SPNego issues after AD Win2008 upgrade

Former Member
0 Kudos

Hello

I've been trying to figure out how to reproduce, in a sandbox environment, a behavior we are seeing after the AD team began to upgrade the AD servers from 2003 to 2008.

Basically we get a double logon screen with the UNKNOWN ERROR at it.

**Note 1005209 doesn't apply due to the versions.

We believe it is related to the DES encryption issue with Win 2008, because until that date we were using SPNego fine.

First I found a note 1457499 where it has an add-on and some details about the new spnego.

Our sandbox system was 701 sp06 so we set the spnego2 add-on, unfortunately we got the same result.

Then we tried updating the j2ee-core to sp09 as our remaining ep systems, still we got the same result.

I've read some threads about a bug in some Sun JDK level; we are using SAPJAVA 4.

Not sure if I need to do the SPNego from scratch and, if so, not sure if I need to undeploy the components we set originally from note 994791.

I've also brought the question to SAP, where they asked for the diagtool trace. We saw that there's the NTLM entry. Since the issue in prod is random, we think it is related to the moment: if the session goes to a 2003 AD server it works, if the session goes to a 2008 it fails.

That's why we are trying to reproduce it in sandbox.

One funny thing is that I'm not seeing the ADD REALM button, and I'm wondering if the look and feel of the wizard should be as in SPNego2, because I'm seeing the old wizard all the time.

Any ideas will be very much appreciated!

Thanks

G

Accepted Solutions (1)

MG3
Contributor
0 Kudos

Hi Gabriel

We had a very similar issue and we resolved it by moving to the (then) new SPNego2 module, re-configuring the SPNego (which was required in our case). This is what we did:

1. Deployed the sda and ear files as per note 1457499

2. Disabled DES encryption on the service user

3. Generated key tab files and ensured we had the key type 23 for RC4-HMAC

4. Called up the URL <protocol>://<fqdn>:<port>/spnego2/cfg

5. Added the realm and other information

6. Imported the key tab file (step 3), selected the RC4 encryption, and finished the config.

You may also need to check and adjust your Visual Admin> Security provider>ticket if you have selected the new spnego module.

Also, have a look at the pdf document in Note 1488409 - New SPNego Implementation.

Also, if you are still facing issues, using Wireshark tool to troubleshoot will provide you with a clear picture of what's happening.

Manoj

Former Member
0 Kudos

Hi Manoj

I have tried the SPNego 2 setup. I'll give it a shot again, double-checking your inputs.

By any chance, do you remember which version of the J2EE core components you had at that moment?

I have sp09 in the j2ee components, so I'm wondering if that could be an issue.

Thanks for your help and I'll post what happens later today

Thnx

Gabriel

Answers (1)

Former Member
0 Kudos

So here is the current status.

Regardless of the version of SP components I had (j2eecor sp9), I kept seeing the old wizard of SPNego.

So I took the SPNego 2 components again and imported them, then I downloaded the jdk1.6 myself and created the keytab.

Previous keytabs were being done with DES encryption only; this was our show stopper.

Right now I have 2 realms working, and only 1 with an issue, so I have requested the AD team to look into the user details. SPN and user details seem to be the same; anyway, at least we validated that the setup on the SAP side is correct and working fine.

Thanks

Gabriel
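
The keytab check from step 3 of the accepted answer, and the DES-only keytabs described in the last post, as an added example (not code from this thread or from SAP): a parser for the version 0x0502 keytab file layout that lists each entry's encryption type and reports principals whose keys are all single-DES. It assumes the keytab uses that layout; the function names are hypothetical and the principals and key bytes in `SAMPLE` are constructed.

```python
import struct

DES_TYPES = {1, 2, 3}   # single-DES enctypes; 23 is the RC4-HMAC type from the thread

def read_counted(rec, off):
    """Read a 16-bit length-prefixed string; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):    # realm first, then the name components
            text, off = read_counted(rec, off)
            names.append(text)
        kvno = rec[off + 8]           # after 4-byte name type and 4-byte timestamp
        etype, klen = struct.unpack_from(">HH", rec, off + 9)
        off += 13 + klen
        if size - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def des_only_principals(entries):
    """Principals whose keys are all single-DES (no RC4 or AES key present)."""
    return sorted(p for p in {e[0] for e in entries}
                  if all(t in DES_TYPES for q, _, t in entries if q == p))

# Constructed sample below: hypothetical principals, dummy all-zero key bytes.
def make_entry(realm, comps, kvno, etype, key):
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + make_entry("EXAMPLE.COM", ["HTTP", "old.example.com"], 2, 3, bytes(8))
          + make_entry("EXAMPLE.COM", ["HTTP", "new.example.com"], 3, 23, bytes(16)))
```

Running `des_only_principals(parse_keytab(open(path, "rb").read()))` against a real keytab before importing it shows whether it still carries only DES keys for a service principal.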