cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HTTP basic auth prompt, when SPNEGO and security zone <> "local Intranet"

tombo_larsen
Active Participant

on ‎09-19-2008 9:49 AM

0 Kudos

Hi

We have configured a login module stack with SPNEGO and BasicPasswordLoginModule as fallback. SPNEGO works fine for internal users (users in the windows domain) and the BasicPasswordLoginModule as fallback also works when the security zone is "local intranet".

However when calling the portal externally or in general when the zone is NOT "local intranet" then the logon process comes with 1) an unexpected prompt (HTTP basic authentication) - and then 2) with the expected BasicPasswordLoginModule prompt.

Any explanation for this behaviour and how to avoid it?

BR

Tom Bo

Edited by: Tom Bo Larsen on Sep 19, 2008 8:49 AM

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

daniel_rothmund
Participant
‎09-20-2008 12:59 PM
0 Kudos

Hello ,

please check your IE setting for the security zone "internet".

But when you connected to the portal over the internet your pc must connect to the ADS Server. No local windows logon on your PC !

http://msdn.microsoft.com/en-us/library/ms995329.aspx

Daniel

Show replies
Show replies
tombo_larsen
Active Participant
‎09-22-2008 9:36 AM
0 Kudos

Hi

We are not trying to get SPNEGO working from the Internet.

Actually we want a prompt for authentication when coming from Internet and Internet Zone.

Our problem is that we get TWO authentications prompts. And even when you give valid credentials (user/password) to the first prompt, then you also get the second prompt.

We suspect that the SPNEGO module triggers the first authentication prompt (and fails) and that the HTTPBasicAuthentication logon module then is called and triggers the second prompt.

A HTTP trace looks like:

1: HTTP 401, www-authenticate: Negotiate

and even if valid credentials are given then a second:

.

2: HTTP 401 (without "www-authentication")

prompt occurs. This also happens when "Enable Integrated Windows authentication" is enabled in the IE settings. When we do not control this IE setting the solution should be able to cope with this setting and only generating ONE authentication prompt

BR

Tom

Former Member
‎10-31-2008 8:24 AM
0 Kudos

Hi Tom Bo,

we are facing exactly the same situation.

Did you find a solution to that behaviour.

Thanks in Advance

Markus

tombo_larsen
Active Participant
‎11-18-2008 11:06 AM
0 Kudos

Hi

No, we did a work-around.

Took a copy of the portallauncher iview and changede to authentication template to BASIS (a logon module stack without the SPNEGO module). The on our SAP web dispatcher in front we created a re-direct so that if the URL is <protocol>://<server>:<port>/logon then this i redirected to the copy of the portal launcher, which uses the logon module stack without SPNEGO.

So the users can call 2 URL's: One with SPNEGO and one without

BR

Tom Bo

Former Member
‎02-17-2009 4:21 PM
0 Kudos

Hi Tom Bo,

Did you try user name as domain\myusername or myusername'@'yourdomain.com at the first prompt (Basic Authentication)? Actually this is working for me if I login to Domain and try to access portal as a user which is diiferent from the user I used for login to domain. Please note that I give username as domain\myusername. Only myusername does not work.

I am fcaing other problem. If I try to access portal without login to domain I don't get Basic Authentication prompt at all which you are getting.

Regards,

Ashvini

Former Member
‎08-19-2009 2:42 PM
0 Kudos

Hi Tom,

Can you explain what you meantt when you say you created an authentication template without SPnego? Can your users still access the portal with the standard url with SSO to http://host>/irj/portal.

We tried the same but by we don't want to change the url for the current users in the landscape and we want to provide the external users with a login screen without any popups...

We therefore need to try and split te url for anonymous/external users from the internal users who already uses SSO to the portal.

Can you provide me with a shortlist of how you did this please

Thanks Dries.

Ask a Question