SPNEGO - NTLM token received in authorization header


Hi,

I am trying to authenticate to SAP Netweaver Portal 75 with an Active Directory user. It works if I use these entries:

http://host1:50500/irj/portal

http://host1.domain.es:50500/irj/portal

http://host1.subdomain.domain.es:50500/irj/portal

http://servername:50500/irj/portal

http://servername.domain.es:50500/irj/portal

http://servername.subdomain.domain.es:50500/irj/portal

But they also have configured in F5 rules a new address:

http://host2.domain.es

They want to access the Portal with that URL without a port (obviously it is 80).

When I access the first 6 entries it works and login is done with the Windows user. When I access this last URL it returns an error and prompts the login page without logging in to the SAP Portal. The error is:

NTLM token received in authorization header

I have also made some nslookup queries:

1. The first 6 entries return servername.domain.es

2. The last entry returns host2.domain.es

One last thing, the Realm is configured:

- Principal only. Logon ID.

- HTTP/servername.domain.es@REALM

What could I do? Do I have to configure two different SPNs with setspn, for both servername.domain.es and host2.domain.es?

Thanks.

Colt
Active Contributor

Hi, correct. You have to register every URL as SPN. Make sure you are not using CNAME (Alias).

If you are using a CNAME alias, register SPNs for the actual hostname and the CNAME. You must register the Kerberos service principal names (SPNs), the hostname, and the fully-qualified domain name (FQDN) for all new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and your browser falls back to NTLM authentication, which leads to that issue.

Cheers
Carsten
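The two checks below are an added example, not code from the thread or from SAP. The first tells whether an Authorization header carries a Kerberos/SPNEGO token or an NTLM message (the fallback behind "NTLM token received in authorization header"); the second takes the URLs users type, a DNS table and the SPNs already registered, and lists the HTTP/<host> SPNs still missing, following the advice above to cover both the alias and the canonical name. All hostnames, DNS records, addresses and tokens are constructed; the only real values are the SPNEGO and Kerberos mechanism OIDs.

```python
"""Added example: diagnose NTLM fallback and find missing HTTP/<host> SPNs."""
import base64
from urllib.parse import urlsplit

# Real GSS-API mechanism OIDs, DER-encoded (without the 0x06 tag).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f71201" "0202")  # 1.2.840.113554.1.2.2


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_authorization(header_value):
    """Classify the scheme/token of an HTTP Authorization header value.

    Returns "kerberos", "spnego", "ntlm", "spnego-negtokenresp", "other",
    "malformed" or "unknown". An NTLM result on a Negotiate header is the
    browser fallback that the Portal rejects with the error in the thread.
    """
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):       # NTLM message wrapped in Negotiate
        return "ntlm"
    if raw[:1] == b"\x60":                   # GSS InitialContextToken [APPLICATION 0]
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":      # OBJECT IDENTIFIER of the mechanism
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            if oid == SPNEGO_OID:
                return "spnego"
            if oid == KRB5_OID:
                return "kerberos"
    if raw[:1] == b"\xa1":                   # NegTokenResp (later SPNEGO round trip)
        return "spnego-negtokenresp"
    return "unknown"


def header(token_bytes):
    """Build a Negotiate Authorization header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(token_bytes).decode()


def canonical_name(host, dns):
    """Follow CNAME records in the table to the A-record name (loop guarded)."""
    seen = set()
    while host in dns and dns[host][0] == "CNAME":
        if host in seen:
            raise ValueError("CNAME loop at " + host)
        seen.add(host)
        host = dns[host][1]
    return host


def required_spns(url, dns):
    """SPNs for the hostname as typed and for its canonical name."""
    host = urlsplit(url).hostname.lower()
    return {f"HTTP/{host}", f"HTTP/{canonical_name(host, dns)}"}


def missing_spns(urls, dns, registered):
    """Map each URL to the sorted list of required SPNs not yet registered."""
    reg = {s.lower() for s in registered}
    out = {}
    for url in urls:
        missing = sorted(s for s in required_spns(url, dns) if s.lower() not in reg)
        if missing:
            out[url] = missing
    return out


# Constructed DNS table (hypothetical): aliases point at the real server's
# A record; the load-balancer name has its own A record and no SPN yet.
DNS = {
    "host1": ("CNAME", "servername.domain.es"),
    "host1.domain.es": ("CNAME", "servername.domain.es"),
    "servername": ("CNAME", "servername.domain.es"),
    "servername.domain.es": ("A", "192.0.2.10"),
    "host2.domain.es": ("A", "192.0.2.20"),
}
REGISTERED = {"HTTP/servername.domain.es"}      # only SPN currently registered
URLS = [
    "http://servername.domain.es:50500/irj/portal",
    "http://host1:50500/irj/portal",
    "http://host2.domain.es/irj/portal",
]

# Constructed tokens: an NTLM Type 1 message, and two GSS tokens carrying
# only the mechanism OID (real ones continue with a NegTokenInit / AP-REQ).
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_INIT = b"\x60\x08\x06\x06" + SPNEGO_OID
KRB5_AP_REQ = b"\x60\x0b\x06\x09" + KRB5_OID

if __name__ == "__main__":
    for tok in (NTLM_TYPE1, SPNEGO_INIT, KRB5_AP_REQ):
        print(classify_authorization(header(tok)))
    for url, spns in missing_spns(URLS, DNS, REGISTERED).items():
        print(url, "->", ", ".join(spns))
```

Browsers that canonicalize a CNAME before requesting a ticket only need the SPN of the A-record name, which is why the first six URLs in the question can work with a single registered SPN; registering both names, as the reply recommends, also covers browsers that do not canonicalize and names like host2.domain.es that are not aliases at all.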