LOGIN.FAILED (Guest) shortly before successful certificate enrollment via SLS

Hi Experts,

we have implemented SLS at one of our customers and everything is working fine. During a regular system check we noticed some warnings in the AS Java trace. I am just wondering what causes this issue and trying to find an answer for this; I have had no luck with Google so far.

Environment:

- SAP AS Java 7.50 (UME is local)

- Secure Login Server 3.0 SP1 PL3

- User authentication via SPNEGOLoginModule with Virtual User Mapping

We haven't modified the default login stack "ticket" in any way - it is still standard with (1)EvaluateTicket.. / (2)Basic Password.. / (3)CreateTicket..

Manual password based login using the admin user via NWA is working fine and does not generate any errors.

The Secure Login Client users are authenticating using a SLS Policy using SPNEGO authentication against the SLS. With every successful certificate creation we have a Warning message in the AS Java authentication trace:

LOGIN.FAILED
User: N/A
Authentication Stack: SecureLoginDefaultPolicyConfigurationSPNEGO
Authentication Stack Properties:

Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.SPNegoLoginModule SUFFICIENT ok exception true Trigger SPNEGO authentication.
No logon policy was applied

This happens for each user and each successful certificate enrollment via SLS and always milliseconds before the LOGIN.OK

See example screenshots / every authentication produces similar WARNING:

1) LOGIN.FAILED (Guest)

2) LOGON.OK (SLC via SPNEGO) = user is authenticated / virtual user was created

3) Certificate creation process (messages)

Details of the warning:

Does someone have an idea what triggers the warning? Possibly this is caused by the virtual user mapping configuration, but I am unsure. Maybe normal behavior?

Thank you for your support

Cheers,

Carsten


2 Answers

  • Best Answer
    Jul 12, 2017 at 06:50 AM

    Hi Carsten,

    This is completely normal according to the SPNego protocol. The client tries to log in without any credentials, the server then sends the authentication header 401. (This is the part that you see as LOGIN FAILED). In a second step, the client sends the ticket for authentication. It is a 2-step process, and in the first one the client does not have the token and therefore you get a LOGIN FAILED. Everything is completely normal.

    Marcus


    • Yes, part of the normal auth flow 401 with header WWW-Authenticate: Negotiate. My assumption was, the SAP system (with SPNego enabled) somehow is able to suppress this in the logs ;)

  • Jul 10, 2017 at 10:15 AM

    Update to myself - seems to be normal behavior ;)
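
The two-step exchange described in the answers above can be used to triage the authentication log: an anonymous LOGIN.FAILED on a SPNEGO stack that is followed within a short window by a LOGIN.OK on the same stack from the same client is the expected 401 challenge, and anything left over deserves a look. This is an added example, not part of the original thread and not SAP code; the record layout, the `client` field and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real AS Java log output). The tuple layout
# (timestamp, event, user, stack, client) and the client field are assumptions.
STACK = "SecureLoginDefaultPolicyConfigurationSPNEGO"
SAMPLE = [
    ("2017-07-10 10:00:00.120", "LOGIN.FAILED", "N/A", STACK, "192.0.2.5"),
    ("2017-07-10 10:00:00.185", "LOGIN.OK", "jdoe", STACK, "192.0.2.5"),
    ("2017-07-10 10:02:11.400", "LOGIN.FAILED", "N/A", STACK, "192.0.2.9"),
    ("2017-07-10 10:05:30.010", "LOGIN.FAILED", "N/A", STACK, "192.0.2.7"),
    ("2017-07-10 10:05:30.090", "LOGIN.OK", "asmith", STACK, "192.0.2.7"),
    ("2017-07-10 10:06:00.000", "LOGIN.FAILED", "admin", "ticket", "192.0.2.9"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def triage(records, window_ms=1000):
    """Split LOGIN.FAILED records into expected SPNEGO challenges and the rest."""
    window = timedelta(milliseconds=window_ms)
    rows = sorted((parse(ts), ev, user, stack, client)
                  for ts, ev, user, stack, client in records)
    used = set()  # indexes of LOGIN.OK records already paired with a challenge
    handshake, review = [], []
    for i, (ts, ev, user, stack, client) in enumerate(rows):
        if ev != "LOGIN.FAILED":
            continue
        match = None
        # Only an anonymous failure on a SPNEGO stack can be the 401 challenge step.
        if user == "N/A" and "SPNEGO" in stack.upper():
            for j in range(i + 1, len(rows)):
                ts2, ev2, _, stack2, client2 = rows[j]
                if ts2 - ts > window:
                    break
                if (ev2 == "LOGIN.OK" and stack2 == stack
                        and client2 == client and j not in used):
                    match = j
                    break
        if match is None:
            review.append((ts, user, stack, client))
        else:
            used.add(match)
            handshake.append((ts, rows[match][2], client))
    return handshake, review
```

With the sample above, the two paired challenges are filed as handshake noise, while the SPNEGO challenge that was never completed and the password failure on the `ticket` stack are returned for review.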
