
SAP Netweaver 7.4 spnego configuration Error

Former Member
0 Kudos

Hi,

I have recently installed an SAP NetWeaver 7.4 Java-only server, after which I followed the template-specific configuration, in which the prime configuration was BI Java, where the main motive was to configure my portal as a landscape to retrieve reports from BI ABAP systems. So, a system and SSO for BI ABAP have been configured successfully. BEx Analyzer was working smoothly. After this I configured SPNEGO and performed the complete activities. The Windows authentication scheme to log in to the portal without user ID and password was working perfectly fine. But ABAP SSO was not working, so I raised a ticket with SAP, wherein they suggested that I follow the below ticket entries:

Original Entry:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule SUFFICIENT

3. BasicPasswordLoginModule REQUISITE

4. CreateTicketLoginModule OPTIONAL

SAP requested changes:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule SUFFICIENT

3. CreateTicketLoginModule SUFFICIENT

4. BasicPasswordLoginModule REQUISITE

5. CreateTicketLoginModule OPTIONAL

After changing to the SAP entries, my SPNEGO is not working and every time I log in there is a prompt for user ID and password. This is weird and I am not getting any ideas, since there is no change in the configuration. Kindly help!! Later I changed these entries back to the old ones and recreated the SPNEGO entry in the configuration wizard, but still no luck. Attached is the latest error log!! Please help!!

Regards,

Mohammed Imran

Accepted Solutions (1)

Former Member
0 Kudos

You forgot to include the attachment. Go to the Security Troubleshooting Wizard, activate, reproduce and include the log as an attachment, not embedded in the message body.

Former Member
0 Kudos

Thanks for the reply, Please find the attachment.

Former Member
0 Kudos

Is that trace from the Security Troubleshooting Wizard? The trace looks a bit weird to me since there are no SPNEGO authentication headers. It looks like your SPNEGO doesn't even get triggered, as if the configuration was in some weird state. Try to disable the realm, delete it, recreate it and enable. See if it makes a difference. Are you 100% sure SPNEGO was working before? I mean that you were actually authenticated using SPNEGO and not by a session cookie from a shared browser session?

Former Member
0 Kudos

The trace logs are from the Security Troubleshooting Wizard. Since this message area is not accepting any HTML or ZIP file attachments, I copied the content to a txt file and uploaded it. I am 100% sure it was working perfectly fine; after a change in the ticket area it was not working, and I don't know why. Moreover, I have already deleted and re-created the SPNEGO config, but no luck. Is there any area where I can attach the HTML logs, wherein you can find that SPNEGO is triggering and failing? I am not able to extract the exact error.

Former Member
0 Kudos

LOGIN.FAILED
User: N/A
IP Address: 192.50.1.8
Authentication Stack: ticket
Authentication Stack Properties:

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
        #1 trusteddn1 = OU=J2EE,CN=SPR
        #2 trusteddn2 = CN=SPR
        #3 trusteddn3 = CN=BDV
        #4 trusteddn4 = CN=EDV
        #5 trusteddn5 = CN=BDV
        #6 trustediss1 = OU=J2EE,CN=SPR
        #7 trustediss2 = CN=SPR
        #8 trustediss3 = CN=BDV
        #9 trustediss4 = CN=EDV
        #10 trustediss5 = CN=BDV
        #11 trustedsys1 = SPR,000
        #12 trustedsys2 = SPR,001
        #13 trustedsys3 = BDV,400
        #14 trustedsys4 = EDV,140
        #15 trustedsys5 = BDV,000
        #16 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     SUFFICIENT  ok          exception             true       Trigger SPNEGO authentication.
3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
4. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          false                 true      
No logon policy was applied

Former Member
0 Kudos

Are you sure about the configuration for the SPNEGO login module?

Sufficient would mean to exit, if successful, which would lead to an SPNEGO reauthentication all the time. I would have expected to see something like:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule OPTIONAL <--

3. CreateTicketLoginModule SUFFICIENT

4. BasicPasswordLoginModule REQUISITE

5. CreateTicketLoginModule OPTIONAL

However the original change does not explain why the authentication all of a sudden fails. In this case it should have failed before as well (unless there were other changes at the same time).

Given 1. and 2. being sufficient, 1 will usually fail, if there was no prior successful authentication to systems SPR, BDV or EDV (please note PDV is missing there, although it should exist from my understanding, as the system in this case should trust itself).

When 2 is successful, authentication will be successful but every access to the portal will result in a new SPNEGO authentication. The remainder of the stack will not be touched.

Can you check, whether you did any changes to the SPNEGO config itself?

Regards,

Patrick

Former Member
0 Kudos

Hi,

I have simultaneously raised a High priority message with SAP. They have concluded the same to maintain the ticket authentication stack as advised by you.

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule OPTIONAL <--

3. CreateTicketLoginModule SUFFICIENT

4. BasicPasswordLoginModule REQUISITE

5. CreateTicketLoginModule OPTIONAL

After this, the whole problem is now solved; SPNEGO and ABAP SSO are both working fine. The major change was

2. SPNegoLoginModule SUFFICIENT to OPTIONAL

Thanks for the help!!
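
The effect of the SUFFICIENT to OPTIONAL change discussed in this thread can be reproduced with a small model of JAAS control-flag evaluation. This is an added example, not part of the original posts and not SAP's code; the per-module login behaviour and the user name `jdoe` are simplifying assumptions.

```python
# Simplified model of JAAS control-flag evaluation (added example, not SAP code).
# Assumption: each module "logs in" by finding its credential in the request;
# CreateTicketLoginModule succeeds only if an earlier module authenticated a user.
CRED_FOR = {"EvaluateTicketLoginModule": "ticket",
            "SPNegoLoginModule": "kerberos",
            "BasicPasswordLoginModule": "password"}

ORIGINAL = [("EvaluateTicketLoginModule", "SUFFICIENT"),
            ("SPNegoLoginModule", "SUFFICIENT"),
            ("BasicPasswordLoginModule", "REQUISITE"),
            ("CreateTicketLoginModule", "OPTIONAL")]

FIXED = [("EvaluateTicketLoginModule", "SUFFICIENT"),
         ("SPNegoLoginModule", "OPTIONAL"),
         ("CreateTicketLoginModule", "SUFFICIENT"),
         ("BasicPasswordLoginModule", "REQUISITE"),
         ("CreateTicketLoginModule", "OPTIONAL")]

def evaluate(stack, creds):
    """Return (authenticated, ticket_issued, modules_run) for one request."""
    user, ticket_issued, ran = None, False, []
    mandatory_seen = mandatory_failed = any_ok = False
    for name, flag in stack:
        ran.append(name)
        if name == "CreateTicketLoginModule":
            ok = user is not None
            ticket_issued = ticket_issued or ok
        else:
            found = creds.get(CRED_FOR[name])
            ok = found is not None
            user = found if ok else user
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
            if flag == "REQUISITE" and not ok:
                break                        # REQUISITE failure ends the stack
        elif flag == "SUFFICIENT" and ok and not mandatory_failed:
            return True, ticket_issued, ran  # SUFFICIENT success ends the stack
    # Without mandatory modules, at least one module must have succeeded.
    return (not mandatory_failed and (mandatory_seen or any_ok)), ticket_issued, ran

if __name__ == "__main__":
    kerberos_only = {"kerberos": "jdoe"}     # constructed sample request
    for label, stack in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, evaluate(stack, kerberos_only))
```

For a Kerberos-only request the original stack stops at SPNegoLoginModule and never reaches CreateTicketLoginModule, so no logon ticket exists for the next request or for the ABAP back end; the corrected stack continues and issues one.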

Former Member
0 Kudos

Hello,

I have the same issue after upgrading my system from 7.01 to 7.40.

SPnego worked before upgrade.

Now, I have this :

LOGIN.FAILED
User: N/A
IP Address: 128.41.15.233
Authentication Stack: sap.com/SSOEAR*login
Authentication Stack Properties:
        policy_domain = /login
        realm_name = Upload Protected Area

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
        #1 trusteddn1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
        #2 trustediss1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
        #3 trustedsys1 = D39,000
        #4 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true      SPNego authentication has failed during previous attempt.
        #1 com.sap.security.spnego.legacy = false
        #2 com.sap.spnego.creds_in_thread = true
        #3 com.sap.spnego.jgss.name = DJ1SAPSSO@EMEA.LOREAL.INTRA
        #4 com.sap.spnego.uid.resolution.attr = krb5principalname
        #5 com.sap.spnego.uid.resolution.mode = simple
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      
        #1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      
        #1 ume.configuration.active = true
No logon policy was applied



and an authentication window appears asking me to enter my credentials.

Can you help me?

Regards

tim_alsop
Active Contributor
0 Kudos

You will get better response on SCN if you open a new thread rather than adding details onto an existing thread. This thread is already marked as answered.

Answers (0)