on 09-19-2008 9:49 AM
Hi
We have configured a login module stack with SPNEGO and BasicPasswordLoginModule as fallback. SPNEGO works fine for internal users (users in the windows domain) and the BasicPasswordLoginModule as fallback also works when the security zone is "local intranet".
However when calling the portal externally or in general when the zone is NOT "local intranet" then the logon process comes with 1) an unexpected prompt (HTTP basic authentication) - and then 2) with the expected BasicPasswordLoginModule prompt.
Any explanation for this behaviour and how to avoid it?
BR
Tom Bo
Edited by: Tom Bo Larsen on Sep 19, 2008 8:49 AM
Hello ,
please check your IE setting for the security zone "internet".
But when you connected to the portal over the internet your pc must connect to the ADS Server. No local windows logon on your PC !
http://msdn.microsoft.com/en-us/library/ms995329.aspx
Daniel
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi
We are not trying to get SPNEGO working from the Internet.
Actually we want a prompt for authentication when coming from Internet and Internet Zone.
Our problem is that we get TWO authentications prompts. And even when you give valid credentials (user/password) to the first prompt, then you also get the second prompt.
We suspect that the SPNEGO module triggers the first authentication prompt (and fails) and that the HTTPBasicAuthentication logon module then is called and triggers the second prompt.
A HTTP trace looks like:
1: HTTP 401, www-authenticate: Negotiate
and even if valid credentials are given then a second:
.
2: HTTP 401 (without "www-authentication")
prompt occurs. This also happens when "Enable Integrated Windows authentication" is enabled in the IE settings. When we do not control this IE setting the solution should be able to cope with this setting and only generating ONE authentication prompt
BR
Tom
Hi
No, we did a work-around.
Took a copy of the portallauncher iview and changede to authentication template to BASIS (a logon module stack without the SPNEGO module). The on our SAP web dispatcher in front we created a re-direct so that if the URL is <protocol>://<server>:<port>/logon then this i redirected to the copy of the portal launcher, which uses the logon module stack without SPNEGO.
So the users can call 2 URL's: One with SPNEGO and one without
BR
Tom Bo
Hi Tom Bo,
Did you try user name as domain\myusername or myusername'@'yourdomain.com at the first prompt (Basic Authentication)? Actually this is working for me if I login to Domain and try to access portal as a user which is diiferent from the user I used for login to domain. Please note that I give username as domain\myusername. Only myusername does not work.
I am fcaing other problem. If I try to access portal without login to domain I don't get Basic Authentication prompt at all which you are getting.
Regards,
Ashvini
Hi Tom,
Can you explain what you meantt when you say you created an authentication template without SPnego? Can your users still access the portal with the standard url with SSO to http://host>/irj/portal.
We tried the same but by we don't want to change the url for the current users in the landscape and we want to provide the external users with a login screen without any popups...
We therefore need to try and split te url for anonymous/external users from the internal users who already uses SSO to the portal.
Can you provide me with a shortlist of how you did this please
Thanks Dries.
User | Count |
---|---|
95 | |
11 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.