03-09-2007 2:39 PM
Hi All
We have configured an external Web Access Management product (reverse proxy, passthrough) for authentication to access our BI Java 7.0 application using a header variable. We have configured authschemes.xml and the UME properties.
When we try to access our BI Java 7.0 application, we get the error below:
" Cannot logon user defined in header variable"
Please help me with this if anyone has faced this type of issue.
Waiting for your fast response on this.
Thanks with Regards
Deelip Kumar
03-12-2007 8:37 AM
Can you please check whether the user name in the header exists on the BI Java?
Look also for the hints <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/c5/2dfb40ee74f723e10000000a155106/frameset.htm">in the docs for Logon Failed</a>.
Regards,
Patrick
03-12-2007 9:16 AM
Hi Patrick
Thanks for your reply
Yes, that ID exists in BI Java, but my BI Java is not connected to an ABAP backend system. Is backend system integration mandatory with BI Java to use header variable authentication?
When I deactivate the header variable, I am able to log in to my BI Java with the same ID. I have changed only authschemes.xml and the UME properties to authenticate with the header variable. Do I need to make any other configuration?
Please reply
Thanks with Regards
Deelip Kumar
03-12-2007 9:36 AM
Hi Deelip
Yes, you also have to adapt the logon module stack configuration. Please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm">docs about using header variables</a>.
regards,
Patrick
03-12-2007 11:08 AM
Hi Patrick
Thanks for helping me....
I configured the logon module stack below in Visual Administrator (Policy configuration ---> Authentication) but am still getting the same error:
BasicPasswordLoginModule REQUISITE {}
HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=usr_name}
Please suggest, also can you please send me your personal email Id so that i can send you authschemes.xml file where i have made the changes
Thanks with Regards
Deelip Kumar
03-12-2007 11:51 AM
Hi Deelip,
your logon stack is incorrect. A full logon stack could look like the following:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
com.sap.security.core.server.jaas.HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=usr_name}
com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
Regarding on the parameters used above, please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/frameset.htm">docs on Login Modules and Login Module Stacks</a>.
regards,
Patrick
03-12-2007 2:05 PM
Hi Patrick
I made the changes as suggested by you but am still getting the same error. Below are the changes which I made in the authschemes.xml file:
<authscheme name="header">
<authentication-template>
header=usr_name
</authentication-template>
<priority>5</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
</authscheme>
<!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
<authscheme name="anonymous">
<priority>-1</priority>
</authscheme>
</authschemes>
<!-- References for Authentication Schemes, this section must be after authschemes -->
<authscheme-refs>
<authscheme-ref name="default">
<authscheme>header</authscheme>
</authscheme-ref>
<authscheme-ref name="UserAdminScheme">
<authscheme>uidpwdlogon</authscheme>
</authscheme-ref>
</authscheme-refs>
Is the header=usr_name entry OK, or do we just need to leave header?
Please suggest, thanks for your help so far on this
Thanks with Regards
Deelip Kumar
03-12-2007 3:35 PM
Hi Deelip,
the authentication-template is a reference to a login module stack name.
For header based authentication I would recommend not to change the authschemes at all (as long as you do not want to achieve something special by this), only the ticket login module stack. If you really need to change the authschemes.xml, please check <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/d3/1dd4516c518645a59e5cff2628a5c1/frameset.htm">the example in the docs</a>.
Did you change the ticket login module stack ?
Regards,
Patrick
03-12-2007 5:27 PM
Hi Patrick
I have a doubt about one thing. In Visual Administrator the login module stacks below are available:
SAP-J2EE-Engine this is a default configured login module stack that can be used by everyone.
· Basic allows for Basic Authentication, supported by the Web container.
· Client allows for client certificate authentication, supported by the Web container.
· Digest allows for digest authentication, supported by the Web container.
· Form allows for form authentication, supported by the Web container.
· Ticket used for creating and verifying logon tickets.
· Evaluation assertion ticket used for verifying assertion tickets (tickets used between systems).
I have selected SAP J2EE Engine and then defined the below Logon stack
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule REQUIRED {ume.configuration.active=true, Header=}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
I do not understand whether this is right or whether we should create a new policy under policy configuration and then define the above stack. Now I am also facing a problem logging in to Visual Administrator.
Please suggest
Thanks with Regards
Deelip Kumar
03-13-2007 7:14 AM
Hi Deelip,
please read the docs. You configure the portal login stack being used by the authschemes.xml.
You should NEVER change the SAP-J2EE-Engine login stack, as this is being used by the VA.
The default login stack for the portal is called ticket. This is the one which should have been changed, and only this one.
There is a <a href="https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/17be8b32-0a01-0010-51bc-8fe5e11d204e">presentation on SDN</a> about that topic, which gives some background info. There is also <a href="https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/4849f574-0701-0010-0ea2-ef19dc792042">an e-learning about JAAS and how it works</a> on SDN.
regards,
Patrick
03-13-2007 9:00 AM
Hi Patrick
This means I should select the "Ticket" login stack and make the changes, right?
Just for your info, right now we have not connected this portal to our backend system. I believe this is also not mandatory to test authentication through the external WAM, right?
Please reply
I will try to configure the "ticket" login stack and provide feedback.
Thanks with Regards
Deelip Kumar
03-13-2007 9:34 AM
Hi Deelip,
yes, you should only change the ticket login stack and nothing else.
No the Backend systems are not required to test header based authentication.
Regards,
Patrick
03-13-2007 9:49 AM
Hi Patrick
So I am going to add the login stack like below for the "ticket" logon stack:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule REQUIRED {ume.configuration.active=true, Header=usr_name}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
Is it OK, or do you want me to change something?
Thanks for your all help so far on this, really appreciate your help
Thanks
Deelip Kumar
03-13-2007 9:59 AM
Hi Deelip,
if you want to be able to also log in using Basic Password, the stack should read:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule <b>OPTIONAL</b> {ume.configuration.active=true, Header=usr_name}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
If not, you can also use
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=usr_name}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
regards,
Patrick
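How the control flags make these two stacks behave differently, as an added example that is not part of the original posts and is not SAP code. It applies standard JAAS flag evaluation; the `NEEDS` table and the rule that CreateTicketLoginModule only succeeds after an earlier module has authenticated a user are simplifying assumptions.

```python
# Added illustration, not SAP code: standard JAAS control-flag evaluation
# applied to the two "ticket" stacks quoted in the post above.

STACK_WITH_PASSWORD = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]
STACK_HEADER_ONLY = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

# Assumption: the credential each module looks for in the request.
NEEDS = {
    "EvaluateTicketLoginModule": "ticket",
    "HeaderVariableLoginModule": "header",
    "BasicPasswordLoginModule": "password",
}


def evaluate(stack, presented):
    """Return (authenticated, names of the modules that ran)."""
    mandatory_ok = True   # no REQUIRED/REQUISITE module has failed yet
    any_success = False
    ran = []
    for module, flag in stack:
        if module == "CreateTicketLoginModule":
            # Assumption: succeeds only once an earlier module has
            # authenticated a user.
            ok = any_success
        else:
            ok = NEEDS[module] in presented
        ran.append(module)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            mandatory_ok = False
            if flag == "REQUISITE":
                return False, ran      # REQUISITE failure stops the stack
        if flag == "SUFFICIENT" and ok and mandatory_ok:
            return True, ran           # SUFFICIENT success stops the stack
    # All mandatory modules passed and at least one module succeeded.
    return mandatory_ok and any_success, ran
```

With the first stack a request carrying only a password still authenticates because the failed OPTIONAL header module is ignored; with the second stack the same request is rejected at the REQUISITE header module.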
03-13-2007 10:10 AM
Hi Patrick
What do you mean by Login with Basic Password ??
Thanks with Regards
Deelip Kumar
03-13-2007 10:14 AM
Authentication at the portal using username and password.
Regards,
Patrick
03-13-2007 10:42 AM
Hi Patrick
I configured the login stack as suggested by you but still getting the same error
I have selected Authentication Template as "no" for the ticket logon stack, is that OK?
Can I attach something here? I want to attach the VA screenshot where I have done the configuration.
Thanks with regards
Deelip Kumar
03-13-2007 10:57 AM
Hi Patrick
Below is HTTP Log
[1173783268987][Mar 13, 2007 3:54:28 AM ] - CLIENT: 4608, REPLY:
{}
[1173783268987][Mar 13, 2007 3:54:28 AM ] - CLIENT: 4608, RESPONSE TIME: 46
[1173783269519][Mar 13, 2007 3:54:29 AM ] - CLIENT: 4864, REQUEST:
{POST /irj/portal HTTP/1.1
Via: 1.1 https-sappldv1.cadence.com
Proxy-jroute: Ls63
Content-length: 48
Content-type: application/x-www-form-urlencoded
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shock
wave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application
/msword, /
Referer: http://sappldv1.cadence.com/irj/portal
Accept-language: en-us
Accept-encoding: gzip, deflate
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0
.50727; .NET CLR 1.1.4322)
Host: sappldv1.cadence.com
Cache-control: no-cache
User: deelips
Role: excacc.CADUSR
Locale: ja_JP
Sessionid: SMS_cdsga70apd_7ac816::46651beea0706adc39c520dd72c3bd84
Authmethod: UserPassword
SCCRYPTICUSERID: edlepis
Cookie: usr_name=deelips; AUTH_SESSION_ID=SMS_cdsga70apd_7ac816::46651beea0706ad
c39c520dd72c3bd84; JSESSIONID=(J2EE15348100)ID1212035750DB11205774199674154851En
d; saplb_*=(J2EE15348100)15348150; PortalAlias=portal
Proxy-ip: 158.140.252.206
login_submit=header&j_user=&j_authscheme=default}
[1173783269552][Mar 13, 2007 3:54:29 AM ] - CLIENT: 4864, REPLY:
{HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Encoding: gzip
Date: Tue, 13 Mar 2007 10:54:29 GMT
Transfer-Encoding: chunked
Set-Cookie: PortalAlias=portal; Path=/
Please suggest
Thanks
Deelip
03-13-2007 11:35 AM
Hi Deelip,
the header module cannot use cookies but headers only. It seems that the header name really is User or SCCRYPTICUSERID. Please check your config.
Again, please have a look at the e-learning and the docs. They do list the steps required pretty well.
First reset the system to do local authentication. If this works, you can start changing it.
Regards,
Patrick
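The check described in the post above, as an added example that is not part of the original thread: it takes a raw request head and reports whether the name configured as `Header=` arrives as a real HTTP header or only as a cookie. `SAMPLE_REQUEST` is an excerpt of the request from the log in this thread with the Cookie line shortened and a blank line added before the body; the function names are hypothetical.

```python
# Added illustration: does the configured Header= name reach the server as an
# HTTP header, or only as a cookie (which the header login module ignores)?

# Excerpt of the logged request from this thread; Cookie line shortened and a
# blank line inserted before the body for parsing.
SAMPLE_REQUEST = """POST /irj/portal HTTP/1.1
Host: sappldv1.cadence.com
User: deelips
Authmethod: UserPassword
SCCRYPTICUSERID: edlepis
Cookie: usr_name=deelips; PortalAlias=portal

login_submit=header&j_user=&j_authscheme=default"""


def parse_request(raw):
    """Return ({lowercased header name: value}, {cookie name: value})."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            # HTTP header names are case-insensitive, so compare lowercased.
            headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            cookies[key] = value
    return headers, cookies


def locate(name, raw=SAMPLE_REQUEST):
    """Classify a configured name as 'header', 'cookie-only' or 'absent'."""
    headers, cookies = parse_request(raw)
    if name.lower() in headers:
        return "header"
    if name in cookies:
        return "cookie-only"
    return "absent"
```

Because the login module accepts whatever user name arrives in that header, the reverse proxy has to overwrite any client-supplied copy of it, and the J2EE port should be reachable only through the proxy.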
03-13-2007 11:41 AM
Hi Patrick
Is this configuration required at reverse proxy or web server ??
I am getting below error in security.log
"no loginmodules configured for Header"
Please suggest
Thanks
Deelip
03-13-2007 11:46 AM
Hi Deelip,
I would recommend to get the help of a consultant in this case.
I can not explain everything here, this is not the purpose of this forum, sorry.
Get the system back into a running state by resetting the config. I would guess, you simply have a wrong authschemes.xml as already stated above in one of my posts.
Regards,
patrick
03-13-2007 11:57 AM
Hi Patrick
Just for your information
When i deactivate the "header" authentication by changing authschemes.xml file and use authentication as userid/password then after entering userID/Password for External WAM, the portal Logon page appears and i am able to login with my Portal userId and password
So do not understand whether problem is at reverse proxy configuration (this is configured by different resource in my company ) or at Portal level
Thanks
Deelip
03-13-2007 12:00 PM
Hi Deelip,
in THIS configuration, where your password does work, please change the Ticket login module stack (and nothing else please).
Make sure, that you did activate the Header login module (see the docs and logs of the server, as outlined above and in the other post referenced above).
Based on the info you provided so far, the following stack should work:
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=User}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
regards,
Patrick
03-13-2007 1:14 PM
Hi Patrick
Thanks for all your help on this. I am able to log in after making the changes, I mean setting "Header=User".
Thanks for all your help on this. I appreciate your fantastic support.
Also, do I need to ask my resource who has configured the External Web Access Management to change anything, since he has used usr_name for the header?
Thanks
Deelip Kumar
03-13-2007 2:04 PM
Hi Deelip,
your colleague may have added a cookie named usr_name. This is not necessary from an SAP point of view.
I'm not quite sure, what is required as I do not know enough to judge.
Regards,
Patrick
03-13-2007 2:20 PM
Hi Patrick
One more request for help: as you know, we also use http://servername:Port #, in our case it is http://sapplev1.cadence.com:50100
So when I access any option from here, the portal prompts me (Portal Logon page, as this is not configured for external authentication) to enter user ID and password. After entering my portal ID and password, it says "no loginmodules configured for header".
Why does the system mention the login module here, as we do not need external authentication to access this URL http://sapplev1.cadence.com:50100?
We have configured External authentication for URL http://sapplev1.cadence.com:50100/irj
Please guide me
Thanks
Deelip
03-13-2007 3:48 PM
please check the authschemes.xml. Check for a section with the following:
<authentication-template>
header
</authentication-template>
Remove that authscheme.
regards,
Patrick
03-13-2007 7:41 PM
Hi Patrick
Do you want me to comment these 3 Rows mentioned in your reply
Thanks
Deelip kumar
03-14-2007 11:30 AM
Hi Patrick
I removed the below from authschemes.xml file, now getting error "UNKNOWN_ERROR" while entering my portalID/PAssword to access user management from url http://sapplev1.cadence.com:50100
<authscheme name="header">
<authentication-template>
header
</authentication-template>
<priority>5</priority>
<frontendtype>2</frontendtype>
<frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
Also, after deleting the above, my external authentication gives the error below after entering UserID/Password:
503 Service Unavailable
SAP J2EE Engine/7.00
Servlet [prt] will be unavailable for undefined time.
Details: javax.servlet.UnavailableException: Initialization of Dispatcher failed
Exception id: [00144F21A09C0065000000510000011A00042BA13F9F1A81
Please suggest
thanks with Regards
Deelip Kumar