on 11-25-2014 10:35 AM
Dear Guru,
We have been trying to configure Secure Login Client (SSO 2.0 SP04).
Upon installation of the Secure Login Client, we were able to acquire Kerberos Tokens, but none for SPNEGO (X.509 Certificates). We have been getting errors like "Supplied credentials not accepted by server".
Installation Reference: scn.sap.com/docs/DOC-40179
Issue was encountered during phase 3 of the reference. We followed the instructions to a tee, and got lost due to some SP differences. Although, we did manage to extract the Root CA and Registry Entries.
Any thoughts or advice on where to check? Thank you.
Regards,
Tom
Hello,
this type of error is typically a misconfiguration in the Domain setup:
Please check with tools like setspn -q and klist:
1. The service principal name has the correct format, like HTTP/<Service Principal name>
2. The SPNEGO configuration in AS Java is enabled and valid (and with the correct password)
3. There are no double Service Principal name entries in the Domain Controller. Check that with setspn -q <service principal name> on the Domain Controller itself.
Also a Secure Login Client trace and an AS Java trace (troubleshooting wizard) can help to identify the problem.
best regards
Alexander Gimbel
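The three checks above are usually done by eye on the output of setspn and klist. The script below is an added example (not code from this thread or from SAP) that repeats them offline over captured command output: it validates the HTTP/<fqdn> format, finds an SPN registered on more than one account, and confirms the client actually holds a service ticket for it. The setspn -Q and klist samples are constructed, with a made-up host, realm and account names, and the line layout assumed for both tools is what recent Windows versions print; verify it against your own output before trusting the parser.

```python
"""Offline check of SPN format, duplicate SPNs and client ticket presence.

Added example, not from the thread or from SAP. Parses the text printed by
`setspn -Q HTTP/<host>` (run on a domain controller) and `klist` (run on the
client). Sample outputs are constructed; the line layout is an assumption
about the tools' output format.
"""
import re

# Constructed `setspn -Q` output: two accounts carry the same SPN (the
# duplicate case that makes Kerberos ticket requests fail).
SETSPN_OUTPUT = """\
Checking domain DC=example,DC=local
CN=svc-sso,OU=Service Accounts,DC=example,DC=local
        HTTP/sapweb01.example.local
CN=svc-sso-old,OU=Service Accounts,DC=example,DC=local
        HTTP/sapweb01.example.local

Existing SPN found!
"""

# Constructed `setspn -Q` output for the healthy case: one owner only.
SETSPN_OUTPUT_CLEAN = """\
Checking domain DC=example,DC=local
CN=svc-sso,OU=Service Accounts,DC=example,DC=local
        HTTP/sapweb01.example.local

Existing SPN found!
"""

# Constructed `klist` output on a domain-joined client that already holds a
# service ticket for the SPN.
KLIST_OUTPUT = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tom @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: tom @ EXAMPLE.LOCAL
        Server: HTTP/sapweb01.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# HTTP/<fully qualified host>: no scheme, no "//", no port suffix.
SPN_RE = re.compile(r"^HTTP/([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$", re.IGNORECASE)


def spn_format_ok(spn: str) -> bool:
    """Point 1: the SPN must read HTTP/<fqdn>; short names and URLs are rejected."""
    return SPN_RE.match(spn) is not None


def spn_owners(setspn_text: str) -> dict:
    """Point 3: map each SPN to the account DNs that carry it.
    In setspn -Q output an account DN line is followed by indented SPN lines."""
    owners = {}
    current_dn = None
    for line in setspn_text.splitlines():
        if line.startswith("CN="):
            current_dn = line.strip()
        elif line.startswith((" ", "\t")) and current_dn:
            owners.setdefault(line.strip(), []).append(current_dn)
    return owners


def duplicate_spns(setspn_text: str) -> dict:
    """SPNs registered on more than one account; an empty dict is the good result."""
    return {spn: dns for spn, dns in spn_owners(setspn_text).items() if len(dns) > 1}


def klist_has_ticket(klist_text: str, spn: str) -> bool:
    """Does the client cache hold a service ticket for the SPN? If not, the client
    is typically in the wrong domain or the KDC knows no account for that SPN."""
    server_re = re.compile(r"^\s*Server:\s+(\S+)\s+@", re.IGNORECASE)
    return any(
        (m := server_re.match(line)) and m.group(1).lower() == spn.lower()
        for line in klist_text.splitlines()
    )


def check_spn(spn: str, setspn_text: str, klist_text: str) -> dict:
    """Bundle the three checks into one report."""
    return {
        "format_ok": spn_format_ok(spn),
        "duplicates": duplicate_spns(setspn_text).get(spn, []),
        "client_has_ticket": klist_has_ticket(klist_text, spn),
    }


if __name__ == "__main__":
    for label, text in (("duplicate", SETSPN_OUTPUT), ("clean", SETSPN_OUTPUT_CLEAN)):
        print(label, check_spn("HTTP/sapweb01.example.local", text, KLIST_OUTPUT))
```

Run `setspn -Q HTTP/<host>` on the domain controller and `klist` on the affected client, save both outputs to files, and feed the file contents to `check_spn`; a non-empty `duplicates` list or `client_has_ticket == False` points at the domain side rather than at the Secure Login Server.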
Hi Alexander,
Thank you for the response.
We already double checked on the following.
(1)SPN format is correct
(2)SPNEGO configuration is green
(3)No duplicate SPN
As for the trace file, we noticed that the connection to the SLS was successfully established, and it seems that the only problem is that the credentials being supplied by the client are incorrect. Hence the error "Supplied credentials not accepted by server".
----------------------------------------------------------------------------
Version : 8.4.30 (Sep 25 2014)
System : "windows-x86-32"
InstDir : "C:\Program Files\SAP\FrontEnd\SecureLogin\lib"
Trace file : "C:\Users\tgng\AppData\Local\SAP\SecureLogin\Traces\sec-03548.trc"
Trace level : 3
Process id : 3548
----------------------------------------------------------------------------
[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS ][MODULE ][THR_ID]
[2014.11.26 09:37:14.498000][INFO ][sbus.exe ][sbusslogin.d][ 5976] Generate RSA Key with keysize 2048
[2014.11.26 09:37:14.530000][INFO ][sbus.exe ][sbusslogin.d][ 5888] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...
[2014.11.26 09:37:14.530000][INFO ][sbus.exe ][URL ][ 5888] Successfully connected to
[2014.11.26 09:37:14.530000][INFO ][sbus.exe ][URL ][ 5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
[2014.11.26 09:37:28.367000][INFO ][sbus.exe ][URL ][ 5888] Successfully connected to
[2014.11.26 09:37:28.367000][INFO ][sbus.exe ][URL ][ 5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
[2014.11.26 09:40:04.452000][INFO ][sbus.exe ][sbusslogin.d][ 5800] Generate RSA Key with keysize 2048
[2014.11.26 09:40:04.493000][INFO ][sbus.exe ][sbusslogin.d][ 3536] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...
[2014.11.26 09:40:04.504000][INFO ][sbus.exe ][URL ][ 3536] Successfully connected to
[2014.11.26 09:40:04.504000][INFO ][sbus.exe ][URL ][ 3536] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
Regards,
Tom
Hello,
unfortunately the trace is too short and does not contain the Kerberos request.
I want to see if the client gets a Kerberos ticket or not for the given Service.
Could you please make a developer trace (Developer trace level) of one enroll and attach that file here?
Also a troubleshooting wizard trace from the server side (at best also from one enroll) can show if the AS Java and the Domain Controller are correctly configured.
thanks.
best regards
Alexander Gimbel
Hi Alexander,
Thank you for the tip, please see the developer trace below. It seems to be looking for a missing base.xml, which I confirmed is really missing. Please advise. Thank you.
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] CToken:: Secure Login token [toksw:mem://securelogin/Windows Authentication (SPNEGO)] :: login
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][IO ][ 2720] BEGIN: io_file_type (C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml)
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][IO ][ 2720] END : io_file_type
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][LOADER ][ 2720] Loading config file 'base.xml' failed because file not existing in path 'C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml'
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::create_PSE
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::SetASC
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] Ctoken_SL: NewPinType: password
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] Ctoken_SL: gracePeriod: 0
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] Ctoken_SL: inactivityTimeout: 0
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][sbus.dll ][ 2720] Ctoken_SL: ReAuthentication: 0
[2014.11.26 15:41:11.053000][INFO ][sbus.exe ][sbusslogin.d][ 1552] Generate RSA Key with keysize 2048
[2014.11.26 15:41:11.084000][TRACE][sbus.exe ][sbusresloade][ 2720] { GetLocale
[2014.11.26 15:41:11.084000][TRACE][sbus.exe ][sbusresloade][ 2720] } 0
[2014.11.26 15:41:11.084000][INFO ][sbus.exe ][sbusslogin.d][ 2720] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::loginBySystemParameters
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::needRealPSE
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 80004001
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } a1e00015
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::getAllTrustedCerts
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::needRealPSE
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 80004001
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { CTrust::getAllTrustedCerts
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { CTrust::getTrustedCertList
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { CTrust::Refresh
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { CTrust::InitProviders
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 1
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 1
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::getOwnCertificate
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { SBUSPSE::needRealPSE
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 80004001
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] { CTokenMgr::GetPCI
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] m_apTokens[0]->GetPCI()
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbus.dll ][ 2720] } 0
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbusslogin.d][ 2720] { CSecureLogin_Protocol_2_0::Send_Init
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][sbusslogin.d][ 2720] { CSecureLogin::Send_Any
[2014.11.26 15:41:11.099000][INFO ][sbus.exe ][URL ][ 2720] Successfully connected to
[2014.11.26 15:41:11.099000][INFO ][sbus.exe ][URL ][ 2720] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][URL ][ 2720] Family: AF_INET (IPv4)
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][URL ][ 2720] Inner family: AF_INET (IPv4)
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][URL ][ 2720] Protocol: 6
[2014.11.26 15:41:11.099000][TRACE][sbus.exe ][URL ][ 2720] SockType: 1
[2014.11.26 15:41:11.115000][TRACE][sbus.exe ][sbusslogin.d][ 2720] } 0
[2014.11.26 15:41:11.115000][TRACE][sbus.exe ][sbusslogin.d][ 2720] } 0
[2014.11.26 15:41:11.979000][TRACE][sbus.exe ][sbus.dll ][ 2720] Supplied credentials not accepted by the server.Enrollment failed
Regards,
Tom
Hi Tapan,
Thanks for the tip, it did resolve the base.xml file problem, but now I am getting the following error.
Loading config file 'pkcs11.xml' failed because file not existing in path 'C:\Program Files\SAP\FrontEnd\SecureLogin\etc\pkcs11.xml'
My question is that shouldn't these files be included in the installation of the Secure Login Client? If not, where should the files be included? I have already unpacked the Secure Login Library files, but it does not contain the missing files either (not that it matters since the Client should already be provided with the necessary certificates, with or without the Secure Login Library).
Please advise. Thank you.
Regards,
Tom
Hello,
please ignore the missing base.xml/pkcs11.xml files in the trace.
This is a false positive (they are not needed); the Secure Login Client installation is fine and complete.
The SAP note is for a CommonCryptoLib installation on an ABAP server.
What I still do not see in the traces is that the Secure Login Client tries to get a Kerberos ticket for the SPN.
Could you please search for a line like "got kerberos ticket for 'HTTP/<SPN>'" in the traces.
If this is not present, then the client will not get a Kerberos ticket, and there are several root causes for that:
- The client is in the wrong Domain (command klist and check for tickets)
- The SPN is double on the Domain Server (two service users have defined the same SPN)
But you have already checked that.
Could you please provide server traces (trouble shooting wizard) and attach here?
best regards
Alexander Gimbel
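The two traces posted earlier in the thread and the advice above amount to a fixed triage routine: did the client reach the SLS, did it obtain a Kerberos ticket for the SPN, and did the server then reject the SPNEGO token. The script below is an added example (not code from this thread or from SAP) that parses the Secure Login Client trace format shown in the posts and returns that verdict, treating the base.xml/pkcs11.xml loader messages as benign as stated above. The sample trace is constructed from the line shapes on this page with a made-up host, address and profile id; the exact wording of the "got kerberos ticket for" line is assumed from Alexander's description.

```python
"""Triage of a Secure Login Client trace: reachability, Kerberos ticket, server verdict.

Added example, not from the thread or from SAP. Parses lines of the form
[timestamp][LEVEL][PROCESS][MODULE][THREAD] message, as printed in the traces
posted above. The sample trace below is constructed; host, address, profile id
and the wording of the ticket line are assumptions.
"""
import re

# Constructed sample modelled on the trace lines in the thread. It covers the
# case Alexander describes last: a ticket was obtained, yet the server rejected
# the SPNEGO token.
SAMPLE_TRACE = r"""
[2014.11.26 15:41:11.053000][TRACE][sbus.exe ][LOADER ][ 2720] Loading config file 'base.xml' failed because file not existing in path 'C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml'
[2014.11.26 15:41:11.070000][INFO ][sbus.exe ][sbusslogin.d][ 2720] Generate RSA Key with keysize 2048
[2014.11.26 15:41:11.084000][INFO ][sbus.exe ][sbusslogin.d][ 2720] Try to enroll SLS URL: http://sls.example.local:50000/SecureLoginServer/slc2/doLogin?profile=PROFILE-ID-PLACEHOLDER
[2014.11.26 15:41:11.099000][INFO ][sbus.exe ][URL ][ 2720] Successfully connected to
[2014.11.26 15:41:11.099000][INFO ][sbus.exe ][URL ][ 2720] Address 10.0.0.5 (sls.example.local)
[2014.11.26 15:41:11.500000][TRACE][sbus.exe ][sbus.dll ][ 2720] got kerberos ticket for 'HTTP/sls.example.local'
[2014.11.26 15:41:11.979000][TRACE][sbus.exe ][sbus.dll ][ 2720] Supplied credentials not accepted by the server.Enrollment failed
""".strip()

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<proc>[^\]]+)\]"
    r"\[(?P<module>[^\]]+)\]\[(?P<thr>[^\]]+)\]\s*(?P<msg>.*)$"
)
# Closing quote made optional because the post quotes the line without one.
TICKET_RE = re.compile(r"got kerberos ticket for '([^']+)'?", re.IGNORECASE)
CONFIG_RE = re.compile(r"Loading config file '([^']+)' failed")
# Loader complaints about these files are a false positive per the thread.
BENIGN_CONFIG_FILES = {"base.xml", "pkcs11.xml"}


def parse_trace(text: str) -> list:
    """Split each trace line into its bracketed fields plus the message."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({k: v.strip() for k, v in m.groupdict().items()})
    return entries


def triage(text: str) -> dict:
    """Collect the facts that decide where the fault lies and derive a verdict."""
    msgs = [e["msg"] for e in parse_trace(text)]
    ticket = next((m.group(1) for msg in msgs if (m := TICKET_RE.search(msg))), None)
    config_files = [m.group(1) for msg in msgs if (m := CONFIG_RE.search(msg))]
    facts = {
        "enroll_urls": [msg.split("SLS URL:", 1)[1].strip() for msg in msgs if "Try to enroll SLS URL" in msg],
        "connected": any(msg.startswith("Successfully connected") for msg in msgs),
        "kerberos_spn": ticket,
        "server_rejected": any("Supplied credentials not accepted" in msg for msg in msgs),
        "benign_config_warnings": [f for f in config_files if f in BENIGN_CONFIG_FILES],
        "other_config_warnings": [f for f in config_files if f not in BENIGN_CONFIG_FILES],
    }
    if not facts["enroll_urls"]:
        verdict = "no enrollment attempt in trace: raise the trace level and reproduce"
    elif not facts["connected"]:
        verdict = "client could not reach the Secure Login Server: check URL, DNS and network"
    elif facts["kerberos_spn"] is None:
        verdict = ("client obtained no Kerberos ticket for the SPN: check domain membership "
                   "with klist and SPN registration with setspn -Q")
    elif facts["server_rejected"]:
        verdict = ("client had a ticket but AS Java rejected the SPNEGO token: check realm, "
                   "service user password and user mapping with the troubleshooting wizard")
    else:
        verdict = "no failure recorded in trace"
    facts["verdict"] = verdict
    return facts


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Point `triage` at the contents of the `.trc` file from the client's Traces directory; the `verdict` string tells you whether the next step is on the domain side (klist, setspn) or on the AS Java side (troubleshooting wizard), which is exactly the split the thread works through by hand.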
Hi Alexander,
As seen in the logs, I am getting lines such as "got kerberos ticket for 'HTTP/sapsecu01.maynilad.com.ph'" in the traces. I have also checked for duplicates of the SPN but there are none, and the client is in the correct domain.
Please check on the attachment for the latest log that I have. Thank you.
Regards,
Tom
Hello,
this means that the AS Java cannot verify the SPNEGO token sent by the client.
Please check the SPNEGO configuration.
You can use the troubleshooting wizard to get a clue what is going wrong.
1. Open Administrator UI on AS Java.
2. Goto Trouble shooting / Logs and traces
3. Open the Security Troubleshooting wizard
4. start diagnostic in Authentication mode (default)
5. enroll with the client
6. stop diagnostic
7. look into the collected traces, search for exceptions.
possible pitfalls:
- SPNEGO Realm not enabled
- Wrong REALM name
- wrong password of the service user entered
- Check the mapping mode; if you do not use the virtual user feature, check that the user exists in the UME.
best regards
Alexander Gimbel
Hello
In addition to capturing Security Troubleshooting Wizard trace, also capture HTTPWatch trace.
Install the free basic edition of HttpWatch, which can be downloaded from: http://www.httpwatch.com/download/.
Download the 9.x version.
This is for capturing traces. For reading them you need to download the paid professional version. If you don't have the paid version, you can upload the troubleshooting trace and the HttpWatch trace on the thread and I will check them for you.
Cheers,
Tapan
Hi Alexander,
I have already checked on the pitfalls that you have mentioned. Except for the last one: are you referring to the service user or a common user? (user mapping with mapping mode Principal and Realm, and source ADS Data Source).
Also, I have done some troubleshooting of my own and found out that the error encountered is during the SPNegoLoginModule, where I have defined the option "com.sap.spnego.jgss.name" with value of the domain "maynilad.com.ph".
Regards,
Tom
Hello,
if you have user mapping with mapping mode Principal and Realm, and source ADS Data Source, then each authenticating user must be a valid user in the UME. Did you bind the UME to the same AD?
If you have Problems with that, then you will get a "BaseLoginException: Can not authenticate the user".
You can use the User mapping option: Principal@Realm and Virtual User to solve that issue.
best regards
Alexander Gimbel
Hi Alexander,
I have now modified my user mapping option to Principal@Realm and Virtual User.
I did bind my UME to AD and it was successful, but now that you mentioned, I checked on Identity Management and it seems that users are not being pulled out from LDAP. I think that this is the root of the issue.
Regards,
Tom
Hi.
Did you set your environment variable SECUDIR to $(DIR_INSTANCE)/sec?
Also could you confirm if the password you set in the keytab password during the creation of pse file is the same as the password set for your service user?
Regards,
Florence
Hi Jonu,
You need to create or use an existing profile in the tab Client Management --> Profile groups.
http://help.sap.com/saphelp_nwsso20/helpdata/en/cb/450dc4b326457db9ad423b08c3625a/content.htm
After you finish all the configuration, download and deploy the policy to the client machine.
Regards,
Ridouan
Thx very much Donka/Ridouan
One more question: if we have multiple ABAP and Java systems, do we need multiple users/SPNs created for each ABAP/Java system, or is just one enough, which would be mapped to where the Secure Login Server is, and we export the ABAP/Root certs to the ABAP systems and the Root certs for each Java instance and do the user mappings?
Thank you
Jonu Joy
Hello Jonu,
it depends on whether you need different authentications for different ABAP systems or not.
Theoretically you can use one authentication profile for all ABAP and Java servers, or different authentication profiles for each ABAP/Java system.
All authentication profiles can then be bundled in one Profile Group and will be deployed via the Policy Download Agent in the Secure Login Client automatically, if configured.
best regards
Alexander Gimbel
Hello
1. Check the SLC and SLS trace files (after reproducing the issue). If you can't identify the root cause, you can attach the logs here.
2. Which version of NWSSO are you currently using (SP and PL of SLC and SLS)?
3. Which Login Module are you using?
4. In your client profile configuration in SLS, please check:
a. Which value has the parameter PSE Type;
b. Which value has the parameter Auto-Enroll;
Cheers,
Tapan
Hi Tapan,
Thank you for the response.
(1) Below are the entries (complete) from the SLC trace file.
----------------------------------------------------------------------------
Version : 8.4.30 (Sep 25 2014)
System : "windows-x86-32"
InstDir : "C:\Program Files\SAP\FrontEnd\SecureLogin\lib"
Trace file : "C:\Users\tgng\AppData\Local\SAP\SecureLogin\Traces\sec-03548.trc"
Trace level : 3
Process id : 3548
----------------------------------------------------------------------------
[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS ][MODULE ][THR_ID]
[2014.11.26 09:37:14.498000][INFO ][sbus.exe ][sbusslogin.d][ 5976] Generate RSA Key with keysize 2048
[2014.11.26 09:37:14.530000][INFO ][sbus.exe ][sbusslogin.d][ 5888] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...
[2014.11.26 09:37:14.530000][INFO ][sbus.exe ][URL ][ 5888] Successfully connected to
[2014.11.26 09:37:14.530000][INFO ][sbus.exe ][URL ][ 5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
[2014.11.26 09:37:28.367000][INFO ][sbus.exe ][URL ][ 5888] Successfully connected to
[2014.11.26 09:37:28.367000][INFO ][sbus.exe ][URL ][ 5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
[2014.11.26 09:40:04.452000][INFO ][sbus.exe ][sbusslogin.d][ 5800] Generate RSA Key with keysize 2048
[2014.11.26 09:40:04.493000][INFO ][sbus.exe ][sbusslogin.d][ 3536] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...
[2014.11.26 09:40:04.504000][INFO ][sbus.exe ][URL ][ 3536] Successfully connected to
[2014.11.26 09:40:04.504000][INFO ][sbus.exe ][URL ][ 3536] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
(2) NWSSO 2.0 SP04
(3) I have not followed any instruction with regards to configuring the Login Modules. Can you please elaborate on this. If you are referring to the user authentication of the Secure Login Client authentication profile for SPNEGO, the policy configuration is SecureLoginDefaultPolicyConfigurationSPNEGO.
(4) Below are the values applied to the registry based on the client profile configurations
(a) pseType - windowslogin
(b) AutoEnroll - 1
Thank you.
Regards,
Tom