Hi everyone,
We are configuring SAP EP 7.02 to authenticate against an Active Directory.
We have achieved that using this user format: user@domain
This portal should be accessed by a Microsoft UAG implementing SSO with Kerberos (SPNEGO). We have noticed that the Kerberos ticket issued by UAG sends the user in the format DOMAIN\user, so authentication fails.
Is it possible to configure EP to accept users in this format?
We have tried samaccountname (user) and userprincipalname (user@domain) but we don't know how to do it in the format issued by UAG.
Tell me if you need me to attach the XML configuration files.
Thanks in advance!
Daniel,
What do you mean by 'UAG sends user in format DOMAIN\user'? Are you saying that the Kerberos service ticket issued by Active Directory contains a principal name which is in this format? If not, where exactly do you see this name format?
Thanks,
Tim
Hi,
We have made some changes in the configuration and now we are getting this error:
Acquiring credentials for realm PYC.COM failed
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:331)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
... 25 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)
at sun.security.krb5.Credentials.a(DashoA12275:407)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:359)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
... 25 more
Caused by: KrbException: Identifier doesnt match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:134)
at sun.security.krb5.internal.ax.a(DashoA12275:63)
at sun.security.krb5.internal.ax. (DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 32 more
We will investigate this issue and let you know the result.
Thanks.
Again we have made some changes in the configuration and now we are getting this error:
doLogon failed
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)
at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
I will capture some Wireshark traces and attach them to the messages.
We have opened another thread to follow this issue.
Next thread is: Problem with SAP EP 7.02 SP3 and SPNEGO
In that one, we attach Wireshark traces and updated information.