cancel
Showing results for 
Search instead for 
Did you mean: 

TREX crawler: Failed with 401 unauthorized / no assertion ticket - on production only

IngoBiermann
Explorer
0 Kudos

Hello,

here is a problem we encounter with TREX indexing portal KM repositories.

A) Dev System works fine, for example:

1. Indexing is triggered by "Redindexing" a queue

2. The queue starts working, the TREX monitor shows documents process across the several states (e.g. preprocessing) etc.

3. you can see from the portal log that the user index_service accesses the portal to retrieve content:

LOGIN.OK

User: index_service

IP Address: xxx.xx.xx.xx

Authentication Stack: ticket

Authentication Stack Properties:

logon_policy = default

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok true true

[...]

#10 ume.configuration.active = true

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok true

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false

Central Checks true

Logon policies are disabled

As you can see the EvaluateTicketLoginModule is successful for user index_service

B) Production System does not work

1. Indexing is triggered by "Redindexing" a queue

2. The queue starts working, the TREX monitor shows all documents size > 10 KByte fail in state "Preprocessing failed" / 401 unauthorized

3. The log on the TREX server shows that the crawler wants to access a certain KM document for content retrieval (with a correct access URL)

4. you can see from the portal log that the user index_service is not able to log on the portal to retrieve content:

User: N/A

IP Address: xxx.xx.xx.xx

Authentication Stack: ticket

Authentication Stack Properties:

logon_policy = default

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule SUFFICIENT ok exception true Received no SAP Authentication Assertion Ticket.

[...]

2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true SPNego authentication has failed during previous attempt.

3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false

5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true

No logon policy was applied

As you can see the error message during logon is "Recieved no SAP Authenticatino Assertion Ticket".

Of course we THINK that configuration of both systems is the same. But obviously this is not the case.

So Question:

What can cause the fact, that in case B) no assertion ticket is present at the requests from TREX?

What kind of configuration or difference can be the reason?

Best regards

Ingo

Accepted Solutions (0)

Answers (1)

Answers (1)

cathal_kelly
Participant
0 Kudos


Hi Ingo,

I would normally expect to see 401 unauthorized errors being returned in relation to the indexing of KM Content if the alternative host has not been configured in the URL Generator Service (System Admin > System Configuration > KM > CM > Global Services). It should be configured as outlined in the following documentation -

https://css.wdf.sap.corp/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3...

IngoBiermann
Explorer
0 Kudos

Thanks Cathal for your recommendation. I double checked the alternative host in KMC Configuration. It is set to the correct hostname of the portal system.

Unfortunately I am not able to open the link you have provided (it's SAP internal only). Is this content also available for public? Or could you provide the most important facts here?

Best regards

Ingo

former_member217429
Active Contributor
0 Kudos

Hi Ingo,

what's the TREX version you use ? Is it Linux or Windows installation?
Do you see any exceptions in the TREXPreprocessor and/or TREXNameServer traces?

Best regards,
Mikhail

IngoBiermann
Explorer
0 Kudos

Hi Mikhail,

this is a TREX 7.0.06.0 on Windows 2003.

The TREX Log says:

[26604] 2015-04-27 15:04:31.205 e preprocessor Preprocessor.cpp(00891) :

HTTPHEAD failed for URL http://s*********p:50000/irj/go/km/docs/MarketingDokumente_Neu/MarketingPR/Metal%20Components/Produk... with Httpstatus 401

[26604] 2015-04-16 14:58:31.205 e preprocessor Preprocessor.cpp(03454) : HANDLE: DISPATCH - Processing Document with key '/MarketingDokumente_Neu/MarketingPR/Metal Components/Alu-Grauguss/Produktfotos/GG_GGG/GG_011.jpg' failed, returning PREPROCESSOR_ACTIVITY_ERROR (Code 6401)

Does this mean anything to you?

Best regards

Ingo

former_member217429
Active Contributor
0 Kudos

Hi Ingo,

I'm very surprised to see  so old version of TREX installed on your system . As I remember the
REV 06 was a pilot version of the TREX 7.00 and supposed to be replaced by the Revision 25 as soon as this was released in 2006 . Anyway this version is extremly old (more than 9 years) now and need to be updated. As I remember we have had some issues with the updating of the topology file in TREX with the ticket information generated by KM/Portal.
Unfortunately an update to the newest TREX 700 REV 51 isn't possible , so you need to
uninstall TREX instance and install either TREX 700 REV 51 or TREX 710 REV 64 . The TREX 710 is 64 bit application , so most likely you can not install this on the same host where TREX 700 is currently running . However the Windows 2003 will be out of support starting 14.07.2015 .Is there a schedule plan by you to migrate to Win 2008/2012?

Best regards,
Mikhail

IngoBiermann
Explorer
0 Kudos

Hm, you are right. The TREX console shows

Install Time: 2006-08-18

Nevertheless we have three systems running perfectly fine with this server

1. Portal 7.0 Dev

2. Portal 7.0 Prod

3. Portal 7.4 Dev

and only one system not working for files > 10 KByte

4. Portal 7.4 Prod

Having this in mind we would of course prefer to make the no. 4. running just like the no. 3 does already.

Best regards

Ingo

former_member217429
Active Contributor
0 Kudos


Hi Ingo,

all documents under 10 KB are sent to TREX as content directly , so we don't need to resolve URLs . NW 740 need TREX 710  and can not be usually connected to TREX 700.

I would like to recommend to update all existing TREX instances to 710 REV 64 . For the EP/KMC 700 is  the TREX  700 still fine , however TREX 710 is recommended due to best stability and performance.

Best regards,
Mikhail

olivier_segol
Active Participant
0 Kudos

Hello Ingo,

Mikhail is right about the different way of indexing depending of the size of the file. We had a similar issue few years ago (an error code 6403 ("HTTP Status Code 403: Forbidden") with status

PReparation failed) with file > 10kb.

We solved it by addin the index_service user and password to the pre-processor.ini file.

Perhaps, check your TREX conf in this way, as you have the (logon,psw) login module it could work.

Olivier