
authschemes.xml for integrated Windows authentication in EP 6.0 SP7

gregorw
Active Contributor
0 Kudos

Hello,

today I tried to activate integrated Windows authentication for our EP 6.0 SP7 on SAP Web AS 6.40. First I've installed and tested the IisProxy. The IisProxy is running fine, and I can access the Portal directly through the IIS Server on Port 80. Then I've changed the Authentication Method of the IIS from anonymous access to Integrated Windows authentication. I've adapted the authschemes.xml to this according to the SAP EP 6.0 SP2 Security Guide:


When I try then to login to the Portal I get this Error Message:

Unknown message (ID = Ungültige Nulleingabe: Name)

In the security.log I see the message "No user name provided.".

Has anyone successfully configured integrated Windows authentication in EP 6.0?

Regards

Gregor

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

David,

I am facing a similar problem to the one you described. When I use the URL through IIS Proxy 1.6, I get the Windows logon screen for user ID and password. Please update if you have found a solution to resolve this issue.

Former Member
0 Kudos

Read all the posts in the thread - the answer is to confirm that IISProxy is sending the headers correctly (trace your browser session and the communication between IISProxy and J2EE) and you can follow the help directly to implement this - I've validated the help myself and it works perfectly.

http://help.sap.com/saphelp_nw04/helpdata/en/a4/385bef3bd14241b9c4f36bd779537d/frameset.htm

Nick

joseph_schaar
Discoverer
0 Kudos

The authschemes.xml file on EP 6.0 SP7 should not be modified directly for the configuration to support Windows Authentication on NW EP on WAS 6.40.

The help.sap.com details the steps necessary to accomplish this configuration. You have to use the Visual Admin tool to configure the use of a Header Variable logon module and specify the parameters as indicated in the help guide.

I have used this procedure to set up authentication to NW EP SP10 for both NTLM (Windows Authentication) as well as SiteMinder, and this process works well.

Former Member
0 Kudos

Does this functionality work with Exchange/2000, SAP EP 6.0 SP2 (running on UNIX), IIS/ISAPI on W2K, or do I need to upgrade to Exchange/2003 and EP 6.0 SP07? Can I get the UNIX-side configuration file for WebAS to redirect to the IIS/ISAPI filter?

Our environment:

Portal Platform: SAP EP 6.0 SP2 on SUN Solaris/Oracle 9i

UM Configuration: Read Only Microsoft ADS + Database

URL: http://sapdevx.sony.ca:50200/irj correctly works with AD username/password but we want to take it a step forward with ISAPI so that user's initial Windows/AD login can be used.

Email: Naren_Deo@sony.ca

Message was edited by: Naren Deo

Former Member
0 Kudos

I configured my system exactly as described by Gregor in his weblog.

When I access my portal, I get the "Enter Network Password" prompt instead of automatically logging me into the portal. If I provide my windows userid and pwd, then, it logs me in.

Is this how it is supposed to work? If not can you give me pointers to fix the problem?

Thanks

Sriram

gregorw
Active Contributor
0 Kudos

Hello Sriram,

I continue our discussion from the Weblog here. Are the Clients in the same Windows domain as the Server where the IIS Proxy is running?

Regards

Gregor

Former Member
0 Kudos

Gregor, I hope that you can shed some light on me too.

I too have looked at your weblog and have found it most informative, but it is not helping me with my situation.

Your solution is for a portal within one domain and on an intranet, correct?

My portal does not work on an intranet. Users come in on port 80 from the internet. IIS 6.0 and the Proxy are set up to take all requests on 80 and point them to 50000/irj/default.htm, and default.htm takes them to the portal logon screen. When I attempt to log on, it bounces me back to the logon screen. If I access the portal from port 50000/irj/portal I can log in fine.

I am using basic authentication. If I alter my authschemes.xml to put the default to basic authentication I no longer get a logon screen but a Windows pop-up logon prompt. So I leave it at uidpwlogon.

IIS is taking me to the same logon screen as going right into WAS. I cannot find what is going wrong. OSS is in but no response yet.

I have two portals running ep6sp2. I can find lots of docs for them but, SAP has really let me down on NW04 IMO.

Former Member
0 Kudos

Hi Gregor:

The client is in the same domain as the server. I found additional problems - If I try to access the portal from the server, I get the "Enter Network password" prompt. If I enter the windows uid and pwd, I get into the portal. But if I login from the client machine from the same domain, I get the "Enter Network Password" prompt and when the uid and pwd for that client machine is entered, it takes me to the portal logon screen. However, if I access the portal logon screen using the 50000/irj I can login from anywhere.

Appreciate your help.

Thanks

Sriram

Former Member
0 Kudos

Gee, Sriram

This is starting to sound a little like my problem. If you access the portal via port 50000/irj you are going directly into WAS.

If you just log in via port 80 you get bounced back to a portal login prompt.

I have an ongoing rant posted here in SDN about this, and I just filed an OSS on it. If you look in your portal, logging in at port 50000/irj, you will see that all of your LDAP settings are there. If you log into the configtool you will see the same information in the UME. If you go to the Visual Admin tool, the LDAP information is not found. All that is there is the default setting of anonymous and j2ee-guest. Check out your server log and see if you have the same j2ee-guest user being bounced out.

Former Member
0 Kudos

David: I looked at the server.log and the security.log files. When I log in from the server itself, I get the "Enter Network Password" prompt but am able to log in to the portal; but when I log in from the client I get the "Enter Network Password" prompt but cannot log in to the portal.

In the first case, I see a log in the server.log and security.log. In the second case when I try to login from the client machine, I do not see any log in the server.log file. I see the following line in the security.log file. Incidentally, even in the first case, the log in the security.log file was similar.

/System/Security/Usermanagement#sap.com/irj#com.sap.security.core.umap#Guest#2#####SAPEngine_Application_Thread[impl:3]_38

The number 38 that you see at the end was 2 in the first case.

Thanks

Sriram

Former Member
0 Kudos

The two error lines are different with me. Here is a long paste of them.

#1.5#001185D4FC80001400004D88000014200003F0530D31DF9C#1108664424495#/System/Server#sap.com/irj#com.sap.engine.services.jndi#j2ee_guest#15#####Thread[Thread-40,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.jndi#Plain###Path to object does not exist at jmsfactory, the whole lookup name is webContainer/applications/sap.com/irj/irj/jmsfactory/default/queueconnectionfactory.#

Then the next line.

#1.5#001185D4FC80001400004D89000014200003F0530D31E0D1#1108664424495#/System/Server#sap.com/irj#com.sap.engine.services.jndi#j2ee_guest#15#####Thread[Thread-40,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.jndi#Plain###Path to object does not exist at jmsfactory, the whole lookup name is jmsfactory/default/QueueConnectionFactory.#

I have no idea on what the jmsfactory is or why it is using j2ee-guest to log in when I am on the client using the proxy. I have an OSS in on this. Nothing back yet. I have been browsing SDN and I know that we are not the only ones with this problem.

Official documentation from SAP on how to do this is poor at best in my opinion. At least you could find your way through with was6.20.
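As an added example (not from any poster in this thread), a small Python parser for the '#'-delimited J2EE log records quoted above; it flags records attributed to the guest accounts (Guest, j2ee_guest), which is the check David suggests for the server log. The field positions are an assumption taken from the shape of the quoted lines rather than from SAP's format specification, and the second sample record (user SMITHJ, its id and message) is constructed.

```python
from datetime import datetime, timezone

# Constructed sample: the first record repeats the shape of a server.log line quoted in
# this thread; the second record (user SMITHJ, its id and message) is made up for contrast.
SAMPLE_LOG = """\
#1.5#001185D4FC80001400004D88000014200003F0530D31DF9C#1108664424495#/System/Server#sap.com/irj#com.sap.engine.services.jndi#j2ee_guest#15#####Thread[Thread-40,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.jndi#Plain###Path to object does not exist at jmsfactory, the whole lookup name is jmsfactory/default/QueueConnectionFactory.#
#1.5#00AABBCCDDEEFF00000000010000ABCD#1108664430000#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security#SMITHJ#16#####Thread[Thread-41,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security#Plain###Constructed sample: user SMITHJ authenticated.#
some unrelated line that is not in list format
"""

# Default guest accounts mentioned in the thread (UME "Guest" and the J2EE engine guest).
GUEST_USERS = {"guest", "j2ee_guest", "j2ee-guest"}

# Field positions observed in the quoted records (assumption: derived from the sample
# lines' shape, not from SAP's format specification).
F_VERSION, F_ID, F_TIMESTAMP, F_LOCATION, F_APP, F_LOGGER, F_USER = 1, 2, 3, 4, 5, 6, 7
F_THREAD, F_SEVERITY, F_MESSAGE = 13, 17, 23


def parse_record(line):
    """Split one '#'-delimited record into a dict, or return None if it is not one."""
    fields = line.rstrip("\r\n").split("#")
    if len(fields) <= F_MESSAGE or fields[0] != "" or fields[F_VERSION] != "1.5":
        return None
    ms = int(fields[F_TIMESTAMP])
    # Build the timestamp from integer seconds plus milliseconds to avoid float rounding.
    when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    when = when.replace(microsecond=(ms % 1000) * 1000)
    return {
        "id": fields[F_ID],
        "time": when,
        "location": fields[F_LOCATION],
        "application": fields[F_APP],
        "logger": fields[F_LOGGER],
        "user": fields[F_USER],
        "thread": fields[F_THREAD],
        "severity": fields[F_SEVERITY],
        # The message is the remainder of the record; a trailing '#' terminates it.
        "message": "#".join(fields[F_MESSAGE:]).rstrip("#"),
    }


def parse_log(text):
    """Parse every list-format record in a log; lines in other formats are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def guest_records(text):
    """Records attributed to a guest account. On a proxied request that should already be
    authenticated, these are the sign that the forwarded user was not accepted."""
    return [r for r in parse_log(text) if r["user"].lower() in GUEST_USERS]


if __name__ == "__main__":
    for r in guest_records(SAMPLE_LOG):
        print(f"{r['time'].isoformat()} {r['severity']} user={r['user']} {r['logger']}: {r['message']}")
```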

Former Member
0 Kudos

Apparently Gregor has it working. Gregor - any ideas? David - if you get a reply or resolve the problem please update me in this thread.

Thanks

Sriram

gregorw
Active Contributor
0 Kudos

Hello Sriram,

unfortunately not. Please give OSS a chance :-).

Regards

Gregor

Former Member
0 Kudos

Ok troops, looks like we are going to write up another blog on this one.

Again I have narrowed down some suspects. If we log into the server direct http://portal.evil.arg:50000/irj/portal we can all get in and see our LDAP information and the rest of our portal as if nothing is wrong.

If we log in using our IIS proxy http://please.work.now we get a logon screen but we cannot log on, we just get another logon screen.

What is the difference? We are both going to the same place. Ah, but there is a difference. If the authscheme.xml is left alone we can log on using the port 50000 address. The default is uidpwlogon. We need basic authentication to work if we are using the proxy. If we change it to "basicauthentication" it causes more problems, an additional Windows logon that has no user name or password associated with it.

I am starting to think that we need to make a custom logon module, maybe one that ties in with a new UME. We know that uidpwlogon is not going to work in the authschemes.xml and they took away ntlmuidpw from the old engine. We have to tell it to go to the LDAP but, I don't know how to do it. (yet)

There has got to be a way to alter the UME that is there now.

gregorw
Active Contributor
0 Kudos

Hello David,

have you and the others really read all two parts of my Weblog:

and

Regards

Gregor

Former Member
0 Kudos

Hi Gregor,

I was following your instructions but I'm confused when you say in your second weblog "Please do only continue if you have read the documentation and your check returns the same as in the documentation." What documentation are you referring to ?

Also I followed your instructions and I get the same error as David. When I try to access the portal thru IIS I can't login I keep getting the login screen.

Former Member
0 Kudos

Morning Gregor,

Yes, I have read your blog and I thank you for your time.

However, I have the same question as Malik, what documentation are you referring to? SAP far too often refers to documents or software that has not been released or has not been made public knowledge.

Your blog takes into account the case where you are on an intranet doing Windows Authentication and passing the user ID that has already been authenticated to the Portal.

Our problem is that we are not on an intranet for our requirement. We are going via the Internet and headers are not the solution. In WAS 6.20 logon is handled by ntlmuidpw and the logon module is com.sap.security.core.ligon.imp.windows. These items were standard in WAS 6.20. Do we now have to recreate them in 6.40? Everything points to that module question and authentication. The options shipped with SAP do not work with our scenario.

At this point I am trying to find information about re-creating what I did in 6.20.

Working with second level OSS now, attempting to get log files to them today.

Former Member
0 Kudos

I made some progress but am not sure if the approach is correct.

In the authschemes.xml I made the following change:

[code]
<authscheme-refs>
  <authscheme-ref name="default">
    <authscheme>header</authscheme>
  </authscheme-ref>
  ...
[/code]

After I made this change, the clients are also able to access the portal. However, when I log in from the server or from the client machine, I still get the "Enter Network Password" prompt.

Once I am in the portal, most of the pages do not load - I get a javascript error. When I grab the url of the page and open a new window, I login and I see that page without any errors. Of course, when I try to navigate I get the same javascript error ('undefined' is null or not an object).

Here is my IisProxy.xml - please let me know if there is anything wrong:

[code]
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE ISAPI-config[
<!ELEMENT ISAPI-config ( filter, extension, ( mapping | config )* )>
<!ATTLIST ISAPI-config
  version CDATA #REQUIRED
>
<!ELEMENT filter (log-path?)>
<!ATTLIST filter
  name CDATA #IMPLIED
  log-level CDATA "1"
  log-flags CDATA "0"
  debug-flags CDATA "0"
  priority ( high | medium | low ) "high"
  extension-url CDATA "/scripts/IisProxy.dll"
  authentication ( skip | normal | forward ) "forward"
  remote-address ( skip | forward ) "forward"
>
<!ELEMENT extension (
  keystore-dir?,
  log-path?,
  data-path?,
  trace-path? )>
<!ATTLIST extension
  name CDATA #IMPLIED
  log-level CDATA "1"
  log-flags CDATA "0"
  debug-flags CDATA "0"
  access ( filter | direct | both ) "filter"
>
<!ELEMENT keystore-dir (#PCDATA)>
<!ELEMENT log-path (#PCDATA)>
<!ELEMENT data-path (#PCDATA)>
<!ELEMENT trace-path (#PCDATA)>
<!ELEMENT mapping (
  source+,
  target,
  compress-types*,
  protocol-header?,
  certificate-header?,
  cert-chain-header?,
  cipher-header?,
  keysize-header?,
  keystore-path?,
  log-path?,
  data-path? )>
<!ATTLIST mapping
  name CDATA #IMPLIED
  log-level CDATA "1"
  log-flags CDATA "0"
  debug-flags CDATA "0"
  keep-alive ( true | false ) "true"
  use-continue ( true | false ) "true"
  close-socket ( true | false ) "true"
  close-socket-delay CDATA "1000"
  thread-count CDATA "100"
  max-socket-age CDATA "37"
>
<!ELEMENT source (protocol, host?, port?, prefix, new-prefix?)>
<!ATTLIST source
  access ( filter | direct | both ) "filter"
>
<!ELEMENT protocol (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ELEMENT port (#PCDATA)>
<!ELEMENT prefix (#PCDATA)>
<!ELEMENT new-prefix (#PCDATA)>
<!ELEMENT target (protocol, host, port)>
<!ELEMENT compress-types (#PCDATA)>
<!ATTLIST compress-types
  min-size CDATA "1024"
>
<!ELEMENT protocol-header (#PCDATA)>
<!ELEMENT certificate-header (#PCDATA)>
<!ELEMENT cert-chain-header (#PCDATA)>
<!ELEMENT cipher-header (#PCDATA)>
<!ELEMENT keysize-header (#PCDATA)>
<!ELEMENT keystore-path (#PCDATA)>
<!ELEMENT config ( source+ )>
]>
<ISAPI-config version="1.6">
  <filter name="IisProxy filter" authentication="forward" />
  <extension name="IisProxy extension" />
  <mapping name="IisProxy samples" log-level="0">
    <source>
      <protocol>http</protocol>
      <prefix>/irj/</prefix>
    </source>
    <source>
      <protocol>http</protocol>
      <prefix>/irj</prefix>
      <new-prefix>/irj/</new-prefix>
    </source>
    <source>
      <protocol>http</protocol>
      <prefix>/portal/</prefix>
      <new-prefix>/irj/</new-prefix>
    </source>
    <source>
      <protocol>http</protocol>
      <prefix>/logon/</prefix>
    </source>
    <target>
      <protocol>http</protocol>
      <host>172.24.171.2</host>
      <port>50000</port>
    </target>
    <compress-types>text/html, text/plain</compress-types>
  </mapping>
  <config>
    <source>
      <protocol>http</protocol>
      <host>172.24.171.2</host>
      <prefix>/IisProxy</prefix>
    </source>
    <source>
      <protocol>https</protocol>
      <host>172.24.171.2</host>
      <prefix>/IisProxy</prefix>
    </source>
  </config>
</ISAPI-config>
[/code]

David: Check to see if your "scripts" directory is a virtual directory or not. If it is not, then you will be sent to the portal logon screen.

Former Member
0 Kudos

Look at this one:

At the bottom with your config lines:

[code]
<config>
  <source>
    <protocol>http</protocol>
    <host>iisproxy</host>
    <prefix>/irj/</prefix>
  </source>
  <source>
    <protocol>https</protocol>
    <host>iisproxy</host>
    <prefix>/irj</prefix>
  </source>
</config>
[/code]

Try that.

>>>you said

David: Check to see if your "scripts" directory is a virtual directory or not. If it is not, then you will be sent to the portal logon screen.

I am not sure what you are getting at here. It has to be a virtual directory. Are you saying it is not supposed to be one now, is that different in 6.40?

Former Member
0 Kudos

It has to be a virtual directory. When I was playing around, I used the scripts directory that was not a virtual directory and I was sent to the logon screen. So, I thought maybe your scripts directory was not a virtual directory.

Bottom line, it has to be a virtual directory. Sorry for the confusion.

Former Member
0 Kudos

David: I changed the config as you suggested, but, I still get the javascript error ('undefined' is null or not an object)

Former Member
0 Kudos

Try to install IisProxy module 1.7 or higher (as mentioned in the SAP Windows and header authentication doc). Increase the logging level so that you can see more detailed information.

Server>services>Log Configurator

Good Luck,

JV

Former Member
0 Kudos

Seems like the IISproxy doesn't send the username from the IIS authentication.

Could you post your iisproxy.xml file?

In one of the first elements you should have an attribute authentication="forward" (or something like this, can't recall it from memory), which means that the username is sent as an HTTP header attribute to the portal.

gregorw
Active Contributor
0 Kudos

Hello Dagfinn,

the parameter authentication="forward" is in our iisproxy.xml as described in SAP Note No. 706968:

<filter name="IisProxy filter" authentication="forward" />

Regards

Gregor

Former Member
0 Kudos

Not having seen SP7 code, I would try to decompile the WindowsLoginModule class (and perhaps compare it with an SP2 patch4 version)

gregorw
Active Contributor
0 Kudos

Hello Dagfinn,

in which File can I find the Class WindowsLoginModule? I've searched for WindowsLoginModule in the \usr\sap directory but had no results.

Regards

Gregor

Former Member
0 Kudos

On SP2 it is in I:\usr\sap\EPP1\j2ee\j2ee_01\cluster\server\additional-lib\com\sap\security\api\com.sap.security.core.jar

gregorw
Active Contributor
0 Kudos

Hello,

today I've received a response to my OSS message. For the EP 6.0 >= SP3 the configuration has changed. The documentation can be found at http://service.sap.com/security > Media Library > Technical Documentation > 'Using Header Variables and Integrated Windows'.

Regards

Gregor

Former Member
0 Kudos

Hello,

I've tried to set up the integrated Windows authentication with the IisProxy module v1.6. But with activated integrated Windows authentication on the IIS it doesn't work. I always have to enter my ID and password on the portal page again. If I pass the ID with basic authentication then it works fine...

Please help!

Regards

Joerg Loechner

gregorw
Active Contributor
0 Kudos

Hello Jörg,

have you done your configuration as described in the documentation I've suggested? We have a running integrated Windows authentication with IisProxy Module V 1.6. Because I can't find the suggested 1.7 Version anywhere.

Regards

Gregor

Former Member
0 Kudos

Hello,

thank you all for your feedback. I've followed every step of the documentation but I can't locate the problem. I think the IisProxy module doesn't forward the user ID (the IIS and the Portal are both running on the same machine). Does anyone know where to get the new version of the IisProxy module (1.7)?

Thanks in advance...

Jörg

gregorw
Active Contributor
0 Kudos

Hello Jörg,

I have an OSS message open where I ask SAP the question where to get Version 1.7. Hopefully tomorrow I will publish a weblog with a description of our configuration. Stay tuned.

Regards

Gregor

gregorw
Active Contributor
0 Kudos

Hi Joerg,

the Weblog is now published at https://weblogs.sdn.sap.com/pub/wlg/920. [original link is broken] Tomorrow I will post part two.

Regards

Gregor