Login problem after LDAP Configuration for Active Directory

Former Member

Hi,

I have configured the LDAP successfully for my Portal.

I am able to log in to the portal with some users successfully, and for some users it shows the error "authentication failed". I have tried resetting the password in Active Directory for the user who is facing the problem, but still no luck.

I am on EP7.0 SP14. Can anyone help me with what could be the reason?

Regards

Ponnusamy

Accepted Solutions (1)


Former Member

Hi Ponnusamy,

If you and a few others are able to log in to the Portal with your AD user ID and password, then the 2 points below are clear:

1) Your Portal is working

2) Your LDAP setup is working

Thus, the issue is strictly at your user level. From my experience, your user might be using the wrong user ID. At times they are confused: when they see the SAP Portal login screen, they think that it is their SAP account and not their Windows (LDAP) account, and thus enter the wrong user ID.

It could also be that the user has recently changed their password, which your LDAP will take some time to coordinate with your Portal, thus resulting in a wrong password as the new password is not yet available in the Portal for the user.

I would suggest that you check with your user which user ID they use. If it is not a wrong user ID, then try to log in to the Portal with your user ID and password on the user's hardware to confirm that it is a user-related issue (double confirmation). Then ask the user if they have recently changed their password. If so, try to enter their old password to see if it works. If not, then wait for some time for the LDAP and Portal to update the password change.

Hope that helps.

Ray

Former Member

Dear Raymond,

Thanks for quick reply.

I have checked for some of the users; they are able to log in to different machines with their AD ID and password. But with the same user ID & password, I am not able to log in to the portal.

In our landscape, both the AD user ID and Portal ID are the same; before the LDAP configuration also we had the same user ID. They have not changed the password recently.

Regards

Ponnusamy

Former Member

Hi Ponnusamy,

Is it just that 1 person who is having the login issue, or are there more than 1?

As mentioned above, go to your Portal User Management and check if the user exists there. Check as well, under Portal User Management, if your users are "copied" into the Portal via your LDAP (check the source; it is indicated where the user ID comes from, either Portal UME or LDAP). If all your users in the User Management are derived from LDAP, then for sure your LDAP setup to Portal is OK. Just be sure that it is not your LDAP setup, as it could be that those working user accounts exist in your Portal UME and that your LDAP setup might not be working.

If it is just 1 person not working and all other possibilities (meaning other end users and also your LDAP setup) are confirmed working, then I guess your Portal really does not like that user account ("joking", as it is definitely that user account having the issue). My last suggestion: get the password from the user and test it out on your hardware. If still not possible, go to the Portal User Management, "lock" the account (change the password there if possible) and click "save". Then "unlock" the account again and try to log in on your hardware with the new password to see if it is OK.

If all of the above is not successful, I'm out of ideas, as it is definitely a specific user account issue you have there. At least we troubleshot it down to its possible issue source!!

Sorry if not able to help... GL and hope the above can help you.

Ray

Former Member

Dear Raymond,

Thanks again,

I have checked: if the user is available in both UME & LDAP, he is facing the problem in login.

I need to make the LDAP configuration authenticate only the AD password, and it should skip the UME database ID and password.

Is there any specific configuration available, or is the only solution to delete the user from the UME database?

Regards

Ponnusamy

Former Member

Hi Ponnusamy,

You can set up SSO between your AD and the Portal (see below for steps). With SSO, your users do not need to log in when they click on the Portal URL; they will just SSO and appear logged in to the Portal.

To run the SPNego Wizard, perform the below steps:

Step1:

1) Create a service user (J2EE-US1) to identify the AS Java instance on the KDC. It is recommended that you choose a naming convention for these users to help you identify them with their corresponding AS Java instances.

The service user represents an AS Java instance running on a specific host and must meet the following requirements:

• The password of the service user must never expire.

• Use Data Encryption Standard (DES) for this account.

Step2:

2) Download the ZIP archive (SPNegoWizard 64*.ZIP) from SAP Note 994791. Unzip the archive and deploy the EARs via VA.

After deploying all 3 EARs, dataSourceConfiguration_ads_readonly_db_with_krb5.xml will be available as an option for your UME configuration.

3) The UME is connected to an LDAP data source and the UME data source configuration file contains attribute mappings to enable user resolution for Kerberos authentication.

Run the wizard and flag the first 2 options, as that is what you have done above (service user created and UME configuration). Click "Next".

Single domain configuration:

1. Enter the name of the Kerberos Realm or Windows Domain inside the input field Realm Name (Domain).

2. Choose Add KDC to add the host address (IP Address) and port for the Kerberos Domain Controller (KDC).

3. Choose Enter Principal to manually enter the AS Java's KPN:

a. Enter the KPN of the AS Java in Principal (J2EE-US1@Domain).

b. Enter the password for the AS Java service user in Password.

Click "Next"

Step3:

Resolution mode prefix-based supports Kerberos authentication in a single and in multiple Kerberos Realms or Windows Domains.

1) Enter the attribute that is mapped in the UME configuration file to the KPN prefix of the authenticating users.

2) Enter the attribute that is mapped in the UME configuration file to the KPN suffix of the authenticating users.

Click "Next"

Step4:

Click "Next" to confirm that the entered values are OK.

Once the above is configured, you can assume that the below activities are done.

● You have configured the Kerberos KDC for Kerberos authentication with the AS Java.

● You have configured the AS Java to use SPNegoLoginModule for Kerberos Authentication.

● The configuration steps depend on the specific Web client you are using. The examples used in this topic are based on the configuration steps for Microsoft Internet Explorer.

You are left with the below IE settings:

1) Enable Windows Integrated Authentication in your Web browser.

In Internet Explorer go to Tools ->Internet Options -> Advanced -> Security and choose Enable Windows Integrated Authentication (requires restart).

2) Enable automatic logon in Intranet zone.

In Internet Explorer go to Tools -> Internet Options -> Security -> Local Intranet -> Custom Level and choose Automatic logon only in Intranet Zone from the section User Authentication.

3) Add the AS Java's DNS host name to the list of local intranet sites.

In Internet Explorer go to Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced and add the AS Java's DNS host name to the list.

There... your SSO should be working.

Configuring Mozilla Firefox for Kerberos Authentication

The following example is specific to Mozilla Firefox version 2.0.0.x.

1. Add the server name to the list of sites which do not use a proxy:

Open the proxy settings of your browser. In the field No Proxy for specify the name of the AS Java for which you want to use Kerberos authentication, for example: my_kerberos_server.

2. Allow integrated authentication:

• In the address bar of your browser, enter the following: about:config.

• Filter the entries by name using the prefix negotiate.

• Add the AS Java address to the entries network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Mozilla Firefox is configured to use Kerberos authentication for the required AS Java.

To delete users in the UME manually: I do not know if there is an automated means. I just know the manual way, which could be a lot of work if you have a lot of users created directly in the UME. Maybe others can suggest or help you on this.

Hope that helps.

Award points if the suggestions help.

Ray

Former Member

Dear Raymond,

Thanks again. I need one clarification.

Here most of the users' machines are not in the domain; in that case, whatever you are mentioning will not work out, right?

Regards

Ponnusamy

Former Member

Hi Ponnusamy,

If users are not in the same Domain, yep, your remark is correct.

However, I do remember some discussion about connecting multiple Domains to the Portal, and that can be done with your SSO setup, which points to multiple Domains.

Let me check out some links for you on this... found the below...

http://help.sap.com/saphelp_nw70/helpdata/EN/a0/88a340fa432b54e10000000a1550b0/frameset.htm

So connecting the Portal to multiple Domains is possible.

Hope that helps. Thanks for the points... makes my weekend.

Ray

Edited by: Raymond HENG on Sep 5, 2008 11:46 AM
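The prefix-based resolution the wizard asks about in Step 3, and the multi-domain question later in the thread, come down to one operation: split the Kerberos Principal Name (KPN) into prefix and suffix, then match both against the directory attributes the UME configuration maps them to. The following is an added Python example, not code from this thread or from SAP's SPNego wizard; the attribute names (sAMAccountName for the prefix, a realm attribute for the suffix), the sample users and the realm list are constructed assumptions. It also shows why a suffix attribute is needed once more than one domain is involved: the same account name in two domains becomes ambiguous with a prefix-only mapping.

```python
"""Prefix-based Kerberos Principal Name (KPN) resolution, as a stand-alone
illustration of the wizard step that maps the KPN prefix and suffix to two
directory attributes. Constructed example; it is not SAP's UME code, and the
attribute names and sample users are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


class KpnError(ValueError):
    """Raised when a KPN is malformed or cannot be resolved to exactly one user."""


@dataclass(frozen=True)
class DirectoryUser:
    # Assumed attribute mapping: sAMAccountName <- KPN prefix, realm <- KPN suffix.
    samaccountname: str
    realm: str
    dn: str


# Constructed sample directory covering two Windows domains. The same
# sAMAccountName deliberately exists in both, which is the case a prefix-only
# mapping cannot resolve.
USERS: List[DirectoryUser] = [
    DirectoryUser("jdoe", "CORP.EXAMPLE.COM",
                  "CN=John Doe,OU=Users,DC=corp,DC=example,DC=com"),
    DirectoryUser("jdoe", "SUB.EXAMPLE.COM",
                  "CN=Jane Doe,OU=Users,DC=sub,DC=example,DC=com"),
    DirectoryUser("asmith", "CORP.EXAMPLE.COM",
                  "CN=Ann Smith,OU=Users,DC=corp,DC=example,DC=com"),
]

# Realms entered in the wizard; a ticket from any other realm is rejected.
REALMS: Set[str] = {"CORP.EXAMPLE.COM", "SUB.EXAMPLE.COM"}


def split_kpn(kpn: str) -> Tuple[str, str]:
    """Split 'user@REALM' into (prefix, SUFFIX).

    The realm separator is the last unescaped '@': Kerberos permits '\\@'
    inside a principal component. Realm names are case-insensitive, so the
    suffix is upper-cased for comparison."""
    sep = None
    i = 0
    while i < len(kpn):
        if kpn[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if kpn[i] == "@":
            sep = i
        i += 1
    if sep is None or sep == 0 or sep == len(kpn) - 1:
        raise KpnError(f"malformed KPN: {kpn!r}")
    prefix = kpn[:sep].replace("\\@", "@")
    return prefix, kpn[sep + 1:].upper()


def resolve(kpn: str, users: Iterable[DirectoryUser] = USERS,
            realms: Set[str] = REALMS, use_suffix: bool = True) -> DirectoryUser:
    """Resolve a KPN to exactly one directory user.

    With use_suffix=True both mapped attributes are matched (what the wizard
    asks for); with use_suffix=False only the prefix is matched, which breaks
    as soon as two domains share an account name."""
    prefix, suffix = split_kpn(kpn)
    if suffix not in realms:
        raise KpnError(f"realm {suffix} is not a configured realm")
    matches = [u for u in users
               if u.samaccountname.casefold() == prefix.casefold()
               and (not use_suffix or u.realm.upper() == suffix)]
    if not matches:
        raise KpnError(f"no directory user for {kpn}")
    if len(matches) > 1:
        raise KpnError(f"{len(matches)} users match prefix {prefix!r}; "
                       "a suffix attribute is required to disambiguate")
    return matches[0]


def try_resolve(kpn: str, use_suffix: bool = True) -> Tuple[bool, str]:
    """(True, dn) on success, (False, reason) on failure; convenient for logging."""
    try:
        return True, resolve(kpn, use_suffix=use_suffix).dn
    except KpnError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for kpn in ("jdoe@corp.example.com", "jdoe@SUB.EXAMPLE.COM",
                "asmith@OTHER.EXAMPLE.COM", "odd\\@name@CORP.EXAMPLE.COM"):
        print(kpn, "->", try_resolve(kpn))
    print("prefix only:", try_resolve("jdoe@CORP.EXAMPLE.COM", use_suffix=False))
```

Run it as a script to see the two jdoe principals resolve to different users when the suffix is used and fail as ambiguous when it is not; a ticket from a realm that was never added in the wizard is rejected before any directory lookup happens.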

Former Member

Hi Ponnusamy,

I am also facing the same issue. I integrated the portal with AD. When a user exists in both LDAP and UME, login is possible only with the UME DB password. Now I am not sure how to ignore UME Database authentication. I want LDAP authentication only.

Can you suggest any solutions regarding this?

Answers (1)


Former Member

Hi Ponnusamy,

Did you check whether the users that are able to log on exist in the portal UME also? If that is the case, then your LDAP connection may not be working.

Regards,

Rajeev.