Jan 23, 2008 at 10:31 PM

SPNEGO Problem


Hi,

We've done the SPNEGO implementation steps as follows:

1. Created a Service user named portaladsuser

2. Executed the following command on the DC:

setspn -a HTTP/portaltest.domain.com portaladsuser

3. Executed the following commands on the DC:

ktpass -princ host/portaltest.domain.com@DOMAIN.COM -pass password -out keytab.txt +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

ktpass -princ HTTP/portaltest.domain.com@DOMAIN.COM -pass password -out keytab.txt -in keytab.txt -mapUser portaladsuser +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

4. Imported the template datasource conf. file to the portal via configtool

5. Ran the SPNEGO wizard and gave the following as parameters:

Kerberos Realm: DOMAIN.COM

KDC Host/port: <ip_of_dc>:88

Retrieve Principal

Service User: portaladsuser

Service User Passwd: ****

LDAP Host: <ip_of_dc>

LDAP Port: 389

Select Prefix-based and leave rest as default.

Test resolution mode runs with success.

Set ticket and sec_form policy conf. with the spnego auth. template

6. Restarted the system

7. Configured IE settings on the client

8. Logged on with a DC user

9. A popup asks for user/passwd when calling the portal via http://portaltest.domain.com:50000/irj/portal

10. The security log shows the following messages:

#1.#0050568817F2006900000056000007010004446B36F11860#1201127180802#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0####38ec2e20ca0211dc9e540050568817f2#SAPEngine_Application_Thread[impl:3]_0##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #

#1.#0050568817F2007400000063000007010004446B36F25A16#1201127180884#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0####38f49290ca0211dc80260050568817f2#SAPEngine_Application_Thread[impl:3]_39##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied.

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #

#1.#0050568817F2007400000064000007010004446B36F262CC#1201127180886#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0####38f49290ca0211dc80260050568817f2#SAPEngine_Application_Thread[impl:3]_39##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[10.0.0.12], Reason=[No login module succeeded.]#

Any idea?

BTW, here are our platform details:

Portal: Netweaver 7.0 SPS13

Platform : RHEL 4 U4/Oracle 10.2.0.2
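
Added example, not part of the original post: a small Python parser for the login-module rows of the LOGIN.FAILED entries quoted above, reporting which module raised an exception and whether any module's login step returned true. The function names are hypothetical, and because the table columns are flattened in the post, only the Initialize and Login cells are assigned by position.

```python
import re

# Login-module rows copied from the first LOGIN.FAILED entry in the post above.
SAMPLE = """\
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #
"""

FLAGS = "SUFFICIENT|OPTIONAL|REQUISITE|REQUIRED"  # standard JAAS control flags
ROW = re.compile(rf"^(\d+)\.\s+([\w.]+)\s+({FLAGS})\s*(.*)$")
STATUS = {"ok", "true", "false", "exception"}


def parse_stack(text):
    """Return one dict per login-module row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # stack name, column header, blank line
        pos, module, flag, rest = m.groups()
        tokens = rest.rstrip("# ").split()  # drop the record terminator '#'
        # Leading status tokens are the Initialize/Login/Commit/Abort cells;
        # everything after them is the free-text Details column.
        n = 0
        while n < min(len(tokens), 4) and tokens[n] in STATUS:
            n += 1
        rows.append({
            "pos": int(pos),
            "module": module.rsplit(".", 1)[-1],
            "flag": flag,
            "initialize": tokens[0] if n > 0 else None,
            "login": tokens[1] if n > 1 else None,
            "details": " ".join(tokens[n:]),
        })
    return rows


def login_exceptions(rows):
    """Modules whose Login cell is 'exception', with their Details text."""
    return [(r["module"], r["flag"], r["details"]) for r in rows if r["login"] == "exception"]


def any_login_succeeded(rows):
    """True if at least one module's Login cell is 'true'."""
    return any(r["login"] == "true" for r in rows)
```

On the sample rows, `login_exceptions` returns only the SPNegoLoginModule row and `any_login_succeeded` is false, which matches the "No login module succeeded." reason in the audit entry.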