
Kerberos Authentication (SPNego) on J2ee Cluster

Former Member
0 Kudos


I am checking the configuration of Kerberos authentication (SPNego) in Web AS Java (NW2004s, 7.00 SP11).

We have a cluster of two machines (j2ee1.domain and j2ee2.domain).

Cluster name is j2eecluster.domain.

Instance name is WDD.

KDC is on a machine called kdc.domain, and Microsoft ADS is on a cluster (ads1.domain and ads2.domain).

On the J2EE machines we have installed Sun SDK 1.4.2_13 (I read there was a problem with 1.4.2_14, 15 and 16).

We followed the instructions in the SAP documentation and some blogs on SDN.

These are the steps we did:

-Created a user on ADS called SAPJ2EEWDD (password never expire, etc,..)

-created keytab file with the script

ktpass -princ host/j2eecluster.domain@DOMAIN -pass **** -out keytabWDD.keytab -mapUser SAPJ2EEWDD +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

(here I put the name of the cluster, j2eecluster.domain)

-Register Principal with script

setspn -A HTTP/s- j2eecluster.domain SAPJ2EEWDD

(also use cluster name)

Should I also register for the two nodes, j2ee1 and j2ee2?

-copied keytab file to both servers, j2ee1 and j2ee2.

-Created krb5.conf file on both servers; here is the content


domain = DOMAIN


default_keytab_name =


default_realm = DOMAIN

dns_lookup_kdc = true






admin_server = kdc.domain

kdc = kdc.domain


Also, I checked that the keytab file is correct; I did the test:


C:\j2sdk1.4.2_13\bin\klist -e -f -k -K C:\j2sdk1.4.2_13\keytabWDD.keytab

Key tab: C:\j2sdk1.4.2_13\keytabWDD.keytab, 1 entry found.

[1] Service principal: host/j2eecluster.domain@DOMAIN


Key type: 3

Key: 0xfedf5843edc49b3

Test OK!

-added java parameters on server nodes in Config Tool\usr\sap\WDD\kerberos\krb5.conf

Should I put here
j2eecluster\sapmnt\WDD\kerberos\krb5.conf? I am not sure...

Then I modified the XML configuration file, dataSourceConfiguration_ads_readonly_db_with_krb5.xml

I added parameters indicated in SAP documentation

<attribute name="kpnprefix"/>

<attribute name="krb5principalname"/>

<attribute name="dn" />


<attribute name="kpnprefix">

<physicalAttribute name="samaccountname"/>

</attribute>

<attribute name="krb5principalname">

<physicalAttribute name="userprincipalname"/>

</attribute>

<attribute name="dn">

<physicalAttribute name="distinguishedname"/>

</attribute>

Finally I adjusted the login modules as the documentation says.

Added SPNegoLoginModule in ticket policy configuration, with OPTIONAL flag, true

- created login module Krb5LoginModule and MappingModule ;

-created policy group com.sun.securuty.jgss.accept and added to it Krb5LoginModule and MappingModule ;

Finally I configured the Internet Explorer browser with the options indicated in the SAP documentation.

When I call the J2EE URL, a login pop-up appears?

What is wrong?

Any idea?

Thanks and Regards


Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

I get this error in the defaultTrace files:

#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)



Caused by: Client not found in Kerberos database (6)

Any idea?

Thanks in advance
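
A cross-check of the names quoted in this thread, as an added example (not code from the posters or from SAP): it compares the ktpass command, the klist listing, the krb5.conf default realm and the setspn command, and reports where they disagree. The function names are hypothetical, and the inputs are constructed from the post's own lines, with the setspn line taken exactly as it appears there.

```python
import re

# Constructed from values quoted in the thread (dashes written as ASCII hyphens).
KTPASS = ("ktpass -princ host/j2eecluster.domain@DOMAIN -pass **** -out keytabWDD.keytab "
          "-mapUser SAPJ2EEWDD +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL")
SETSPN = "setspn -A HTTP/s- j2eecluster.domain SAPJ2EEWDD"
KLIST = "[1] Service principal: host/j2eecluster.domain@DOMAIN\nKey type: 3\n"
KRB5_CONF = "default_realm = DOMAIN\ndns_lookup_kdc = true\n"
# Kerberos encryption type numbers mapped to the names ktpass accepts for /crypto.
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC-NT"}


def option(command, name):
    """Value following a -name or /name option (name matched case-insensitively)."""
    tokens = command.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lstrip("-/").lower() == name.lower():
            return tokens[i + 1]
    return None


def check_names(ktpass, setspn, klist, krb5_conf):
    """Return a list of inconsistencies between the four artefacts."""
    findings = []
    principal = re.search(r"Service principal:\s*(\S+)", klist).group(1)
    etype = int(re.search(r"Key type:\s*(\d+)", klist).group(1))
    host, realm = principal.split("/", 1)[1].split("@")
    if principal != option(ktpass, "princ"):
        findings.append("keytab principal differs from ktpass -princ")
    if ETYPES.get(etype) != (option(ktpass, "crypto") or "").upper():
        findings.append("keytab key type %d differs from ktpass /crypto" % etype)
    default_realm = re.search(r"default_realm\s*=\s*(\S+)", krb5_conf).group(1)
    if realm != default_realm:
        findings.append("keytab realm differs from krb5.conf default_realm")
    # Service class is not compared: the post uses host/ in the keytab and HTTP/ for the SPN.
    args = [t for t in setspn.split()[1:] if not t.startswith("-")]
    spn_host = args[0].split("/", 1)[-1]
    if len(args) != 2:  # setspn -A takes <SPN> <account>
        findings.append("setspn got %d arguments instead of 2: %s" % (len(args), args))
    if spn_host.lower() != host.lower():
        findings.append("SPN host %r differs from keytab host %r" % (spn_host, host))
    if args[-1] != option(ktpass, "mapUser"):
        findings.append("setspn account differs from ktpass -mapUser")
    return findings


if __name__ == "__main__":
    for finding in check_names(KTPASS, SETSPN, KLIST, KRB5_CONF):
        print("FINDING:", finding)
```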