Skip to Content

Malformed SPNEGO token name syntax received - looking for solution to control name construction

Hi! A customer of us is using the MSFT Web Application Proxy (WAP) and has issues with Kerberos Ticket creation because of alternative UPNs. WAP is authenticating the user with AD FS - Preauthentication. After the user is authenticated, the AD FS server issues a security token, the ‘edge token’ and redirects the HTTPS request back to the Web Application Proxy server. Using the value from the UPN (Edge Token) it queries AD to determine the AD user account and request a kerberos ticket on behalf of the user for the service through kerberos constrained delegation (KCD).

In this use case we try to logon to SAP ABAP Webgui (or any SICF service) which supports standard Kerberos/SPNEGO and then will map the sAMAcount@REALM e.g. jdoe(at)domain.local to its local user in the SAP user master data to a user mapping value like p:CN=JDOE(at)DOMAIN.LOCAL.

This works well from the intranet or with users having set no explicit UPN (attribute in the AD). The customer had to introduce the corporate email address as the explicit UPN for Office 365. As soon as a user has defined a UPN attribute, the kerberos service ticket issued on behalf of user, no longer contains the standard conform sAMAccountName@REALM but the UPN value from the AD attribute + REALM. Thus the kerberos based logon does not work because now the ticket contains sAMAccountName(at)anyDNSdomain@REALM e. g. jdoe(at) instead the standard conform user@REALM. Thus the mapping attribute in the SAP user master data no longer matches.

Of course it works if we change the SNC Name to p:CN=JDOE(at)MAILDOMAIN.COM(at)DOMAIN.LOCAL

This is only true when authentication is performed via WAP, all other normal (internal) kerberos tickets still containing the expected (normal?) name syntax, at least that is what the Kerberos RFCs state. Years ago i had similar issues with UAG from MSFT when it comes to SPNEGO for AS Java.

Seems there is no chance to change this behavior in the MSFT solution, any change to influence SNC/SPNEGO name conversion through the CCL? Seems as if spnego/construct_SNC_name would not help us in that case.

Thank you!


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

0 Answers