Former Member

Could not validate SPNEGO token.java.lang.Exception: Checksum error.

Hello consultant:

We are trying to configure SSO using the SPNEGO module.

We have a portal 7.0 EHP1 and Microsoft Active Directory version 2003 native.

We have followed the steps described in SAP Note 1457499, "Note 1457499 - SPNego add-on".

When we log on with an Active Directory user and try to access the portal, we get the following error:

Authorization check user error

We have deployed the Web diagtool from SAP Note 1045019 on the J2EE server, run it and performed the following steps:

1. Select "Component" = "security" and "Activity" = "all"

2. Click the "Go" button, followed by the "Add All" button

3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"

4. Click the "Go" button, followed by the "Add All" button

5. Start the tool

Then we reproduced the problem and stopped the tool. The generated zip file contains the following error:

15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
java.lang.Exception: Checksum error.
    at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
    at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
    at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

Could you help us?

Many thanks for your collaboration


2 Answers

  • Former Member
    Apr 05, 2011 at 02:49 PM

    Hi,

    The Checksum error usually means that there is a difference between the information in the token sent by the browser and the information in the SPNego configuration, so you will have to reconfigure your spnego again.

    I recommend doing it from scratch, creating a new service user (don't select DES in this case because you are using the new add-on; it is supported, but RC4 encryption will be the standard encryption with the modern OSes).

    - Then set the SPNs (make sure they are unique to avoid issues with NTLM tokens)

    - Create the keytab file (using ktpass from a 1.6 jdk)

    - Then run the new wizard again.

    I have created a KBA that should assist: 1568553 - Checksum error, Spnego add-on (https://bosap-support.wdf.sap.corp/sap/support/notes/1568553)

    Kind regards,

    Cathal


    • The wizard configuration can be handled via a keytab file; if you don't have a keytab file, then you have to supply all the values manually in the SPNEGO wizard.

      Also you can check with the klist command in CMD to see if you are getting a ticket from the server where you have configured SPNEGO.

      klist

      klist purge - to clear out all the issued tickets.

      Thanks,

      Kamal
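
Added example (not part of the original thread and not SAP code): the answer above attributes the checksum error to a mismatch between the token and the SPNego configuration, so it helps to see which principal, key version (kvno) and encryption type each keytab entry actually carries before rerunning the wizard. The sketch assumes the keytab uses the MIT version 0x0502 layout; the sample keytab, principal and realm are constructed.

```python
import struct

# Single-DES encryption type numbers from the Kerberos etype registry
DES_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}

class Reader:
    """Big-endian cursor over the keytab bytes."""
    def __init__(self, buf, off=0):
        self.buf, self.off = buf, off
    def num(self, fmt):
        (value,) = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return value
    def blob(self):                          # 16-bit length followed by the bytes
        n = self.num(">H")
        self.off += n
        return self.buf[self.off - n:self.off]

def parse_keytab(data):
    """Return (principal, kvno, etype number) per entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    r, entries = Reader(data, 2), []
    while r.off + 4 <= len(data):
        size = r.num(">i")
        end = r.off + abs(size)
        if size > 0:                         # negative size marks a deleted slot
            count = r.num(">H")
            realm = r.blob().decode()
            name = "/".join(r.blob().decode() for _ in range(count))
            r.off += 8                       # skip name type and timestamp
            kvno, etype = r.num(">B"), r.num(">H")
            r.blob()                         # key material, deliberately not returned
            if end - r.off >= 4:             # optional 32-bit kvno overrides the 8-bit one
                kvno = r.num(">I") or kvno
            entries.append((f"{name}@{realm}", kvno, etype))
        r.off = end
    return entries

def des_entries(entries):
    return [e for e in entries if e[2] in DES_ETYPES]

def sample_keytab():
    """Constructed keytab: one DES and one RC4 entry for a made-up principal."""
    s = lambda b: struct.pack(">H", len(b)) + b
    name = struct.pack(">H", 2) + s(b"EXAMPLE.COM") + s(b"HTTP") + s(b"portal.example.com")
    out = b"\x05\x02"
    for kvno, etype, key in ((2, 3, bytes(8)), (3, 23, bytes(16))):
        body = name + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key)
        out += struct.pack(">i", len(body)) + body
    return out
```

Compare the principal, kvno and encryption type it reports with the service ticket that klist shows for the same SPN on the client.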

  • Mar 17, 2011 at 10:27 PM

    Hi,

    It looks like SAP assumes that DES is used for encrypting the token. I remember that since some release Microsoft disabled this old block cipher and it uses AES by default. There should be a note related to this issue. But it might be something else.

    Cheers
