Ewd%2FWebAdminApp <br/>10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser Exiting method <br/>10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~thentication.logonapplication.initBeans LogonLocaleBean and LogonMessageBean created <br/>10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~thentication.logonapplication.initBeans LanguagesBean created <br/>10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~ication.logonapplication.executeRequest No command found, forwarding to umLogonPage <br/>10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d) <br/>10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~entication.programmatic.getLoggedInUser no user in session, relogin <br/>10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:<br/>, javax.security.auth.login.LoginContext$SecureCallbackHandler@4b763dd2) <br/>10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@3fd4ccb2 <br/>10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@2bcadadb <br/>10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true}) <br/>10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@12e67653 <br/>10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@58624cd6 <br/>10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, {ume.configuration.active=true}) <br/>10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack are: {ume.configuration.active=true}. , sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : ]}, 10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got ume.configuration.active: <br/>10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@1da2a2ef <br/>10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method <br/>10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@2077081c <br/>10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in authentication stack after adding the default values are: [{ume.configuration.active=true, system=10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: . 10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~on.loginmodule.s

        (0) 
        1. Former Member Post author
          Hi Eric,

          usually a form would be a better place to poast such long logs.

          Did you set the krb5principal name for all the users you wanted to log on?.

          Regards,

          Holger.

          (0) 
            1. Former Member Post author
              Hi Eric,

              can you sent me an email and we can discuss this that way? I guess this will be easier than using the comment section of this blog…

              Regards,

              Holger.

              (0) 
  6. Former Member
    Hi Holger,

    Thanks a lot for this wonderful blog.  I have used it and is working fine (data source = ABAP, resolution mode = simple)

    One query:  Is it possible to map UME custom attribute krb5principalname to ABAP user’s email field?  By this way, I think I can populate krb5principalname automatcally while creating / modifying users in ABAP.

    Thanks in advance!
    Shaji

    (0) 
    1. Former Member Post author
      Hi,

      yes, this will work. If you do not need the email in your ABAP system this is a very nice way of getting the krb5principalnames to your ABAP users.

      If you want more details, please have a look at the following whitepaper: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/portal-and-collaboration/search/federated%20search%20between%20sap%20netweaver%20enterprise%20search%20and%20microsoft%20search%20server%202008.pdf (page 8).
      Just enter “email” for the KPN in the SPNego Wizard.

      Regards,
      Holger.

      (0) 
      1. Former Member
        Thanks Holger,

        Just to re-phrase my query:  While creating ABAP user-ids, the email field is populated with user’s email address, which is used in the ABAP system for mailing.

        As the email field is the krb5principalname as well, I would like to know whether I can map this to krb5principalname, so that the field krb5principalname is populated automatically, just by entering the email field while creating the ABAP user-id.

        PS:  I am unable to access mentioned pdf document.  Can you kindly post the link again please?

        Thanks a lot, and best regards,
        Shaji

        (0) 
  7. Former Member
    Very nice blog, it’s very useful.

    Our current setup is NW2004s(SP16)- Dual Stack(ABAP+JAVA) and by default we are using ABAP as our UME datasource.

    I have downloaded SPNegoWizard_645.zip file from the Note: 994791 and I uploaded this “dataSourceConfiguration_ads_readonly_db_with_krb5.xml” as my additional xml file into UME persistence using (Configtool), and tested successfully with connection and authentication test. Once the J2ee engine was restarted, I get stuck with an Error Report as: “503   Service Unavailable”;”Message: Dispatcher running but no server connected!”

    Could you please have a look at my post

    /thread/1228018 [original link is broken]

    Please help and advice me.

    Awaiting for your favorable response.

    Kind regards,
    Vijay

    (0) 
  8. Former Member
    Hi,

    As shown in the screen shot and als the spnego avi files in the wizard, I could not find the krb5principalname while creating the abap user through useradmin. I am using EP7?
    Is there any other setting?

    (0) 
    1. Former Member Post author
      You are right (I guess you mean the screenshot here Step 1 of 5). With the new version of the Wizard the dialog changed a little.
      Can you search for “Federated Search between SAP NetWeaver Enterprise Search and Microsoft Search Server 2008” and take a look at this document. On page 8 we describe how to map the KPN to the email field of ABAP (you basically do this now in Step 3). Here you could also enter the krb5principalname.
      Hope this helps,
      Holger.
      (0) 
  9. I am planning to implement SPNego with ABAP UME for my customer and have already checked the steps mentioned in your weblog:
    Also the following link on SAP Help mentions that you can configure SPNego with ABAP UME:

    http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm

    Please let me know if this solution would work in case the user ids in the AD and the ABAP systems are the same? Generally, a user will not be able to authenticate on to the portal if the UME is connected to two different user data sources and both the datasources contain the same id.

    Does this blog resolve the issue pertaining to duplicate user ids? Has anyone implemented this scenario?

    Thanks in advance,
    Vibhu

    (0) 
  10. Former Member
    Hi Friends,

    I need to Integrate BI portal with Microsoft Active Directory service, so that users can login with into BI Portal with ADS Authentication.

    Please provide me the steps need to configure, and any related documents on said subject.

    Appreciate ur help.

    Thanks inadvance.

    Regards,

    Venkat

    (0) 
  11. Former Member
    Hi Holger,

    I am trying to configurate LDAP Autentication with Windows Active Directory for SAP Enterprise Portal, on UME With dataSourceConfiguration_abap.xml, ABAP Datasource, but LDAP Tab is Not Visible or Enable, how can i make visible or enable this tab for continue with this configuration.

    Thanks for your help.

    Carlos

    (0) 
  12. Renato Moltrasio
    Hello Holger,

    I configured the SPNEGO succesfully inmmy system. Now after a system copy of that system I need to remove SPNEGO. Can yuou please tell how can this be done? (a oss note, a guide….)

    Thanks in Advance
    Renato

    (0) 
  13. Former Member
    Hello Holger,

    I configured the SPNEGO succesfully in a double-stack system. The SAPJSF user is used to connect the J2EE to the ABAP system. Additionally, I created a user like j2ee-SID in the ADS and set the krb5principalname ume attribute of the SAPJSF user to this ADS user. As SNC is enabled in the ABAP system, we are using SNC between Java and ABAP as well. We are having problems with the Java/ABAP communication when the TGT is expired.

    Can you please tell me how to make the j2ee engine to get the TGTs automatically (instead of getting it from the credential cache file) when the SNC is enabled in the ABAP backend?

    Thanks in advance
    Kind regards
    Hugo

    (0) 
    1. Former Member Post author
      Hi Hugo,

      are you sure this is SNC related?
      If you are talking about the client tickets, this might be an issue with a missing KB (KB899587
      , see also Note 934138).
      Did you check the J2EE logs when it is working, and when not?

      Regards,

      Holger.

      (0) 
        1. Former Member Post author
          Hi Hugo,

          in order to investigate I need some more invormation/logs. I tried to find your email, but I couldn’t.
          Can you please contact me so that I can follow up?

          Thanks,
          Holger.

          (0) 
  14. Former Member
    Hi,

    When i try to log to the portal, appear an popup where i have to write the user and password, and after, i have to log again in the portal.

    I do a trace with diagtool, and appear this error:
    Credentials for realm KMC.LOCAL successfully acquired: j2ee-DM2@KMC.LOCAL
    Access Denied – responseHeader is NULLLogin module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.

    What happend?

    Thanks in advance,
    Regards

    (0) 
    1. Former Member Post author
      Hi,
      I am not sure if this is the issue. Can you take another look at the trace and see if you find something else (some other errors).

      Regards,

      Holger.

      (0) 
      1. Former Member

        Hi,<br/><br/>Thanks by the answer, i can not fin another error important…<br/><br/>I attach a part of the trace:<br/><br/>The options of CreateTicketLoginModule in authentication stack after merge with UME properties are: {ume.configuration.active=true, system=DM2, client=000, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=8, keystore=TicketKeystore, password=}.<br/>The options of CreateTicketLoginModule in authentication stack after adding the default values are: {ume.configuration.active=true, system=DM2, client=000, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=8, keystore=TicketKeystore, password=}.<br/>Exiting method<br/>Entering method<br/>Received no SAPLogonTicket. Authentication stack: .

        (0) 
      2. Former Member
        I see this error:

        Clock skew too great (37)

        In this blog appear:
        This means, that the time difference between the Client and the Server is to great (there is a default time difference for Kerberos which is usually about 5 minutes). Please check the time of both client and server. You can also try to issue a

        net time /set /domain

        on the client (and on the server). It will syncronize the time from the client with the one on the domain.

        But in the server, i haven´t access, appear error: Access is denied.

        How can avoid it?

        Thanks in advance,
        Regards,

        (0) 
        1. Former Member Post author
          Hi,

          well apparently the clocks are not correct. Windows machines you can run the net time command — but you have to have permissions to set the time (can you do it manually?).
          I would recommend to run a NTP service (or some similar service to synchronize the times).
          Once they are the same this issue should be resolved.

          Regards,

          Holger.

          (0) 
          1. Former Member
            Hi,

            I can modify the time manually in the clock of menu bar of windows, now two machine has the same time (except the seconds), but appear the same error… Is necessary synchronize with net time?

            Thanks in advance,
            Regars,

            (0) 
  15. Florian Lusch
    Hello Holger,

    I got a problem with configuring SSO in SAP BI 7.0 (Dualstack, conntect to ABAP datasource).

    I followed your instructions till the end.
    Test resolution works fine..

    But when i open the portal url, i get the logon mask. No SSO, no error.

    Maybe you got some hints (logs for example), where I can search for the error?

    Best regards,
    Florian

    (0) 
    1. Florian Lusch
      YATT trace:

      ——
      HTTP/1.1 401 Unauthorized
      Server: SAP J2EE Engine/7.00
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
      Content-Language: de-DE
      expires: 0
      Content-Encoding: gzip
      Date: Mon, 02 Aug 2010 11:42:10 GMT
      Set-Cookie: saplb_*=(SRVA085_BWT_00)4424850; Version=1; Path=/
      Set-Cookie: PortalAlias=portal; Path=/
      Set-Cookie: JSESSIONID=(SRVA085_BWT_00)ID1206139550DB329bdf23b2611714efcf9111a6e5e8bf766be6d0End; Version=1; Domain=.lossburg.arburg.com; Path=/

      a

      ——-

      GET /irj/portal HTTP/1.1
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
      Accept-Language: de-DE,en-US;q=0.5
      UA-CPU: x86
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; .NET CLR 3.5.21022)
      Host: sapbwt.lossburg.arburg.com:50000
      Connection: Keep-Alive

      (0) 
        1. Florian Lusch
          Thanks.

          i started the diagtool the following way:

          go.bat conf\spnego.conf D:\usr\sap\BWT\DVEBMGS00\j2ee\configtool

          It shows me version, host etc..that it crashes.

          java.lang.reflect.InvocationTargetExpetion

          Caused by: java.lang.Error: getenv no longer supported, use properties and -D instead: debug

          (0) 
      1. Former Member Post author
        Can you send me an email, so that we can work on this offline. Reading logs here in the comments is not really working…

        Regards,

        Holger.

        (0) 
  16. Former Member
    Hi Holger,

    Nice blog. We have a different scenario and thought will have a suggestion from you. The UME for our Java is ABAP and userids in  ABAP are different from LDAP userids.Our plan is to populate one of the user fields with their LDAP userids and achieve spnego. Can you please suggest any steps for this on how this mapping can be achieved?

    (0) 
    1. Former Member Post author
      Hi,

      if I understand you correct, you want to populate some field in the ABAP system. If that is the case I would recommend that you take a look at the new SPNEGO Login module (you should do that anyway…, New SPNego login module – just around the corner, https://service.sap.com/sap/support/notes/1457499) Then you can populate the Logon Alias with the LDAP userids.
      Other options are also explain in my blog http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/13265. [original link is broken] [original link is broken]

      Hope this helps!

      Regards,

      Holger.

      (0) 
      1. Former Member
        That was spot on for us. Thank you. There is one more request. Do we still need to do the LDAP configuration setting when our UME source is ABAP as this is greyed out.
        (0) 
        1. Former Member Post author
          Hi,
          in the UME you do not have to do any LDAP configuration. But you will have to provide the REALM information during the SPNEGO Configuration — but that is it.

          Regards,

          Holger.

          (0) 
  17. Former Member
    Hi Holger
    This is probably independant of SPNEGO but I will mention it anyway as it is one of the config steps in your blog.

    I have added the custom UME attribute ‘ krb5principalname’ but it is not visible on the user profile in portal. What I have noticed is that after entering the attribute it only appears under ‘Local Properties’ whilst ‘Custom Value’ still reads blank.

    Thanks, Vipul

    (0) 
    1. Former Member
      Hi Holger
      I have got this resolved. I needed to change the global attribute, from the screenshots it appeared to be instance attribute.

      I have got another question now – the first screen of the SPNEGO wizard is not displaying ‘mapping attribute’.

      cheers, vipul

      (0) 
      1. Former Member Post author
        Hi Vipul,

        that is probably because this setting is now moved to a different screen later on.
        So don’t worry about that now…

        Regards,

        Holger.

        (0) 
        1. Former Member
          Thanks Holger
          I realised later that there was no need to create ‘krb5principalname’ attribute as we keep abap users in sync with ADS users. So in 4/5 screen name resolution worked fine based on ‘uniqueattribute’.

          However, after assigning template to ticket component in VA and restart of the cluster, SSO has not worked.

          I will look at blog Configuring and troubleshooting SPNego — Part 3 and see how it goes.

          Regards
          Vipul

          (0) 
  18. Former Member
    Hi Holger – firstly many many thanks for the SPNego blogs – extremely helpful.
    I have configured a JAVA system (DP1) which already uses the UME on the associated ABAP system (D01)to use authenticcation from our ADS, as per you instructions and I can log on without entering id or password and see the kerberos ticket being issued and all works well.
    The problem comes when the (ABAP\JAVA)user has to change their SAP password – then the standard Logon Credentials are requested, asking for the user to change their SAP password.  I thought that the authentication came from the ADS and so the user would not be required to change their SAP password? Or have I configured something incorrectly?
    FYI – I am using the new spnego2 wizard for the configuration and have configured the Mapping Mode with “principal only” as the user names are identical in ADS and SAP.
    Regards
    Phil
    (0) 
  19. Former Member
    Hi Holger – firstly many many thanks for the SPNego blogs – extremely helpful.
    I have configured a JAVA system (DP1) which already uses the UME on the associated ABAP system (D01)to use authenticcation from our ADS, as per you instructions and I can log on without entering id or password and see the kerberos ticket being issued and all works well.
    The problem comes when the (ABAP\JAVA)user has to change their SAP password – then the standard Logon Credentials are requested, asking for the user to change their SAP password.  I thought that the authentication came from the ADS and so the user would not be required to change their SAP password? Or have I configured something incorrectly?
    FYI – I am using the new spnego2 wizard for the configuration and have configured the Mapping Mode with “principal only” as the user names are identical in ADS and SAP.
    Regards
    Phil
    (0) 
      1. Former Member
        Hi Holger – WOW, how quick was that!! That’s it fixed, many thanks.
        One further question, if you don’t mind – I was attempting to use the ?spnego=disabled switch after the url of the portal, in order to bring up the standard logon, but I can not get it to work on I.E.8, however it appears to work fine on Firefox3.6.  Any idea what browser it was been tested on, or why it might not work on I.E.8?
        (0) 
          1. Former Member
            Hi Moti,

            if you are refering to the SAP password expiring when we expected the to use the ADS password, you need to set ume.logon.force_password_change_on_sso as Holger stated. 
            However if you are refering to the I.E. issues these are not directly resolvable as it is a “feature” of I.E. – see note “1159129 Password reset not possible in SPNego scenario”.
            Please mail me if you need any further help (phil underscore jones at biscuits dot com).
            Regards
            Phil

            (0) 
      2. Former Member
        Hi Holger,
        As you have been so helpfull previously I was hoping you could help with a new issue:
        We have just implemented SSO for our Portal (which is connected to the UME in the backend ABAP ECC system) using spnego2 wizard.
        We have a mixed client base with some PC’s in the AD and some not in AD, so some PC’s can use SSO to logon and some default to standard Portal logon.
        The PC’s in the AD use SSO successfully and have no issues.
        The PC’s NOT in the AD have no issues until their SAP password expires. When their SAP password expires, the logon fails but issues no
        message and does not ask for the password to be changed. Once the initial password is set (within the ECC system) they still cannot logon, as the logon does not ask them to change their
        password from this initial password.
        We have tried setting the “ume.logon.force_password_change_on_sso”
        to both false and true and it appears to make no difference to the logon on
        the non-AD PC’s.
        How can we get the NON-AD (NON-SSO) clients to still recieve a password change request?
        Hope this makes sense and you can help,
        Regards,
        Phil Jones
        (0) 
  20. Former Member
    Hi,

    Thanks for very nice blog. I have very strange error during SPNego Wizard, I hope you have sonme ideas.
    We have ABAP+Java System on one host – Unix (AIX). User Data source for Portal is ABAP.
    We already configured Kerberos SSO to allow SAP Logon without password. SSO via SAP Logon Ticket between Portal ans ABAP is also already configured.
    No I am trying to configure spnego for Portal Login.
    Service user in ADS is created, I hope I can use one service user for ABAP part and Portal part.
    Last 5th confirmation screen ands with error – “Failed to create keytab file”. “Show Logs” button shows only one error –

    Error saving SPNego configuration due to: java.lang.Exception: Realm must be in uppercase.

    com.sap.engine.services.security.jmx.spnego.impl.SPNegoConfigurationManagerImpl
    sap.com/tc~wd~dispwda

    But Realm on this confirmation screen IS in uppercase. Do you have ideas where this realm can be written in wrong case? I didn’t find any parameter in Config tool regarding realm name. Is it possible to manually run this command for creating keytab file?

    Thanks,
    Ilgvars

    (0) 
  21. Former Member
    Hi Holger,

    Very helpful post!!

    We are currently working in providing transport layer security (SSL) to Spnego. Is there any guide which describes the required steps to accomplish this?

    Our UME use ABAP DB as a datasource btw.

    Thanks in advance.

    Regards

    (0) 
  22. Former Member

    Hi

    I wan to know if it is possible to configure SPNEGO with two diferent AD, for example I have Portal system with ABAP Ume, now customer wants users from its company and from another (2 different active directory) log automatically to portal withou asking again user and password.

    Is it possiblle this configuration?

    Also Portal system is 7.0 SP23 I guess this configuration is for lower versions.

    Regards

    Andy,

    (0) 
    1. Former Member

      Hi did you get response about how tu use SPNEGO with abaps source using multidomains….I am using abap source and now i have two domains….I would like to know how to set up.

      Thanks,

      (0) 
      1. Former Member

        Hi, yes

        this is the procedure

        1. Your sap portal has to be in domain A (this your domain)
        2. Set trust relationship between domain A and domain B (target domain) (this is necessary becuase let kerberos ticket travel between different domains)
        3. In domain B (Active Directory) set your user for SPNEGO (execute SPN comands as the guide tells)
        4. Then in Portal go to spnego link and configure the access to domain B and also customize your stack authentication (there is a guide for SPNEGO configuration, it’s very helpful)
        5. In user mapping for domain B you have to set the attibute for matching your user from abap source with the user from active directory from domain B, I worked with email attribute.
        Keep in mind the policy passwords for users are from your abap source.
        Which version of Portal do you have?

        If you any doubt you can contact me, this is my skype account andygio87

        This works for me.

        (0) 
  23. Former Member

    Hello Sir,

    We’ve been implementing this on our site but we get no results.

    I’ve followed all mentioned steps but, UME can’t use ADS users to authenticate (Can do using ABAP ones).

    In our case we don’t have ABAP users identical to ADS ones.

    Please, advise if any further more steps are needed to be followed.

    Thanks in advances.

    (0) 
  24. ROBERTO MARIANI

    Hi Holger

    please SPNEGO can be used in case of a scenario Windows 2012 / Netweaver Java 701 or Netweaver 740 , both with ABAP UME ?

    Which j2sdk should be used Β on Win 2012 ?

    Regards and thanks in advance

    (0) 

Leave a Reply