Kerberos authentication Failed: NTLM token found in authorization header

former_member182832
Participant
0 Kudos

Hello,

We are facing some issues with Kerberos authentication (using SAML2). We are switching from an identity provider server (Site A) to another (Site B).

The Identity provider configuration is: NW AS Java 7.4 + SAML2 and IDM federation (with SPNego).

The Service provider is an ABAP server.

Authentication Stack is kerberos followed by Login/Password (PasswordProtectedAuthentication using https).

Redirection to the IdP is working fine but Kerberos does not work and we go to the login/password form. After checking traces we have this message.

"NTLM token found in authorization header during SPNego authentication"

I think it is an issue with the server aliases or the Active Directory service user, so no Kerberos token was generated. But we are unable to find the issue.

This is my spn configuration:

  • Service user (Site A): SAPServiceSSP
  • Service user (Site B): SAPServiceSSPRA

  • setspn -l SAPServiceSSP

    SAP/SAPServiceSSP
    HTTPS/<Site A alias>.domain.com
    HTTP/<Site A alias>.domain.com
    HTTP/<sp alias>.domain.com
    HTTPS/<sp alias>.domain.com

  • setspn -l SAPServiceSSPRA

    HTTPS/<Site B alias>.domain.com
    HTTP/<Site B alias>.domain.com


SAP Secure Login Client is correctly installed and Kerberos works fine with the other systems and the old configuration (IdP from Site A).

Thank you and regards,

Mehdi.

Accepted Solutions (1)


shuai_liang
Participant
0 Kudos

Hi Mehdi,

About the "NTLM token found in authorization header during SPNego authentication", you may check the following note.


934138 - IE browser sends NTLM token instead of Kerberos


Hope this note helps.


Best regards,

Shuai


former_member182832
Participant
0 Kudos

Hi Shuai

Thank you for the answer.

Regarding the SAP Note, IE is correctly configured (it works well with the other systems)

Also, SPN user is unique in LDAP.

I think it is an issue with the DNS name. We will check if it is the alias and not the hostname.

Regards,

Mehdi.

shuai_liang
Participant
0 Kudos

Hi Mehdi,

Yes, and you may get the HTTP trace with the HttpWatch tool.
The HttpWatch trace will be helpful for analyzing what hostname is used in the HTTP request.

Best regards,
Shuai

former_member182832
Participant
0 Kudos

Thank you, I will try with HttpWatch and let you know the result.

Thank you,

Mehdi.

Answers (3)


former_member182832
Participant
0 Kudos

Hello,

Problem solved!! The issue was from the hosts file. Many aliases were assigned to one IP address and one hostname.

Kerberos is working fine now

Regards,

Mehdi.

amylv
Explorer
0 Kudos

Hi Mehdi,

Are you sure the SPNs below are only bound to the service user SAPServiceSSPRA?

HTTPS/<Site B alias >.domain.com

HTTP/<Site B alias>.domain.com

Better to run the ldifde command to verify this point. As long as one SPN name is bound to more than one service user, SPNego will never work.

See ldifde example as below:

ldifde -f out_http.txt -r "(servicePrincipalName=HTTP/test.domain.com)"

ldifde -f out_https.txt -r "(servicePrincipalName=HTTPS/test.domain.com)"

Best regards,

Amy
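The check Amy describes, automated: an added example (not code from this thread) that parses the LDIF file ldifde writes and reports every SPN registered on more than one account, comparing SPNs case-insensitively as AD does. The account names and hostnames in the sample LDIF are constructed; ldifde would be run beforehand, e.g. `ldifde -f spn.txt -r "(servicePrincipalName=HTTP*)"`.

```python
from collections import defaultdict

# Constructed sample in the LDIF format ldifde writes (not real data): the
# service-provider SPN is registered under both accounts, in different case.
SAMPLE_LDIF = """\
dn: CN=SAPServiceSSP,OU=Service,DC=domain,DC=com
sAMAccountName: SAPServiceSSP
servicePrincipalName: SAP/SAPServiceSSP
servicePrincipalName: HTTP/sitea.domain.com
servicePrincipalName: HTTP/spalias.domain.com

dn: CN=SAPServiceSSPRA,OU=Service,DC=domain,DC=com
sAMAccountName: SAPServiceSSPRA
servicePrincipalName: HTTP/siteb.domain.com
servicePrincipalName: http/SPALIAS.domain.com
"""

def parse_ldif(text):
    """Return one dict (attribute -> list of values) per LDIF entry.
    Folded lines (starting with a space) are re-joined; base64 values
    ('attr:: ...') are skipped, since SPNs are plain ASCII."""
    unfolded = []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                    # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):   # no colon, or base64 ('::')
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def find_duplicate_spns(text):
    """Map each SPN to the accounts that hold it and keep only those with
    more than one owner. SPNs are compared case-insensitively, as AD does."""
    owners = defaultdict(set)
    for entry in parse_ldif(text):
        account = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for spn in entry.get("servicePrincipalName", []):
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
```

Running `find_duplicate_spns` over the sample flags HTTP/spalias.domain.com as held by both SAPServiceSSP and SAPServiceSSPRA, which is exactly the condition that makes SPNego fail.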

former_member182832
Participant
0 Kudos

Hello Amy,

Thank you for your help.

The client hosts file is configured as follows:

  • ip hostname1 alias1 hostname2 alias2

In SAML2 traces I received another canonical hostname (which is not declared in the client host file). I think this configuration is not clean. I will test from another machine and let you know the result.

Thank you,

Mehdi.

former_member198633
Contributor
0 Kudos

Hello Mohamed,

Please check out this KBA: 1649110. Basically this error is coming because the SAP side (AS Java) triggers an SPNego token to be issued, but what it receives from the other end (browser) is an NTLM token. So usually it is out of SAP scope, as our end is suffering from this problem and not causing it.

Best Regards,

Peter

former_member182832
Participant
0 Kudos

Hi Peter,

I agree with you. This is an issue from the client side (not from the SAP Server Side).

Kerberos authentication is working fine with other systems.
So there is an issue with my AD configuration.

Do I need to declare the service provider SPN (<sp alias>.domain.com) under the user SAPServiceSSPRA? Because it is used by the old SAPServiceSSP.

Thx and regards,

Mehdi.

former_member198633
Contributor
0 Kudos

Hello Mohamed,

Please refer to the attachment of this note: 1488409 - New SPNego Implementation, Chapter #3, where this is described.

Best Regards,

Peter

former_member182832
Participant
0 Kudos

Thank you Peter,

I will check again the IE client and SPN config; otherwise I will test with another client machine.

Thank you,

Mehdi.