
SSO configuration between Windows ADS and AS JAVA.

Former Member
0 Kudos

Hi,

We had activated SPNego for authenticating users with Kerberos SSO for AS Java CE 7.11; the UME data source is AS ABAP Solution Manager 7.0 EHP1.

All configuration was done according to the documentation and SAP Notes (NOTE#994791).

Regardless, the login form (SAP NW) appears, so the Kerberos SSO with SPNego does not work for our AS Java system.

In trace files there are error messages:

...

com.sap.engine.services.security.autentification.calllbackhandler.handle(HttpGetterCallback) Cookie MYSAPSSO2 is not found

...

CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

[EXCEPTION]

#1#GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

...

Login Module  Flag  Initialize  Login  Commit  Abort  Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule  SUFFICIENT ok false true
2. com.sap.security.core.server.jaas.SPNegoLoginModule  OPTIONAL ok exception true Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
3. com.sap.security.core.server.jaas.CreateTicketLoginModule  SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule  REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule  REQUISITE ok false true

...

Neither SPNego resolution mode, simple nor prefixbased, works.

The ADS user j2ee-<AS_JAVA_SID> has the appropriate property, DES encryption.

Regards

Dalibor

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Dalibor,

While the service account user object has Use DES selected, it would appear your user session is still sending the AS Java an RC4 service ticket. This might occur if your user had requested a service ticket before Use DES was selected, or before that setting had replicated to the appropriate domain controller. The fix might be as simple as logging out and logging back in now that some time has passed.

You could also download the Microsoft kerbtray utility and inspect the service ticket enc type to validate this. kerbtray can also be used to clear old tickets and is generally useful for troubleshooting this kind of thing.

Thanks!

Kyle
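
The mismatch described in this answer can be read straight out of the trace. The following is an added example, not part of the original posts and not SAP code: it extracts the ticket encryption type from the GSSException text and compares it with the etypes the service account holds keys for. The function names, the etype display names other than "RC4 with HMAC", and the DES-only key set are assumptions.

```python
import re

# Etype display names as printed in Java GSS messages, mapped to Kerberos etype
# numbers. Only "RC4 with HMAC" appears on this page; the other names are assumed.
ETYPE_NUMBERS = {
    "DES CBC mode with CRC-32": 1,
    "DES CBC mode with MD5": 3,
    "AES128 CTS mode with HMAC SHA1-96": 17,
    "AES256 CTS mode with HMAC SHA1-96": 18,
    "RC4 with HMAC": 23,
}
NO_KEY = re.compile(r"Cannot find key of appropriate type to decrypt AP REP - ([^)]+)\)")

def ticket_etypes_without_key(trace_lines):
    """Etype names for which the server reported having no decryption key."""
    # The diagnostics table wraps the message across lines, so join the lines
    # and collapse whitespace before matching.
    text = re.sub(r"\s+", " ", " ".join(trace_lines))
    return {name.strip() for name in NO_KEY.findall(text)}

def diagnose(trace_lines, service_key_etypes):
    """Compare etypes seen in the trace with the etype numbers the service has keys for."""
    findings = []
    for name in sorted(ticket_etypes_without_key(trace_lines)):
        number = ETYPE_NUMBERS.get(name)
        if number is None:
            findings.append(f"unrecognised etype name in trace: {name!r}")
        elif number not in service_key_etypes:
            findings.append(f"client ticket uses etype {number} ({name}); "
                            f"service has keys only for {sorted(service_key_etypes)}")
        else:
            findings.append(f"etype {number} ({name}) is configured, yet no key was found")
    return findings

# Sample input taken from the question: the exception line, and the same
# message as it appears wrapped inside the login module table.
TRACE = ["#1#GSSException: Failure unspecified at GSS-API level (Mechanism level: "
         "Invalid argument (400) - Cannot find key of appropriate type to decrypt "
         "AP REP - RC4 with HMAC)"]
WRAPPED = ["unspecified at GSS-API level (Mechanism level: Invalid argument (400)",
           "- Cannot find key of appropriate type to decrypt AP REP - RC4 with",
           "HMAC)"]
DES_ONLY = {1, 3}  # assumption: "Use DES" leaves the service with DES keys only

if __name__ == "__main__":
    for finding in diagnose(TRACE + WRAPPED, DES_ONLY):
        print(finding)
```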

2 REPLIES 2

tim_alsop
Active Contributor
0 Kudos

If you are interested in using an SPNEGO loginmodule which supports RC4 (even when using Java 1.4) then you can find one on SAP EcoHub - just search for spnego.

Thanks,

Tim