Former Member
Apr 03, 2008 at 02:11 AM

Kerberos Implementation for Laptop Users on IE


Hi,

We tried to implement Kerberos on EP 6 SP 19 with KMC. We have the issue with laptop users in Internet Explorer browsers where the portal URL was added to the Trusted Sites zone. SSO would work inside the company network, but when the laptop user tried from home, they would get a 'Page cannot be displayed' screen instead of the Logon screen for the portal. Microsoft responded with the following -

'This issue was caused by the SAP Portal site being placed into the “Trusted Sites” security Zone.

Within the Trusted sites we will send the “known” authentication methods which are used by this site.

Since the Mobile User machines had been connected to the “trusted” network and had previously obtained Credentials from the Domain controllers (KDC), when they would attempt to contact the site from the “untrusted”, or home locations, they would attempt to pass the same credentials they had earlier used. Since the KDC Domain controllers were not available on the Internet (untrusted networks), in order to provide an updated Kerberos Ticket (the known authentication method used on the “trusted” network), we would try to do a DNS lookup for the KDC. This would fail and we would receive the DNS failure error related to opening the page.'

The solution they suggested was that we use two different URLs.

- One to be used by users when outside the company. This could be an FQDN alias. This would belong to the Trusted Zone with custom security having the option Automatic Logon in Intranet only selected. (This will be referred to as the external URL).

- The second URL, the FQDN, to be placed in the Intranet Zone to be used by users when inside the company. (This will be referred to as the internal URL.)

This solution solves the problem with IE, but we then have the following issues -

1. Users do not type in the portal URL, but select the link from their favorites regardless of whether they are inside or outside the company network.

2. Some of the Knowledge Management and Collaboration features, such as Portal documents sent to users as a link in an email and WebDAV URLs, will only have the external URL on them. This is due to the fact that there can be only one name under Host under the URL Generator Service. This will have to be the external one, as this is the one that is accessible by both internal and external users. SSO does not work in this case, as the URL on the document link will always be the external one; hence all users inside the company (laptop users or not) will be prompted with a logon screen even though they are inside the company network.

With problem 1, is there a way that we can assign just one URL and have the user redirected to the external URL when outside the network and redirected to the internal URL when inside the network? It would also be useful to know how other companies with the same issue are operating.

Any help would be appreciated!!

Thank you,

Lakshmi.
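The two-URL layout Microsoft suggested in the post (external alias in Trusted Sites with "Automatic logon only in Intranet zone", internal FQDN in the Local intranet zone) can be expressed as an IE zone-map configuration. The script below is an added example written for this page, not code from the original post, SAP or Microsoft. It writes the per-user IE registry keys that the Internet Options dialog edits; the two hostnames are placeholders, and the `1A00` logon values are the ones Microsoft documents for the IE security-zone "Logon" setting.

```powershell
# Added example (not from the original post): map the two portal hostnames to
# IE security zones for the current user and set the Trusted Sites zone's
# logon policy so Kerberos/NTLM credentials are only sent automatically
# from inside the Intranet zone.
# Hostnames below are placeholders; replace them with the real names.

$InternalHost = 'portal.corp.example.com'   # placeholder: internal FQDN, Local intranet zone
$ExternalHost = 'portal.example.com'        # placeholder: FQDN alias reachable from the Internet

$IntranetZone = 1   # IE zone id: Local intranet
$TrustedZone  = 2   # IE zone id: Trusted sites

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZonesKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Value name 1A00 is the per-zone "Logon" policy. Documented DWORD values:
#   0x00000  automatic logon with current user name and password
#   0x10000  prompt for user name and password
#   0x20000  automatic logon only in Intranet zone
#   0x30000  anonymous logon
$LogonAutomatic    = 0x00000
$LogonIntranetOnly = 0x20000

function Add-IeZoneMapping {
    # IE stores a site-to-zone mapping as ZoneMap\Domains\<domain>\<host>
    # with one DWORD per URL scheme whose data is the zone id.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Zone,
        [string[]] $Schemes = @('http', 'https')
    )
    $labels   = $HostName.Split('.')
    $domain   = ($labels | Select-Object -Last 2) -join '.'
    $hostPart = ($labels | Select-Object -SkipLast 2) -join '.'
    $key = Join-Path $ZoneMapDomains $domain
    if ($hostPart) { $key = Join-Path $key $hostPart }
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in $Schemes) {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    }
}

function Set-IeZoneLogonPolicy {
    param(
        [Parameter(Mandatory)] [int] $Zone,
        [Parameter(Mandatory)] [int] $Logon
    )
    $key = Join-Path $ZonesKey $Zone
    New-ItemProperty -Path $key -Name '1A00' -PropertyType DWord -Value $Logon -Force | Out-Null
}

function Get-IeZoneLogonPolicy {
    param([Parameter(Mandatory)] [int] $Zone)
    (Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name '1A00').'1A00'
}

# Configuration that reproduces the symptom in the post: a single portal URL in
# Trusted Sites while that zone sends the current credentials automatically, so
# IE still tries Kerberos (and the KDC DNS lookup) from home.
#   Add-IeZoneMapping     -HostName $InternalHost -Zone $TrustedZone
#   Set-IeZoneLogonPolicy -Zone $TrustedZone -Logon $LogonAutomatic

# Corrected two-URL layout: internal FQDN in Local intranet (Kerberos SSO),
# external alias in Trusted Sites limited to "automatic logon only in Intranet zone"
# (form-based logon screen instead of a failed ticket request off the network).
Add-IeZoneMapping     -HostName $InternalHost -Zone $IntranetZone
Add-IeZoneMapping     -HostName $ExternalHost -Zone $TrustedZone
Set-IeZoneLogonPolicy -Zone $TrustedZone -Logon $LogonIntranetOnly

# Verify: expect 131072 (0x20000) for the Trusted Sites zone.
'{0:X}' -f (Get-IeZoneLogonPolicy -Zone $TrustedZone)
```

This writes `HKCU`, so it only affects the user who runs it; for a fleet of laptops the same keys are normally pushed through Group Policy (Site to Zone Assignment List and the per-zone Logon setting). If the "Security Zones: Use only machine settings" policy is enabled, IE reads the `HKLM` hive instead and the per-user values above are ignored, which is worth checking before concluding that the mapping has no effect.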