SPNEGO authentication

Former Member
0 Kudos

Hi,

I have a dual stack installation (ABAP+J2EE) with an ABAP UME. I wish to implement LDAP authentication and understand that the configuration cannot be changed due to a limitation imposed when the UME is ABAP. SPNEGO (Kerberos) authentication is not ideal in our case (although it can be done), but I require the users to be prompted for username and password a second time when opening a portal session once they have been authenticated via the LAN, due to security policy for ESS.

Is it possible to invoke a second challenge once authenticated via the LAN in a Kerberos (SPNEGO) setup in the above scenario?

Thanks

Accepted Solutions (0)

Answers (1)

tim_alsop
Active Contributor
0 Kudos

> Hi,
>
> I have a dual stack installation (ABAP+J2EE) with an ABAP UME. I wish to implement LDAP authentication and understand that the configuration cannot be changed due to a limitation imposed when the UME is ABAP. SPNEGO (Kerberos) authentication is not ideal in our case (although it can be done), but I require the users to be prompted for username and password a second time when opening a portal session once they have been authenticated via the LAN, due to security policy for ESS.

The SAP-supplied SPNEGO login module, which implements the Negotiate protocol, causes the user to be logged into the portal using the Kerberos credentials on the workstation, which were issued when they logged onto the workstation with an AD domain account. Instead, it sounds like you actually need Kerberos authentication, so that the user can enter an Active Directory account name and password into the browser when they log on to the portal, and this account name and password is checked with Active Directory before the user is given an SSO2 ticket and subsequently logged in? If this is correct, I don't think SAP supports this, but I know for a fact that at least one SAP partner product provides this exact functionality.

Also, the same product mentioned above will give SPNEGO support when ABAP UME is used, and does not require LDAP UME.

> Is it possible to invoke a second challenge once authenticated via the LAN in a Kerberos (SPNEGO) setup in the above scenario?

See my above answer.

> Thanks

Former Member
0 Kudos

Hi Tim,

Could you please provide the name of the SAP partner product? I was also planning to install another J2EE engine purely for the authentication part, so in theory there would be a dual stack install with an ABAP datasource along with another J2EE engine to provide the authentication part.

rgds,

Hamish

tim_alsop
Active Contributor
0 Kudos

Hamish,

The product is called TrustBroker Adapter. You can find details at http://www.sap.com/eapcatalog if you search for Kerberos.

Thanks,

Tim