Skip to Content
After my blog Configuring SPNego with ABAP datasource  (Configuring SPNego with ABAP datasource)  I got quite a few follow up questions. One big issue was that the screenshots I had made were soon out of date when using a higher SP.  Then I had a few questions about scenarios where users would have the same username in ADS and backend, about not mainting the krb5principalname in the UME and so on.   So I decided instead of answering each email with almost the same text to create an updated version of the “Configuring SPNego with ABAP datasource” blog. Here it is.   h5. Using ABAP datasource   At first (again: in response to several Emails I got) I want to quickly explain how to connect your J2EE Engine to an ABAP system. Be very carefuly about that. If you do it once, there is no turning back. (the same of course is true if you already are on ABAP — you cannot switch to database only). If you want more details, please see {code:html}Note 718383 – NetWeaver: Supported UME Data Sources and Change Options{code}  Then make sure that you set Password never expires (please really do that: otherwise I will again get tons of emails after 90 days saying that SPNego stopped working :)). Enable also the DES encryption and you should be fine.   imageAs a final step set the ServicePrinciaplName to the DNS name where  your J2EE Engine is running on.  Now we are done (if you want more details on all these steps, please check {code:html}Configuring and troubleshooting SPNego — Part 1{code})  h5. The ABAP part You basically have three options here: ** UserIds are different and you want to maintain the “mapping” on ABAP ** UserIds are different and you want to maintain the “mapping” on Java h6. UserIds are the same If this is the case then you can simply follow the screenshots from the previous blog. You do not have to create and maintain additional UME attributes. Just run the SPNego wizard:image(notice here: you do not have to maintain the “Mapping attribute” krb5principalname in the first step anymore) in step 3 select the prefix method and enter uniquename. imageThat should be it.    *One comment on the uniquename.* Why are we using this attribute? Just take a look at the dataSourceConfiguration_abap.xml. image
To report this post you need to login first.

30 Comments

You must be Logged on to comment or reply to a post.

  1. Kevin Swann
    Great blog – a very useful topic for many of us.

    Is it possible to use this but still have form based authentication? (i.e. use the standard EP logon page)

    (0) 
      1. Guillaume GARCIA
        Hi,

        Indeed, this blog is much appreciated!
        I would slightly modify the previous question : is it still possible (maybe using a different URL or even through URL parameters) to log under a different user?

        The requirements would be : “I created test users and I want to log on with those, but every time I got automatically logged”  😉

        Thanks in advance.

        Best regards,
        Guillaume

        (0) 
        1. Holger Bruchelt Post author
          Hi,
          out of the box this is not possible (you will always be logged in when SSO is available).
          There are some option that you could do
          * in your browser disable Integrated Windwos Authentication (in my opinion that is a good one-time thing)
          * if you have to log in with a different user more frequently (but do not want to lose SSO for your regular user) you can implement a workaround. Take a look at https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/11039. [original link is broken] [original link is broken] You could deploy this application and assign only the Basic Login Module to this application. Then adjust the JSP so that it only points to the J2EE Engine.

          I have done the latter in several projects and it is working perfectly fine.

          Regards,

          Holger.

          (0) 
    1. Holger Bruchelt Post author
      Hi Guillaume,

      thanks for the remark about the screenshot in step 3. You are absolutely right. The screenshot (and the status message) is very confusing . I will try to update the screenshot.
      The user ROBERT (that is the user the ADS knows) tries to access the J2EE Engine with the Kerberos principal name  robert@DEV16.DEV-WDF.SAP.CORP which is found in the email for user KINGHORNR.
      So it should say:
      Kerberos principal name robert@DEV16.DEV-WDF.SAP.CORP is resolved to user ROBERT in UME (unfortunately the user KINGHORNR is not mentioned here at all)

      Thanks for pointing this out.

      Holger.

      (0) 
  2. Carlos Suaza
    Hi Holger,

    I am configuring LDAP Autentication with Windows Active Directory for SAP Enterprise Portal, but i have this question, i am using the default configuration user for dataSourceConfiguration_abap.xml which is SAPJSF in Identity Management, but i create another user in the Active Directory like USPRUSAP with all of requirements like Password never expires, DES encryption and Service Principal Name etc, when i am configurating SPNego, the user USPRUSAP is ok in all the configurations rules, then in the step 3 of 5, test resolution mode, checking the user USPRUSAP is resolved, but when i try to check another user like my personal user (existing in the Active Directory of the company) or another company user is not resolved, wich could be the problem?. the user in the Abap configuration system must be the same user in the Active Directory?, like your post: Configuring SPNego with ABAP datasource

    Thanks for your help.

    Carlos

    (0) 
    1. Vijay Velayutham
      Hi Carlos,

      I presume that you need to be maintain Kerberos Principal name(custom attribute) in the J2EE end – please refer the Holger’s blogs on how to do this.

      Kind regards,
      Vijay

      (0) 
        1. Holger Bruchelt Post author
          Hi Thomas,

          I guess you have to add it as an additional property in the UME (see first screenshot under “The third option with different userID is to maintain the UserPrincipalName in the UME.”)
          If not, drop me an email and we can discuss.

          Regards,

          Holger.

          (0) 
  3. David Turner
    Hi,

    I’ve configured SPNEGO correctly and it is working fine for most users – SSO works and users not in ldap get a sign on page.

    However, we have some users whose user-id is different in ldap and SAP.

    Is it possible to do some sort of user mapping for these users?

    Thanks.

    Dave

    (0) 
    1. Holger Bruchelt Post author
      Hi Dave,

      I am sorry, but I don’t know of any way around. Currently you can only specify one way in the Resolution Mode step. And here it is either simple (withouth usermapping) or some kind of usermapping via the krb5principalname.

      Maybe — but I haven’t checked this — you could manually add another SPNegoLoginModule in your Security Provider -> Policy Configuration that actually uses krb5principalname.
      So the first SPNegoLoginModule would try to login with simple, and if this fails the second SPNegoLoginModule would try with krb5principalname.
      Drop me an email if you want to discuss and try it out further.

      Regards,

      Holger.

      (0) 
  4. Marc Cockmartin
    Hello,

    I have a small issue when trying to configure SPNego : everything is configured like explained on this blog but when i start the portal address the portal still asks me my username and password, so the sso doesn’t work.
    Is there somebody who had the same problem or who can help me solve this issue please ?

    Regards,
    Marc.

    (0) 
      1. Marc Cockmartin
        Hi Holger,

        Thanks for your quick response.
        The SPNego template is assigned to the component.
        I used the diagtool and in the log i found the following message/error :
        Cannot get kdc for realm ….
        What does kdc stand for ?

        Thanks for your help.

        Regards,
        Marc.

        (0) 
        1. Holger Bruchelt Post author
          Hi Marc,

          KDC is the Key Distribution Center — usually the server where your ADS is running.
          Did you use the SPNego Wizard to configure SPNego? Did you use retrieve “Retrieve Principal” in Step 2 of the configuration? Was it OK?
          Is the realm correct that you entered in this step (can you doublecheck this value with what you get when you issue a “set USERDNSDOMAIN” from a command shell in Windows?)

          Thanks,

          Holger.

          (0) 
          1. Marc Cockmartin
            Holger,

            I used the SPnego Wizard to configure SPNego !
            In step 2 i used the other option “Enter principal”, i will try with option “Retrieve Principal” !
            The realm is correct !

            Regards,
            Marc.

            (0) 
              1. Marc Cockmartin
                Hello,

                I did the configuration step with the link to the ADS (with dataSourceConfiguration_abap.xml) but when i restart the j2ee server he is not coming up. I receive the following error : Cannot find first configured anonymous user: J2EE_GUEST: USER_AUTH_FAILED: User account for logonid “J2EE_GUEST” not found!
                Does the user J2EE_GUEST have to exist on the ADS ?

                Regards,
                Marc.

                (0) 
                1. Holger Bruchelt Post author
                  Hi,
                  can you please take a look at Note 718383
                  (->dataSourceConfiguration_database_only.xml
                  ). You might also want to check whether in the ABAP system that the UME connects to the user sapjsf, J2EE_ADMIN and J2EE_GUEST exist (and not in the J2EE UME). They should have roles SAP_BC_JSF_COMMUNICATION  SAP_J2EE_ADMIN and SAP_J2EE_GUEST respectively                                          
                  Regards,

                  Holger.

                  (0) 
                  1. Marc Cockmartin
                    Hello,

                    I did the configuration like you told in the blog and my java stack started without any problem.
                    The only problem that i have is that when i want to connect the system still asks me for me user and password. Normally this has to work without entering your user and password no ?

                    Regards,
                    Marc Cockmartin

                    (0) 
      1. mango reddi
        Holger:

        We have a EP6.0 configured to use Solution Manager ABAP as UME. We have configured the following steps for SSO using SPNego but still the it is asking for username/password. Any help is greatly appreciated.

        1.Create the KB prinipal user J2EE_XXX
        2.Set setspn for the user using setspn -A HTTP/xxx.corp.local J2EE_XXX
        3. Configure using SPNego wizard (when we test here users YYYY is mapping to UME)
        4. Set the spnego as authintication template in visual admin.

        Thanks.

        (0) 
  5. mango reddi
    Hi,

    We are using EP 6.0 with Solution Manager ABAP as UME. We have followed the steps here but not able to get SSO working and it still asking for username/password.

    Here are the steps we followed:
    1.Create KB user in ADS
    2. Set setspn for the above user
    3. Configure SPNego using wizard (test are ok for user mapping)
    4. Set the spnego as a template in visual admin.

    Thanks.

    (0) 
  6. Sistemas 1
    Hello,

    We are trying to configure SSO in our system. First we have installed SSO with sap logon tickets between our SAP system and the Portal and it worked fine. Then we have tried to configure SSO with SPNego between the Windows Active directory and Java, but the problem was that after finishing the configuration we couldn’t logon to the system via the I Explorer. We logged on perfectly to the visual administrator and to the configtool.

    We have tried to undo the changes that the SPNego wizard, but we still cannot logon: well not exactly. Now, the I. Explorer when we go to http://server:50000 a windows security window ask for a windows user. If we put a windows user, then the sap logon window appears, and you put the user and password and the windows does nothing. If we put the sap user with bad password it says that the authentication fails. But, if we put a sap user in the windows authentication windows, it works and we can logon to the sytem information window (for example). We can logon only to the information pages. We cannot logon to the ume, because the windows authentication window doesn’t appear.

    We have tried to restore to a previous situation and the backup has failed.

    Can you help us to go back to a stable point, please?

    Thanks and best regards,

    (0) 
    1. Holger Bruchelt Post author
      Hi,

      I guess something is wrong with your Authentication template. Can you log in to Visual administrator and make sure that under Security Provider -> Policy Configuration -> Ticket you have the authentication template spnego assigned (see also last screenshot on Configuring and troubleshooting SPNego — Part 1).

      If you just want to revert, then change the configuration back to simple BasicPasswordLogin (e.g. http://help.sap.com/saphelp_nw70/helpdata/en/04/120b40c6c01961e10000000a155106/frameset.htm -> Sample Login Module Stack for Creating and Accepting Logon Tickets).

      Regards,

      Holger.

      (0) 
  7. Bishnu Priya Sahoo
    Hi Holger,

    SP Nego authenticationn is working fine ,but from some PCs,when hitting the portal URL ,we are getting an additional pop up window asking for credentials when the site is not added to the local Intranet sites.If we cancel the window or provide the credentails ,it lands up in the portal page.
    Is there a way to get rid of this window as few URLs in our case are used from Mobile devices and its difficult to log in now.

    Regards,
    Bishnu Priya

    (0) 
  8. Thomas Clemens
    Hi Holger,

    I tried to configure SPNEGO on an Dual-Stack System.
    SSO is not working yet (authentication with username/password necessary) but even worse, I can not login to Visual Administrator tool anymore.

    #1.#005056B9017C007B00000038000015CF0004AEB0D72B63C9#1317974454264#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0##n/a##46b11ab0f0ba11e08480005056b9017c#SAPEngine_Application_Thread[impl:3]_29##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
    User: N/A
    Authentication Stack: SAP-J2EE-Engine

    Login Module Flag Initialize Login Commit Abort Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false true javax.security.auth.callback.UnsupportedCallbackException: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <–Localization failed: ResourceBundle=’com.sap.engine.services.security.exceptions.SecurityResourceBundle’, ID=’Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1b2f7c7′, Arguments: []–> : Can’t find resource for bundle java.util.PropertyResourceBundle, key Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1b2f7c7
    at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
    at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl_Skel.dispatch(RemoteCallbackHandlerImpl_Skel.java:63)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:330)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
    at com.sap.engine.services.rmi_p4.DispatchImpl.run(DispatchImpl.java:721)
    at java.lang.Thread.run(Unknown Source)

    2. com.sap.security.spnego.SPNEGOLoginModule OPTIONAL ok exception true true Could not get authorization header from request. Reason: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <–Localization failed: ResourceBundle=’com.sap.engine.services.security.exceptions.SecurityResourceBundle’, ID=’Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1e33b64′, Arguments: []–> : Can’t find resource for bundle java.util.PropertyResourceBundle, key Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@1e33b64
    at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
    at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl_Skel.dispatch(RemoteCallbackHandlerImpl_Skel.java:63)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:330)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
    at com.sap.engine.services.rmi_p4.DispatchImpl.run(DispatchImpl.java:721)
    at java.lang.Thread.run(Unknown Source)

    3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false false true
    4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true true
    5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok true exception true javax.security.auth.callback.UnsupportedCallbackException: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <–Localization failed: ResourceBundle=’com.sap.engine.services.security.exceptions.SecurityResourceBundle’, ID=’Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@11efdaf’, Arguments: []–> : Can’t find resource for bundle java.util.PropertyResourceBundle, key Handler com.sap.engine.services.adminadapter.gui.tasks.LoginTask@31fc6b does not support callback com.sap.engine.services.security.remote.login.SerializableGetterCallback@11efdaf
    at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl.handle(RemoteCallbackHandlerImpl.java:92)
    at com.sap.engine.services.security.remoteimpl.login.RemoteCallbackHandlerImpl_Skel.dispatch(RemoteCallbackHandlerImpl_Skel.java:63)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:330)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
    at com.sap.engine.services.rmi_p4.DispatchImpl.run(DispatchImpl.java:721)
    at java.lang.Thread.run(Unknown Source)

    I can login to the Java-Stack via http with the same user.

    Is there another way to change the login module stack than with the visual administrator.

    btw: Java-stack is NW7.0 SPS19 and we deployed the “new” spnego module (Hinweis 1457499 – SPNego-Add-on)

    Deploying with SDM (I tried to deploy the diagtool) is also not possible due to login failure.

    Do you have any hint what can be done?

    Many thanks in advance!

    Best Regards
    Thomas

    (0) 

Leave a Reply