We are using SAP Enterprise Portal (EP 7.0 SP 16) with SPNEGO set up against Microsoft AD. But sometimes SSO does not function properly and the SAP portal prompts with the logon pad. We have checked all SAP-related settings and found all configurations are correct. This happens intermittently. We traced the error with the SAP diagnostic tool and found that this occurs because the IE browser sends NTLM instead of Kerberos when it cannot obtain a Kerberos token from the Microsoft Key Distribution Center (MS KDC).
The error trace message is below. The trace file is also attached.
----------------------------------------------------------------------
NTLM token found in authorization header during SPNego authentication
Authentication failed. Error during handshake. Check the trace file for details.
----------------------------------------------------------------------------------
We checked all settings as per Knowledge Base Article (KBA) 1649110 and the referenced SAP notes 934138 and 1313880 and found all settings are correct. We should also mention that we have three SAP EP portal servers (Development, Test and Production). All these systems have independent configurations and settings at the SAP end. However, whenever we observe this problem, it happens with all three systems simultaneously, i.e. none of the portals can be accessed successfully via SSO. This makes us believe that there can be issues outside the SAP environment which cause this sudden failure of SSO.
Landscape Technical Details:
SAP Application: SAP Enterprise Portal 7.00 (SP16)
SAP Application OS : Suse Linux 10
Microsoft AD server: Windows 2008 R2
Desktop OS : Windows 7
IE version : 8
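
The following is an added example, not part of the original post and not SAP code: a way to confirm from a captured `Authorization` header whether the browser sent a Kerberos ticket or fell back to NTLM, which is the condition the trace message above reports. The function and helper names are hypothetical, the sample tokens are constructed, and the check is a heuristic byte match on well-known markers rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs and the NTLMSSP message signature.
NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'unknown', 'malformed' or 'other-scheme'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if not token:
        return "malformed"
    # Raw NTLMSSP message under Negotiate: the browser fell back to NTLM.
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"
    # GSS-API initial token: application tag 0x60, then a mechanism OID.
    if token[0] == 0x60:
        head = token[:64]
        if OID_KRB5 in head or OID_MS_KRB5 in head:
            return "kerberos"
        if OID_SPNEGO in head and NTLMSSP_SIG in token:
            return "ntlm"  # SPNEGO wrapper that only carries NTLM
    return "unknown"


def tlv(tag, body):
    """Sample-building helper: DER tag/length/value, short-form length only."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample tokens (not captured traffic).
_ntlm_type1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes.fromhex("07820000") + bytes(16)
_mech_list = tlv(0xA0, tlv(0x30, OID_MS_KRB5 + OID_KRB5))
_mech_token = tlv(0xA2, tlv(0x04, b"constructed-ticket-bytes"))
_spnego_krb = tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, _mech_list + _mech_token)))
SAMPLES = {
    "fallback": "Negotiate " + base64.b64encode(_ntlm_type1).decode(),
    "kerberos": "Negotiate " + base64.b64encode(_spnego_krb).decode(),
}
```

A quick visual check gives the same answer: a base64 token starting with `TlRMTVNTUAA` is an NTLMSSP message, while a GSS-API/Kerberos token starts with `YI`.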