Hi,
I have an issue with SSO in an SAP Portal & Windows AD environment. It had been working for the last 8-9 months; suddenly users are getting the login screen. When I use Diagtool I get the messages below. My Windows team says they have no issue on the Wintel DC end, and from the UNIX standpoint we are also able to execute the commands below successfully.
/usr/bin/kinit -V -k HTTP/xxxeppdbci.xxx.comXXXXX.XXXIS.COM
Authenticated to Kerberos v5
13:17:30:618 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
13:17:30:628 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): XYZAB.XXXIS.COM
13:17:30:629 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): HTTP
13:17:30:629 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): XXXabcdbci.XXX.com
13:17:30:631 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTab: load() entry length: 66; type: 3
13:17:30:632 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out principal's key obtained from the keytab
13:17:30:632 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Acquire TGT using AS Exchange
13:17:30:636 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq calling createMessage
13:17:30:637 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq in createMessage
13:17:30:641 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000, number of retries =3, #bytes=161
13:17:30:793 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCCommunication: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000,Attempt =1, #bytes=161
13:17:30:944 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=193
13:17:30:944 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=193
13:17:30:946 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCRep: init() encoding tag is 126 req type is 11
13:17:30:948 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>KRBError:
13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out sTime is Sat Mar 05 13:17:30 PST 2011 1299359850000
13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out suSec is 418970
13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out error code is 25
13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out error Message is Additional pre-authentication required
13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out realm is XYZAB.XXXIS.COM
13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out sname is krbtgt/XYZAB.XXXIS.COM
13:17:30:951 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out eData provided.
13:17:30:951 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:
13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 11
13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-ETYPE-INFO etype = 1
13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 2
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-ENC-TIMESTAMP
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:
13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 15
13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Updated salt from pre-auth = XYZAB.XXXIS.COMHTTPXXXabcdbci.XXX.com
13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>KrbAsReq salt is XYZAB.XXXIS.COMHTTPXXXabcdbci.XXX.com
13:17:30:956 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
13:17:30:960 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq calling createMessage
13:17:30:960 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq in createMessage
13:17:30:961 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000, number of retries =3, #bytes=248
13:17:30:961 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCCommunication: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000,Attempt =1, #bytes=248
13:17:31:364 Info Guest ~ngine_Application_Thread[impl:3]_Group] ~ap.engine.services.security.roles.audit ACCESS.OK: Authorization check for caller assignment to J2EE security role [SAP-J2EE-Engine : guests].
13:17:31:479 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=1367
13:17:31:479 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=1367
13:17:31:481 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
13:17:31:484 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>crc32: b7fff843
13:17:31:484 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>crc32: 10110111111111111111100001000011
13:17:31:487 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsRep cons in KrbAsReq.getReply HTTP/XXXabcdbci.XXX.com
13:17:31:492 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Added server's keyKerberos Principal HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 64 C7 85 52 86 6E 8A 68
13:17:31:493 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out [Krb5LoginModule] added Krb5Principal HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM to Subject
13:17:31:493 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Commit Succeeded
13:17:31:494 Info Guest ~ngine_Application_Thread[impl:3]_Group] ~es.security.authentication.logincontext LOGIN.OK
User: HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
Authentication Stack: com.sun.security.jgss.accept
Login Module Flag Initialize Login Commit Abort Details
1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok true true
#1 debug = true
#2 doNotPrompt = true
#3 principal = HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
#4 refreshKrb5Config = true
#5 storeKey = true
#6 useKeyTab = true
#7 useTicketCache = false
Central Checks true
13:17:31:495 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Found key for HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
13:17:31:496 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.spnego.SPNegoLoginModule Credentials for realm XYZAB.XXXIS.COM successfully acquired: HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM
13:17:31:497 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.spnego.SPNegoLoginModule Access Denied - responseHeader is NULL
13:17:31:498 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.
13:17:31:499 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~.ticket.CreateTicketLoginModule.login() Entering method
13:17:31:499 Info Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
13:17:31:499 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
13:17:31:500 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.BasicPasswordLoginModule No user name provided.
13:17:31:500 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~.ticket.CreateTicketLoginModule.login() Entering method
13:17:31:500 Info Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
13:17:31:501 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false