
Integrating file servers in km using webdav and sso

Former Member
0 Kudos

Hi.

After reading Andre Fischer's document "Integration of Windows File Servers into the SAP KM platform using SSO and the WebDAV repository manager" I have some questions which I would like to post. Here goes...

1) Does the described setup work when permissions are set on shares and not on NTFS folders?

2) When creating a Virtual Directory do we leave the "Connect as..." blank or do we have to enter a valid username and password?

3) When configuring delegation for the portal server (under Users and Computers) do we have to add the file/share server name for the service type cifs or host or both?

4) When defining an HTTP system, does the server URL have to contain port number 1080?

5) When creating a webdav system you have to maintain user mapping. Is this also required when using Kerberos?

This is it. I guess it helps to have Andre's document at hand to fully understand my questions ;o)

Can anyone help or is Andre out there?

Points will be rewarded!

BR Søren

Accepted Solutions (0)

Answers (4)


Andre_Fischer
Product and Topic Expert
0 Kudos

Dear Mr. Tiffert,

As mentioned in the following document from Microsoft

Troubleshooting Kerberos Errors

constrained delegation is currently NOT supported across multiple domains


...

• Constrained delegation is being attempted across multiple domains.

Resolution

No resolution. Windows 2000 does not support constrained delegation across multiple domains.

If constrained delegation is being attempted across multiple domains in Windows Server 2003, this error message will read:

Constrained delegation is not currently supported across multiple domains.

...


Best regards,

André Fischer

daniel_rothmund
Participant
0 Kudos

Hello,

we have configured the IIS WebDAV and SSO22KerbMap.dll. But we receive an error 401 for the Repository.

The cmadmin_service and index_service user are created in the ADS.

[Thr 3268] Got date 200903120704 from ticket.

[Thr 3268] Cur time = 200903120715.

[Thr 3268] Computing validity in hours.

[Thr 3268] Computing validity in minutes.

[Thr 3268] CurTime_t = 1236928500, CreTime_t = 1236927840

[Thr 3268] validity: 28800, difference: 660.000.

[Thr 3268] *** ERROR => Cannot find user for application portal [ssoxxext.c 2023]

[Thr 3268] Ticket is 1100u02C6.

8:14:09 3232/3272 I ADSI Configuration for delegation on host GDEPFN77:

ServicePrincipalNames:

HOST/hostiis

HOST/hostiis.home.net

Delegation allowed to following SPNs:

http/hostiis

http/hostiis.home.net

HOST/hostiis

HOST/hostiis.home.net

cifs/hostiis.home.net

cifs/hostiis

Delegation Flag:Use any authentication protocol: ACTIVE

08:14:10 3232/3272 I IIS SSO22KerbMap Module configured on following Web Sites:

08:14:10 3232/3272 I WebSite WebDAVTest (IIS://LOCALHOST/W3SVC/1653188151)

Authentication(WebSite): Integrated Windows Authentication

Application Pool DefaultAppPool (IIS://localhost/w3svc/AppPools/DefaultAppPool)

Identity (Application Pool): Local System

SubFolders (WebDAVTest)

filters

SSO22KerbMap

SSO22KerpMap

SSO2KerpMap

SSOTest

tt

root (Authentication: Integrated Windows Authentication)

WebDAVTest (Authentication: Integrated Windows Authentication)

08:14:10 3232/3272 I IMPORTANT: Check that the Virtual directory of your target application is running

on 'Integrated Windows Authentication'!

08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket

08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2

08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket

08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2

08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket

08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2

08:14:10 3232/3268 E getAccountFromCookie: missing user in SAP Logon Ticket

08:14:10 3232/3268 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2

08:14:19 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket

08:14:19 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
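The trace Daniel posted mixes two sources: sapssoext lines ("[Thr nnnn] ...") from ticket verification, and SSO22KerbMap filter lines ("hh:mm:ss pid/tid severity message"). The PowerShell below is an added example, not part of this thread and not code from SAP: it parses both formats and tags the failure signatures that appear in the trace so the stage at which the mapping stops is visible. The sample lines are constructed from the ones in the post, and the "Meaning" column is this example's own reading of each signature, not SAP documentation.

```powershell
# Added example (not from the thread): triage an SSO22KerbMap / sapssoext trace.
# Sample lines are constructed from the ones posted above.
$Sample = @'
[Thr 3268] Got date 200903120704 from ticket.
[Thr 3268] Cur time = 200903120715.
[Thr 3268] validity: 28800, difference: 660.000.
[Thr 3268] *** ERROR => Cannot find user for application portal [ssoxxext.c 2023]
08:14:10 3232/3272 I IIS SSO22KerbMap Module configured on following Web Sites:
08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
08:14:19 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
'@ -split "`r?`n"

# Failure signatures seen in the trace and this example's reading of each.
$Signatures = [ordered]@{
    'Cannot find user for application'      = 'ticket verified (date/validity OK) but no user resolved for this application'
    'missing user in SAP Logon Ticket'      = 'filter got no user from MYSAPSSO2, so there is no account to impersonate'
    'No SSO2 account from cookie MYSAPSSO2' = 'request passed on without a mapped account; IIS answers 401 for the repository'
}

function Get-KerbMapTriage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<time>\d{1,2}:\d{2}:\d{2}) (?<ids>\d+/\d+) (?<sev>[EIi]) (?<msg>.*)$') {
            # SSO22KerbMap line: time pid/tid severity message (E = error)
            $time = $Matches['time']; $sev = $Matches['sev']; $msg = $Matches['msg']
        }
        elseif ($line -match '^\[Thr (?<thr>\d+)\] (?<msg>.*)$') {
            # sapssoext line: only "*** ERROR =>" marks an error
            $time = ''; $msg = $Matches['msg']
            $sev = if ($msg -match '^\*\*\* ERROR =>') { 'E' } else { 'I' }
        }
        else { continue }

        $hit = $Signatures.Keys | Where-Object { $msg -like "*$_*" } | Select-Object -First 1
        [pscustomobject]@{
            Time     = $time
            Severity = $sev
            Message  = $msg
            Meaning  = if ($hit) { $Signatures[$hit] } else { '' }
        }
    }
}

# Show only the error lines, de-duplicated, so the failure stage stands out.
Get-KerbMapTriage -Lines $Sample |
    Where-Object { $_.Severity -eq 'E' } |
    Sort-Object Message -Unique |
    Format-Table Time, Message, Meaning -AutoSize
```

On a real installation, replace `$Sample` with `Get-Content` of the filter's log file; the order of the two error signatures tells you whether ticket verification or the cookie-to-account step is the one that fails.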

Andre_Fischer
Product and Topic Expert
0 Kudos

Dear Mr. Tiffert,

as a prerequisite for the SSO22KerbMap Module to work, Kerberos Constrained Delegation has to be configured for the services (http and host) for the remote server on the server where the IIS is running.

If this does not work for the server in the trusted domain you can install a separate IIS in the second domain. There it will be possible to configure kerberos constrained delegation locally.

Andre_Fischer
Product and Topic Expert
0 Kudos

Hi Soren,

yes Andre is out here

1) Does the described setup work when permissions are set on shares and not on NTFS folders?

I tested it with two different users one having only read access via share one having full control.

Using the first user I get an exception. Using the second user I can upload the document. So I expect that it should work.

2) When creating a Virtual Directory do we leave the "Connect as..." blank or do we have to enter a valid username and password?

It should be left blank since you are using either SSO, hardcoded user mapping in the http system or user mapping.

3) When configuring delegation for the portal server (under Users and Computers) do we have to add the file/share server name for the service type cifs or host or both?

You do not configure delegation for the portal server. You configure delegation for the Microsoft based servers that should accept kerberos tickets created by the process of kerberos constrained delegation using protocol transition.

You configure delegation for the protocols:

Http and Host for the IIS where the SSO22KerbMap Module is running.

Http and host for the server where the share is located (can be the same as the host above)

Additionally cifs for the server that provides the share

4) When defining an HTTP system, does the server URL have to contain port number 1080?

No. 1080 just happens to be the port used by me. As a default IIS uses port 80.

5) When creating a webdav system you have to maintain user mapping. Is this also required when using Kerberos?

It is not required if you are using the SSO22KerbMap Module.

Best regards,

André

Former Member
0 Kudos

Hi Andre.

Thank you very much for your reply. That answered many of my questions.

I am still a bit confused though about question/answer no. 3. It might be my lack of technical knowledge ;o) but I need to ask you some more questions.

We have, in the properties for the portal server, set the radio button "Trust this computer for the specified services only" and "Use any authentication protocol" and added a service type (HOST) for the portal server. From your answer I assume that this is wrong.

My questions are:

1) Are the properties set on the portal server (in your document that is MSCTSCOWA3)?

2) The service types are?

- Http and Host for the IIS where the SSO22KerbMap Module is running (in our case the IIS is running on the portal server).

- Http and host for the server where the share is located (can be the same as the host above) - isn't that normally the file server?

- Additionally cifs for the server that provides the share

...and they are all set on the portal server (as asked in question no. 1)?

Thanks in advance.

BR Søren

Andre_Fischer
Product and Topic Expert
0 Kudos

The server MSCTSCOWA3 is not the server on which the SAP NetWeaver Portal is running on.

The server is just a standalone IIS where WebDAV is activated.

The Virtual Directory on the server MSCTSCOWA3 maps a share on the server MSCTSCBIZ, so it uses the share \\MSCTSCBIZ\webdavtest.

You have to configure delegation in Active Directory for the server MSCTSCOWA3 where the IIS is running for host and http.

In addition you have to configure delegation for the services http, host and cifs for the server MSCTSCBIZ since this server is to accept the kerberos tickets too.

Best regards,

André

Former Member
0 Kudos

So...

for each IIS (if you use different IIS for each portal environment) you configure host and http?

And for each share (or actually for each file server) you configure host, http and cifs?

Do you configure on each server or do you configure everything (for each server) on the IIS server(s)!?

BR Søren

Andre_Fischer
Product and Topic Expert
0 Kudos

Hi Søren,

Q: for each IIS (if you use different IIS for each portal environment) you configure host and http?

A: for each IIS (but you could use one IIS and several virtual directories)

Q: And for each share (or actually for each file server) you configure host, http and cifs?

A: For each File Server.

Q: Do you configure on each server or do you configure everything (for each server) on the IIS server(s)!?

A: Delegation has to be configured for a computer account in Active Directory. There is nothing to be configured for delegation on the server itself.

BR Andre
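André's answers in this reply and the one before it reduce to the contents of one Active Directory attribute and one flag on a computer account: the list of target SPNs (http and host for the IIS, http, host and cifs for the file server) and the "Use any authentication protocol" setting, with nothing configured on the server itself. The PowerShell below is an added example, not from this thread and not from SAP or Microsoft documentation: it audits what the IIS computer account is currently allowed to delegate to, compares that with the expected list, and previews any missing entries with -WhatIf. It assumes the RSAT ActiveDirectory module is installed and uses the placeholder names IISHOST (IIS running SSO22KerbMap), FILESRV (server with the share) and example.com (AD DNS domain).

```powershell
# Added example (not from the thread): audit the constrained delegation that the
# SSO22KerbMap setup relies on. IISHOST, FILESRV and example.com are placeholders.
Import-Module ActiveDirectory

$IisAccount = 'IISHOST'
$FileServer = 'FILESRV'
$DnsSuffix  = 'example.com'

# Target services the IIS computer account should be allowed to delegate to:
# http and host for the IIS itself, http, host and cifs for the file server.
$RequiredSpns = @(
    "http/$IisAccount", "http/$IisAccount.$DnsSuffix",
    "host/$IisAccount", "host/$IisAccount.$DnsSuffix",
    "http/$FileServer", "http/$FileServer.$DnsSuffix",
    "host/$FileServer", "host/$FileServer.$DnsSuffix",
    "cifs/$FileServer", "cifs/$FileServer.$DnsSuffix"
)

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$ExpectedSpns
    )
    # msDS-AllowedToDelegateTo holds the target SPNs shown in the ADUC Delegation tab;
    # TrustedToAuthForDelegation is "Use any authentication protocol" (protocol transition).
    $acct = Get-ADComputer -Identity $ComputerName `
        -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    $current = @($acct.'msDS-AllowedToDelegateTo')
    $missing = @($ExpectedSpns | Where-Object { $current -notcontains $_ })   # case-insensitive

    [pscustomobject]@{
        Computer           = $ComputerName
        ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
        ConfiguredTargets  = $current
        MissingTargets     = $missing
    }
}

$report = Test-ConstrainedDelegation -ComputerName $IisAccount -ExpectedSpns $RequiredSpns
$report | Format-List

# Preview the changes first; drop -WhatIf once the report looks right.
if ($report.MissingTargets.Count -gt 0) {
    Set-ADComputer -Identity $IisAccount `
        -Add @{ 'msDS-AllowedToDelegateTo' = $report.MissingTargets } -WhatIf
}
if (-not $report.ProtocolTransition) {
    Set-ADAccountControl -Identity $IisAccount -TrustedToAuthForDelegation $true -WhatIf
}
```

The same function can be run against the file server's computer account to see what it is allowed to delegate to. The report's two fields correspond to the "Delegation allowed to following SPNs" and "Delegation Flag: Use any authentication protocol" lines that the SSO22KerbMap module itself writes at startup, so a mismatch between the two is the first thing to look for when the filter logs a 401.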

Former Member
0 Kudos

Hi Andre.

So far so good 🐵

A related question:

My Webdav Repository Manager in the portal fails. Under Monitoring -> Knowledge Management -> Component Monitor -> -> servers -> properties, I get a "401 Unauthorized" error message.

It suddenly strikes me that when I create a File System Repository Manager, the service user which runs the SAP services (servlet engines) must have at least read rights on the file share for the manager to work. Is this also the case for a Webdav Repository Manager?

If it is not the case, why does my Webdav Manager then fail?

PS! I have checked help.sap.com which doesn't say anything about the service user. Can I count on that?

BR Søren

david_pham
Explorer
0 Kudos

1. Make sure that your SSO2Kerberos ISAPI filter works. There is a log file. Read that log file to see which ID it tries to impersonate. Then verify that ID has access to the share and the file itself. Installing the ISAPI is a little bit tricky because it requires other components like sapsecu.dll, sapssoext.dll, MS JVM. There is sample code in the SAPSSOEXT package you could use for debugging purposes. I was able to implement SSO to WebDAV using the SSO2Kerberos ISAPI filter successfully but it took a while to set it up.

2. Yes, you need to configure the servlet engine user for File System RM.

And no, you do not need to do the above for WebDAV RM because the credential of the portal login user will be used (impersonation), not the servlet engine ID.

However, if you want to index the WebDAV RM you have to map index_service account to an account that can read files in the physical folder where your WebDAV RM is pointing to.
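David's last point (the account that index_service is mapped to must be able to read the physical folder) can be checked on the file server before a crawl fails with 401. The PowerShell below is an added example, not from this thread: it lists the ACEs on the folder that name one account and reports whether they grant ReadData. The path D:\webdavtest and the account EXAMPLE\svc_index are placeholders, and the check only looks at ACEs naming the account directly, not at rights the account holds through group membership.

```powershell
# Added example (not from the thread): does a given account hold a read ACE on the
# folder behind the WebDAV virtual directory? D:\webdavtest and EXAMPLE\svc_index
# are placeholders.
function Test-ReadAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl  = Get-Acl -Path $Path
    # ACEs that name this account directly (rights via group membership are not expanded)
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account })

    $allow = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $readData) -eq $readData)
    })
    $deny  = @($aces | Where-Object {
        $_.AccessControlType -eq 'Deny'  -and (($_.FileSystemRights -band $readData) -eq $readData)
    })

    [pscustomobject]@{
        Path        = $Path
        Account     = $Account
        ExplicitAce = $aces.Count -gt 0
        HasRead     = ($allow.Count -gt 0) -and ($deny.Count -eq 0)   # an explicit Deny wins
        Rights      = $aces | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }
    }
}

Test-ReadAce -Path 'D:\webdavtest' -Account 'EXAMPLE\svc_index' | Format-List
```

If `ExplicitAce` is false the account may still read the folder through a group; in that case compare the group ACEs against the account's membership rather than adding a per-account ACE, which keeps the share's permission model as it was designed.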

Former Member
0 Kudos

Hello,

we are productive with this method to integrate fileserver.

Now we have a big problem to integrate a fileserver out of the default domain. The domains are trusted, but in fact the problem is to set constrained delegation in LDAP, because we can't select the fileserver from the other domain to set it up.

Has anybody a hint to solve this problem?

Thanks

Matthias Tiffert


Former Member
0 Kudos

Hi Soren,

Refer to this link -

http://help.sap.com/saphelp_nw2004s/helpdata/en/4a/217fb6c33c6748a1715a161ac942cd/frameset.htm

You need to follow the following four steps as mentioned in the documentation-

1. Define an HTTP system in the CM system landscape.

2. Set the repository manager parameters (see WebDAV Repository Manager).

3. Create a WebDAV system in the portal system landscape (see Creating a System in the Portal System Landscape).

4. Carry out user mapping for the WebDAV system (see Specifying User Mapping).

Former Member
0 Kudos

Hi.

Thank you for your reply.

First of all we don't have NW2004s but NW04 SP11 (my mistake - I didn't mention it).

Secondly, we have already set up an http system, webdav rep. mgr and webdav system. User mapping is not necessary due to use of Kerberos.

I think our problem relates to the virtual directory in the IIS mgr.

BR Søren