SSO with Secure Login Server: Enrollment Failed

Former Member

Hi Community gurus,

we are trying to set up NW SSO 1.0 in our SAP environment, using Secure Login Server and X.509 certificates. I've gone through some guides and feel I've got everything ready, but when I log into an end user machine and open the SL Client, it shows a grey X.509 certificate with the text "you are not logged in." The Kerberos token above it looks correct (my user ID and it is active).

When I look into the Secure Login Client trace after such an attempt, I see (among lots of other output I'll spare you unless you need it) this text:

sbus | sbus | Supplied Credentials not accepted by the server.Enrollment failed

What kind of credentials is the Secure Login Server expecting from the client? Do I have to turn on certificate authentication in NWA of the SLS? I thought the Kerberos token was supposed to authenticate me to the SLS and SLS would query the AD for my authenticity?

Any assistance would be greatly appreciated!

Thanks,

Peter

Accepted Solutions (1)

Former Member

How are you authenticating the clients on the SLS? Have you configured SecureLoginModuleLDAP? NWSSO is probably one of the best documented recently released products with videos and extensive guides available to assist you with the installation. If you are using SPNEGO, can you login to SLS without it prompting for credentials? See the video below on how to configure the SLS with SPNEGO for automatic provisioning of X.509 certificates.

http://scn.sap.com/docs/DOC-32701

Former Member

Hello Samuli,

under "Server Configuration" the External Login JAAS Module is set to SecureLoginModuleLDAP, and under Instance Management -> "DefaultServer Configuration", the Authentication Name is SPNegoLoginModule. Is that the right combination for using the SLS-offered X.509 functionality? I have watched the videos and even grabbed the recent Best Practices guide at

http://scn.sap.com/docs/DOC-32787

I'm all the more confused because all of the docs/videos seem to imply that as soon as the SL Client is installed, the X.509 cert will be issued from SL Server right away. I however keep getting the error in my attached screenshot (above). I'm wondering if my "Profile" might have errors:

Profile Name: X.509 SSO Authentication

PSE Type: windowslogin

Enroll URL: https://<my FQHN>:50001/securelogin/PseServer

HttpProxyURL:

Grace Period: 0

InactivityTimeout: 0

Auto-Reenroll Attempts: 0

Key Size: 1024 (this is the same as the User CA I created in Certificate Management)

NewPinType: pin

Unique Client ID:

Network Timeout: 5

Reauthentication: 0

SSL Host Common Name Check: false

SSL Host Alternative Name Check: false

SSL Host Extension Check: false

User Warning MSIE: false

Auto-Enroll: True

Do you all have similar settings, or did I set something wrong? What is the NewPinType for? Do I have to set a Unique Client ID?

Since there is basically no configuration option on the Secure Login Client, I can only assume that these above values are the ones affecting my ability to retrieve a certificate.

Thanks in advance for all your help!
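The profile above switches off all three SSL host checks, which is what binds the Enroll URL's host name to the server certificate the client receives. The following is an added example, not SAP code and not part of this thread: it models what the "SSL Host Common Name Check" and "SSL Host Alternative Name Check" options decide, using a constructed certificate shape (subject CN plus subjectAltName DNS entries) and a host name of the example's own choosing. The "SSL Host Extension Check" option is not described on this page and is not modelled.

```python
"""Added example: host-name verification as the Secure Login Client profile's
"SSL Host Common Name Check" / "SSL Host Alternative Name Check" options would
apply it.  Not SAP code: the certificate dict shape, the host names and the
matching rules below are this example's own assumptions."""
from urllib.parse import urlparse


def match_dns_name(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    a single leading wildcard label may stand in for exactly one host label
    and at least two fixed labels must remain (no "*.example")."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return (len(p_labels) == len(h_labels)
                and len(p_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def verify_enroll_host(enroll_url: str, cert: dict,
                       cn_check: bool, san_check: bool):
    """Return (accepted, reason) for connecting to enroll_url with the given
    server certificate under the two profile checks.
    cert = {"subject_cn": str, "san_dns": [str, ...]}  (constructed shape)."""
    host = urlparse(enroll_url).hostname
    if host is None:
        return False, "Enroll URL has no host"
    if not cn_check and not san_check:
        # Both checks off (the profile in the post): any certificate the
        # trust store accepts is taken for any host, so a valid certificate
        # issued for some other server would be accepted on this URL too.
        return True, "host checks disabled; certificate not bound to host"
    if san_check:
        san = cert.get("san_dns", [])
        if san:  # SAN present: it is authoritative and the CN is ignored
            if any(match_dns_name(n, host) for n in san):
                return True, "matched subjectAltName"
            return False, f"no subjectAltName entry matches {host}"
        if not cn_check:
            return False, "no subjectAltName and CN check disabled"
    if cn_check and match_dns_name(cert.get("subject_cn", ""), host):
        return True, "matched subject CN"
    return False, f"certificate does not name {host}"


# Constructed sample data: the SLS certificate, a certificate for some other
# host in the same domain, and an Enroll URL shaped like the one in the post.
SLS_CERT = {"subject_cn": "sls.corp.example", "san_dns": ["sls.corp.example"]}
OTHER_CERT = {"subject_cn": "intranet.corp.example",
              "san_dns": ["intranet.corp.example"]}
ENROLL_URL = "https://sls.corp.example:50001/securelogin/PseServer"

if __name__ == "__main__":
    for cert in (SLS_CERT, OTHER_CERT):
        for cn, san in ((True, True), (False, False)):
            print(cert["subject_cn"], "cn_check=%s san_check=%s" % (cn, san),
                  verify_enroll_host(ENROLL_URL, cert, cn, san))
```

With both checks set to false, as in the profile above, the second certificate is accepted for the SLS URL as well; with either check on, only the certificate that actually names the host passes.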

Former Member

You didn't answer my question: are you able to log in to SLS using SPNEGO, without it prompting you for credentials? As far as I know SPNEGO is the only way of having automatic provisioning of X.509 certificates with SLS. Is SSL properly configured on your AS JAVA, meaning can you access it with HTTPS without certificate errors? In the Best Practices guide it is assumed that SSL has been previously set up on AS JAVA.

Former Member

Hi Samuli,

I didn't understand your question at first, but the answer is yes-and-no. I have set up SPNEGO as mentioned in the guides, with an AD service user and servicePrincipalName, but I still access the SLS console by logging in with the Admin user. Did I miss something there? Should I have access to SLS via SPNEGO as a prerequisite?

As for SSL, I have a functioning SSL setup on the AS Java, and I use https when working in the SLS Console, so that part is functioning.

Another question: what Component should I use for NW SSO if I want to open this as a ticket to SAP Support?

thanks a lot!

-Peter

Former Member

Hello Samuli,

Now I understand - I had not fully implemented SPNEGO in my SLS Java Server. This is how I solved my issue:

I changed the UME store on my SLS Server (in NWA) from DB only to DB+LDAP (using the Active Directory flat hierarchy read only datasource, in my case). Then I changed the SPNEGO configuration to be Principal Only - matched to UserID. After restarting the Server and ensuring that my UME could now query the LDAP for users, I logged into my end machine again and now I get the X.509 certificate.

So that means that the authentication error was happening on the SPNEGO level: it couldn't match a user in SLS with my user in LDAP. The UME changes above fixed it.

Thanks a lot for your help and for sharing your expertise in the community!

-Peter
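The fix in the post above comes down to principal resolution: the SPNEGO module receives a Kerberos principal, and the UME has to find a matching user in one of its data sources. The following is an added example, not SAP code and not part of this thread, that models that lookup on constructed user records. The two mode names, the realm constant and the rule that a principal from a foreign realm is refused before any lookup are this example's own assumptions, included because stripping the realm without checking it would let the user part of a principal from another realm match a local account.

```python
"""Added example: mapping the Kerberos principal from a SPNEGO token to a UME
user, depending on the mapping mode and on which data sources the UME is
configured with.  Not SAP code; user records, realm and mode names are
constructed for this example."""

KERBEROS_REALM = "CORP.EXAMPLE"  # assumption: the AD realm the server trusts

# Constructed UME data sources.  The server's own database only knows the
# local administrator; domain users exist only in Active Directory (LDAP).
UME_DB = {"name": "DB", "users": {"administrator": {"id": "Administrator"}}}
UME_LDAP = {"name": "LDAP (AD, read-only)",
            "users": {"peter": {"id": "peter",
                                "dn": "CN=Peter,OU=Users,DC=corp,DC=example"}}}


def resolve_spnego_principal(principal: str, mode: str, datasources: list):
    """Return (ok, detail).

    mode == "principal_only":  realm stripped, the user part is matched
                               against the UME logon ID
    mode == "full_principal":  user@REALM matched as a whole
    A principal whose realm is not the trusted one is refused before any
    lookup (this example's own safeguard), so stripping the realm cannot
    turn attacker@OTHER.REALM into the local user 'attacker'."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        return False, "malformed principal"
    if realm.upper() != KERBEROS_REALM:
        return False, f"realm {realm} not trusted"
    if mode not in ("principal_only", "full_principal"):
        return False, f"unknown mapping mode {mode}"
    key = user.lower() if mode == "principal_only" else principal.lower()
    for ds in datasources:
        record = ds["users"].get(key)
        if record is not None:
            return True, f"{record['id']} via {ds['name']}"
    names = [ds["name"] for ds in datasources]
    return False, f"no UME user matches '{key}' in {names}"


if __name__ == "__main__":
    token_principal = "peter@CORP.EXAMPLE"  # constructed, as carried in the token
    # DB-only UME: the lookup fails even though the Kerberos token is valid.
    print(resolve_spnego_principal(token_principal, "principal_only", [UME_DB]))
    # DB + LDAP UME with principal-only mapping: the user is found in AD.
    print(resolve_spnego_principal(token_principal, "principal_only",
                                   [UME_DB, UME_LDAP]))
    # Full-principal mapping needs a logon ID of the form user@REALM.
    print(resolve_spnego_principal(token_principal, "full_principal",
                                   [UME_DB, UME_LDAP]))
    # Foreign realm: refused regardless of data sources.
    print(resolve_spnego_principal("peter@EVIL.EXAMPLE", "principal_only",
                                   [UME_DB, UME_LDAP]))
```

The first call reproduces the situation before the fix (valid token, no matching UME user); the second is the configuration that worked.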
