on 04-10-2006 3:30 PM
Hi.
After reading Andre Fischer's document "Integration of Windows File Servers into the SAP KM platform using SSO and the WebDAV repository manager" I have some questions which I would like to post. Here goes...
1) Does the described setup work when permissions are set on shares and not on NTFS folders?
2) When creating a Virtual Directory do we leave the "Connect as..." blank or do we have to enter a valid username and password?
3) When configuring delegation for the portal server (under Users and Computers) do we have to add the file/share server name for the service type cifs or host or both?
4) When defining an http system, does the server URL have to contain port number 1080?
5) When creating a webdav system you have to maintain user mapping. Is this also required when using Kerberos?
This is it. I guess it helps to have Andre's document at hand to fully understand my questions ;o)
Can anyone help or is Andre out there?
Points will be rewarded!
BR Søren
Dear Mr. Tiffert,
As mentioned in the following document from Microsoft,
Troubleshooting Kerberos Errors,
constrained delegation is currently NOT supported across multiple domains:
...
Constrained delegation is being attempted across multiple domains.
Resolution
No resolution. Windows 2000 does not support constrained delegation across multiple domains.
If constrained delegation is being attempted across multiple domains in Windows Server 2003, this error message will read:
Constrained delegation is not currently supported across multiple domains.
...
Best regards,
André Fischer
Hello,
we have configured the IIS WebDAV and SSO22KerbMap.dll. But we receive an error 401 for the Repository.
The cmadmin_service and index_service user are created in the ADS.
[Thr 3268] Got date 200903120704 from ticket.
[Thr 3268] Cur time = 200903120715.
[Thr 3268] Computing validity in hours.
[Thr 3268] Computing validity in minutes.
[Thr 3268] CurTime_t = 1236928500, CreTime_t = 1236927840
[Thr 3268] validity: 28800, difference: 660.000.
[Thr 3268] *** ERROR => Cannot find user for application portal [ssoxxext.c 2023]
[Thr 3268] Ticket is 1100u02C6.
8:14:09 3232/3272 I ADSI Configuration for delegation on host GDEPFN77:
ServicePrincipalNames:
HOST/hostiis
HOST/hostiis.home.net
Delegation allowed to following SPNs:
http/hostiis
http/hostiis.home.net
HOST/hostiis
HOST/hostiis.home.net
cifs/hostiis.home.net
cifs/hostiis
Delegation Flag:Use any authentication protocol: ACTIVE
08:14:10 3232/3272 I IIS SSO22KerbMap Module configured on following Web Sites:
08:14:10 3232/3272 I WebSite WebDAVTest (IIS://LOCALHOST/W3SVC/1653188151)
Authentication(WebSite): Integrated Windows Authentication
Application Pool DefaultAppPool (IIS://localhost/w3svc/AppPools/DefaultAppPool)
Identity (Application Pool): Local System
SubFolders (WebDAVTest)
filters
SSO22KerbMap
SSO22KerpMap
SSO2KerpMap
SSOTest
tt
root (Authentication: Integrated Windows Authentication)
WebDAVTest (Authentication: Integrated Windows Authentication)
08:14:10 3232/3272 I IMPORTANT: Check that the Virtual directory of your target application is running
on 'Integrated Windows Authentication'!
08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
08:14:10 3232/3268 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:10 3232/3268 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
08:14:19 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:19 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
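The trace excerpt above mixes three things a troubleshooter needs to separate: the ticket freshness check done by sapssoext (issue time, current time, validity, difference), the delegation configuration the ISAPI filter read from Active Directory, and the actual failure (no user could be read from the logon ticket, so there is nothing to impersonate and IIS answers 401). The following parser is an added example, not code from the thread or from SAP; it works on a constructed copy of the posted lines, and its line patterns are an assumption based only on that excerpt, not on any documented trace format.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the SSO22KerbMap / sapssoext trace lines
# posted in the thread (same wording and format as the original excerpt).
SAMPLE_LOG = """\
[Thr 3268] Got date 200903120704 from ticket.
[Thr 3268] Cur time = 200903120715.
[Thr 3268] Computing validity in hours.
[Thr 3268] CurTime_t = 1236928500, CreTime_t = 1236927840
[Thr 3268] validity: 28800, difference: 660.000.
[Thr 3268] *** ERROR => Cannot find user for application portal [ssoxxext.c 2023]
08:14:09 3232/3272 I ADSI Configuration for delegation on host GDEPFN77:
ServicePrincipalNames:
HOST/hostiis
HOST/hostiis.home.net
Delegation allowed to following SPNs:
http/hostiis
http/hostiis.home.net
HOST/hostiis
HOST/hostiis.home.net
cifs/hostiis.home.net
cifs/hostiis
Delegation Flag:Use any authentication protocol: ACTIVE
08:14:10 3232/3272 E getAccountFromCookie: missing user in SAP Logon Ticket
08:14:10 3232/3272 i OnPreprocHeaders: No SSO2 account from cookie MYSAPSSO2
"""

# Line patterns: assumptions derived from the excerpt above, not a documented format.
_TICKET_DATE = re.compile(r"Got date (\d{12}) from ticket")
_CUR_TIME = re.compile(r"Cur time = (\d{12})")
_VALIDITY = re.compile(r"validity: (\d+), difference: (\d+(?:\.\d+)?)")
_SAPSSOEXT_ERR = re.compile(r"\*\*\* ERROR => (.+)")
_IIS_ERR = re.compile(r"^\d\d:\d\d:\d\d \d+/\d+ E (.+)$")   # ISAPI lines at level E
_DELEG_FLAG = re.compile(r"Delegation Flag:\s*Use any authentication protocol:\s*(\w+)")
_SPN = re.compile(r"[A-Za-z]+/\S+")


def parse_trace(text):
    """Return the ticket check, the delegation config and the errors found in the trace."""
    report = {
        "ticket_issued": None, "checked_at": None, "computed_difference": None,
        "validity_seconds": None, "difference_seconds": None, "ticket_fresh": None,
        "own_spns": [], "delegate_to": [], "protocol_transition": False,
        "errors": [],
    }
    section = None  # which SPN list we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TICKET_DATE.search(line):
            report["ticket_issued"] = datetime.strptime(m.group(1), "%Y%m%d%H%M")
        elif m := _CUR_TIME.search(line):
            report["checked_at"] = datetime.strptime(m.group(1), "%Y%m%d%H%M")
        elif m := _VALIDITY.search(line):
            report["validity_seconds"] = int(m.group(1))
            report["difference_seconds"] = float(m.group(2))
            # The ticket is accepted as fresh when its age is within the validity window.
            report["ticket_fresh"] = report["difference_seconds"] <= report["validity_seconds"]
        elif m := _SAPSSOEXT_ERR.search(line):
            report["errors"].append(m.group(1))
        elif m := _IIS_ERR.match(line):
            report["errors"].append(m.group(1))
        elif line == "ServicePrincipalNames:":
            section = "own_spns"
        elif line == "Delegation allowed to following SPNs:":
            section = "delegate_to"
        elif m := _DELEG_FLAG.search(line):
            report["protocol_transition"] = m.group(1).upper() == "ACTIVE"
            section = None
        elif section and _SPN.fullmatch(line):
            report[section].append(line)
        else:
            section = None
    if report["ticket_issued"] and report["checked_at"]:
        # Recompute the age from the two timestamps; it should equal the logged difference.
        delta = report["checked_at"] - report["ticket_issued"]
        report["computed_difference"] = delta.total_seconds()
    return report


def findings(report):
    """Turn the parsed trace into the short list of things to fix."""
    out = []
    if report["ticket_fresh"] is False:
        out.append("SAP logon ticket is older than its validity period; check clock skew and ticket lifetime")
    if any("missing user" in e or "Cannot find user" in e for e in report["errors"]):
        out.append("ticket accepted but no user could be read from it for application 'portal'; "
                   "SSO22KerbMap has no account to impersonate, so the request ends in 401")
    if not report["protocol_transition"]:
        out.append("'Use any authentication protocol' is not active; protocol transition is unavailable")
    return out


if __name__ == "__main__":
    r = parse_trace(SAMPLE_LOG)
    print("ticket fresh:", r["ticket_fresh"], "| delegate to:", r["delegate_to"])
    for f in findings(r):
        print("-", f)
```

On the posted excerpt the ticket passes the age check (660 s against a validity of 28800 s, and the recomputed difference agrees), the delegation list looks complete, and the only finding is the empty user in the logon ticket, which is where to look before touching the delegation settings.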
Dear Mr. Tiffert,
As a prerequisite for the SSO22KerbMap Module to work, Kerberos Constrained Delegation has to be configured for the services (http and host) for the remote server on the server where the IIS is running.
If this does not work for the server in the trusted domain, you can install a separate IIS in the second domain. There it will be possible to configure Kerberos constrained delegation locally.
Hi Soren,
Yes, Andre is out here.
1) Does the described setup work when permissions are set on shares and not on NTFS folders?
I tested it with two different users, one having only read access via the share and one having full control.
Using the first user I get an exception. Using the second user I can upload the document. So I expect that it should work.
2) When creating a Virtual Directory do we leave the "Connect as..." blank or do we have to enter a valid username and password?
It should be left blank, since you are using either SSO, a hardcoded user mapping in the http system, or user mapping.
3) When configuring delegation for the portal server (under Users and Computers) do we have to add the file/share server name for the service type cifs or host or both?
You do not configure delegation for the portal server. You configure delegation for the Microsoft based servers that should accept Kerberos tickets created by the process of Kerberos constrained delegation using protocol transition.
You configure delegation for the protocols:
- Http and Host for the IIS the SSO22KerbMap Module is running on.
- Http and Host for the server where the share is located (can be the same as the host above).
- Additionally cifs for the server that provides the share.
4) When defining an http system does server url has to contain port number 1080?
No. 1080 just happens to be the port used by me. As a default IIS uses port 80.
5) When creating a webdav system you have to maintain user mapping. Is this also required when using Kerberos?
It is not required if you are using the SSO22KerbMap Module.
Best regards,
André
Hi Andre.
Thank you very much for your reply. That answered many of my questions.
I am still a bit confused though about question/answer no. 3. It might be my lack of technical knowledge ;o) but I need to ask you some more questions.
We have, in the properties for the portal server, set the radio button "Trust this computer for the specified services only" and "Use any authentication protocol" and added a service type (HOST) for the portal server. From your answer I assume that this is wrong.
My questions are:
1) Are the properties set on the portal server (in your document that is MSCTSCOWA3)?
2) The service types are?
- Http and Host for the IIS where the SSO22KerbMap Module is running on (in our case is the IIS running on the portal server).
- Http and host for the server where the share is located (can be the same as the host above) - isn't that normally the file server?
- Additionally cifs for the server that provides the share
...and they are all set on the portal server (as asked in question no. 1)?
Thanks in advance.
BR Søren
The server MSCTSCOWA3 is not the server on which the SAP NetWeaver Portal is running on.
The server is just a standalone IIS where WebDAV is activated.
The Virtual Directory on the server MSCTSCOWA3 maps a share on the server MSCTSCBIZ, so it uses the share \\MSCTSCBIZ\webdavtest.
You have to configure delegation in Active Directory for the server MSCTSCOWA3, where the IIS is running, for host and http.
In addition you have to configure delegation for the services http, host and cifs for the server MSCTSCBIZ, since this server has to accept the Kerberos tickets too.
Best regards,
André
So...
for each IIS (if you use a different IIS for each portal environment) you configure host and http?
And for each share (or actually for each file server) you configure host, http and cifs?
Do you configure on each server or do you configure everything (for each server) on the IIS server(s)!?
BR Søren
Hi Søren,
Q: for each IIS (if you use a different IIS for each portal environment) you configure host and http?
A: For each IIS (but you could use one IIS and several virtual directories).
Q: And for each share (or actually for each file server) you configure host, http and cifs?
A: For each File Server.
Q: Do you configure on each server or do you configure everything (for each server) on the IIS server(s)!?
A: Delegation has to be configured for a computer account in Active Directory. There is nothing to be configured for delegation on the server itself.
BR Andre
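André's answers above reduce to a checklist on the computer account that performs the delegation: host and http must be allowed for the IIS itself, host, http and cifs for every file server behind a share, "Use any authentication protocol" must be on (protocol transition), and, per the Microsoft note quoted earlier in the thread, every target has to live in the same domain. The audit below is an added example, not code from the thread or from SAP: it checks a copy of the Active Directory attributes an administrator would read from the computer object (msDS-AllowedToDelegateTo and userAccountControl) against those rules. The host names come from the posted trace; fileserver2 and the domain other.net are constructed to show the two failure modes, and the split of "who needs which service" is my reading of the answers above.

```python
# userAccountControl bits (documented Microsoft values for AD accounts)
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (any service)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

# Services that must be delegable per role, as answered in the thread.
REQUIRED = {
    "iis": {"host", "http"},
    "fileserver": {"host", "http", "cifs"},
}

# Constructed sample: what the IIS computer account from the posted trace would
# carry in AD, plus one SPN pointing at a (constructed) share in a second domain.
SAMPLE_ACCOUNT = {
    "name": "GDEPFN77",
    "domain": "home.net",
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": [
        "http/hostiis", "http/hostiis.home.net",
        "HOST/hostiis", "HOST/hostiis.home.net",
        "cifs/hostiis.home.net", "cifs/hostiis",
        "cifs/fileserver2.other.net",   # constructed: file server in a trusted second domain
    ],
}

# Which roles each target host plays. hostiis runs the IIS and provides the share
# ("can be the same as the host above"); fileserver2 only provides a share.
SAMPLE_TARGETS = {
    "hostiis": {"iis", "fileserver"},
    "fileserver2": {"fileserver"},
}


def parse_spn(spn):
    """Split 'service/host.dns.domain' into (service, short host, dns domain), lower-cased."""
    service, _, host = spn.partition("/")
    short, _, dns_domain = host.lower().partition(".")
    return service.lower(), short, dns_domain


def audit(account, targets):
    """Return a list of findings; an empty list means the delegation setup matches the rules."""
    findings = []
    uac = account["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation is enabled; use constrained delegation instead")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("'Use any authentication protocol' is off; protocol transition from the "
                        "SAP logon ticket will fail")

    # Collect the services this account may delegate to, grouped by target host.
    allowed = {}
    own_domain = account["domain"].lower()
    for spn in account["msDS-AllowedToDelegateTo"]:
        service, short, dns_domain = parse_spn(spn)
        if dns_domain and dns_domain != own_domain:
            # Cross-domain constrained delegation was not supported on the Windows
            # versions discussed in this thread (see the quoted Microsoft note).
            findings.append(f"{spn}: target is in domain {dns_domain}, constrained delegation "
                            f"from {own_domain} does not work across domains")
        allowed.setdefault(short, set()).add(service)

    # Compare what is allowed against what each target's role requires.
    for host, roles in targets.items():
        required = set().union(*(REQUIRED[r] for r in roles))
        missing = required - allowed.get(host.lower(), set())
        if missing:
            findings.append(f"{host}: delegation missing for service(s) {', '.join(sorted(missing))}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNT, SAMPLE_TARGETS):
        print("-", f)
```

Delegation is a property of the computer account in AD, not of the server, so the same audit applies regardless of how many virtual directories or shares sit behind that one IIS; on the constructed sample it reports the cross-domain target and the host/http entries that are still missing for fileserver2.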
Hi Andre.
So far so good 🐵
A related question:
My WebDAV Repository Manager in the portal fails. Under Monitoring -> Knowledge Management -> Component Monitor -> -> servers -> properties, I get a "401 Unauthorized" error message.
It suddenly strikes me that when I create a File System Repository Manager, the service user which runs the SAP services (servlet engines) must have at least read rights on the file share for the manager to work. Is this also the case for a WebDAV Repository Manager?
If it is not the case, why does my WebDAV Manager then fail?
PS! I have checked help.sap.com which doesn't say anything about the service user. Can I count on that?
BR Søren
1. Make sure that your SSO2Kerberos ISAPI filter works. There is a log file. Read that log file to see which ID it tries to impersonate. Then verify that ID has access to the share and the file itself. Installing the ISAPI is a little bit tricky because it requires other components like sapsecu.dll, sapssoext.dll, MS JVM. There is sample code in the SAPSSOEXT package you could use for debugging purposes. I was able to implement SSO to WebDAV using the SSO2Kerberos ISAPI filter successfully but it took a while to set it up.
2. Yes, you need to configure the servlet engine user for the File System RM.
And no, you do not need to do the above for the WebDAV RM because the credential of the portal login user will be used (impersonation), not the servlet engine ID.
However, if you want to index the WebDAV RM you have to map index_service account to an account that can read files in the physical folder where your WebDAV RM is pointing to.
Hello,
we are productive with this method to integrate file servers.
Now we have a big problem integrating a file server outside the default domain. The domains are trusted, but in fact the problem is to set constrained delegation in LDAP, because we can't select the file server from the other domain to set it up.
Has anybody a hint to solve this problem?
Thanks
Matthias Tiffert
Hi Soren,
Refer to this link:
http://help.sap.com/saphelp_nw2004s/helpdata/en/4a/217fb6c33c6748a1715a161ac942cd/frameset.htm
You need to follow the following four steps as mentioned in the documentation:
1. Define an HTTP system in the CM system landscape.
2. Set the repository manager parameters (see WebDAV Repository Manager).
3. Create a WebDAV system in the portal system landscape (see Creating a System in the Portal System Landscape).
4. Carry out user mapping for the WebDAV system (see Specifying User Mapping).
Hi.
Thank you for your reply.
First of all we don't have NW2004s but NW04 SP11 (my mistake - I didn't mention it).
Secondly, we have already set up an http system, a WebDAV rep. mgr and a WebDAV system. User mapping is not necessary due to the use of Kerberos.
I think our problem relates to the virtual directory in the IIS mgr.
BR Søren