12-05-2008 2:35 PM
Hello everybody
We have configured SPNEGO in our portal and everything is working fine, but now we are going to use ESS and we want to protect some iviews, like the payroll. We want to ask for the user and password.
We have created a new template in the Visual Administrator-Security Provider with the following entries:
com.sap.security.core.server.jaas.EvaluateTicketLoginModule - Sufficient - ume.configuration.active:true =yes
BasicPasswordLoginModule REQUISITE {}
com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT {ume.configuration.active=yes}
With this we have modified the authschemes.xml adding the following
lines:
Also, we have assigned this template to the iview.
Now, when we access the iview a logon screen pops up (this is
ok) but even if we put a correct user, after 3 tries a 401 error is
shown (access denied).
What can be the cause of this behaviour?
I have opened a message in OSS but this is all I have got from them:
+the point is - when SSO Ticket is expired, it won't be 401-Not Authorized HTTP error,
with header set to Negotiate, but just a J2EE runtime exception. This
would allow the user's browser to renew the SSO Kerberos ticket, which
is how SPNEGO works.
The user who is checking it is Guest user, so therefore you are getting
it.+
They don't explain anything else because this issue isn't an error... "you know what I mean"
Here I send an extract of the trace created by the diagtool:
[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REQUEST:
{GET /irj/servlet/prt/portal/prtmode/preview/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fevery_user!2fcom.sap.pct.erp.ess.bp_folder!2fcom.sap.pct.erp.ess.iviews!2fcom.sap.pct.erp.ess.benefits_payment!2fcom.sap.pct.erp.ess.area_benefits_payment?sap-config-mode=true HTTP/1.1
Accept: /
Accept-Language: es
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: portal.lubasa.es
Connection: Keep-Alive
Authorization: Basic cnVnYXJjaWE6bmFyYW5qYTM=
Cookie: j_authscheme=ESS_SCH; UserUniqueIdentifier=1228379971997; PortalAlias=portal; saplb_*=(J2EE3080100)3080151; JSESSIONID=(J2EE3080100)ID1055733851DB01046363213849042466End; MYSAPSSO2=AjExMDAgAA9wb3J0YWw6UlVHQVJDSUGIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIUlVHQVJDSUECAAMwMDADAANFUFAEAAwyMDA4MTIwNDIxNDEFAAQAAAAMCgAIUlVHQVJDSUH/AQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVBAMTA0VQUDENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgxMjA0MjE0MTIxWjAjBgkqhkiG9w0BCQQxFgQU9r0lROP9xSeA5thGNqyvEbaqrWswCQYHKoZIzjgEAwQvMC0CFQCV6qIJ2ofjbF/iMd9vVFd6U72dVwIUD7ENuEa2ID7ZVYY1kwtrrbs8!OU=; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse
n/a
}
[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REPLY:
{HTTP/1.1 401 Unauthorized
Server: SAP J2EE Engine/7.00
Content-Type: text/html;charset=ISO-8859-1
WWW-Authenticate: Basic Realm=Authentication
Pragma: no-cache
Content-Encoding: gzip
Content-Length: 594
Date: Thu, 04 Dec 2008 21:42:25 GMT
Set-Cookie: j_authscheme=ESS_SCH; Expires=Thu, 04-Dec-2008 21:42:35 GMT
n/a
}
Thank you in advance!
Rubé
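The login module stack listed in the question above, run through the standard JAAS control-flag rules, as an added example that is not part of the original post and is not SAP code. The function name `evaluate_stack` and the per-module outcomes are assumptions made for illustration; only the `login()` phase is modelled, and SAP-specific module behaviour is not reproduced.

```python
# Added illustration: standard JAAS control-flag evaluation (login phase only).
from typing import Dict, List, Tuple

# The stack from the post, top to bottom: (module name, control flag).
ESS_STACK: List[Tuple[str, str]] = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
]


def evaluate_stack(stack: List[Tuple[str, str]],
                   outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules_called).

    outcomes maps module name -> result of its login(); these are assumed
    inputs, not observed SAP behaviour. Missing modules count as failed.
    """
    called: List[str] = []
    mandatory_failed = False   # a REQUIRED or REQUISITE module has failed
    any_success = False        # at least one module succeeded
    for name, flag in stack:
        flag = flag.upper()
        ok = bool(outcomes.get(name, False))
        called.append(name)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                mandatory_failed = True
                if flag == "REQUISITE":
                    break      # REQUISITE failure ends the stack at once
        elif flag == "SUFFICIENT":
            if ok and not mandatory_failed:
                return True, called   # SUFFICIENT success ends the stack
        elif flag != "OPTIONAL":
            raise ValueError(f"unknown control flag: {flag}")
    return (not mandatory_failed) and any_success, called


if __name__ == "__main__":
    scenarios = {   # constructed outcomes, for illustration only
        "ticket accepted": {"EvaluateTicketLoginModule": True},
        "no ticket, password ok": {"BasicPasswordLoginModule": True,
                                   "CreateTicketLoginModule": True},
        "no ticket, password rejected": {},
    }
    for label, outcome in scenarios.items():
        print(label, "->", evaluate_stack(ESS_STACK, outcome))
```

Under these rules, a successful first module ends the stack before the password module is consulted, and a failed password check ends it before the ticket is created.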
12-05-2008 3:19 PM
Ruben,
I think what SAP are trying to tell you is that when authentication is enabled using SPNEGO, this will be used for all logon attempts.
I am very familiar with this scenario, and have a solution, but it involves using a third-party product. I am not aware of any way to make the SAP supplied SPNEGO login module authenticate the user using userid+password entered into browser. Instead, you need some other login modules instead and you need a way to stop your browser from receiving the 401 from the SPNEGO module when a user logs onto the ESS application.
Thanks,
Tim
12-05-2008 5:23 PM
Thanks for your answer.
Could you tell me which third-party software you use?
Best regards.
12-05-2008 5:27 PM
> Thanks for your answer.
> Could you tell me which third-party software you use?
>
> Best regards.
It is described here, right on SDN EcoHub. Check https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter
Thanks,
Tim