on 06-24-2008 10:27 PM
Hello @ll,
I am interested in workflow authentication using the Kerberos ticket; the Identity Centre supports this method. I have thus far not found any implementation guides. Is there anybody who is more familiar with this system, who can assist me?
BR
Chris
Chris,
My specialist area with SAP products is related to Kerberos, but I am not familiar with what you are describing. Can you provide more details to explain what you are looking to achieve?
Regards,
Tim
Hello,
when you open the properties of the Identity Store in the Identity Center you see the workflow-register. Here you can choose a lot of authentication methods. Here and in some whitepapers we saw that the Workflow of SAP NW Identity Center supports Kerberos Authentication. We want to replace the WORKFLOW LOGIN with username/pw (Authentication method: Identity Store) by the Kerberos authentication ticket from our domain controller (authentication method: Kerberos). But I don't know where to reference our AD domain controller, where a user has a Kerberos ticket after Windows login.
BR
Chris
Chris,
Thank you - this helps a lot.
I know this might sound like a silly question, but can you confirm what platform the Identity Center is running on? E.g. is it installed on NetWeaver, or running on a standalone web server, or something else?
Also, can you provide me with links to some of the white papers you mentioned?
Regards,
Tim
here is the link to the Security Guide:
https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
("product information")
Chris,
OK, I thought this might be the case. The Kerberos authentication into any application running on IIS is set up by enabling Integrated Windows Authentication on the IIS website and also in the browser. Have you done this? If you have, when a user logs onto a workstation and then opens a page on the IIS server they will be authenticated using the domain account they logged onto their workstation with.
Regards,
Tim
Chris,
Thank you for the document link. As you said, it appears there is very limited information about the different authentication methods supported. However, as I said in my last post, when using IIS the IIS web server is handling the authentication of users, so this is where I suggest you enable IWA to allow you to get Kerberos authentication to work. I cannot think how the product could authenticate in any other way unless there is an ISAPI filter installed in the IIS web server, just to handle workflow authentication - I doubt this is the case.
Thanks,
Tim
Thanks for your reply,
I did this yesterday:
1. enabled IWA in IIS
2. enabled IWA in IE
3. Kerberos as authentication method in the Identity Center
missing:
But I think the network user has to be in the Identity Center as unique id (but I am not sure)
I will test this later...
Edited by: Christoph Reckers on Jun 25, 2008 11:32 AM
Edited by: Christoph Reckers on Jun 25, 2008 11:37 AM
Chris,
The domain user you are logged onto the Windows workstation as will be used to log you onto the IIS application when IWA is used, so you need to make sure that this user exists in the application. If it doesn't, you might get a popup sign-on screen from the browser, which will likely not work unless you have also enabled other forms of authentication in IIS.
Regards,
Tim
...I will test later
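A check for the IWA setup discussed in this thread, added here as an example and not written by either poster or taken from SAP's product: Integrated Windows Authentication uses the HTTP Negotiate scheme, which can carry NTLM instead of Kerberos, so this Python sketch classifies a logged `Authorization` header value by the preferred mechanism in its SPNEGO token. The function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii

SPNEGO = bytes.fromhex("2b0601050502")                  # OID 1.3.6.1.5.5.2
MECHS = {                                               # DER OID content bytes
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_authorization(value):
    """Classify an HTTP Authorization header value by authentication mechanism."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "ntlm" if scheme.lower() == "ntlm" else "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):            # raw NTLM carried in Negotiate
            return "ntlm"
        tag, body, _ = read_tlv(token)
        if tag != 0x60:                                 # not an initial GSS-API token
            return "unknown"
        _, oid, pos = read_tlv(body)
        if oid != SPNEGO:                               # bare mechanism token, no SPNEGO wrapper
            return MECHS.get(oid, "unknown")
        _, inner, _ = read_tlv(body, pos)               # [0] NegTokenInit
        for _step in range(3):                          # SEQUENCE, [0] mechTypes, SEQUENCE OF OID
            _, inner, _ = read_tlv(inner)
        tag, first, _ = read_tlv(inner)                 # first OID is the preferred mechanism
        return MECHS.get(first, "unknown") if tag == 0x06 else "unknown"
    except (binascii.Error, ValueError, IndexError):
        return "malformed"

def sample(mech_oids_hex):
    """Constructed (not captured) NegTokenInit offering two mechanisms, dummy mechToken."""
    raw = bytes.fromhex("602f06062b0601050502a0253023a0193017" + mech_oids_hex + "a2060404deadbeef")
    return "Negotiate " + base64.b64encode(raw).decode()

KRB, NTLM = "06092a864886f712010202", "060a2b06010401823702020a"
SAMPLE_KERBEROS_FIRST = sample(KRB + NTLM)
SAMPLE_NTLM_FIRST = sample(NTLM + KRB)
```

Only the first token of an exchange names the mechanism; later response tokens in the same handshake are reported as "unknown".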