04-27-2011 3:44 PM
Hi everyone,
We are configuring SAP EP 7.02 to authenticate against an Active Directory.
We have achieved that using this user format: user@domain
This portal should be accessed by a Microsoft UAG implementing SSO with Kerberos (SPNEGO). We have noticed that the Kerberos ticket issued by UAG sends the user in the format DOMAIN\user, so authentication fails.
Is it possible to configure EP to accept users in this format?
We have tried samaccountname (user) and userprincipalname (user@domain), but we don't know how to do it in the format issued by UAG.
Tell me if you need me to attach the XML configuration files.
Thanks in advance!
04-27-2011 4:02 PM
Daniel,
What do you mean by 'UAG sends user in format DOMAIN\user'? Are you saying that the Kerberos service ticket issued by Active Directory contains a principal name which is in this format? If not, where exactly do you see this name format?
Thanks,
Tim
04-27-2011 5:28 PM
I mean exactly that.
The ticket issued by AD contains the user in this format...
Thanks
04-27-2011 6:40 PM
Daniel,
Is UAG effectively looking like a web browser to the SAP system, and sending the service ticket inside a GSS token, wrapped in an SPNEGO message? Then the SAP system login module is decrypting the GSS token during the accept security context, and the principal name of the authenticated user is DOMAIN\user instead of user@REALM format?
Thanks,
Tim
04-28-2011 7:37 AM
Daniel,
When a user authenticates to AD, they are issued an initial ticket (TGT), and this ticket is used to request a service ticket. The service ticket is then sent to the Kerberos service (e.g. SAP system) and decrypted to find the principal name of the user who authenticated. What you are implying is that MS AD put the user's principal name in the TGT in the form DOMAIN\user. I am afraid this is not how MS AD works, so I am not sure I understand how you are getting this form of principal name.
Of course, to get a TGT, a user can enter DOMAIN\user, but this is changed to user@domain in order to find out which domain controller to send the request to, and the domain controller (i.e. a Kerberos KDC) will issue a ticket for the requested principal. The ticket issued will contain a principal name in Kerberos format, e.g. user@REALM and not DOMAIN\user.
Thanks,
Tim
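The two name conversions Tim describes, as an added example that is not part of the thread and not SAP, UAG or Microsoft code: the initiator side turns whatever the user typed (DOMAIN\user, user@domain or a bare user name) into the Kerberos form user@REALM before the AS-REQ goes out, and the acceptor side takes the principal back out of the service ticket and decides which local logon id it maps to (the samaccountname versus userprincipalname choice from the first post). The domain-to-realm table, the default realm, the trusted realm list and the shortcut that the UPN suffix equals the realm's DNS name are assumptions for the example. It goes beyond the thread in also handling escaped '@' and '/' inside principal components and in refusing service-style principals and untrusted realms, which is where an acceptor that only looks at the short name can be tricked into mapping a foreign account onto a local one.

```python
"""Logon-name canonicalisation and Kerberos principal parsing.

Added example, not SAP/UAG/Microsoft code. DOMAIN_TO_REALM, DEFAULT_REALM
and TRUSTED_REALMS are constructed for the example.
"""
from __future__ import annotations

# Constructed for the example: NetBIOS and DNS domain names -> Kerberos realm.
DOMAIN_TO_REALM = {"PYC": "PYC.COM", "PYC.COM": "PYC.COM"}
DEFAULT_REALM = "PYC.COM"
TRUSTED_REALMS = {"PYC.COM"}


def quote_component(component: str) -> str:
    """Escape the characters that are special in an unparsed principal name."""
    return component.replace("\\", "\\\\").replace("@", "\\@").replace("/", "\\/")


def logon_name_to_principal(name: str) -> str:
    """Initiator side: canonicalise a typed logon name to user@REALM.

    Accepts the down-level form DOMAIN\\user, the UPN form user@domain and a
    bare user name (which gets the default realm). The realm is what the KDC
    puts in the ticket; the DOMAIN\\user spelling never reaches the wire.
    """
    if "\\" in name:
        domain, _, user = name.partition("\\")
        realm = DOMAIN_TO_REALM.get(domain.upper())
    elif "@" in name:
        user, _, domain = name.rpartition("@")
        realm = DOMAIN_TO_REALM.get(domain.upper())
    else:
        user, realm = name, DEFAULT_REALM
    if not user or realm is None:
        raise ValueError(f"cannot map logon name {name!r} to a realm")
    return f"{quote_component(user)}@{realm}"


def parse_principal(principal: str) -> tuple[list[str], str]:
    """Acceptor side: split an unparsed principal into (components, realm).

    Follows the MIT/Heimdal quoting rules: a backslash escapes the next
    character, '/' separates components and the first unescaped '@' starts
    the realm (taken literally). So 'jdoe\\@corp.example.com@EXAMPLE.COM'
    is the single component 'jdoe@corp.example.com' in realm EXAMPLE.COM.
    """
    components: list[str] = []
    current: list[str] = []
    realm = None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            current.append(principal[i + 1])
            i += 2
            continue
        if ch == "/":
            components.append("".join(current))
            current = []
        elif ch == "@":
            components.append("".join(current))
            realm = principal[i + 1:]
            break
        else:
            current.append(ch)
        i += 1
    else:  # no '@' seen: no realm
        components.append("".join(current))
    if not realm or not components or not components[0]:
        raise ValueError(f"malformed principal {principal!r}")
    return components, realm


def map_ticket_principal(principal: str, attribute: str = "samaccountname") -> str:
    """Map the authenticated principal from the service ticket to a logon id.

    Rejects realms outside TRUSTED_REALMS and multi-component (service) names,
    so 'daniel@OTHER.COM' or 'HTTP/host@PYC.COM' can never land on the local
    user 'daniel'. The userprincipalname branch assumes the UPN suffix equals
    the realm's DNS name (the AD default, not a guarantee).
    """
    components, realm = parse_principal(principal)
    if realm not in TRUSTED_REALMS:
        raise PermissionError(f"untrusted realm {realm}")
    if len(components) != 1:
        raise PermissionError(f"{principal!r} is a service principal, not a user")
    user = components[0]
    if attribute == "samaccountname":
        return user
    if attribute == "userprincipalname":
        return f"{user}@{realm.lower()}"
    raise ValueError(f"unknown mapping attribute {attribute!r}")


if __name__ == "__main__":
    for typed in ("PYC\\daniel", "daniel@pyc.com", "daniel"):
        print(f"{typed:>16} -> {logon_name_to_principal(typed)}")
    print(map_ticket_principal("daniel@PYC.COM", "userprincipalname"))
```

The point of the two halves is that they meet only at the Kerberos form: whatever the client typed, the ticket carries user@REALM, and the acceptor's job is to decide whether that realm is one it trusts before it looks the short name up in the user store.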
04-28-2011 7:39 AM
Maybe you can send me a Wireshark trace showing the communication between the Kerberos client and MS AD, so I can see AD issuing a ticket in this format?
Tim
04-28-2011 8:21 AM
Hi Tim,
I'll capture a trace in Wireshark and send it to you as soon as possible.
Thanks in advance.
05-04-2011 10:57 AM
Hi,
We have made some changes in the configuration and now we are getting this error:
Acquiring credentials for realm PYC.COM failed
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:331)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
... 25 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)
at sun.security.krb5.Credentials.a(DashoA12275:407)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:359)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
... 25 more
Caused by: KrbException: Identifier doesnt match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:134)
at sun.security.krb5.internal.ax.a(DashoA12275:63)
at sun.security.krb5.internal.ax.<init>(DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 32 more
We will investigate this issue and let you know the result.
Thanks.
05-05-2011 10:44 AM
Again we have made some changes in the configuration and now we are getting this error:
doLogon failed
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)
at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
I will capture some wireshark traces and attach them to the messages.
05-05-2011 11:27 AM