Former Member
Oct 16, 2006 at 02:29 AM

SPNego Not Working


Hello,

We wanted to have desktop single sign-on using SPNego, and we have configured everything as described in the SAP Help document, but we could not achieve single sign-on. Not sure where we are going wrong.

When we run the Diagtool, we get the errors "Cannot login user" and "Error sending krb5 token".

Need your inputs, suggestions and corrections on this. Below are the details.

<b>Landscape information:</b>

Active Directory – Windows 2003 SP1

Active Directory Domain – ED.ET.COM

Portal – EP 7.0 (NW2004s SPS8)

Portal OS – AIX 5.3

Database – DB2 UDB

Portal/J2EE Engine domain – comp.com

JDK – IBM JDK

Client / Workstation – Windows XP SP1 (Domain – ED.ET.COM)

Portal sysid – B01

<b>Steps</b>

1. Created the User j2ee-b01 in the active directory, with password never expires option

2. Created keytab files using windows ktpass.

ktpass -princ host/g023us08.comp.com@ED.ET.COM -pass password -out g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

ktpass -princ HTTP/g023us08.comp.com@ED.ET.COM -pass password -out g023us08.keytab -in g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

3. setspn -A HTTP/g023us08.comp.com j2ee-b01

4. Placed the g023us08.keytab and krb5.conf under /usr/sap/B01/certfiles.

5. Java parameters are added in the configtool.

6. Resolution mode = <b>simple</b>, and in the UME added the attribute "<b>krb5principalname</b>" with physicalAttribute "<b>userprincipalname</b>".

7. Configured the login to use the SPNego Login Module.

8. The parameters maintained for SPNegoLoginModule are:

com.sap.spnego.jgss.name = g023us08.comp.com@ED.ET.COM

com.sap.spnego.uid.resolution.mode = simple

com.sap.spnego.uid.resolution.attr = krb5principalname

<b>Krb5.conf contents.</b>

[domain_realm]
    .comp.com = ED.ET.COM

[libdefaults]
    default_keytab_name = /usr/sap/B01/certfiles/g023us08.keytab
    default_realm = ED.ET.COM
    dns_lookup_kdc = true
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    ED.ET.COM = {
        admin_server = g1432dc01.ed.et.com
        kdc = g1432dc01.ed.et.com
    }

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }



Thanks in Advance.

Regards,

Praveen
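The steps above build the keytab with ktpass on Windows and copy it to AIX, where only the J2EE Engine ever reads it, so the first thing worth confirming is what actually landed in the file: which principals, in which letter case, with which enctype and kvno. What follows is an added example for this thread, not code from the post above or from SAP: a small Python reader for the version 0x0502 keytab format that ktpass writes (the same entries `klist -k` lists where an MIT client is installed), plus a check for one service principal. The sample keytab, its 8-byte keys, the kvno of 2 and the principal strings are constructed here from the host names in the post and are assumptions; against the real file you would read `/usr/sap/B01/certfiles/g023us08.keytab` with `open(path, "rb").read()` and pass the principal string the login module is configured to accept tickets for.

```python
# Added example: read a version 0x0502 keytab (the format Windows ktpass writes)
# and check that it holds a key for the service principal SPNEGO will need.
import struct
import time

# Encryption type numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type written by ktpass /ptype KRB5_NT_PRINCIPAL


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a 0x0502 keytab.
    Used here only to construct sample input without a KDC."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body  # size excludes the size field
    return out


def parse_keytab(data: bytes):
    """Return one dict per live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []

    def read(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals

    def counted():
        nonlocal pos
        (n,) = read(">H")
        pos += n
        return data[pos - n:pos]

    while pos + 4 <= len(data):
        (size,) = read(">i")
        if size < 0:                    # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = read(">H")
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        read(">I")                      # name type, not needed for the check
        _timestamp, vno8 = read(">IB")
        (enctype,) = read(">H")
        key = counted()
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno overrides vno8
            (kvno32,) = read(">I")
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key_len": len(key),
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)})
    return entries


def check_keytab(data: bytes, service_principal: str, accepted_enctypes):
    """Return (ok, problems): is there a key for exactly this principal in an
    accepted enctype? Case-sensitive on purpose: HTTP/host != http/host in Kerberos."""
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == service_principal]
    problems = []
    if not matches:
        present = sorted({e["principal"] for e in entries})
        msg = "no entry for %s (present: %s)" % (service_principal, ", ".join(present))
        if any(p.lower() == service_principal.lower() for p in present):
            msg += "; an entry differs only in case"
        problems.append(msg)
    elif not any(e["enctype"] in accepted_enctypes for e in matches):
        names = ", ".join(e["enctype_name"] for e in matches)
        problems.append("%s is only keyed with %s" % (service_principal, names))
    return (not problems, problems)


# Constructed sample: the post's two SPNs, des-cbc-md5 (3), kvno 2, made-up 8-byte keys.
SAMPLE_KEYTAB = build_keytab([
    ("host/g023us08.comp.com@ED.ET.COM", 3, 2, bytes.fromhex("0123456789abcdef")),
    ("HTTP/g023us08.comp.com@ED.ET.COM", 3, 2, bytes.fromhex("fedcba9876543210")),
])
```

Because the second ktpass call in the post reads the first file with -in and writes both entries back, the parser should list both the host/ and the HTTP/ principal; a missing HTTP/ entry, an entry that differs only in case, or an enctype other than the des-cbc-md5 that the krb5.conf restricts tickets to is the kind of mismatch this check is meant to surface before looking anywhere else.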