Hello,
I am attempting to enable SSO for an application and have limited visibility into the HANA side of things. I have the authentication trace, and though I understand what the strings mean in general, I'm hoping to get a more verbose description and understanding of the entire process.
Relevant snippet:
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.723751 i Authentication ManagerAcceptor.cpp(00206) : Extending list of expected external names by someusername@somecompany.com (method: GSS)
[68075]{-1}[35/-1] 2016-05-24 19:19:11.723977 i Authentication AuthenticationInfo.cpp(00211) : Found no user with expected external name!
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724049 d Authentication ManagerAcceptor.cpp(00273) : Injecting logon name into method:
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724054 d Authentication MethodGSSAcceptor.cpp(00047) : ENTER evaluate, status=INITIAL
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724065 d Authentication MethodGSSAcceptor.cpp(00152) : parseInput: mechanism=Kerberos 5
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724081 d Authentication MethodGSSAcceptor.cpp(00179) : checkUserPrincipalName: name type=GSS_KRB5_NT_PRINCIPAL_NAME
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724084 w Authentication MethodGSSAcceptor.cpp(00193) : checkUserPrincipalName: User Principal Name != External Name! UPN=someusername@somecompany.com, EN=
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724087 w Authentication MethodGSSAcceptor.cpp(00070) : evaluate: check UPN failed
...
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725645 i Authentication SAMLAuthenticator.cpp(00400) : Unable to verify XML signature
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725658 d Authentication ManagerAcceptor.cpp(00273) : Injecting logon name into method:
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725675 d Authentication SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: /usr/sap/HD1/HDB01/somehost.somesite.somecompany.com/sec/saplogonSign.pse
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725749 w Authentication SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725755 d Authentication SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>/usr/sap/HD1/HDB01/somehost.somesite.somecompany.com/sec/saplogonSign.pse<<<
What I want to understand is if, when the service account connects to HANA on behalf of the user using the application, the failure for the service account to be identified switches to the credentials for that particular user that is initially represented by the service account. I can see the UPN doesn't match the external name and it fails, but is that for the service account or is the second "Injecting logon name into method" the switch to the other credentials? Specifically, if it's failing early in this process, is it continuing through these steps, guaranteed to fail, or is it iterating through other options (i.e., first tries service account, fails, then passes user credentials)?
Last of all, the message that "the base64 decode of the received ticket failed" suggests the ticket is not properly formatted. Is this the case with this message or do the cumulative failures above return this, as it results in inability to even get so far as to decode it?
I am relatively new to HANA so please forgive my ignorance. Any help anyone can offer is appreciated.
R
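
Added example, not part of the original post and not SAP code: a small Python parser for trace lines like the ones quoted above. It groups the non-debug messages by the source file that logged them and pulls the UPN and external name (EN) out of the checkUserPrincipalName warning. The field layout is an assumption inferred from the quoted lines, and the function names are hypothetical.

```python
import re

# Layout inferred from the trace lines in the post (an assumption, not SAP documentation):
# [id]{id}[id/id] date time level component source.cpp(line) : message
LINE_RE = re.compile(
    r"^\[\d+\]\{-?\d+\}\[-?\d+/-?\d+\]\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<level>[a-z])\s+(?P<component>\S+)\s+"
    r"(?P<source>[\w.]+)\((?P<line>\d+)\)\s+:\s?(?P<msg>.*)$"
)
UPN_RE = re.compile(r"UPN=(?P<upn>[^,]*),\s*EN=(?P<en>.*)$")

# Lines copied from the trace quoted in the post (a subset, already anonymised there).
SAMPLE = """\
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.723751 i Authentication ManagerAcceptor.cpp(00206) : Extending list of expected external names by someusername@somecompany.com (method: GSS)
[68075]{-1}[35/-1] 2016-05-24 19:19:11.723977 i Authentication AuthenticationInfo.cpp(00211) : Found no user with expected external name!
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724054 d Authentication MethodGSSAcceptor.cpp(00047) : ENTER evaluate, status=INITIAL
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724084 w Authentication MethodGSSAcceptor.cpp(00193) : checkUserPrincipalName: User Principal Name != External Name! UPN=someusername@somecompany.com, EN=
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.724087 w Authentication MethodGSSAcceptor.cpp(00070) : evaluate: check UPN failed
...
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725645 i Authentication SAMLAuthenticator.cpp(00400) : Unable to verify XML signature
[68075]{-1}[-1/-1] 2016-05-24 19:19:11.725749 w Authentication SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281
"""

def parse_trace(text):
    """Return one dict per well-formed trace line; '...' and other noise are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def non_debug_by_source(entries):
    """Group every non-debug message by the source file that logged it, in first-seen order."""
    grouped = {}
    for e in entries:
        if e["level"] != "d":
            grouped.setdefault(e["source"], []).append((e["level"], e["msg"]))
    return grouped

def upn_mismatches(entries):
    """Return (UPN, external name) pairs from checkUserPrincipalName warnings."""
    hits = (UPN_RE.search(e["msg"]) for e in entries)
    return [(m["upn"], m["en"].strip()) for m in hits if m]

if __name__ == "__main__":
    entries = parse_trace(SAMPLE)
    for source, msgs in non_debug_by_source(entries).items():
        print(source, *(f"\n  [{lvl}] {msg}" for lvl, msg in msgs))
    print(upn_mismatches(entries))
```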