Symptom
The NetWeaver AS Java is configured for Kerberos authentication. Kerberos authentication fails for some or all clients because the browser sends an NTLM token instead of the SPNego token that is required for successful authentication.
After collecting an authentication trace as per SAP Note 1045019, example 3, the resulting trace shows:
[…]
LOGIN.FAILED
User: <...>
IP Address: <...>
Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd
Authentication Stack Properties:
policy_domain = /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd
realm_name = Upload Protected Area
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false true
[...]
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true true Authorization header received is not SPNEGO token: Basic <user name>:<secure content>
3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true true
4. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true true
Central Checks exception Missing new password
Logon policies are disabled
[…]
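To confirm on the client side what the trace reports, the captured `Authorization` header can be classified by the bytes it carries. The sketch below is an added example, not part of the SAP note: the function names and sample headers are constructed for illustration, and the Kerberos check is a heuristic that looks for the Kerberos mechanism OID in the token.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER for 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER for 1.2.840.113554.1.2.2


def classify_authorization(header_value: str) -> str:
    """Classify an HTTP Authorization header value by what it really carries."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLM sent under the Negotiate scheme
    # GSS-API initial token: tag 0x60, length, then the mechanism OID.
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        # Heuristic: Kerberos is offered if its OID appears in the token.
        return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
    return "unknown"


def constructed_samples() -> dict:
    """Constructed header values, shaped only well enough to be classified."""
    def enc(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")

    inner = SPNEGO_OID + b"\xa0\x0d\x30\x0b" + KRB5_OID  # truncated, not a usable token
    spnego = b"\x60" + bytes([len(inner)]) + inner
    ntlm = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(8)  # NTLM type 1 shape
    return {
        "spnego": "Negotiate " + enc(spnego),
        "ntlm": "Negotiate " + enc(ntlm),
        "basic": "Basic " + enc(b"user:password"),
    }


if __name__ == "__main__":
    for name, value in constructed_samples().items():
        print(f"{name:7s} -> {classify_authorization(value)}")
```

A result of `ntlm` or `basic` corresponds to the SPNegoLoginModule exception in the trace, where the header received was not a SPNEGO token.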
Environment
SAP NetWeaver Application Server Java using SPNego/Kerberos/LDAP authentication
Keywords
LDAP, directory server, AD, ADFS, Windows, Windows AD, active directory, directory service, KBA, BC-JAS-SEC-LGN, Logon, SSO, Problem
About this page
This is a preview of a SAP Knowledge Base Article.