Additional Blogs by SAP
Showing results for 
Search instead for 
Did you mean: 
Former Member
0 Kudos

The Single Sign On (SSO) solution via SPNego is quite popular now on the J2EE Engine. It is not only used very often in Portals or other SAP Applications, but also a popular way to achieve Single Sign On to BSP pages from Duet's Action Pane.

The SPNego Wizard that is available makes the configuration quite easy now. Additional there is a great support in the forums and via Configuring and troubleshooting SPNego -- Part 1. 🙂

Unfortunately the number of issues regarding SPNego increased in the last few weeks. Often when a customer is running Windows 7 or is using Windows Server 2008 R2, SSO stops working. 

As you might know the SPNego solution used by the 7.00 & 6.40 AS Java is based on Java 1.4.2. Unfortunately Java 1.4.2 does only support the DES Encryption type for Kerberos (that is why you have to set the "User DES Encryption" flag when creating your SPNego Service user). 

With Windows 7 and Windows 2008 R2, Microsoft decided to stop supporting DES Kerberos encryption by default. This is all documented in a TechNet article (Update: Microsoft has also published a KB explaining this topic: The security principals and the services that use only DES encryption for Kerberos authentication ar...). We also have a note available that points out the issue: Note 1396724 - SPNEGO fails with Windows 7 and Windows Server 2008 R2 

Our develeopment is already working on a new SPNego login module so that you will not have to change anything on the client. However, until that is ready and tested I want to show you the steps that you need to perform in order to get SPNego working again on the affected clients.

First take a look at a fresh Windows 7 installation. If I call a portal page that was working before with SPNego I do get an error messages 401 Unauthorized.

A closer look with Wireshark reveals why this is the case. We can see the TGS Request for several Kerberos encryption types, but the required DES_CBC_MD5 is not there.

So logically instead of the Kerberos ticket we get an error:

Since now the client cannot send a Kerberos ticket to the J2EE Engine usually it defaults back to NTLM. In the Configuring and troubleshooting SPNego -- Part 3 you will then see entries like this: 

NTLM token found in authorization header during SPNego authentication.

As a result authentication via the SPNego login module fails.

In order to get SPNego working again we have to enable DES_CBC_MD5 encryption. Start GPEDIT.msc on the Windows 7 client (of course this can also be done centrally on the domain controller and rolled out to all Windows 7 clients)

Then go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options [sorry for the German screenshot, but I hope you get the point where it is located]

Double click on "Network security: Configure encryption types allowed for Kerberos" and select (at least) the entry DES_CBC_MD5 which from now on allows Kerberos tokens that are encrypted with DES_CBC_MD5 (in order to prevent issues with other applications you might want to consider to enable all other encryption types as well or at least the ones that were active by default before).

Finally you should restart the client and try to access your SPNego enabled AS Java again -- and it should work:

If you take a look at a Wireshark trace again you can see that the TGS Request contains now the previously missing DES_CBC_MD5 encryption type:

And of course with that we get a valid ticket which can be used for authentication

I hope this helps a little in order to get your Windows 7 / Windows 2008 R2 clients up and running again. Feel free to check the note 1396724 mentioned above in order to see when we have a final fix avaialable.




The new Login Module for 640 and 700 is here. Go to and download the  attached ZIP files. It also includes a PDF with installation  instructions!