SSO 2.0 SP04 Assistance

Former Member
0 Kudos

Dear Guru,

We have been trying to configure Secure Login Client (SSO 2.0 SP04).

Upon installation of the Secure Login Client, we were able to acquire Kerberos Tokens, but none for SPNEGO (X.509 Certificates). We have been getting errors like "Supplied credentials not accepted by server".

Installation Reference: scn.sap.com/docs/DOC-40179

The issue was encountered during phase 3 of the reference. We followed the instructions to a tee but got lost due to some SP differences, although we did manage to extract the Root CA and Registry Entries.

Any thoughts or advice on where to check? Thank you.

Regards,

Tom

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

this type of error is typically a misconfiguration in the Domain setup:

Please check with tools like setspn -q and klist:

1. The service principal name has the correct format, like HTTP/<Service Principal name>

2. The SPNEGO configuration in AS Java is enabled and valid (and with the correct password)

3. There are no double Service Principal name entries in the Domain Controller. Check that with setspn -q <service principal name> on the Domain Controller itself.

Also a Secure Login Client trace and an AS Java trace (troubleshooting wizard) can help to identify the problem.

best regards

Alexander Gimbel

Former Member
0 Kudos

Hi Alexander,

Thank you for the response.

We already double checked on the following.

(1)SPN format is correct

(2)SPNEGO configuration is green

(3)No duplicate SPN

As for the trace file, we noticed that the connection to the SLS was successfully established, and it seems that the only problem is that the credentials being supplied by the client are incorrect. Hence the error "Supplied credentials not accepted by server".

----------------------------------------------------------------------------

Version      : 8.4.30 (Sep 25 2014)

System       : "windows-x86-32"

InstDir      : "C:\Program Files\SAP\FrontEnd\SecureLogin\lib"

Trace file   : "C:\Users\tgng\AppData\Local\SAP\SecureLogin\Traces\sec-03548.trc"

Trace level  : 3

Process id   : 3548

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2014.11.26 09:37:14.498000][INFO ][sbus.exe            ][sbusslogin.d][  5976] Generate RSA Key with keysize 2048

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][sbusslogin.d][  5888] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:40:04.452000][INFO ][sbus.exe            ][sbusslogin.d][  5800] Generate RSA Key with keysize 2048

[2014.11.26 09:40:04.493000][INFO ][sbus.exe            ][sbusslogin.d][  3536] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Successfully connected to

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

Regards,

Tom

Former Member
0 Kudos

Hello,

unfortunately the trace is too short and does not contain the Kerberos request.
I want to see if the client gets a Kerberos ticket or not for the given Service.

Could you please make a developer trace (Developer trace level) of one enroll and attach that file here?

Also a troubleshooting wizard trace from the server side (ideally also from one enroll) can show if the AS Java and the Domain Controller are correctly configured.

thanks.

best regards

Alexander Gimbel

Former Member
0 Kudos

Hi Alexander,

Thank you for the tip, please see the developer trace below. It seems to be looking for a missing base.xml, which I confirmed is really missing. Please advise. Thank you.

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] CToken:: Secure Login token [toksw:mem://securelogin/Windows Authentication (SPNEGO)] :: login

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][IO          ][  2720] BEGIN: io_file_type (C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml)

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][IO          ][  2720] END  : io_file_type

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][LOADER      ][  2720] Loading config file 'base.xml' failed because file not existing in path 'C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml'

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::create_PSE

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::SetASC

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: NewPinType: password

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: gracePeriod: 0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: inactivityTimeout: 0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: ReAuthentication: 0

[2014.11.26 15:41:11.053000][INFO ][sbus.exe            ][sbusslogin.d][  1552] Generate RSA Key with keysize 2048

[2014.11.26 15:41:11.084000][TRACE][sbus.exe            ][sbusresloade][  2720] { GetLocale

[2014.11.26 15:41:11.084000][TRACE][sbus.exe            ][sbusresloade][  2720] }        0

[2014.11.26 15:41:11.084000][INFO ][sbus.exe            ][sbusslogin.d][  2720] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::loginBySystemParameters

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::needRealPSE

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } 80004001

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } a1e00015

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::getAllTrustedCerts

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::needRealPSE

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } 80004001

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::getAllTrustedCerts

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::getTrustedCertList

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::Refresh

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::InitProviders

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        1

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        1

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::getOwnCertificate

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::needRealPSE

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } 80004001

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTokenMgr::GetPCI

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] m_apTokens[0]->GetPCI()

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbusslogin.d][  2720] { CSecureLogin_Protocol_2_0::Send_Init

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbusslogin.d][  2720] { CSecureLogin::Send_Any

[2014.11.26 15:41:11.099000][INFO ][sbus.exe            ][URL         ][  2720] Successfully connected to

[2014.11.26 15:41:11.099000][INFO ][sbus.exe            ][URL         ][  2720] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] Family: AF_INET (IPv4)

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] Inner family: AF_INET (IPv4)

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] Protocol: 6

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] SockType: 1

[2014.11.26 15:41:11.115000][TRACE][sbus.exe            ][sbusslogin.d][  2720] }        0

[2014.11.26 15:41:11.115000][TRACE][sbus.exe            ][sbusslogin.d][  2720] }        0

[2014.11.26 15:41:11.979000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Supplied credentials not accepted by the server.Enrollment failed

Regards,

Tom

Former Member
0 Kudos

Hello

You can check sap note:

1996839 - Configuration Files for SNC on CommonCryptoLib

Cheers,

Tapan

Former Member
0 Kudos

Hi Tapan,

Thanks for the tip, it did resolve the base.xml file problem, but now I am getting the following error.

Loading config file 'pkcs11.xml' failed because file not existing in path 'C:\Program Files\SAP\FrontEnd\SecureLogin\etc\pkcs11.xml'

My question is that shouldn't these files be included in the installation of the Secure Login Client? If not, where should the files be included? I have already unpacked the Secure Login Library files, but it does not contain the missing files either (not that it matters since the Client should already be provided with the necessary certificates, with or without the Secure Login Library).

Please advise. Thank you.

Regards,

Tom

Former Member
0 Kudos

Hello,

please ignore the missing base.xml/pkcs11.xml files in the trace.

This is a false positive (it's not needed); the Secure Login Client installation is fine and complete.

The SAP note is for a CommonCryptoLib installation on an ABAP server.

What I still do not see in the traces is that the Secure Login Client tries to get a Kerberos ticket for the SPN.
Could you please search for a line like "got kerberos ticket for 'HTTP/<SPN>" in the traces.

If this is not present, then the client will not get a Kerberos ticket and there are several root causes for that:

- The client is in the wrong Domain (command klist and check for tickets)

- The SPN is double on the Domain Server (two service users have defined the same SPN)

But you have already checked that.
Could you please provide server traces (troubleshooting wizard) and attach them here?

best regards

Alexander Gimbel
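A small added triage script for the check Alexander describes (it is not part of the thread or of SAP's tooling): it parses the SLC trace line format quoted above, skips the base.xml/pkcs11.xml loader messages he calls false positives, and reports whether the "got kerberos ticket" line and the "Supplied credentials not accepted" error are present, so the failure can be attributed to the client/domain side or the AS Java side. The "got kerberos ticket" sample line is constructed in the trace format, since the thread quotes it only in prose.

```python
import re
from dataclasses import dataclass, field

# SLC trace line layout, as printed in the trace header quoted in this thread:
# [YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS][MODULE][THR_ID] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d.]+ [\d:.]+)\]\[(?P<level>[A-Z ]+)\]\[(?P<proc>[^\]]*)\]"
    r"\[(?P<module>[^\]]*)\]\[\s*(?P<thread>\d+)\]\s?(?P<msg>.*)$"
)
# The line Alexander asks to search for; the SPN is captured for reporting.
TICKET_RE = re.compile(r"got kerberos ticket for '(?P<spn>HTTP/[^']+)", re.I)
# Missing base.xml / pkcs11.xml loader messages are harmless on an SLC install.
FALSE_POSITIVE_RE = re.compile(r"Loading config file '(base|pkcs11)\.xml' failed")

@dataclass
class EnrollSummary:
    sls_url: str = ""
    kerberos_spns: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    ignored: int = 0  # false-positive loader lines that were skipped

def parse_line(line):
    # Split one trace line into its fields; the header and junk lines give None.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    # Walk an SLC trace and keep only what matters for a SPNEGO enrollment.
    s = EnrollSummary()
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"]
        if FALSE_POSITIVE_RE.search(msg):
            s.ignored += 1
        elif msg.startswith("Try to enroll SLS URL:"):
            s.sls_url = msg.split(":", 1)[1].strip()
        elif TICKET_RE.search(msg):
            s.kerberos_spns.append(TICKET_RE.search(msg).group("spn"))
        elif "not accepted by the server" in msg or "Enrollment failed" in msg:
            s.errors.append(msg)
    return s

def verdict(s):
    # Map the summary onto the two failure classes discussed in the thread.
    if not s.kerberos_spns:
        return "client side: no Kerberos ticket obtained; check domain and SPN (klist, setspn -Q)"
    if s.errors:
        return "server side: ticket obtained but SLS rejected it; check SPNEGO config on AS Java"
    return "ok: ticket obtained and no enrollment error"

# Constructed sample: lines quoted in this thread plus one 'got kerberos ticket'
# line written in the same format (the thread mentions that line only in prose).
SAMPLE_TRACE = [
    "[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]",
    "[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][LOADER      ][  2720] Loading config file 'base.xml' failed because file not existing in path 'C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\etc\\base.xml'",
    "[2014.11.26 15:41:11.084000][INFO ][sbus.exe            ][sbusslogin.d][  2720] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...",
    "[2014.11.26 15:41:11.090000][TRACE][sbus.exe            ][sbus.dll    ][  2720] got kerberos ticket for 'HTTP/sapsecu01.maynilad.com.ph'",
    "[2014.11.26 15:41:11.979000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Supplied credentials not accepted by the server.Enrollment failed",
]
if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_TRACE)))
```

Point it at a real trace with `summarize(open(path, encoding="utf-8", errors="replace"))`; a trace with no ticket line is a client/domain problem regardless of what the server says.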

Former Member
0 Kudos

Hi Alexander,

As seen in the logs, I am getting lines such as "got kerberos ticket for 'HTTP/sapsecu01.maynilad.com.ph" in the traces. I have also checked for duplicates of the SPN but there are none, and the client is in the correct domain.

Please check on the attachment for the latest log that I have. Thank you.

Regards,

Tom

Former Member
0 Kudos

Hello,

this means that the AS Java cannot verify the SPNEGO token sent by the client.

Please check the SPNEGO configuration.

You can use the troubleshooting wizard to get a clue what is going wrong.

1. Open Administrator UI on AS Java.

2. Go to Troubleshooting / Logs and traces

3. Open the Security Troubleshooting wizard

4. start diagnostic in Authentication mode (default)

5. enroll with the client

6. stop diagnostic

7. look into the collected traces, search for exceptions.

possible pitfalls:

- SPNEGO Realm not enabled

- Wrong REALM Name

- wrong password of the service user entered

- Check the Mapping mode; if you do not use the virtual user feature, check that the user exists in the UME.

best regards

Alexander Gimbel


Former Member
0 Kudos

Hello

In addition to capturing Security Troubleshooting Wizard trace, also capture HTTPWatch trace.

Install the free basic edition of Httpwatch that can be downloaded from: http://www.httpwatch.com/download/.

Download the 9.x version.

This is for capturing traces. For reading them you need to download the paid professional version. If you don't have the paid version, you can upload the troubleshooting trace and httpwatch trace to the thread and I will check them for you.

Cheers,

Tapan

Former Member
0 Kudos

Hi Alexander,

I have already checked on the pitfalls that you have mentioned, except for the last one: are you referring to the service user or a common user? (user mapping with mapping mode Principal and Realm, and source ADS Data Source).

Also, I have done some troubleshooting of my own and found out that the error encountered is during the SPNegoLoginModule, where I have defined the option "com.sap.spnego.jgss.name" with value of the domain "maynilad.com.ph".

Regards,

Tom

Former Member
0 Kudos

Hello,

if you have user mapping with mapping mode Principal and Realm, and source ADS Data Source, then each authenticating user must be a valid user in the UME. Have you bound the UME to the same AD?


If you have Problems with that, then you will get a "BaseLoginException: Can not authenticate the user".

You can use the User mapping option: Principal@Realm and Virtual User to solve that issue.

best regards

Alexander Gimbel

Former Member
0 Kudos

Hi Alexander,

I have now modified my user mapping option to Principal@Realm and Virtual User.

I did bind my UME to AD and it was successful, but now that you mentioned, I checked on Identity Management and it seems that users are not being pulled out from LDAP. I think that this is the root of the issue.

Regards,


Tom

Answers (2)

Former Member
0 Kudos

Hi.

Did you set your environment variable SECUDIR to $(DIR_INSTANCE)/sec?

Also, could you confirm if the password you set as the keytab password during the creation of the pse file is the same as the password set for your service user?

Regards,

Florence

former_member217468
Participant
0 Kudos

Hi All,

Would anyone guide us on how to establish a connection between a Secure Login Client and the Secure Login Server.

Thank you

Jonu Joy

donka_dimitrova
Contributor
0 Kudos

Hello Jonu,

Please look at the steps on how to set up single sign-on using X.509 digital certificates with SAP Single Sign-On 2.0 here:

Regards,

Donka Dimitrova

former_member190695
Participant
0 Kudos

Hi Jonu,

You need to create or use an existing profile in the tab Client Management --> Profile groups.

http://help.sap.com/saphelp_nwsso20/helpdata/en/cb/450dc4b326457db9ad423b08c3625a/content.htm

After you finish all the configuration, download and deploy the policy to the client machine.

Regards,

Ridouan

former_member217468
Participant
0 Kudos

Thx very much Donka/Ridouan

One more question: if we have multiple ABAP and JAVA systems, do we need multiple users/SPNs created for each ABAP/JAVA system, or is just one enough, which would be mapped to where the Secure Login Server is, and we export the ABAP/Root Certs to the ABAP systems and the Root Certs to each JAVA instance and do the user mappings?

Thank you

Jonu Joy

Former Member
0 Kudos

Hello Jonu,

it depends on whether you need different authentications for different ABAP systems or not.

Theoretically you can use one authentication profile for all ABAP and Java Servers or different authentication profiles for each ABAP/JAVA system.

All authentication profiles can then be bundled in one Profile Group and will be deployed via the Policy Download Agent in Secure Login Client automatically if configured.

best regards

Alexander Gimbel

Former Member
0 Kudos

Hello

1. Check the SLC and SLS trace files (after reproducing the issue). If you can't identify the root cause, you can attach the logs here.

2. Which version of NWSSO are you currently using (SP and PL from SLC and SLS)?

3. Which Login Module are you using?

4. In your client profile configuration in SLS, please check:
a. Which value the parameter PSE Type has;
b. Which value the parameter Auto-Enroll has;

Cheers,

Tapan

Former Member
0 Kudos

Hi Tapan,

Thank you for the response.

(1) Below are the entries (complete) from the SLC trace file.

----------------------------------------------------------------------------

Version      : 8.4.30 (Sep 25 2014)

System       : "windows-x86-32"

InstDir      : "C:\Program Files\SAP\FrontEnd\SecureLogin\lib"

Trace file   : "C:\Users\tgng\AppData\Local\SAP\SecureLogin\Traces\sec-03548.trc"

Trace level  : 3

Process id   : 3548

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2014.11.26 09:37:14.498000][INFO ][sbus.exe            ][sbusslogin.d][  5976] Generate RSA Key with keysize 2048

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][sbusslogin.d][  5888] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:40:04.452000][INFO ][sbus.exe            ][sbusslogin.d][  5800] Generate RSA Key with keysize 2048

[2014.11.26 09:40:04.493000][INFO ][sbus.exe            ][sbusslogin.d][  3536] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b64...

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Successfully connected to

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

(2) NWSSO 2.0 SP04

(3) I have not followed any instruction with regards to configuring the Login Modules. Can you please elaborate on this. If you are referring to the user authentication of the Secure Login Client authentication profile for SPNEGO, the policy configuration is SecureLoginDefaultPolicyConfigurationSPNEGO.

(4) Below are the values applied to the registry based on the client profile configurations

(a) pseType - windowslogin

(b) AutoEnroll - 1

Thank you.

Regards,

Tom