on 03-03-2009 1:21 PM
Hello,
I have a running SharePoint farm and a SAP portal. I would like to have SSO in the browser from SAP portal to SharePoint. To realize this I have installed the SSO22KerbMap ISAPI Module on the SharePoint server. To do this I used the Step-by-Step guide 'SSO22KerbMap'.
After following this guide SSO works fine, however SharePoint is not. This is because the step-by-step guide says to set the IIS application pool security account to 'Local System'. A SharePoint farm installation needs a domain user for the application pool security account.
Is it possible to configure the SSO22KerbMap module using a domain user account for the IIS application pool security account instead of the 'Local System' account?
Regards,
Marcel
Hello,
Are you running SharePoint 2007? If yes, set the account to a Local System account, restart the service, and then set the account back to the NetworkService account. That should help from what I know; please let us know the result.
Juergen
Hello Juergen,
I tried your suggestion. Unfortunately it did not work; however, we do not use the network service user but the domain user 'so_admin'. We have the following error report from the ISAPI filter:
14:52:04 5096/4768 i OnPreprocHeaders: Determined account swftestuser from cookie MYSAPSSO2
14:52:04 5096/4768 i OnPreprocHeaders: Running on security context of user so_admin before impersonation
14:52:04 5096/4768 i LogonAsUser: LsaLookupAuthenticationPackage executed succesfully
14:52:04 5096/4768 i LogonAsUser: LsaLogonUser handle: EAC
14:52:04 5096/4768 E OnPreprocHeaders: AcquireCredentialsHandle failed: 0x8009030E
Any ideas?
Regards,
Marcel
Edited by: m. kempers on Mar 6, 2009 4:05 PM
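Added example (not part of any post in this thread and not SAP's code): a small Python triage script for the filter log quoted above. It groups lines by the numeric id pair, records which account was mapped from the cookie and which identity the worker ran as, and decodes the SSPI status of the failing call. The line layout is an assumption inferred from the five quoted lines; the status names are the ones defined in the Windows SDK header winerror.h.

```python
import re

# The five filter log lines quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = """\
14:52:04 5096/4768 i OnPreprocHeaders: Determined account swftestuser from cookie MYSAPSSO2
14:52:04 5096/4768 i OnPreprocHeaders: Running on security context of user so_admin before impersonation
14:52:04 5096/4768 i LogonAsUser: LsaLookupAuthenticationPackage executed succesfully
14:52:04 5096/4768 i LogonAsUser: LsaLogonUser handle: EAC
14:52:04 5096/4768 E OnPreprocHeaders: AcquireCredentialsHandle failed: 0x8009030E
"""

# SSPI status codes as defined in the Windows SDK header winerror.h.
SSPI_STATUS = {
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
}

# Assumed layout (inferred from the sample only):
# time, two numeric ids, one-letter level, function name, message.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\d+)/(\d+) (\w) (\w+): (.*)$")
ACCOUNT_RE = re.compile(r"Determined account (\S+) from cookie (\S+)")
CONTEXT_RE = re.compile(r"security context of user (\S+) before impersonation")
FAILED_RE = re.compile(r"(\w+) failed: (0x[0-9A-Fa-f]{8})")

def triage(log_text):
    """Group lines by the id pair and summarise each failed mapping attempt."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything not in the assumed line format
        _time, id_a, id_b, level, func, msg = m.groups()
        req = requests.setdefault((id_a, id_b), {"steps": []})
        req["steps"].append(func)
        if acct := ACCOUNT_RE.search(msg):
            req["mapped_account"], req["cookie"] = acct.groups()
        if ctx := CONTEXT_RE.search(msg):
            req["pool_identity"] = ctx.group(1)
        if level == "E" and (err := FAILED_RE.search(msg)):
            code = int(err.group(2), 16)
            req["failed_call"] = err.group(1)
            req["status"] = SSPI_STATUS.get(code, f"unknown 0x{code:08X}")
    return [r for r in requests.values() if "failed_call" in r]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["pool_identity"], "->", r["mapped_account"], r["failed_call"], r["status"])
```

On the quoted lines it reports the pool identity so_admin, the mapped account swftestuser, and AcquireCredentialsHandle failing with SEC_E_NO_CREDENTIALS after both LogonAsUser lines logged without error.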
Hello Chad,
The issue is not resolved. We opened support calls at both SAP and MS. MS thought it could work but they had to change the ISAPI filter code. Since SAP is the owner of the code things became difficult. Our organisation demanded either the code or support from SAP or MS on the changed ISAPI filter, thus making things more difficult and resulting in project management deciding not to follow up on a solution with the ISAPI filter.
We are proceeding with looking for alternatives.
Marcel
Referring to the last line of your output in the log file and in reference to the "Step-by-Step Guide" and the OSS-Note 735639, I would suggest that this is a delegation problem.
I'm currently facing the same problem - on a single-server "farm" everything is right.
Did you investigate further in this direction, Marcel?
Hello Matthias,
You are right, it is a delegation problem. We looked into that. We also made service calls at both MS and SAP. They concluded the ISAPI filter should be changed in order for it to work, but you are welcome to give it a try. I still have hope it can be done, although I doubt the necessary security settings will be applicable in a production scenario.
At the moment we are working on a proof of concept using OpenSSO. This looks very promising.
Regards,
Marcel
I assume you also finished a couple of post-installation steps for setting up Kerberos - like defining several SPNs and UPNs and setting up the delegation in your AD?!
What's the clue at yours? Did you enable Kerberos error logging? Could you fix all KDC errors?
Would be nice to know if it is really the fault of the ISAPI filter or, as I assume, only a misconfiguration of the delegation in some corner that nobody has pointed out by now.
By now, I don't see the problem for setting out the filter in production, because by now it is only the filter and Kerberos.
Thanks for the hint with OpenSSO - I also have to think about alternatives.
Hello Matthias,
We performed the necessary Kerberos post-installation steps. We also tested the Kerberos configuration without the ISAPI filter. Kerberos worked fine without any errors. Considering this and the fact we had a service call at MS and having MS security experts take a look at the problem I think there is a slight chance of misconfiguration.
Good luck finding a solution. I would appreciate it if you keep us posted on a solution.
Marcel
Hello Marcel,
Something new at yours?
After trying to manipulate as many rights as possible, I couldn't solve this "delegation problem".
According to the SAP Note 735639 "SAP has not yet tested whether the SSO22KerbMap module can be installed with IIS7 on Windows Server 2008".
It's quite unsatisfying and disturbing, because the mainstream support for Windows 2003 ends on 13 July 2010.
SAP is quite slow with new technology.
Best regards.
Matthias