Former Member

Kerberos login as a different user other than self ID

Hi all,

We have Kerberos configured between our Portal systems and the ADS. UME is integrated to LDAP. It logs me into the portal using the URL, with my LDAP/Windows credentials, without prompting for anything now.

Here is my concern. What if I wish to log out and log in again but as a different user; maybe a test user over the UME database or just the ADMINISTRATOR user? Is this scenario possible?

Any help is greatly appreciated.

Thanks and regards,

Rosun


4 Answers

  • Best Answer
    Dec 30, 2010 at 10:54 AM

    Rosun,

    I think you will find that this functionality is not available when using the SAP SPNEGO login module.

    Maybe you can consider a different product? Check http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter - click on the Details tab and look at the 2nd bullet point on this page.

    Thanks,

    Tim


    • Former Member

      Hi Tim,

      I have come to the conclusion that there are in fact a few workarounds to my scenario. Not getting it still though. I have tried setting the GET parameter in the URL as is suggested in a certain blog as http://<hostname>:5XX00/irj?spnego=disabled but it didn't work... yet.

      Thanks and regards,

      Rosun

      Edited by: Rosun Raj Kumar on Dec 30, 2010 12:38 PM

  • Former Member
    Dec 30, 2010 at 12:21 PM

    Hi,

    My portal runs on a Windows server which has 2 FQDNs.

    The first domain is the Windows domain, which is also the Kerberos realm.

    So, when I call the URL https://serveralias.windowsdomain.company.country:port/irj/portal , I get connected with my personal user through SPNEGO/Kerberos.

    In fact, I have a web dispatcher with redirect rules, so it's possible to use the simplified URL http://serveralias

    The second domain is the internal DNS domain (not a Kerberos realm).

    So when I call the URL http://server.dnsdomain.company.country:port/irj/portal SPNEGO/Kerberos authentication fails (wrong principal name), and I get the login page where I can enter the user/password of my choice.

    Therefore, I can choose very easily to log in with SSO or a login page.

    For logoff we have defined a logoff page URL in order not to be reconnected immediately with SSO.

    If you don't have 2 domains for your server, it may be enough to define a fake one in your etc/hosts file?

    Regards,

    Olivier


    • Former Member

      Hi all,

      This issue is resolved now.

      It was a problem with my login modules. I had only one CreateTicketLoginModule in my stack. SAP advised me to add another one at the end. I am able to log in with alternative IDs too now.

      Thanks all!

      Rosun

      Edited by: Rosun Raj Kumar on Jan 10, 2011 2:56 PM
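
Added example (not part of the original thread and not SAP's code): a simplified Python model of JAAS control-flag evaluation, showing what a second CreateTicketLoginModule at the end of the stack changes for a password logon. The stack layout, flags, and module behaviour here are assumptions; the thread does not show the actual stack.

```python
# Added illustration: simplified model of JAAS control flags over a login
# module stack. Stack layout and module behaviour are assumptions.

def credential(key):
    """Module that succeeds when the request carries the given credential."""
    def module(req, st):
        if req.get(key):
            st["user"] = req[key]
            return True
        return False
    return module

evaluate_ticket = credential("ticket_user")    # existing logon ticket
spnego = credential("kerberos_user")           # valid Kerberos token
basic_password = credential("password_user")   # password assumed verified

def create_ticket(req, st):
    """Issues a logon ticket only if an earlier module identified a user."""
    if st["user"]:
        st["ticket_issued"] = True
        return True
    return False

def evaluate(stack, req):
    """Return (authenticated, ticket_issued) for one logon request."""
    st = {"user": None, "ticket_issued": False}
    required_seen, required_ok, any_ok = False, True, False
    for module, flag in stack:
        ok = module(req, st)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen, required_ok = True, required_ok and ok
            if flag == "REQUISITE" and not ok:
                break          # REQUISITE failure stops the stack
        elif flag == "SUFFICIENT" and ok:
            break              # SUFFICIENT success stops the stack
    authenticated = required_ok if required_seen else any_ok
    return authenticated, authenticated and st["ticket_issued"]

# Assumed stacks: one CreateTicketLoginModule vs. a second one at the end.
ONE_CREATE = [(evaluate_ticket, "SUFFICIENT"), (spnego, "OPTIONAL"),
              (create_ticket, "SUFFICIENT"), (basic_password, "REQUISITE")]
TWO_CREATE = ONE_CREATE + [(create_ticket, "OPTIONAL")]

if __name__ == "__main__":
    password_logon = {"password_user": "test_user"}   # constructed request
    for name, stack in (("one", ONE_CREATE), ("two", TWO_CREATE)):
        print(name, evaluate(stack, password_logon))
```

In this model the only CreateTicketLoginModule in the first stack runs before the password module, so a password logon authenticates without a ticket being issued; the trailing module in the second stack issues one.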

  • Dec 30, 2010 at 11:07 AM

    Hi Rosun

    After configuring Kerberos it's not possible to log out from the portal as it logs back in automatically. So, the option is to close the browser window and open a new window for another login.

    You can implement one process which is by clicking on the logoff button, the user would be logged off and at the same time the portal window would be closed. This can be achieved by keeping a self and parent close HTML inside KM and configuring the UME parameter - ume.logoff.redirect.url.

    Regards,

    Sen


    • Former Member

      Hi Prodyut,

      Thanks for the info provided. I do have ume.logoff.redirect.url configured; we have the log-off directed to a static page. It doesn't close the page though.

      If I were to rephrase myself: how to deactivate Kerberos so that I could log in with a separate ID other than my own ID is my concern.

      Thanks and regards,

      Rosun

  • Former Member
    Jan 10, 2011 at 02:00 PM

    resolved...
