https://community.sap.com/t5/application-development-and-automation-discussions/configuring-kerberos-authentication-on-j2ee-engine-errors/m-p/1796595#M342283 <HTML><HEAD></HEAD><BODY><P>Please find our policy configurations used for the </P><P>SPNego/Kerberos authentication from the diagtool log.</P><P></P><P></P><P>[com.sun.security.jgss.accept] (size: 2)</P><P> 1. (REQUISITE) com.sun.security.auth.module.Krb5LoginModule</P><P> #1 useKeyTab=true</P><P> #2 keyTab=C:\SSO-files\portal-sso.keytab</P><P> #3 useTicketCache=true</P><P> #4 storeKey=true</P><P> #5 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM</P><P> #6 Debug=true (Unknown option)</P><P> #7 doNotPrompt=true</P><P></P><P> 2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoMappingLoginModule</P><P> #1 com.sap.spnego.uid.resolution.attr = krb5principalname</P><P></P><P>[Info] Dec 27, 2006 3:43:55 PM </P><P></P><P>{[ticket]}(size: 5)</P><P> 1. ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule</P><P> #1 ume.configuration.active = true</P><P> 2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoLoginModule</P><P> #1 com.sap.spnego.creds_in_thread = true</P><P> #2 com.sap.spnego.uid.resolution.attr = Kpnprefix</P><P> #3 com.sap.spnego.jgss.name = host/hostname_of_J2EE.abc2.com@ABC2.COM</P><P> #4 com.sap.spnego.uid.resolution.mode = Prefixbased</P><P> #5 com.sap.spnego.uid.resolution.dn = dn</P><P> 3. ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule</P><P> #1 Ume.configuration.active = true</P><P> 4. ( REQUISITE ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule</P><P> 5. ( OPTIONAL ) com.sap.security.core.server.jaas.CreateTicketLoginModule</P><P> #1 ume.configuration.active = true</P><P></P><P>Also find LoginModuleTest from diagtool log:</P><P></P><P> (Krb5LoginModule) com.sun.security.auth.module.Krb5LoginModule</P><P> #1 debug=true</P><P> #2 useKeyTab=true</P><P> #3 keyTab=c:\SSO-files\portal-sso.keytab</P><P> #4 useTicketCache=true</P><P> #5 storeKey=true</P><P> #6 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM</P><P> #7 doNotPrompt=true</P><P></P><P> (SPNegoMappingLoginModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule</P><P> #1 com.sap.spnego.uid.resolution.attr = krb5principalname</P><P></P><P> (MappingModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule</P><P> #1 com.sap.spnego.uid.resolution.attr = krb5principalname</P><P></P><P> (SPNegoLoginModule) com.sap.security.core.server.jaas.SPNegoLoginModule</P><P> #1 com.sap.spnego.creds_in_thread = true</P><P> #2 com.sap.spnego.uid.resolution.attr = kpnprefix</P><P> #3 com.sap.spnego.jgss.name = portal-sso@ABC2.COM</P><P> #4 com.sap.spnego.uid.resolution.mode = prefixbased</P><P> #5 com.sap.spnego.uid.resolution.dn = dn</P></BODY></HTML> Thu, 28 Dec 2006 20:11:26 GMT Former Member 2006-12-28T20:11:26Z https://community.sap.com/t5/application-development-and-automation-discussions/configuring-kerberos-authentication-on-j2ee-engine-errors/m-p/1796594#M342282 <HTML><HEAD></HEAD><BODY><P>We have configured Kerberos authentication on our J2EE Engine (NW04s SP8), Active Directory (Windows 2003). We are running the diagtool and SPNegoLoginModule Test Configuration Web Application to test our configuration.</P><P></P><P>When we run the diagtool, we get an 'ERROR: HTTP request was not successful. Returned code is 200'. We found the following errors when looking at the default trace:</P><P></P><P>- USER_AUTH_FAILED: User account for loginid "zuser@ABC2.COM" not found.</P><P>- Can not refresh user zuser@ABC.COM</P><P>- Replay cache for zuser@ABC2.COM is null</P><P>- Error in some of the login modules</P><P>- Login Module <SPAN __jive_macro_name="0"></SPAN> from authentication stack <SPAN __jive_macro_name="1"></SPAN> errors while authenticating the caller. Most probably the authentication stack is not set up correctly.</P><P>- Credentials of zuser@ABC.COM cannot be delegated.</P><P>- SPNego authentication succeeds. Authenticated user name is zuser@ABC2.COM</P><P></P><P>When we run the SPNegoLoginModule Test Configuration Web Application, we get 'Cannot acquire credentials' on the third screen i.e. the application is able to find the user and krb5 file.</P><P></P><P>Any suggestions of why this is not working? Everything is looking good on the active directory side. We have re-looked at the login modules and there seems to be not problem there as well.</P><P></P><P>Any help will be greatly appreciated.</P></BODY></HTML> Thu, 28 Dec 2006 16:48:17 GMT https://community.sap.com/t5/application-development-and-automation-discussions/configuring-kerberos-authentication-on-j2ee-engine-errors/m-p/1796594#M342282 Former Member 2006-12-28T16:48:17Z https://community.sap.com/t5/application-development-and-automation-discussions/configuring-kerberos-authentication-on-j2ee-engine-errors/m-p/1796595#M342283 <HTML><HEAD></HEAD><BODY><P>Please find our policy configurations used for the </P><P>SPNego/Kerberos authentication from the diagtool log.</P><P></P><P></P><P>[com.sun.security.jgss.accept] (size: 2)</P><P> 1. (REQUISITE) com.sun.security.auth.module.Krb5LoginModule</P><P> #1 useKeyTab=true</P><P> #2 keyTab=C:\SSO-files\portal-sso.keytab</P><P> #3 useTicketCache=true</P><P> #4 storeKey=true</P><P> #5 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM</P><P> #6 Debug=true (Unknown option)</P><P> #7 doNotPrompt=true</P><P></P><P> 2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoMappingLoginModule</P><P> #1 com.sap.spnego.uid.resolution.attr = krb5principalname</P><P></P><P>[Info] Dec 27, 2006 3:43:55 PM </P><P></P><P>{[ticket]}(size: 5)</P><P> 1. ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule</P><P> #1 ume.configuration.active = true</P><P> 2. ( OPTIONAL ) com.sap.security.core.server.jaas.SPNegoLoginModule</P><P> #1 com.sap.spnego.creds_in_thread = true</P><P> #2 com.sap.spnego.uid.resolution.attr = Kpnprefix</P><P> #3 com.sap.spnego.jgss.name = host/hostname_of_J2EE.abc2.com@ABC2.COM</P><P> #4 com.sap.spnego.uid.resolution.mode = Prefixbased</P><P> #5 com.sap.spnego.uid.resolution.dn = dn</P><P> 3. ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule</P><P> #1 Ume.configuration.active = true</P><P> 4. ( REQUISITE ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule</P><P> 5. ( OPTIONAL ) com.sap.security.core.server.jaas.CreateTicketLoginModule</P><P> #1 ume.configuration.active = true</P><P></P><P>Also find LoginModuleTest from diagtool log:</P><P></P><P> (Krb5LoginModule) com.sun.security.auth.module.Krb5LoginModule</P><P> #1 debug=true</P><P> #2 useKeyTab=true</P><P> #3 keyTab=c:\SSO-files\portal-sso.keytab</P><P> #4 useTicketCache=true</P><P> #5 storeKey=true</P><P> #6 principal=host/hostname_of_J2EE.abc2.com@ABC2.COM</P><P> #7 doNotPrompt=true</P><P></P><P> (SPNegoMappingLoginModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule</P><P> #1 com.sap.spnego.uid.resolution.attr = krb5principalname</P><P></P><P> (MappingModule) com.sap.security.core.server.jaas.SPNegoMappingLoginModule</P><P> #1 com.sap.spnego.uid.resolution.attr = krb5principalname</P><P></P><P> (SPNegoLoginModule) com.sap.security.core.server.jaas.SPNegoLoginModule</P><P> #1 com.sap.spnego.creds_in_thread = true</P><P> #2 com.sap.spnego.uid.resolution.attr = kpnprefix</P><P> #3 com.sap.spnego.jgss.name = portal-sso@ABC2.COM</P><P> #4 com.sap.spnego.uid.resolution.mode = prefixbased</P><P> #5 com.sap.spnego.uid.resolution.dn = dn</P></BODY></HTML> Thu, 28 Dec 2006 20:11:26 GMT https://community.sap.com/t5/application-development-and-automation-discussions/configuring-kerberos-authentication-on-j2ee-engine-errors/m-p/1796595#M342283 Former Member 2006-12-28T20:11:26Z