Former Member

SPNego Wizard available for everybody

Dear experts!

We've found that the SPNego Wizard is available directly by URL http://<hostname>:port/spnego and is not restricted by password.

Everybody who has a user account, even without any roles and permissions, can access the wizard page only by entering the password and

make any changes, for example delete realms or the Keytab certificate.

Could you advise us how to close this hole?


1 Answer

  • Sep 19, 2014 at 07:32 AM

    Hello,

    I suppose you are talking about SAP NetWeaver Java?

    I could not reproduce your problem. If I log in with a simple user I get "You do not have permission to administrate SPNEGO".

    Possibly the user has additional rights (see Identity Management: Assigned Roles and Assigned Groups), or the permissions within the default groups (Authenticated Users, Everyone) were changed.

    That may also be valid if an LDAP/Active Directory is attached to the UME and an LDAP group the user is a member of (e.g. AD: "Domain Users") has some admin roles assigned.

    You also get logged in "automatically" if you have already logged in with an administrator account in the NetWeaver Administrator (NWA) and open another NWA page (e.g. SPNego) in the same web browser. This works as designed.

    Please check again.

    Regards / Kind regards,

    Frank

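As an added example that is not part of the original thread, the Python model below walks the assignment paths Frank lists (direct roles, roles on groups, the default groups Everyone and Authenticated Users, and an LDAP group such as "Domain Users") and reports which assignment gives a user an administrator role; all user, group and role names are constructed, nested group membership is assumed, and this is not the UME API.

```python
# Added example, not code from the original post or from SAP: a minimal model of
# how a UME user can hold an admin role without any role assigned directly.
# Every identifier below is constructed for illustration.
from collections import deque

# Default groups that every logged-in user implicitly belongs to (per the answer above).
DEFAULT_GROUPS = ("Everyone", "Authenticated Users")


def effective_roles(user, user_roles, user_groups, group_roles, group_parents):
    """Return {role: origin} for every role the user holds.

    origin is 'direct' for a role assigned to the user, otherwise the name of
    the (possibly nested, possibly LDAP-sourced) group that carries the role.
    """
    result = {}
    for role in user_roles.get(user, ()):
        result.setdefault(role, "direct")
    # Breadth-first walk over group membership; nested groups are assumed.
    seen = set()
    queue = deque(list(user_groups.get(user, ())) + list(DEFAULT_GROUPS))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for role in group_roles.get(group, ()):
            result.setdefault(role, group)
        queue.extend(group_parents.get(group, ()))
    return result


def who_grants(user, role, *tables):
    """Name the assignment that grants `role` to `user`, or None if it is not held."""
    return effective_roles(user, *tables).get(role)


# Constructed sample tenant: an LDAP group "Domain Users" was given Administrator,
# so every domain account inherits it even with no direct role assignment.
USER_ROLES = {"admin01": {"Administrator"}}
USER_GROUPS = {"jdoe": {"Domain Users"}, "plain": set()}
GROUP_ROLES = {"Domain Users": {"Administrator"}, "Authenticated Users": {"EndUser"}}
GROUP_PARENTS = {}
TABLES = (USER_ROLES, USER_GROUPS, GROUP_ROLES, GROUP_PARENTS)


def audit_admin_paths(users, tables=TABLES, admin_role="Administrator"):
    """Map each user that holds admin_role to the assignment that grants it."""
    found = {u: who_grants(u, admin_role, *tables) for u in users}
    return {u: origin for u, origin in found.items() if origin is not None}
```

Running the audit over a tenant's user list shows at a glance whether an admin role leaks in through "Everyone", "Authenticated Users" or a broad directory group rather than an explicit assignment.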