SAP NW 7.40: SPNego authentication failed

Former Member
0 Kudos

Hello,

I used SPNego on NW 7.01.

I have upgraded my system from NW 7.01 to NW 7.40.

I have regenerated the SPNego with the SPNego Wizard.

I have recreated the entry spnego with offlinecfgeditor (template=spnego)... I had to delete it after the upgrade to be able to connect to the system.

Now, I can't connect using SPNego:

LOGIN.FAILED
User: N/A
IP Address: 128.41.15.233
Authentication Stack: sap.com/SSOEAR*login
Authentication Stack Properties:
        policy_domain = /login
        realm_name = Upload Protected Area

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true
        #1 trusteddn1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
        #2 trustediss1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
        #3 trustedsys1 = D39,000
        #4 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true      SPNego authentication has failed during previous attempt.
        #1 com.sap.security.spnego.legacy = false
        #2 com.sap.spnego.creds_in_thread = true
        #3 com.sap.spnego.jgss.name = DJ1SAPSSO@EMEA.LOREAL.INTRA
        #4 com.sap.spnego.uid.resolution.attr = krb5principalname
        #5 com.sap.spnego.uid.resolution.mode = simple
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true
        #1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true
        #1 ume.configuration.active = true

No logon policy was applied


Can you help me?

Regards

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hello,

Yes, I removed the old Realm, restarted the system and then launched the SPNego wizard.

After that, I reimported the old keytab.

Regards

0 Kudos

Hello Chris,

I am having the exact same problem, only the target stack is NW 7.31 instead of 7.4.

Did you manage to solve this?

If so, how?

Former Member
0 Kudos

Hello,

I had to re-import the keytab generated with JDK 1.4.2 in the SPNego wizard.

Regards

0 Kudos

Hello Chris,

Thanks for the prompt answer.

In my system, when I added the SPNegoLoginModule and went to the SPNego tab I already found the "old" Realm configured.

So what you did was to "Remove" that realm, recreating it, reimporting the old keytab into the Wizard?

Thanks

Marco

davefitzgibbon
Advisor
0 Kudos

Hello,

I would like to point out that the error you have provided, "SPNego authentication has failed during previous attempt", does not show us why SPNego is failing. This means there are still references in the cache and the trace will not show us the real reason for failure.

Please clear the browser cache, then close all browser sessions.

Reproduce a logon with the security troubleshooting wizard again and paste the output here.

Regards,

David

tim_alsop
Active Contributor
0 Kudos

Your stack looks wrong.

Instead of:

com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE


I would expect to see:


com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL


Thanks

Tim


Former Member
0 Kudos

Hello,

Where could I change it?

Do I need to remove and redo the SPNego Wizard?

Regards

tim_alsop
Active Contributor
0 Kudos

The login module auth stack is found in NWA or in Visual Administrator (depending on which version of NetWeaver you are using).

Thanks

Tim

Former Member
0 Kudos

OK.

I found it in NWA but even if I use edit mode, I can't change it.

Furthermore, I took a look at an old system (NW 7.01) and it works with:

CreateTicketLoginModule               REQUISITE


Regards

tim_alsop
Active Contributor
0 Kudos

It was wrong in your old system as well as being wrong in the new system.

You might find that when SPNEGO fails and user ID and password are used instead, the user enters their password and it won't generate a logon ticket. This is why it needs to be correct.

Thanks

Tim
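
A small check that applies the two review points from this thread to a troubleshooting-wizard capture, added here as an example and not code from any poster or from SAP: it flags the cached "previous attempt" message davefitzgibbon describes and compares the end of the stack with the flags tim_alsop expects. The sample rows are constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the troubleshooting output quoted in this thread.
SAMPLE = """\
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule  SUFFICIENT  ok  false  true
2. com.sap.security.core.server.jaas.SPNegoLoginModule  OPTIONAL  ok  exception  true  SPNego authentication has failed during previous attempt.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule  SUFFICIENT  ok  false  true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule  REQUISITE  ok  false  false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule  REQUISITE  ok  false  true
"""
# Row layout: position, class, flag, Initialize, Login, then the remaining columns.
ROW = re.compile(
    r"^\s*(\d+)\.\s+(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s+(\S+)\s+(\S+)\s*(.*)$")
# End of the stack as given in tim_alsop's reply: (short class name, flag).
EXPECTED_TAIL = [("CreateTicketLoginModule", "SUFFICIENT"),
                 ("BasicPasswordLoginModule", "REQUISITE"),
                 ("CreateTicketLoginModule", "OPTIONAL")]
STALE = "failed during previous attempt"

def parse_stack(text):
    """Return one dict per login-module row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pos, cls, flag, _init, login, rest = m.groups()
            rows.append({"pos": int(pos), "module": cls.rsplit(".", 1)[-1],
                         "flag": flag, "login": login, "rest": rest.strip()})
    return rows

def review(rows):
    """List findings: cached-failure messages first, then stack-tail mismatches."""
    findings = []
    for r in rows:
        if r["login"] == "exception" and STALE in r["rest"]:
            findings.append(f"{r['pos']}: {r['module']} reports a cached failure, not the "
                            "root cause; clear the browser cache, close all browser "
                            "sessions and reproduce the logon")
    tail = rows[-len(EXPECTED_TAIL):]
    if len(tail) < len(EXPECTED_TAIL):
        return findings + ["stack is shorter than the expected tail"]
    for r, want in zip(tail, EXPECTED_TAIL):
        if (r["module"], r["flag"]) != want:
            findings.append(f"{r['pos']}: found {r['module']} {r['flag']}, "
                            f"expected {want[0]} {want[1]}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(parse_stack(SAMPLE))))
```
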