SPNego Suddenly Stops Working

Hi,

I have an issue with SSO in an SAP Portal and Windows AD environment. It had been working for the last 8-9 months; suddenly users are getting the login screen. When I use Diagtool I get the messages below. My Windows team says they have no issue on the Wintel DC end, and from the UNIX side we are also able to execute the commands below successfully.

  1. /usr/bin/kinit -V -k HTTP/xxxeppdbci.xxx.comXXXXX.XXXIS.COM

Authenticated to Kerberos v5

13:17:30:618 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

13:17:30:628 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): XYZAB.XXXIS.COM

13:17:30:629 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): HTTP

13:17:30:629 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTabInputStream, readName(): XXXabcdbci.XXX.com

13:17:30:631 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KeyTab: load() entry length: 66; type: 3

13:17:30:632 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out principal's key obtained from the keytab

13:17:30:632 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Acquire TGT using AS Exchange

13:17:30:636 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq calling createMessage

13:17:30:637 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq in createMessage

13:17:30:641 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq etypes are: 1

>>> KrbKdcReq send: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000, number of retries =3, #bytes=161

13:17:30:793 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCCommunication: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000,Attempt =1, #bytes=161

13:17:30:944 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=193

13:17:30:944 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=193

13:17:30:946 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCRep: init() encoding tag is 126 req type is 11

13:17:30:948 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>KRBError:

13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out sTime is Sat Mar 05 13:17:30 PST 2011 1299359850000

13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out suSec is 418970

13:17:30:949 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out error code is 25

13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out error Message is Additional pre-authentication required

13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out realm is XYZAB.XXXIS.COM

13:17:30:950 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out sname is krbtgt/XYZAB.XXXIS.COM

13:17:30:951 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out eData provided.

13:17:30:951 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:

13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 11

13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-ETYPE-INFO etype = 1

13:17:30:952 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:

13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 2

13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-ENC-TIMESTAMP

13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>Pre-Authentication Data:

13:17:30:953 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out PA-DATA type = 15

13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ

13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Updated salt from pre-auth = XYZAB.XXXIS.COMHTTPXXXabcdbci.XXX.com

13:17:30:954 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>KrbAsReq salt is XYZAB.XXXIS.COMHTTPXXXabcdbci.XXX.com

13:17:30:956 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

13:17:30:960 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq calling createMessage

13:17:30:960 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq in createMessage

13:17:30:961 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsReq etypes are: 1

>>> KrbKdcReq send: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000, number of retries =3, #bytes=248

13:17:30:961 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KDCCommunication: kdc=ukldn001.XYZAB.XXXis.com UDP:88, timeout=30000,Attempt =1, #bytes=248

13:17:31:364 Info Guest ~ngine_Application_Thread[impl:3]_Group] ~ap.engine.services.security.roles.audit ACCESS.OK: Authorization check for caller assignment to J2EE security role [SAP-J2EE-Engine : guests].

13:17:31:479 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=1367

13:17:31:479 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbKdcReq send: #bytes read=1367

13:17:31:481 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType

13:17:31:484 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>crc32: b7fff843

13:17:31:484 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>>crc32: 10110111111111111111100001000011

13:17:31:487 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out >>> KrbAsRep cons in KrbAsReq.getReply HTTP/XXXabcdbci.XXX.com

13:17:31:492 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Added server's keyKerberos Principal HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=

0000: 64 C7 85 52 86 6E 8A 68

13:17:31:493 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out [Krb5LoginModule] added Krb5Principal HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM to Subject

13:17:31:493 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Commit Succeeded

13:17:31:494 Info Guest ~ngine_Application_Thread[impl:3]_Group] ~es.security.authentication.logincontext LOGIN.OK

User: HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM

Authentication Stack: com.sun.security.jgss.accept

Login Module Flag Initialize Login Commit Abort Details

1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok true true

#1 debug = true

#2 doNotPrompt = true

#3 principal = HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM

#4 refreshKrb5Config = true

#5 storeKey = true

#6 useKeyTab = true

#7 useTicketCache = false

Central Checks true

13:17:31:495 Info Guest ~ngine_Application_Thread[impl:3]_Group] System.out Found key for HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM

13:17:31:496 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.spnego.SPNegoLoginModule Credentials for realm XYZAB.XXXIS.COM successfully acquired: HTTP/XXXabcdbci.XXX.com#XYZAB.XXXIS.COM

13:17:31:497 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.spnego.SPNegoLoginModule Access Denied - responseHeader is NULL

13:17:31:498 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.

13:17:31:499 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~.ticket.CreateTicketLoginModule.login() Entering method

13:17:31:499 Info Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.

13:17:31:499 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false

13:17:31:500 Debug Guest SAPEngine_Application_Thread[impl:3]_11 ~on.loginmodule.BasicPasswordLoginModule No user name provided.

13:17:31:500 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~.ticket.CreateTicketLoginModule.login() Entering method

13:17:31:500 Info Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.

13:17:31:501 Path Guest SAPEngine_Application_Thread[impl:3]_11 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false

Accepted Solutions (0)

Answers (1)

ImtiazKaredia
Active Contributor
0 Kudos

Has the user used for SPNego expired, or has its password been changed?

Has the Windows AD domain been changed, or has Windows AD been upgraded to a newer version?

You can rerun the SPNego configuration and see if it corrects the problem. You may even reload the SPNego datasource configuration file.

Check the blog below:

/people/holger.bruchelt/blog/2008/01/09/configuring-and-troubleshooting-spnego--part-1
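
A triage pass over a trace like the one in the question, as an added example that is not part of the original thread or of SAP's tooling: it reports which encryption types the login used, whether any KDC error other than the normal pre-authentication round trip occurred, which stage failed, and whether the trace printed key bytes. The function name, the result fields and the abridged sample lines are constructed for illustration.

```python
import re

# Kerberos etype numbers: 1 and 3 per RFC 3961, 17/18 per RFC 3962, 23 per RFC 4757.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3}            # single DES, deprecated by RFC 6649
PREAUTH_REQUIRED = 25    # KDC_ERR_PREAUTH_REQUIRED (RFC 4120)

# Constructed sample: abridged lines in the format of the trace in the question.
SAMPLE = """\
13:17:30:641 Info Guest Thread_1 System.out >>> KrbAsReq etypes are: 1
13:17:30:949 Info Guest Thread_1 System.out error code is 25
13:17:30:954 Info Guest Thread_1 System.out AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
13:17:31:492 Info Guest Thread_1 System.out Added server's key ... keyType=3 keyBytes (hex dump)=
13:17:31:493 Info Guest Thread_1 System.out Commit Succeeded
13:17:31:497 Debug Guest Thread_1 SPNegoLoginModule Access Denied - responseHeader is NULL
"""

def triage(log: str) -> dict:
    """Summarise a Krb5LoginModule/SPNego debug trace (hypothetical helper)."""
    etypes, errors = set(), []
    retried = login_ok = key_logged = False
    denied = None
    for line in log.splitlines():
        if m := re.search(r"etypes are: ([\d ,]+)", line):
            etypes.update(int(n) for n in re.findall(r"\d+", m.group(1)))
        if m := re.search(r"keyType=(\d+)", line):
            etypes.add(int(m.group(1)))
        if m := re.search(r"error code is (\d+)", line):
            errors.append(int(m.group(1)))
        if m := re.search(r"Access Denied - (.+)", line):
            denied = m.group(1).strip()
        retried |= "re-send AS-REQ" in line
        login_ok |= "Commit Succeeded" in line
        key_logged |= "keyBytes (hex dump)" in line   # debug output exposes the key
    # Error 25 followed by a re-sent AS-REQ is the normal pre-auth round trip.
    real_errors = [e for e in errors if not (e == PREAUTH_REQUIRED and retried)]
    if not login_ok:
        stage = "keytab login / AS exchange"
    elif denied:
        stage = "SPNego token handling"
    else:
        stage = None
    return {"weak_etypes": sorted(ETYPES.get(e, str(e)) for e in etypes & WEAK),
            "kdc_errors": real_errors, "failing_stage": stage,
            "spnego_reason": denied, "key_material_logged": key_logged}

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```

With `debug = true` the login module prints the service key bytes, so once a trace has been shared outside the team the keytab should be regenerated.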