Former Member
May 31, 2005 at 08:36 AM

SSO using Kerberos with SAP Logon Tickets

Hi,

We want to log on from our portal to an ASP.NET application running on IIS 6.0 on WIN2003 via SAP Logon Tickets. So we tried using the KerbMap ISAPI filter provided by SAP. Everything was implemented as described in the SAP documentation "SSO22KerbMap.pdf".

When calling the application outside the portal, the SSO works because no SAP Logon Ticket is found and Windows authentication is used instead.

But when calling the AppIntegrator iView inside the portal, the SAP Logon Ticket is used, the correct user name is extracted, but then a prompt appears and I have to type UIDPW. The following information is found in the log file:

18:04:23 4312 i OnPreprocHeaders: -----------> Received URL /kerbmaptest/index.htm
18:04:23 4312 i OnPreprocHeaders: Determined account fiegem from cookie MYSAPSSO2
18:04:23 4312 i OnPreprocHeaders: SSO2Account fiegem is used for impersonation
18:04:23 4312 i OnPreprocHeaders: Running on security context of user SYSTEM before impersonation
18:04:23 4312 i LogonAsUser: LsaLookupAuthenticationPackage executed succesfully
18:04:23 4312 i LogonAsUser: LsaLogonUser handle: 2A4
18:04:23 4312 i OnPreprocHeaders: SF_STATUS_REQ_NEXT_NOTIFICATION

Another question: Is the use of Kerberos the right way to log on to this ASP.NET application from the internet? We have installed a reverse proxy in the DMZ and the application is now available from the internet. What do we have to do so that we can call this application from the internet using the reverse proxy and from the intranet calling it directly? Do we have to configure the reverse proxy filter?

Any help appreciated

Marko