Hi All,
We are in the process of configuring Kerberos authentication for single sign-on into our 2004s SP7 NetWeaver Portal on Windows. We have completed the configuration according to the documentation in the following link:
However, the third SPNego config test (i.e. Acquire Credentials) fails with the following error message:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
The following error messages appear in Log Viewer in Visual Administrator:
<i>Date : 05/08/2006
Time : 10:05:48:614
Message : Error during credentials acquiring.
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:234)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:31)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:341)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:231)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:135)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:154)
... 23 more
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)
... 25 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:134)
at sun.security.krb5.internal.av.a(DashoA12275:63)
at sun.security.krb5.internal.av.<init>(DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 30 more
Severity : Error
Category :
Location : com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper
Application : sap.com/irj
Thread : Thread[Thread-117,5,SAPEngine_Application_Thread[impl:3]_Group]
Datasource : 944450950:C:\usr\sap\EPX\JC94\j2ee\cluster\server0\log\defaultTrace.trc
Message ID : 000423A802F0007D0000000000001584000413475E10749D
Source Name : com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper
Argument Objs : GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Arguments : GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Dsr Component :
Dsr Transaction : c02a3660de9b11dabd1f000423a802f0
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 1
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper
ThreadObject : Thread[Thread-117,5,SAPEngine_Application_Thread[impl:3]_Group]
Transaction :
User : Guest
Date : 05/08/2006
Time : 10:05:48:629
Message : Configuration error in SPNegoLoginModule: javax.security.auth.login.LoginException: Acquire credentials failed.
Severity : Error
Category :
Location : com.sap.security.core.server.jaas.SPNegoLoginModule
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_34
Datasource : 944450950:C:\usr\sap\EPX\JC94\j2ee\cluster\server0\log\defaultTrace.trc
Message ID : 000423A802F000610000004300001584000413475E108051
Source Name : com.sap.security.core.server.jaas.SPNegoLoginModule
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : c02c8050de9b11da8e4c000423a802f0
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.security.core.server.jaas.SPNegoLoginModule
ThreadObject : SAPEngine_Application_Thread[impl:3]_34
Transaction :
User : Guest</i>
I have checked the following:
- the path specified for the krb5.conf file is correct
- the service user is an Administrator on the server and has access to all directories
- keytab file paths are correct
- the first two SPNego config tests execute successfully
- KPN is not misspelled
Does anyone have any ideas as to what the problem could be?
Thanks!
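
The cause chain in the trace above ends in Krb5LoginModule.attemptAuthentication and Credentials.acquireTGT, that is, in the AS exchange with the KDC. The stand-alone JAAS check below is an added example, not part of the original post and not SAP code; it performs the same keytab login outside the portal with JDK Kerberos debugging switched on. The class name KeytabLoginCheck is hypothetical, and the krb5.conf path, keytab path and principal are passed as arguments.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical helper: reproduces the "Acquire Credentials" step with plain JAAS.
public class KeytabLoginCheck {
    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: KeytabLoginCheck <krb5.conf> <keytab> <principal>");
            System.exit(2);
        }
        System.setProperty("java.security.krb5.conf", args[0]);
        System.setProperty("sun.security.krb5.debug", "true"); // trace the AS exchange

        final Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", args[1]);
        opts.put("principal", args[2]);
        opts.put("storeKey", "true");    // the accepting side needs the long-term key
        opts.put("doNotPrompt", "true"); // fail instead of asking for a password
        opts.put("debug", "true");

        // In-memory JAAS configuration, so no login.config file is involved.
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        try {
            LoginContext lc = new LoginContext("keytab-check", new Subject(), null, conf);
            lc.login();
            Subject s = lc.getSubject();
            System.out.println("Login OK, principals: " + s.getPrincipals());
            // Print only the credential types, never the key material itself.
            for (Object cred : s.getPrivateCredentials()) {
                System.out.println("  private credential: " + cred.getClass().getName());
            }
        } catch (LoginException e) {
            System.err.println("Login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

If this check also fails with error 24 (pre-authentication failed), the KDC rejected the key read from the keytab for that principal, so the problem lies with the keytab or the service account rather than with the portal's login module stack.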