
Logon Prompt with Single Sign On

Former Member
0 Kudos

Hello,

We are running Netweaver04s portal. We have spNego configured for single sign on. Now whenever we go to the portal it automatically authenticates you. How do I initialize the logon screen and log on with a different user with spNego on? We have test users we need to log on with.

Thanks

Lee

Accepted Solutions (1)


Former Member
0 Kudos

How about this,

Create a new LogonModule Stack (say, "Force_Ticket") with the following logon modules.

com.sap.security.core.server.jaas.EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true

BasicPasswordLoginModule | REQUISITE |

com.sap.security.core.server.jaas.CreateTicketLoginModule | OPTIONAL | ume.configuration.active=true

Then assign this Logonstack to your iview

Former Member
0 Kudos

Do you know how to create this stack?

Answers (5)


Former Member
0 Kudos

Hi Lee,

Can you share with me further how you configured the Logon Prompt as provided by SAP?

I tried the Negotiate method but failed. Can you help?

Thanks

Regards,

Jason

Former Member
0 Kudos

I got a solution from SAP that worked. Thanks everyone for their suggestions.

Former Member
0 Kudos

Would it be possible to post SAP's solution here, for the benefit of everyone ?

Former Member
0 Kudos

Here is what I did to use password logon and SPNego simultaneously.

1. Modify authschemes definition file and add the following.

<authscheme name="negotiate">
    <authentication-template>negotiate</authentication-template>
    <priority>20</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>

2. Create a new login module stack named negotiate, which is used for Kerberos. Set as follows.

EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true

SPNegoLoginModule | OPTIONAL | com.sap.spnego.jgss.name=HTTP/hades.customer.de@IT.CUSTOMER.DE

CreateTicketLoginModule | SUFFICIENT | ume.configuration.active=true

BasicPasswordLoginModule | REQUISITE |

CreateTicketLoginModule | OPTIONAL | ume.configuration.active=true

3. Use the following URL to call the portal launcher. You can create a new iview if needed and call that.

http://<host>:50000/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default?...

Notice the authscheme=negotiate at the end. This URL will allow you to log in automatically with Kerberos. If you log in as normal, you will get prompted. Let me know if you have more questions.
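
The two stacks posted in this thread ("Force_Ticket" from the accepted solution and "negotiate" from the post above), evaluated with standard JAAS control-flag semantics. This is an added example, not part of the original posts and not SAP's code; the module behaviour is a simplified model, and the request fields, user store and account names are constructed assumptions.

```python
import hmac

USERS = {"testuser1": "constructed-pw"}    # constructed sample user store

def evaluate_ticket(req, st):              # is a valid logon ticket already present?
    st["user"] = req.get("ticket_user") or st["user"]
    return req.get("ticket_user") is not None

def spnego(req, st):                       # did the browser send a Kerberos token?
    st["user"] = req.get("kerberos_user") or st["user"]
    return req.get("kerberos_user") is not None

def basic_password(req, st):               # user ID and password from the logon form
    user, pw = req.get("user"), req.get("password")
    ok = user in USERS and pw is not None and hmac.compare_digest(USERS[user], pw)
    if ok:
        st["user"] = user
    return ok

def create_ticket(req, st):                # assumption: needs an authenticated user
    return st["user"] is not None

NEGOTIATE = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("SPNegoLoginModule", "OPTIONAL", spnego),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]
FORCE_TICKET = [NEGOTIATE[0], NEGOTIATE[3], NEGOTIATE[4]]

def evaluate_stack(stack, req):
    """Return (authenticated, user, trace) for one logon request."""
    st, trace = {"user": None}, []
    required_ok, any_required, any_other_ok = True, False, False
    for name, flag, module in stack:
        ok = module(req, st)
        trace.append((name, flag, ok))
        if flag in ("REQUIRED", "REQUISITE"):
            any_required, required_ok = True, required_ok and ok
            if flag == "REQUISITE" and not ok:
                break                      # REQUISITE failure aborts the stack
        elif ok:
            any_other_ok = True
            if flag == "SUFFICIENT" and required_ok:
                break                      # SUFFICIENT success ends evaluation
    authenticated = required_ok and (any_required or any_other_ok)
    return authenticated, (st["user"] if authenticated else None), trace
```

In this model a request that carries a Kerberos token never reaches BasicPasswordLoginModule in the negotiate stack, while the Force_Ticket stack ignores the token and authenticates the typed user. An existing logon ticket short-circuits both stacks at EvaluateTicketLoginModule.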

Former Member
0 Kudos

Lee, if you want to prevent IE from automatically logging on when using integrated authentication, you could try disabling it in the browser. In IE, Tools --> Internet options --> Security, select the security zone and click "Custom Level" --> scroll to the bottom to "User Authentication/Logon" and change to "Prompt for user name and password".

Not sure if it will solve your problem with spNego on Netweaver04s but it may help.

Peter

Former Member
0 Kudos

That did not seem to work. Any other suggestions? I need this in place ASAP.

Thanks,

LEE

Former Member
0 Kudos

Nope. No more ideas, sorry.

We'll see if someone else comes along.

How about some SDN points? Hopefully I could get an Amazon gift card after 20 more years on SDN. Did you manage to get any spnego references/steps for me?

Former Member
0 Kudos

Lee,

Off the cuff, I guess you must have configured the login module stack with a fallback mechanism as documented under:

http://help.sap.com/saphelp_nw04/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm

So if you want to allow your portal to prompt for IDs, you could switch off the Windows Integrated Authentication on that particular IE.

This can be done via Tools->Options->Advanced->Security by removing the option "Enable Windows Integrated Authentication". You need to restart every time you do this. So maybe it's better to designate a few PCs for your test users to log on.

I am very surprised that you seem to be able to configure spnego so easily.

I have been struggling for 2 weeks eating/sleeping spnego parameters and could not even get past the "Acquire Creditations" test on the spnegoconfig test tool.

I know this is a long-shot request, but are there any gotchas or even a rough guide that you used or referred to? I am doing a non-ADS data store scenario (SUN ONE LDAP).

That would really be helpful.

Former Member
0 Kudos

I was not the one who configured the SPNego. I know we had an OSS message open for it for a while. I will see if I can get some information.

Switching the Windows Integrated Authentication in IE will not be a solution for us. We need a solution where we can link into the login page and log in with a different user. I have created an iview in which I set the authentication to basicauthentication. If I load that iview directly, it will bring up an IE prompt for a user name and password. I can log in with a different ID and it works. I want it to load the SAP logon page instead. How do I do that?