
Configuring SSO

former_member203984
Participant
0 Kudos

Hi All,

I have EHP1 for NW 7.3 installed on Windows 2008 R2 and I am trying to do SSO with ADS.

I am following the steps below:

1. Created administrator user user1, disabled "Use Kerberos DES encryption type for this Account" and checked the "Password never expire" option

2. setspn -a HTTP/javahost.mydomain.com user1

3. Logged into javahost:port/nwa

4. Generated Keytab file in Domain server:

ktab -a user1@MYDOMAIN.COM -k keytab

5. Imported the keytab into the JAVA system :

http://javahost:port/spnego

Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.

6. Activate the REALM.

7. Adjusted the authentication stack:

EvaluateTicketLoginModule     SUFFICIENT

SPNegoLoginModule              OPTIONAL

CreateTicketLoginModule       SUFFICIENT

BasicPasswordLoginModule     REQUIRED

CreateTicketLoginModule       REQUIRED

-->Save.

8. Did the settings in the browser, but SSO is not working.

I am getting an error: "No key (etype: 18) for realm".

When I googled, I found that the error is due to "AES256-CTS-HMAC-SHA1-96", as attached in the screenshot.

Actually my keytab generates "DES-CBC-MD5", "AES128-CTS-HMAC-SHA1-96", "RC4-HMAC".

I updated my Java policy as per the note and I got "AES256-CTS-HMAC-SHA1-96".

Now I am getting "Could not validate SPNEGO token.
[EXCEPTION]
java.security.InvalidKeyException: Illegal key size
"

Can you please guide me on this?

Regards

G.Partheeban

Accepted Solutions (1)

former_member203984
Participant
0 Kudos

Hi All,

Thanks ...

Solved this issue by upgrading the SP.

Regards

G.Partheeban

Answers (3)

former_member203984
Participant
0 Kudos

Hi All,

I got the solution and I got all the LDAP users imported.

But now my MII menu and other Web Dynpro pages are throwing the error "500 Internal error"

Failed to process request. Please contact your system administrator.

While processing the current request, an exception occured which could not be handled by the application or the framework.

If the information contained on this page doesn't help you to find and correct the cause of the problem, please contact your system administrator. To facilitate analysis of the problem, keep a copy of this error page. Hint: Most browsers allow to select all content, copy it and then paste it into an empty document (e.g. email or simple text file).

For further information about the Web Dynpro error page, error analysis and a description of well-known error situations, see SAP note 1113811.

Correction Hints

Exception could be caused by the development component: sap.com/xapps~xmii~ui~admin~navigation

Note: The above hints are only a guess. They are automatically derived from the exception that occurred and therefore can't be guaranteed to address the original problem in all cases.

Any idea how to solve this?

Regards

G.Partheeban

Former Member
0 Kudos

It's totally unrelated to configuring SSO; create a new discussion thread in the correct space.

former_member203984
Participant
0 Kudos

Hi Samuli,

Created new

Exception occured during processing of Web Dynp... | SCN

Can you please suggest a solution?

Regards

G.Partheeban

former_member203984
Participant
0 Kudos

Hi All,

Now I am getting the following error:

Could not search for user by logon id: p1gnana
[EXCEPTION]
com.sap.security.api.NoSuchUserException: USER_AUTH_FAILED: User account for logonid "p1gnana" not found!

Kerberos principal [p1gnana@VALENET.VALEGLOBAL.NET] cannot be mapped to any local user.

Even I had configured LDAP. But I am not able to?

So please let me know where the issue is.

I think it is not able to find the user.

Regards

G.Partheeban

Former Member
0 Kudos

Check your user mapping mode in SPNEGO Wizard, you probably want to use "Principal only" or "Principal and REALM".

former_member203984
Participant
0 Kudos

Hi Experts,

Can anyone help me with this?

Regards

G.Partheeban

former_member186228
Active Participant
0 Kudos

Dear Partheeban,

Have you updated the cryptographic library? If not, update it. Also add one more service principal name, HTTP/javahost (not the fully qualified name).

Regards,

Jithin

former_member203984
Participant
0 Kudos

Hi Jithin,

Right now I am facing "NTML token authorization header failed".

Can you explain what you mean by "updated cryptographic library"?

Regards

G.Partheeban

Former Member
0 Kudos

I would recommend that you generate the keys with the SPNEGO Wizard (not upload them) to avoid further incompatibility issues. With NW731 you are most likely using SAP JVM 6; the installed Java policy files must support AES256. See SAP KBA 1810884 on how to update the policy files. With NW731 the installed SAP Cryptographic Library should support AES256, so there shouldn't be any need to update it.
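
Added example, not part of any post in this thread and not SAP code: a small Python parser that lists which encryption types a keytab actually holds, which is the check behind the "No key (etype: 18)" error in the first post. It assumes the MIT keytab file format, version 0x0502; the function names are hypothetical, and the sample keytab is constructed with all-zero keys for the principal and the three etypes named in the thread.

```python
import struct

ETYPES = {3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",   # Kerberos etype numbers
          18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}     # named in the thread

def _counted(buf, pos):  # 16-bit length-prefixed string -> (bytes, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, etype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # hole left by a deleted entry
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode())
        kvno = rec[p + 8]                  # follows 4-byte name type and timestamp
        etype, keylen = struct.unpack_from(">HH", rec, p + 9)
        p += 13 + keylen
        if len(rec) - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, p)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return out

def missing_etypes(data, required=(18,)):
    """Names of required etypes for which the keytab holds no key."""
    present = {etype for _, _, etype in keytab_entries(data)}
    return [ETYPES.get(e, str(e)) for e in required if e not in present]

def _entry(realm, name, etype, keylen, kvno=2):
    """Build one entry with an all-zero key (constructed sample data)."""
    body = struct.pack(">HH", 1, len(realm)) + realm + struct.pack(">H", len(name)) + name
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, keylen) + bytes(keylen)
    return struct.pack(">i", len(body)) + body

# Constructed keytab: the three etypes the poster listed, and no etype 18
SAMPLE = b"\x05\x02" + b"".join(_entry(b"MYDOMAIN.COM", b"user1", e, n)
                                 for e, n in ((3, 8), (17, 16), (23, 16)))
```

On the sample, `missing_etypes(SAMPLE)` reports AES256-CTS-HMAC-SHA1-96 as absent, which matches a server asked for an etype 18 key it does not have.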