Skip to Content
0
Former Member
Sep 27, 2010 at 08:39 PM

SPNego Configuration with SPNEGO Add-on

65 Views

Hi, I'm trying to configure SPNego for a new client, I have done it multiple times with good results, but this time the client is running Domain Controllers over Windows 2008 and Clients over Citrix (Windows Server 2008 and IE8 too) and Windows 7.

I already downloaded the SPNEGO Add-on from note 1457499 and tried to follow the instructions but I still have some doubts. I had tried to configure the old way (old SPNEGO wizard) and of course it failed (due to the "DES encryption" deprecated by microsoft).

Modified the user to remove the "Use DES encryption" option and then tried to configure the new module (after deploying suscessfully). My questions are:

- Reading the new documentation, it does not say anything about the "krb5principalname; kpnprefix; dn" attributes, I have them on the ume.admin.addattrs parameter on the UME configuration on config tool. should I remove those?

- I created the keytab file with kdt on the jdk (1.6), but when I went to place the file on /usr/sap/<SID>/SYS/global/kerberos there is also a sub-folder with a krb5.conf file, should I delete this file? remember the old keytab was using DES encryption so I needed to create a new one for RC4.

- I'm configuring with Microsoft AD anybody knows what is the default mapping mode?

I really appreciate the effort from SAP to update the SPNEGO login module but it is obvious that there is lack of documentation about it.

Right now I'm getting "Login module com.sap.security.spnego.SPNEGOLoginModule from authentication stack ticket does not authenticate the caller." and on the summary of the "ticket" component, it gives me:

com.sap.security.spnego.SPNEGOLoginModule OPTIONAL ok exception true "Trigger SPNEGO authentication"

Any help is greatly appreciated.

Regards!