
SAP EP Portal

rezaejersbo
Participant
0 Kudos

Hello all,

I am doing SSO configuration of the EP portal with LDAP.

I have configured UME to use LDAP and configured SPNego in the EP portal. Do I need any more configuration for SSO?

Is it possible to change the LDAP user path in identity management?

I have configured UME to connect to the LDAP server, and I had chosen the wrong user path.

My user in the domain controller is not on this path.

Thanks for any help

Reza

Accepted Solutions (1)


hemanth2
Product and Topic Expert
0 Kudos

Dear Reza,


Hope you are doing good.

You can just make the change in the UME datasource configuration file. For example:

*******************************************************************

<ume.ldap.access.base_path.grup>OU=GenericGroups,OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.grup>               

<ume.ldap.access.base_path.user>OU=GenericUsers,OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.user>               

<ume.ldap.access.base_path.uacc>OU=GenericUsers,OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.uacc>

*******************************************************************

Then restart for the changes to take effect.

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

Thanks for the reply. I have actually done this and it is working.

I need some advice for the SSO connection. I am on EP Portal 7.31, last SP.

I have done the configuration in identity management so UME has contact with LDAP, and I configured SPNego.

Now I cannot log in to the Portal with my LDAP user. SSO is not working.

Did I forget something?

The only thing I have not done is add the server name to the browser security sites, because that is greyed out.

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Dear Reza,

Only the trace files will help us here. Kindly run the web diag tool as outlined in SAP Note No. 1332726 - Troubleshooting Wizard SAP AS Java 7.20 and above with incident "General Security" and reproduce the issue. Click on Start, reproduce the error, click on Stop and attach to this message the zip file generated. Also attach the below files as well when you reproduced the issue along with the diagtool output:

/usr/sap/<SID>/J<nr>/j2ee/cluster/server0/logs/default trace (latest).

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

Strange, now I can log in to the portal but still with user name and password. There is no error.

I have added the trace file; please remove the txt, this is a zfile.

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Dear Reza,

Hope you are doing good.

Thank you for the logs. They have been very helpful. The error is:

*****************************************

NTLM token found in authorization header during SPNEGO authentication

2. com.sap.security.core.server.jaas.SPNegoLoginModule  OPTIONAL  ok  exception  true  NTLM token received in authorization header.

*****************************************

Can you please review and apply the following SAP Note: 1649110 - SPNego for Kerberos Authentication: NTLM token received in authorization header.

In such cases the issue is either with your browser or Active Directory configuration.

Hope this helps.

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

I have tried to logon in EP portal from another server. And I get another error in trace file.

The first trace file is when I tried to logon from portal server.

Any idea?

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Dear Reza,

In this case, BasicPasswordLoginModule was used and SPNEGO was bypassed:

*******************************************************************

Logon is successful.

22:11:25:756 Debug XREJ HTTP Worker [@496326755],5,D... ...ogon(request, response, authscheme) The logon user principal is: XREJ (authentication method: password)

*******************************************************************

Actually SPNEGO failed.

This trace is not valid. Please clear all the cache and login again and trigger a trace if needed.

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

Actually this is the problem: SPNEGO was bypassed. I get a prompt for logon and password.

My users are synchronized with LDAP and SPNego is configured by the wizard on 7.31.

Here is the last trace after clearing the cache.

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Dear Reza,

Even now, SPNEGO was not used:

*******************************************************************

SPNego authentication has failed during previous attempt.The logon user principal is: XREJ (authentication method: password)

*******************************************************************

SPNEGO did fail; but this has not been captured.

You have to log off from the OS (so that LDAP log off also happens), then reproduce the issue so that SPNEGO fails.

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

I had logged off from the OS, and actually restarted the SAP portal and server. But it is still the same: I get a prompt for login and password.

I had started the trace wizard from the SAP server and tried to log on to the portal from another server. The same.

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Hi Reza,

Did you check SAP Note 1649110 that I mentioned earlier? In your case, the browser sends a request which contains an NTLM token, instead of a Kerberos one, so AS Java rejects it and as a result the login fails, since AS Java needs a Kerberos token for the authentication. Please contact the domain controller vendor and the browser vendor in order to check why the browser sends an NTLM token to AS Java, instead of a Kerberos one.

I am not sure whether there are any more steps from the SAP Application Server JAVA end.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content
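
The NTLM-versus-Kerberos distinction described in the reply above can be checked directly on a captured `Authorization` header value. This is an added example, not part of the original thread and not SAP code; the function names and the sample tokens are constructed for illustration, and the check covers only the first token the browser sends.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                            # signature of every NTLM message


def classify_authorization(header_value):
    """Classify the first token a browser sends: 'ntlm', 'kerberos', 'absent' or 'unknown'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not blob.strip():
        return "absent"  # e.g. Basic, or no token at all
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP):
        return "ntlm"  # raw NTLM sent under the Negotiate scheme
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"  # not a GSS-API InitialContextToken
    # Skip the DER length: short form is 1 byte, long form is 1 + n bytes.
    pos = 2 + ((token[1] & 0x7F) if token[1] & 0x80 else 0)
    body = token[pos:]
    if body.startswith(KRB5_OID):
        return "kerberos"  # Kerberos token without an SPNEGO wrapper
    if body.startswith(SPNEGO_OID):
        if NTLMSSP in body:
            return "ntlm"  # NTLM carried as the SPNEGO mechToken
        if KRB5_OID in body:
            return "kerberos"  # Kerberos is the offered mechanism
    return "unknown"


def tlv(tag, payload):
    """Constructed-sample helper: DER tag-length-value, short lengths only."""
    return bytes([tag, len(payload)]) + payload


def sample_headers():
    """Constructed header values (not taken from the thread's trace files)."""
    ntlm = NTLMSSP + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2"
    neg_init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, KRB5_OID))))
    krb = tlv(0x60, SPNEGO_OID + neg_init)
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode("ascii")
    return {"ntlm": enc(ntlm), "kerberos": enc(krb), "password": "Basic dXNlcjpwdw=="}


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, "->", classify_authorization(value))
```

A base64 value beginning `TlRMTVNTUA` is an NTLM message; real Kerberos tokens are long enough to need a long-form DER length and so typically begin `YII`.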

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

Thanks again for the reply.

Yes, I did check the mentioned note.

I will contact the domain controller vendor and ask them to run the ldifde -r command and check the result for the AD system user.

And contact the browser vendor too.

I am wondering if it is possible to delete the SPNego connection and recreate it with the wizard again.

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Yes, that is a possibility as well.

Please see SAP NOTE 2029432 - Spnego wizard walkthrough for 7.3/7.4 netweaver versions

As you already know there are 3 participants in an SPNego authentication scenario: KDC, browser and AS Java.

So, the issue resolution depends on which area is affected.

rezaejersbo
Participant
0 Kudos

I had used the same note to configure SPNego. I believe I got it from you.

I will first check with the browser and domain controller vendors, to see that everything is working.

Thanks again. I will come back with the result.

Reza

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

I had used the same system user for configuring UME with the LDAP server and for the SPNego configuration.

Can it be the reason SPNego is not working? Because I had used the same user?

Thanks

Reza

rezaejersbo
Participant
0 Kudos

Dear Hemanth,

I am still trying to find a solution for this connection. There is no error in the trace.

Is it possible the problem is that the PC my user is using to log in to SAP Portal belongs to another domain controller?

I have this from the trace file:

Thanks

Reza

hemanth2
Product and Topic Expert
0 Kudos

Hi Reza,

That is not an error. When SPNEGO is used, the first logon attempt fails and only then SPNEGO is triggered; so that part is fine.


_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth
