Kerberos: Form login fallback for IE (how to cope with IE flaw?)

Hi,

We are moving from NTLM authentication with IIS to Kerberos authentication with SAP Java AS on NW04s. We need to have a username/password fallback for a user in case Kerberos authentication fails (for example, misconfiguration of the client can cause an NTLM token to be sent, and this will be rejected).

The problem is stated in the SPNegoLoginModule Installation Guide:

"Currently there is a problem with the Internet Explorer, the Windows Integrated Authentication using Kerberos and the POST method. The http POST does not work properly. Therefore, the fallback to password authentication in case of a Kerberos authentication failure doesn’t work. The only workaround is to switch off Kerberos in the browser. Microsoft has committed that they have a problem (see [12])."

Reference [12] points to http://support.microsoft.com/default.aspx?scid=kb;en-us;308074

The workaround described by Microsoft is actually not a feasible workaround, since it involves changing the configuration of the client IE software.

Has anyone implemented a solution for this?

As far as I can see the only solution is to

1. Create a new authscheme for kerberos

2. Implement a revised new version of com.sap.portal.runtime.logon.par which redirects to the login page of another authscheme in case of login failure

3. Assign frontendtarget for kerberos to component in 2.

4. Set kerberos as default authscheme for portal

But this will have to be repeated for each SP installation and I would very much like to avoid that complexity.

Dagfinn
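
The failure case described in the post, a client sending an NTLM token where a Kerberos token is expected, can be recognised from the `Authorization` header alone. The following is an added example, not part of the original post and not code from SAP's SPNegoLoginModule; the function names and the fallback policy in `needs_form_fallback` are assumptions, and the sample tokens are constructed.

```python
import base64
import binascii

NTLMSSP = b"NTLMSSP\x00"                                # raw NTLM message signature
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Classify the token carried in an HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                      # raw NTLM, the case SPNego rejects
    if not token.startswith(b"\x60"):      # GSS-API tokens open with [APPLICATION 0]
        return "unknown"
    head = token[:16]                      # the mechanism OID follows the length bytes
    if OID_KRB5 in head or OID_MS_KRB5 in head:
        return "kerberos"                  # Kerberos token without SPNEGO wrapping
    if OID_SPNEGO in head:
        if OID_KRB5 in token or OID_MS_KRB5 in token:
            return "spnego-kerberos"       # mechanism list offers Kerberos
        if OID_NTLM in token:
            return "spnego-ntlm"           # SPNEGO wrapper, but only NTLM inside
    return "unknown"


def needs_form_fallback(header_value):
    """Assumed policy: anything that does not offer Kerberos goes to the form login."""
    return classify_authorization(header_value) not in ("kerberos", "spnego-kerberos")


def constructed_samples():
    """Constructed header values (not captured traffic): NTLM type 1, SPNEGO NegTokenInit."""
    ntlm = NTLMSSP + bytes.fromhex("0100000007820000")
    mechs = OID_MS_KRB5 + OID_KRB5
    spnego = b"\x60\x26" + OID_SPNEGO + bytes.fromhex("a01c301aa0183016") + mechs
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode("ascii")
    return {"ntlm": enc(ntlm), "spnego": enc(spnego)}
```

Running the classifier over header values taken from an HTTP trace or access log shows which clients are sending NTLM and would therefore need the password fallback.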
