Incomplete SPNEGO settings or problem in keytab file

You may face issues even after making all the settings for SPNego in the guide available with SAP Note 1488409 – New SPNego Implementation.

The reason may be incomplete settings in Visual Administrator not mentioned in the guide above or incorrect keytab file or issue with Client IE Settings or the Password of UME user (the mapped user in UME WAS Java 7.02 correspondingto Active Directory user you have logged-in in the client machine) has expired (initial or productive password) or wrong user mapping defined in SPNego.

We will deal with two of these issues as under:

1. INCOMPLETE SPNEGO SETTINGS:

Go to Visual Administrator

Server0

Services

Security Providers

Under “Runtime” “Policy Configurations”

Under Components Window: Select the “ticket”

In “Authentication” Tab, make sure that “Authentication Template” is “no”

Then add the 5 Login Modules in Order as follows:

EvaluateTicketLoginModule – SUFFICIENT

SPNegoLoginModule – OPTIONAL

CreateTicketLoginModule – SUFFICIENT

BasicPasswordLoginModule – REQUIRED

CreateTicketLoginModule – REQUIRED

Do no bother if nothing is visible in “Options” Tab as yet.

Now, from menu, click on “User Management” and see “Manage Security Stores” at bottom right. Click the Edit button (Pencil at Top) if it is showing Disabled. Then click on “Manage Security Stores” again.

You will see three options under User Stores. Click on”UME User Store” and select “SPNegoLoginModule” and click “View Change Properties” at bottom right.

Under Options Section, type the following in each line (if only 4 lines are visible, do not worry. After clicking “Enter” button in 4th Entry, a new line will be inserted)

Name  Value

com.sap.security.spnego.legacy false

com.sap.spnego.uid.resolution.mode simple

com.sap.spnego.creds_in_thread true

com.sap.spnego.uid.resolution.attr krb5principalname

com.sap.spnego.jgss.name <kerberos-service-user>@<KERBEROS-REALM-IN-CAPITAL LETTERS>

Then save the changes by pressing “OK”

Note: Kerberos realm name is ALWAYS capital letter of Windows Domain Name. If your domain name is company.co.in then Kerberos realm is COMPANY.CO.IN

Also, if you have configured Single-Sign-On with a Backend ABAP or Java System, then check that entries appear under “EvaluateTicketLoginModule”.

Then press the “View” (Spectacles) button again to save the changes.

DO NOT exit Visual Administrator. First check whether you are able to login to http://your-server:5xx00/useradmin with administrator user. If successful, close the Visual Admin. If you face issue in login, either revert the settings in Visual Administrator or search for SAP Note 1082560 – SAP AS Java can not start after running SPNego wizard which resets the settings through ConfigTool.

If you face any issue while accessing other pages of server (modules) in web-browser  (for example, /osp/TicketIssuer ) or if the server prompts for “Basic Authentication” and not accepting Kerberos Ticket (SPNego Authentication) then:

Go to “Security Providers” in Visual Administrator and go to that Component:

For example, go to

sap.com/xapps~osp~services~enterpriseapp*osp_TicketIssuer

In right side, in “Authentication Template” if “basic” is selected, change the same to “ticket”

Do the same for all the “Components” where you face authentication issue.

2. KEYTAB file is wrong or has problem

You can create KEYTAB file with JAVA SDK command ktab.exe or using ktpass.exe available in Windows 2003 Support Tools (or in Domain Controller). See the syntax of each as per your requirement. Sometimes when two versions of Java (JRE or JDK) are installed on the client machine, you may assume that latest JDK is used but the reality may be otherwise. It is important to note that keytab file can be generated anywhere and not necessarily in Domain Controller server which may not have JDK installed. The keytab file contains user’s Kerberos pass-phrase (password) and the name of the service user. The KVNO property may not be relevant. However, if you face issue related to KVNO, open the ADSIEDIT.MSC under Windows 2003 Support Tool, search for the SPNego service user in the AD and click on “Properties”.  See the value of  msDS-KeyVersionNumber and analyze if its value should be what it is. The best remedy is DELETE this user in AD and recreate the same with Original Password.

A quick check on ktab.exe is here:

Go to “Control Panel” and Programs and Feature and make a list of all the Java products installed. Then in command-prompt type the following:

c:> where java.exe

c:> where javac.exe

c:> where ktab.exe

For creating a RC4-HMAC keytab, you must use ktab.exe from JAVA 1.6 SDK platform.

c:\> <path-to-java-1.6-jdk-bin>\ktab.exe -k <keytab-file> -a <spnego-service-user>@<REALM-IN-CAPITAL>

Enter the same password as there for spnego-service-user. Also make sure that password of this user has not expired in AD by log-in to this user. Upload the new keytab file to spnego wizard.

If the issue persists, install the web_diagtool.SDA  tool as per SAP Note 1045019 – Web diagtool for collecting traces and analyze the issue.

If you suspect  that there is issue in client regarding generating Kerberos Ticket (SPNego Token) then download KERBTRAY.EXE tool from Microsoft Site and see if tickets (tokens) are getting generated. You may purge the old tickets to make sure that new tickets are generated.

If you have configured SSO from WAS Java to Backend SAP Systems, make sure that SSO is working correctly before further analysis.