on 02-08-2006 4:21 PM
Hi,
I am trying to configure the SPNego login module on the portal (SP15). In chapter 7.8 of the installation guide it says that you have to deploy the file spnegoauthlib.sda and add this library to the LoginModuleClassLoaders property.
I cannot find this spnegoauthlib.sda file anywhere, and when using the test tool to test the configuration (Acquire Credentials) I get the error:
Acquiring credentials ... ... failed: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
The logfile tells:
Cannot load login module class com.sap.spnegoauth.jaas.MappingModule.
Looks like the file spnegoauthlib.sda is missing.
Can anyone tell me where to find this file or give me a hint how to solve this error?
Thanx,
Twan
Hi Twan,
With SP15 you do not need the spnegoauthlib.sda
Instead of deploying this sda, you can register the MappingModule with the following classname:
com.sap.security.core.server.jaas.SPNegoMappingLoginModule
To see how you can change the classname for the login module and/or register the MappingModule with VA, see this topic:
http://help.sap.com/saphelp_nw04/helpdata/en/07/0ce13d8ee4535ee10000000a114084/content.htm
You can also use the official SPNegoLoginModule documentation instead of the installation guide.
Hope this helps....
Best Regards,
Yonko
Hi Vaib,
You can get to the SPNego documentation from this link:
http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm
I would suggest that you start with a more simple configuration scenario and work your way through the more complicated ones.
If you haven't used Kerberos before, you can also take a look at the Kerberos V5 Administrator's Guide, available from web.mit.edu. Additional resources are Microsoft's and Sun's documents about Kerberos.
As for the installation guide mentioned previously, you can use it as well - except for the point about the MappingModule it is good enough.
Hope this helps. Let me know if you have other questions.
Best Regards,
Yonko
Hi Yonko,
thanx for your answer. Changing the class name did solve the "class not found" error. However now I keep getting authentication errors:
KrbException: Pre-authentication information was invalid (24)
I already created a new service user and new keytab file but still no success.
Any ideas?
Regards,
Twan
Hi Twan,
Take a look at this site and see if you've done all the suggestions for the exception you are getting:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/Troubleshooting.html
Let me know if it works...
Regards,
Yonko
Hi Twan,
Strange... Apparently the exception occurs in the so-called "Kerberos implementation" of the JDK, which in this case is represented by Krb5LoginModule; misspellings could be easy to miss.
Given that all is ok with the keytab configuration, the service user for the J2EE Engine on the KDC and the KDC configuration itself, take a closer look at all the config options for the Krb5LoginModule.
Specifically, make sure that the value for the parameter keytab points to the correct keytab file with its full (and DNS-resolvable) path, of course. You can also see if all recommendations for the exceptions in section 11.3 of the installation guide are met.
Either way, the root cause for this exception should be "a password mismatch between the keys contained in the keytab files and the account password of the ADS account"...
Hope it works out this time.
Regards,
Yonko
Hi
Could you please tell what the problem was? I am asking as I have a similar problem and get the error message "Acquiring credentials ... ... failed: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)" when testing the config with the test tool.
However, I am trying to configure a scenario where the Windows/AD/KDC domain is "@NT-DOMAIN.DK" and the portal/J2EE is placed in another domain, i.e. ".portal-domain.dk". I think this should be possible without a Windows trust between the two Windows domains.
That is: my SPN for the J2EE service created in the Windows domain "NT-DOMAIN.DK" is "HTTP/sapportal.portal-domain.dk@NT-DOMAIN.DK", and in the Kerberos configuration file I have specified the two different domains as:
--- kerberos5 conf file ---
[domain_realm]
.portal-domain.dk = NT-DOMAIN.DK
[libdefaults]
default_keytab_name = <PATH>
default_realm = NT-DOMAIN.DK
dns_lookup_kdc = true
-
Hi,
did you adjust the browser settings to:
Enable windows integrated authentication on the client:
Tools -> Internet Options -> Advanced -> Security
Add portal url to local intranet sites:
Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced
Did you test with exactly the same SPN as used when creating the keytab file (use the klist command to fetch the name)?
Regards,
Twan
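As an added illustration (not code from anyone in this thread), the check below parses the krb5.conf fragment posted above, applies the [domain_realm] mapping to the portal host to derive the realm, and compares the resulting service principal with the principal in the keytab, which is the mismatch Twan suggests looking for. The conf text is constructed inline from the posted fragment; the keytab principal strings are assumed sample values.

```python
# Added example: verify that [domain_realm] maps the portal host to the expected
# realm and that the derived SPN equals the principal the keytab was created for.
import re

# Constructed inline from the fragment posted in the thread; <PATH> is left as-is.
KRB5_CONF = """
[domain_realm]
.portal-domain.dk = NT-DOMAIN.DK
[libdefaults]
default_keytab_name = <PATH>
default_realm = NT-DOMAIN.DK
dns_lookup_kdc = true
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}} for a flat krb5.conf (no nested {} blocks)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif '=' in line and current is not None:
            key, value = (s.strip() for s in line.split('=', 1))
            current[key] = value
    return sections

def realm_for_host(conf, host):
    """MIT [domain_realm] rules: an exact host entry wins, then the longest
    matching '.suffix' entry (covers subdomains), else libdefaults default_realm."""
    mapping = conf.get('domain_realm', {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    best = None
    for pattern, realm in mapping.items():
        if pattern.startswith('.') and host.endswith(pattern.lower()):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, realm)
    return best[1] if best else conf.get('libdefaults', {}).get('default_realm')

def expected_spn(conf, host, service='HTTP'):
    """Service principal the J2EE engine will present for this host."""
    return f"{service}/{host}@{realm_for_host(conf, host)}"

def spn_matches_keytab(conf, host, keytab_principal):
    """Exact comparison: Kerberos principal names are case-sensitive."""
    return expected_spn(conf, host) == keytab_principal
```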