
Portal SPNEGO Issue

yasin_kurtulus
Explorer
0 Kudos

Hello Experts,

I have been trying to configure SPNEGO for the Portal System.

But I cannot log in to the system directly; it asks for a username and password.

NW version is 7.50

My Portal configurations are as below

https://<host>/SPNEGO

I have sent LDAP SPN configuration to the customer IT as attached PDF in KBA 1488409.

LDAP configurations are ok, Portal users come from LDAP.

Could you please advise me?

My trace log is below:

#2.0#2019 03 19 09:58:43:849#+0300#Error#com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto#
#BC-JAS-SEC#security#C0000ACF096D056E0000000300001A84#2286750000000004#sap.com/irj#com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto#Guest#0##680DA0574A1411E982F300000022E49E#680da0574a1411e982f300000022e49e##0#Thread[HTTP Worker [@1000574548],5,Dedicated_Application_Thread]#Plain##
Checksum error! checksum: 0xfb8fb64c6cdf296ce006e57f; calculated checksum: 0x6d976e70046dd9f130dca045#

#2.0#2019 03 19 09:58:43:849#+0300#Error#com.sap.security.core.server.jaas.SPNegoLoginModule#
#BC-JAS-SEC#security#C0000ACF096D056E0000000400001A84#2286750000000004#sap.com/irj#com.sap.security.core.server.jaas.SPNegoLoginModule#Guest#0##680DA0574A1411E982F300000022E49E#680da0574a1411e982f300000022e49e##0#Thread[HTTP Worker [@1000574548],5,Dedicated_Application_Thread]#Plain##
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.Exception: Checksum error.
at com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto.decrypt(AesCrypto.java:45)
at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:85)
at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:70)
at com.sap.security.core.server.jaas.SPNegoLoginModule.validateKerberosToken(SPNegoLoginModule.java:328)
at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:537)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:164)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:66)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:285)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:877)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:343)
at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook(SecurityHookService.java:151)
at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook.java:383)
at com.sap.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:136)
at com.sap.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:49)
at com.sap.portal.prt.pom.PortalNode.createComponentNode(PortalNode.java:266)
at com.sap.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:435)
at com.sapportals.portal.prt.connection.ServletConnection._handleRequest(ServletConnection.java:224)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:101)
at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.prt.dispatcher.CustomHeaderFilter.doFilter(CustomHeaderFilter.java:58)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:340)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:501)
at com.sap.portal.navigation.Gateway.service(Gateway.java:161)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.portal.prt.dispatcher.CustomHeaderFilter.doFilter(CustomHeaderFilter.java:58)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:441)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:278)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:468)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:262)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)

#

Accepted Solutions (0)

Answers (4)

Colt
Active Contributor

Hi Yasin! AS Java can't decrypt the SPNEGO token aka Service Ticket from the Client. On the client you test, execute the CLI command klist and check the output for your ticket related to your Portal / Java http/<host>. Which encryption is used?

As it throws errors at com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto.decrypt it sounds like AES is used, at least I assume. Check the exact spelling of the username. In case you have enabled AES encryption for the AD account, the username itself is CASE-sensitive. Make sure you type it in exactly as it was created by your AD Admin, and double-check the password and SPN using setspn -q http/<host> (does it return the right account?) and runas /user:<account>@DOMAIN cmd.exe - type in the password you use to set up SPNego, does it work?

Cheers

Carsten
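
Why the account name's case matters with AES, as an added example that is not part of the reply above or of SAP's code: the AES Kerberos key is derived from the password and a salt (RFC 3962), and the default salt contains the principal name with its case preserved. The realm, account names and password below are constructed, and the default salt layout (realm followed by account name) is an assumption about the environment.

```python
import hashlib

# Default iteration count for the aes128/aes256-cts-hmac-sha1-96 enctypes (RFC 3962).
DEFAULT_ITERATIONS = 4096


def default_salt(realm: str, account: str) -> bytes:
    """Default Kerberos salt: realm followed by the principal name, case preserved."""
    return (realm + account).encode("utf-8")


def aes_pbkdf2_stage(password: str, salt: bytes, key_len: int = 32,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key function.

    The final key is DK(this value, "kerberos"); that step needs an AES
    primitive and is left out here, because two different values at this
    stage already lead to two different final keys.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, key_len)


def keys_match(password: str, realm: str,
               kdc_account: str, keytab_account: str) -> bool:
    """Compare the key material the KDC derives with what the keytab side derives."""
    kdc_side = aes_pbkdf2_stage(password, default_salt(realm, kdc_account))
    keytab_side = aes_pbkdf2_stage(password, default_salt(realm, keytab_account))
    return kdc_side == keytab_side


if __name__ == "__main__":
    realm = "EXAMPLE.LOCAL"          # constructed realm
    password = "Constructed-Pw-1"    # constructed password
    # Account as stored in the directory vs. as typed during SPNEGO setup.
    for typed in ("SvcPortal", "svcportal"):
        ok = keys_match(password, realm, "SvcPortal", typed)
        print(f"typed={typed!r:12} keys match: {ok}")
```

A service ticket encrypted under the first key cannot be decrypted with the second, so the integrity check on the decrypted data fails, which is what the "Checksum error" in the trace reports.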

Matt_Fraser
Active Contributor
0 Kudos

Yasin,

I think you might have some misconfiguration in your Authentication Stack Login Modules setup. This is how we have ours, and you'll note some differences that I believe are important:

You also didn't talk about how you set up the SPN for your service user, so it's quite possible that you have a misconfiguration there.

Not to toot my own horn, but you may get some points from an old blog post on this subject I wrote a few years ago. Granted, at the time I was describing setting up SPNego for a 7.01 portal, but most of the procedure hasn't changed in 7.5 (which is what we are using today, and yes, we do now have AES encryption working, where before it was only RC4).

https://blogs.sap.com/2016/02/08/single-sign-on-for-java/

Cheers,
Matt

oppancs
Contributor
0 Kudos

Dear Yasin,


Please check the KBA for the solution:


1568553 - Checksum error, Spnego add-on


You can get hints for a solution.


Best Regards,
Barnabás Paksi

LutzR
Active Contributor
0 Kudos

Hi Yasin, I would recommend the Guided Answers for Authentication issues to you.

In your case it recommends to renew the keytab.

Cheers, Lutz