Portal Authentication Against AD with ABAP UME

Former Member
0 Kudos

I have a stand-alone portal system with an ABAP system as its UME.  Both are ERP 6.0 EHP7 SPS01 on Windows 2008 R3 and MSSQL 2008 R2.  The ABAP system is connected to our Active Directory with read-only authorization. 

I have now configured the Java system to authenticate against Active Directory instead of the ABAP system according to the online documentation.  If a user exists in both AD and SAP, the AD password is now used to successfully log into the portal.  If the user doesn't exist in SAP, the portal authentication fails whether the user exists in AD or not.  So far so good.

My problem is the case where the user exists in SAP, but not in AD.  According to the documentation, the authentication should now be carried out against SAP only.  But the session hangs up and eventually times out, regardless of whether the password is correct or not.  I can't see anything in the ABAP or Java logs.  Has anybody seen this before, or does anybody have an idea what to do to figure it out?

Accepted Solutions (1)

Former Member
0 Kudos

After more than 3 months of back and forth, I finally got a fix from SAP.  It will be released with note 2008475.

Thank you again to everybody that helped.

Susan Haenicke

Former Member
0 Kudos

Thank you for sharing the solution.

Answers (1)

Former Member
0 Kudos

Can you reproduce the problem while the Security Troubleshooting Wizard is running?

Former Member
0 Kudos

Thank you for your response.  Yes, I can and did this morning.  Please see the attached file.  I started the test at 9:05 am and it timed out 10 minutes later.

Former Member
0 Kudos

Thanks, the trace looks a bit weird to me. I don't see any reference to authentication APIs. Did you really use the Security Troubleshooting Wizard? Use Incident type Authentication, Start Diagnostics, reproduce error, Stop Diagnostics and then press Download Zip Archive. Inside the Zip archive you should find a directory and inside it a file called diagtool_XXX_XXX.html sized at least 50-100 kilobytes. Attach that file either as HTML or convert to TXT before attaching.

Former Member
0 Kudos

Please remove the attachments immediately as they contain sensitive information including passwords. Before sending attachments, remove/replace sensitive information. Meanwhile, I got the traces and I will analyze them.

sunny_pahuja2
Active Contributor
0 Kudos

Guys,

I would request that you please not put confidential data here, as this is a public site.

Thanks,

Sunny

Former Member
0 Kudos

I'm sorry.  It didn't even occur to me to check.  That was amazingly stupid.  Thanks for catching it.

Former Member
0 Kudos

No problem.

About the traces, I can see UME trying to query LDAP for the user

12:14:59:212 Debug J2EE_GST_EP6 HTTP Worker [@1733154494],5,...
...ication.vuser.VirtualUserDataSource
searchPrincipalDatabags ***************************************************************************
* com.sap.security.core.persistence.imp.SearchCriteria
* looking for: "UACC" on all repositories.
* Using AND mode without size limit.
*
* com.sap.security.core.usermanagement|->PRINCIPAL_TYPE_ATTRIBUTE EQUALS UACC (case sensitive)
* com.sap.security.core.usermanagement|->j_user EQUALS testsusan (not case sensitive)
***************************************************************************
found nothing.

12:14:59:288 Debug J2EE_GST_EP6 HTTP Worker [@1733154494],5,...
...ication.vuser.VirtualUserDataSource
Populate principal databag failed as principal was not found.

After that nothing. I suspect there is a bug in the BC-JAS-SEC-UME component or even the logon component not reacting to the result. Have you involved SAP support? If not, please do and attach the traces you sent earlier.

Former Member
0 Kudos

No, I haven't involved support yet.  It's usually quicker to get help here.  I will do so now and keep this open until I have a result, so I can share it with the community.

Former Member
0 Kudos

You might want to reference this discussion thread in the customer incident. It at least shows that you have tried to reach out to the community and did the ground work in trying to figure out what is happening.