SPNego Module, Intranet only?

Former Member

That's my question. If I have a portal that has users coming in over the Internet, how would that be set up differently?

Accepted Solutions (1)


i003814
Product and Topic Expert

Check out the SSO Reverse Proxy Filter from crossapps corp. We have used it successfully in several projects.

http://www.x-apps.com

Answers (2)


Former Member

Short answer is yes.

Here's some writeup on it

http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P1Fund_5.mspx?mfr=true

===Excerpt ==============================

In an intranet, Kerberos version 5 protocol implementations on the Windows platform offer the user SSO because of the basic characteristics of the authentication protocol and the specific features of the way the protocol is implemented in Windows client and server operating systems.

One major limitation of the Kerberos version 5 protocol that prevents it from being a universal solution for application authentication and security is that it is not practical to configure Kerberos authentication for use on the Internet.

=================================

Hope this helps.

Former Member

OK, then this is just another flavor of the old Windows Authentication SSO Mod?

Then why is SPNego being packaged differently?

At the beginning of the year we were told that IISProxy was no longer an option and that we had to go with SPNego. SPNego does not replace IISProxy's reverse proxy capability. It also seems that SAP is not offering an alternative for IISProxy. Has anyone seen, heard of, or used an alternative? If so, what is it?

Former Member

David,

This thread is getting interesting.

If your users are coming from the Internet, why would you want Windows Integrated Authentication?

How would your users be authenticated on an NT domain if they are from the Internet? Just my 2 cents: SPNego looks like an Intranet solution, or for users coming in via a VPN (which fundamentally logs them into the domain).

What do you think ?

Former Member

David,

Even I was wondering why you want Integrated Windows Authentication for the users coming from the Internet. Of course they are not authenticated against your KDC (ADS or any LDAP). I was thinking that you want to know what happens to the users coming from the Internet; that's why I replied that you can implement SPNego with a fallback mechanism.

Please elaborate: what are you trying to achieve here?

Regards

Vaib

Former Member

Ok,

With a big mug of STRONG coffee on hand, allow me to go into detail of who we are, what we are doing, and how we are attempting to do things.

We are a cabinet manufacturer on the East coast of the US. Our Go Live for SAP was in 2001. In 2004 our customers (builders and remodelers) wanted a way to come over the Internet to place orders directly with us. Our developers created a fantastic program, our Rapid Order Processing System (ROPS).

On my end, just a PC tech at the time, I was tapped to make a platform for ROPS to run on. They chose EP5 SP5 at the time. The program was written in Java, so the J2EE Portal looked like a good fit. At that time the J2EE Proxy was to be the reverse program for the portal. External and internal users did user name and password over SSL to authenticate.

As ROPS added more features it took up more memory and processing power. We were forced to upgrade portal versions. As we increased portal versions we had to start using IISProxy as the reverse proxy. If you have seen any of my rants from 2005 on SDN, you could see my frustration of changing platforms every few months and learning as I went along.

ROPS has been very successful for us. Our customers love it. It cuts down on time, errors and lost revenue. Business with it is explosive. One problem: we always had an issue with the Java engines dropping at random. As more and more customers use ROPS, the problem got worse. The developers pointed to a portal issue. We brought in a consultant and he confirmed the engines were tuned properly but could not find out why the portal was restarting. That was until I got CGviewer. This little program shows a graphic of Java memory usage and garbage collection. We found that under certain conditions (major garbage collections) the users would lose information on the session, bouncing them off the portal or in some cases causing an out-of-memory error that restarts that Java engine. The program uses massive amounts of memory and I have two 1.5 gig Java engines supporting it. It looks like this is not enough.

We are now facing two courses of action. One, rewrite ROPS in WebDynpro or two, building a 64-bit portal to add massive java engines to handle the current application. I have been told to start option two.

That now brings us to 2006 and today. Because we are using EP6 SPS15 and we are in a 64-bit environment, we can no longer use IISProxy as the reverse proxy. SAP has touted the SPNego module as the solution. Now I am not so sure that it is the solution. SPNego does not offer reverse proxy; it is only a newer version of the Integrated Windows Authentication SSO. In that case SPNego is not a solution for external users coming in over the Internet because Kerberos authentication is not possible. On top of that, SAP has taken away their support for their reverse proxy and does not give their customers an alternative solution! You cannot imagine the amount of frustration I have been going through. I still have to do SPNego (now, internal users want SSO in the new portal) AND figure out what I am going to have to do for a reverse proxy for the external users. Whatever it is, I fear it is going to have to sit on another server and it is going to be something non-SAP that I have never worked with before. I love a good challenge, but over the past two years SAP should have developed a workable solution for this, not just end it and let their customers fend for themselves.

There has to be someone on this planet that knows how to rig up a solution to this. I have seen a few blogs on Apache, but does SAP even support that in my scenario?

Well enough of this post. You all wanted to know, now you do.

Former Member

You could use the SAP Web Dispatcher as a reverse proxy for your external users.

I am using the Apache server (configured as reverse proxy) <-> SAP Web Dispatcher <-> Portal on Solaris.

Am I over-simplifying your situation ?

Message was edited by: Wai-Hon Lam

Former Member

Well David, I'm pretty sure that the last reply took you so long... oh man... that was a good explanation.

Okay, when you were facing the OutOfMemory errors, I think at that time the simple solution was to bring more application servers (dialog servers) into the landscape along with a software/hardware load balancer.

Well, now that you have already moved to the new 64-bit architecture, let's not talk about that.

Okay, I understood your problem. As Wai suggested, use Apache -> WebDisp -> Portal. Well, that may be good to implement. I could have suggested you only have the Web Dispatcher in place, but the Web Dispatcher doesn't offer full reverse proxy features.

Now, I know SAP stopped support for IISProxy; however, it doesn't mean that you can't use it anymore. I'm using it with SPS 15 and I have no issues so far, so good. Well, you can use IISProxy as reverse proxy -> Web Dispatcher (load balancing) -> multiple WAS instances.

In this way you can have the reverse proxy features for the users coming from the Internet and implement Integrated Windows Authentication using NTLM for the users coming from the Intranet, along with load balancing, which is very critical in your case because of the increasing demand of ROPS...

Hope it helps you to stabilize the platform for the magic app, ROPS.

Regards

Vaib

Former Member

Wai-Hon & Vaibhav,

My original solution was to stay with IISProxy at SPS15. However, IISProxy was not written for a 64-bit environment and therefore will not work. (I tried it just to find out)

How much support will SAP give with Apache? I know nothing of it or Web Dispatcher. Can the Web Dispatcher run on the same box as the Portal? Will Apache require another server?

I am going to try something though. The only thing IISProxy is doing for the most part is a redirect. If I put it on the same box as our ITS gate and point it back to the portal, well, there is a warning that may pop up to the user that they are being redirected to another server. But I wonder if that could be overcome?

darren_hague
Contributor

Hi David,

While I don't think SAP supports Apache per se, I think they do support the use of Apache as a reverse proxy.

There are several SAP Notes referring to Apache in a reverse proxy scenario:

Note 929082 - Apache as reverse proxy for the SAP Web Application Server

Note 812901 - EP6.0 Problems with absolute URLs / Apache 2 / Reverse Proxy

Note 480520 - Integration of SAP J2EE Engine 6.20 / 6.40 with Apache - contains the phrase "You are permitted to use the Apache Webserver together with the SAP J2EE Web Application Server. In this way SAP guarantees continued support for the SAP Application."

Note 812903 - NW'04 Problems with absolute URLs / Reverse Proxy

As you can see, there are issues to work around, but the support is there.

Since IISProxy went out of support, we now use Apache as a reverse proxy (and also to host a plugin for authentication via RSA ClearTrust).

Cheers,

Darren
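The Apache -> Web Dispatcher -> Portal chain Wai-Hon describes, with the absolute-URL workaround the SAP Notes above refer to, looks roughly like the following httpd configuration. This is an added example for this thread, not configuration from SAP or from any poster; the public host name portal.example.com, the internal Web Dispatcher address webdisp.internal.example:8000, the certificate paths and the list of proxied portal paths are all placeholders/assumptions to be adjusted to the actual landscape.

```apache
# Added example (not from the thread or from SAP): Apache 2.x as the Internet-facing
# reverse proxy in front of SAP Web Dispatcher -> Portal. All host names, ports and
# paths below are assumed placeholders.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so
LoadModule headers_module    modules/mod_headers.so

# Plain HTTP only redirects to HTTPS; credentials never travel in the clear.
<VirtualHost *:80>
    ServerName portal.example.com
    Redirect permanent / https://portal.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/portal.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/portal.example.com.key

    # Reverse proxy only: never act as a forward (open) proxy for arbitrary hosts.
    ProxyRequests Off

    # Hand the browser's Host header through unchanged so the portal builds its
    # absolute URLs with the public name rather than the Web Dispatcher's name
    # (the absolute-URL problem the SAP Notes describe). Tell the backend the
    # client actually came in over HTTPS, since TLS terminates here.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Expose only the portal entry points, not everything the backend serves.
    # Assumed path list; extend it with whatever the application really uses.
    ProxyPass        /irj       http://webdisp.internal.example:8000/irj
    ProxyPassReverse /irj       http://webdisp.internal.example:8000/irj
    ProxyPass        /logon     http://webdisp.internal.example:8000/logon
    ProxyPassReverse /logon     http://webdisp.internal.example:8000/logon
    ProxyPass        /webdynpro http://webdisp.internal.example:8000/webdynpro
    ProxyPassReverse /webdynpro http://webdisp.internal.example:8000/webdynpro

    # Rewrite the Domain attribute of cookies the backend sets, so session
    # cookies stick to the public host name the browser is talking to.
    ProxyPassReverseCookieDomain webdisp.internal.example portal.example.com

    # Anything not explicitly proxied above is refused.
    <Location />
        Require all denied
    </Location>
    <Location /irj>
        Require all granted
    </Location>
    <Location /logon>
        Require all granted
    </Location>
    <Location /webdynpro>
        Require all granted
    </Location>
</VirtualHost>
```

ProxyPassReverse only rewrites Location, Content-Location and URI response headers; absolute URLs embedded in page bodies are not touched, which is why the SAP Notes above still matter and why ProxyPreserveHost (or configuring the portal with its external URL) is the more robust fix. The Apache-to-Web-Dispatcher hop is shown as plain HTTP on the assumption that it stays on an internal network; if it crosses anything less trusted, terminate TLS again on the Web Dispatcher.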

Former Member

David,

Implement SPNego with the fallback mechanism. So when users over the Internet try to access the portal, they will be asked for a user ID and password, and when users from your Intranet launch the portal they will be authenticated with SPNego.

Regards

Vaib