on 2008 Jan 22 11:48 AM
Hi,
I have configured SPNego and restarted j2ee, but I am still getting the logon page for the portal. This was the error that I got in the trace file.
Acquiring credentials for realm <REALM NAME >failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
Is it a problem with the keytab file which was generated?
Any help would be most appreciated.
Rgrds
Hi Vineeth,
Kindly go through this SAP Note, hope you have followed every step mentioned in it:
[SAP NOTE 994791|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=994791&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede]
Also this thread deals with a similar issue -
Hope this helps,
Reward points if helpful
Regards,
Shailesh Nagar
Hi,
Thanks for your response, but I have done manual configuration according to the SAP documentation instead of the wizard. I had also gone through the link, but is it the problem with the keytab file itself? Is there any way of verifying the same? I had already run the klist command and it showed two entries which should be proper.
Could someone clarify if the key type and KV no have anything to do with this?
Rgrds
Holger,
The entry for the SPNego login module is also the same as previous. Hope the order of attributes in the module is irrelevant to the issue.
Is there any way to verify the keytab file?
When I run the klist command, it gives 2 entries with details for kvno and keytype as follows:
1) KVNO: 1, keytype: 3
2) KVNO: 3, keytype: 3
Also, could it be a problem with the service user?
Thanks for your help on this.
Rgrds
Holger,
I had checked with the command as suggested, but even that gives 2 entries as I had got earlier, one for host and one for http.
Both service principals also are fine here.
Would I need to check the service user too?
I was checking the SPNego Login module in user management->security stores and found it had no entries at all.
But there are entries for the SPNego Login module in the policy configuration. Will this suffice, or should there be entries in the security stores too?
Thanks again.
Rgds
Hi,
The keytab file you created depends on the service user. So whatever SPNs you have defined for this user will also appear in the keytab file.
How did you configure SPNego? Did you follow the guide [here|http://help.sap.com/saphelp_nw70/helpdata/en/43/49a22dfd975f89e10000000a1553f6/frameset.htm]? Then you should have some settings for the SPNego module (please take a look [here|http://help.sap.com/saphelp_nw70/helpdata/en/43/4bf48061215f6be10000000a1553f6/frameset.htm]).
I really would recommend using the Wizard if possible.
Regards,
Holger.
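An added example, not part of any post in this thread and not SAP's code: a way to verify which principals, KVNOs and key types a keytab actually holds, and whether the principal the acceptor needs is among them. It assumes the keytab generated by ktpass is in MIT format version 0x0502, compares names exactly because Kerberos principal names are case-sensitive, and uses a constructed sample (made-up host name, all-zero keys) in place of a real file.

```python
import struct

def counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT-format keytab, version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        ncomp, off, names = struct.unpack_from(">H", rec, 0)[0], 2, []
        for _ in range(ncomp + 1):          # realm first, then the name components
            text, off = counted(rec, off)
            names.append(text)
        _ntype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                    # fixed fields (13 bytes) plus the key itself
        if len(rec) - off >= 4:             # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def check_spn(entries, wanted):
    """Return 'ok', 'case-mismatch' or 'missing' for the principal the acceptor needs."""
    if any(p == wanted for p, _, _ in entries):
        return "ok"
    near = any(p.lower() == wanted.lower() for p, _, _ in entries)
    return "case-mismatch" if near else "missing"

def sample_entry(principal, kvno, etype, key):  # only builds the constructed sample
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(
        struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: made-up host name, all-zero keys; keytype 3 is des-cbc-md5.
SAMPLE = (b"\x05\x02" + sample_entry("host/PortalHost.domain.dom@DOMAIN.DOM", 1, 3, bytes(8))
          + sample_entry("HTTP/PortalHost.domain.dom@DOMAIN.DOM", 3, 3, bytes(8)))

if __name__ == "__main__":
    print(parse_keytab(SAMPLE), check_spn(parse_keytab(SAMPLE), "HTTP/portalhost.domain.dom@DOMAIN.DOM"))
```

For a real file, pass the bytes read from the keytab to `parse_keytab` and the exact service principal the login module is configured with to `check_spn`.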
Hi Holger,
This is from the trace,
com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####84c3b210c97011dca9d60002a54ea95e#SAPEngine_Application_Thread[impl:3]_4##0#0#Error##Java###Acquiring credentials for realm <REALM Name> failed
#GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:
The problem seems to be in the SPNegoLogin module.
Is it OK if I delete the module and again add a new one with the attributes and add that to the policy configuration?
I had earlier followed the link which you had sent itself.
The very same configuration worked for us on a different server. That is why I am confused about this one.
Thanks for being patient about this.
Rgds
Hi,
When running the ktpass command for host and HTTP we specify the j2ee server name. Is this also case sensitive?
Because we normally access the portal using the URL <portalname:port no>, but now the computer name (the j2ee server name, which is the portalname in the URL) seems to be a mixture of both lower and upper case, which I could make out now.
Could this be a problem? Sorry if this sounds confusing.
I frankly can't think of anything else.
Rgds
Holger,
Sorry, I was not able to retrieve the whole log from the server, but managed to get the SPNego error in the log.
Hope this would provide some clue.
com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####4887a8f0c9c611dca0c10002a54ea95e#SAPEngine_Application_Thread[impl:3]_22##0#0#Error##Java###Acquiring credentials for realm DOMAIN.DOM failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:82)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
    at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
I will try to get the log in the meantime.
Thank you
Rgds
Hi,
please take a look at Note 1130190 - SPNego fails with "Failed to find any Kerberos Key".
This will hopefully help!
Regards,
Holger.