Former Member

SSO configuration between Windows ADS and AS JAVA.

Hi,

We had activated SPNego for authenticating users with Kerberos SSO for AS Java CE 7.11; the UME data source is AS ABAP Solution Manager 7.0 EHP1.

All configuration was done according to the documentation and SAP notes (NOTE#994791).

Regardless, the login form (SAP NW) appears, so the Kerberos SSO with SPNego does not work for our AS Java system.

In trace files there are error messages:

...

com.sap.engine.services.security.autentification.calllbackhandler.handle(HttpGetterCallback) Cookie MYSAPSSO2 is not found

...

CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

[EXCEPTION]

#1#GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

...

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

...

Neither SPNego resolution mode, simple nor prefixbased, works.

The ADS user j2ee-<AS_JAVA_SID> has the appropriate DES encryption property.

Regards

Dalibor


2 Answers

  • Best Answer
    Former Member
    Jan 13, 2010 at 08:34 PM

    Hello Dalibor,

    While the service account user object has Use DES selected, it would appear your user session is still sending the AS Java an RC4 service ticket. This might occur if your user had requested a service ticket before Use DES was selected, or before that setting had replicated to the appropriate domain controller. The fix might be as simple as logging out and logging back in now that some time has passed.

    You could also download the Microsoft kerbtray utility and inspect the service ticket enc type to validate this. kerbtray can also be used to clear old tickets and is generally useful for troubleshooting this kind of thing.

    Thanks!

    Kyle

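The mismatch described in the answer above can also be confirmed on the server side by pulling the ticket encryption type out of the GSSException text and comparing it with the key types held for the service account. The Python sketch below is an added example, not part of the original thread and not SAP code; the function name, the DES-only key set and the two DES trace labels are assumptions.

```python
import re

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NUMBER = {"des-cbc-crc": 1, "des-cbc-md5": 3, "rc4-hmac": 23,
                "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18}

# Trace label -> canonical etype name. "RC4 with HMAC" is the label in the
# trace from the question; the two DES labels are assumptions.
TRACE_LABEL = {
    "RC4 with HMAC": "rc4-hmac",
    "DES CBC mode with CRC-32": "des-cbc-crc",
    "DES CBC mode with MD5": "des-cbc-md5",
}

MISSING_KEY = re.compile(
    r"Cannot find key of appropriate type to decrypt AP REP - (?P<label>[^)]+)\)"
)


def find_etype_mismatches(trace_lines, server_key_etypes):
    """Return one finding per ticket etype for which the server has no key."""
    seen, findings = set(), []
    for line in trace_lines:
        m = MISSING_KEY.search(line)
        if not m:
            continue
        label = m.group("label").strip()
        etype = TRACE_LABEL.get(label, label)  # unknown labels pass through
        if etype in seen or etype in server_key_etypes:
            continue  # already reported, or not an etype mismatch
        seen.add(etype)
        findings.append({"ticket_etype": etype,
                         "etype_number": ETYPE_NUMBER.get(etype),
                         "server_keys": sorted(server_key_etypes)})
    return findings


# Constructed sample built from the trace lines quoted in the question.
SAMPLE_TRACE = [
    "Cookie MYSAPSSO2 is not found",
    "CreateContext failed: GSSException: Failure unspecified at GSS-API level "
    "(Mechanism level: Invalid argument (400) - Cannot find key of appropriate "
    "type to decrypt AP REP - RC4 with HMAC)",
    "#1#GSSException: Failure unspecified at GSS-API level (Mechanism level: "
    "Invalid argument (400) - Cannot find key of appropriate type to decrypt "
    "AP REP - RC4 with HMAC)",
]
# Assumption: with "Use DES" set, only DES keys exist for the service account.
DES_ONLY = {"des-cbc-crc", "des-cbc-md5"}

if __name__ == "__main__":
    print(find_etype_mismatches(SAMPLE_TRACE, DES_ONLY))
```

An empty result for a trace that still contains the error means the reported etype is one the server is expected to hold, which points at the key material rather than at the ticket's encryption type.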

  • Jan 13, 2010 at 11:33 PM

    If you are interested in using an SPNEGO login module which supports RC4 (even when using Java 1.4), then you can find one on SAP EcoHub - just search for spnego.

    Thanks,

    Tim
