SAP Network Blog: Configuring SPNego with ABAP datasource

Blogs

Configuring SPNego with ABAP datasource
Holger Bruchelt
Business Card
Company: SAP AG
Posted on Mar. 10, 2008 12:03 PM in ABAP, Application Server, Enterprise Portal (EP), SAP NetWeaver Platform

	Subscribe
	Print
	Permalink
	Share

After writing three blogs about configuring and troubleshooting SPNego (Part 1, Part 2 and Part 3) I got several questions about what steps are necessary to use SPNego if your J2EE Engine is connected to an ABAP backend.
In this blog I will try to explain just that.

In general the setup is similar to the one mentioned in the video for dataSourceConfiguration_DB attached to the SPNego Wizard.

As in "Configuring and troubleshooting SPNego -- Part 1" the first thing to do is to create a service user in the ADS (even if you are using the ABAP System as the userstore for the J2EE Engine, the ADS still plays an important part).

Create a user like j2ee-SID in the ADS and make sure that the settings
* Password never expires and
* Use DES encryption types for this account
are set. (in the following screenshots I will use j2ee-hbr as the service-user.)

Then run the setspn command to assign the ServicePrincipalName to the user. (this was the URL that you use to access the J2EE Engine -- all these steps are explained in detail in the first blog).

A short ldifde reveals some important parameters that we are going to use later:
sAMAccountName: j2ee-hbr
userPrincipalName: j2ee-hbr@dev16
servicePrincipalName: HTTP/vmw2153

Now, if not already done connect the J2EE to the ABAP System:

In the next screen I also used the user j2ee-hbr to connect the J2EE to the ABAP system (for this I had to created this user in the ABAP system as well). You could also use a service user as mentioned here (Requirements for the System User for UME-ABAP Communication and here Configuring the UME to Use an AS ABAP as Data Source)

Now start the configtool and add the krb5principalname as an additional ume attribute

After a restart this property will be available to all user objects in the UME. Search for your service user (j2ee-hbr, which will now be found in the ABAP system) and set the krb5principalname to the same name as the userPrincipalName of the ADS user (see above) [this can be a little confusing: you now have two users j2ee-hbr. One in the ADS and one in the ABAP system]

Now we can start the SPNego Wizard:

Make sure that krb5principalname is used for Mapping Attribute and continue:

In the next screen make sure that the KPN Prefix is set to uniquename (which is defined in the ABAP dataSourceConfiguration file.)

After testing the resolution mode continue with the next step. I always prefer to create a new template and assign this template later on to my ticket component:

That's it.

Restart the J2EE Engine and you should be done with the wizard.

Now the final step left is to assign the spnego template we created to the ticket component via the Visual Administrator:

That should be it!

Now you should be able to access the portal via SPNego. If it is not working, then please have a look at the previous blogs mentioned above...

Holger Bruchelt is part of the Solution Management team for Duet Enterprise. Before that he has been working in the Regional Implementation Group for Duet and Duet Enterprise and was a technical NetWeaver consultant since 2002.

Comment on this weblog

Showing messages 1 through 79 of 79.

Titles Only Main Topics Oldest First

Use of custom LDAP attribute when UME is ABAP
2012-01-11 07:25:17 Arran Dawkins Business Card [Reply]

Hi Holger,

Have been reviewing your blogs but cannot find any mention of my particular requirement.

Want to use SPNego where Portal UME is ABAP but AD and ABAP ID's are nto identical.

Have seen that mapping in J2EE or ABAP is possible but there is already a custom attribute in the AD that matches the ABAP ID, could the SPNego module be configured to read the custom attribute for UME lookup?

Thanks
Arran

Adding transport layer security to SPnego
2011-08-03 13:01:03 diego quintana Business Card [Reply]

Hi Holger,

Very helpful post!!

We are currently working in providing transport layer security (SSL) to Spnego. Is there any guide which describes the required steps to accomplish this?

Our UME use ABAP DB as a datasource btw.

Thanks in advance.

Regards

Problem - Realm in Upper case
2011-07-13 00:30:27 Ilgvars Lopatko Business Card [Reply]

Hi,

Thanks for very nice blog. I have very strange error during SPNego Wizard, I hope you have sonme ideas.
We have ABAP+Java System on one host - Unix (AIX). User Data source for Portal is ABAP.
We already configured Kerberos SSO to allow SAP Logon without password. SSO via SAP Logon Ticket between Portal ans ABAP is also already configured.
No I am trying to configure spnego for Portal Login.
Service user in ADS is created, I hope I can use one service user for ABAP part and Portal part.
Last 5th confirmation screen ands with error - "Failed to create keytab file". "Show Logs" button shows only one error -

Error saving SPNego configuration due to: java.lang.Exception: Realm must be in uppercase.

com.sap.engine.services.security.jmx.spnego.impl.SPNegoConfigurationManagerImpl
sap.com/tc~wd~dispwda

But Realm on this confirmation screen IS in uppercase. Do you have ideas where this realm can be written in wrong case? I didn't find any parameter in Config tool regarding realm name. Is it possible to manually run this command for creating keytab file?

Thanks,
Ilgvars

SAP Password expiry with SSO SPNego
2011-01-13 02:55:05 Phil Jones Business Card [Reply]

Hi Holger - firstly many many thanks for the SPNego blogs - extremely helpful.
I have configured a JAVA system (DP1) which already uses the UME on the associated ABAP system (D01)to use authenticcation from our ADS, as per you instructions and I can log on without entering id or password and see the kerberos ticket being issued and all works well.
The problem comes when the (ABAP\JAVA)user has to change their SAP password - then the standard Logon Credentials are requested, asking for the user to change their SAP password. I thought that the authentication came from the ADS and so the user would not be required to change their SAP password? Or have I configured something incorrectly?
FYI - I am using the new spnego2 wizard for the configuration and have configured the Mapping Mode with "principal only" as the user names are identical in ADS and SAP.
Regards
Phil
- SAP Password expiry with SSO SPNego
  2011-01-13 03:02:13 Holger Bruchelt Business Card [Reply]
  
  Hi,
  
  thanks!
  
  Can you take a look at the parameter ume.logon.force_password_change_on_sso (see http://help.sap.com/saphelp_nw70/helpdata/EN/52/4c6c3e58d0d064e10000000a114084/frameset.htm)
  If you set this to false users should not be required to change their password anymore.
  
  Regards,
  
  Holger.
  - SAP Password expiry with SSO SPNego
    2011-02-22 00:18:01 Phil Jones Business Card [Reply]
    
    Hi Holger,
    As you have been so helpfull previously I was hoping you could help with a new issue:
    We have just implemented SSO for our Portal (which is connected to the UME in the backend ABAP ECC system) using spnego2 wizard.
    We have a mixed client base with some PC's in the AD and some not in AD, so some PC's can use SSO to logon and some default to standard Portal logon.
    The PC's in the AD use SSO successfully and have no issues.
    The PC's NOT in the AD have no issues until their SAP password expires. When their SAP password expires, the logon fails but issues no
    message and does not ask for the password to be changed. Once the initial password is set (within the ECC system) they still cannot logon, as the logon does not ask them to change their
    password from this initial password.
    We have tried setting the "ume.logon.force_password_change_on_sso"
    to both false and true and it appears to make no difference to the logon on
    the non-AD PC's.
    How can we get the NON-AD (NON-SSO) clients to still recieve a password change request?
    Hope this makes sense and you can help,
    Regards,
    Phil Jones
  - SAP Password expiry with SSO SPNego
    2011-01-13 04:12:49 Phil Jones Business Card [Reply]
    
    Hi Holger - WOW, how quick was that!! That's it fixed, many thanks.
    One further question, if you don't mind - I was attempting to use the ?spnego=disabled switch after the url of the portal, in order to bring up the standard logon, but I can not get it to work on I.E.8, however it appears to work fine on Firefox3.6. Any idea what browser it was been tested on, or why it might not work on I.E.8?
    - SAP Password expiry with SSO SPNego
      2011-04-07 08:46:55 Moti Shaked Business Card [Reply]
      
      Hi Phil/Holdger
      what was the solutiojn for the password expire ? we have the same issue
      thanks,
      Moti
      - SAP Password expiry with SSO SPNego
        2011-04-11 00:50:59 Phil Jones Business Card [Reply]
        
        Hi Moti,
        
        if you are refering to the SAP password expiring when we expected the to use the ADS password, you need to set ume.logon.force_password_change_on_sso as Holger stated.
        However if you are refering to the I.E. issues these are not directly resolvable as it is a "feature" of I.E. - see note "1159129 Password reset not possible in SPNego scenario".
        Please mail me if you need any further help (phil underscore jones at biscuits dot com).
        Regards
        Phil

SAP Password Change still required withh
2011-01-13 02:51:18 Phil Jones Business Card [Reply]

Hi Holger - firstly many many thanks for the SPNego blogs - extremely helpful.
I have configured a JAVA system (DP1) which already uses the UME on the associated ABAP system (D01)to use authenticcation from our ADS, as per you instructions and I can log on without entering id or password and see the kerberos ticket being issued and all works well.
The problem comes when the (ABAP\JAVA)user has to change their SAP password - then the standard Logon Credentials are requested, asking for the user to change their SAP password. I thought that the authentication came from the ADS and so the user would not be required to change their SAP password? Or have I configured something incorrectly?
FYI - I am using the new spnego2 wizard for the configuration and have configured the Mapping Mode with "principal only" as the user names are identical in ADS and SAP.
Regards
Phil

Adding UME attribute
2011-01-11 18:36:43 Vipul Patel Business Card [Reply]

Hi Holger
This is probably independant of SPNEGO but I will mention it anyway as it is one of the config steps in your blog.

I have added the custom UME attribute ' krb5principalname' but it is not visible on the user profile in portal. What I have noticed is that after entering the attribute it only appears under 'Local Properties' whilst 'Custom Value' still reads blank.

Thanks, Vipul
- Adding UME attribute
  2011-01-11 21:31:30 Vipul Patel Business Card [Reply]
  
  Hi Holger
  I have got this resolved. I needed to change the global attribute, from the screenshots it appeared to be instance attribute.
  
  I have got another question now - the first screen of the SPNEGO wizard is not displaying 'mapping attribute'.
  
  cheers, vipul
  - Adding UME attribute
    2011-01-12 01:46:12 Holger Bruchelt Business Card [Reply]
    
    Hi Vipul,
    
    that is probably because this setting is now moved to a different screen later on.
    So don't worry about that now...
    
    Regards,
    
    Holger.
    - Adding UME attribute
      2011-01-12 21:11:29 Vipul Patel Business Card [Reply]
      
      Thanks Holger
      I realised later that there was no need to create 'krb5principalname' attribute as we keep abap users in sync with ADS users. So in 4/5 screen name resolution worked fine based on 'uniqueattribute'.
      
      However, after assigning template to ticket component in VA and restart of the cluster, SSO has not worked.
      
      I will look at blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/8313 and see how it goes.
      
      Regards
      Vipul

abap as data source to java
2010-09-10 07:01:58 Venkatesh Koukuntla Business Card [Reply]

Hi Holger,

Nice blog. We have a different scenario and thought will have a suggestion from you. The UME for our Java is ABAP and userids in ABAP are different from LDAP userids.Our plan is to populate one of the user fields with their LDAP userids and achieve spnego. Can you please suggest any steps for this on how this mapping can be achieved?
- abap as data source to java
  2010-09-10 07:10:35 Holger Bruchelt Business Card [Reply]
  
  Hi,
  
  if I understand you correct, you want to populate some field in the ABAP system. If that is the case I would recommend that you take a look at the new SPNEGO Login module (you should do that anyway..., http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567, https://service.sap.com/sap/support/notes/1457499) Then you can populate the Logon Alias with the LDAP userids.
  Other options are also explain in my blog http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/13265.
  
  Hope this helps!
  
  Regards,
  
  Holger.
  - abap as data source to java
    2010-09-21 08:25:35 Venkatesh Koukuntla Business Card [Reply]
    
    That was spot on for us. Thank you. There is one more request. Do we still need to do the LDAP configuration setting when our UME source is ABAP as this is greyed out.
    - abap as data source to java
      2010-09-21 08:33:01 Holger Bruchelt Business Card [Reply]
      
      Hi,
      in the UME you do not have to do any LDAP configuration. But you will have to provide the REALM information during the SPNEGO Configuration -- but that is it.
      
      Regards,
      
      Holger.

No SSO, normal logon mask appears
2010-08-02 04:39:30 Florian Lusch Business Card [Reply]

Hello Holger,

I got a problem with configuring SSO in SAP BI 7.0 (Dualstack, conntect to ABAP datasource).

I followed your instructions till the end.
Test resolution works fine..

But when i open the portal url, i get the logon mask. No SSO, no error.

Maybe you got some hints (logs for example), where I can search for the error?

Best regards,
Florian
- No SSO, normal logon mask appears
  2010-08-05 04:33:21 Florian Lusch Business Card [Reply]
  
  finally got the log.
  
  Received�no�SAPLogonTicket.�Authentication�stack:�[ticket].
  Exiting�method�with�<null>
  Creating�new�instance�of�SpNegoState�(negstate=�initial,�mechanism.oid=�null)
  Acquiring�credentials�for�realm�LOSSBURG.ARBURG.COM
  Looking�for�credentials�for�realm�LOSSBURG.ARBURG.COM
  Looking�for�credentials�for�j2ee-bwt@LOSSBURG.ARBURG.COM�in�{}
  Acquiring�credentials�for�GSS�name�j2ee-bwt@LOSSBURG.ARBURG.COM
  GSS�name�type�is:�1
  GSS�name�type�1�is�:1.2.840.113554.1.2.1.1
  GSS�mechanism�is:�1.2.840.113554.1.2.2
  Debug�is��true�storeKey�true�useTicketCache�false�useKeyTab�true�doNotPrompt�true�ticketCache�is�null�isInitiator�true�KeyTab�is�null�refreshKrb5Config�is�true�principal�is�j2ee-bwt@LOSSBURG.ARBURG.COM�tryFirstPass�is�false�useFirstPass�is�false�storePass�is�false�clearPass�is�false
  Refreshing�Kerberos�configuration
  Refreshing�Keytab
  >>>�KeyTabInputStream,�readName():�LOSSBURG.ARBURG.COM
  >>>�KeyTabInputStream,�readName():�j2ee-bwt
  >>>�KeyTab:�load()�entry�length:�54;�type:�3
  principal's�key�obtained�from�the�keytab
  Acquire�TGT�using�AS�Exchange
  Exception�:�Error�in�some�of�the�login�modules.
  java.lang.Exception
  at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
  at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
  at�com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:116)
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:151)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Caused�by:�java.lang.NullPointerException
  at�java.lang.StringBuffer.append(StringBuffer.java:467)
  at�com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
  at�com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
  at�com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Error�in�some�of�the�login�modules.�
  [EXCEPTION]
  �com.sap.engine.services.security.exceptions.BaseLoginException:�Error�in�some�of�the�login�modules.
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:151)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Caused�by:�java.lang.NullPointerException
  at�java.lang.StringBuffer.append(StringBuffer.java:467)
  at�com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
  at�com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
  at�com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
  ...�24�more
  
  Exception�com.sap.engine.services.security.exceptions.BaseLoginException:�Error�in�some�of�the�login�modules.
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:151)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Caused�by:�java.lang.NullPointerException
  at�java.lang.StringBuffer.append(StringBuffer.java:467)
  at�com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
  at�com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
  at�com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
  ...�24�more
  Exception�:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
  java.lang.Exception
  at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
  at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
  at�com.sap.engine.services.security.exceptions.BaseSecurityException.<init>(BaseSecurityException.java:213)
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Unsuccessful�login:�no�login�module�succeeded.�The�size�of�the�used�authentication�stack�com.sun.security.jgss.accept�is�1.
  Exception�:�No�login�module�succeeded.
  java.lang.Exception
  at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
  at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
  at�com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:136)
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:246)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.�
  [EXCEPTION]
  �com.sap.engine.services.security.exceptions.BaseSecurityException:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  
  LOGIN.FAILED
  User:�N/A
  Authentication�Stack:�com.sun.security.jgss.accept
  
  Login�Module��Flag��Initialize��Login��Commit��Abort��Details
  1.�com.sun.security.auth.module.Krb5LoginModule��OPTIONAL��ok��exception��false��null
  ��#1�debug�=�true
  ��#2�doNotPrompt�=�true
  ��#3�principal�=�j2ee-bwt@LOSSBURG.ARBURG.COM
  ��#4�refreshKrb5Config�=�true
  ��#5�storeKey�=�true
  ��#6�useKeyTab�=�true
  ��#7�useTicketCache�=�false
  Exception�:�Access�Denied.
  java.lang.Exception
  at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
  at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
  at�com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:116)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Caused�by:�com.sap.engine.services.security.exceptions.BaseSecurityException:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Acquiring�credentials�for�realm�LOSSBURG.ARBURG.COM�failed�
  [EXCEPTION]
  �GSSException:�No�valid�credentials�provided�(Mechanism�level:�Attempt�to�obtain�new�ACCEPT�credentials�failed!)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
  at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
  at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
  at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
  at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
  Caused�by:�com.sap.engine.services.security.exceptions.BaseLoginException:�Access�Denied.
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
  at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
  at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at�java.lang.reflect.Method.invoke(Method.java:324)
  at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
  at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
  at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
  at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
  at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
  ...�9�more
  Caused�by:�com.sap.engine.services.security.exceptions.BaseSecurityException:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
  at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
  at�java.security.AccessController.doPrivileged(Native�Method)
  at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  ...�22�more
  
  Login�module�com.sap.security.core.server.jaas.SPNegoLoginModule�from�authentication�stack�ticket�does�not�authenticate�the�caller.
  Entering�method
  No�authenticated�user�found.
  Exiting�method�with�false
  No�user�name�provided.
  Entering�method
  No�authenticated�user�found.
  Exiting�method�with�false
  - No SSO, normal logon mask appears
    2010-08-05 09:27:13 Holger Bruchelt Business Card [Reply]
    
    Can you send me an email, so that we can work on this offline. Reading logs here in the comments is not really working...
    
    Regards,
    
    Holger.
- No SSO, normal logon mask appears
  2010-08-02 04:43:46 Florian Lusch Business Card [Reply]
  
  YATT trace:
  
  ------
  HTTP/1.1 401 Unauthorized
  Server: SAP J2EE Engine/7.00
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
  Content-Language: de-DE
  expires: 0
  Content-Encoding: gzip
  Date: Mon, 02 Aug 2010 11:42:10 GMT
  Set-Cookie: saplb_*=(SRVA085_BWT_00)4424850; Version=1; Path=/
  Set-Cookie: PortalAlias=portal; Path=/
  Set-Cookie: JSESSIONID=(SRVA085_BWT_00)ID1206139550DB329bdf23b2611714efcf9111a6e5e8bf766be6d0End; Version=1; Domain=.lossburg.arburg.com; Path=/
  
  a
  �
  
  -------
  
  GET /irj/portal HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Accept-Language: de-DE,en-US;q=0.5
  UA-CPU: x86
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; .NET CLR 3.5.21022)
  Host: sapbwt.lossburg.arburg.com:50000
  Connection: Keep-Alive
  - No SSO, normal logon mask appears
    2010-08-02 05:57:30 Holger Bruchelt Business Card [Reply]
    
    Hi,
    
    can you take a look at the diagtool trace like mentioned here: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8313
    
    From these logs you should be able to narrow down the problem a little.
    
    Regards,
    
    Holger.
    - No SSO, normal logon mask appears
      2010-08-02 06:12:39 Florian Lusch Business Card [Reply]
      
      Thanks.
      
      i started the diagtool the following way:
      
      go.bat conf\spnego.conf D:\usr\sap\BWT\DVEBMGS00\j2ee\configtool
      
      It shows me version, host etc..that it crashes.
      
      java.lang.reflect.InvocationTargetExpetion
      ...
      Caused by: java.lang.Error: getenv no longer supported, use properties and -D instead: debug
      - No SSO, normal logon mask appears
        2010-08-02 07:24:36 Holger Bruchelt Business Card [Reply]
        
        Hi,
        
        can you please use the WebDiagtool as explained in the blog?
        It's newer and better :-)
        
        Thanks,
        
        Holger.

Access Denied - responseHeader is NULL
2010-04-27 04:53:03 Victor Capi Business Card [Reply]

Hi,

When i try to log to the portal, appear an popup where i have to write the user and password, and after, i have to log again in the portal.

I do a trace with diagtool, and appear this error:
Credentials for realm KMC.LOCAL successfully acquired: j2ee-DM2@KMC.LOCAL
Access Denied - responseHeader is NULLLogin module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.

What happend?

Thanks in advance,
Regards
- Access Denied - responseHeader is NULL
  2010-04-27 05:27:39 Holger Bruchelt Business Card [Reply]
  
  Hi,
  I am not sure if this is the issue. Can you take another look at the trace and see if you find something else (some other errors).
  
  Regards,
  
  Holger.
  - Access Denied - responseHeader is NULL
    2010-04-27 12:29:42 Victor Capi Business Card [Reply]
    
    I see this error:
    
    Clock skew too great (37)
    
    In this blog appear:
    This means, that the time difference between the Client and the Server is to great (there is a default time difference for Kerberos which is usually about 5 minutes). Please check the time of both client and server. You can also try to issue a
    
    net time /set /domain
    
    on the client (and on the server). It will syncronize the time from the client with the one on the domain.
    
    But in the server, i haven�t access, appear error: Access is denied.
    
    How can avoid it?
    
    Thanks in advance,
    Regards,
    - Access Denied - responseHeader is NULL
      2010-04-27 12:34:28 Holger Bruchelt Business Card [Reply]
      
      Hi,
      
      well apparently the clocks are not correct. Windows machines you can run the net time command -- but you have to have permissions to set the time (can you do it manually?).
      I would recommend to run a NTP service (or some similar service to synchronize the times).
      Once they are the same this issue should be resolved.
      
      Regards,
      
      Holger.
      - Access Denied - responseHeader is NULL
        2010-04-28 00:51:55 Victor Capi Business Card [Reply]
        
        Hi,
        
        Lot of thanks, finally, i can do SSO.
        
        The problem was the time, i was able to sync.
        
        Thanks,
        Regards,
      - Access Denied - responseHeader is NULL
        2010-04-27 12:40:00 Victor Capi Business Card [Reply]
        
        Hi,
        
        I can modify the time manually in the clock of menu bar of windows, now two machine has the same time (except the seconds), but appear the same error... Is necessary synchronize with net time?
        
        Thanks in advance,
        Regars,
        
        Access Denied - responseHeader is NULL
        2010-08-05 04:34:07 Florian Lusch Business Card [Reply]
        
        finally got the log:
        
        Received�no�SAPLogonTicket.�Authentication�stack:�[ticket].
        Exiting�method�with�<null>
        Creating�new�instance�of�SpNegoState�(negstate=�initial,�mechanism.oid=�null)
        Acquiring�credentials�for�realm�LOSSBURG.ARBURG.COM
        Looking�for�credentials�for�realm�LOSSBURG.ARBURG.COM
        Looking�for�credentials�for�j2ee-bwt@LOSSBURG.ARBURG.COM�in�{}
        Acquiring�credentials�for�GSS�name�j2ee-bwt@LOSSBURG.ARBURG.COM
        GSS�name�type�is:�1
        GSS�name�type�1�is�:1.2.840.113554.1.2.1.1
        GSS�mechanism�is:�1.2.840.113554.1.2.2
        Debug�is��true�storeKey�true�useTicketCache�false�useKeyTab�true�doNotPrompt�true�ticketCache�is�null�isInitiator�true�KeyTab�is�null�refreshKrb5Config�is�true�principal�is�j2ee-bwt@LOSSBURG.ARBURG.COM�tryFirstPass�is�false�useFirstPass�is�false�storePass�is�false�clearPass�is�false
        Refreshing�Kerberos�configuration
        Refreshing�Keytab
        >>>�KeyTabInputStream,�readName():�LOSSBURG.ARBURG.COM
        >>>�KeyTabInputStream,�readName():�j2ee-bwt
        >>>�KeyTab:�load()�entry�length:�54;�type:�3
        principal's�key�obtained�from�the�keytab
        Acquire�TGT�using�AS�Exchange
        Exception�:�Error�in�some�of�the�login�modules.
        java.lang.Exception
        at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
        at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
        at�com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:116)
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:151)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Caused�by:�java.lang.NullPointerException
        at�java.lang.StringBuffer.append(StringBuffer.java:467)
        at�com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
        at�com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
        at�com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Error�in�some�of�the�login�modules.�
        [EXCEPTION]
        �com.sap.engine.services.security.exceptions.BaseLoginException:�Error�in�some�of�the�login�modules.
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:151)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Caused�by:�java.lang.NullPointerException
        at�java.lang.StringBuffer.append(StringBuffer.java:467)
        at�com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
        at�com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
        at�com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
        ...�24�more
        
        Exception�com.sap.engine.services.security.exceptions.BaseLoginException:�Error�in�some�of�the�login�modules.
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:151)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Caused�by:�java.lang.NullPointerException
        at�java.lang.StringBuffer.append(StringBuffer.java:467)
        at�com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:627)
        at�com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:511)
        at�com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
        ...�24�more
        Exception�:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
        java.lang.Exception
        at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
        at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
        at�com.sap.engine.services.security.exceptions.BaseSecurityException.<init>(BaseSecurityException.java:213)
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Unsuccessful�login:�no�login�module�succeeded.�The�size�of�the�used�authentication�stack�com.sun.security.jgss.accept�is�1.
        Exception�:�No�login�module�succeeded.
        java.lang.Exception
        at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
        at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
        at�com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:136)
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:246)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.�
        [EXCEPTION]
        �com.sap.engine.services.security.exceptions.BaseSecurityException:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        
        LOGIN.FAILED
        User:�N/A
        Authentication�Stack:�com.sun.security.jgss.accept
        
        Login�Module��Flag��Initialize��Login��Commit��Abort��Details
        1.�com.sun.security.auth.module.Krb5LoginModule��OPTIONAL��ok��exception��false��null
        ��#1�debug�=�true
        ��#2�doNotPrompt�=�true
        ��#3�principal�=�j2ee-bwt@LOSSBURG.ARBURG.COM
        ��#4�refreshKrb5Config�=�true
        ��#5�storeKey�=�true
        ��#6�useKeyTab�=�true
        ��#7�useTicketCache�=�false
        Exception�:�Access�Denied.
        java.lang.Exception
        at�com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
        at�com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
        at�com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:116)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Caused�by:�com.sap.engine.services.security.exceptions.BaseSecurityException:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Acquiring�credentials�for�realm�LOSSBURG.ARBURG.COM�failed�
        [EXCEPTION]
        �GSSException:�No�valid�credentials�provided�(Mechanism�level:�Attempt�to�obtain�new�ACCEPT�credentials�failed!)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
        at�sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
        at�sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
        at�sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
        at�sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
        at�sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
        at�com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)
        Caused�by:�com.sap.engine.services.security.exceptions.BaseLoginException:�Access�Denied.
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
        at�com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
        at�sun.reflect.GeneratedMethodAccessor372.invoke(Unknown�Source)
        at�sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at�java.lang.reflect.Method.invoke(Method.java:324)
        at�javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at�javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at�javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at�javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at�sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
        ...�9�more
        Caused�by:�com.sap.engine.services.security.exceptions.BaseSecurityException:�Internal�server�error.�An�error�log�with�ID�[005056874DC200860000000D000010D000048D11CD1C9661]�is�created.�For�more�information�contact�your�system�administrator.
        at�com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
        at�java.security.AccessController.doPrivileged(Native�Method)
        at�com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
        ...�22�more
        
        Login�module�com.sap.security.core.server.jaas.SPNegoLoginModule�from�authentication�stack�ticket�does�not�authenticate�the�caller.
        Entering�method
        No�authenticated�user�found.
        Exiting�method�with�false
        No�user�name�provided.
        Entering�method
        No�authenticated�user�found.
        Exiting�method�with�false
  - Access Denied - responseHeader is NULL
    2010-04-27 09:14:48 Victor Capi Business Card [Reply]
    
    Hi,
    
    Thanks by the answer, i can not fin another error important...
    
    I attach a part of the trace:
    
    The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=DM2, client=000, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=8, keystore=TicketKeystore, password=}].
    The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=DM2, client=000, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=8, keystore=TicketKeystore, password=}].
    Exiting method
    Entering method
    Received no SAPLogonTicket. Authentication stack: [ticket].
    Exiting method with <null>
    Creating new instance of SpNegoState (negstate= initial, mechanism.oid= null)
    Acquiring credentials for realm KMC.LOCAL
    Looking for credentials for realm KMC.LOCAL
    Looking for credentials for j2ee-DM2@KMC.LOCAL in {j2ee-DM2@KMC.LOCAL=[GSSCredential:
    j2ee-DM2@KMC.LOCAL 1.2.840.113554.1.2.2 Accept [Kerberos Principal j2ee-DM2@KMC.LOCALKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 62 A2 C1 1A A8 62 29 91
    ]]}
    Found cached credentials for j2ee-DM2@KMC.LOCAL [GSSCredential:
    j2ee-DM2@KMC.LOCAL 1.2.840.113554.1.2.2 Accept [Kerberos Principal j2ee-DM2@KMC.LOCALKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 62 A2 C1 1A A8 62 29 91
    ]]
    Credentials for realm KMC.LOCAL successfully acquired: j2ee-DM2@KMC.LOCAL
    Access Denied - responseHeader is NULL
    Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.
    Entering method
    No authenticated user found.
    Exiting method with false
    No user name provided.
    Entering method
    No authenticated user found.
    Exiting method with false
    Exception : Cannot authenticate the user.
    java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:158)
    �..
    Entering method
    Internal Login Module data has been reset.
    Exiting method with true
    set Response Status 401
    set Header WWW-Authenticate = Negotiate
    Entering method
    Exiting method with true
    Entering method
    Exiting method with true
    LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    
    Login Module Flag Initialize Login Commit Abort Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
    #1 ume.configuration.active = true
    2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
    #1 com.sap.spnego.creds_in_thread = true
    #2 com.sap.spnego.jgss.name = j2ee-DM2@KMC.LOCAL
    #3 com.sap.spnego.uid.resolution.attr = krb5principalname
    #4 com.sap.spnego.uid.resolution.mode = simple
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
    #1 ume.configuration.active = true
    4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
    5. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
    #1 ume.configuration.active = true

The ABAP backend uses SNC
2009-12-11 07:55:03 Hugo Villa Romero Business Card [Reply]

Hello Holger,

I configured the SPNEGO succesfully in a double-stack system. The SAPJSF user is used to connect the J2EE to the ABAP system. Additionally, I created a user like j2ee-SID in the ADS and set the krb5principalname ume attribute of the SAPJSF user to this ADS user. As SNC is enabled in the ABAP system, we are using SNC between Java and ABAP as well. We are having problems with the Java/ABAP communication when the TGT is expired.

Can you please tell me how to make the j2ee engine to get the TGTs automatically (instead of getting it from the credential cache file) when the SNC is enabled in the ABAP backend?

Thanks in advance
Kind regards
Hugo
- The ABAP backend uses SNC
  2009-12-13 23:34:57 Holger Bruchelt Business Card [Reply]
  
  Hi Hugo,
  
  are you sure this is SNC related?
  If you are talking about the client tickets, this might be an issue with a missing KB (KB899587
  , see also Note 934138).
  Did you check the J2EE logs when it is working, and when not?
  
  Regards,
  
  Holger.
  - The ABAP backend uses SNC
    2009-12-14 14:08:44 Hugo Villa Romero Business Card [Reply]
    
    Hi Holger,
    
    Yes, this is SNC related. When the TGT is expired I see the following error in the security.0.log file of the server node:
    
    Login Module Flag Initialize Login Commit Abort Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
    2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Cannot resolve user with attribute krb5principalname and value = <user>@<REALM>
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
    4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
    5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok true #
    
    Also, the following errors are registered in the dev_server0 trace file:
    
    [Thr 62721] *** ERROR => SncPEstablishContext() failed for target='p:SAPService<SID>/<domain>@<REALM>' [sncxxall_m 3379]
    [Thr 62721] *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall_mt.c 3345]
    [Thr 62721] GSS-API(maj): Miscellaneous failure
    [Thr 62721] GSS-API(min): Cannot find ticket for requested realm
    [Thr 62721] Unable to establish the security context
    [Thr 62721] target="p:SAPService<SID>/<domain>@<REALM>"
    [Thr 62721] <<- SncProcessOutput()==SNCERR_GSSAPI
    
    As SNC is enabled in the Java stack, the GSS library tries to get the ticket from the server. I am not sure the KB899587 will help in this case.
    
    I beleive the key is to make the J2EE engine connects to the ABAP backend (where SNC is enabled) via the SAPJSF without setting the following UME properties:
    
    ume.r3.connection.master.snc_lib
    ume.r3.connection.master.snc_mode
    ume.r3.connection.master.snc_myname
    ume.r3.connection.master.snc_partnername
    
    Can you please provide some ideas.
    
    Thanks and regards,
    Hugo
    - The ABAP backend uses SNC
      2009-12-14 23:23:02 Holger Bruchelt Business Card [Reply]
      
      Hi Hugo,
      
      in order to investigate I need some more invormation/logs. I tried to find your email, but I couldn't.
      Can you please contact me so that I can follow up?
      
      Thanks,
      Holger.

How can I remove SPNEGO
2009-12-02 05:49:05 Renato Moltrasio Business Card [Reply]

Hello Holger,

I configured the SPNEGO succesfully inmmy system. Now after a system copy of that system I need to remove SPNEGO. Can yuou please tell how can this be done? (a oss note, a guide....)

Thanks in Advance
Renato
- How can I remove SPNEGO
  2009-12-02 05:53:32 Holger Bruchelt Business Card [Reply]
  
  Hi,
  you should just unassign the SPNego Template from the ticket component. Set it back to only Evaluate / Basic / Create (like mentioned here: http://help.sap.com/saphelp_nw70/helpdata/en/04/120b40c6c01961e10000000a155106/frameset.htm).
  Then SPNego should not be active anymore. if you want do do more, you can also delete the Kerberos folder from \usr\sap\<SID>\SYS\global\kerberos.
  
  Hope this helps,
  
  Holger.
  - How can I remove SPNEGO
    2009-12-02 06:10:43 Renato Moltrasio Business Card [Reply]
    
    Hello Holger,
    
    thank you very much for you reply.
    It works.
    
    Bye
    Renato

LDAP Tab is Not Visible on UME With dataSourceConfiguration_abap.xml
2009-04-20 13:06:00 Carlos Suaza Business Card [Reply]

Hi Holger,

I am trying to configurate LDAP Autentication with Windows Active Directory for SAP Enterprise Portal, on UME With dataSourceConfiguration_abap.xml, ABAP Datasource, but LDAP Tab is Not Visible or Enable, how can i make visible or enable this tab for continue with this configuration.

Thanks for your help.

Carlos
- LDAP Tab is Not Visible on UME With dataSourceConfiguration_abap.xml
  2009-04-20 13:35:34 Holger Bruchelt Business Card [Reply]
  
  Hi Carlos,
  
  once you are on dataSourceConfigration_abap there is no way back to connect the J2EE directly to an ADS (see Note 718383 - NetWeaver: Supported UME Data Sources and Change Options).
  But depending on the userIDs connecting the ADS might not be necessary. Please also have a look at https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/13265
  
  Regards,
  
  Holger.

BI Portal integration with Microsoft Active Directory service
2009-02-23 15:44:16 Thirunagari Venkata Ramana Business Card [Reply]

Hi Friends,

I need to Integrate BI portal with Microsoft Active Directory service, so that users can login with into BI Portal with ADS Authentication.

Please provide me the steps need to configure, and any related documents on said subject.

Appreciate ur help.

Thanks inadvance.

Regards,

Venkat
- BI Portal integration with Microsoft Active Directory service
  2009-02-23 23:20:07 Holger Bruchelt Business Card [Reply]
  
  Hi,
  
  is your BI portal connected to the ABAP datasource? Then follow this blog (and the one that will be hopefully released soon).
  If your datasource is already connected to the ADS or to the database, please follow https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/8235
  
  Regards,
  
  Holger.

Great Blog but a Query
2009-02-18 01:51:39 sinhavibhu sinha Business Card [Reply]

I am planning to implement SPNego with ABAP UME for my customer and have already checked the steps mentioned in your weblog:
Also the following link on SAP Help mentions that you can configure SPNego with ABAP UME:

http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm

Please let me know if this solution would work in case the user ids in the AD and the ABAP systems are the same? Generally, a user will not be able to authenticate on to the portal if the UME is connected to two different user data sources and both the datasources contain the same id.

Does this blog resolve the issue pertaining to duplicate user ids? Has anyone implemented this scenario?

Thanks in advance,
Vibhu

User assignment
2009-02-11 10:18:51 Prashant Dhas Business Card [Reply]

Hi,

As shown in the screen shot and als the spnego avi files in the wizard, I could not find the krb5principalname while creating the abap user through useradmin. I am using EP7?
Is there any other setting?
- User assignment
  2009-02-11 23:24:44 Holger Bruchelt Business Card [Reply]
  
  You are right (I guess you mean the screenshot here Step 1 of 5). With the new version of the Wizard the dialog changed a little.
  Can you search for "Federated Search between SAP NetWeaver Enterprise Search and Microsoft Search Server 2008" and take a look at this document. On page 8 we describe how to map the KPN to the email field of ABAP (you basically do this now in Step 3). Here you could also enter the krb5principalname.
  Hope this helps,
  Holger.

ABAP UME
2009-02-11 03:18:50 Vijayakumar Velayutham Business Card [Reply]

Very nice blog, it's very useful.

Our current setup is NW2004s(SP16)- Dual Stack(ABAP+JAVA) and by default we are using ABAP as our UME datasource.

I have downloaded SPNegoWizard_645.zip file from the Note: 994791 and I uploaded this "dataSourceConfiguration_ads_readonly_db_with_krb5.xml" as my additional xml file into UME persistence using (Configtool), and tested successfully with connection and authentication test. Once the J2ee engine was restarted, I get stuck with an Error Report as: "503 Service Unavailable";"Message: Dispatcher running but no server connected!"

Could you please have a look at my post

https://www.sdn.sap.com/irj/scn/thread?threadID=1228018&tstart=0

Please help and advice me.

Awaiting for your favorable response.

Kind regards,
Vijay

Nice blog .... one query....
2009-01-22 04:52:25 Basis User Business Card [Reply]

Hi Holger,

Thanks a lot for this wonderful blog. I have used it and is working fine (data source = ABAP, resolution mode = simple)

One query: Is it possible to map UME custom attribute krb5principalname to ABAP user's email field? By this way, I think I can populate krb5principalname automatcally while creating / modifying users in ABAP.

Thanks in advance!
Shaji
- Nice blog .... one query....
  2009-01-22 05:43:40 Holger Bruchelt Business Card [Reply]
  
  Hi,
  
  yes, this will work. If you do not need the email in your ABAP system this is a very nice way of getting the krb5principalnames to your ABAP users.
  
  If you want more details, please have a look at the following whitepaper: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/portal-and-collaboration/search/Federated%20Search%20between%20SAP%20NetWeaver%20Enterprise%20Search%20and%20Microsoft%20Search%20Server%202008.pdf (page 8).
  Just enter "email" for the KPN in the SPNego Wizard.
  
  Regards,
  Holger.
  - Nice blog .... one query....
    2009-01-27 04:17:38 Vangent - Southwark Axon Basis Business Card [Reply]
    
    Thanks Holger,
    
    Just to re-phrase my query: While creating ABAP user-ids, the email field is populated with user's email address, which is used in the ABAP system for mailing.
    
    As the email field is the krb5principalname as well, I would like to know whether I can map this to krb5principalname, so that the field krb5principalname is populated automatically, just by entering the email field while creating the ABAP user-id.
    
    PS: I am unable to access mentioned pdf document. Can you kindly post the link again please?
    
    Thanks a lot, and best regards,
    Shaji
    - Nice blog .... one query....
      2009-01-27 04:28:24 Vangent - Southwark Axon Basis Business Card [Reply]
      
      Thanks again!
      
      Managed to download the pdf and was exactly what I was looking for. Great!
      
      Thanks and best regards,
      Shaji

Great Overview
2008-11-12 09:08:20 Eric Green Business Card [Reply]

The overview is great and extremely helpful.

I have followed the process 100% and have only one issue. It seems that when I hit the java stack from any computer, the system seems to translate the connecting user as <sid>adm and the SPNego fails:

10:52:22:711 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule gss context established.
10:52:22:711 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Credentials of <sid>adm@MyDomain.COM cannot be delegated.
10:52:22:711 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule SPNego authentication succeeded. Authenticated KPN is <sid>adm@MyDomain.COM
10:52:22:711 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Resolution mode is prefixbased
10:52:22:711 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule uid resolution attribute is set to uniquename. Trying to resolve user.
10:52:22:711 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Searching for user with (kpnPrefix,kpnSuffix) = (<sid>adm,MyDomain.COM)
10:52:22:727 Error J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Couldn't find user with (kpnPrefix,kpnSuffix) = (<sid>adm,MyDomain.COM)
10:52:22:727 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Authentication failed. Error during handshake. Check the trace file for details.

After seeing this, I created a user in the ABAP UME <sid>adm. I then attempted to hit the page again and it logged me in as <sid>adm.

Have you seen this and/or do you have any idea as to where to begin looking at why <sid>adm is being authenitcated instead of my user ID?

thanks,
Eric
- Great Overview
  2008-11-12 22:53:10 Holger Bruchelt Business Card [Reply]
  
  Hi Eric,
  
  that is strange. The only way that you should be logged in as <sid>adm is if you were actually logged in with this user on your client (from which you are accessing the J2EE Engine).
  
  Can you run kerbtray on your client after accessing the java stack? What is the Client Principal name (see https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8313 - "The Client side")
  
  Regards,
  
  Holger.
  - Great Overview
    2008-11-13 09:04:49 Eric Green Business Card [Reply]
    
    Holger,
    I hate to post this whole output, but maybe it will help you to see my issue... and help any others that may have a similar issue.
    
    Web Diagtool Version : 1.17
    
    Start Time: 2008/11/13 10:43:26
    
    --------------------------------------------------------------------------------
    
    Selected Locations: {com.sap.engine.services.security.authentication=ALL, com.sap.security.core.ticket=ALL}
    Set Severity For Selected Locations: All
    Set Severity For All Other Locations: Error
    Get Traces From Other Locations: true
    Maximum number of collected records: 50000
    
    --------------------------------------------------------------------------------
    
    SAP System Name: <SID>
    Server Version: 700
    SP Level: 16
    
    --------------------------------------------------------------------------------
    
    Canonical Host Name: <localhost>.domain.com
    Host: <localhost>
    IP: .....28
    Operating system name: Windows 2003
    Java Runtime Environment version: 1.4.2_13
    Java Runtime Environment vendor: Sun Microsystems Inc.
    
    --------------------------------------------------------------------------------
    
    Link to the Traces
    
    --------------------------------------------------------------------------------
    
    +login.modules:
    
    +ume.properties:
    
    --------------------------------------------------------------------------------
    Time Severity User Thread Location Message
    
    10:43:33:011 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d)
    10:43:33:011 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser no user in session, relogin
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@29731812)
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true, trustediss1=CN=<SID>, trusteddn1=CN=<SID>, trustedsys1=<SID>,010}].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@43315b00
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@5d4d7f76
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=<SID>, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, trusteddn1=CN=<SID>, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, trustedsys1=<SID>,010, password=}].
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=<SID>, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, trusteddn1=CN=<SID>, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, trustedsys1=<SID>,010, password=}].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Exiting method
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~et.CreateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@29731812, {System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, {ume.configuration.active=true})
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true}].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@aeb4bd5
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@5dbf928c
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~et.CreateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@29731812, {System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, {ume.configuration.active=true})
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true}].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@4c2e5569
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@75e98791
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~icket.EvaluateTicketLoginModule.login() Entering method
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: [ticket].
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Exiting method with <null>
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Creating new instance of SpNegoState (negstate= initial, mechanism.oid= null)
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Acquiring credentials for realm DOMAIN.COM
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Looking for credentials for realm DOMAIN.COM
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Looking for credentials for sid<sid>02@DOMAIN.COM in {sid<sid>02@DOMAIN.COM=[GSSCredential:
    sid<sid>02@DOMAIN.COM 1.2.840.113554.1.2.2 Accept [Kerberos Principal sid<sid>02@DOMAIN.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 51 4C AE AE 92 4C 04 07
    ]]}
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Found cached credentials for sid<sid>02@DOMAIN.COM [GSSCredential:
    sid<sid>02@DOMAIN.COM 1.2.840.113554.1.2.2 Accept [Kerberos Principal sid<sid>02@DOMAIN.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 51 4C AE AE 92 4C 04 07
    ]]
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Credentials for realm DOMAIN.COM successfully acquired: sid<sid>02@DOMAIN.COM
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Access Denied - responseHeader is NULL
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.login() Entering method
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
    10:43:33:026 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.BasicPasswordLoginModule No user name provided.
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.login() Entering method
    10:43:33:026 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
    10:43:33:026 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~engine.services.security.authentication Exception : Cannot authenticate the user.
    java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:158)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.getLoggedInClientUser(ClientUserFactory.java:218)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.checkAuthentication(ClientUserFactory.java:249)
    at com.sap.tc.webdynpro.services.sal.um.api.WDClientUser.checkAuthentication(WDClientUser.java:217)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.checkAuthentication(RequestManager.java:631)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:144)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.getLoggedInClientUser(ClientUserFactory.java:218)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.checkAuthentication(ClientUserFactory.java:249)
    at com.sap.tc.webdynpro.services.sal.um.api.WDClientUser.checkAuthentication(WDClientUser.java:217)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.checkAuthentication(RequestManager.java:631)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:144)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~icket.EvaluateTicketLoginModule.abort() Entering method
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Internal Login Module data has been reset.
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Exiting method with true
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule set Response Status 401
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule set Header WWW-Authenticate = Negotiate
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.abort() Entering method
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with true
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.abort() Entering method
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with true
    10:43:33:042 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~es.security.authentication.logincontext LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    
    Login Module Flag Initialize Login Commit Abort Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
    #1 trusteddn1 = CN=<SID>
    #2 trustediss1 = CN=<SID>
    #3 trustedsys1 = <SID>,010
    #4 ume.configuration.active = true
    2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
    #1 com.sap.spnego.creds_in_thread = true
    #2 com.sap.spnego.jgss.name = sid<sid>02@DOMAIN.COM
    #3 com.sap.spnego.uid.resolution.attr = uniquename
    #4 com.sap.spnego.uid.resolution.dn = dn
    #5 com.sap.spnego.uid.resolution.mode = prefixbased
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
    #1 ume.configuration.active = true
    4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
    5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
    #1 ume.configuration.active = true
    10:43:33:042 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~es.security.authentication.programmatic getLoggedInUser
    [EXCEPTION]
    com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.getLoggedInClientUser(ClientUserFactory.java:218)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.checkAuthentication(ClientUserFactory.java:249)
    at com.sap.tc.webdynpro.services.sal.um.api.WDClientUser.checkAuthentication(WDClientUser.java:217)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.checkAuthentication(RequestManager.java:631)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:144)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    ... 37 more
    
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d)
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d)
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~entication.programmatic.getLoggedInUser no user in session, relogin
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@5c48032d)
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true, trustediss1=CN=<SID>, trusteddn1=CN=<SID>, trustedsys1=<SID>,010}].
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:042 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@7bc8aeaf
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@3444a2a6
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=<SID>, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, trusteddn1=CN=<SID>, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, trustedsys1=<SID>,010, password=}].
    10:43:33:042 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=<SID>, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, trusteddn1=CN=<SID>, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, trustedsys1=<SID>,010, password=}].
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Exiting method
    10:43:33:042 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~et.CreateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@5c48032d, {System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, {ume.configuration.active=true})
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true}].
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@6125b19
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@1f1ac96c
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~et.CreateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@5c48032d, {System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, {ume.configuration.active=true})
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true}].
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@179de168
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@7e397ef4
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~icket.EvaluateTicketLoginModule.login() Entering method
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: [ticket].
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Exiting method with <null>
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Received instance of SpNegoState (negstate= initial, mechanism.oid= null)
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Acquiring credentials for realm DOMAIN.COM
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Looking for credentials for realm DOMAIN.COM
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Looking for credentials for sid<sid>02@DOMAIN.COM in {sid<sid>02@DOMAIN.COM=[GSSCredential:
    sid<sid>02@DOMAIN.COM 1.2.840.113554.1.2.2 Accept [Kerberos Principal sid<sid>02@DOMAIN.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 51 4C AE AE 92 4C 04 07
    ]]}
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~urity.authentication.loginmodule.spnego Found cached credentials for sid<sid>02@DOMAIN.COM [GSSCredential:
    sid<sid>02@DOMAIN.COM 1.2.840.113554.1.2.2 Accept [Kerberos Principal sid<sid>02@DOMAIN.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 51 4C AE AE 92 4C 04 07
    ]]
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Credentials for realm DOMAIN.COM successfully acquired: sid<sid>02@DOMAIN.COM
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule Access Denied - responseHeader is NULL
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~es.security.authentication.logincontext Login module com.sap.security.core.server.jaas.SPNegoLoginModule from authentication stack ticket does not authenticate the caller.
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.login() Entering method
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.BasicPasswordLoginModule No user name provided.
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.login() Entering method
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule No authenticated user found.
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with false
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~engine.services.security.authentication Exception : Cannot authenticate the user.
    java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:158)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.forceLoggedInUser(SAPJ2EEAuthenticator.java:234)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.forceLoggedInClientUser(ClientUserFactory.java:114)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.checkAuthentication(ClientUserFactory.java:263)
    at com.sap.tc.webdynpro.services.sal.um.api.WDClientUser.checkAuthentication(WDClientUser.java:217)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.checkAuthentication(RequestManager.java:631)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:144)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.forceLoggedInUser(SAPJ2EEAuthenticator.java:234)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.forceLoggedInClientUser(ClientUserFactory.java:114)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.checkAuthentication(ClientUserFactory.java:263)
    at com.sap.tc.webdynpro.services.sal.um.api.WDClientUser.checkAuthentication(WDClientUser.java:217)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.checkAuthentication(RequestManager.java:631)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:144)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~icket.EvaluateTicketLoginModule.abort() Entering method
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Internal Login Module data has been reset.
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~module.ticket.EvaluateTicketLoginModule Exiting method with true
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule set Response Status 401
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~on.loginmodule.spnego.SPNegoLoginModule set Header WWW-Authenticate = Negotiate
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.abort() Entering method
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with true
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~.ticket.CreateTicketLoginModule.abort() Entering method
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~inmodule.ticket.CreateTicketLoginModule Exiting method with true
    10:43:33:058 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~es.security.authentication.logincontext LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    
    Login Module Flag Initialize Login Commit Abort Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
    #1 trusteddn1 = CN=<SID>
    #2 trustediss1 = CN=<SID>
    #3 trustedsys1 = <SID>,010
    #4 ume.configuration.active = true
    2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
    #1 com.sap.spnego.creds_in_thread = true
    #2 com.sap.spnego.jgss.name = sid<sid>02@DOMAIN.COM
    #3 com.sap.spnego.uid.resolution.attr = uniquename
    #4 com.sap.spnego.uid.resolution.dn = dn
    #5 com.sap.spnego.uid.resolution.mode = prefixbased
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
    #1 ume.configuration.active = true
    4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
    5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
    #1 ume.configuration.active = true
    10:43:33:058 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~es.security.authentication.programmatic getLoggedInUser
    [EXCEPTION]
    com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:178)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.forceLoggedInUser(SAPJ2EEAuthenticator.java:234)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.forceLoggedInClientUser(ClientUserFactory.java:114)
    at com.sap.tc.webdynpro.serverimpl.wdc.um.ClientUserFactory.checkAuthentication(ClientUserFactory.java:263)
    at com.sap.tc.webdynpro.services.sal.um.api.WDClientUser.checkAuthentication(WDClientUser.java:217)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.checkAuthentication(RequestManager.java:631)
    at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:144)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
    at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.security.core.server.jaas.DetailedLoginException: Access Denied. No authorization header received.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:175)
    ... 38 more
    
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser ume.logon.use_https=false
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser ume.logon.use_https_redirect=false
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser invokedURL=/webdynpro/dispatcher/sap.com/tc~lm~webadmin~mainframe~wd/WebAdminApp
    10:43:33:058 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser forceLoggedInUser(): Redirecting to: /logon/logonServlet?redirectURL=%2Fwebdynpro%2Fdispatcher%2Fsap.com%2Ftc%7Elm%7Ewebadmin%7Emainframe%7Ewd%2FWebAdminApp
    10:43:33:058 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_23 ~tication.programmatic.forceLoggedInUser Exiting method
    10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~thentication.logonapplication.initBeans LogonLocaleBean and LogonMessageBean created
    10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~thentication.logonapplication.initBeans LanguagesBean created
    10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~ication.logonapplication.executeRequest No command found, forwarding to umLogonPage
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~entication.programmatic.getLoggedInUser Entering method with (com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacade@6d7689e8, com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletResponseFacade@158167d)
    10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~entication.programmatic.getLoggedInUser no user in session, relogin
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~.EvaluateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@4b763dd2)
    10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true, trustediss1=CN=<SID>, trusteddn1=CN=<SID>, trustedsys1=<SID>,010}].
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@3fd4ccb2
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@2bcadadb
    10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, trustediss1=CN=<SID>, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, trusteddn1=CN=<SID>, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, trustedsys1=<SID>,010, password=}].
    10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule The options of EvaluateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, trustediss1=CN=<SID>, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, trusteddn1=CN=<SID>, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, trustedsys1=<SID>,010, password=}].
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule Exiting method
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~et.CreateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@4b763dd2, {System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, {ume.configuration.active=true})
    10:43:33:073 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true}].
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:073 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:073 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@12e67653
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@58624cd6
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule Exiting method
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~et.CreateTicketLoginModule.initialize() Entering method with (Subject:
    , javax.security.auth.login.LoginContext$SecureCallbackHandler@4b763dd2, {System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, {ume.configuration.active=true})
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack are: [{ume.configuration.active=true}].
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~t.constructor(Map, Properties, boolean) Entering method with ({System-ID=<SID>, sap.security.auth.configuration.name=ticket, sap.security.auth.context.object=[Security Context : [Security Session (0) for J2EE_GUEST created at Thu Nov 13 10:40:15 CST 2008]]}, <null>)
    10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket got [ume.configuration.active]: [true]
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@1da2a2ef
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~n.loginmodule.ticket.getMergedOptions() Entering method
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.ticket Exiting method with [Ljava.lang.Object;@2077081c
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after merge with UME properties are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule The options of CreateTicketLoginModule in [ticket] authentication stack after adding the default values are: [{ume.configuration.active=true, system=<SID>, client=997, j_authscheme=basicauthentication, inclcert=0, ume.logon.httponlycookie=true, alias=SAPLogonTicketKeypair, sap.security.auth.configuration.name=ticket, ume.logon.security.enforce_secure_cookie=false, validity=10, keystore=TicketKeystore, password=}].
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~inmodule.ticket.CreateTicketLoginModule Exiting method
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~icket.EvaluateTicketLoginModule.login() Entering method
    10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule Received no SAPLogonTicket. Authentication stack: [ticket].
    10:43:33:089 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~module.ticket.EvaluateTicketLoginModule Exiting method with <null>
    10:43:33:089 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~on.loginmodule.spnego.SPNegoLoginModule Creating new instance of SpNegoState (negstate= initial, mechanism.oid= null)
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~on.loginmodule.spnego.SPNegoLoginModule Acquiring credentials for realm DOMAIN.COM
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.spnego Looking for credentials for realm DOMAIN.COM
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.spnego Looking for credentials for sid<sid>02@DOMAIN.COM in {sid<sid>02@DOMAIN.COM=[GSSCredential:
    sid<sid>02@DOMAIN.COM 1.2.840.113554.1.2.2 Accept [Kerberos Principal sid<sid>02@DOMAIN.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 51 4C AE AE 92 4C 04 07
    ]]}
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~urity.authentication.loginmodule.spnego Found cached credentials for sid<sid>02@DOMAIN.COM [GSSCredential:
    sid<sid>02@DOMAIN.COM 1.2.840.113554.1.2.2 Accept [Kerberos Principal sid<sid>02@DOMAIN.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 51 4C AE AE 92 4C 04 07
    ]]
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~on.loginmodule.spnego.SPNegoLoginModule Credentials for realm DOMAIN.COM successfully acquired: sid<sid>02@DOMAIN.COM
    10:43:33:089 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_31 ~on.loginmodule.s
    - Great Overview
      2008-11-13 23:00:07 Holger Bruchelt Business Card [Reply]
      
      Hi Eric,
      
      usually a form would be a better place to poast such long logs.
      
      Did you set the krb5principal name for all the users you wanted to log on?.
      
      Regards,
      
      Holger.
      - Great Overview
        2008-11-14 07:31:58 Eric Green Business Card [Reply]
        
        Holger,
        I have set the krb5principal custom attribute to blank (nothing, the LDAP user ID, LDAPID@Domain.com, the connect user to the LDAP (sid<sid>02@Domain.com in my case)...
        
        all with no success.
        
        any other thoughts?
        
        have a good weekend!
        Eric
        
        Great Overview
        2008-11-17 12:34:53 Holger Bruchelt Business Card [Reply]
        
        Hi Eric,
        
        can you sent me an email and we can discuss this that way? I guess this will be easier than using the comment section of this blog...
        
        Regards,
        
        Holger.

In conclusion...
2008-08-01 09:00:00 Roberto Mariani Business Card [Reply]

Very nice blog, it's very usefull.

We have Ep70 with ABAp+Java and we followed the suggestions on the blog and it seems working but I have some questions:

Please which is the final advantage to use the SPnego Wizard in an Abap+Java scenario with an ABAP userstore ?

I mean, if we start from ABAP+JAVA instance with an ABAP datasource and we are aware now that it cannot be changed, the logon to the EP is always done via users created and managed in the ABAP stack. That also using the SPnego wizard.

At the end we have to continue anyway to create and manage users in the ABAP stack.

I'm not very expert in this problem, probabily I miss something.

regards
- In conclusion...
  2008-08-01 09:07:53 Holger Bruchelt Business Card [Reply]
  
  Hi Roberto,
  
  I agree. When there is no real reason to connect the portal to an ABAP system I personally would also not user the ABAP userstore, but choose any other. By that you are much more flexible.
  However, there can be situations where the usage of ABAP+Java is already given and you still want to use SPNego.
  
  Hope this help,
  
  Holger.

ABAP Datasource
2008-06-29 00:36:46 HP Administrator Business Card [Reply]

My current setup is ABAP+JAVA Stack and using ABAP as my datasource. while configuring SPNego I get stuck with xml file upload. Though I have "dataSourceConfiguration_ads_readonly_db_with_krb5.xml" as my additional xml file and uploaded in UME LDAP Data (Configtool), I still dont see selectable drop down in "Configuration File" list.

Do I miss something here?
- ABAP Datasource
  2008-06-30 01:29:30 Holger Bruchelt Business Card [Reply]
  
  Hi,
  
  currently you are using the dataSourceConfiguration_ABAP, right? Then there is no supported way to switch to _ADS_read_only. But you do not have to switch to another datasource if you want to use SPNego. Just follow the blog above and use _ABAP.
  
  Hope this helps,
  
  Holger.

missing mapping attribute field in wizard
2008-06-04 09:00:48 Martina Amrein Business Card [Reply]

Hello Holger,

i have the same problem as Sandro.

If you have a solution, please can you explain this.

kind regards and thank you,
my email: Martina_amrein@web.de
- missing mapping attribute field in wizard
  2008-06-10 04:30:13 Holger Bruchelt Business Card [Reply]
  
  Hi Martina,
  
  sorry for the long delay. Please make sure that you have deployed the files sap.com~tc~sec~auth~jmx~ear.ear and sap.com~tc~sec~auth~spnego~wizard.ear from the SPNego wizard. Also make sure that the additional attribute is set in the configtool.
  I just checked this on a new installed J2EE 7.0 SP9 and it worked without problems.
  
  Regards,
  
  Holger.

missing mapping attribute field in wizard
2008-05-20 07:41:33 SANDRO COCO Business Card [Reply]

Hi Holger,

I am followind your instructions but even if I am able to see krb5principalname in useradmin after restarting J2EE, it is missing in SPNego wizard.
Do I miss something?

Thank you very much!
Kind regards
Sandro
- missing mapping attribute field in wizard
  2008-05-20 08:01:21 SANDRO COCO Business Card [Reply]
  
  Sorry I try to explain myself better... what I miss is the field "mapping attribute" in first SPNego wizard step, so I cannot put krb5principalname there.
  
  Many thanks
  Sandro
  - missing mapping attribute field in wizard
    2008-05-20 11:35:46 Holger Bruchelt Business Card [Reply]
    
    Hi Sandro,
    
    I will contact you via email. Maybe we can solve this offline.
    
    Regards,
    
    Holger.
    - missing mapping attribute field in wizard
      2008-05-25 05:47:06 Boaz Paz Business Card [Reply]
      
      Hello Holger,
      
      I am having the same problem as Sandro.
      
      If you have a solution for Sandro I would like to know it.
      My email is boaz.paz@hp.com
      
      Thanks
      Boaz
      - missing mapping attribute field in wizard
        2008-06-17 01:29:32 Holger Bruchelt Business Card [Reply]
        
        Hi,
        
        just a quick update from my side. From NetWeaver 7.0 SPS 14 on the field "mapping attribute" in the first Wizard screen is no longer available -- but this is fine. You don't need it.
        
        Regards,
        
        Holger.
        
        missing mapping attribute field in wizard
        2008-06-25 10:38:24 Muhammed Ali Business Card [Reply]
        
        Hi Mr Holger,
        
        I have tried to follow this blog, which is very simple and useful.
        
        But I have come across with an issue which I am not getting a clue about.
        
        Could you please have a look at my post
        
        https://www.sdn.sap.com/irj/sdn/thread?threadID=935997&tstart=0

Which resolution mode to use?
2008-05-16 00:43:39 Boaz Paz Business Card [Reply]

Hi Holger,
On our site the username in Active Directory will be for example paz.boaz and also the same in SAP.
However the problem arises for users with more then 12 characters in their AD username. For example: User in AD = steinberg.micheal
User in SAP = steinberg.mich
This because of SAP 12 character limitation for username.

How should I attack this problem? Aside from the option of shortening their userrname in AD?
What resolution mode should I use? I heard of an option of 'manual mapping' of users from AD to ABAP but I do not understand where this mapping fits?

Thanks
Boaz
- Which resolution mode to use?
  2010-02-18 10:24:18 Eric Poellinger Business Card [Reply]
  
  Hello Boaz - I was curious if you ever decided on an approach for the 12 character limitation?
  
  I saw an earlier post to match based on email address which does not have the limitation but have not tried it yet!
- Which resolution mode to use?
  2009-05-20 03:52:33 Dawid Breet Business Card [Reply]
  
  Hi Boaz
  
  I am also struggling with long usernames in AD when using prefixedbased resolution mode.
  
  Did you manage to get a solution for your problem?
  
  thanks
  
  Dawid
  - Which resolution mode to use?
    2010-02-18 10:25:19 Eric Poellinger Business Card [Reply]
    
    Hello Dawid - what did you end up doing?

prefix based or simple?
2008-03-11 06:23:52 Renato Moltrasio Business Card [Reply]

Hello Holger,

in the oss note regarding this configuration it is told to use simple resolution mode. Here you suggest to use prefix based one.
Can you explain the difference or why you write to use prefix based?

Anyway very good and useful blog series!
thnx
Renato
- prefix based or simple?
  2008-03-11 06:37:03 Holger Bruchelt Business Card [Reply]
  
  Hi Renato,
  
  "simple" will probably work as well...
  Usually I connect the J2EE Engine to an ADS and in this case I prefer the prefix based resolution mode. In prefix-based mode the username received is split up in two parts: kpn_prefix and kpn_suffix (e.g. when the username d044410@DOMAIN is received it is split in kpnprefix=d044410 and kpnsuffix=domain).
  Then the J2EE Engine tries to find the username d044410 in the UME. If this lookup is successful then everything is fine (and this is the same way as the simple resolution mode would work). If you chose prefix-based -- and the lookup was not successful/not unique -- then the J2EE Engine uses the kpn_suffix to try a unique lookup.
  
  So, just old habit: in this case you can use simple, but I prefer prefix-based...
  
  Regards,
  
  Holger.
  - prefix based or simple?
    2009-06-23 04:13:26 Przemyslaw Siudzinski Business Card [Reply]
    
    Hello
    I noticed very significant difference between Simple and prefix-based resolution mode:
    
    when i used prefix-based, SPNego worked only when ABAP user name was equal to ADS user name.
    When i changed to simple mode, and changed from uniquename to krb5principalname, then the authorization worked for every user with mapped ADS account name.
    
    Hope this helps to others who will configure spnego in future :)

Well done Holger
2008-03-11 01:58:48 Mike Fröhlich Business Card [Reply]

Hi Holger,

read your blog today and was glad reading this, as it covers an actual problem.

hope 2 hear (read) from you soon,

Mike

Nice one...
2008-03-11 00:04:26 Stefan Schwing Business Card [Reply]

Hi Holger,

great blog series, keep 'em coming ;-)

Best,
Stefan

Showing messages 1 through 79 of 79.

Configuring SPNego with ABAP datasource Holger Bruchelt Business Card Company: SAP AG Posted on Mar. 10, 2008 12:03 PM in ABAP, Application Server, Enterprise Portal (EP), SAP NetWeaver Platform

Configuring SPNego with ABAP datasource
Holger Bruchelt
Business Card
Company: SAP AG
Posted on Mar. 10, 2008 12:03 PM in ABAP, Application Server, Enterprise Portal (EP), SAP NetWeaver Platform