Hi,
We've done the SPNEGO implementation steps as follows:
1. Created a Service user named portaladsuser
2. Executed the following command on the DC:
setspn -a HTTP/portaltest.domain.com portaladsuser
3. Executed the following commands on the DC:
ktpass -princ host/portaltest.domain.com@DOMAIN.COM -pass password -out keytab.txt +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
ktpass -princ HTTP/portaltest.domain.com@DOMAIN.COM -pass password -out keytab.txt -in keytab.txt -mapUser portaladsuser +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
4. Imported the template datsource conf. file to portal via configtool
5. Ran the SPNEGO wizard and gave the following as parameters:
Kerberos Realm: DOMAIN.COM
KDC Host/port: <ip_of_dc>:88
Retrieve Principal
Service User: portaladsuser
Service User Passwd: ****
LDAP Host: <ip_of_dc>
LDAP Port: 389
Select Prefix-based and leave rest as default.
Test resolution mode runs with success.
set ticket and sec_form policy conf. with spnego auth. template
6. Restart System
7. configure IE settings on client
8. Logon with DC user
9. A popup asks for user/passwd when calling the portal via http://portaltest.domain.com:50000/irj/portal
10. security log shows the following messages
#1.#0050568817F2006900000056000007010004446B36F11860#1201127180802#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0####38ec2e20ca0211dc9e540050568817f2#SAPEngine_Application_Thread[impl:3]_0##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #
#1.#0050568817F2007400000063000007010004446B36F25A16#1201127180884#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0####38f49290ca0211dc80260050568817f2#SAPEngine_Application_Thread[impl:3]_39##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #
#1.#0050568817F2007400000064000007010004446B36F262CC#1201127180886#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0####38f49290ca0211dc80260050568817f2#SAPEngine_Application_Thread[impl:3]_39##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.0.0.12], Reason=[No login module succeeded.]#
Any idea?
BTW, here are our platform details:
Portal: Netweaver 7.0 SPS13
Platform : RHEL 4 U4/Oracle 10.2.0.2
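
Added example, not part of the original post: a small Python parser for the login-stack table in the security log above. It lists the modules whose login raised an exception and checks whether any module reported a successful login. The function names and the field name `commit_or_abort` are assumptions of this example; the flattened log text shows only one Commit/Abort value per row.

```python
import re

# Login-stack table copied from the first LOGIN.FAILED record in the post
# (the '#'-delimited record header before LOGIN.FAILED is left out).
SAMPLE = """\
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #
"""

# position, module class, JAAS flag, initialize, login, one commit/abort value,
# then free-text details; a trailing '#' closes the log record.
ROW = re.compile(
    r"^(\d+)\.\s+(\S+)\s+(SUFFICIENT|OPTIONAL|REQUISITE|REQUIRED)"
    r"\s+(\S+)\s+(\S+)(?:\s+(true|false))?\s*(.*?)\s*#?\s*$"
)

def parse_stack(text):
    """Return (stack_name, rows) for one flattened login-stack table."""
    stack, rows = None, []
    for line in text.splitlines():
        if line.startswith("Authentication Stack:"):
            stack = line.split(":", 1)[1].strip()
            continue
        m = ROW.match(line.strip())
        if m:
            pos, module, flag, init, login, last, details = m.groups()
            rows.append({"pos": int(pos), "module": module, "flag": flag,
                         "initialize": init, "login": login,
                         "commit_or_abort": last, "details": details})
    return stack, rows

def login_exceptions(rows):
    """Modules whose Login column reads 'exception', with their details."""
    return [(r["module"], r["flag"], r["details"])
            for r in rows if r["login"] == "exception"]

def any_succeeded(rows):
    """True if at least one module reported login == 'true'."""
    return any(r["login"] == "true" for r in rows)

if __name__ == "__main__":
    stack, rows = parse_stack(SAMPLE)
    print(stack, login_exceptions(rows), any_succeeded(rows))
```

On the sample, the only exception comes from the OPTIONAL SPNegoLoginModule, whose details say the request carried no authorization header, and no module reports a successful login, which matches the `No login module succeeded.` audit entry.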