on 02-27-2019 1:58 PM
Hi,
I am trying to authenticate to SAP Netweaver Portal 75 with an Active Directory user. It works if I use these entries:
http://host1.domain.es:50500/irj/portal
http://host1.subdomain.domain.es:50500/irj/portal
http://servername:50500/irj/portal
http://servername.domain.es:50500/irj/portal
http://servername.subdomain.domain.es:50500/irj/portal
But they have also configured a new address in the F5 rules:
They want to access the Portal with that URL without a port (obviously it is 80).
When I access the first 6 entries it works and login is done with the Windows user. When I access this last URL it returns an error and prompts the login page without logging in to the SAP Portal. The error is:
NTLM token received in authorization header
I have also made some nslookup queries:
1.- The first 6 entries return servername.domain.es
2.- The last entry returns host2.domain.es
One last thing, the Realm is configured:
- Principal only. Logon ID.
- HTTP/servername.domain.es@REALM
What could I do? Do I have to configure 2 different setspn entries for both servername.domain.es and host2.domain.es?
Thanks.
Hi, correct. You have to register every URL as SPN. Make sure you are not using CNAME (Alias).
If you are using a CNAME alias, register SPNs to the actual hostname and the CNAME. You must register the Kerberos service principal names (SPNs), the hostname, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and your browser tries NTLM authentication, which leads to that issue.
Cheers
Carsten
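An added example, not part of the original thread: a small Python check that lists which HTTP SPNs are still unregistered for the names users type and the names DNS returns for them, following the advice in the answer above. The alias host name `portal-alias.example.test` and the service account name are placeholders, because the thread shows neither; the DNS mapping is constructed from the nslookup results in the question.

```python
from urllib.parse import urlsplit

# Constructed sample data. The F5 host name and the service account are
# placeholders: the thread does not show either value.
URLS = [
    "http://servername.domain.es:50500/irj/portal",
    "http://portal-alias.example.test/irj/portal",   # placeholder for the F5 URL
]
# Name each typed host resolves to (the nslookup results in the question).
DNS = {
    "servername.domain.es": "servername.domain.es",
    "portal-alias.example.test": "host2.domain.es",
}
REGISTERED = ["HTTP/servername.domain.es@REALM"]      # from the question


def spn_candidates(host):
    """Return the FQDN and short-name HTTP SPNs for one host name."""
    host = host.lower().rstrip(".")
    return {f"HTTP/{host}", f"HTTP/{host.split('.', 1)[0]}"}


def required_spns(urls, dns):
    """SPNs for every name users type and for the name DNS resolves it to."""
    needed = set()
    for url in urls:
        host = urlsplit(url).hostname
        needed |= spn_candidates(host)
        if host in dns:
            needed |= spn_candidates(dns[host])
    return needed


def missing_spns(urls, dns, registered):
    """Required SPNs that are not registered (realm suffix and case ignored)."""
    have = {s.split("@", 1)[0].lower() for s in registered}
    return sorted(s for s in required_spns(urls, dns) if s.lower() not in have)


def setspn_commands(spns, account):
    """setspn -S refuses to add an SPN that already exists on another account."""
    return [f"setspn -S {spn} {account}" for spn in spns]


if __name__ == "__main__":
    for cmd in setspn_commands(missing_spns(URLS, DNS, REGISTERED),
                               "SERVICE_ACCOUNT_PLACEHOLDER"):
        print(cmd)
```

Review the printed commands before running them; a duplicate SPN on a second account breaks Kerberos for that name just as a missing one does.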