cancel
Showing results for 
Search instead for 
Did you mean: 

SPNEGO Kerberos - Root configuration spnego not found

Former Member
0 Kudos

Hi,

We've got a strange problem with a portal system which was created through a system copy.

After some DES related changes on Active Directory, we have re-run the SPNEGO wizard and I believe that the setup has some how got corrupted.

This is the exception we now get.

It occurs during the initialisation of the SPNegoLoginModule.

I assume the "configuration with the path 'spnego'" refers to the authentcation template that is used in the security provider service under the ticket login stack. But what does the authentication template refer to ?

Root configuration not found.

[EXCEPTION]

{0}#1#com.sap.engine.frame.core.configuration.NameNotFoundException: A configuration with the path "spnego" does not exist.

at com.sap.engine.core.configuration.impl.persistence.rdbms.DBAccessDefault.getConfiguration(DBAccessDefault.java:586)

at com.sap.engine.core.configuration.impl.persistence.rdbms.PersistenceHandler.readConfig(PersistenceHandler.java:102)

at com.sap.engine.core.configuration.impl.cache.CachedConfiguration.<init>(CachedConfiguration.java:62)

at com.sap.engine.core.configuration.impl.cache.ConfigurationCache.getCachedConfiguration(ConfigurationCache.java:848)

at com.sap.engine.core.configuration.impl.cache.ConfigurationCache.getCachedConfiguration(ConfigurationCache.java:882)

at com.sap.engine.core.configuration.impl.cache.ConfigurationCache.openConfiguration(ConfigurationCache.java:748)

at com.sap.engine.core.configuration.impl.ConfigurationHandlerImpl.openConfiguration(ConfigurationHandlerImpl.java:734)

at com.sap.engine.core.configuration.impl.ConfigurationHandlerImpl.openConfiguration(ConfigurationHandlerImpl.java:693)

at com.sap.security.core.server.jaas.spnego.cfg.SPNEGOUtil.existRootConfiguration(SPNEGOUtil.java:39)

at com.sap.security.core.server.jaas.spnego.cfg.SPNEGOStorage.existRootConfiguration(SPNEGOStorage.java:45)

at com.sap.security.core.server.jaas.spnego.cfg.SPNEGOConfiguration.exists(SPNEGOConfiguration.java:47)

at com.sap.security.core.server.jaas.SPNegoLoginModule.initialize(SPNegoLoginModule.java:80)

at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:173)

at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:192)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:144)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

Regards

Dagfinn

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

What portal version are you running?

Has your portal been patched since you ran the SPNego wizard the last time? If yes and you have now used the new SPNego implementation, there are steps that need to be done in order to migrate the configuration to the new SPNego implementation. See SAP notes 1457499 and 1488409. The latter contains an useful document as an attachment.

0 Kudos

We have the same issue after upgrading SAP Portal NW7.0 to NW7.31.

Unfortunately SAP notes 1457499 and 1488409do not seem to apply to NW7.31

Former Member
0 Kudos

The SAP notes might not provide corrections for NW 7.31 but they are still relevant in the context of explaining what has been changed in the new SPNEGO implementation and what needs to be done in order to make it work. Unless you have a better source of information?

Regarding Dagfinn's (and maybe also your's) problem, the most likely reason for SPNEGO not working after the upgrade in my experience is:

1) LoginModule configuration incorrect (explained in the PDF)

2) Usage of DES encryption (might not be supported by default in the landscape)

3) Configuration of encryption keys (ciphers, key numbers)

0 Kudos

Thanks for replying, Samuli Kaski

We have configured keytab etc with http://host/spnego wizard and user lookup works.

Security Troubleshooting Wizard shows

CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

[EXCEPTION]

GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

indeed, the fresh keytab shows KVNO: 1 where Windows AD shows msDS-KeyVersionNumber: 4

Former Member
0 Kudos

That could be the reason, proceed as described in the discussion below in order to get the KVNOs to match. With newer JDKs/SDKs, you can set the KVNO directly from the command line.

http://scn.sap.com/thread/3287040

0 Kudos

You rock!

I was able to use ktab to increase KVNO to 4 and now SSO works!

Thanks a lot for your quick and precise effort!

best regards Rasmus