
SSO22KerbMap ISAPI filter on SharePoint Farm installation

Former Member
0 Kudos

Hello,

I have a running SharePoint farm and a SAP portal. I would like to have SSO in the browser from SAP portal to SharePoint. To realize this I have installed the SSO22KerbMap ISAPI Module on the SharePoint server. To do this I used the Step-by-Step guide 'SSO22KerbMap'.

After following this guide SSO works fine, however SharePoint does not. This is because the step-by-step guide says to set the IIS application pool security account to 'Local System'. A SharePoint farm installation needs a domain user for the application pool security account.

Is it possible to configure the SSO22KerbMap module using a domain user account for the IIS application pool security account instead of the 'Local System' account?

Regards,

Marcel

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hello,

Are you running SharePoint 2007? If yes, set the account to a Local System Account, restart the service and then set the account back to the NetworkService account. That should help from what I know; please let us know the result.

Juergen

Former Member
0 Kudos

Hello Juergen,

I tried your suggestion. Unfortunately it did not work, however we do not use the network service user but the domain user 'so_admin'. We have the following error report from the ISAPI filter:

14:52:04 5096/4768 i OnPreprocHeaders: Determined account swftestuser from cookie MYSAPSSO2

14:52:04 5096/4768 i OnPreprocHeaders: Running on security context of user so_admin before impersonation

14:52:04 5096/4768 i LogonAsUser: LsaLookupAuthenticationPackage executed succesfully

14:52:04 5096/4768 i LogonAsUser: LsaLogonUser handle: EAC

14:52:04 5096/4768 E OnPreprocHeaders: AcquireCredentialsHandle failed: 0x8009030E

Any ideas?

Regards,

Marcel

Edited by: m. kempers on Mar 6, 2009 4:05 PM
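
The log excerpt in the post above, parsed as an added example (not part of the original thread and not SAP's code): it ties the failing SSPI call to the cookie-mapped user and the application pool identity, and names the status code. `0x8009030E` is `SEC_E_NO_CREDENTIALS` in `winerror.h`. The field layout (two numeric ids taken as process/thread, `i`/`E` as severity) is an assumption inferred from the quoted lines, and `summarize` and `SAMPLE_LOG` are names chosen here.

```python
import re

# Constructed sample: the five log lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
14:52:04 5096/4768 i OnPreprocHeaders: Determined account swftestuser from cookie MYSAPSSO2
14:52:04 5096/4768 i OnPreprocHeaders: Running on security context of user so_admin before impersonation
14:52:04 5096/4768 i LogonAsUser: LsaLookupAuthenticationPackage executed succesfully
14:52:04 5096/4768 i LogonAsUser: LsaLogonUser handle: EAC
14:52:04 5096/4768 E OnPreprocHeaders: AcquireCredentialsHandle failed: 0x8009030E
"""

# SSPI status codes as defined in the Windows SDK header winerror.h.
SSPI_STATUS = {
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x80090305: "SEC_E_SECPKG_NOT_FOUND",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
}

# Assumed layout: time, process/thread ids, severity letter, function, message.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\d+)/(\d+) (\w) (\w+): (.*)$")

def summarize(log_text):
    """Track each id pair's request and report every failed SSPI call with context."""
    state, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a format this sketch does not know
        time, pid, tid, level, func, msg = m.groups()
        ctx = state.setdefault((pid, tid), {})
        if (u := re.search(r"Determined account (\S+) from cookie (\S+)", msg)):
            ctx["mapped_user"], ctx["cookie"] = u.groups()
        elif (u := re.search(r"security context of user (\S+) before", msg)):
            ctx["pool_identity"] = u.group(1)
        elif level == "E" and (u := re.search(r"(\w+) failed: (0x[0-9A-Fa-f]{8})", msg)):
            code = int(u.group(2), 16)
            failures.append({"time": time, "api": u.group(1), "code": u.group(2),
                             "status": SSPI_STATUS.get(code, "unknown"), **ctx})
            state.pop((pid, tid), None)  # request ended in an error; reset context
    return failures

if __name__ == "__main__":
    for failure in summarize(SAMPLE_LOG):
        print(failure)
```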

Former Member
0 Kudos

Hi Marcel,

Sorry, then I'm not sure how to solve the problem. As mentioned, it worked in 2 cases now to set the user to a local system account, restart and then move the account back. Do you have a chance to open a support call at SAP about SSO22KerbMap?

Juergen

Former Member
0 Kudos

Hello Juergen,

Thanks for your help. I will open a support call to SAP.

Regards Marcel

Former Member
0 Kudos

Hello, did you ever find a resolution based on your support message w/ SAP? Thank you. I have the same issue.

Former Member
0 Kudos

Hello Chad,

The issue is not resolved. We opened support calls at both SAP and MS. MS thought it could work but they had to change the ISAPI filter code. Since SAP is the owner of the code things became difficult. Our organisation demanded either the code or support from SAP or MS on the changed ISAPI filter, thus making things more difficult, resulting in project management deciding not to follow up on a solution with the ISAPI filter.

We are proceeding with looking for alternatives.

Marcel

Former Member
0 Kudos

Thanks, Marcel. I appreciate the response on this as we may have wasted more time troubleshooting. If you find any concrete alternative options, it would be great if you could post those here. Thank you!

Former Member
0 Kudos

Referring to the last line of your output in the log-file and in reference to the "Step-by-Step Guide" and the OSS-Note 735639 I would suggest that the problem belongs to a delegation problem.

I'm currently facing the same problem - on a single-server "farm" everything is right.

Did you investigate further in this direction, Marcel?

Former Member
0 Kudos

Hello Matthias,

You are right, it is a delegation problem. We looked into that. We also made service calls at both MS and SAP. They concluded the ISAPI filter should be changed in order for it to work, but you are welcome to give it a try. I still have hope it can be done, although I am in doubt the necessary security settings will be applicable in a production scenario.

At the moment we are working on a proof of concept using OpenSSO. This looks very promising.

Regards,

Marcel

Former Member
0 Kudos

I assume you'd also finished a couple of post-Installation steps for setting up Kerberos - like defining several SPNs and UPNs and setting up the delegation in your AD?!

What's the clue at yours? Did you enable Kerberos Error Logging? Could you fix all KDC-Errors?

Would be nice to know, if it is really the fault of the ISAPI-Filter or, as I assume, only a misconfiguration of the delegation at a corner, nobody has pointed out by now.

By now, I don't see the problem for setting out the filter in production, because by now it is only the filter and Kerberos.

Thanks for the hint with OpenSSO - I also have to think about alternatives.

Former Member
0 Kudos

Hello Matthias,

We performed the necessary Kerberos post installation steps. We also tested the Kerberos configuration without the ISAPI filter. Kerberos worked fine without any errors. Considering this and the fact we had a service call at MS and having MS security experts take a look at the problem I think there is a slight chance of misconfiguration.

Good luck finding a solution. I would appreciate it if you keep us posted on a solution.

Marcel

Former Member
0 Kudos

Hello Marcel,

Something new at yours?

After trying to manipulate as many rights as possible, I couldn't solve this "delegation problem".

According to the SAP Note 735639 "SAP has not yet tested whether the SSO22KerbMap module can be installed with IIS7 on Windows Server 2008".

It's quite unsatisfying and disturbing, because the mainstream support for Windows 2003 ends on 13 July 2010.

SAP is quite slow with new technology.

Best regards.

Matthias

Former Member
0 Kudos

Hello Matthias,

Thank you for the update. Nothing new on our side concerning the SSO22KerbMap module. However we do have a working proof of concept using OpenSSO.

Regards,

Marcel

Former Member
0 Kudos

Hi guys,

Any news on this topic? I ran into the same problem (check my own thread). I would really appreciate it if anyone of you who has an idea what went wrong and how to solve it could answer me in his thread.

Best regards,

Martin