
LOGIN.FAILED (Guest) shortly before successful certificate enrollment via SLS

Jun 20, 2017 at 11:21 AM


Hi Experts,

We have implemented SLS at one of our customers and everything is working fine. During a regular system check we noticed some warnings in the AS Java trace. I am just wondering what causes this issue and trying to find an answer for this; I have had no luck with Google so far.

Environment:

- SAP AS Java 7.50 (UME is local)

- Secure Login Server 3.0 SP1 PL3

- User authentication via SPNEGOLoginModule with Virtual User Mapping

We haven't modified the default login stack "ticket" in any way - it is still standard with (1)EvaluateTicket.. / (2)Basic Password.. / (3)CreateTicket..

Manual password based login using the admin user via NWA is working fine and does not generate any errors.

The Secure Login Client users are authenticating using an SLS policy with SPNEGO authentication against the SLS. With every successful certificate creation we have a warning message in the AS Java authentication trace:

LOGIN.FAILED
User: N/A
Authentication Stack: SecureLoginDefaultPolicyConfigurationSPNEGO
Authentication Stack Properties:

Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.SPNegoLoginModule SUFFICIENT ok exception true Trigger SPNEGO authentication.
No logon policy was applied

This happens for each user and each successful certificate enrollment via SLS and always milliseconds before the LOGIN.OK

See example screenshots / every authentication produces similar WARNING:

1) LOGIN.FAILED (Guest)

2) LOGON.OK (SLC via SPNEGO) = user is authenticated / virtual user was created

3) Certificate creation process (messages)

Details of the warning:

Does someone have an idea what triggers the warning? Possibly this is caused by the virtual user mapping configuration, but I am unsure. Maybe normal behavior?

Thank you for your support

Cheers,

Carsten


2 Answers

Best Answer
Marcus Quintino Kuhnen
Jul 12, 2017 at 06:50 AM
0

Hi Carsten,

This is completely normal according to the SPNego protocol. The client tries to log in without any credentials, and the server then sends the authentication header 401. (This is the part that you see as LOGIN FAILED.) In a second step, the client sends the ticket for authentication. It is a 2-step process, and in the first one the client does not have the token and therefore you get a LOGIN FAILED. It's everything completely normal.

Marcus


Yes, part of the normal auth flow 401 with header WWW-Authenticate: Negotiate. My assumption was, the SAP system (with SPNego enabled) somehow is able to suppress this in the logs ;)

0
Carsten Olt Jul 10, 2017 at 10:15 AM
0

Update to myself - seems to be normal behavior ;)

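For log review, the pattern discussed in this thread (an anonymous LOGIN.FAILED on the SPNEGO stack followed milliseconds later by a LOGIN.OK) can be separated from failures that never complete. The following is an added example, not part of the thread or of SAP's tooling; the one-line event layout, the client address field, the sample users and addresses, and the 2-second window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field layout (time, event, user, stack, client)
# is an assumption for this example, not the AS Java trace format.
SAMPLE = """\
2017-06-20T11:02:14.101 LOGIN.FAILED N/A SecureLoginDefaultPolicyConfigurationSPNEGO 10.0.0.21
2017-06-20T11:02:14.163 LOGIN.OK jdoe SecureLoginDefaultPolicyConfigurationSPNEGO 10.0.0.21
2017-06-20T11:05:40.010 LOGIN.FAILED N/A SecureLoginDefaultPolicyConfigurationSPNEGO 10.0.0.35
2017-06-20T11:07:02.500 LOGIN.FAILED admin ticket 10.0.0.40
2017-06-20T11:09:30.000 LOGIN.FAILED N/A SecureLoginDefaultPolicyConfigurationSPNEGO 10.0.0.21
2017-06-20T11:09:33.900 LOGIN.OK jdoe SecureLoginDefaultPolicyConfigurationSPNEGO 10.0.0.21
"""
WINDOW = timedelta(seconds=2)  # assumed gap allowed between the 401 round and the token round

def parse(text):
    events = []
    for line in text.splitlines():
        ts, event, user, stack, client = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "stack": stack, "client": client})
    return sorted(events, key=lambda e: e["ts"])

def classify_failures(events, window=WINDOW):
    """Label each LOGIN.FAILED as 'spnego-handshake' or 'review'."""
    used_ok, results = set(), []
    for i, ev in enumerate(events):
        if ev["event"] != "LOGIN.FAILED":
            continue
        label = "review"  # named-user failures and unpaired failures stay visible
        anonymous_spnego = ev["user"] == "N/A" and "SPNEGO" in ev["stack"].upper()
        if anonymous_spnego:
            for j in range(i + 1, len(events)):
                nxt = events[j]
                if nxt["ts"] - ev["ts"] > window:
                    break  # events are time-sorted, nothing later can match
                if (j not in used_ok and nxt["event"] == "LOGIN.OK"
                        and nxt["client"] == ev["client"] and nxt["stack"] == ev["stack"]):
                    used_ok.add(j)  # one LOGIN.OK explains only one failure
                    label = "spnego-handshake"
                    break
        results.append((ev["ts"].isoformat(timespec="milliseconds"), ev["client"], label))
    return results

if __name__ == "__main__":
    for row in classify_failures(parse(SAMPLE)):
        print(*row)
```

Failures labelled `review` here are the ones the handshake does not explain: an anonymous attempt that never produced a token round, a slow or broken completion, or a failure for a named user on another stack.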