09-14-2009 2:11 PM
Hi,
We found that the SPNEGO authentication works fine for portal when using form based authentication, but SPNEGO doesn't work when authschemes.xml changed to use HTTP basic authentication e.g. the browser popup screen is shown instead of authenticating using SPENGO.
The authschemes.xml changed to use basicauthentication instead of uidpwdlogon as follow:
<authscheme-refs>
<authscheme-ref name="default">
<authscheme>basicauthentication</authscheme>
</authscheme-ref>
<authscheme-ref name="UserAdminScheme">
<authscheme>uidpwdlogon</authscheme>
</authscheme-ref>
</authscheme-refs>
When I checked the HTTP trace, the response contains header "WWW-Authenticate=Basic" and not "WWW-Authenticate=Negotiate". Though "WWW-Authenticate=Negotiate" is set by the SPNEGO loginmodule, looks like the SAP logon application is resetting the WWW-Authenticate header back to "Basic" as basic authentication is used instead of form based authentication.
Any ideas on making SPNEGO work with HTTP basic authentication would greatly appreciated.
Thanks,
Srini
09-14-2009 8:49 PM
Apples and pears are simply not the same ...
As you have posted correctly, the server sends out different header fields ("WWW-Authenticate=Negotiate" vs. "WWW-Authenticate=Basic") expecting the http client to react accordingly. Sorry, but if Basic Authentication is demanded by the server you cannot simply answer with SPNEGO (and vice versa).
09-14-2009 8:59 PM
Woflgang,
Is it possible to configure the portal authschemes so that when logging onto the portal you can decide to use basic auth, or spnego auth, perhaps by using a different portal login url ?
Thanks,
Tim
09-14-2009 9:04 PM
I think redirects are a problem here.
Perhaps you noticed in the past days that it was difficult to logon to SDN...
Cheers,
Julius
09-14-2009 11:12 PM
Julius,
I am not clear what you mean - are you suggesting that this can be solved using redirects ?
Thanks,
Tim
09-15-2009 6:10 AM
Hi Tim,
Sorry, my mistake then - I thought you were suggesting redirects.
Cheers,
Julius
09-15-2009 10:14 AM
Thanks. I think it makes sense that the authentication set at server level overrides the authentication at loginmodules.