cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Wdigets and Polestar for NTLM AD SSO

thomas_madsen
Participant

on ‎03-20-2009 7:48 AM

0 Kudos

Hi,

Would anyone know whether plans exist to enable NTLM AD support for Widgets, live-office and Polestar to become NTLM AD compliant?

Best regards

Thomas

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

thomas_madsen
Participant
‎03-30-2009 5:17 PM
0 Kudos

Super, Thanks a lot.

I'll give it a go.

/Thomas

Show replies
Show replies
thomas_madsen
Participant
‎03-30-2009 3:50 PM
0 Kudos

Hi Tim

I don't have a whole lot of experience with SSO, but shall I interpret below in such a way that although the customer is not using kerberos in their AD setup we can still use the protocol to establish communication between BOE and AD?

/Thomas

Show replies
Show replies
BasicTek
Advisor
Advisor
‎03-30-2009 4:15 PM
0 Kudos

It's something like that. Kerberos is running on all supported AD environments by default. Microsoft actually recommends using kerberos as your authentication default on 2003 or later domain functional levels.

The initial configuration is complicated, especially for most BO admins who don't also happen to be AD admins.

We have documented most aspects of the configuration as well as many tools that can be used to troubleshoot while implementing.The last couple of years we have gained many experienced authentication engineers that can assist should you run into problems.

While NTLM was extremely simple to implement it was also very limited. Credentials could only be used once, delegation to other applications or to a database was impossible.

[This White Paper|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977] will explain the configuration, and troubleshooting steps from beginning to end.

Regards,

Tim

thomas_madsen
Participant
‎03-30-2009 6:22 AM
0 Kudos

Hi,

This is a 20.000 employee customer that has decided kerberos is too complex to implement. So it would be nice if we could use at least live-office and widgets with NTLM.

/Thomas

Show replies
Show replies
BasicTek
Advisor
Advisor
‎03-30-2009 1:12 PM
0 Kudos

Since NTLM is a proprietary protocol, we are unable to license it for java. Most of our apps are developed in java only for OS independence.

We have quite a few engineers trained in helping customers implement kerberos. Was there any specific reason it was deemed "too complicated"

Initial setup requires 1 dedicated user account and 1 setspn command be run in AD for manual logon. SSO requires ktpass in addition to a 2nd setspn command. The rest is just setting some configuration parameters on the BO side (CMC, web.xml, server,xml, java options, and java SDK).

Kerberos is the open protocol that allows us to tie AD into other other common platforms such as java.

Regards,

Tim

BasicTek
Advisor
Advisor
‎03-21-2009 2:34 AM
0 Kudos

While not official, it's very unlikely that will happen. Many of the BO apps that only run in java are still planned to only run in java in the near future. NTLM is not and will not be supported for java. Kerberos can accomplish anything NTLM can and more. Is there an issue with implementing kerberos?

Regards,

Tim

Show replies
Show replies
Ask a Question