SPNego - Fallback - Basic Authentication

Former Member
Hi,

I have configured the SPNego using the wizard available in /spnego alias, to achieve authentication using Kerberos, at the end of wizard, I have selected the option enable fallback, to allow users to authenticate in case SPNego fails and also for other users outside of the scope.

Issue: If a user tries to access the portal without a Kerberos ticket, before he gets redirected to the login page (form login), a Basic Authentication popup is presented to the user. What's wrong? The user should go directly to the form login page without having to pass through the Basic Authentication popup; moreover, pressing the "ESC" key or entering a correct user and password in the Basic Authentication popup always redirects the user to the form login page, but only as a second step.

Thanks

John

Accepted Solutions (1)

Former Member
The popup your users are seeing is NTLM Authentication, which comes into play when Kerberos fails.

As far as I know this is IE browser default behaviour and there is no way to circumvent it.

A possible solution is to develop a custom servlet which relies for authentication on a JAAS login module stack different than the default one. By doing this, your non-domain users could access the portal via a URL like this:

https://your.portal.corp/PwdLogon

and then be redirected to the default portal page, where they are not prompted for anything because they already have a logon ticket, so the authentication sequence does not go down spnego login module.

The JAAS LM stack behind this servlet would be:

evaluateticketloginmodule

basicpasswordloginmodule

createticketloginmodule

Hope this helps a bit

Regards

Former Member
Hi Gaetano,

Thanks for this precious information.

When you say to develop a custom servlet which relies for authentication on a JAAS login module stack different than the default one, doesn't this mean non-domain users have to know the portal URL http://portalserver/PwdLogon?

We don't want users to enter, on their own, a portal URL depending on whether they are domain or non-domain users. It should be transparent: all users should access the portal using the same URL, and if it is a non-domain user, the SPNego login module stack should have something (standard or developed) to skip the Basic Authentication popup.

Thanks

John

tim_alsop
Active Contributor
We had this exact problem with a few of our customers, and we solved it by adding new functionality to our SPNEGO (e.g. Integrated Windows Auth) login module. The new functionality allows us to determine if the user is logged onto a domain, and if they are we can continue as before; otherwise our login module aborts and allows the fallback login module to work. This means that one URL can be used by both intranet and non-intranet users, but different methods of authentication are offered in each case, based on which is supported.

Thanks,

Tim

Former Member
Hi Tim,

Thanks for sharing the Valuable Information.

Can you please shed some more light on how this was implemented and, if possible, point to some documentation?

Best Regards

Hussain.

tim_alsop
Active Contributor
Hi,

The product which has the above mentioned functionality, is described at:

http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter

Thanks,

Tim

Former Member
Hi everyone,

we're facing a similar issue with Kerberos cross-domain authentication (we're prompted for credentials when accessing the portal from a different domain).

We've then created a portal component which simply re-routes the request to the standard logon page, and we've assigned a new authentication scheme to this component (NTLM authentication stack).

This stack is configured to:

- EvaluateTicket

- HeaderVariable

- CreateTicket

- BasicPassword

- CreateTicket

and we've defined the following authscheme:

<authscheme name="ntlm">
  <authentication-template>ntlm</authentication-template>
  <priority>25</priority>
  <frontendtype>2</frontendtype>
  <frontendtarget>home.prt.logon.certlogon</frontendtarget>
</authscheme>

Well, the thing is that the ticket authentication stack is used when we call up our bespoke, newly created portal component (we used diagtool to trace the security checks being carried out). As a result, we're prompted for credentials (in case of cross-domain access), the reason being that the ticket auth stack is configured for SPNego.

Isn't it odd? Any ideas or suggestions?

Thanks in advance.

Answers (2)

Former Member
Hello John,

There are some settings that are required on IE/Firefox to support Kerberos:

http://help.sap.com/saphelp_nw04s/helpdata/en/43/49a2aefd975f89e10000000a1553f6/frameset.htm

Regards,

Slava

Former Member
Sounds strange. Have you got a standard logon page, or has someone been making changes to it? Can you post the logon stack for ticket?

Former Member
Hi Michael,

We are using the standard logon page; no one has made changes. We have only created a different alias: instead of using /irj/portal, we are using /irj/portal/company.

The logon stack for ticket was created automatically by the spnego wizard, with the option enable fallback active:

- EvaluateTicketLoginModule = Sufficient

- SPNegoLoginModule = Optional

- CreateTicketLoginModule = Sufficient

- BasicPasswordLoginModule = Requisite

- CreateTicketLoginModule = Optional

This is really boring for the users that are not logged on in the domain, they are always getting the Basic Authentication Popup, before being redirected to the form logon page.

Thanks for your support.

Regards,

John

Former Member
What happens when accessing something like /nwa? Does the same happen?

Former Member
Hi,

This seems to be a browser issue. As mentioned by Slava, make sure you have the browser properties set as mentioned in the link.

Also check the setting below.

Bypass the proxy server (if present) for the j2ee server:

IE Tools -> Internet Options -> Connections -> LAN Settings -> Proxy server -> Advanced -> Exceptions -> Add the host names of the J2EE server

Regards

Deb

Former Member
Hi Michael,

When accessing /nwa directly, the same thing happens.

This situation only applies to users that are not logged in to the domain or don't have a Kerberos ticket.

You may ask. What kind of users are these?

One type is the external users, who were provided a user and password to access the portal. They never log on to the domain, but they should be able to access the portal. Right now, these users are entering the portal address in the browser, and instead of being redirected to the form logon page, they first get a Basic Authentication popup.

I know there are some required Internet Explorer settings for SPNego to work for internal users, but this is not the case here, and I think forcing external users to put the portal in trusted sites just to skip the Basic Authentication popup is not correct and not achievable.

Thanks

John