on 04-05-2006 2:53 PM
Hello,
We are running Netweaver04s portal. We have spNego configured for single sign on. Now whenever we go to the portal it automatically authenticates you. How do I initialize the logon screen and log on with a different user with spNego on? We have test users we need to log on with.
Thanks
Lee
How about this,
Create a new LogonModule Stack (say... "Force_Ticket") with the following logon modules.
com.sap.security.core.server.jaas.EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
BasicPasswordLoginModule | REQUISITE |
com.sap.security.core.server.jaas.CreateTicketLoginModule | OPTIONAL | ume.configuration.active=true
Then assign this Logonstack to your iview
Hi Lee,
Can you help me further with how you configured the Logon Prompt as provided by SAP?
I tried the Negotiate method but failed. Can you help?
Thanks
Regards,
Jason
I got a solution from SAP that worked. Thanks everyone for their suggestions.
Here is what I did to use password logon and SPNego simultaneously.
1. Modify the authschemes definition file and add the following.
<authscheme name="negotiate">
    <authentication-template>
        negotiate
    </authentication-template>
    <priority>20</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
2. Create a new login module stack named negotiate, which is used for Kerberos. Set as follows.
EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
SPNegoLoginModule | OPTIONAL | com.sap.spnego.jgss.name=HTTP/hades.customer.de@IT.CUSTOMER.DE
CreateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
BasicPasswordLoginModule | REQUISITE |
CreateTicketLoginModule | OPTIONAL | ume.configuration.active=true
3. Use the following URL to call the portal launcher. You can create a new iview if needed and call that.
Notice the authscheme=negotiate at the end. This URL will allow you to log in automatically with Kerberos. If you log in as normal, you will get prompted. Let me know if you have more questions.
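Added example, not part of the original thread and not SAP code: a small Python model of how the standard JAAS control flags (SUFFICIENT, REQUISITE, OPTIONAL) route a request through the two login module stacks posted above. Module outcomes are simulated from a constructed request dict, and the rule that CreateTicketLoginModule succeeds only after an earlier module has authenticated the user is an assumption of the model.

```python
# Added illustration: JAAS control-flag evaluation over the two stacks posted
# in this thread. Module outcomes are simulated; no SAP API is called.
NEGOTIATE = [  # stack from step 2 of the post above
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNegoLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]
FORCE_TICKET = [  # stack suggested earlier in the thread (no SPNego module)
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def module_result(name, req, authenticated):
    """Simulated outcome of one module for a constructed request dict."""
    if name == "EvaluateTicketLoginModule":
        return req.get("ticket") == "valid"
    if name == "SPNegoLoginModule":
        return req.get("kerberos") == "valid"
    if name == "BasicPasswordLoginModule":
        return req.get("password") == "correct"
    # Assumption: CreateTicketLoginModule succeeds only when an earlier
    # module in the same pass has already authenticated the user.
    return authenticated

def evaluate(stack, req):
    """Return (login_ok, module_that_authenticated) per JAAS flag semantics."""
    authenticated_by, required_failed, any_ok = None, False, False
    for name, flag in stack:
        ok = module_result(name, req, authenticated_by is not None)
        if ok and authenticated_by is None and name != "CreateTicketLoginModule":
            authenticated_by = name
        any_ok = any_ok or ok
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, authenticated_by   # stop: rest of stack is skipped
        if flag == "REQUISITE" and not ok:
            return False, None              # stop: hard failure
        if flag == "REQUIRED" and not ok:
            required_failed = True          # keep going, but login will fail
    ok = any_ok and not required_failed
    return ok, (authenticated_by if ok else None)

if __name__ == "__main__":
    for label, stack in (("negotiate", NEGOTIATE), ("Force_Ticket", FORCE_TICKET)):
        for req in ({"kerberos": "valid"}, {"password": "correct"}, {}):
            print(label, req, evaluate(stack, req))
```

In this model a request carrying a Kerberos token leaves the negotiate stack before BasicPasswordLoginModule is reached, while the stack without SPNegoLoginModule ignores the token and requires a password.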
Lee, if you want to prevent IE from automatically logging in when using integrated authentication, you could try disabling it in the browser. In IE, Tools --> Internet options --> Security, select the security zone and click "Custom Level" --> scroll to the bottom to "User Authentication/Logon" and change to "Prompt for user name and password".
Not sure if it will solve your problem with spNego on Netweaver04s but it may help.
Peter
That did not seem to work. Any other suggestions? I need this in place ASAP.
Thanks,
LEE
Lee,
Off the cuff, I guess you must have configured the login module stack with the fallback mechanism as documented under:
http://help.sap.com/saphelp_nw04/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
So if you want to allow your portal to prompt for IDs, you could switch off the Windows Integrated Authentication on that particular IE.
This can be done via Tools->Options->Advanced->Security by removing the option "Enable Windows Integrated Authentication". You need to restart every time you do this. So, maybe it's better to designate a few PCs for your test users to log on.
I am very surprised that you seem to be able to configure spnego so easily.
I have been struggling for 2 weeks eating/sleeping spnego parameters and could not even get past the "Acquire Creditations" test on the spnegoconfig test tool.
I know this is a long-shot request, but are there any gotchas or even a rough guide that you used or referred to? I am doing a non-ADS data store scenario (SUN ONE LDAP).
That would really be helpful.
I was not the one who configured the spnego. I know we had an OSS message open for it for a while. I will see if I can get some information.
Switching the Windows Integrated Authentication in IE will not be a solution for us. We need a solution where we can link into the login page and log in with a different user. I have created an iview in which I set the authentication to basicauthentication. If I load that iview directly, it will bring up an IE prompt for a user name and password. I can log in with a different ID and it works. I want it to load the SAP logon page instead. How do I do that?