on 2019 Mar 21 1:35 PM
Hello Experts,
I have been trying to configure SPNEGO for the Portal System, but I cannot log in to the system directly; it asks for a username and password.
NW version is 7.50
My Portal configurations are as below
I have sent the LDAP SPN configuration to the customer IT as the PDF attached to KBA 1488409.
LDAP configurations are ok, Portal users come from LDAP.
Could you please advise me?
My trace log is below:
#2.0#2019 03 19 09:58:43:849#+0300#Error#com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto#
#BC-JAS-SEC#security#C0000ACF096D056E0000000300001A84#2286750000000004#sap.com/irj#com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto#Guest#0##680DA0574A1411E982F300000022E49E#680da0574a1411e982f300000022e49e##0#Thread[HTTP Worker [@1000574548],5,Dedicated_Application_Thread]#Plain##
Checksum error! checksum: 0xfb8fb64c6cdf296ce006e57f; calculated checksum: 0x6d976e70046dd9f130dca045#
#2.0#2019 03 19 09:58:43:849#+0300#Error#com.sap.security.core.server.jaas.SPNegoLoginModule#
#BC-JAS-SEC#security#C0000ACF096D056E0000000400001A84#2286750000000004#sap.com/irj#com.sap.security.core.server.jaas.SPNegoLoginModule#Guest#0##680DA0574A1411E982F300000022E49E#680da0574a1411e982f300000022e49e##0#Thread[HTTP Worker [@1000574548],5,Dedicated_Application_Thread]#Plain##
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.Exception: Checksum error.
at com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto.decrypt(AesCrypto.java:45)
at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:85)
at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:70)
at com.sap.security.core.server.jaas.SPNegoLoginModule.validateKerberosToken(SPNegoLoginModule.java:328)
at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:537)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:164)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:66)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:285)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:877)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:343)
at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook(SecurityHookService.java:151)
at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook.java:383)
at com.sap.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:136)
at com.sap.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:49)
at com.sap.portal.prt.pom.PortalNode.createComponentNode(PortalNode.java:266)
at com.sap.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:435)
at com.sapportals.portal.prt.connection.ServletConnection._handleRequest(ServletConnection.java:224)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:101)
at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.prt.dispatcher.CustomHeaderFilter.doFilter(CustomHeaderFilter.java:58)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:340)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:501)
at com.sap.portal.navigation.Gateway.service(Gateway.java:161)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.portal.prt.dispatcher.CustomHeaderFilter.doFilter(CustomHeaderFilter.java:58)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:441)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:278)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:468)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:262)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
#
Hi Yasin! AS Java can't decrypt the SPNEGO token, a.k.a. the service ticket, from the client. On the client you test with, execute the CLI command klist and check the output for the ticket related to your Portal / Java SPN http/<host>. Which encryption type is used?
As it throws errors at com.sap.security.core.server.jaas.spnego.krb5.crypto.AesCrypto.decrypt, it sounds like AES is used, at least I assume. Check the exact spelling of the username. In case you have enabled AES encryption for the AD account, the username itself is case-sensitive. Make sure you type it in exactly as it was created by your AD admin, and double-check the password and SPN using setspn -q http/<host> (does it return the right account?) and runas /user:<account>@DOMAIN cmd.exe - type in the password you use to set up SPNego; does it work?
Cheers
Carsten
Yasin,
I think you might have some misconfiguration in your Authentication Stack Login Modules setup. This is how we have ours, and you'll note some differences that I believe are important:
You also didn't talk about how you setup the SPN for your service user, so it's quite possible that you have a misconfiguration there.
Not to toot my own horn, but you may get some points from an old blog post on this subject I wrote a few years ago. Granted, at the time I was describing setting up SPNego for a 7.01 portal, but most of the procedure hasn't changed in 7.5 (which is what we are using today, and yes, we do now have AES encryption working, where before it was only RC4).
https://blogs.sap.com/2016/02/08/single-sign-on-for-java/
Cheers,
Matt
Dear Yasin,
Please check the KBA for a solution:
1568553 - Checksum error, Spnego add-on
You can get hints for solution.
Best Regards,
Barnabás Paksi
Hi Yasin, I would recommend the Guided Answers for Authentication issues to you.
In your case it recommends to renew the keytab.
Cheers, Lutz
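Carsten's advice to read the ticket's encryption type from klist and Lutz's advice to renew the keytab point at the same root cause: the "Checksum error" in AesCrypto.decrypt means the key AS Java took from the keytab is not the key the KDC encrypted the service ticket with (wrong SPN, wrong encryption type, or a key version that is stale because the account password changed after the keytab was exported). The script below is an added example, not code from this thread or from SAP: it parses a keytab in the common 0x0502 format, reads the ticket's encryption type from Windows klist output, and reports which of those mismatches applies. The keytab bytes, the klist text, the principal names and the realm EXAMPLE.LOCAL are constructed sample data.

```python
"""Diagnose a SPNEGO 'Checksum error' from a keytab and a Windows klist dump.

Added example (not code from this thread or from SAP): AS Java can only decrypt the
service ticket if the keytab holds a key for the same SPN, the same key version (kvno)
and the same encryption type the KDC used when it issued the ticket. This script lists
the keytab's keys, reads the ticket's encryption type from `klist`, and reports the
mismatch. The keytab bytes and klist text below are constructed sample data.
"""
import re
import struct

# Kerberos etype numbers (RFC 3961 / RFC 4757) with the names Windows klist prints.
ETYPE_NAMES = {17: "AES-128-CTS-HMAC-SHA1-96", 18: "AES-256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}

def _counted_string(buf, pos):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse a keytab in the common 0x0502 format into a list of key entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        e, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack(">H", e[p:p + 2]); p += 2
        realm, p = _counted_string(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted_string(e, p)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        etype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen   # skip the key bytes
        kvno = vno8
        if p + 4 <= len(e):                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", e[p:p + 4])
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "etype_name": ETYPE_NAMES.get(etype, f"etype {etype}")})
    return entries

def build_keytab(entries):
    """Build a 0x0502 keytab from (realm, components, kvno, etype, key) tuples (sample data only)."""
    out = b"\x05\x02"
    for realm, comps, kvno, etype, key in entries:
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)         # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_klist(text):
    """Map 'service@REALM' -> encryption type name from Windows `klist` output."""
    tickets, server = {}, None
    for line in text.splitlines():
        m = re.search(r"Server:\s*(\S+)\s*@\s*(\S+)", line)
        if m:
            server = f"{m.group(1)}@{m.group(2)}"
            continue
        m = re.search(r"KerbTicket Encryption Type:\s*(\S+)", line)
        if m and server:
            tickets[server], server = m.group(1), None
    return tickets

def diagnose(keytab_entries, tickets, spn):
    """Return (status, detail) explaining whether the server can decrypt the ticket for spn."""
    ticket_etype = next((v for k, v in tickets.items() if k.lower() == spn.lower()), None)
    if ticket_etype is None:
        return "no_ticket", f"klist holds no ticket for {spn}: the browser never requested it (SPN/URL mismatch?)"
    keys = [e for e in keytab_entries if e["principal"].lower() == spn.lower()]
    if not keys:
        return "no_key", f"keytab has no key for {spn}: check setspn -q and export the keytab again"
    if not any(e["etype_name"] == ticket_etype for e in keys):
        have = ", ".join(sorted({e["etype_name"] for e in keys}))
        return "etype_mismatch", f"ticket uses {ticket_etype} but the keytab only has {have}"
    kvnos = sorted({e["kvno"] for e in keys})
    return "key_present", (f"matching {ticket_etype} key present (kvno {kvnos}); if the error persists, "
                           "the account password changed after export, so renew the keytab")

# Constructed sample: the AD account was enabled for AES, but the keytab still carries an RC4 key.
SAMPLE_KEYTAB = build_keytab([("EXAMPLE.LOCAL", ["HTTP", "portal.example.local"], 3, 23, bytes(16))])
SAMPLE_KLIST = """\
#1>     Client: user01 @ EXAMPLE.LOCAL
        Server: HTTP/portal.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(diagnose(parse_keytab(SAMPLE_KEYTAB), parse_klist(SAMPLE_KLIST),
                   "HTTP/portal.example.local@EXAMPLE.LOCAL"))
```

Run it against a real keytab by replacing SAMPLE_KEYTAB with the file's bytes and SAMPLE_KLIST with the pasted klist output of the test client; the "etype_mismatch" and "no_key" results are fixable by re-exporting the keytab with the right encryption type and SPN, while "key_present" with a persisting error almost always means the key version is stale, which is exactly the "renew the keytab" recommendation.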