Login module

Former Member
0 Kudos

Hi,

I am trying to configure the SPNego login module on the portal (sp15). At chapter 7.8 in the installation guide it says that you have to deploy the file spnegoauthlib.sda and add this library to the LoginModuleClassLoaders property.

I cannot find this spnegoauthlib.sda file anywhere, and when using the test tool to test the configuration (Acquire Credentials) I get the error:

Acquiring credentials ... ... failed: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

The logfile tells:

Cannot load login module class com.sap.spnegoauth.jaas.MappingModule.

Looks like the file spnegoauthlib.sda is missing.

Can anyone tell me where to find this file or give me a hint how to solve this error?

Thanx,

Twan

Accepted Solutions (0)

Answers (1)

yonko_yonchev
Active Participant
0 Kudos

Hi Twan,

With SP15 you do not need the spnegoauthlib.sda

Instead of deploying this sda, you can register the MappingModule with the following classname:

com.sap.security.core.server.jaas.SPNegoMappingLoginModule

To see how you can change the classname for the login module and/or register the MappingModule with VA, see this topic:

http://help.sap.com/saphelp_nw04/helpdata/en/07/0ce13d8ee4535ee10000000a114084/content.htm

You can also use the official SPNegoLoginModule documentation instead of the installation guide.

Hope this helps....

Best Regards,

Yonko

Former Member
0 Kudos

Yonko,

Could you provide me the official documentation for the SPNego Login Module.

Vaib

yonko_yonchev
Active Participant
0 Kudos

Hi Vaib,

You can get to the SPNego documentation from this link:

http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm

I would suggest that you start with a simpler configuration scenario and work your way through the more complicated ones.

If you haven't used Kerberos before you can also take a look at the Kerberos V5 Administrator’s Guide, available from web.mit.edu. Additional resources are Microsoft's and Sun's documents about Kerberos.

As for the installation guide mentioned previously, you can use it as well - except for the point about the MappingModule it is good enough.

Hope this helps. Let me know if you have other questions.

Best Regards,

Yonko

Former Member
0 Kudos

Hi Yonko,

thanx for your answer. Changing the class name did solve the "class not found" error. However now I keep getting authentication errors:

KrbException: Pre-authentication information was invalid (24)

I already created a new service user and new keytab file but still no success.

Any ideas?

Regards,

Twan

yonko_yonchev
Active Participant
0 Kudos

Hi Twan,

Take a look at this site and see if you've done all the suggestions for the exception you are getting:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/Troubleshooting.html

Let me know if it works...

Regards,

Yonko

Former Member
0 Kudos

Hi Yonko,

I did find this site too.

First I generated a new keytab file and afterwards I even created a new system user and a new keytab file.

There was no significant difference in the system times.

Error still exists.

Regards,

Twan

yonko_yonchev
Active Participant
0 Kudos

Hi Twan,

Strange...Apparently the exception occurs in the so called "Kerberos implementation" of the JDK, which in this case is represented by Krb5LoginModule - misspellings could be easy to miss.

Given that all is ok with the keytab configuration, the service user for the J2EE Engine on the KDC and the KDC configuration itself, take a closer look at all the config options for the Krb5LoginModule.

Specifically, make sure that the value for the parameter keytab points to the correct keytab file with its full (and DNS resolvable) path, of course. You can also see if all recommendations for the exceptions in section 11.3 of the installation guide are met.

Either way, the root cause for this exception should be "a password mismatch between the keys contained in the keytab files and the account password of the ADS account"...

Hope it works out this time.

Regards,

Yonko

Former Member
0 Kudos

Hi Yonko,

There was a mix-up with the domains I used.

I got it working now.

Thanx for your help.

regards,

Twan

tombo_larsen
Active Participant
0 Kudos

Hi

Could you please tell what the problem was? I am asking because I have a similar problem and get the error message: "Acquiring credentials ... ... failed: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) " when testing the config with the test tool.

However I am trying to configure a scenario, where the Windows/AD/KDC domain is "@NT-DOMAIN.DK" and the portal/J2EE is placed in another domain i.e ".portal-domain.dk". I think this should be possible without windows trust between the two windows domains.

That is: My SPN for the J2EE service created in the windows domain "NT-DOMAIN.DK" is "HTTP/sapportal.portal-domain.dk@NT-DOMAIN.DK" and in the kerberos configuration file I have specified the two different domains as:

--- kerberos5 conf file ---

[domain_realm]
.portal-domain.dk = NT-DOMAIN.DK

[libdefaults]
default_keytab_name = <PATH>
default_realm = NT-DOMAIN.DK
dns_lookup_kdc = true

-


Former Member
0 Kudos

Hi,

did you adjust the browser settings to:

Enable windows integrated authentication on the client:

Tools -> Internet Options -> Advanced -> Security

Add portal url to local intranet sites:

Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced

Did you test with exactly the same SPN as used when creating the keytab file (use the klist command to fetch the name)?

Regards,

Twan
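
A way to check the point raised in the last two posts, that the realm in the SPN must agree with the realm krb5.conf assigns to the portal host (added example, not part of the original thread or of SAP's tooling). The sample file is constructed from the values quoted above; the function names are hypothetical, and the lookup is a simplified model of the [domain_realm] search (exact host name, then each parent domain with and without a leading dot).

```python
# Constructed sample, modelled on the krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """
[domain_realm]
.portal-domain.dk = NT-DOMAIN.DK

[libdefaults]
default_realm = NT-DOMAIN.DK
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat 'key = value' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def realm_for_host(conf, host):
    """Simplified [domain_realm] lookup; falls back to default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    name = host.lower()
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]  # ".a.b" -> "a.b"
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""  # "x.a.b" -> ".a.b"
    return conf.get("libdefaults", {}).get("default_realm")

def check_spn(conf, spn):
    """Return a list of problems found for an SPN of form service/host@REALM."""
    principal, sep, realm = spn.rpartition("@")
    if not sep or "/" not in principal:
        return ["SPN is not of the form service/host@REALM"]
    host = principal.split("/", 1)[1]
    expected = realm_for_host(conf, host)
    if expected is None:
        return ["no [domain_realm] entry or default_realm for " + host]
    if expected != realm:  # realm names are compared case-sensitively
        return ["%s maps to %s but the SPN realm is %s" % (host, expected, realm)]
    return []
```

Run `check_spn(parse_krb5_conf(text), spn)` with the contents of the real krb5.conf and the principal name that klist reports for the keytab; an empty list means the two agree.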