
SPNego (SSO) with ABAP data source

ross_anderson2

Currently we are using ABAP as the data source for our UME; however, we recently discovered we need to have SSO enabled on the Java side as well (Web Analyzer, Adobe Forms, etc.). I know it is not possible to change from using ABAP as the UME data source, so I searched around and found the SDN blogs regarding SPNego and ABAP. I'm not completely sure how this works, but I've followed all of the steps verbatim and SSO still does not work for me.

I understand it is normal practice to use SPNego with LDAP (ADS) as your data source, but for us this is not possible since we're already using ABAP as the data source.

Here are the articles I am referencing:

[/people/holger.bruchelt/blog/2008/03/10/configuring-spnego-with-abap-datasource]

[https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/13265] [original link is broken]

/people/holger.bruchelt/blog/2008/01/09/configuring-and-troubleshooting-spnego--part-1

Incidentally, when running the SPNego wizard the authorization checks work fine (i.e. I can resolve a UME name to its ADS counterpart), so I know the actual authentication works.

Please help me figure out what my next step is as I am stuck and don't know what to try next. I feel like I'm just missing one little thing but I just can't find it.

Thanks!!

Ross

Edited by: Ross Anderson on Aug 23, 2009 7:57 PM

Accepted Solutions (0)

Answers (5)


ross_anderson2

This is resolved. There was a bug with the Java version, so I had to end up adding a specific Java value to the login modules for each individual domain (as documented in one of the SPNego blogs I listed above).

ross_anderson2

Thanks Jan... Upon trying this again yesterday, it seems to work now!! (I was able to get into the NetWeaver admin via SSO.) I'm not sure what was changed, however. I'm guessing the main problem was with the SPN being assigned to the ADS user, but I cannot be sure.

Either that, or the fact that I went through the normal SPNego (with LDAP) blogs as well and added the SPNegoModule into the com.sun.security.jgss.accept component (in Visual Admin under "Security Provider"). I need to remove that and see if it still works. That step was not part of the SPNego with ABAP blog, but it was a step in the regular SPNego with LDAP blogs, I believe.

At any rate, I'll try and post the final outcome. Adobe Forms is still not working with SSO, but I'm not sure that will work anyway. Most people will probably use basic authentication with Adobe Forms (i.e. one user is used for all authentication, adsuser). In our case, however, we actually have the users log into the http/adobe form so that we can build the form based on their permissions. I think the only other option is SSL-based authentication, but to be honest I'm not even sure if the login credentials get passed to the ABAP AS or the JAVA AS.

Thx

Edited by: Ross Anderson on Aug 25, 2009 2:59 PM

Former Member

Hi Ross,

I did the SPNEGO configuration with an ABAP data source, and it is up and running.

However, I also faced several problems. Install the Web Diagtool for analysis. Otherwise it will not be possible to figure out your problem.

I'll keep an eye on this thread, so if you got some additional information, I'll try to help you.

Kind regards,

Jan Tilo

ross_anderson2

Thanks for the reply Michael. I'm pretty sure it's possible (as per the first and second links in my original post), but I'm just stuck right now since it doesn't work for me and I followed all the instructions in those links.

As you mentioned though, I will try the diagtool and possibly a packet capture tool to do further troubleshooting.

Has anyone else out there gotten this working??

Thanks!!

Edited by: Ross Anderson on Aug 24, 2009 1:42 PM

Former Member

Honestly, I am not sure if you can use SSO with SPNEGO and ABAP UME. I only set up SPNego on a standalone portal with the AD LDAP UME. Maybe if your usernames match, then you might be lucky.

To troubleshoot the logon, you will need to run the diagtool. Have a look at note 958107 - Using Diagtool for Troubleshooting Kerberos [https://service.sap.com/sap/support/notes/958107] for more information.

Regards, Michael