
SPNego in Intranet and Form Based Authentication externally

Former Member
0 Kudos

Hi

Could anyone tell me if this activity is supported by Portal.

I have SPNego configured properly and it is running in my company network, but when a user accesses the same URL from the Internet he gets "Page cannot be displayed". My requirement is to get a login screen where he can type user ID and password.

We cannot Provide different URL since requirement is to have a single URL.

Hope everyone understood the requirement.

Thanks

Accepted Solutions (0)

Answers (4)

former_member182254
Active Participant
0 Kudos

Hi,

Please check the information at https://service.sap.com/sap/support/notes/1457499 about the new SPNEGO solution provided by SAP. It does not use the Kerberos API from JDK 1.4 and does not require a connection to the domain controller in order to validate an SPNEGO/Kerberos token.

Regards,

Dimitar

former_member198282
Participant
0 Kudos

Hi, Siddi.

What does it mean when a user logs on from the internet? Does he still authenticate against your AD?

I have a feeling that the user gets the "Page cannot be displayed" error because he does not have access to your portal server via the portal port. One thing you can verify is to log on from the Internet, run "ping j2ee_server" and then "telnet j2ee_server portal_port". Do these 2 commands work?

By the way, I am assuming that you do not have a web dispatcher. If your users go through the web dispatcher, then they need to be able to telnet into the web dispatcher host with the right port.

Thanks,

Jonathan.

Edited by: Jonathan Ma on Jun 16, 2010 8:15 PM

Former Member
0 Kudos

Hi

My Portal server works over the Internet too. Here is the situation: our users' browser settings are configured so that the check box for doing Windows authentication is selected.

Open IE -> Tools -> Internet Options -> Advanced -> Enable Integrated Windows Authentication: that check box is selected.

Intranet Scenario

So when the user is in the company domain or network (which is the Intranet scenario) he is authenticated and the Portal home page is visible.

If the check box selection is removed, the user gets the login screen.

The Intranet scenario is working perfectly as expected.

Internet Scenario

If the check box is selected, the user gets "Page cannot be displayed" as there is no valid Kerberos token.

(Expected behaviour is to get the login screen, whereas the "Page cannot be displayed" error is coming.)

If the check box selection is removed, the user gets the login screen --> working perfectly as expected.

We don't want to let the users turn that check box on and off; the portal should handle this by default by knowing whether the user is on the external or internal domain.

Thanks

Krishna

Edited by: siddi siddi on Jun 16, 2010 8:35 PM

hofmann
Active Contributor
0 Kudos

Hi,

What is happening in your Intranet when the AD is down? Are users then not able to log on?

Configure your logon module stack to have a fall-back to UIDPW. When the SPNEGO module fails, the portal will present the logon form (user ID + password).

br,

Tobias
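As an added illustration (not code from the thread or from SAP), here is a small model of how JAAS login-module flags (REQUIRED / REQUISITE / SUFFICIENT / OPTIONAL) decide whether a failed SPNEGO module blocks the request or falls through to the user ID / password module. The module names, flags and sample requests are constructed assumptions, not the portal's actual configuration.

```python
"""Model of JAAS login-module-stack flag semantics, written to show how an
SPNEGO module flagged SUFFICIENT, followed by a user-id/password module
flagged REQUISITE, lets a request without a Kerberos token fall through to
the logon form. Module names, flags and requests are constructed."""
from dataclasses import dataclass


@dataclass
class Request:
    has_kerberos_token: bool   # browser sent a valid Negotiate token
    form_credentials_ok: bool  # user typed a valid user id + password


def spnego(req):
    """Stand-in for the SPNEGO module: succeeds only with a token."""
    return req.has_kerberos_token


def basic_password(req):
    """Stand-in for the UIDPW form-logon module."""
    return req.form_credentials_ok


def run_stack(stack, req):
    """Evaluate (name, flag, module) tuples by JAAS rules.

    Returns (authenticated, name of the first module that succeeded).
    REQUIRED/REQUISITE must succeed; REQUISITE aborts on failure.
    SUFFICIENT success ends evaluation unless a REQUIRED/REQUISITE module
    before it already failed. OPTIONAL never blocks."""
    required_failed = False
    first_success = None
    for name, flag, module in stack:
        ok = module(req)
        if ok and first_success is None:
            first_success = name
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                return False, None
        elif flag == "SUFFICIENT" and ok and not required_failed:
            return True, name
    return (not required_failed and first_success is not None), first_success


# SPNEGO with a fall-back to the logon form, as recommended above.
FALLBACK_STACK = [
    ("SPNegoLoginModule", "SUFFICIENT", spnego),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
]
# SPNEGO only: a request without a token is rejected outright.
SPNEGO_ONLY_STACK = [("SPNegoLoginModule", "REQUISITE", spnego)]

INTRANET = Request(has_kerberos_token=True, form_credentials_ok=False)
INTERNET = Request(has_kerberos_token=False, form_credentials_ok=True)
```

With the fall-back stack the Intranet request is authenticated by SPNEGO alone, while the Internet request proceeds to the password module; with the SPNEGO-only stack the Internet request fails immediately.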

Former Member
0 Kudos

Hi,

>What is happening in your Intranet when the AD is down?

When the AD is down inside a company using Windows workstations, the company is pretty much completely stopped.

Nobody can open a session on his PC workstation.

The AD is a highly critical service. I know that, in my company, the redundancy level for the AD is something like 10 or 12.

Regards,

Olivier

hofmann
Active Contributor
0 Kudos

Hi Olivier,

My laptop is AD integrated and still I can log on without an AD connection. When the AD is down, MS implemented a local cache that will still verify my credentials. The portal logon stack should also have this fallback: AD down, switch to UIDPW.

Your AD may be redundant, but is your portal Kerberos configuration also? Java 1.4 isn't using the AD DNS SRV records to find a valid DC; you have to write them into the config file. Are all the DCs in there, and when a DC is replaced, removed or added, is this reflected in the Kerberos conf?

br,

Tobias

Former Member
0 Kudos

Hi Tobias,

>Your AD may be redundant, but is your portal Kerberos configuration also? Java 1.4 isn't using the AD DNS SRV records to find a valid DC; you have to write them into the config file. Are all the DCs in there, and when a DC is replaced, removed or added, is this reflected in the Kerberos conf?

That is one of several reasons why we did not use the SAP standard Kerberos implementation but bought a certified SAP partner product. This product uses only the Kerberos realm name (which happens to be also the Windows domain) to find automatically one of the redundantly available AD servers. This product also does not use the obsolete cryptography API from Java 1.4 and is thus able to encrypt the Kerberos ticket using AES or RC4. It means also that it works for Windows 2008 AD and for Windows 7 workstations.

Last point: we are also able to do SSO authentication for ABAP systems which are in a different domain than the Portal server (using domain relaxing).

Best Regards,

Olivier

hofmann
Active Contributor
0 Kudos

Hi Olivier,

Can you share more about this product and your experience with it? Especially the advantages and drawbacks. I'm sure others would really benefit from your insight.

br,

Tobias

Former Member
0 Kudos

Hi Tobias,

I am not sure if it is allowed to give names of commercial products here on SDN.

I already gave you the main reasons for our choice. In fact the DES algorithm was a NO GO from our security team, and the Windows team refused to activate the DES algorithm on the new Windows 2008 AD servers.

SAP has announced that it will address this problem with future SP stacks, but it was too late for our needs.

The documentation to configure the product is much better than the standard SAP documentation.

Java redirect applications are delivered to be able to use SSO for other SAP systems (ABAP or Java).

This was complex in our case because the portal server is in a new Windows domain. The users and the other SAP servers are in another Windows domain. It is therefore necessary to use domain relaxing to get a MYSAPSSO2 ticket valid for both Windows domains.

We discovered (me and the vendor technical support) that the UME configuration is only valid for Java applications using UME authentication and not web container authentication. Unfortunately most redirect applications use container authentication and so don't work in a multi-domain environment.

The vendor had to develop a new redirect application for our need and they will include it in the next release of their product.

The main drawback is of course the price if you compare it with the standard SAP "free" Kerberos implementation.

Regards,

Olivier

Former Member
0 Kudos

Hi,

Hint: check the concept of the login module stack...

Regards,

Olivier