Skip to Content
author's profile photo Former Member
0
Former Member

Log into the portal with format DOMAIN\user

Posted on Apr 27, 2011 at 02:44 PM 43 Views

Hi everyone,

We are configuring SAP EP 7.02 to authenticate against an Active Directory.

We have achieved that using this user format: user@domain

This portal should be accesed by a Microsoft UAG implementing SSO with Kerberos (SPNEGO). We have noticed that the kerberos ticket issued by UAG sends user in format DOMAIN\user so authentication fails.

It's possible to configure EP to accept users in this format?

We have tried samaccountname (user) and userprincipalname (user@domain) but we don't know hpw to do it in the format issued by UAG.

Tell me if you need XML configuration files to attach it.

Thanks in advance!

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

6 Answers

  • author's profile photo Tim Alsop
    Tim Alsop
    Posted on Apr 27, 2011 at 03:02 PM
    0

    Daniel,

    What do you mean by 'UAG sends user in format DOMAIN\user' ? Are you saying that the Kerberos service ticket issued by Active Directory contains a principal name which is in this format ? if not, where exactly do you see this name format ?

    Thanks,

    Tim

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Apr 27, 2011 at 04:28 PM
    0

    I mean exactly that.

    The ticket issued by AD contains the user in this format...

    Thanks

    Add a comment
    10|10000 characters needed characters exceeded

    Comment on This Answer
  • author's profile photo Former Member
    Former Member
    Posted on Apr 28, 2011 at 07:21 AM
    0

    Hi Tim,

    I'll capture a trace on whireshark and send it to you as soon as possible.

    Thanks in advance.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on May 04, 2011 at 09:57 AM
    0

    Hi,

    We have made some changes in configuration and now we are achieving this error:

    Acquiring credentials for realm PYC.COM failed

    [EXCEPTION]

    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)

    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)

    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)

    Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)

    at java.security.AccessController.doPrivileged(Native Method)

    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)

    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

    at java.lang.reflect.Method.invoke(Method.java:331)

    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

    at java.security.AccessController.doPrivileged(Native Method)

    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

    at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

    at java.security.AccessController.doPrivileged(Native Method)

    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

    ... 9 more

    Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)

    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)

    ... 25 more

    Caused by: KrbException: KDC has no support for encryption type (14)

    at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)

    at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)

    at sun.security.krb5.Credentials.a(DashoA12275:407)

    at sun.security.krb5.Credentials.acquireTGT(DashoA12275:359)

    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)

    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)

    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)

    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)

    ... 25 more

    Caused by: KrbException: Identifier doesnt match expected value (906)

    at sun.security.krb5.internal.ah.a(DashoA12275:134)

    at sun.security.krb5.internal.ax.a(DashoA12275:63)

    at sun.security.krb5.internal.ax. (DashoA12275:58)

    at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

    ... 32 more

    Will investigate this issue and comment you the result.

    Thanx.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on May 05, 2011 at 09:44 AM
    0

    Again we hame made some changes in conf and now we are getting this error:

    doLogon failed

    [EXCEPTION]

    com.sap.security.core.logon.imp.UMELoginException

    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)

    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)

    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)

    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)

    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)

    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)

    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

    at java.security.AccessController.doPrivileged(Native Method)

    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)

    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

    I will capture some wireshark traces and attach them to the messages.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on May 05, 2011 at 10:27 AM
    0

    We open another thread to follow this issue.

    Next thread is: Problem with SAP EP 7.02 SP3 and SPNEGO

    In that one, we attach wireshark traces and information updated.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.