on 02-03-2016 11:36 PM
Hello,
We are facing some issues with Kerberos authentication (using SAML2). We are switching from one identity provider server (Site A) to another (Site B).
The identity provider configuration is: NW AS Java 7.4 + SAML2 and IDM federation (with SPNego).
The service provider is an ABAP server.
The authentication stack is Kerberos followed by Login/Password (PasswordProtectedAuthentication using HTTPS).
Redirection to the IdP is working fine, but Kerberos does not work and we go to the login/password form. After checking traces we have this message:
"NTLM token found in authorization header during SPNego authentication"
I think it is an issue with the server aliases or the Active Directory service user, so no Kerberos token was generated. But we are unable to find the issue.
This is my SPN configuration:
SAP/SAPServiceSSP
HTTPS/<Site A alias>.domain.com
HTTP/<Site A alias>.domain.com
HTTP/<sp alias>.domain.com
HTTPS/<sp alias>.domain.com
HTTPS/<Site B alias>.domain.com
HTTP/<Site B alias>.domain.com
SAP Secure Login Client is correctly installed, and Kerberos works fine with the other systems and the old configuration (IdP from Site A).
Thank you and regards,
Mehdi.
Hi Mehdi,
About the "NTLM token found in authorization header during SPNego authentication", you may check the following note.
934138 - IE browser sends NTLM token instead of Kerberos
Hope this note helps.
Best regards,
Shuai
Hello,
Problem solved!! The issue was from the host file. Many aliases were assigned to one IP address and one hostname.
Kerberos is working fine now.
Regards,
Mehdi.
Hi Mehdi,
Are you sure the SPNs below are only bound to the service user SAPServiceSSPRA?
HTTPS/<Site B alias>.domain.com
HTTP/<Site B alias>.domain.com
It is better to run the ldifde command to verify this point. As long as one SPN name is bound to more than one service user, SPNego will never work.
See ldifde example as below:
ldifde -r (serviceprincipalname=HTTP/test.domain.com) -f out.txt
ldifde -r (serviceprincipalname=HTTPS/test.domain.com) -f out.txt
Best regards,
Amy
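A way to automate the duplicate-SPN check Amy describes, as an added example that is not part of the thread: parse the `ldifde -f out.txt` export and list every servicePrincipalName that is bound to more than one account. The LDIF below is a constructed sample in the shape of such an export; the account and host names are placeholders, not real data.

```python
from collections import defaultdict

# Constructed sample (not real data) in the shape of an `ldifde -r ... -f out.txt`
# export: both service accounts claim HTTP/siteb.domain.com, which is exactly
# the misconfiguration that makes SPNego fail and fall back to the password form.
SAMPLE_LDIF = """\
dn: CN=SAPServiceSSP,OU=Service,DC=domain,DC=com
changetype: add
servicePrincipalName: SAP/SAPServiceSSP
servicePrincipalName: HTTP/sitea.domain.com
servicePrincipalName: HTTPS/sitea.domain.com
servicePrincipalName: HTTP/siteb.domain.com

dn: CN=SAPServiceSSPRA,OU=Service,DC=domain,DC=com
changetype: add
servicePrincipalName: HTTP/siteb.domain.com
servicePrincipalName: HTTPS/siteb.domain.com
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]}, keeping only servicePrincipalName values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folds long values with a leading space
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():              # a blank line ends the current entry
            dn = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
            entries.setdefault(dn, [])
        elif key == "serviceprincipalname" and dn is not None:
            entries[dn].append(value)
    return entries

def duplicate_spns(entries):
    """Return {spn: sorted DNs} for every SPN bound to more than one account.
    SPNs are compared case-insensitively, as AD's SPN lookup is."""
    owners = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}
```

Run `duplicate_spns(parse_ldif(open("out.txt").read()))` against a real export; an empty result means every SPN is uniquely owned, which is the precondition Amy points out.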
Hello Amy,
Thank you for your help.
The client host file is configured as follows:
In SAML2 traces I received another canonical hostname (which is not declared in the client host file). I think this configuration is not clean. I will test from another machine and let you know the result.
Thank you,
Mehdi.
Hello Mohamed,
Please check out this KBA: 1649110. Basically this error is coming because the SAP side (AS Java) triggers an SPNego token to be issued, but what it receives from the other end (browser) is an NTLM token. So usually it is out of SAP scope, as our end is suffering from this problem and not causing it.
Best Regards,
Peter
Hi Peter,
I agree with you. This is an issue from the client side (not from the SAP Server Side).
Kerberos authentication is working fine with other systems.
So there is an issue with my AD configuration.
Do I need to declare the service provider SPN (<sp alias>.domain.com) under the user SAPServiceSSPRA? Because it is used by the old SAPServiceSSP.
Thx and regards,
Mehdi.
Hello Mohamed,
Please refer to the attachment of this note: 1488409 - New SPNego Implementation, Chapter #3, where this is described.
Best Regards,
Peter