Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SPNEgo with UME-ABAP.

Former Member

‎06-25-2008 6:31 PM

0 Kudos

Hi All,

I have configured integrated login with SPNEGO wizard with UME-ABAP.

All the settings seems to be ok, including the cases of service user name and KDC.

I have checked the ticket using 'kerbtray'.

But integrated logon is not functioning. When I am checking the security log, the failure is associated with the J2EE_GUEST user instead of the user name I am trying to logon with.

I have been searching for any link between J2EE_GUEST and the logon procedure without success.

Please find the extract of the log below.

Anyone could please help me..

#1.5 #0018FEFB6245006A0000003100003B780004506C9ACD8563#1214327290750#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0##n/a##1f9129e1421011dd8aba0018fefb6245#SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED

User: N/A

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Unable to acquire GSS credentials for at least one Kerberos realm

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true #

#1.5 #0018FEFB624500610000002E00003B780004506C9B3C6EBD#1214327298016#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#J2EE_GUEST#118##n/a##04c75d60420f11ddc8080018fefb6245#Thread[Thread-56,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###: Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.OK#SAP-J2EE-Engine#guests# #1.5 #0018FEFB624500610000002F00003B780004506C9BD50F8E#1214327308032#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#J2EE_GUEST#119##n/a##04c75d60420f11ddc8080018fefb6245#Thread[Thread-56,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###: Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.OK#SAP-J2EE-Engine#guests# #1.5 #0018FEFB624500610000003000003B780004506C9C6DB02C#1214327318032#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#J2EE_GUEST#120##n/a##04c75d60420f11ddc8080018fefb6245#Thread[Thread-56,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###: Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.OK#SAP-J2EE-Engine#guests#

thanks & regards

K. Muhammed Ali

3 REPLIES 3

former_member698570
Active Participant

‎06-26-2008 10:06 AM

0 Kudos

Hi,

I think the message you should worry about is the following:

Unable to acquire GSS credentials for at least one Kerberos realm

Have you already increased the loglevel to get additional information?

Please increase the loglevel for Location com/sap/security/core/server/jaas and also System/err and System/out using the Log Configurator Service (All logs will be written to default trace)

When you found more information that might be useful to help you post it here.

Did you create a service user for Kerberos and added a custom attribute krb5prinicipalname in the UME?

If not try creating a service user in your ABAP Stack (say SPNEGOSVC). Add the custom attribute krb5prinicipalname to J2EE UME. Edit the SPNEGOSVC user withinthe UME User Administration and edit the attribute krb5principalname. Enter the principal (e.g. host/<FQDN>@<REALM>)

FQDN should be the full qualified name of your engine host such as myhost.domain.com and REALM the realm as configured in the krb5.conf File and when creating the service principal name in your Domain Controller

Cheers

Former Member

‎06-26-2008 11:26 AM

0 Kudos

Hi ,

Thanks a lot for the help.

I have maintained the krb5principalname for the serviceuser (j2ee_ep1) in ABAP with user principal name (j2ee_ep1@REALMNAME). Your suggestion is to put the hostname. Could you please clarify whether I am doing wrong.

Please find the detailed trace with current settings.

1.5 #0018FEFB624501420000000000003B780004508EDC9E3C3C#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is true principal is j2ee_ep1@REALMNAME tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration#

#1.5 #0018FEFB624501420000000100003B780004508EDC9E3E78#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###Refreshing Keytab#

#1.5 #0018FEFB624501420000000200003B780004508EDC9E3FB1#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KeyTabInputStream, readName(): REALMNAME#

#1.5 #0018FEFB624501420000000300003B780004508EDC9E3FF7#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KeyTabInputStream, readName(): j2ee_ep1#

#1.5 #0018FEFB624501420000000400003B780004508EDC9E4047#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KeyTab: load() entry length: 46; type: 3#

#1.5 #0018FEFB624501420000000500003B780004508EDC9E40AB#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###principal's key obtained from the keytab#

#1.5 #0018FEFB624501420000000600003B780004508EDC9E40E5#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###principal is j2ee_ep1@REALMNAME#

#1.5 #0018FEFB624501420000000700003B780004508EDC9E41B2#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType#

#1.5 #0018FEFB624501420000000800003B780004508EDC9E45F2#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KrbAsReq calling createMessage#

#1.5 #0018FEFB624501420000000900003B780004508EDC9E462E#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KrbAsReq in createMessage#

#1.5 #0018FEFB624501420000000A00003B780004508EDC9E47C4#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KrbAsReq etypes are: 1

>>> KrbKdcReq send: kdc=saffsj.REALMNAME UDP:88, timeout=30000, number of retries =3, \#bytes=222#

#1.5 #0018FEFB624501420000000B00003B780004508EDC9E49F1#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KDCCommunication: kdc=saffsj.REALMNAME UDP:88, timeout=30000,Attempt =1, \#bytes=222#

#1.5 #0018FEFB624501420000000C00003B780004508EDC9E520C#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KrbKdcReq send: \#bytes read=150#

#1.5 #0018FEFB624501420000000D00003B780004508EDC9E525B#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KrbKdcReq send: \#bytes read=150#

#1.5 #0018FEFB624501420000000E00003B780004508EDC9E52A6#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>> KDCRep: init() encoding tag is 126 req type is 11#

#1.5 #0018FEFB624501420000000F00003B780004508EDC9E5388#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain###>>>KRBError:#

#1.5 #0018FEFB624501420000001000003B780004508EDC9E53F8#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### sTime is Thu Jun 26 13:00:23 GMT+03:00 2008 1214474423000#

#1.5 #0018FEFB624501420000001100003B780004508EDC9E5437#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### suSec is 529248#

#1.5 #0018FEFB624501420000001200003B780004508EDC9E5474#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### error code is 24#

#1.5 #0018FEFB624501420000001300003B780004508EDC9E54BC#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### error Message is Pre-authentication information was invalid#

#1.5 #0018FEFB624501420000001400003B780004508EDC9E54F5#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### realm is REALMNAME#

#1.5 #0018FEFB624501420000001500003B780004508EDC9E552C#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### sname is krbtgt/REALMNAME#

#1.5 #0018FEFB624501420000001600003B780004508EDC9E555F#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### eData provided.#

#1.5 #0018FEFB624501420000001700003B780004508EDC9E55B0#1214474423775#System.out#sap.com/irj#System.out#J2EE_GUEST#0##n/a##b1af16f0436611ddc5e20018fefb6245#Thread[Thread-283,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info##Plain### [Krb5LoginModule] authentication failed

Pre-authentication information was invalid (24)#

#1.5 #0018FEFB6245006A0000030B00003B780004508EDC9E6EA6#1214474423791#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0##n/a##b1af16f1436611dd994e0018fefb6245#SAPEngine_Application_Thread[impl:3]_7##0#0#Error##Java###Acquiring credentials for realm REALMNAME failed

[EXCEPTION]

#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)

Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

... 9 more

Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)

... 24 more

Caused by: KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)

at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)

at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)

... 24 more

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.ah.a(DashoA12275:134)

at sun.security.krb5.internal.av.a(DashoA12275:63)

at sun.security.krb5.internal.av.<init>(DashoA12275:58)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

... 30 more

thanks & regards

K. Muhammed Ali

Former Member

‎06-26-2008 11:40 AM

0 Kudos

Hi,

do you have read this SAP note? Note 958107 - Using Diagtool for Troubleshooting Kerberos

I have used a Wireshark program to find errors....