
SPNEGO - NTLM token received in authorization header


Hi,

I am trying to authenticate to SAP Netweaver Portal 75 with an Active Directory user. It works if I use these entries:

http://host1:50500/irj/portal

http://host1.domain.es:50500/irj/portal

http://host1.subdomain.domain.es:50500/irj/portal

http://servername:50500/irj/portal

http://servername.domain.es:50500/irj/portal

http://servername.subdomain.domain.es:50500/irj/portal

But they also have configured in F5 rules a new address:

http://host2.domain.es

They want to access the Portal with that URL without port (obviously it is 80).

When I access the first 6 entries it works and login is done with the Windows user. When I access this last URL it returns an error and prompts the login page without logging in to the SAP Portal. The error is:

NTLM token received in authorization header

I have also made some nslookup queries:

1.- The first 6 entries return servername.domain.es

2.- The last entry returns host2.domain.es

One last thing, the Realm is configured:

- Principal only. Logon ID.

- HTTP/servername.domain.es@REALM

What could I do? Do I have to config 2 different setspn for both servername.domain.es and host2.domain.es?

Thanks.

Accepted Solutions (1)


Colt
Active Contributor

Hi, correct. You have to register every URL as SPN. Make sure you are not using CNAME (Alias).

If you are using a CNAME alias, register SPNs to the actual hostname and the CNAME. You must register the Kerberos service principal names (SPNs), the hostname, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and your browser tries NTLM authentication, which leads to that issue.

Cheers
Carsten

Answers (1)


oppancs
Contributor

Dear Iker,


For successful Kerberos authentication, the Netweaver AS Java expects the browser to send a SPNego token containing a valid Kerberos ticket. The Netweaver AS Java does not support the use of NTLM tokens for authentication. From the AS Java perspective it is not an issue, as it eats what is given to it.


You can check best practices and hints in the KBA: 1649110 - NTLM token received in authorization header, SPNego for Kerberos Authentication.


If this KBA does not help, it is worth raising a question in e.g. another vendor's (which supports KDC) forum.


Best Regards,
Barnabás Paksi
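
A diagnostic sketch for the error discussed in this thread, added here as an example and not taken from SAP or from any poster: it classifies the token in an `Authorization` header as Kerberos or NTLM, so a header captured for the F5 URL can be compared with one from a working URL. The function name and the sample tokens are constructed for illustration, and the OID search is a heuristic rather than a full DER parse.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KERBEROS_OIDS = (
    bytes.fromhex("06092a864886f712010202"),          # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),          # 1.2.840.48018.1.2.2 (legacy Microsoft)
)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'malformed' or 'other' for an Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:             # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"              # raw NTLMSSP message sent under Negotiate
    if token[:1] != b"\x60":       # GSS-API initial tokens start with [APPLICATION 0]
        return "other"
    # Heuristic: the mechanism OID that appears first in the token is the one
    # the client prefers and supplies a mechToken for.
    krb = min((p for p in map(token.find, KERBEROS_OIDS) if p >= 0), default=-1)
    found = {k: p for k, p in (("kerberos", krb), ("ntlm", token.find(NTLM_OID))) if p >= 0}
    return min(found, key=found.get) if found else "other"


def _negotiate(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed samples: truncated token prefixes, not real tickets; the DER
# length bytes are placeholders and are not checked by the classifier.
SAMPLE_NTLM = _negotiate(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2")
SAMPLE_KERBEROS = _negotiate(b"\x60\x82\x05\x00" + SPNEGO_OID + b"\xa0\x82\x04\xf0\x30\x82\x04\xec"
                             + b"\xa0\x24\x30\x22" + KERBEROS_OIDS[1] + KERBEROS_OIDS[0] + NTLM_OID)
SAMPLE_WRAPPED_NTLM = _negotiate(b"\x60\x40" + SPNEGO_OID + b"\xa0\x36\x30\x34\xa0\x0e\x30\x0c"
                                 + NTLM_OID + b"\xa2\x22\x04\x20" + NTLMSSP_SIGNATURE)

if __name__ == "__main__":
    for name in ("SAMPLE_NTLM", "SAMPLE_KERBEROS", "SAMPLE_WRAPPED_NTLM"):
        print(name, "->", classify_authorization(globals()[name]))
```

A result of `ntlm` for the alias URL and `kerberos` for the working URLs points at the missing SPN registration described in the accepted solution.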