We're attempting to implement single sign-on using SPNego on our dev portal. It is in an AIX 5.3 - IBM Java 64-bit v1.4.2 SR8 environment, and the LDAP server is Active Directory on Win2003.
After following the configuration steps, we get an "UNKNOWN_ERROR" message on the login page for the portal.
Running the diagtool gives the following error in the first step: "Error initializing lv client" followed by a string of Java classes (see below).
We have a sandbox portal running on W2K3 - Sun 32-bit JDK, and SSO is working fine there with the same krb5.conf values for the ADS server.
We've tried using both HTTP/<hostname>@REALM and host/<hostname>@REALM as the Kerberos principal in the config, with no impact on the results, and we've tried keytab files created on Windows, the Sun JDK and AIX.
We opened an OSS note today, and any SDN help would be greatly appreciated as well.
###
Output of >uname -a
AIX r02dev03 3 5 0022AF7A4C00
Output of >java -fullversion
java full version "J2RE 1.4.2 IBM AIX 5L for PowerPC (64 bit JVM) build caix64142ifx-20070509 {SR8 SAP ifix: 119818}"
Relevant diagtool error messages:
Error Messages in Diagtool Header
Error initializing lv client
[EXCEPTION]
com.sap.engine.services.jmx.exception.JmxConnectorException: Unable to connect to connector server.
at com.sap.engine.services.jmx.connector.p4.P4ConnectorClient.<init>(P4ConnectorClient.java:96)
at com.sap.engine.services.jmx.connector.p4.ConnectorFactory.getJmxConnector(ConnectorFactory.java:31)
at com.sap.jmx.remote.JmxConnectionFactory.getConnector(JmxConnectionFactory.java:191)
at com.sap.jmx.remote.JmxConnectionFactory.getMBeanServerConnection(JmxConnectionFactory.java:92)
at com.sap.engine.config.diagtool.util.LVClient.init(LVClient.java:149)
at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:265)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:394)
Caused by: com.sap.engine.services.jndi.persistent.exceptions.NoPermissionException: Exception during getInitialContext operation. Wrong security principle/credentials. [Root exception is com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.]
at com.sap.engine.services.jndi.InitialContextFactoryImpl.handleUserProblem(InitialContextFactoryImpl.java:512)
at com.sap.engine.services.jndi.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:366)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:675)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:257)
at javax.naming.InitialContext.init(InitialContext.java:233)
at javax.naming.InitialContext.<init>(InitialContext.java:209)
at com.sap.engine.services.jmx.connector.p4.P4ConnectorClient.<init>(P4ConnectorClient.java:69)
... 11 more
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:177)
at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.java:72)
at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextHelperImplp4_Skel.java:64)
at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:320)
at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:198)
at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:129)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:215)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Authentication did not succeed.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
... 13 more
Error initializing lc client
[EXCEPTION]
com.sap.engine.services.jmx.exception.JmxConnectorException: Unable to connect to connector server.
at com.sap.engine.services.jmx.connector.p4.P4ConnectorClient.<init>(P4ConnectorClient.java:96)
at com.sap.engine.services.jmx.connector.p4.ConnectorFactory.getJmxConnector(ConnectorFactory.java:31)
at com.sap.jmx.remote.JmxConnectionFactory.getConnector(JmxConnectionFactory.java:191)
at com.sap.jmx.remote.JmxConnectionFactory.getMBeanServerConnection(JmxConnectionFactory.java:92)
at com.sap.engine.config.diagtool.util.LCClient.init(LCClient.java:163)
at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:275)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:394)
Caused by: com.sap.engine.services.jndi.persistent.exceptions.NoPermissionException: Exception during getInitialContext operation. Wrong security principle/credentials. [Root exception is com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.]
at com.sap.engine.services.jndi.InitialContextFactoryImpl.handleUserProblem(InitialContextFactoryImpl.java:512)
at com.sap.engine.services.jndi.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:366)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:675)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:257)
at javax.naming.InitialContext.init(InitialContext.java:233)
at javax.naming.InitialContext.<init>(InitialContext.java:209)
at com.sap.engine.services.jmx.connector.p4.P4ConnectorClient.<init>(P4ConnectorClient.java:69)
... 11 more
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:177)
at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.java:72)
at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextHelperImplp4_Skel.java:64)
at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:320)
at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:198)
at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:129)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:215)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Authentication did not succeed.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:177)
... 13 more
Error Messages in Step 5
Error connecting to the LDAP server
[EXCEPTION]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2666)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:81)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:675)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:257)
at javax.naming.InitialContext.init(InitialContext.java:233)
at javax.naming.InitialContext.<init>(InitialContext.java:209)
at com.sap.engine.config.diagtool.lib.ldap.LDAPServer.connect(LDAPServer.java:99)
at com.sap.engine.config.diagtool.tests.authentication.krb.MSActiveDirectoryKrbTest.checkServiceUser(MSActiveDirectoryKrbTest.java:153)
at com.sap.engine.config.diagtool.tests.authentication.krb.MSActiveDirectoryKrbTest.execute(MSActiveDirectoryKrbTest.java:127)
at com.sap.engine.config.diagtool.Task.execute(Task.java:55)
at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:343)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:394)
Error Messages in Step 8
LC client was not initialized
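
Added example (not part of the original post, and not SAP diagtool code): a small Python triage helper that reduces each diagtool section to its root exception and decodes the Active Directory bind sub-code (`data 52e`) carried in the Step 5 LDAP error 49. The function and table names are made up for this example, the sub-code table lists the commonly documented Win32 logon errors, and `SAMPLE` is an abridged copy of the output above.

```python
import re

# Active Directory reports the Win32 logon error, in hex, as "data NNN"
# inside an LDAP result code 49 bind failure.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (bad password or bind user name)",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}
SECTION = re.compile(r"^(?:<b>)?(Error Messages in .+?)(?:</b>)?$")
EXC = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): (.*)$")
LDAP_ERR = re.compile(r"LDAP: error code (\d+) .*?AcceptSecurityContext error, data ([0-9a-fA-F]+)")
# Abridged excerpt of the diagtool output quoted in the post.
SAMPLE = """\
Error Messages in Diagtool Header
com.sap.engine.services.jmx.exception.JmxConnectorException: Unable to connect to connector server.
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Authentication did not succeed.
Error Messages in Step 5
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
"""

def triage(text):
    """Return (section, root exception, explanation) per diagtool section."""
    chains, current = {}, None
    for line in map(str.strip, text.splitlines()):
        sec, exc = SECTION.match(line), EXC.match(line)
        if sec:
            current = sec.group(1)
            chains[current] = []
        elif exc and current:
            chains[current].append(exc.groups())
    findings = []
    for title, chain in chains.items():
        if chain:
            cls, msg = chain[-1]  # the last exception line is the root cause
            ldap = LDAP_ERR.search(msg)
            if ldap:
                sub = int(ldap.group(2), 16)
                msg = "LDAP result %s, AD sub-code %x: %s" % (
                    ldap.group(1), sub, AD_BIND_SUBCODES.get(sub, "unknown"))
            findings.append((title, cls.rsplit(".", 1)[-1], msg))
    return findings
```

Calling `triage()` on the full diagtool output gives one line of root cause per section, which separates the P4/JMX login failure in the header from the LDAP bind failure in Step 5.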