Skip to Content
0
Former Member
May 08, 2006 at 05:26 PM

Kerberos Configuration - GSSException

367 Views

Hi All,

We are in the process of configuring Kerberos authentication for single sign-on into our 2004s SP7 Netweaver Portal on Windows. We have completed the configuration according to the documentation in the following link:

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htmhttp://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm">http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm>

However, the third SPNego config test (i.e. Acquire Credentials) fails with the following error message:

<i><b>GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)</b></i>

The following error messages appear in Log Viewer in Visual Administrator:

<i>Date : 05/08/2006

Time : 10:05:48:614

Message : <b>Error during credentials acquiring.

[EXCEPTION]

GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)</b>

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:234)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:31)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:341)

Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:231)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

... 9 more

Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:135)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:154)

... 23 more

Caused by: KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)

at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)

... 25 more

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.ah.a(DashoA12275:134)

at sun.security.krb5.internal.av.a(DashoA12275:63)

at sun.security.krb5.internal.av.<init>(DashoA12275:58)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

... 30 more

Severity : Error

Category :

Location : com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper

Application : sap.com/irj

Thread : Thread[Thread-117,5,SAPEngine_Application_Thread[impl:3]_Group]

Datasource : 944450950:C:\usr\sap\EPX\JC94\j2ee\cluster\server0\log\defaultTrace.trc

Message ID : 000423A802F0007D0000000000001584000413475E10749D

Source Name : com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper

Argument Objs : GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:234)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:31)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:341)

Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:231)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

... 9 more

Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:135)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:154)

... 23 more

Caused by: KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)

at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)

... 25 more

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.ah.a(DashoA12275:134)

at sun.security.krb5.internal.av.a(DashoA12275:63)

at sun.security.krb5.internal.av.<init>(DashoA12275:58)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

... 30 more

,

Arguments : GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentials(ConfigurationHelper.java:234)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:31)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:341)

Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:231)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

... 9 more

Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:135)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:154)

... 23 more

Caused by: KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)

at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69)

... 25 more

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.ah.a(DashoA12275:134)

at sun.security.krb5.internal.av.a(DashoA12275:63)

at sun.security.krb5.internal.av.<init>(DashoA12275:58)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

... 30 more

,

Dsr Component :

Dsr Transaction : c02a3660de9b11dabd1f000423a802f0

Dsr User :

Indent : 0

Level : 0

Message Code :

Message Type : 1

Relatives :

Resource Bundlename :

Session : 2

Source : com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper

ThreadObject : Thread[Thread-117,5,SAPEngine_Application_Thread[impl:3]_Group]

Transaction :

User : Guest

Date : 05/08/2006

Time : 10:05:48:629

Message : <b>Configuration error in SPNegoLoginModule: javax.security.auth.login.LoginException: Acquire credentials failed.</b>

Severity : Error

Category :

Location : com.sap.security.core.server.jaas.SPNegoLoginModule

Application : sap.com/irj

Thread : SAPEngine_Application_Thread[impl:3]_34

Datasource : 944450950:C:\usr\sap\EPX\JC94\j2ee\cluster\server0\log\defaultTrace.trc

Message ID : 000423A802F000610000004300001584000413475E108051

Source Name : com.sap.security.core.server.jaas.SPNegoLoginModule

Argument Objs :

Arguments :

Dsr Component :

Dsr Transaction : c02c8050de9b11da8e4c000423a802f0

Dsr User :

Indent : 0

Level : 0

Message Code :

Message Type : 0

Relatives :

Resource Bundlename :

Session : 2

Source : com.sap.security.core.server.jaas.SPNegoLoginModule

ThreadObject : SAPEngine_Application_Thread[impl:3]_34

Transaction :

User : Guest</i>

I have checked the following:

- the path specified for the krb5.conf file is correct

- the service user is an Administrator on the server and has access to all directories

- keytab file paths are correct

- 1st two SPNego config tests execute successfully

- KPN is not misspelled

Does anyone have any ideas as to what the problem could be?

Thanks!