on 11-02-2013 3:09 PM
Hi,
I have recently installed an SAP NetWeaver 7.4 Java-only server, after which I followed the template-specific configuration, in which the prime configuration was BI Java, where the main motive was to configure my portal as a landscape to retrieve reports from BI ABAP systems. So, a system and SSO for BI ABAP have been configured successfully. BEx Analyzer was working smoothly. After this I configured SPNEGO and performed the complete activities. The Windows authentication scheme to log in to the portal without user ID and password was working perfectly fine. But ABAP SSO was not working, so I raised a ticket with SAP, wherein they suggested that I follow the below ticket entries:
Original Entry:
1. EvaluateTicketLoginModule SUFFICIENT
ume.configuration.active=true
2. SPNegoLoginModule SUFFICIENT
3. BasicPasswordLoginModule REQUISITE
4. CreateTicketLoginModule OPTIONAL
SAP requested changes:
1. EvaluateTicketLoginModule SUFFICIENT
ume.configuration.active=true
2. SPNegoLoginModule SUFFICIENT
3. CreateTicketLoginModule SUFFICIENT
4. BasicPasswordLoginModule REQUISITE
5. CreateTicketLoginModule OPTIONAL
After changing to the SAP entries my SPNEGO is not working, and every time I log in there is a prompt for user ID and password. This is weird and I am not getting any ideas since there is no change in the configuration. Kindly help!! Later I changed these entries back to the old ones and recreated the SPNEGO entry in the configuration wizard, but still no luck. Attached is the latest error log!! Please help!!
Regards,
Mohammed Imran
You forgot to include the attachment. Go to the Security Troubleshooting Wizard, activate, reproduce and include the log as an attachment, not embedded in the message body.
Is that trace from the Security Troubleshooting Wizard? The trace looks a bit weird to me since there are no SPNEGO authentication headers. It looks like your SPNEGO doesn't even get triggered, as if the configuration was in some weird state. Try to disable the realm, delete it, recreate it and enable. See if it makes a difference. Are you 100% sure SPNEGO was working before? I mean that you were actually authenticated using SPNEGO and not by a session cookie from a shared browser session?
The trace logs are from the Security Troubleshooting Wizard. Since this message area is not accepting any HTML or ZIP file attachments, I copied the content to a txt file and uploaded it. I am 100% sure it was working perfectly fine; after a change in the ticket area it stopped working, and I don't know why. Moreover, I have already deleted and re-created the SPNEGO config, but no luck. Is there any area where I can attach the HTML logs, wherein you can find that SPNEGO is triggering and failing? I am not able to extract the exact error.
LOGIN.FAILED
User: N/A
IP Address: 192.50.1.8
Authentication Stack: ticket
Authentication Stack Properties:
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 trusteddn1 = OU=J2EE,CN=SPR
#2 trusteddn2 = CN=SPR
#3 trusteddn3 = CN=BDV
#4 trusteddn4 = CN=EDV
#5 trusteddn5 = CN=BDV
#6 trustediss1 = OU=J2EE,CN=SPR
#7 trustediss2 = CN=SPR
#8 trustediss3 = CN=BDV
#9 trustediss4 = CN=EDV
#10 trustediss5 = CN=BDV
#11 trustedsys1 = SPR,000
#12 trustedsys2 = SPR,001
#13 trustedsys3 = BDV,400
#14 trustedsys4 = EDV,140
#15 trustedsys5 = BDV,000
#16 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule SUFFICIENT ok exception true Trigger SPNEGO authentication.
3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
4. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
No logon policy was applied
Are you sure about the configuration for the SPNEGO login module?
Sufficient would mean to exit, if successful, which would lead to an SPNEGO reauthentication all the time. I would have expected to see something like:
1. EvaluateTicketLoginModule SUFFICIENT
ume.configuration.active=true
2. SPNegoLoginModule OPTIONAL <--
3. CreateTicketLoginModule SUFFICIENT
4. BasicPasswordLoginModule REQUISITE
5. CreateTicketLoginModule OPTIONAL
However the original change does not explain why the authentication all of a sudden fails. In this case it should have failed before as well (unless there were other changes at the same time).
Given 1. and 2. being sufficient, 1 will usually fail, if there was no prior successful authentication to systems SPR, BDV or EDV (please note PDV is missing there, although it should exist from my understanding, as the system in this case should trust itself).
When 2 is successful, authentication will be successful but every access to the portal will result in a new SPNEGO authentication. The remainder of the stack will not be touched.
Can you check, whether you did any changes to the SPNEGO config itself?
Regards,
Patrick
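The flag behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of JAAS control-flag evaluation, run against the original stack and the suggested one. What makes each login step succeed, when a ticket is issued, and the request fields are assumptions for illustration, not SAP's implementation.

```python
# Simplified model of JAAS control flags, constructed for illustration.
# Module behaviour below is an assumption, not SAP's implementation.
def presents(key):
    """Login step that succeeds when the request carries credential `key`."""
    def login(req, state):
        if req.get(key):
            state["user"] = req["user"]
        return bool(req.get(key))
    return login

def create_ticket(req, state):
    # Assumption: a logon ticket is issued only if an earlier module in this
    # pass already authenticated a user.
    state["ticket_issued"] = "user" in state
    return state["ticket_issued"]

MODULES = {
    "EvaluateTicketLoginModule": presents("ticket"),
    "SPNegoLoginModule": presents("kerberos"),
    "BasicPasswordLoginModule": presents("password"),
    "CreateTicketLoginModule": create_ticket,
}
ORIGINAL = [("EvaluateTicketLoginModule", "SUFFICIENT"),
            ("SPNegoLoginModule", "SUFFICIENT"),
            ("BasicPasswordLoginModule", "REQUISITE"),
            ("CreateTicketLoginModule", "OPTIONAL")]
SUGGESTED = [("EvaluateTicketLoginModule", "SUFFICIENT"),
             ("SPNegoLoginModule", "OPTIONAL"),
             ("CreateTicketLoginModule", "SUFFICIENT"),
             ("BasicPasswordLoginModule", "REQUISITE"),
             ("CreateTicketLoginModule", "OPTIONAL")]

def run_stack(stack, req):
    """Return (authenticated, names of modules run, ticket_issued)."""
    state, ran = {}, []
    mandatory_ok, saw_mandatory, any_ok = True, False, False
    for name, flag in stack:
        ok = MODULES[name](req, state)
        ran.append(name)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE"):
            saw_mandatory = True
            mandatory_ok = mandatory_ok and ok
            if flag == "REQUISITE" and not ok:
                break                  # REQUISITE failure stops the stack
        elif flag == "SUFFICIENT" and ok and mandatory_ok:
            break                      # SUFFICIENT success stops the stack
    authenticated = mandatory_ok if saw_mandatory else any_ok
    return authenticated, ran, state.get("ticket_issued", False)
```

With a Kerberos-only request, `run_stack(ORIGINAL, ...)` authenticates but stops at SPNegoLoginModule without issuing a ticket, while `run_stack(SUGGESTED, ...)` continues to CreateTicketLoginModule and issues one.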
Hi,
I have simultaneously raised a High priority message with SAP. They have concluded the same to maintain the ticket authentication stack as advised by you.
1. EvaluateTicketLoginModule SUFFICIENT
ume.configuration.active=true
2. SPNegoLoginModule OPTIONAL <--
3. CreateTicketLoginModule SUFFICIENT
4. BasicPasswordLoginModule REQUISITE
5. CreateTicketLoginModule OPTIONAL
After this the whole problem is solved; SPNEGO and ABAP SSO are both working fine. The major change was
2. SPNegoLoginModule SUFFICIENT to OPTIONAL
Thanks for the help!!
Hello,
I have the same issue after upgrading my system from 7.01 to 7.40.
SPNEGO worked before the upgrade.
Now I have this:
LOGIN.FAILED
User: N/A
IP Address: 128.41.15.233
Authentication Stack: sap.com/SSOEAR*login
Authentication Stack Properties:
policy_domain = /login
realm_name = Upload Protected Area
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 trusteddn1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
#2 trustediss1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
#3 trustedsys1 = D39,000
#4 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true SPNego authentication has failed during previous attempt.
#1 com.sap.security.spnego.legacy = false
#2 com.sap.spnego.creds_in_thread = true
#3 com.sap.spnego.jgss.name = DJ1SAPSSO@EMEA.LOREAL.INTRA
#4 com.sap.spnego.uid.resolution.attr = krb5principalname
#5 com.sap.spnego.uid.resolution.mode = simple
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
#1 ume.configuration.active = true
No logon policy was applied
and an authentication window appears asking for my credentials.
Can you help me?
Regards