02-08-2008 12:08 PM
Hello,
we are running an EP6 NW04 SPS 19 on an HP UX. For authentification we
configured kerberos via spnego. This is working fine for all windows
clients and the browsers ie6, ie7 and firefox.
While using Firefox on MacOS X it is not working. We analyzed the error.It is the following
error message in the trace file:
Decoding error in parsing of spnego token.
[EXCEPTION]
iaik.asn1.CodingException: ASN.1 creation error:SPNego OID expected.
Found 1.2.840.113554.1.2.2
As you can see, the mac client is sending the raw kerberos ticket. How
does the WAS handles this ticket?
Kind Regards,
Oliver
02-08-2008 12:26 PM
Oliver,
The SAP SPNEGO login module supports OID 1.3.6.1.5.5.2 only, which is the OID for SPNEGO protocol, and this is why it is called an SPNEGO login module. It does not support other OIDS such as RFC1964 Kerberos V5 (1.2.840.113554.1.2.2) or NTLM (1.3.6.1.4.1.311.2.2.10). If you need to support other OIDS, and not just SPNEGO then you need to use a different login module. I can help you with that if you are interested since my company has a product (comprising a login module which uses Kerberos) which supports SPNEGO as well as other OIDS - it is not 100% SPNEGO based like the login module available from SAP.
Thanks,
Tim
02-08-2008 12:29 PM
Oliver,
Some additional info - you will also find that this OID (1.2.840.113554.1.2.2) is used by Firefox if Firefox has been configured to use a client side gss-api library for IWA instead of SSPI like support (as in IE).
Thanks,
Tim