Channel: SCN: Message List - SAP Single Sign-On

SSO 2.0 SP04 Assistance


Dear Guru,

 

We have been trying to configure Secure Login Client (SSO 2.0 SP04).

 

Upon installation of the Secure Login Client, we were able to acquire Kerberos Tokens, but none for SPNEGO (X.509 Certificates). We have been getting errors like "Supplied credentials not accepted by server".

 

Installation Reference: scn.sap.com/docs/DOC-40179

 

The issue was encountered during phase 3 of the reference. We followed the instructions to a T, and got lost due to some SP differences. We did, however, manage to extract the Root CA and Registry Entries.

 

Any thoughts or advice on where to check? Thank you.

Regards,

Tom


Re: SSO 2.0 SP04 Assistance


Hello,

1. Check the SLC and SLS trace files (after reproducing the issue). If you can't identify the root cause, you can attach the logs here.

2. Which version of NWSSO are you currently using (SP and PL of SLC and SLS)?

3. Which Login Module are you using?

4. In your client profile configuration in SLS, please check:
a. Which value the parameter PSE Type has;
b. Which value the parameter Auto-Enroll has;

Cheers,

Tapan

Re: SSO 2.0 SP04 Assistance


Hello,

 

This type of error is typically a misconfiguration in the domain setup.

Please check with tools like setspn -q and klist:

1. The service principal name has the correct format, like HTTP/<Service Principal name>.

2. The SPNEGO configuration in AS Java is enabled and valid (and with the correct password).

3. There are no duplicate Service Principal Name entries in the Domain Controller. Check that with setspn -q <service principal name> on the Domain Controller itself.

Also, a Secure Login Client trace and an AS Java trace (troubleshooting wizard) can help to identify the problem.

best regards

Alexander Gimbel
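As an added illustration of the checks in the reply above (this is not code from the thread or from SAP): the script below takes the output of `setspn -Q HTTP/<host>` as text, maps every SPN to the accounts that carry it, flags SPNs registered on more than one account, checks that each SPN is in the `HTTP/<host>` form, and confirms that the fully qualified `HTTP/<host>` SPN the Secure Login Client will request is present at all. The sample `setspn` output is constructed to look like the real tool's output; the account names and OU paths in it are invented, and the host name is the one from the posted traces.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -Q HTTP/sapsecu01.maynilad.com.ph` output, written
# in the shape the real tool prints; it is NOT copied from the thread. Two accounts
# carry the same SPN, which is exactly the duplicate case the post asks to rule out.
SAMPLE_SETSPN_OUTPUT = """\
Checking domain DC=maynilad,DC=com,DC=ph
CN=svc-sapsso,OU=Service Accounts,DC=maynilad,DC=com,DC=ph
\tHTTP/sapsecu01.maynilad.com.ph
\tHTTP/sapsecu01
CN=SAPSECU01,OU=Servers,DC=maynilad,DC=com,DC=ph
\thttp/SAPSECU01.maynilad.com.ph

Existing SPN found!
"""

# service/host[:port][/instance]; the host is a single DNS label or an FQDN.
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^\s/]+))?$"
)


def parse_setspn_output(text):
    """Map each SPN to the account DNs that carry it, from setspn -Q style output.

    SPNs are folded to lower case because Active Directory compares them
    case-insensitively, so HTTP/host on one account and http/HOST on another collide.
    """
    owners = defaultdict(list)
    account = None
    for line in text.splitlines():
        if line.startswith("CN="):
            account = line.strip()          # an account DN introduces its SPN list
        elif line[:1] in ("\t", " ") and account:
            spn = line.strip()
            if spn:
                owners[spn.lower()].append(account)
    return dict(owners)


def validate_spn(spn, expected_service="HTTP"):
    """Return (ok, reason): is this the service/host form with the HTTP service class?"""
    m = SPN_RE.match(spn)
    if not m:
        return False, "not in service/host form"
    if m.group("service").upper() != expected_service.upper():
        return False, f"service class is {m.group('service')!r}, expected {expected_service!r}"
    return True, "ok"


def find_duplicate_spns(owners):
    """SPNs registered on more than one account. The KDC's lookup is then ambiguous
    and it will not issue a usable service ticket, so the client never gets a
    ticket for the SLS, which is the client-side failure the reply describes."""
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


def spn_report(text, expected_host):
    """One-shot summary: duplicates, per-SPN format result, and whether the
    HTTP/<fully qualified host> SPN the client will ask for is registered at all."""
    owners = parse_setspn_output(text)
    return {
        "duplicates": find_duplicate_spns(owners),
        "format": {spn: validate_spn(spn) for spn in owners},
        "expected_present": f"http/{expected_host.lower()}" in owners,
    }


if __name__ == "__main__":
    report = spn_report(SAMPLE_SETSPN_OUTPUT, "sapsecu01.maynilad.com.ph")
    for spn, accts in report["duplicates"].items():
        print(f"DUPLICATE {spn}: {', '.join(accts)}")
    for spn, (ok, reason) in report["format"].items():
        print(f"{'OK ' if ok else 'BAD'} {spn}: {reason}")
    print("expected SPN present:", report["expected_present"])
```

On a domain controller the text would come from `setspn -Q HTTP/sapsecu01.maynilad.com.ph` (or `setspn -X` for a forest-wide duplicate search); the parser only needs the account DN lines and the indented SPN lines under them.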

Re: SSO 2.0 SP04 Assistance


Hi Tapan,

Thank you for the response.

(1) Below are the entries (complete) from the SLC trace file.

 

 

----------------------------------------------------------------------------

Version      : 8.4.30 (Sep 25 2014)

System       : "windows-x86-32"

InstDir      : "C:\Program Files\SAP\FrontEnd\SecureLogin\lib"

Trace file   : "C:\Users\tgng\AppData\Local\SAP\SecureLogin\Traces\sec-03548.trc"

Trace level  : 3

Process id   : 3548

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2014.11.26 09:37:14.498000][INFO ][sbus.exe            ][sbusslogin.d][  5976] Generate RSA Key with keysize 2048

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][sbusslogin.d][  5888] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b649-c00487122cf4

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:40:04.452000][INFO ][sbus.exe            ][sbusslogin.d][  5800] Generate RSA Key with keysize 2048

[2014.11.26 09:40:04.493000][INFO ][sbus.exe            ][sbusslogin.d][  3536] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b649-c00487122cf4

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Successfully connected to

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

(2) NWSSO 2.0 SP04

(3) I have not followed any instructions with regard to configuring the Login Modules. Can you please elaborate on this? If you are referring to the user authentication of the Secure Login Client authentication profile for SPNEGO, the policy configuration is SecureLoginDefaultPolicyConfigurationSPNEGO.

(4) Below are the values applied to the registry based on the client profile configuration:

(a) pseType - windowslogin

(b) AutoEnroll - 1

Thank you.

Regards,

Tom

Re: SSO 2.0 SP04 Assistance


Hi Alexander,

Thank you for the response.

We already double checked the following:

(1) SPN format is correct

(2) SPNEGO configuration is green

(3) No duplicate SPN

As for the trace file, we noticed that the connection to the SLS was successfully established, and it seems that the only problem is that the credentials being supplied by the client are incorrect. Hence the error "Supplied credentials not accepted by server".

----------------------------------------------------------------------------

Version      : 8.4.30 (Sep 25 2014)

System       : "windows-x86-32"

InstDir      : "C:\Program Files\SAP\FrontEnd\SecureLogin\lib"

Trace file   : "C:\Users\tgng\AppData\Local\SAP\SecureLogin\Traces\sec-03548.trc"

Trace level  : 3

Process id   : 3548

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2014.11.26 09:37:14.498000][INFO ][sbus.exe            ][sbusslogin.d][  5976] Generate RSA Key with keysize 2048

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][sbusslogin.d][  5888] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b649-c00487122cf4

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:14.530000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Successfully connected to

[2014.11.26 09:37:28.367000][INFO ][sbus.exe            ][URL         ][  5888] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 09:40:04.452000][INFO ][sbus.exe            ][sbusslogin.d][  5800] Generate RSA Key with keysize 2048

[2014.11.26 09:40:04.493000][INFO ][sbus.exe            ][sbusslogin.d][  3536] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b649-c00487122cf4

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Successfully connected to

[2014.11.26 09:40:04.504000][INFO ][sbus.exe            ][URL         ][  3536] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

Regards,

Tom

Re: SSO 2.0 SP04 Assistance


Hello,

Unfortunately, the trace is too short and does not contain the Kerberos request.
I want to see whether the client gets a Kerberos ticket or not for the given service.

Could you please make a developer trace (Developer trace level) of one enroll and attach that file here?

Also, a troubleshooting wizard trace from the server side (ideally also of one enroll) can show whether the AS Java and the Domain Controller are correctly configured.

Thanks.

best regards

Alexander Gimbel

Re: SSO 2.0 SP04 Assistance


Hi Alexander,

Thank you for the tip; please see the developer trace below. It seems to be looking for a base.xml, which I confirmed is really missing. Please advise. Thank you.

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] CToken:: Secure Login token [toksw:mem://securelogin/Windows Authentication (SPNEGO)] :: login

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][IO          ][  2720] BEGIN: io_file_type (C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml)

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][IO          ][  2720] END  : io_file_type

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][LOADER      ][  2720] Loading config file 'base.xml' failed because file not existing in path 'C:\Program Files\SAP\FrontEnd\SecureLogin\etc\base.xml'

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::create_PSE

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::SetASC

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: NewPinType: password

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: gracePeriod: 0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: inactivityTimeout: 0

[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Ctoken_SL: ReAuthentication: 0

[2014.11.26 15:41:11.053000][INFO ][sbus.exe            ][sbusslogin.d][  1552] Generate RSA Key with keysize 2048

[2014.11.26 15:41:11.084000][TRACE][sbus.exe            ][sbusresloade][  2720] { GetLocale

[2014.11.26 15:41:11.084000][TRACE][sbus.exe            ][sbusresloade][  2720] }        0

[2014.11.26 15:41:11.084000][INFO ][sbus.exe            ][sbusslogin.d][  2720] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b649-c00487122cf4

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::loginBySystemParameters

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::needRealPSE

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } 80004001

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } a1e00015

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::getAllTrustedCerts

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::needRealPSE

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } 80004001

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::getAllTrustedCerts

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::getTrustedCertList

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::Refresh

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTrust::InitProviders

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        1

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        1

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::getOwnCertificate

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { SBUSPSE::needRealPSE

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] } 80004001

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] { CTokenMgr::GetPCI

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] m_apTokens[0]->GetPCI()

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbus.dll    ][  2720] }        0

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbusslogin.d][  2720] { CSecureLogin_Protocol_2_0::Send_Init

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbusslogin.d][  2720] { CSecureLogin::Send_Any

[2014.11.26 15:41:11.099000][INFO ][sbus.exe            ][URL         ][  2720] Successfully connected to

[2014.11.26 15:41:11.099000][INFO ][sbus.exe            ][URL         ][  2720] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] Family: AF_INET (IPv4)

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] Inner family: AF_INET (IPv4)

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] Protocol: 6

[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][URL         ][  2720] SockType: 1

[2014.11.26 15:41:11.115000][TRACE][sbus.exe            ][sbusslogin.d][  2720] }        0

[2014.11.26 15:41:11.115000][TRACE][sbus.exe            ][sbusslogin.d][  2720] }        0

[2014.11.26 15:41:11.979000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Supplied credentials not accepted by the server.Enrollment failed

Regards,

Tom

Unable to Start Up ABAP Instance due to snc/enable=1


Hi All,

I'm having an issue starting my ABAP instance due to a tryout of SSO.

The error is as follows:

[attached screenshot: ERROR SSO.JPG]

How do I configure this credential SAPKerberosABC in my ABAP instance?

My environment is ECC6 EHP7; the steps that I did are as follows:

1. copied gx64krb5.dll to the system32 folder (note 353395)

2. created a username in my AD that accepts Kerberos, e.g. SAPKerberosABC

3. set the profile

snc/enable = 1

snc/gssapi_lib = c:\Windows\System32\gx64krb5.dll

Now I need to manually disable snc/enable from the work directory in order to start up the ABAP instance.

Any clue on how to configure SSO?

Thank you,

Regards,

Ura


Re: Unable to Start Up ABAP Instance due to snc/enable=1


Hi Ura,

To disable the parameter (snc/enable = 0), search in the profile at OS level and change the value from 1 to 0. Share the results after re-checking, if any.

Regards,

Gaurav

Re: SSO 2.0 SP04 Assistance


Hello,

You can check SAP Note:

1996839 - Configuration Files for SNC on CommonCryptoLib

Cheers,

Tapan

Re: Unable to Start Up ABAP Instance due to snc/enable=1



Hi Ura,

Hope you are doing well.

I think I know what the issue is. Are you using SSO encryption? If not, could you please set the parameter snc/data_protection/min to 1 and see if the issue persists? Check SAP Notes 150380 and 352295 for the implementation of SSO using Kerberos on Microsoft Windows OS.

____________

Kind Regards,

Hemanth

SAP AGS

Re: SSO 2.0 SP04 Assistance


Hello,

Please ignore the missing base.xml/pkcs11.xml files in the trace.
This is a false positive (they're not needed); the Secure Login Client installation is fine and complete.

The SAP note is for a CommonCryptoLib installation on an ABAP server.

What I still do not see in the traces is the Secure Login Client trying to get a Kerberos ticket for the SPN.
Could you please search for a line like "got kerberos ticket for 'HTTP/<SPN>" in the traces?

If this is not present, then the client will not get a Kerberos ticket, and there are several possible root causes for that:

- The client is in the wrong domain (use the klist command and check for tickets)

- The SPN is duplicated on the domain server (two service users have defined the same SPN)

But you have already checked that.
Could you please provide server traces (troubleshooting wizard) and attach them here?

best regards

Alexander Gimbel

Re: SSO 2.0 SP04 Assistance


Hi Alexander,

As seen in the logs, I am getting lines such as "got kerberos ticket for 'HTTP/sapsecu01.maynilad.com.ph" in the traces. I have also checked for duplicate SPNs, but there are none, and the client is in the correct domain.

Please check the attachment for the latest log that I have. Thank you.

Regards,

Tom

Re: SSO 2.0 SP04 Assistance


Hello,

This means that the AS Java cannot verify the SPNEGO token sent by the client.

Please check the SPNEGO configuration.

You can use the troubleshooting wizard to get a clue about what is going wrong.

1. Open the Administrator UI on AS Java.

2. Go to Troubleshooting / Logs and Traces.

3. Open the Security Troubleshooting Wizard.

4. Start the diagnostic in Authentication mode (default).

5. Enroll with the client.

6. Stop the diagnostic.

7. Look into the collected traces and search for exceptions.

Possible pitfalls:

- SPNEGO realm not enabled

- Wrong REALM name

- Wrong password of the service user entered

- Check the mapping mode; if you do not use the virtual user feature, check that the user exists in the UME.

best regards

Alexander Gimbel
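The two replies above split the failure by a single marker in the Secure Login Client trace: no "got kerberos ticket for" line means the client side (domain membership, SPN format, duplicate SPNs) is at fault; a ticket followed by "Supplied credentials not accepted" means AS Java could not verify the SPNEGO token (SPNEGO realm, service user password, user mapping). The script below, an added example that is not code from the thread or from SAP, parses trace lines in the format posted in this thread and returns that verdict. The sample trace is constructed from the line shapes shown in the thread; the module column of the "got kerberos ticket" line is an assumption. It also reports whether the enrollment URL is plain http://, as it is in the posted traces; the thread does not discuss that, so treat it only as a prompt to confirm the transport is intended.

```python
import re

# Constructed trace excerpt in the Secure Login Client trace format the thread shows.
# The "got kerberos ticket for" line is the marker Alexander asks to search for; its
# module column here is an assumption, and the line is not copied from Tom's traces.
SAMPLE_TRACE = """\
[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][sbus.dll    ][  2720] CToken:: Secure Login token [toksw:mem://securelogin/Windows Authentication (SPNEGO)] :: login
[2014.11.26 15:41:11.053000][TRACE][sbus.exe            ][LOADER      ][  2720] Loading config file 'base.xml' failed because file not existing in path 'C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\etc\\base.xml'
[2014.11.26 15:41:11.053000][INFO ][sbus.exe            ][sbusslogin.d][  1552] Generate RSA Key with keysize 2048
[2014.11.26 15:41:11.084000][INFO ][sbus.exe            ][sbusslogin.d][  2720] Try to enroll SLS URL: http://sapsecu01.maynilad.com.ph:50000/SecureLoginServer/slc2/doLogin?profile=b4a99c34-7d7c-403c-b649-c00487122cf4
[2014.11.26 15:41:11.099000][TRACE][sbus.exe            ][sbusslogin.d][  2720] got kerberos ticket for 'HTTP/sapsecu01.maynilad.com.ph'
[2014.11.26 15:41:11.099000][INFO ][sbus.exe            ][URL         ][  2720] Successfully connected to
[2014.11.26 15:41:11.099000][INFO ][sbus.exe            ][URL         ][  2720] Address 172.18.2.107 (sapsecu01.maynilad.com.ph)
[2014.11.26 15:41:11.979000][TRACE][sbus.exe            ][sbus.dll    ][  2720] Supplied credentials not accepted by the server.Enrollment failed
"""

# [timestamp][LEVEL][process][module][thread] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<proc>[^\]]+)\]"
    r"\[(?P<module>[^\]]+)\]\[\s*(?P<thr>\d+)\]\s(?P<msg>.*)$"
)
ENROLL_RE = re.compile(r"Try to enroll SLS URL: (?P<url>\S+)")
TICKET_RE = re.compile(r"got kerberos ticket for '(?P<spn>[^']+)'?", re.I)
REJECT_RE = re.compile(r"Supplied credentials not accepted", re.I)
MISSING_CFG_RE = re.compile(r"Loading config file '(?P<file>[^']+)' failed")


def parse_trace(text):
    """Split trace lines into their columns; lines in any other shape are ignored."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def triage(text):
    """Decide which side of the enrollment failed, following the thread's logic:
    no ticket -> client/domain side (klist, SPN format, duplicate SPNs);
    ticket but 'credentials not accepted' -> AS Java could not verify the SPNEGO
    token (SPNEGO realm, service user password, user mapping)."""
    r = {"enroll_url": None, "spn": None, "got_ticket": False,
         "rejected_by_server": False, "missing_config": [], "plain_http": False}
    for ev in parse_trace(text):
        msg = ev["msg"]
        m = ENROLL_RE.search(msg)
        if m:
            r["enroll_url"] = m.group("url")
            continue
        m = TICKET_RE.search(msg)
        if m:
            r["got_ticket"] = True
            r["spn"] = m.group("spn")
            continue
        if REJECT_RE.search(msg):
            r["rejected_by_server"] = True
            continue
        m = MISSING_CFG_RE.search(msg)
        if m:
            # informational only: base.xml/pkcs11.xml missing is a known false positive
            r["missing_config"].append(m.group("file"))
    r["plain_http"] = bool(r["enroll_url"]) and r["enroll_url"].lower().startswith("http://")
    if r["enroll_url"] is None:
        r["verdict"] = "no enrollment attempt in trace: raise the trace level and reproduce"
    elif not r["got_ticket"]:
        r["verdict"] = ("client obtained no Kerberos ticket: check domain membership (klist), "
                        "SPN format and duplicate SPNs (setspn)")
    elif r["rejected_by_server"]:
        r["verdict"] = ("client had a ticket but AS Java rejected the SPNEGO token: check the "
                        "SPNEGO realm, service user password and user mapping on the server")
    else:
        r["verdict"] = "ticket obtained and no rejection seen; enrollment appears to have completed"
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key:>19}: {value}")
```

Run it over the developer-level trace file (the default level 3 trace posted earlier does not carry the Kerberos lines, which is why the verdict for that one would be "no Kerberos ticket" rather than the server-side rejection).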


Re: Unable to Start Up ABAP Instance due to snc/enable=1


Did you set your SECUDIR environment variable to $(DIR_INSTANCE)/sec?

**If you are using SAP NW AS ABAP 7.0, you need to set the environment variable <SECUDIR> to $(DIR_INSTANCE)/sec. Otherwise SAP NW AS ABAP 7.0 does not start.

Regards,

Florence


Re: Unable to Start Up ABAP Instance due to snc/enable=1


Hi Ura,

The Server SNC Name you configured is: "p:CN=CN=SAP..."

Actually it should be "p:CN=SAP..."

You have one "CN=" too many.

KR

Valerie
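The start-up problem in this thread comes down to a few profile values that are easy to get wrong (snc/enable without the rest, a doubled "CN=" in the SNC name, SECUDIR not set). The linter below, added here as an example and not code from the thread or from SAP, parses an instance-profile excerpt and lists those findings. Both profile excerpts are constructed: the first deliberately repeats "CN=" and swaps the data-protection bounds, the second is the corrected version. The exact SNC name form depends on the SNC library in use (CommonCryptoLib uses "p:CN=...", the Microsoft Kerberos library does not), so the check only insists on the "p:" prefix and rejects the doubled "CN=".

```python
import re

# Constructed instance-profile excerpts, modelled on the parameters Ura posts
# (snc/enable, snc/gssapi_lib) and the SNC name Valerie corrects. Neither is a real
# profile from the thread; the "name = value" syntax with '#' comments is the usual
# SAP profile format. The first one carries the doubled "CN=" and swapped
# data-protection bounds on purpose.
BROKEN_PROFILE = """\
# SNC tryout
snc/enable = 1
snc/gssapi_lib = c:\\Windows\\System32\\gx64krb5.dll
snc/identity/as = p:CN=CN=SAPKerberosABC@MAYNILAD.COM.PH
snc/data_protection/min = 3
snc/data_protection/max = 2
"""

FIXED_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = c:\\Windows\\System32\\gx64krb5.dll
snc/identity/as = p:CN=SAPKerberosABC@MAYNILAD.COM.PH
snc/data_protection/min = 2
snc/data_protection/max = 3
"""

# Protection levels used when the parameters are absent: 1 = authentication only,
# 2 = integrity, 3 = privacy.
DEFAULT_MIN, DEFAULT_MAX = 2, 3


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def lint_snc(params, env=None):
    """Return the findings that would stop an SNC-enabled instance from starting
    or leave it with an SNC name the library will never match. `env` is the
    instance's environment; pass None to skip the SECUDIR check."""
    findings = []
    if params.get("snc/enable", "0") != "1":
        return findings                       # SNC off: nothing else is consulted
    for required in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(required):
            findings.append(f"{required} is missing while snc/enable = 1")
    name = params.get("snc/identity/as", "")
    if name:
        if not name.startswith("p:"):
            findings.append("snc/identity/as lacks the 'p:' printable-name prefix")
        if re.search(r"CN=\s*CN=", name, re.I):
            findings.append("snc/identity/as repeats 'CN=' (one 'CN=' too many)")
    try:
        dmin = int(params.get("snc/data_protection/min", DEFAULT_MIN))
        dmax = int(params.get("snc/data_protection/max", DEFAULT_MAX))
        if not (1 <= dmin <= 3 and 1 <= dmax <= 3):
            findings.append("snc/data_protection/* must be between 1 and 3")
        elif dmin > dmax:
            findings.append(f"snc/data_protection/min ({dmin}) exceeds max ({dmax})")
    except ValueError:
        findings.append("snc/data_protection/* values are not integers")
    if env is not None and not env.get("SECUDIR"):
        findings.append("SECUDIR is not set in the instance environment (PSE directory)")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        found = lint_snc(parse_profile(text), env={"SECUDIR": r"D:\usr\sap\ABC\DVEBMGS00\sec"})
        print(f"{label}: {found or 'no findings'}")
```

Feed it the instance profile (not the default profile alone) and the environment of the user the instance runs under, since that is where SECUDIR has to be visible.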

Re: SSO 2.0 SP04 Assistance


Hello,

In addition to capturing a Security Troubleshooting Wizard trace, also capture an HttpWatch trace.

Install the free Basic edition of HttpWatch, which can be downloaded from: http://www.httpwatch.com/download/.

Download the 9.x version.

This is for capturing traces. For reading them you need to download the paid Professional edition. If you don't have the paid version, you can upload the troubleshooting trace and the HttpWatch trace to the thread and I will check them for you.

Cheers,

Tapan

Is it possible to use SSO between web browser and ABAP without SSO 1 and sso 2 installed


Hello. Is it possible to use any of the SSO methods between a web browser (on a desktop or Android mobile device) and ABAP without the products SSO 1 and SSO 2 installed?

Re: SSO 2.0 SP04 Assistance


Hi Alexander,

I have already checked the pitfalls that you mentioned. Except for the last one: are you referring to the service user or a common user? (User mapping with mapping mode Principal and Realm, and source ADS Data Source.)

Also, I have done some troubleshooting of my own and found out that the error is encountered during the SPNegoLoginModule, where I have defined the option "com.sap.spnego.jgss.name" with the value of the domain "maynilad.com.ph".

Regards,

Tom

Re: SSO 2.0 SP04 Assistance


Hello,

If you have user mapping with mapping mode Principal and Realm, and source ADS Data Source, then each authenticating user must be a valid user in the UME. Have you bound the UME to the same AD?

If you have problems with that, then you will get a "BaseLoginException: Can not authenticate the user".

You can use the user mapping option Principal@Realm and Virtual User to solve that issue.

best regards

Alexander Gimbel
