Former Member

Log into the portal with format DOMAIN\user

Hi everyone,

We are configuring SAP EP 7.02 to authenticate against an Active Directory.

We have achieved that using this user format: user@domain

This portal should be accessed by a Microsoft UAG implementing SSO with Kerberos (SPNEGO). We have noticed that the Kerberos ticket issued by UAG sends user in format DOMAIN\user so authentication fails.

Is it possible to configure EP to accept users in this format?

We have tried samaccountname (user) and userprincipalname (user@domain) but we don't know how to do it in the format issued by UAG.

Tell me if you need the XML configuration files and I will attach them.

Thanks in advance!
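
The three logon-name formats named in the question (samaccountname, userprincipalname, DOMAIN\user), as an added Python example that is not part of the original post and is not SAP's code: it maps each format to one (account, domain) pair and rejects names from unknown domains instead of silently stripping the domain part. The NetBIOS-to-DNS mapping, the function names, the character allow-list and the premise that the UPN prefix equals the sAMAccountName are assumptions.

```python
import re

# Constructed mapping of NetBIOS domain names to DNS domain names (assumption;
# a real deployment would read this from the directory).
NETBIOS_TO_DNS = {"CORP": "corp.example.com"}

# Conservative allow-list for the account part (an assumption for this example,
# not the Active Directory rule set).
_ACCOUNT_OK = re.compile(r"^[A-Za-z0-9._-]+$")


class LoginNameError(ValueError):
    """Raised when a logon name cannot be mapped unambiguously."""


def parse_logon_name(raw, default_domain=None):
    """Return (account, dns_domain) for 'user', 'user@domain' or 'DOMAIN\\user'.

    The account is lower-cased. dns_domain is default_domain when the name
    carries no domain part. Assumes the UPN prefix equals the sAMAccountName.
    """
    name = raw.strip()
    if "\\" in name and "@" in name:
        raise LoginNameError("mixed DOMAIN\\user and user@domain syntax")
    if "\\" in name:
        # Down-level logon name: translate the NetBIOS name, never drop it.
        netbios, _, account = name.partition("\\")
        dns = NETBIOS_TO_DNS.get(netbios.upper())
        if dns is None:
            raise LoginNameError("unknown NetBIOS domain: %r" % netbios)
    elif "@" in name:
        # UPN-style name: the suffix must be a domain we know about.
        account, _, dns = name.rpartition("@")
        dns = dns.lower()
        if dns not in NETBIOS_TO_DNS.values():
            raise LoginNameError("unknown domain: %r" % dns)
    else:
        account, dns = name, default_domain
    if not _ACCOUNT_OK.match(account):
        raise LoginNameError("invalid account part: %r" % account)
    return account.lower(), dns


def same_identity(a, b, default_domain=None):
    """True when two logon names in any supported format name one account."""
    return parse_logon_name(a, default_domain) == parse_logon_name(b, default_domain)
```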


6 Answers

  • Posted on Apr 27, 2011 at 03:02 PM

    Daniel,

    What do you mean by 'UAG sends user in format DOMAIN\user'? Are you saying that the Kerberos service ticket issued by Active Directory contains a principal name which is in this format? If not, where exactly do you see this name format?

    Thanks,

    Tim


  • Former Member
    Posted on Apr 27, 2011 at 04:28 PM

    I mean exactly that.

    The ticket issued by AD contains the user in this format...

    Thanks


  • Former Member
    Posted on Apr 28, 2011 at 07:21 AM

    Hi Tim,

    I'll capture a trace on Wireshark and send it to you as soon as possible.

    Thanks in advance.


  • Former Member
    Posted on May 04, 2011 at 09:57 AM

    Hi,

    We have made some changes in the configuration and now we are getting this error:

    Acquiring credentials for realm PYC.COM failed

    [EXCEPTION]

    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)

    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)

    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)

    Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)

    at java.security.AccessController.doPrivileged(Native Method)

    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)

    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

    at java.lang.reflect.Method.invoke(Method.java:331)

    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

    at java.security.AccessController.doPrivileged(Native Method)

    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

    at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

    at java.security.AccessController.doPrivileged(Native Method)

    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

    ... 9 more

    Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)

    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)

    ... 25 more

    Caused by: KrbException: KDC has no support for encryption type (14)

    at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)

    at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)

    at sun.security.krb5.Credentials.a(DashoA12275:407)

    at sun.security.krb5.Credentials.acquireTGT(DashoA12275:359)

    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)

    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)

    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)

    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)

    ... 25 more

    Caused by: KrbException: Identifier doesnt match expected value (906)

    at sun.security.krb5.internal.ah.a(DashoA12275:134)

    at sun.security.krb5.internal.ax.a(DashoA12275:63)

    at sun.security.krb5.internal.ax. (DashoA12275:58)

    at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

    ... 32 more

    We will investigate this issue and let you know the result.

    Thanks.


  • Former Member
    Posted on May 05, 2011 at 09:44 AM

    Again we have made some changes in the configuration and now we are getting this error:

    doLogon failed

    [EXCEPTION]

    com.sap.security.core.logon.imp.UMELoginException

    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)

    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)

    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)

    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)

    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)

    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)

    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)

    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

    at java.security.AccessController.doPrivileged(Native Method)

    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)

    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

    I will capture some Wireshark traces and attach them to the messages.


  • Former Member
    Posted on May 05, 2011 at 10:27 AM

    We have opened another thread to follow this issue.

    The next thread is: Problem with SAP EP 7.02 SP3 and SPNEGO

    In that one, we attach Wireshark traces and updated information.
