12-28-2010 12:58 PM
Hi all,
The 'log-off' once we are logged in thru SSO (using Kerberos) was directed to a static page by setting the parameter ume.logoff.redirect.url in configtool. This asks for an ID and password once I hit 'log off' in Mozilla FF. The same works well for IE. The problem is seen on both Win7 and XP machines. UME is integrated with LDAP.
Any input is greatly appreciated.
Thanks and regards,
Rosun
12-28-2010 1:50 PM
The difference might be due to the fact that IWA (Integrated Windows Authentication) is not implemented the same way in FF and IE. In IE you turn on IWA via Internet Settings, but in FF you have to set various configuration parameters in FF.
Also, does your logoff URL clear the authentication cookies from the browser? If it does, maybe it is assuming the IE browser is used, and is not using the correct JavaScript to clear cookies in FF.
Thanks,
Tim
12-28-2010 1:04 PM
Hi,
This seems to be a bug in Mozilla. Which version of Mozilla are you using? Check the Mozilla Bugzilla site for more information on Kerberos bugs.
Regards,
Raghu
12-28-2010 1:36 PM
Hi Raghu,
Thanks so much for the prompt reply.
I am using FF 3.6. I am unable to find any related bugs in FF wrt this problem.
Regards,
Rosun
12-28-2010 1:44 PM
Hi Rosun,
I recommend you update to Mozilla 4.0, which has fixes (hope it will solve the issue). If the issue persists, use the diagnostic tool:
Note 1045019 - Web diagtool for collecting traces
This should help you to identify what is missing. This issue might be due to the Kerberos key also. Refer to the relevant note after looking at the web diag trace.
Regards,
Raghu
12-28-2010 2:05 PM
Hi Raghu,
Kerberos is working fine both for XP/Win7 with Win server 2003 and/or 2008 with IE. So, I am assuming that rules out any problem with the keys. Would you still suggest using kerbtray?
I have also done the 'settings' in FF as is given in the spnego-addon configuration guide.
Thanks and regards,
Rosun
12-28-2010 2:15 PM
Hi Rosun,
It is evident that the issue is with the parameters that point to the authentication in Firefox. Maybe this issue was fixed in the upstream versions. Hence, I've recommended upgrading to FF 4.0, which was released recently. Check the parameters. I hope it is mod_auth_kerb.
Regards,
Raghu
12-29-2010 4:57 AM
Hi Raghu,
I have upgraded to FF 4 but I am still having the same problem. Could you please elaborate as to how I can check your mentioned parameter mod_auth_kerb? I am unaware of this parameter.
Thanks,
Rosun
12-29-2010 6:27 AM
Hi Rosun,
I am not sure of the parameter. There should be a similar parameter, mod_auth_kerb, which actually authorizes Kerberos. mod_auth_kerb is in Apache, I hope.
Regards,
Raghu
12-29-2010 8:22 AM
Rosun,
I would ignore any suggestions that this is a Kerberos issue, and also ignore anything related to mod_auth_kerb. mod_auth_kerb is the name of an Apache module which implements IWA. You already have IWA implemented using the SAP SPNEGO login module, and this is working fine, and SAP NetWeaver does not use Apache. Also, there is nothing to suggest that there is a bug in the browser related to Kerberos because the authentication is working fine, so there is no need to use a different pre-release Firefox browser.
I suggested previously that you look at what the logoff page is doing - is it running JavaScript to remove browser cookies?
Thanks,
Tim
12-29-2010 9:32 AM
Hi Tim,
Thanks for the clear-cut explanation. The log-off page is a simple HTML and is running no scripts.
Regards,
Rosun
12-29-2010 9:59 AM
Rosun,
Modify your logoff html page so that the following is between <HEAD> and </HEAD>
Let me know if this helps.
Thanks,
Tim
12-29-2010 10:02 AM
Tim,
Could you be a little more specific? I am sorry for the confusion on my part.
Thanks and Regards,
Rosun
12-29-2010 10:04 AM
I am having problems with this SDN forum, and when I add the code into the thread I get an error. I think the forum is broken so I cannot include code in the thread.
12-29-2010 10:09 AM
Rosun,
If you can contact me using my SDN business card, I can send you the code changes you need for your logoff html page.
I have tried many times to add the code into this thread, but I get an error.
Thanks,
Tim
12-29-2010 10:31 AM
Hi Tim,
If you send me the code I will take a look. Content filters don't like Javascript because of XSS...
Cheers,
Julius
12-29-2010 10:34 AM
>
> Hi Tim,
>
> If you send me the code I will take a look. Content filters don't like Javascript because of XSS...
>
> Cheers,
> Julius
Sent to you via email.
12-29-2010 10:46 AM
Rosun,
Modify your logoff html page so that the following is between <HEAD> and </HEAD>
<sc-ript type="text/java-script">
function clearcache()
{
document.execCommand( 'ClearAuthenticationCache' );
}
</sc-ript>
Then add the following section between <BODY> and </BODY>
<sc-ript type="text/java-script">
clearcache();
</sc-ript>
Let me know if this helps.
Also, make sure the logoff page URL is in the same DNS domain as your SAP system, e.g. if you access SAP using sap.company.com you could make the logoff page logoff.company.com
Note: I added - into the code above to make SDN accept the code. Please remove the - when adding to your logoff page.
Edited by: Tim Alsop on Dec 29, 2010 10:47 AM
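An added example, not part of the original thread or anyone's posted code: the 'ClearAuthenticationCache' command is specific to Internet Explorer, so a logoff script that must also run in Firefox can guard the call and report whether it took effect, and expire the session cookies for the shared DNS domain itself. The cookie names (MYSAPSSO2, JSESSIONID) and the domain .company.com are assumptions for illustration.

```javascript
// Added example. `doc` is the browser's `document`; it is passed in so the
// logic can also be exercised with a stand-in object outside a browser.

function expireCookie(doc, name, domain) {
  // A cookie is only overwritten when name, Domain and Path match the one
  // that was set, so write both the host-only and the domain-wide variant.
  var past = 'Thu, 01 Jan 1970 00:00:00 GMT';
  var variants = [
    name + '=; expires=' + past + '; path=/',
    name + '=; expires=' + past + '; path=/; domain=' + domain
  ];
  for (var i = 0; i < variants.length; i++) {
    doc.cookie = variants[i];
  }
  return variants;
}

function clearAuthCache(doc) {
  // IE returns true when the cached credentials were flushed. Other browsers
  // return false or throw, so never assume the cache was cleared.
  try {
    return doc.execCommand('ClearAuthenticationCache') === true;
  } catch (e) {
    return false;
  }
}

function logoff(doc, cookieNames, domain) {
  // Cookies flagged HttpOnly are not reachable from script; those must be
  // expired by the server in the logoff response instead.
  var result = { cookiesAttempted: [], authCacheCleared: false };
  for (var i = 0; i < cookieNames.length; i++) {
    expireCookie(doc, cookieNames[i], domain);
    result.cookiesAttempted.push(cookieNames[i]);
  }
  result.authCacheCleared = clearAuthCache(doc);
  return result;
}

// In a browser, run on page load; the names and domain here are assumed.
if (typeof document !== 'undefined') {
  logoff(document, ['MYSAPSSO2', 'JSESSIONID'], '.company.com');
}
```

When `authCacheCleared` comes back false, the browser still holds its credentials and the logoff page should say so (for example, by asking the user to close the browser).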
12-30-2010 7:06 AM
This issue is resolved. We deployed a .ear log-off page instead via SDM and changed the log-off parameter in configtool.
Thanks to all.