on 08-19-2016 7:20 PM
Hello All,
I have configured SSO for the SAP portal with LDAP.
The system user is created, and the Java part was done with the SPNego wizard.
The browser setup is correct.
There is no error in the trace file. I get the prompt for the logon page. I have not been able to find any solution for this for some time.
I have this from trace file:
Thanks for any help
Reza
Hello Reza,
A TSHW trace should be created as per note 1332726 and the SPNego related messages should be reviewed. There must be another SPNego login attempt above. This message does not contain information about the root cause.
Best Regards,
Peter
Hello Reza,
As I see it, the SPNego authentication is triggered properly. The first LOGIN.FAILED message is fine and expected. But then the AS Java receives an unexpected token (Negox). We should see an "SPNego token received" message here.
It is a similar issue to the one described in this KBA (though not the same): 1649110.
Best Regards,
Peter
Dear reza,
This command should work:
ldifde -r (samaccountname=XXX) -f output.txt
In case of issues, please see SAP Note 565397 and :
Hope this helps.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
Dear Reza,
Hope you are doing good.
Please check SAP Note 1639133 - Not able to login after new spnego failed due to NegoEx
The browser or AD is sending the SAP system a NegoEx token instead of a Kerberos token, and that's the issue. If the token is correct, the value should start with "YII" and not "YIG" (as in your case).
Another option would be to unselect DES on the AD side for the service user, then recreate the keytab file (with a 1.6 JDK as per the documentation attached to note 1488409).
Hope this helps.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content
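To see which mechanisms a Negotiate token from the trace actually offers, the base64 value can be decoded and the SPNEGO mechTypes list read out. The following is an added example, not part of the original thread; the function names and the zero-filled sample tokens are constructed for illustration.

```python
import base64

# DER bodies of the mechanism OIDs that can appear in a Negotiate token.
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",                # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos V5",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",       # 1.3.6.1.4.1.311.2.2.10
    bytes.fromhex("2b06010401823702021e"): "NegoEx",        # 1.3.6.1.4.1.311.2.2.30
}
OID = {name: der for der, name in MECHS.items()}

def read_tlv(buf, pos):
    # Return (tag, value_start, value_end) of the DER element at pos.
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def offered_mechs(header_value):
    # List the mechTypes of an "Authorization: Negotiate <base64>" value.
    raw = base64.b64decode(header_value.split()[-1])
    tag, pos, _ = read_tlv(raw, 0)          # 0x60: GSS-API InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial token")
    _, s, pos = read_tlv(raw, pos)          # thisMech must be SPNEGO
    if MECHS.get(raw[s:pos]) != "SPNEGO":
        raise ValueError("token is not wrapped in SPNEGO")
    for want in (0xA0, 0x30, 0xA0, 0x30):   # NegTokenInit, SEQUENCE, mechTypes, SEQUENCE OF
        tag, pos, end = read_tlv(raw, pos)
        if tag != want:
            raise ValueError("unexpected NegTokenInit layout")
    names = []
    while pos < end:
        _, s, pos = read_tlv(raw, pos)
        names.append(MECHS.get(raw[s:pos], raw[s:pos].hex()))
    return names

def _tlv(tag, body):
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def constructed_token(mech_names, ticket_len):
    # Constructed sample, not a capture: zero-filled mechToken of ticket_len bytes.
    mechs = b"".join(_tlv(0x06, OID[m]) for m in mech_names)
    init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, mechs)) + _tlv(0xA2, _tlv(0x04, bytes(ticket_len))))
    return base64.b64encode(_tlv(0x60, _tlv(0x06, OID["SPNEGO"]) + _tlv(0xA0, init))).decode()
```

Passing the value copied from the trace to `offered_mechs` shows whether a Kerberos OID is in the list at all; a list containing only NegoEx and NTLMSSP means the client never obtained a Kerberos ticket for the SPN.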
Hi Reza, just to rule out an SAP bug, are you on the patch level mentioned in SAP Note 1639133?

Software Component | Support Package | Patch Level |
---|---|---|
ENGINEAPI 7.20 | SP005 | 000009 |
 | SP006 | 000003 |
 | SP007 | 000000 |
ENGINEAPI 7.30 | SP004 | 000004 |
 | SP005 | 000008 |
 | SP007 | 000000 |
ENGINEAPI 7.31 | SP001 | 000002 |
 | SP002 | 000000 |
J2EE ENGINE SERVERCORE 7.20 | SP005 | 000015 |
 | SP006 | 000002 |
 | SP007 | 000000 |
J2EE ENGINE SERVERCORE 7.30 | SP004 | 000004 |
 | SP005 | 000002 |
 | SP007 | 000000 |
J2EE ENGINE SERVERCORE 7.31 | SP001 | 000001 |
 | SP002 | 000000 |
SAP J2EE ENGINE 6.40 | SP027 | 000020 |
 | SP028 | 000008 |
SAP J2EE ENGINE CORE 6.40 | SP029 | 000000 |
SAP J2EE ENGINE CORE 7.00 | SP023 | 000014 |
 | SP024 | 000006 |
 | SP025 | 000003 |
 | SP026 | 000000 |
SAP J2EE ENGINE CORE 7.01 | SP008 | 000012 |
 | SP009 | 000010 |
 | SP010 | 000004 |
 | SP011 | 000000 |
SAP J2EE ENGINE CORE 7.02 | SP006 | 000015 |
 | SP007 | 000011 |
 | SP008 | 000007 |
 | SP009 | 000006 |
 | SP010 | 000001 |
 | SP011 | 000000 |
Dear Hemanth,
This installation is on 7.31 SP18.
I have found different ways to create a service user on the AD server for the SPNego connection.
I am not sure whether "Use DES encryption" should be selected or not.
I had used this on.
Can it be the reason for my error?
I have found this solution too:
Which one is correct when we are using the SPNego Wizard to create the ktab with?
Thanks
Reza
Dear Reza,
The SP level is fine.
You need to run the wizard again, de-selecting DES (then you will see the token value starting with "YII" in the traces).
Please try the below options:
1. Delete the service user on the LDAP server
2. Create a new service user
3. Select the "Password never expires" check on the user's account
4. Make sure the "Use DES encryption" check on the user's account is not selected.
5. Set the SPN accordingly
   Make sure that when searching with the following command, only 1 entry is found:
   ldifde -r (serviceprincipalname=SPN)
6. Create the keytab file using a Java 1.6 version as you did earlier:
   ktab -a <principal_name>@<REALM> -k <keytab_file_name>
7. Run the SPNego Wizard again
Hope this helps.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content
Dear Reza,
Hope you are doing good.
It still looks like Negox token is received.
I have run out of ideas, sorry about this. I would suggest that you involve Microsoft's support on this case. This error happens when the SAP System doesn't receive a Kerberos token. Since the SAP System doesn't have any control over the token that's being sent to it, Microsoft should check why the NegoEx token is being sent.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content