on 08-14-2016 6:24 PM
Hello all,
I am doing SSO configuration of the EP portal with LDAP.
I have configured UME to use LDAP and configured SPNego in the EP portal. Do I need any more configuration for SSO?
Is it possible to change the LDAP user path in identity management?
I have configured UME to connect to the LDAP server, but I chose the wrong user path.
My user in the domain controller is not on this path.
Thanks for any help
Reza
Dear Reza,
Hope you are doing good.
You can just make the change in the UME datasource configuration file. For example:
*******************************************************************
<ume.ldap.access.base_path.grup>OU=GenericGroups,OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.grup>
<ume.ldap.access.base_path.user>OU=GenericUsers,OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.user>
<ume.ldap.access.base_path.uacc>OU=GenericUsers,OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp</ume.ldap.access.base_path.uacc>
*******************************************************************
Then restart for the changes to take effect.
Hope this helps.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content
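A quick way to confirm that a user's distinguished name actually falls under the configured user base path, as an added example that is not part of the original thread or SAP's own code. It assumes the three elements above are wrapped in a hypothetical `<privateSection>` root and that the search covers the whole subtree below the base path; the function names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

PREFIX = "ume.ldap.access.base_path."
BASE = "OU=DSSLDAP,DC=dev98,DC=dev-wdf,DC=sap,DC=corp"
# Constructed input: the three elements from the post above, wrapped in a
# hypothetical <privateSection> root so the fragment parses on its own.
SAMPLE_CONFIG = f"""<privateSection>
<{PREFIX}grup>OU=GenericGroups,{BASE}</{PREFIX}grup>
<{PREFIX}user>OU=GenericUsers,{BASE}</{PREFIX}user>
<{PREFIX}uacc>OU=GenericUsers,{BASE}</{PREFIX}uacc>
</privateSection>"""


def split_dn(dn):
    """Return the DN as a list of lower-cased (attribute, value) RDN pairs.

    Simplification: splits on commas not preceded by a backslash; multi-valued
    RDNs ('+') and hex-escaped values are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def base_paths(xml_text):
    """Map 'user' / 'grup' / 'uacc' to the base DN configured for it."""
    root = ET.fromstring(xml_text)
    return {el.tag[len(PREFIX):]: (el.text or "").strip()
            for el in root.iter() if el.tag.startswith(PREFIX)}


def is_under(entry_dn, base_dn):
    """True when entry_dn lies strictly below base_dn in the directory tree."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base


def user_is_visible(xml_text, user_dn):
    """Assumed subtree search: is user_dn below the configured user base path?"""
    return is_under(user_dn, base_paths(xml_text)["user"])
```

Pass the user's DN exactly as the directory reports it; a `False` result means the account sits outside the configured user base path.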
Dear Hemanth,
Thanks for the reply. I have actually done this and it is working.
I need some advice on the SSO connection. I am on EP Portal 7.31, last SP.
I have done the configuration in identity management so UME has contact with LDAP, and I configured SPNego.
Now I cannot log in to the Portal with my LDAP user. SSO is not working.
Did I forget something?
The only thing I have not done is add the server name to the browser security sites, because that is greyed out.
Thanks
Reza
Dear Reza,
Only the trace files will help us here. Kindly run the web diag tool as outlined in SAP Note No. 1332726 - Troubleshooting Wizard SAP AS Java 7.20 and above with incident "General Security" and reproduce the issue. Click on Start, reproduce the error, click on Stop and attach to this message the zip file generated. Also attach the below files when you have reproduced the issue, along with the diagtool output:
/usr/sap/<SID>/J<nr>/j2ee/cluster/server0/logs/default trace (latest).
Hope this helps.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content
Dear Reza,
Hope you are doing good.
Thank you for the logs. They have been very helpful. The error is:
*****************************************
NTLM token found in authorization header during SPNEGO authentication
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true NTLM token received in authorization header.
*****************************************
Can you please review and apply the following SAP Note: 1649110 - SPNego for Kerberos Authentication: NTLM token received in authorization header.
In such cases the issue is either with your browser or Active directory configuration.
Hope this helps.
_ _ _ _ _ _ _ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content
Dear Reza,
In this case, BasicPasswordLoginModule was used and SPNEGO was bypassed:
*******************************************************************
Logon is successful.
22:11:25:756 Debug XREJ HTTP Worker [@496326755],5,D... ...ogon(request, response, authscheme) The logon user principal is: XREJ (authentication method: password)
*******************************************************************
Actually SPNEGO failed.
This trace is not valid. Please clear all the cache and login again and trigger a trace if needed.
_ _ _ _ _ _ _ _ _
Kind Regards,
Hemanth
Dear Reza,
Even now, SPNEGO was not used:
*******************************************************************
SPNego authentication has failed during previous attempt.
The logon user principal is: XREJ (authentication method: password)
*******************************************************************
SPNEGO did fail; but this has not been captured.
You have to log off from the OS (so that LDAP log off also happens), then reproduce the issue so that SPNEGO fails.
_ _ _ _ _ _ _ _ _
Kind Regards,
Hemanth
Hi Reza,
Did you check SAP Note 1649110 that I mentioned earlier? In your case, the browser sends a request which contains an NTLM token, instead of a Kerberos one, so AS Java rejects it and as a result the login fails, since AS Java needs a Kerberos token for the authentication. Please contact the domain controller vendor and the browser vendor in order to check why the browser sends an NTLM token to AS Java, instead of a Kerberos one.
I am not sure whether there are any more steps from the SAP Application Server JAVA end.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content
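To see which kind of token the browser is sending, the `Authorization` header captured from an HTTP trace can be classified offline. The following is an added example, not part of the original thread or of SAP's tooling; the function name and the sample headers are constructed, and the "first mechanism OID wins" rule is a heuristic for the initial token only.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")         # 1.2.840.113554.1.2.2
MECH_OIDS = {
    KRB5_OID: "kerberos",
    bytes.fromhex("06092a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",     # 1.3.6.1.4.1.311.2.2.10
}


def classify_authorization(header_value):
    """Classify the value of an HTTP Authorization header.

    Returns 'kerberos', 'ntlm', 'not-negotiate', 'malformed' or 'unknown'.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # A bare NTLM message inside "Negotiate" is the case the trace reports.
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # Initial GSS-API / SPNEGO tokens start with ASN.1 tag 0x60.
    if raw[:1] != b"\x60":
        return "unknown"
    # Heuristic: the mechanism OID that appears first is the preferred one.
    hits = [(raw.find(oid), name) for oid, name in MECH_OIDS.items() if oid in raw]
    return min(hits)[1] if hits else "unknown"


def _header(raw_token):
    """Build a constructed header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")


# Constructed samples: truncated token prefixes, not real credentials.
NTLM_SAMPLE = _header(NTLMSSP_SIGNATURE + bytes.fromhex("0100000007820800") + bytes(16))
KERBEROS_SAMPLE = _header(bytes.fromhex("60820100") + SPNEGO_OID
                          + bytes.fromhex("a030") + KRB5_OID + bytes(8))
```

A result of `ntlm` for the header sent to the portal matches the "NTLM token received in authorization header" condition described in SAP Note 1649110.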
Dear Hemanth,
Thanks again for the reply.
Yes, I did check the mentioned note.
I will contact the domain controller vendor and ask them to run the ldifde -r command and check the result for the AD system user.
And contact the browser vendor too.
I am wondering if it is possible to delete the SPNego connection and recreate it with the wizard again.
Thanks
Reza