Log into the portal with format DOMAIN\user

Former Member
0 Kudos

Hi everyone,

We are configuring SAP EP 7.02 to authenticate against an Active Directory.

We have achieved that using this user format: user@domain

This portal should be accessed by a Microsoft UAG implementing SSO with Kerberos (SPNEGO). We have noticed that the Kerberos ticket issued by UAG sends the user in the format DOMAIN\user, so authentication fails.

Is it possible to configure EP to accept users in this format?

We have tried samaccountname (user) and userprincipalname (user@domain) but we don't know how to do it in the format issued by UAG.

Tell me if you need the XML configuration files and I will attach them.

Thanks in advance!

9 REPLIES 9

tim_alsop
Active Contributor
0 Kudos

Daniel,

What do you mean by 'UAG sends user in format DOMAIN\user'? Are you saying that the Kerberos service ticket issued by Active Directory contains a principal name which is in this format? If not, where exactly do you see this name format?

Thanks,

Tim

Former Member
0 Kudos

I mean exactly that.

The ticket issued by AD contains the user in this format...

Thanks

0 Kudos

Daniel,

Is UAG effectively looking like a web browser to the SAP system, and sending the service ticket inside a GSS token, wrapped in an SPNEGO message? Then, the SAP system login module is decrypting the GSS token during the accept security context and the principal name of the authenticated user is DOMAIN\user instead of user@REALM format?

Thanks,

Tim

0 Kudos

Daniel,

When a user authenticates to AD, they are issued an initial ticket (TGT) and this ticket is used to request a service ticket. The service ticket is then sent to the Kerberos service (e.g. SAP system) and decrypted to find the principal name of the user who authenticated. What you are implying is that MS AD put the user's principal name in the TGT in the form DOMAIN\user. I am afraid this is not how MS AD works, so I am not sure if I understand how you are getting this form of principal name.

Of course, to get a TGT, a user can enter DOMAIN\user, but this is changed to user@domain in order to find out which domain controller to send the request to, and the domain controller (e.g. a Kerberos KDC) will issue a ticket for the requested principal. The ticket issued will contain a principal name in Kerberos format, e.g. user@REALM and not DOMAIN\user.

Thanks,

Tim
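To make the relationship between the three name forms in this thread concrete (DOMAIN\user as typed at logon, user@domain as the UPN, and user@REALM as the principal the KDC actually puts in the ticket), here is an added example, not code from the thread or from SAP or UAG. The NetBIOS-to-DNS domain map and the sample user names are constructed, and the example assumes the UPN suffix equals the DNS domain name (alternative UPN suffixes would need a directory lookup instead).

```python
# Added example: normalise the logon-name forms discussed in this thread to the
# Kerberos principal form the KDC issues tickets for, and derive from that
# principal the value a portal would look up in the directory.
import re
from dataclasses import dataclass

# Constructed: NetBIOS domain name -> DNS domain name. In Active Directory the
# Kerberos realm is the DNS domain name written in upper case.
NETBIOS_TO_DNS = {"PYC": "pyc.com"}

_NETBIOS_FORM = re.compile(r"([^\\@/]+)\\([^\\@/]+)")   # DOMAIN\user
_AT_FORM = re.compile(r"([^\\@/]+)@([^\\@/]+)")         # user@domain / user@REALM


@dataclass(frozen=True)
class AccountName:
    sam_account_name: str   # e.g. "daniel"
    realm: str              # e.g. "PYC.COM"

    @property
    def principal(self) -> str:
        """Kerberos principal as it appears in the ticket: user@REALM."""
        return f"{self.sam_account_name}@{self.realm}"

    @property
    def upn(self) -> str:
        """userPrincipalName, assuming the UPN suffix is the DNS domain name."""
        return f"{self.sam_account_name}@{self.realm.lower()}"


def parse_logon_name(name: str) -> AccountName:
    """Accept DOMAIN\\user, user@domain or user@REALM; reject anything else."""
    m = _NETBIOS_FORM.fullmatch(name)
    if m:
        netbios, user = m.group(1).upper(), m.group(2)
        if netbios not in NETBIOS_TO_DNS:
            raise ValueError(f"unknown NetBIOS domain {netbios!r}")
        return AccountName(user, NETBIOS_TO_DNS[netbios].upper())
    m = _AT_FORM.fullmatch(name)
    if m:
        # Realm names are case-sensitive in Kerberos; AD realms are upper case.
        return AccountName(m.group(1), m.group(2).upper())
    raise ValueError(f"unrecognised logon name {name!r}")


def ume_lookup_key(principal: str, attribute: str) -> str:
    """Directory value to search for, given the principal from an accepted context."""
    acct = parse_logon_name(principal)
    if attribute == "samaccountname":
        return acct.sam_account_name
    if attribute == "userprincipalname":
        return acct.upn
    raise ValueError(f"unsupported logon attribute {attribute!r}")
```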

0 Kudos

Maybe you can send me a Wireshark trace showing the communication between the Kerberos client and MS AD, so I can see AD issuing a ticket in this format?

Tim

Former Member
0 Kudos

Hi Tim,

I'll capture a trace in Wireshark and send it to you as soon as possible.

Thanks in advance.

Former Member
0 Kudos

Hi,

We have made some changes in the configuration and now we are getting this error:

Acquiring credentials for realm PYC.COM failed
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:331)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
    ... 9 more
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    ... 25 more
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)
    at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)
    at sun.security.krb5.Credentials.a(DashoA12275:407)
    at sun.security.krb5.Credentials.acquireTGT(DashoA12275:359)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    ... 25 more
Caused by: KrbException: Identifier doesnt match expected value (906)
    at sun.security.krb5.internal.ah.a(DashoA12275:134)
    at sun.security.krb5.internal.ax.a(DashoA12275:63)
    at sun.security.krb5.internal.ax.<init>(DashoA12275:58)
    at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
    ... 32 more

I will investigate this issue and let you know the result.

Thanks.

Former Member
0 Kudos

Again we have made some changes in the configuration and now we are getting this error:

doLogon failed
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)
    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

I will capture some Wireshark traces and attach them to the messages.

Former Member
0 Kudos

We have opened another thread to follow this issue.

The next thread is:

In that one, we attach Wireshark traces and updated information.