Hello,
We wanted to have desktop single sign-on by using SPNego, and we have configured everything as said in the SAP Help document, but we could not achieve single sign-on. Not sure where we are going wrong.
When we run the Diagtool, we are getting the errors "Cannot login user" and "Error sending krb5 token".
Need your inputs, suggestions and corrections on this. Below are the details.
<b>Landscape information:</b>
Active Directory: Windows 2003 SP1
Active Directory domain: ED.ET.COM
Portal: EP 7.0 (NW2004s SPS8)
Portal OS: AIX 5.3
Database: DB2 UDB
Portal/J2EE Engine domain: comp.com
JDK: IBM JDK
Client / Workstation: Windows XP SP1 (domain ED.ET.COM)
Portal sysid: B01
<b>Steps</b>
1. Created the user j2ee-b01 in the Active Directory, with the "password never expires" option.
2. Created keytab files using Windows ktpass:
ktpass -princ host/g023us08.comp.com@ED.ET.COM -pass password -out g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
ktpass -princ HTTP/g023us08.comp.com@ED.ET.COM -pass password -out g023us08.keytab -in g023us08.keytab -mapUser j2ee-b01 +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
3. setspn -A HTTP/g023us08.comp.com j2ee-b01
4. Placed g023us08.keytab and krb5.conf under /usr/sap/B01/certfiles.
5. Java parameters are added in the configtool.
6. Resolution mode = <b>simple</b>, and in the UME added the attribute "<b>krb5principalname</b>" with physical attribute "<b>userprincipalname</b>".
7. Configured the login to use the SPNego Login Module.
8. The maintained parameters for SPNegoLoginModule are:
com.sap.spnego.jgss.name = g023us08.comp.com@ED.ET.COM
com.sap.spnego.uid.resolution.mode = simple
com.sap.spnego.uid.resolution.attr = krb5principalname
<b>Krb5.conf contents.</b>
-
[domain_realm]
[libdefaults]
default_keytab_name = /usr/sap/B01/certfiles/g023us08.keytab
default_realm = ED.ET.COM
dns_lookup_kdc = true
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc
[realms]
ED.ET.COM = {
admin_server = g1432dc01.ed.et.com
kdc = g1432dc01.ed.et.com
}
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
-
Thanks in Advance.
Regards,
Praveen
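Added example, not from the post or from SAP: a small Python checker for the keytab produced by the ktpass runs above. It writes and parses the MIT keytab format (version 0x0502) so you can confirm offline that g023us08.keytab actually holds the HTTP SPN registered with setspn -A, with the des-cbc-md5 enctype that krb5.conf allows. The sample keytab bytes and the DES key are constructed placeholders, not the real file.

```python
import struct

ETYPE_DES_CBC_MD5 = 3                            # enctype that ktpass /crypto DES-CBC-MD5 writes
HTTP_SPN = "HTTP/g023us08.comp.com@ED.ET.COM"   # the SPN registered with setspn -A

def build_keytab(entries):
    """Serialise (principal, etype, key, kvno) tuples as an MIT 0x0502 keytab (big-endian)."""
    out = b"\x05\x02"
    for principal, etype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1)          # component count
        for s in [realm] + name.split("/"):                    # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno, then the keyblock
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, etype, kvno}, ...] from keytab bytes; slots with size < 0 are deleted."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            ncomp, = struct.unpack_from(">H", data, pos)
            pos, strings = pos + 2, []
            for _ in range(ncomp + 1):
                n, = struct.unpack_from(">H", data, pos)
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, pos)
            entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                            "etype": etype, "kvno": kvno})
        pos = end                                              # skips key bytes and optional vno32
    return entries

def check_spnego_keytab(data, spn=HTTP_SPN, etype=ETYPE_DES_CBC_MD5):
    """Problems that stop the engine accepting a token for spn: SPN absent or enctype mismatch."""
    hits = [e for e in parse_keytab(data) if e["principal"] == spn]
    if not hits:
        return [f"no keytab entry for {spn}: compare the ktpass -princ value with setspn -A"]
    if all(e["etype"] != etype for e in hits):
        return [f"{spn} has enctypes {sorted(e['etype'] for e in hits)}, krb5.conf allows {etype}"]
    return []

# Constructed sample: the two principals the ktpass runs above create, with a placeholder DES key.
SAMPLE_KEYTAB = build_keytab([("host/g023us08.comp.com@ED.ET.COM", ETYPE_DES_CBC_MD5, b"\x01" * 8, 2),
                              (HTTP_SPN, ETYPE_DES_CBC_MD5, b"\x01" * 8, 2)])
```

To run it against the real file, read /usr/sap/B01/certfiles/g023us08.keytab in binary mode and pass the bytes to check_spnego_keytab; an empty list means the SPN and enctype line up with the configuration posted above.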