Hi everyone,
We are configuring SAP EP 7.02 to authenticate against an Active Directory.
We have achieved that using this user format: user@domain
This portal should be accesed by a Microsoft UAG implementing SSO with Kerberos (SPNEGO). We have noticed that the kerberos ticket issued by UAG sends user in format DOMAIN\user so authentication fails.
It's possible to configure EP to accept users in this format?
We have tried samaccountname (user) and userprincipalname (user@domain) but we don't know hpw to do it in the format issued by UAG.
Tell me if you need XML configuration files to attach it.
Thanks in advance!
6 Answers
-
Posted on Apr 27, 2011 at 03:02 PM
Daniel,
What do you mean by 'UAG sends user in format DOMAIN\user' ? Are you saying that the Kerberos service ticket issued by Active Directory contains a principal name which is in this format ? if not, where exactly do you see this name format ?
Thanks,
Tim
Add comment
-
Former MemberPosted on May 04, 2011 at 09:57 AMHi,
We have made some changes in configuration and now we are achieving this error:
Acquiring credentials for realm PYC.COM failed
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:180)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:331)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
... 25 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)
at sun.security.krb5.Credentials.a(DashoA12275:407)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:359)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
... 25 more
Caused by: KrbException: Identifier doesnt match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:134)
at sun.security.krb5.internal.ax.a(DashoA12275:63)
at sun.security.krb5.internal.ax. (DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 32 more
Will investigate this issue and comment you the result.
Thanx.
Add comment
-
Former MemberPosted on May 05, 2011 at 09:44 AM
Again we hame made some changes in conf and now we are getting this error:
doLogon failed
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:1028)
at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:219)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
I will capture some wireshark traces and attach them to the messages.
Add comment
-
Former MemberPosted on May 05, 2011 at 10:27 AM
We open another thread to follow this issue.
Next thread is: Problem with SAP EP 7.02 SP3 and SPNEGO
In that one, we attach wireshark traces and information updated.
Add comment
Add comment