on 03-20-2009 7:48 AM
Hi,
Would anyone know whether plans exist to enable NTLM AD support for Widgets, live-office and Polestar to become NTLM AD compliant?
Best regards
Thomas
Super, thanks a lot.
I'll give it a go.
/Thomas
Hi Tim
I don't have a whole lot of experience with SSO, but shall I interpret below in such a way that although the customer is not using Kerberos in their AD setup we can still use the protocol to establish communication between BOE and AD?
/Thomas
It's something like that. Kerberos is running on all supported AD environments by default. Microsoft actually recommends using Kerberos as your authentication default on 2003 or later domain functional levels.
The initial configuration is complicated, especially for most BO admins who don't also happen to be AD admins.
We have documented most aspects of the configuration as well as many tools that can be used to troubleshoot while implementing. The last couple of years we have gained many experienced authentication engineers that can assist should you run into problems.
While NTLM was extremely simple to implement, it was also very limited. Credentials could only be used once, and delegation to other applications or to a database was impossible.
[This White Paper](https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977) will explain the configuration and troubleshooting steps from beginning to end.
Regards,
Tim
Hi,
This is a 20.000 employee customer that has decided Kerberos is too complex to implement. So it would be nice if we could use at least live-office and widgets with NTLM.
/Thomas
Since NTLM is a proprietary protocol, we are unable to license it for Java. Most of our apps are developed in Java only for OS independence.
We have quite a few engineers trained in helping customers implement Kerberos. Was there any specific reason it was deemed "too complicated"?
Initial setup requires 1 dedicated user account and 1 setspn command to be run in AD for manual logon. SSO requires ktpass in addition to a 2nd setspn command. The rest is just setting some configuration parameters on the BO side (CMC, web.xml, server.xml, Java options, and Java SDK).
Kerberos is the open protocol that allows us to tie AD into other common platforms such as Java.
Regards,
Tim
While not official, it's very unlikely that will happen. Many of the BO apps that only run in Java are still planned to only run in Java in the near future. NTLM is not and will not be supported for Java. Kerberos can accomplish anything NTLM can and more. Is there an issue with implementing Kerberos?
Regards,
Tim