https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545985#M1428839 <HTML><HEAD></HEAD><BODY><P>Hello Dalibor,</P><P></P><P>While the service account user object has <STRONG>Use DES</STRONG> selected it would appear your user session is still sending the AS Java an RC4 service ticket. This might occur if your user had requested a service ticket before <STRONG>Use DES</STRONG> was selected, or before that setting had replicated to the appropriate domain controller. The fix might be as simple and logging out and logging back in now that some time has passed.</P><P></P><P>You could also download the Microsoft kerbtray utility and inspect the service ticket enc type to validate this. kerbtray can also be used to clear old tickets and is generally useful for troubleshooting this kind of thing.</P><P></P><P>Thanks!</P><P>Kyle</P></BODY></HTML> Wed, 13 Jan 2010 20:34:35 GMT Former Member 2010-01-13T20:34:35Z https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545984#M1428838 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>We had activated SPnego for authenticating users with Kerberos SSO for AS Java CE 7.11, the UME Data Source is AS ABAP Solution manager 7.0 EHP1.</P><P>All configuration was done according documentation and SAP notes (NOTE#994791).</P><P>Regardless login form (SAP NW) appears so the Kerberos SSO with Spnego does not work for our AS Java system.</P><P></P><P>In trace files there are error messages:</P><P>...</P><P>com.sap.engine.services.security.autentification.calllbackhandler.handle(HttpGetterCallback) Cookie MYSAPSSO2 is not found </P><P>...</P><P>CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC) </P><P>[EXCEPTION]</P><P> <SPAN __jive_macro_name="0"></SPAN>#1#GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)</P><P>...</P><P>Login Module</P><P> Flag Initialize Login Commit Abort Details</P><P>1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule</P><P> SUFFICIENT ok false true</P><P>2. com.sap.security.core.server.jaas.SPNegoLoginModule</P><P> OPTIONAL ok exception true Failure</P><P>unspecified at GSS-API level (Mechanism level: Invalid argument (400)</P><P>- Cannot find key of appropriate type to decrypt AP REP - RC4 with</P><P>HMAC)</P><P>3. com.sap.security.core.server.jaas.CreateTicketLoginModule</P><P> SUFFICIENT ok false true</P><P>4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule</P><P> REQUISITE ok false false</P><P>5. com.sap.security.core.server.jaas.CreateTicketLoginModule</P><P> REQUISITE ok false true</P><P></P><P>...</P><P>Neither SPNego resolution mode simple nor prefixbased doen't work.</P><P>The ADS user j2ee-&lt;AS_JAVA_SID&gt; has appropriate property DES encryption.</P><P></P><P></P><P>Regards</P><P>Dalibor</P></BODY></HTML> Wed, 13 Jan 2010 08:30:46 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545984#M1428838 Former Member 2010-01-13T08:30:46Z https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545985#M1428839 <HTML><HEAD></HEAD><BODY><P>Hello Dalibor,</P><P></P><P>While the service account user object has <STRONG>Use DES</STRONG> selected it would appear your user session is still sending the AS Java an RC4 service ticket. This might occur if your user had requested a service ticket before <STRONG>Use DES</STRONG> was selected, or before that setting had replicated to the appropriate domain controller. The fix might be as simple and logging out and logging back in now that some time has passed.</P><P></P><P>You could also download the Microsoft kerbtray utility and inspect the service ticket enc type to validate this. kerbtray can also be used to clear old tickets and is generally useful for troubleshooting this kind of thing.</P><P></P><P>Thanks!</P><P>Kyle</P></BODY></HTML> Wed, 13 Jan 2010 20:34:35 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545985#M1428839 Former Member 2010-01-13T20:34:35Z https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545986#M1428840 <HTML><HEAD></HEAD><BODY><P>If you are interested to use an SPNEGO loginmodule which supports RC4 (even when using Java 1.4) then you can find one on SAP EcoHub - just search for spnego.</P><P></P><P>Thanks,</P><P>Tim</P></BODY></HTML> Wed, 13 Jan 2010 23:33:35 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sso-configuration-between-windows-ads-and-as-java/m-p/6545986#M1428840 tim_alsop 2010-01-13T23:33:35Z