
SAPCC to NW ABAP using Kerberos Principal Propagation giving Error KDC_ERR_BADOPTION

former_member286284
Discoverer
0 Kudos

We are configuring authentication using SAP CPms -> Corporate IDP (ADFS public facing) -> Principal Propagation from SCC using Kerberos token -> NW ABAP (SAP Gateway with SPNEGO)

We are not using SAP Identity Authentication Tenant. Only Corporate IDP (ADFS public facing)

First Part between SAP CPms and ADFS works perfectly. When we access the WebIDE or Mobile, the page gets redirected to our Corporate IDP and we can enter our network credentials and log in to these apps okay.

Second Part between SCC => KDC<==>SCC => NW ABAP is where we are facing issues.

2019-02-02 21:57:40,195 +0000#TRACE#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Service ticket for user: FirstName.LastName and SPN: HTTP/sapgateway.xxxx.fakeclient.org, that is still valid, was not found in the cache. Retrieving a new one|
2019-02-02 21:57:40,195 +0000#DEBUG#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Perform operation: Obtain Kerberos service ticket from end user (S4U2Self)|
2019-02-02 21:57:40,195 +0000#TRACE#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Try to use KDC [host=172.60.000.001, port=88]|
2019-02-02 21:57:40,195 +0000#INFO#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Sending TGS-REQ message to KDC (S4U2Self) to obtain ticket from end-user: firstname.lastname for local service: [KDCUSER.SRV] in realm: XXXX.FAKECLIENT.ORG
:
:
:2019-02-02 21:57:40,227 +0000#DEBUG#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Length field to be decoded: Raw value (hex): 000000a0
ASN.1 representation:
Byte array cannot be parsed as ASN.1 structure. Details: Unknown type: 0 (0x00)|
2019-02-02 21:57:40,227 +0000#DEBUG#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Decoded length field: 160|
2019-02-02 21:57:40,227 +0000#DEBUG#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Read kerberos message:
Raw value (hex): 7e819d30819aa003020105a10302011ea411180f32303139303230323231353734305aa50502030e406ca60302010da91c1b1a534552564943452e53414e43545541525947524f55502e4f5247aa363034a003020102a12d302b1b04485454501b2364677761733130312e736572766963652e73616e63747561727967726f75702e6f7267ac1904173015a103020103a20e040c720200c00000000003000000
ASN.1 representation:
Application 30  {
  [SEQUENCE  {
    [0]  [INTEGER  5]
    [1]  [INTEGER  30]
    [4]  [GeneralizedTime  Sat Feb 02 21:57:40 GMT 2019]
    [5]  [INTEGER  933996]
    [6]  [INTEGER  13]
    [9]  [GeneralString  XXXX.FAKECLIENT.ORG]
    [10]  [SEQUENCE  {
      [0]  [INTEGER  2]
      [1]  [SEQUENCE  {
        GeneralString  HTTP
        GeneralString  SAPGW.XXXX.FAKECLIENT.ORG
      }]
    }]
    [12]  [OCTET STRING  3015a103020103a20e040c720200c00000000003000000]
  }]
}|
2019-02-02 21:57:40,227 +0000#ERROR#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #Received Kerberos error message (KRB-ERR) with error code 13 [KDC_ERR_BADOPTION (KDC cannot accommodate requested option)]:
[
  [0]  pvno: 5
  [1]  msg-type: 30
  [2]  ctime:
  [3]  cusec:
  [4]  stime: Sat, 2 Feb 2019 21:57:40 GMT
  [5]  susec: 933996
  [6]  error-code: KDC_ERR_BADOPTION
  [7]  crealm:
  [8]  cname:
  [9]  realm: XXXX.FAKECLIENT.ORG
  [10] sname: HTTP/SAPGW.XXXX.FAKECLIENT.ORG
  [11] eText:
  [12] eData: 3015a103020103a20e040c720200c00000000003000000
]
|
2019-02-02 21:57:40,227 +0000#ERROR#com.sap.security.krb5.log.KRB5Logger#tunnel-client-8-1#          #ASN.1 representation of the KRB-ERR message:
Application 30  {
  [SEQUENCE  {
    [0]  [INTEGER  5]
    [1]  [INTEGER  30]
    [4]  [GeneralizedTime  Sat Feb 02 21:57:40 GMT 2019]
    [5]  [INTEGER  933996]
    [6]  [INTEGER  13]
    [9]  [GeneralString  XXXX.FAKECLIENT.ORG]
    [10]  [SEQUENCE  {
      [0]  [INTEGER  2]
      [1]  [SEQUENCE  {
        GeneralString  HTTP
        GeneralString  SAPGW.XXXX.FAKECLIENT.ORG
      }]
    }]
    [12]  [OCTET STRING  3015a103020103a20e040c720200c00000000003000000]
  }]
}|
2019-02-02 21:57:40,227 +0000#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-8-1#0xc52be9a3#Unable to generate authorization token
com.sap.core.connectivity.spi.sso.BackendTokenGenerationException: Could not create SPNego token
    at com.sap.scc.sso.kerberos.SPNegoTokenGenerator.generateToken(SPNegoTokenGenerator.java:59)


1. The Service User created in KDC has Delegation properties assigned as HTTP\SAPGW

2. SAP Documentation did not mention setting up an SPN on the SCC server, but the error appears to be related to SPNs

Configure Kerberos in SAP Cloud Connector

3. Backend SAP GW system has SPNEGO set up with the same service user which we are using in the SCC Kerberos section.

Questions:

1. Do we need to set the SPN on the DMZ server where SAPCC is running?

2. Users in the backend system already use existing SPNEGO configuration for SSO with the same KDC. Am I correct in thinking no more user mapping is required in backend system?

3. I did not see much information/blogs/help on configuring SCC -> NW ABAP using Kerberos principal propagation to cross-check whether I am missing any configuration.


Any help will be much appreciated.

Kind Regards

Mo.
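As an added example (not code from this thread or from SAP Cloud Connector), a small Python decoder for the KRB-ERR message that the trace above prints as raw hex: it walks the DER structure and pulls out error-code, realm and sname, which is what tells you the KDC refused the S4U request for the gateway SPN rather than, say, a pre-authentication problem. The sample message is constructed here from the redacted names in the trace (XXXX.FAKECLIENT.ORG, HTTP/SAPGW.XXXX.FAKECLIENT.ORG) and is not copied from the log.

```python
KRB_ERROR_NAMES = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 13: "KDC_ERR_BADOPTION", 24: "KDC_ERR_PREAUTH_FAILED"}
FIELDS = {0: "pvno", 1: "msg-type", 2: "ctime", 3: "cusec", 4: "stime", 5: "susec", 6: "error-code",
          7: "crealm", 8: "cname", 9: "realm", 10: "sname", 11: "e-text", 12: "e-data"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):                          # yield (tag, value) for each TLV in a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_principal(seq):                    # PrincipalName: [0] name-type, [1] SEQUENCE OF GeneralString
    parts = {tag & 0x1F: read_tlv(val)[1] for tag, val in iter_tlvs(seq)}
    return "/".join(v.decode("ascii") for _, v in iter_tlvs(parts[1]))

def parse_krb_error(der):
    """Map the context-tagged KRB-ERROR fields (RFC 4120 section 5.9.1) to readable values."""
    tag, body, _ = read_tlv(der)
    if tag != 0x7E: raise ValueError("not a KRB-ERROR ([APPLICATION 30]) message")
    out = {}
    for ctag, wrapped in iter_tlvs(read_tlv(body)[1]):   # members of the outer SEQUENCE
        n, inner = ctag & 0x1F, read_tlv(wrapped)[1]     # each [n] wraps exactly one value
        if n in (0, 1, 3, 5, 6):
            out[FIELDS[n]] = int.from_bytes(inner, "big", signed=True)
        elif n in (2, 4, 7, 9, 11):
            out[FIELDS[n]] = inner.decode("ascii")
        elif n in (8, 10):
            out[FIELDS[n]] = parse_principal(inner)
        else:                                # [12] e-data stays opaque, as in the SCC trace
            out[FIELDS[n]] = inner.hex()
    out["error-name"] = KRB_ERROR_NAMES.get(out.get("error-code"), "UNKNOWN")
    return out

def tlv(tag, body):                          # minimal DER encoder (lengths < 256), only for the sample
    length = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def sample_krb_error():
    """Constructed sample: the KRB-ERR from the trace, rebuilt with the thread's redacted names."""
    ctx = lambda n, body: tlv(0xA0 | n, body)               # context-specific constructed [n]
    sname = tlv(0x30, ctx(0, tlv(0x02, b"\x02")) + ctx(1, tlv(0x30, tlv(0x1B, b"HTTP") +
                tlv(0x1B, b"SAPGW.XXXX.FAKECLIENT.ORG"))))
    body = (ctx(0, tlv(0x02, b"\x05")) + ctx(1, tlv(0x02, b"\x1E")) + ctx(4, tlv(0x18, b"20190202215740Z")) +
            ctx(5, tlv(0x02, b"\x0E\x40\x6C")) + ctx(6, tlv(0x02, b"\x0D")) + ctx(9, tlv(0x1B, b"XXXX.FAKECLIENT.ORG")) +
            ctx(10, sname) + ctx(12, tlv(0x04, bytes.fromhex("3015a103020103a20e040c720200c00000000003000000"))))
    return tlv(0x7E, tlv(0x30, body))
```

Feed `bytes.fromhex(...)` of a "Read kerberos message" hex dump from your own trace into `parse_krb_error` to get the same fields the logger prints; an error-code of 13 with the gateway SPN in sname points at the delegation settings of the account SCC uses, not at the gateway.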

Accepted Solutions (0)

Answers (1)

oppancs
Contributor
0 Kudos

Dear Masihuddin,


This issue seems too complicated to answer immediately and would require deep investigation.


Firstly, the issue can be with the KDC server itself, which should generate the Kerberos token. If it resets the connection, or a network intermediary does, the connection fails. You can check the logs of the server and, if needed, get in touch with the vendor of the KDC server. I would also recommend raising a question on forums of that kind, if they exist. If the server does not show an issue, there can also be a network issue.


I am not an expert on ABAP security, so I cannot answer your queries, but I requested to involve the Security Tags for this thread. Also, I cannot find any useful blogs for this specific scenario either. However, I can confirm that this is not a Cloud Connector issue. Anyway, I can give you some hints for resolution:


The "BackendTokenGenerationException", "Could not create SPNego token" and "KDC cannot accommodate requested option" entries can be caused by the service user having been authenticated but failing to obtain a ticket for the service. Most likely the reason for this is that this user is not allowed to do delegation, or this service is not in the list of services for which this user can be used for delegation. Make sure the configuration of the user's service is done correctly and has the right permissions. It is also described in the SAP Help:


https://help.sap.com/saphelp_smp308svr/helpdata/en/ea/188755fc49400dba7b40317d19396b/frameset.ht


Best Regards,
Barnabás Paksi

former_member286284
Discoverer

There were 2 issues which caused this problem:
1. The KDC service user we used for the SCC Kerberos configuration was a generic KDC user and did not have SPNs for the target gateway system to generate a SPNEGO token. To fix this we used the same service user which we configured SAP Gateway SPNEGO with.

2. The KDC service user's Delegation tab had the radio button selected to use 'Kerberos Only'. We realised the request was happening on UDP port 88 but the response was being sent on HTTPS 443. To fix this we switched this radio button to 'Use any authentication protocol'.

Issue now Resolved. The whole thing works like magic. 🙂