Former Member

NTLM token found in authorization header during SPNego authentication

Hi,

I am facing the "NTLM token found in authorization header during SPNego authentication" error for some of the users. Can anyone help to solve this?

errors:

NTLM token found in authorization header during SPNego authentication.

14:11:39:472 Warning Guest ~n_Thread[impl:3]_43 ~on.loginmodule.spnego.SPNegoLoginModule Authentication failed. Error during handshake. Check the trace file for details.
14:11:39:473 Warning Guest ~n_Thread[impl:3]_43 ~on.loginmodule.spnego.SPNegoLoginModule Error during handshake.
[EXCEPTION]
com.sap.security.core.server.jaas.spnego.SPNegoProtocolException: NTLM token received in authorization header.
    at com.sap.security.core.server.jaas.SPNegoLoginModule.checkAuthorizationHeaderToken(SPNegoLoginModule.java:410)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:686)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:231)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:177)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:231)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:145)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
    at java.security.AccessController.doPrivileged(AccessController.java:231)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:207)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
14:11:39:474 Debug Guest ~n_Thread[impl:3]_43 ~on.loginmodule.spnego.SPNegoLoginModule set Satus Code On Fail = 401
14:11:39:474 Debug Guest ~n_Thread[impl:3]_43 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack spnego does not authenticate the caller.
14:11:39:474 Path Guest ~n_Thread[impl:3]_43 ~.ticket.CreateTicketLoginModule.login() Entering method
14:11:39:475 Info Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
14:11:39:475 Path Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
14:11:39:475 Debug Guest ~n_Thread[impl:3]_43 ~on.loginmodule.BasicPasswordLoginModule No user name provided.
14:11:39:475 Path Guest ~n_Thread[impl:3]_43 ~.ticket.CreateTicketLoginModule.login() Entering method
14:11:39:475 Info Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
14:11:39:475 Path Guest ~n_Thread[impl:3]_43 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
14:11:39:476 Path Guest ~n_Thread[impl:3]_43 ~engine.services.security.authentication Exception : Cannot authenticate the user


2 Answers

  • Aug 08, 2008 at 08:10 AM

    Krishnam,

    SPNEGO = Simple and Protected GSSAPI Negotiation Mechanism.

    In short, this means that when you use SPNEGO, a negotiation of security mechanism takes place. The implementation of SPNEGO in Microsoft Web browsers negotiates between Kerberos and NTLM mechanisms. This means that if both browser and Web server support Kerberos, this will be used, but if for some reason Kerberos is not possible the browser will try NTLM. You therefore might be getting NTLM tokens sent to the SAP server because the browser is unable to authenticate using Kerberos. The SAP SPNEGO login module only supports Kerberos tokens, not NTLM.

    Common reasons why the browser cannot support Kerberos are:

    1. A request for a service ticket is sent to the Active Directory DC, and the ticket was not issued for some reason - checking traces or event logs will show this. You can also use the kerbtray tool on the workstation to check if the ticket was issued.

    2. There might be a clock skew issue between the workstation time and the time on the DC.

    3. You might be using a browser that does not support Kerberos.

    4. The wrong URL is entered in the browser, so the browser is unable to construct the name of the service principal to request from the DC.

    I hope this helps.

    Tim
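
The Kerberos-or-NTLM negotiation described in the answer above can be checked directly on the `Authorization` header a browser sends. This is an added example, not part of the thread and not SAP code; the function names and sample tokens are constructed for illustration, and it also covers the case where NTLM arrives wrapped inside a SPNEGO token.

```python
import base64

# DER OID values (tag and length stripped) of the mechanisms a browser may offer.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def _tlv(buf, pos):  # read one DER element; returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def offered_mechs(token):
    """Mechanism OIDs of a GSS-API initial token, in the client's preference order."""
    _, pos, _ = _tlv(token, 0)                    # [APPLICATION 0] wrapper (0x60)
    _, start, pos = _tlv(token, pos)              # thisMech OID
    if token[start:pos] != SPNEGO:
        return [token[start:pos]]                 # e.g. a bare Kerberos AP-REQ
    for _ in range(4):  # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF OID
        _, pos, end = _tlv(token, pos)
    mechs = []
    while pos < end:
        _, start, pos = _tlv(token, pos)
        mechs.append(token[start:pos])
    return mechs

def classify(header_value):
    """Return 'ntlm', 'kerberos' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "ntlm"                         # raw NTLM message in the header
        first = offered_mechs(token)[0]
    except (ValueError, IndexError):
        return "unknown"
    return "kerberos" if first in (KRB5, MS_KRB5) else "ntlm" if first == NTLMSSP else "unknown"

def der(tag, body):                               # sample builder, short lengths only
    return bytes([tag, len(body)]) + body
# Constructed samples, not captured traffic.
_mechs = b"".join(der(0x06, m) for m in (MS_KRB5, KRB5, NTLMSSP))
_init = der(0xA0, der(0x30, der(0xA0, der(0x30, _mechs))))
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + _init)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
```

A header whose base64 payload begins with `TlRMTVNTUAAB` is a raw NTLM message, which is the case `classify` reports as `ntlm`.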


  • Former Member
    Aug 08, 2008 at 08:27 AM

    Hi again,

    Please use the following link to Troubleshooting Kerberos Errors

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

    Regards,

    Satish


    • > Thanks Tim, I have posted a new thread for this issue. "Authentication failed. Error during handshake: SPNEGO Authentication fails". Kindly provide me some inputs as to how to debug this issue or any other tools I can deploy and run to pin-point the issue.

      I have not seen this thread yet. Did you post it in the security forum, or somewhere else on SDN?