Spnego not working

rezaejersbo
Participant

Hello All,

I have configured SSO for the SAP Portal with LDAP.

The system user is created, and the Java part was done by the SPNego wizard.

The browser setup is correct.

There is no error in the trace file. I get prompted with the logon page. I have not been able to find any solution for this for some time.

I have this from the trace file:

Thanks for any help

Reza

Accepted Solutions (1)

former_member198633
Contributor

Hello Reza,

A TSHW trace should be created as per note 1332726 and the SPNego related messages should be reviewed. There must be another SPNego login attempt above. This message does not contain information about the root cause.

Best Regards,

Peter

rezaejersbo
Participant

Hello Peter,

Thanks for the reply,

I am looking for some solution for this connection problem.

I am adding the trace file. When I open the portal URL I am prompted with the logon page.

Thanks for any help.

Reza 

former_member198633
Contributor

Hello Reza,

As I see it, the SPNego authentication is triggered properly. The first LOGIN.FAILED message is fine and expected. But then the AS Java receives an unexpected token (NegoEx). We should see an "SPNego token received" message here.

It is a similar issue to the one described in this KBA (though not the same): 1649110.

Best Regards,

Peter

rezaejersbo
Participant

Hello Peter.

I used the same service user for the UME connection with LDAP and for the SPNego configuration.

Is it possible that I get this (NegoEx) because of this?

Thanks

Reza

former_member198633
Contributor

Hello Reza,

From the logs I cannot tell. But service user misconfiguration can be a potential root cause. The note I mentioned may be helpful, and may provide hints on what to check.

Regards,

Peter

rezaejersbo
Participant

Hello Peter.

I get this error when I run the ldifde command.

Please see the attached text file.

Thanks

Reza

hemanth2
Product and Topic Expert

Dear Reza,

This command should work:

ldifde -r (samaccountname=XXX) -f output.txt

In case of issues, please see SAP Note 565397 and the Ldifde command reference.

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

rezaejersbo
Participant

Hello,

If an HTTP proxy is used between the client and the server, can that be the reason why we get this error and SSO is not working?

Thanks

Reza

hemanth2
Product and Topic Expert

Dear Reza,

Hope you are doing good.

Please check SAP Note 1639133 - Not able to login after new SPNego failed due to NegoEx

The browser or AD is sending the SAP system a NegoEx token instead of a Kerberos token, and that is the issue. If the token is correct, the value should start with "YII", not with "YIG" (as in your case).

Another option would be to unselect DES on the AD side for the service user, then recreate the keytab file again (with a 1.6 jdk as per the documentation attached to note 1488409).

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content
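The "YII" versus "YIG" rule above is a shortcut for looking at the first bytes of the base64 Negotiate value: "YII" decodes to 0x60 0x82, a GSS-API token whose length field needs two bytes (a Kerberos AP-REQ with a PAC is always that big), while "YIG" decodes to 0x60 0x81, a token under 256 bytes, which a Kerberos ticket never fits in. The authoritative answer is the mechTypes list inside the SPNEGO NegTokenInit: the mechToken belongs to the first mechanism listed, so a token that leads with the NegoEx OID is a client that did not obtain a Kerberos ticket. The following Python is an added example, not code from the thread or from SAP; it builds two constructed sample tokens (the Kerberos one carries opaque padding, not a real ticket) and classifies them the way a practitioner would classify the value pasted from a trace.

```python
import base64

# Mechanism OIDs that appear in the mechTypes list of a Windows client's first SPNEGO
# token (registered values; the short names are how the thread refers to them)
OID_SPNEGO      = "1.3.6.1.5.5.2"
OID_KERBEROS    = "1.2.840.113554.1.2.2"
OID_MS_KERBEROS = "1.2.840.48018.1.2.2"
OID_NTLMSSP     = "1.3.6.1.4.1.311.2.2.10"
OID_NEGOEX      = "1.3.6.1.4.1.311.2.2.30"
MECH_NAMES = {OID_KERBEROS: "Kerberos", OID_MS_KERBEROS: "MS-Kerberos",
              OID_NTLMSSP: "NTLMSSP", OID_NEGOEX: "NegoEx"}

def der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128 with continuation bit on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def build_spnego_init(mech_types, mech_token: bytes) -> bytes:
    """GSS-API initial context token wrapping a NegTokenInit (RFC 4178) whose
    mechToken belongs to the first mechType listed."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_types))
    fields = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, fields)))

def classify_spnego_token(b64: str) -> dict:
    """Name the mechanism the client actually sent, from the base64 Negotiate value."""
    raw = base64.b64decode(b64)
    tag, content, _ = read_tlv(raw, 0)
    if tag != 0x60:
        return {"mech": "not a GSS-API initial token", "mech_types": [], "prefix": b64[:3]}
    _, oid, pos = read_tlv(content, 0)
    this_mech = decode_oid(oid)
    if this_mech != OID_SPNEGO:          # bare Kerberos token without SPNEGO wrapping
        return {"mech": MECH_NAMES.get(this_mech, this_mech), "mech_types": [this_mech], "prefix": b64[:3]}
    _, choice, _ = read_tlv(content, pos)   # [0] NegTokenInit
    _, fields, _ = read_tlv(choice, 0)      # SEQUENCE of its fields
    mech_types, p = [], 0
    while p < len(fields):
        t, c, p = read_tlv(fields, p)
        if t == 0xA0:                        # [0] mechTypes, preferred mechanism first
            _, seq, _ = read_tlv(c, 0)
            q = 0
            while q < len(seq):
                _, o, q = read_tlv(seq, q)
                mech_types.append(decode_oid(o))
    preferred = mech_types[0] if mech_types else None
    return {"mech": MECH_NAMES.get(preferred, preferred), "mech_types": mech_types, "prefix": b64[:3]}

# Constructed sample tokens, not captured from the thread's trace. GOOD_TOKEN mimics a
# client that obtained a service ticket: Kerberos first, mechToken of AP-REQ size (opaque
# padding here, not a real ticket). BAD_TOKEN mimics a client that could not get a ticket
# for the SPN and offers only NegoEx and NTLM.
GOOD_TOKEN = base64.b64encode(build_spnego_init(
    [OID_KERBEROS, OID_MS_KERBEROS, OID_NEGOEX, OID_NTLMSSP], b"\x00" * 1500)).decode()
BAD_TOKEN = base64.b64encode(build_spnego_init(
    [OID_NEGOEX, OID_NTLMSSP], b"\x00" * 100)).decode()

if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        info = classify_spnego_token(tok)
        print(f"{label}: prefix={info['prefix']} mech={info['mech']} offered={info['mech_types']}")
```

Paste the value after "Negotiate " from the Authorization header or the security trace into classify_spnego_token. A client commonly falls back to NegoEx or NTLM when it cannot obtain a Kerberos service ticket for the SPN it derives from the URL host name, so a NegoEx first mechanism points back at the SPN, DNS name and ticket step on the Windows side rather than at the AS Java, which matches the later advice in this thread to involve Microsoft support.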

rezaejersbo
Participant

Dear Hemanth,

DES on the AD side is already not selected for the service user. I used the SPNego Wizard for the SPNego configuration.

Can that be the reason for NegoEx?

Thanks 

hemanth2
Product and Topic Expert

Hi Reza, just to rule out an SAP bug, are you on the patch level mentioned in SAP Note 1639133?

ENGINEAPI 7.20: SP005000009, SP006000003, SP007000000
ENGINEAPI 7.30: SP004000004, SP005000008, SP007000000
ENGINEAPI 7.31: SP001000002, SP002000000
J2EE ENGINE SERVERCORE 7.20: SP005000015, SP006000002, SP007000000
J2EE ENGINE SERVERCORE 7.30: SP004000004, SP005000002, SP007000000
J2EE ENGINE SERVERCORE 7.31: SP001000001, SP002000000
SAP J2EE ENGINE 6.40: SP027000020, SP028000008
SAP J2EE ENGINE CORE 6.40: SP029000000
SAP J2EE ENGINE CORE 7.00: SP023000014, SP024000006, SP025000003, SP026000000
SAP J2EE ENGINE CORE 7.01: SP008000012, SP009000010, SP010000004, SP011000000
SAP J2EE ENGINE CORE 7.02: SP006000015, SP007000011, SP008000007, SP009000006, SP010000001, SP011000000
rezaejersbo
Participant

Dear Hemanth,

This installation is on 7.31 SP18.

I have found a different way to create a service user on the AD server for the SPNego connection.

I am not sure whether "Use DES encryption" should be selected or not.

I had this switched on.

Can that be the reason for my error?

I have found this solution too:

Which one is correct when we use the SPNego Wizard to create the ktab?

Thanks

Reza

hemanth2
Product and Topic Expert

Dear Reza,

The SP level is fine.

You need to run the wizard again, de-selecting DES (then you will see the token value starting with "YII" in the traces).

Please try the below options:

1. Delete the service user on the LDAP server

2. Create a new service user

3. Select the "Password never expires" check box on the user's account

4. Make sure the "Use DES encryption" check box on the user's account is not selected

5. Set the SPN accordingly. Make sure that, when searching with the following command, only one entry is found:

   ldifde -r (serviceprincipalname=SPN)

6. Create the keytab file using a Java 1.6 version as you did earlier:

   ktab -a <principal_name>@<REALM> -k <keytab_file_name>

7. Run the SPNego Wizard again

Hope this helps.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content
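Step 6 above produces a keytab, and the DES setting in step 4 only matters if the keys in that file and the account's allowed encryption types agree; the later question in this thread about whether the service user was created in capitals is the same class of check, because Kerberos compares principal names and realms case-sensitively. The following Python is an added example, not SAP's or the thread's code: it reads the MIT v2 keytab format that ktab writes, lists each entry's principal, kvno and encryption type, and reports the findings a practitioner wants before re-running the SPNego wizard. The build_keytab writer exists only to construct sample input; the enctype numbers are the registered Kerberos values.

```python
import struct
import time

# Kerberos encryption type numbers (RFC 3961 / RFC 4757 registry values)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
DES_ENCTYPES = {1, 3}

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def build_keytab(entries) -> bytes:
    """Write an MIT-format v2 keytab. entries is a list of
    (principal 'name@REALM', kvno, enctype, key bytes). Constructed here only to
    produce sample input; real keytabs come from ktab or ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                                 # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Return the entries of a v2 keytab as dicts; key material is skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # a deleted slot: its length is stored negated
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}")})
    return entries

def check_keytab(data: bytes, expected_principal: str):
    """Findings worth resolving before the SPNego wizard is run with this keytab."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    findings = []
    for e in entries:
        if e["enctype"] in DES_ENCTYPES:
            findings.append(f"{e['principal']} kvno {e['kvno']}: DES key ({e['enctype_name']}), "
                            "only usable if the AD account still allows DES")
        if e["realm"] != e["realm"].upper():
            findings.append(f"{e['principal']}: realm is not upper-case (realms are case-sensitive)")
    if expected_principal not in {e["principal"] for e in entries}:
        findings.append(f"no entry for {expected_principal} (principal names are case-sensitive)")
    kvnos = {e["kvno"] for e in entries}
    if len(kvnos) > 1:
        findings.append(f"kvno values {sorted(kvnos)} differ: the lower ones belong to an earlier password")
    return findings

if __name__ == "__main__":
    # Constructed sample: RC4 key plus a leftover DES key for the same principal (dummy key bytes).
    sample = build_keytab([("SAPJ2EE@EXAMPLE.COM", 3, 23, bytes(16)),
                           ("SAPJ2EE@EXAMPLE.COM", 3, 3, bytes(8))])
    for e in parse_keytab(sample):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    for f in check_keytab(sample, "SAPJ2EE@EXAMPLE.COM"):
        print("finding:", f)
```

Run parse_keytab on the file the wizard was given; the DES finding is the one the advice above is about, and a kvno mismatch is what you get when the service user's password was reset (or the user recreated, as in the next post) after the keytab was written.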

rezaejersbo
Participant

Hello Hemanth,

I had deleted the service user from AD and created a new one. But I still get the same error.

Please see the attached trace file.

Thanks for any help.

Reza

Former Member

Hello Reza,

Please check whether the SPN is unique with setspn -T * -X. Then please tell us how you set the SPN and how you access your portal: with a DNS alias or directly, with the short name or the FQDN?

Best regards,

Andy

hemanth2
Product and Topic Expert

Dear Reza,

Hope you are doing good.

The .ZIP file does not seem to be complete; it is just 30 KB in size.

Can you attach the complete log?

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

rezaejersbo
Participant

Dear Hemanth,

Here is the last trace file. I cannot find any solution for this.

Thanks for any help

Reza

rezaejersbo
Participant

Hello Andy,

Thanks for reply.

We access the Portal with the FQDN. We used "setspn -a http/JAVA_SERVER_FQDN JAVA_SERVICE_USER".

Can I use "setspn -T *_x" to check whether the SPN is unique?

Thanks

Reza

Former Member

Hello Reza,

Yes, you can check for a unique SPN with setspn -T * -X. Is your AD service user created with capitals?

Best regards,

Andy
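Both checks in this exchange (setspn -T * -X, and the earlier advice that ldifde -r (serviceprincipalname=SPN) must return exactly one entry) come down to the same question: does exactly one account in the directory hold the HTTP/ SPN for the portal's FQDN? The KDC cannot issue a ticket for an SPN registered on two accounts, which is one path to the client falling back to NegoEx. The following Python is an added example, not code from the thread or from Microsoft: it reads an ldifde-style export (a constructed sample is embedded, including a base64 "::" value and a folded line as LDIF allows) and reports SPNs held by more than one account, comparing them case-insensitively as Active Directory does for servicePrincipalName.

```python
import base64
import re
from collections import defaultdict

# Constructed ldifde-style export (not the thread's attachment). Two accounts carry the
# same HTTP/ SPN differing only in case; the second value is base64-encoded ("::") the
# way ldifde emits values it cannot print as plain text, and one line is folded.
SAMPLE_LDIF = (
    "dn: CN=SAPJ2EE,OU=Service Accounts,DC=example,DC=com\n"
    "changetype: add\n"
    "sAMAccountName: SAPJ2EE\n"
    "userPrincipalName: SAPJ2EE@example.com\n"
    "description: service account for\n"
    "  the SAP portal\n"
    "servicePrincipalName: HTTP/portal.example.com\n"
    "servicePrincipalName: HTTP/portal\n"
    "\n"
    "dn: CN=OldPortalSvc,OU=Service Accounts,DC=example,DC=com\n"
    "changetype: add\n"
    "sAMAccountName: OldPortalSvc\n"
    "servicePrincipalName:: " + base64.b64encode(b"HTTP/PORTAL.EXAMPLE.COM").decode() + "\n"
)

def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values and
    returns one {attribute (lower-cased): [values]} dict per dn."""
    unfolded = re.sub(r"\r?\n ", "", text)   # a line starting with one space continues the previous
    entries, current = [], None
    for line in unfolded.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):                 # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries

def _account(entry) -> str:
    return entry.get("samaccountname", entry["dn"])[0]

def find_duplicate_spns(entries):
    """SPNs held by more than one account, the condition setspn -X reports.
    AD matches servicePrincipalName case-insensitively, so fold case before comparing."""
    holders = defaultdict(set)
    for e in entries:
        for spn in e.get("serviceprincipalname", []):
            holders[spn.lower()].add(_account(e))
    return {spn: sorted(accts) for spn, accts in holders.items() if len(accts) > 1}

def accounts_for_spn(entries, spn: str):
    """Accounts that 'ldifde -r (servicePrincipalName=SPN)' would return; must be exactly one."""
    wanted = spn.lower()
    return sorted(_account(e) for e in entries
                  if wanted in (s.lower() for s in e.get("serviceprincipalname", [])))

if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for spn, accts in find_duplicate_spns(parsed).items():
        print(f"duplicate SPN {spn}: {accts}")
    print("HTTP/portal.example.com is held by", accounts_for_spn(parsed, "HTTP/portal.example.com"))
```

Export the candidates with ldifde -f spn.txt -r "(servicePrincipalName=HTTP/*)" and feed the file to parse_ldif; a duplicate found here must be removed from the stale account with setspn -D before the keytab and wizard steps are repeated, otherwise the KDC side of the problem stays in place.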

hemanth2
Product and Topic Expert

Dear Reza,

Hope you are doing good.

It still looks like a NegoEx token is received.

I have run out of ideas, sorry about this. I would suggest that you involve Microsoft's support on this case. This error happens when the SAP System doesn't receive a Kerberos token. Since the SAP System doesn't have any control over the token that's being sent to it, Microsoft should check why the NegoEx token is being sent.

_ _ _ _ _ _ _ __ _ _

Kind Regards,

Hemanth

SAP Product Support

_ _ _ _ _ _ _ _ _ _ _

Join me online: http://scn.sap.com/people/hemanth.kumar/content

rezaejersbo
Participant

Hello Hemanth,

Thanks Again for reply and help.

I will do that.

Thanks

Reza
