Hello SDN,
we have implemented the SPNego Authentication for our Portal. It works fine for the most user.
But at two of these users we facing the following problem. The authentication fails with response code 401. The log of the j2ee reports the following:
#1.5#0030058016C00013000000000000350C000423C467D392DF#1165226371530#com.sap.security.core.server.jaas.SPNegoLoginModule#sap.com/irj#com.sap.security.core.server.jaas.SPNegoLoginModule#Guest#2####2315a2a0837e11dbaacc0030058016c0#SAPEngine_Application_Thread[impl:3]_10##0#0#Error##Java###Decoding error in parsing of spnego token.
[EXCEPTION]
#1#iaik.asn1.CodingException: Error reading ASN.1 datastructure: null at iaik.asn1.DerCoder.decode(Unknown Source) at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:573) at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:321) at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:154) at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:69) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:170) at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607) at javax.security.auth.login.LoginContext.login(LoginContext.java:534) at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:86) at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303) at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321) at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377) at com.sap.portal.navigation.Gateway.service(Gateway.java:101) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170) # #1.5#0030058016C00013000000010000350C000423C467D397D3#1165226371546#com.sap.security.core.server.jaas.SPNegoLoginModule#sap.com/irj#com.sap.security.core.server.jaas.SPNegoLoginModule#Guest#2####2315a2a0837e11dbaacc0030058016c0#SAPEngine_Application_Thread[impl:3]_10##0#0#Error##Plain###Error during handshake (has already been reported). Authentication failed.# #1.5#0030058016C00013000000030000350C000423C467D454E3#1165226371593#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=doLogon][cl=20293]#Guest#2####2315a2a0837e11dbaacc0030058016c0#SAPEngine_Application_Thread[impl:3]_10##0#0#Error##Java###doLogon failed [EXCEPTION] #1#com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:339)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
#
#1.5#0030058016C00013000000040000350C000423C467D4700D#1165226371593#com.sap.security.core.util#sap.com/irj#com.sap.security.core.util.[cf=com.sap.security.core.util.ResourceBean][md=print][cl=17007]#Guest#2####2315a2a0837e11dbaacc0030058016c0#SAPEngine_Application_Thread[impl:3]_10##0#0#Error##Java###Message ID (UNKNOWN_ERROR) not found in properties files-UNKNOWN_ERROR
[EXCEPTION]
#1#java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key UNKNOWN_ERROR at java.util.ResourceBundle.getObject(ResourceBundle.java:325) at java.util.ResourceBundle.getObject(ResourceBundle.java:322) at java.util.ResourceBundle.getString(ResourceBundle.java:285) at com.sap.security.core.util.ResourceBean.getString(ResourceBean.java:115) at com.sap.security.core.util.ResourceBean.print(ResourceBean.java:129) at sapportalsjspumLogonPage.subDoContent(_sapportalsjsp_umLogonPage.java:514) at sapportalsjspumLogonPage.doContent(_sapportalsjsp_umLogonPage.java:67) at sapportalsjspumLogonPage.service(_sapportalsjsp_umLogonPage.java:47) at com.sapportals.portal.prt.core.broker.PortalComponentItemFacade.service(PortalComponentItemFacade.java:360) at com.sapportals.portal.prt.core.broker.PortalComponentItem.service(PortalComponentItem.java:934) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:435) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:527) at com.sapportals.portal.prt.component.AbstractComponentResponse.include(AbstractComponentResponse.java:89) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:232) at com.sap.security.core.logonadmin.ComponentAccessToLogic.gotoPage(ComponentAccessToLogic.java:109) at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:994) at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:240) at com.sapportals.portal.ume.component.logon.SAPMLogonComponent.doContent(SAPMLogonComponent.java:36) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.ume.component.logon.SAPMLogonCertComponent.doContent(SAPMLogonCertComponent.java:33) at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209) at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215) at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:646) at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136) at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321) at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377) at com.sap.portal.navigation.Gateway.service(Gateway.java:101) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170) # #1.5#0030058016C00013000000050000350C000423C467D482FC#1165226371593#com.sap.security.core.util#sap.com/irj#com.sap.security.core.util.[cf=com.sap.security.core.util.ResourceBean][md=print][cl=17007]#Guest#2####2315a2a0837e11dbaacc0030058016c0#SAPEngine_Application_Thread[impl:3]_10##0#0#Error##Java###Message ID (UNKNOWN_ERROR) not found in properties files-UNKNOWN_ERROR [EXCEPTION] #1#java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key UNKNOWN_ERROR
at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
at java.util.ResourceBundle.getString(ResourceBundle.java:285)
at com.sap.security.core.util.ResourceBean.getString(ResourceBean.java:115)
at com.sap.security.core.util.ResourceBean.print(ResourceBean.java:129)
at sapportalsjspumLogonPage.subDoContent(_sapportalsjsp_umLogonPage.java:514)
at sapportalsjspumLogonPage.doContent(_sapportalsjsp_umLogonPage.java:67)
at sapportalsjspumLogonPage.service(_sapportalsjsp_umLogonPage.java:47)
at com.sapportals.portal.prt.core.broker.PortalComponentItemFacade.service(PortalComponentItemFacade.java:360)
at com.sapportals.portal.prt.core.broker.PortalComponentItem.service(PortalComponentItem.java:934)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:435)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:527)
at com.sapportals.portal.prt.component.AbstractComponentResponse.include(AbstractComponentResponse.java:89)
at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:232)
at com.sap.security.core.logonadmin.ComponentAccessToLogic.gotoPage(ComponentAccessToLogic.java:109)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:259)
at com.sapportals.portal.ume.component.logon.SAPMLogonComponent.doContent(SAPMLogonComponent.java:36)
at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209)
at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
at com.sapportals.portal.ume.component.logon.SAPMLogonCertComponent.doContent(SAPMLogonCertComponent.java:33)
at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209)
at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:646)
at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
*********************************************************************************************
One user is able to authenticate to the production system but not able to authenticate to the test system. The second user is not able to authenticate at both via SPNego.
I have found the follwoing SAP Note: 934138 and the Microsoft note KB902409.
The clients seems to be send a NTLM instead of a Kerberos token.
Both does not help.
Do you have any idea what to do.
Thanks.
Best Regards.
Olaf Reis