
Configuring SPNego with ABAP datasource — Part 2

After my blog Configuring SPNego with ABAP datasource I got quite a few follow-up questions. One big issue was that the screenshots I had made were soon out of date when using a higher SP. Then I had a few questions about scenarios where users would have the same username in ADS and backend, about not maintaining the krb5principalname in the UME and so on. So I decided, instead of answering each email with almost the same text, to create an updated version of the “Configuring SPNego with ABAP datasource” blog. Here it is.

Using ABAP datasource

At first (again: in response to several emails I got) I want to quickly explain how to connect your J2EE Engine to an ABAP system. Be very careful about that: once you have done it, there is no turning back (the same of course is true if you already are on ABAP — you cannot switch to database only). If you want more details, please see Note 718383 – NetWeaver: Supported UME Data Sources and Change Options.

Then make sure that you set "Password never expires" for the service user (please really do that: otherwise I will again get tons of emails after 90 days saying that SPNego stopped working :)). Also enable the DES encryption for that account and you should be fine.

[screenshot]

As a final step set the ServicePrincipalName to the DNS name of the host your J2EE Engine is running on. Now we are done (if you want more details on all these steps, please check Configuring and troubleshooting SPNego — Part 1).

The ABAP part

You basically have three options here:

* UserIds are the same
* UserIds are different and you want to maintain the “mapping” on ABAP
* UserIds are different and you want to maintain the “mapping” on Java

UserIds are the same

If this is the case then you can simply follow the screenshots from the previous blog. You do not have to create and maintain additional UME attributes.
Just run the SPNego wizard (notice here: you do not have to maintain the “Mapping attribute” krb5principalname in the first step anymore):

[screenshot]

In step 3 select the prefix method and enter uniquename.

[screenshot]

That should be it.

One comment on the uniquename. Why are we using this attribute? Just take a look at the dataSourceConfiguration_abap.xml.

[screenshot]
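The two resolution options the wizard offers (prefix on uniquename versus a krb5principalname mapping) and the prefix-then-mapping fallback order discussed further down in the comments, modelled as an added Python example that is not part of the blog or of SAP's code; the user table, the realm check and all names (UmeUser, resolve_*, USERS) are constructed for illustration.

```python
"""Added example, not from the blog or SAP: a model of the two ways the SPNego
wizard can resolve a Kerberos principal to a UME user, run against a constructed
user table. UmeUser, resolve_* and the sample users are this example's own names."""
from __future__ import annotations
from dataclasses import dataclass

REALM = "DEV16.DEV-WDF.SAP.CORP"   # the realm that appears in the comment thread

@dataclass
class UmeUser:
    uniquename: str              # ABAP user id, the attribute chosen in step 3 of the wizard
    email: str = ""              # deliberately never consulted for resolution
    krb5principalname: str = ""  # custom UME attribute, filled only for mapped users

class AmbiguousMappingError(Exception):
    """More than one UME user matched: fail closed instead of picking one."""

def split_principal(principal: str) -> tuple[str, str]:
    """'robert@DEV16.DEV-WDF.SAP.CORP' -> ('robert', 'DEV16.DEV-WDF.SAP.CORP')."""
    name, sep, realm = principal.partition("@")
    if not (sep and name and realm):
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    return name, realm

def _single(matches: list[UmeUser], principal: str) -> UmeUser | None:
    if len(matches) > 1:
        raise AmbiguousMappingError(f"{principal} matches {[u.uniquename for u in matches]}")
    return matches[0] if matches else None

def resolve_prefix(principal: str, users: list[UmeUser], realm: str = REALM) -> UmeUser | None:
    """Resolution mode 'prefix' on uniquename: the part before '@' is the user id.
    ABAP ids are case-insensitive, so compare upper-cased. Rejecting a foreign
    realm is this example's own hardening; the blog does not say what the wizard does."""
    name, prealm = split_principal(principal)
    if prealm.upper() != realm.upper():
        return None
    return _single([u for u in users if u.uniquename.upper() == name.upper()], principal)

def resolve_mapping(principal: str, users: list[UmeUser]) -> UmeUser | None:
    """Mapping mode: the complete principal must equal the krb5principalname attribute."""
    hits = [u for u in users if u.krb5principalname.lower() == principal.lower()]
    return _single(hits, principal)

def resolve(principal: str, users: list[UmeUser]) -> str | None:
    """Try prefix first, then mapping: the two-SPNegoLoginModule fallback sketched in
    the comments. None means 'not resolved', and the stack falls back to password logon."""
    user = resolve_prefix(principal, users) or resolve_mapping(principal, users)
    return user.uniquename if user else None

# Constructed UME content mirroring the thread: ROBERT shares its id with the AD
# account, KINGHORNR merely carries the principal as e-mail, DAVE01 is mapped.
USERS = [
    UmeUser("ROBERT", email="robert@" + REALM),
    UmeUser("KINGHORNR", email="robert@" + REALM),
    UmeUser("DAVE01", krb5principalname="dsmith@" + REALM),
]

if __name__ == "__main__":
    for p in ("robert@" + REALM, "dsmith@" + REALM, "nobody@" + REALM, "robert@OTHER.CORP"):
        print(f"{p:36} -> {resolve(p, USERS)}")
```

Note that prefix mode never looks at the e-mail attribute, which is why the wizard picked ROBERT rather than KINGHORNR in the case discussed in the comments.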

      30 Comments
      Former Member
      Great blog - a very useful topic for many of us.

      Is it possible to use this but still have form based authentication? (i.e. use the standard EP logon page)

      Former Member
      Blog Post Author
      Thanks! If you take a look at step 4 in Configuring and troubleshooting SPNego -- Part 1 you can see that you can select the Basic Authentication as a fallback. If SSO does not work users would get prompted to log in with the standard logon page.

      Regards,

      Holger.

      Guillaume GARCIA
      Hi,

      Indeed, this blog is much appreciated!
      I would slightly modify the previous question: is it still possible (maybe using a different URL or even through URL parameters) to log on under a different user?

      The requirements would be : "I created test users and I want to log on with those, but every time I got automatically logged"  😉

      Thanks in advance.

      Best regards,
      Guillaume

      Former Member
      Blog Post Author
      Hi,
      out of the box this is not possible (you will always be logged in when SSO is available).
      There are some options that you could do:
      * in your browser disable Integrated Windows Authentication (in my opinion that is a good one-time thing)
      * if you have to log in with a different user more frequently (but do not want to lose SSO for your regular user) you can implement a workaround. Take a look at https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/11039 [original link is broken]. You could deploy this application and assign only the Basic Login Module to this application. Then adjust the JSP so that it only points to the J2EE Engine.

      I have done the latter in several projects and it is working perfectly fine.

      Regards,

      Holger.

      Guillaume GARCIA
      Hi Holger,

      Perfect!
      Many thanks.

      Best regards,
      Guillaume

      Guillaume GARCIA

      Confusing message

      Former Member
      Blog Post Author
      Hi Guillaume,

      thanks for the remark about the screenshot in step 3. You are absolutely right. The screenshot (and the status message) is very confusing. I will try to update the screenshot.
      The user ROBERT (that is the user the ADS knows) tries to access the J2EE Engine with the Kerberos principal name  robert@DEV16.DEV-WDF.SAP.CORP which is found in the email for user KINGHORNR.
      So it should say:
      Kerberos principal name robert@DEV16.DEV-WDF.SAP.CORP is resolved to user ROBERT in UME (unfortunately the user KINGHORNR is not mentioned here at all)

      Thanks for pointing this out.

      Holger.

      Carlos Suaza
      Hi Holger,

      I am configuring LDAP Authentication with Windows Active Directory for SAP Enterprise Portal, but I have this question: I am using the default configuration user for dataSourceConfiguration_abap.xml, which is SAPJSF in Identity Management, but I created another user in the Active Directory like USPRUSAP with all of the requirements like Password never expires, DES encryption and Service Principal Name etc. When I am configuring SPNego, the user USPRUSAP is OK in all the configuration rules; then in step 3 of 5, test resolution mode, checking the user USPRUSAP, it is resolved, but when I try to check another user like my personal user (existing in the Active Directory of the company) or another company user, it is not resolved. Which could be the problem? Must the user in the ABAP configuration system be the same user as in the Active Directory, like in your post: Configuring SPNego with ABAP datasource?

      Thanks for your help.

      Carlos

      Former Member
      Hi Carlos,

      I presume that you need to maintain the Kerberos Principal name (custom attribute) on the J2EE end - please refer to Holger's blogs on how to do this.

      Kind regards,
      Vijay

      Former Member
      Hi

      I've got the same problem, but I don't see the property krb5principalname.

      We have EP 7, is that a problem?

      Regards
      Thomas

      Former Member
      Blog Post Author
      Hi Thomas,

      I guess you have to add it as an additional property in the UME (see first screenshot under "The third option with different userID is to maintain the UserPrincipalName in the UME.")
      If not, drop me an email and we can discuss.

      Regards,

      Holger.

      Former Member
      Hi,

      I've configured SPNEGO correctly and it is working fine for most users - SSO works and users not in ldap get a sign on page.

      However, we have some users whose user-id is different in ldap and SAP.

      Is it possible to do some sort of user mapping for these users?

      Thanks.

      Dave

      Former Member
      Blog Post Author
      Hi Dave,

      I am sorry, but I don't know of any way around it. Currently you can only specify one way in the Resolution Mode step. And here it is either simple (without user mapping) or some kind of user mapping via the krb5principalname.

      Maybe -- but I haven't checked this -- you could manually add another SPNegoLoginModule in your Security Provider -> Policy Configuration that actually uses krb5principalname.
      So the first SPNegoLoginModule would try to login with simple, and if this fails the second SPNegoLoginModule would try with krb5principalname.
      Drop me an email if you want to discuss and try it out further.

      Regards,

      Holger.

      Former Member
      Hello,

      I have a small issue when trying to configure SPNego: everything is configured as explained on this blog, but when I open the portal address the portal still asks me for my username and password, so the SSO doesn't work.
      Is there somebody who had the same problem or who can help me solve this issue, please?

      Regards,
      Marc.

      Former Member
      Blog Post Author
      Hi Marc,

      did you assign the SPNego Template to the [ticket] component? If yes, take a look at the diagtool trace (Configuring and troubleshooting SPNego -- Part 3). Maybe you find something useful there.

      Regards,
      Holger.

      Former Member
      Hi Holger,

      Thanks for your quick response.
      The SPNego template is assigned to the component.
      I used the diagtool and in the log I found the following message/error:
      Cannot get kdc for realm ....
      What does KDC stand for?

      Thanks for your help.

      Regards,
      Marc.

      Former Member
      Blog Post Author
      Hi Marc,

      KDC is the Key Distribution Center -- usually the server where your ADS is running.
      Did you use the SPNego Wizard to configure SPNego? Did you use "Retrieve Principal" in Step 2 of the configuration? Was it OK?
      Is the realm correct that you entered in this step (can you double-check this value against what you get when you issue a "set USERDNSDOMAIN" from a command shell in Windows)?

      Thanks,

      Holger.

      Former Member
      Holger,

      I used the SPNego Wizard to configure SPNego!
      In step 2 I used the other option "Enter principal", I will try with option "Retrieve Principal"!
      The realm is correct!

      Regards,
      Marc.

      Former Member
      Holger,

      I did the test but nothing changed, I still have the same problem!
      Do you have any ideas?

      Regards,
      Marc.

      Former Member
      Hello,

      I did the configuration step with the link to the ADS (with dataSourceConfiguration_abap.xml) but when I restart the J2EE server it does not come up. I receive the following error: Cannot find first configured anonymous user: J2EE_GUEST: USER_AUTH_FAILED: User account for logonid "J2EE_GUEST" not found!
      Does the user J2EE_GUEST have to exist on the ADS?

      Regards,
      Marc.

      Former Member
      Blog Post Author
      Hi,
      can you please take a look at Note 718383 (-> dataSourceConfiguration_database_only.xml). You might also want to check whether the users sapjsf, J2EE_ADMIN and J2EE_GUEST exist in the ABAP system that the UME connects to (and not in the J2EE UME). They should have the roles SAP_BC_JSF_COMMUNICATION, SAP_J2EE_ADMIN and SAP_J2EE_GUEST respectively.

      Regards,

      Holger.

      Former Member
      Hello,

      I did the configuration as you described in the blog and my Java stack started without any problem.
      The only problem that I have is that when I want to connect, the system still asks me for my user and password. Normally this has to work without entering your user and password, no?

      Regards,
      Marc Cockmartin

      Former Member
      Blog Post Author
      Hi,

      can you take a look at the WebDiag trace (Configuring and troubleshooting SPNego -- Part 3)? This would be the first thing to analyse.

      Regards,

      Holger.

      Former Member
      Holger:

      We have an EP6.0 configured to use Solution Manager ABAP as UME. We have configured the following steps for SSO using SPNego but it is still asking for username/password. Any help is greatly appreciated.

      1. Create the KB principal user J2EE_XXX
      2. Set the SPN for the user using setspn -A HTTP/xxx.corp.local J2EE_XXX
      3. Configure using the SPNego wizard (when we test here, user YYYY is mapping to UME)
      4. Set the spnego as authentication template in Visual Admin.

      Thanks.

      Former Member
      Hi,

      We are using EP 6.0 with Solution Manager ABAP as UME. We have followed the steps here but are not able to get SSO working and it is still asking for username/password.

      Here are the steps we followed:
      1. Create KB user in ADS
      2. Run setspn for the above user
      3. Configure SPNego using the wizard (tests are OK for user mapping)
      4. Set the spnego as a template in Visual Admin.

      Thanks.

      Former Member
      Hello,

      We are trying to configure SSO in our system. First we have installed SSO with SAP logon tickets between our SAP system and the Portal and it worked fine. Then we have tried to configure SSO with SPNego between the Windows Active Directory and Java, but the problem was that after finishing the configuration we couldn't log on to the system via I. Explorer. We logged on perfectly to the Visual Administrator and to the configtool.

      We have tried to undo the changes that the SPNego wizard made, but we still cannot log on: well, not exactly. Now, in I. Explorer, when we go to http://server:50000 a Windows security window asks for a Windows user. If we put a Windows user, then the SAP logon window appears, and you put the user and password and the window does nothing. If we put the SAP user with a bad password it says that the authentication fails. But, if we put a SAP user in the Windows authentication window, it works and we can log on to the system information window (for example). We can log on only to the information pages. We cannot log on to the UME, because the Windows authentication window doesn't appear.

      We have tried to restore to a previous situation and the backup has failed.

      Can you help us to go back to a stable point, please?

      Thanks and best regards,

      Former Member
      Blog Post Author
      Hi,

      I guess something is wrong with your Authentication template. Can you log in to Visual Administrator and make sure that under Security Provider -> Policy Configuration -> Ticket you have the authentication template spnego assigned (see also the last screenshot on Configuring and troubleshooting SPNego -- Part 1)?

      If you just want to revert, then change the configuration back to simple BasicPasswordLogin (e.g. http://help.sap.com/saphelp_nw70/helpdata/en/04/120b40c6c01961e10000000a155106/frameset.htm -> Sample Login Module Stack for Creating and Accepting Logon Tickets).

      Regards,

      Holger.

      Bishnu Priya Sahoo
      Hi Holger,

      SPNego authentication is working fine, but from some PCs, when hitting the portal URL, we are getting an additional pop-up window asking for credentials when the site is not added to the local intranet sites. If we cancel the window or provide the credentials, it lands on the portal page.
      Is there a way to get rid of this window, as a few URLs in our case are used from mobile devices and it is difficult to log in now?

      Regards,
      Bishnu Priya

      Former Member
      Hi Holger,

      I tried to configure SPNEGO on a dual-stack system.
      SSO is not working yet (authentication with username/password necessary) but even worse, I cannot log in to the Visual Administrator tool anymore.

      #1.#005056B9017C007B00000038000015CF0004AEB0D72B63C9#1317974454264#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0##n/a##46b11ab0f0ba11e08480005056b9017c#SAPEngine_Application_Thread[impl:3]_29##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
      User: N/A
      Authentication Stack: SAP-J2EE-Engine

      Login Module Flag Initialize Login Commit Abort Details
      1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true javax.security.auth.callback.UnsupportedCallbackException: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <--Localization failed: ResourceBundle='com.sap.engine.services.security.exceptions.SecurityResourceBundle', ID='Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1b2f7c7', Arguments: []--> : Can't find resource for bundle java.util.PropertyResourceBundle, key Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1b2f7c7
      at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
      at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl_Skel.dispatch(RemoteCallbackHandlerImpl_Skel.java:63)
      at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:330)
      at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
      at com.sap.engine.services.rmi_p4.DispatchImpl.run(DispatchImpl.java:721)
      at java.lang.Thread.run(Unknown Source)

      2. com.sap.security.spnego.SPNEGOLoginModule OPTIONAL ok exception true true Could not get authorization header from request. Reason: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <--Localization failed: ResourceBundle='com.sap.engine.services.security.exceptions.SecurityResourceBundle', ID='Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1e33b64', Arguments: []--> : Can't find resource for bundle java.util.PropertyResourceBundle, key Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1e33b64
      at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
      at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl_Skel.dispatch(RemoteCallbackHandlerImpl_Skel.java:63)
      at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:330)
      at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
      at com.sap.engine.services.rmi_p4.DispatchImpl.run(DispatchImpl.java:721)
      at java.lang.Thread.run(Unknown Source)

      3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false false true
      4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true true
      5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok true exception true javax.security.auth.callback.UnsupportedCallbackException: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <--Localization failed: ResourceBundle='com.sap.engine.services.security.exceptions.SecurityResourceBundle', ID='Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@11efdaf', Arguments: []--> : Can't find resource for bundle java.util.PropertyResourceBundle, key Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@11efdaf
      at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
      at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl_Skel.dispatch(RemoteCallbackHandlerImpl_Skel.java:63)
      at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:330)
      at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
      at com.sap.engine.services.rmi_p4.DispatchImpl.run(DispatchImpl.java:721)
      at java.lang.Thread.run(Unknown Source)

      I can log in to the Java stack via http with the same user.

      Is there another way to change the login module stack than with the Visual Administrator?

      btw: the Java stack is NW7.0 SPS19 and we deployed the "new" SPNego module (Note 1457499 - SPNego Add-on)

      Deploying with SDM (I tried to deploy the diagtool) is also not possible due to the login failure.

      Do you have any hint what can be done?

      Many thanks in advance!

      Best Regards
      Thomas
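Reading a LOGIN.FAILED record like the one quoted in the comment above by hand is error-prone, so here is an added Python example (not from the blog or from SAP) that parses a record of that shape, constructed from the quoted lines with the stack traces shortened, and applies JAAS flag semantics to name the module that actually failed the stack; parse_record, failing_module, ModuleRow and LoginRecord are this example's own names.

```python
"""Added example, not from the blog or SAP: parse a LOGIN.FAILED record of the
shape quoted in the comment above and name the login module that actually broke
the stack. LOG is constructed from that record (stack traces and details
shortened); the function and type names below are this example's own."""
from __future__ import annotations
import re
from collections import namedtuple

LOG = """\
#1.#005056B9017C007B00000038000015CF0004AEB0D72B63C9#1317974454264#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0##n/a##46b11ab0f0ba11e08480005056b9017c#SAPEngine_Application_Thread[impl:3]_29##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: SAP-J2EE-Engine

Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true javax.security.auth.callback.UnsupportedCallbackException: Handler LoginTask does not support callback SerializableGetterCallback
at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
2. com.sap.security.spnego.SPNEGOLoginModule OPTIONAL ok exception true true Could not get authorization header from request.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true true
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok true exception true javax.security.auth.callback.UnsupportedCallbackException: Handler LoginTask does not support callback SerializableGetterCallback
"""

# One row of the "Login Module Flag Initialize Login Commit Abort Details" table.
ROW = re.compile(r"^(\d+)\.\s+(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)"
                 r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

ModuleRow = namedtuple("ModuleRow", "pos name flag init login commit abort details")
LoginRecord = namedtuple("LoginRecord", "event user stack rows")

def parse_record(text: str) -> LoginRecord:
    """Split the '#'-delimited header line (field positions as observed in the
    quoted record) and collect the module table; the table header and any
    stack-trace continuation lines ('at ...') do not match ROW and are skipped."""
    lines = text.splitlines()
    h = lines[0].split("#")
    stack, rows = "", []
    for line in lines[1:]:
        if line.startswith("Authentication Stack:"):
            stack = line.split(":", 1)[1].strip()
        elif m := ROW.match(line):
            g = m.groups()
            rows.append(ModuleRow(int(g[0]), *g[1:7], g[7] or ""))
    return LoginRecord(event=h[-1], user=h[7], stack=stack, rows=rows)

def failing_module(rec: LoginRecord) -> ModuleRow | None:
    """JAAS semantics: an exception in the login or commit phase of a REQUIRED or
    REQUISITE module fails the whole stack, while SUFFICIENT and OPTIONAL
    exceptions (the ticket and SPNego modules above) are tolerated on their own."""
    for r in rec.rows:
        if r.flag in ("REQUIRED", "REQUISITE") and "exception" in (r.login, r.commit):
            return r
    return None

if __name__ == "__main__":
    rec = parse_record(LOG)
    bad = failing_module(rec)   # here: 5. CreateTicketLoginModule, commit phase
    print(rec.event, rec.user, rec.stack)
    if bad:
        # Its details name the admin adapter's LoginTask as the callback handler,
        # which fits the symptom: HTTP logon still works, Visual Administrator does not.
        print(f"stack failed at {bad.pos}. {bad.name} ({bad.flag}): {bad.details}")
```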

      Former Member
      Found SAP Note 957355, which worked fine for restoring the BasicPasswordLoginModule.