
Could not validate SPNEGO token. java.lang.Exception: Checksum error.

Former Member
0 Kudos

Hello consultant:

We are trying to configure SSO using the SPNEGO module.

We have a portal 7.0 EHP1 and Microsoft Active Directory version 2003 native.

We have followed the steps described in SAP Note 1457499, "Note 1457499 - SPNego add-on".

When we are logged in with an Active Directory user and try to access the portal, we get the following error:

Authorization check user error

We have deployed the Web diagtool from SAP Note 1045019 on the J2EE server, run it and performed the following steps:

1. Select "Component" = "security" and "Activity" = "all"

2. Click the "Go" button, followed by the "Add All" button

3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"

4. Click the "Go" button, followed by the "Add All" button

5. Start the tool

Then we reproduced the problem and stopped the tool. The generated zip file contains the following error:

15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
java.lang.Exception: Checksum error.
    at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
    at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
    at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

Could you help us?

Many thanks for your collaboration

4 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

It looks like SAP assumes that DES is used for encrypting the token. I remember that since some release Microsoft disabled this old block cipher and it uses AES by default. There should be a note related to this issue. But it might be something else.

Cheers

cathal_ohare
Employee
0 Kudos

Hi,

The Checksum error usually means that there is a difference between the information in the token sent by the browser and the information in the SPNego configuration, so you will have to reconfigure your spnego again.

I recommend doing it from scratch, creating a new service user (don't select DES in this case because you are using the new add-on; it is supported, but RC4 encryption will be the standard encryption with the modern OSs).

- Then set the SPNs (make sure they are unique to avoid issues with NTLM tokens)

- Create the keytab file (using ktpass from a 1.6 jdk)

- Then run the new wizard again.

I have created a KBA that should assist: 1568553 - Checksum error, Spnego add-on (https://bosap-support.wdf.sap.corp/sap/support/notes/1568553)

Kind regards,

Cathal

0 Kudos

Hi,

Could you please explain to me what this means?

"ktab -a <principal_name>@<REALM> -k <keytab_file_name>"

Is <principal_name> the name of the service user or of the J2EE server?

What happens to the SPNEGO wizard configuration if I install the new one?

Regards

Edited by: jorge velasquez on Jun 1, 2011 2:28 PM

0 Kudos

The wizard configuration can be handled via a keytab file; if you don't have a keytab file, then you have to supply all the values manually in the SPNEGO wizard.

Also you can check with the klist command in CMD to see if you are getting a ticket from the server where you have configured SPNEGO.

klist

klist purge - to clear out all the issued tickets.

Thanks,

Kamal