Former Member

SAP NW 7.40 : SPNego authentication failed

Hello,

I used SPNego on NW 7.01.

I have upgraded my system from NW7.01 to NW 7.40.

I have regenerated the spnego by SPNego Wizard.

I have recreated the spnego entry with offlinecfgeditor (template=spnego)... I had to delete it after the upgrade to be able to connect to the system.

Now, I can't connect using SPNego:

LOGIN.FAILED

User: N/A

IP Address: 128.41.15.233

Authentication Stack: sap.com/SSOEAR*login

Authentication Stack Properties:

        policy_domain = /login

        realm_name = Upload Protected Area

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      

        #1 trusteddn1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE

        #2 trustediss1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE

        #3 trustedsys1 = D39,000

        #4 ume.configuration.active = true

2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true      SPNego authentication has failed during previous attempt.

        #1 com.sap.security.spnego.legacy = false

        #2 com.sap.spnego.creds_in_thread = true

        #3 com.sap.spnego.jgss.name = DJ1SAPSSO@EMEA.LOREAL.INTRA

        #4 com.sap.spnego.uid.resolution.attr = krb5principalname

        #5 com.sap.spnego.uid.resolution.mode = simple

3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      

        #1 ume.configuration.active = true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     

5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      

        #1 ume.configuration.active = true

No logon policy was applied


Can you help me?

Regards


4 Answers

  • Apr 17, 2014 at 01:09 PM

    Hello,

    I would like to point out that the error you have provided, "SPNego authentication has failed during previous attempt", does not show us why SPNego is failing. This means there are still references in the cache, and the trace will not show us the real reason for the failure.

    Please clear the browser cache, then close all browser sessions.

    Reproduce a logon with the security troubleshooting wizard again and paste the output here.

    Regards,

    David
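
The point made in the answer above, as an added example that is not part of the original thread and not SAP code: a small Python parser for login-module rows in the layout quoted in the question, which labels an SPNego exception as a cached failure when its Details text is the "previous attempt" message. The sample text is constructed (the realm is a placeholder), and the function names and labels are assumptions of this example.

```python
import re

# Constructed sample in the layout of the troubleshooting-wizard output quoted
# in the question (realm replaced by a placeholder).
SAMPLE = """\
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule   SUFFICIENT  ok  false        true
        #1 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule   OPTIONAL  ok  exception        true  SPNego authentication has failed during previous attempt.
        #1 com.sap.spnego.jgss.name = SERVICEUSER@EXAMPLE.REALM
        #2 com.sap.spnego.uid.resolution.mode = simple
3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE  ok  false        false
"""

ROW = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+(SUFFICIENT|OPTIONAL|REQUISITE|REQUIRED)\s+(.*)$")
OPT = re.compile(r"^\s*#\d+\s+(\S+)\s*=\s*(.*)$")
STATES = {"ok", "true", "false", "exception"}

def parse_stack(text):
    """Return one dict per login module row, with its '#n key = value' options."""
    modules = []
    for line in text.splitlines():
        row, opt = ROW.match(line), OPT.match(line)
        if row:
            cells = re.split(r"\s{2,}", row.group(4).strip())
            # Commit is often blank, so only Initialize, Login and the trailing
            # free-text Details cell are read; Commit/Abort are not guessed.
            details = cells[-1] if cells[-1] not in STATES else ""
            modules.append({"pos": int(row.group(1)), "module": row.group(2).rsplit(".", 1)[-1],
                            "flag": row.group(3), "initialize": cells[0],
                            "login": cells[1] if len(cells) > 1 else "",
                            "details": details, "options": {}})
        elif opt and modules:
            modules[-1]["options"][opt.group(1)] = opt.group(2).strip()
    return modules

def triage(modules):
    """Label each module whose login step threw: cached failure or a reported detail."""
    findings = []
    for m in modules:
        if m["login"] != "exception":
            continue
        cached = "previous attempt" in m["details"].lower()
        findings.append((m["module"], m["flag"], "cached-failure" if cached else "reported-detail"))
    return findings

if __name__ == "__main__":
    for name, flag, kind in triage(parse_stack(SAMPLE)):
        print(f"{name} [{flag}]: {kind}")
```

A `cached-failure` result means the trace has to be reproduced after the cache is cleared before it says anything about the cause.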


  • Apr 17, 2014 at 08:16 AM

    Your stack looks wrong.

    Instead of:

    com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT

    com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE

    com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE


    I would expect to see:


    com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT

    com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE

    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL


    Thanks

    Tim



    • It was wrong in your old system as well as being wrong in the new system.

      You might find that when SPNEGO fails and user ID and password are used instead, the user enters their password and it won't generate a logon ticket. This is why it needs to be correct.

      Thanks

      Tim

  • Jun 10, 2014 at 11:07 AM

    Hello Chris,

    I am having the exact same problem, only the target stack is NW 7.31 instead of 7.4.

    Did you manage to solve this?

    If so, how?


    • Hello Chris,

      Thanks for the prompt answer.

      In my system, when I added the SPNegoLoginModule and went to the SPNego tab I already found the "old" Realm configured.

      So what you did was to "Remove" that realm, recreating it, reimporting the old keytab into the Wizard?

      Thanks

      Marco

  • Former Member
    Jun 19, 2014 at 06:50 AM

    Hello,

    Yes, I removed the old Realm, restarted the system and then launched the SPNego wizard.

    After that, I have reimported the old keytab.

    Regards
