01-13-2010 8:30 AM
Hi,
We had activated SPNego for authenticating users with Kerberos SSO for AS Java CE 7.11; the UME data source is AS ABAP Solution Manager 7.0 EHP1.
All configuration was done according to the documentation and SAP notes (NOTE#994791).
Regardless, the login form (SAP NW) appears, so the Kerberos SSO with SPNego does not work for our AS Java system.
In trace files there are error messages:
...
com.sap.engine.services.security.autentification.calllbackhandler.handle(HttpGetterCallback) Cookie MYSAPSSO2 is not found
...
CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
[EXCEPTION]
#1#GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
...
Login Module
Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule
SUFFICIENT ok false true
2. com.sap.security.core.server.jaas.SPNegoLoginModule
OPTIONAL ok exception true Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
3. com.sap.security.core.server.jaas.CreateTicketLoginModule
SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule
REQUISITE ok false true
...
Neither SPNego resolution mode simple nor prefixbased works.
The ADS user j2ee-<AS_JAVA_SID> has the appropriate DES encryption property set.
Regards
Dalibor
01-13-2010 8:34 PM
Hello Dalibor,
While the service account user object has Use DES selected, it would appear your user session is still sending the AS Java an RC4 service ticket. This might occur if your user had requested a service ticket before Use DES was selected, or before that setting had replicated to the appropriate domain controller. The fix might be as simple as logging out and logging back in now that some time has passed.
You could also download the Microsoft kerbtray utility and inspect the service ticket enc type to validate this. kerbtray can also be used to clear old tickets and is generally useful for troubleshooting this kind of thing.
Thanks!
Kyle
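The mismatch Kyle describes (an RC4 service ticket presented to a server that only holds a DES key) can be checked offline against the keytab instead of guessing. The script below is an added example, not part of the original thread or of SAP's SPNego login module: it parses an MIT-format keytab (the 0x0502 layout written by ktpass and Java's ktab), lists the encryption type of each key, and compares them with the enctype of the ticket the client sent (from kerbtray, or from Windows klist on Vista and later, shown as "KerbTicket Encryption Type"). The service principal, realm and keytab contents are constructed sample data; enctype numbers are the IANA Kerberos assignments (3 = des-cbc-md5, 23 = rc4-hmac).

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 4757). The SAP trace calls 23 "RC4 with HMAC".
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into an MIT v0x0502 keytab.
    Only used here to construct sample input; real keytabs come from ktpass or ktab."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (unused here)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse an MIT-format keytab into a list of {principal, kvno, enctype} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", data, p); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 4                       # name type
        p += 4                       # timestamp
        kvno = data[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        p += klen                    # the key material itself is not needed for the check
        if end - p >= 4:             # optional 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def diagnose(ticket_enctype, keytab, service_principal):
    """Return 'ok' if the keytab holds a key of the ticket's enctype for the SPN,
    otherwise a 'mismatch: ...' line that mirrors the GSS-API failure in the trace."""
    keys = [e for e in parse_keytab(keytab) if e["principal"] == service_principal]
    have = sorted({e["enctype"] for e in keys})
    if ticket_enctype in have:
        return "ok"
    want = ENCTYPES.get(ticket_enctype, str(ticket_enctype))
    got = ", ".join(ENCTYPES.get(t, str(t)) for t in have) or "no key for this principal"
    return "mismatch: ticket is %s but keytab has %s" % (want, got)


# Constructed sample: the service account was exported with a DES key only (kvno 2),
# while the client still presents an RC4 ticket, which is Dalibor's situation.
SPN = "HTTP/sapj2ee.example.com@EXAMPLE.COM"           # hypothetical SPN of the AS Java host
DES_ONLY_KEYTAB = build_keytab([(SPN.split("@")[0], "EXAMPLE.COM", 2, 3, bytes(8))])
RC4_KEYTAB = build_keytab([(SPN.split("@")[0], "EXAMPLE.COM", 2, 23, bytes(16))])

if __name__ == "__main__":
    for e in parse_keytab(DES_ONLY_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], ENCTYPES.get(e["enctype"]))
    print(diagnose(23, DES_ONLY_KEYTAB, SPN))   # the RC4 ticket cannot be decrypted with a DES key
    print(diagnose(3, DES_ONLY_KEYTAB, SPN))    # a fresh DES ticket after re-logon succeeds
    print(diagnose(23, RC4_KEYTAB, SPN))        # or keep RC4 on both sides
```

Run it against the real keytab configured for the SPNego login module by reading the file into `keytab` and taking `ticket_enctype` from the client's ticket display; if the keytab contains only enctype 3 while the client shows an RC4 ticket, purging the client's tickets (or re-logging on) after the Use DES flag has replicated is exactly the fix proposed above. Also compare kvno: a keytab generated before the account's password or DES flag changed has an older kvno than the ticket and fails in the same way.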
01-13-2010 11:33 PM
If you are interested in using an SPNEGO login module which supports RC4 (even when using Java 1.4), then you can find one on SAP EcoHub - just search for spnego.
Thanks,
Tim