Solved: 'log-off' in SSO asking ID and password in Mozilla...

Former Member · ‎12-28-2010

Hi all,

The 'log-off' once we are logged in thru SSO (using Kerberos) was directed to a static page by setting the parameter ume.logoff.redirect.url in configtool. This asks for an ID and password once I hit 'log off' in Mozilla FF. The same works good for IE. The problem is seen both in Win7 and XP machines. UME is integrated to LDAP.

Any input is greatly appreciated.

Thanks and regards,

Rosun

tim_alsop · ‎12-28-2010

The difference might be due to the fact that IWA (Integrated Windows Authentication) is not implemented same in FF and IE. in IE you turn on IWA via Internet Settings, but in FF you have to set various configuration parameters in FF.

Also, does your logoff URL clear the authentication cookies from browser ? If it does, maybe it is assuming IE browser is used, and is not using the correct javascript to clear cookies in FF.

Thanks,

Tim

Former Member · ‎12-28-2010

Hi,

This seems to be a bug in Mozilla. Which version of Mozilla you are using. Check the mozilla bugzilla site for more information on Kerberos bugs.

Regards,

Raghu

Former Member · ‎12-28-2010

Hi Raghu,

Thanks so much for the prompt reply.

I am using FF 3.6. I am unable to find any related bugs in FF wrt this problem.

Regards,

Rosun

Former Member · ‎12-28-2010

Hi Rosun,

I recommend you to update to Mozilla 4.0 which has fixes (hope it will solve the issue.) If the issue persists, use the diagnostic tool:

Note 1045019 - Web diagtool for collecting traces

This should help you to identify what is missing. This issue might be due to Kerberos key also. Refer the relevant note upon looking at the web diag trace.

Regards,

Raghu

Former Member · ‎12-28-2010

Hi Raghu,

Kerberos is working fine both for XP/Win7 with Win server 2003 and or 2008 with IE. So, I am assuming, that rules out any problem with the keys. Would you still suggest using kerbtray?

I have also done the 'settings' in FF as is given in the spnego-addon configuration guide.

Thanks and regards,

Rosun

Former Member · ‎12-28-2010

Hi Rosun,

It is evident that the issue is with the parameters that points to the authentication in Firefox. May be this issue was fixed in the upstreme versions. Hence, I've recommended to upgrade to FF 4.0, which was released recently. Check the parameters. I hope it is mod_auth_kerb.

Regards,

Raghu

Former Member · ‎12-29-2010

Hi Raghu,

I have upgraded to FF 4 but I am still having the same problem. Could you please elaborate as to how I can check your mentioned parameter mod_auth_kerb? I am unaware of this parameter.

Thanks,

Rosun

Former Member · ‎12-29-2010

Hi Rosun,

I am not sure of the parameter. There should be similar parameter mod_auth_kerb which actually authorize kerberos. mod_auth_kerb is in Apache I hope.

Regards,

Raghu

tim_alsop · ‎12-29-2010

Rosun,

I would ignore any suggestions that this is a Kerberos issue, and also ignore anything related to mod_auth_kerb. The mod_auth_kerb is the name of an Apache module which implements IWA. You already have IWA implemented using the SAP SPNEGO login module, and this is working fine, and SAP NetWeaver does not use Apache. Also, there is nothing to suggest that there is a bug in the browser related to Kerberos because the authentication is working fine, so there is no need to use different pre-release Firefox browser.

I suggested previously that you look at what the logoff page is doing - is it running Javascript to remove browser cookies ?

Thanks,

Tim

Former Member · ‎12-29-2010

Hi Tim,

Thanks for the clear-cut explanation. The log-off page is a simple HTML and is running no scripts.

Regards,

Rosun

tim_alsop · ‎12-29-2010

Roson,

Modify your logoff html page so that following is between <HEAD> and </HEAD>

Let me know if this helps.

Thanks,

Tim

Former Member · ‎12-29-2010

Tim,

Could you be a little more specific? I am sorry for the confusion on my part.

Thanks and Regards,

Rosun

tim_alsop · ‎12-29-2010

I am having problems with this SDN forum, and when I add the code into the thread I get an error. I think the forum is broken so I cannot include code in the thread

tim_alsop · ‎12-29-2010

Rosun,

If you can contact me using my SDN business card, I can send you the code changes you need for your logoff html page.

I have tried many times to add the code into this thread, but I get an error.

Thanks,

Tim

Former Member · ‎12-29-2010

Hi Tim,

I have mailed you. Please check.

Thanks and regards,

Rosun

tim_alsop · ‎12-29-2010

I have sent you the code changes via email. Please check...

Former Member · ‎12-29-2010

Thanks a lot Tim. I will surely update you what turns out.

Former Member · ‎12-29-2010

Hi Tim,

If you send me the code I will take a look. Content filters don't like Javascript because of XSS...

Cheers,

Julius

tim_alsop · ‎12-29-2010

>


> Hi Tim,
> 
> If you send me the code I will take a look.  Content filters don't like Javascript because of XSS...
> 
> Cheers,
> Julius

Sent to you via email.

tim_alsop · ‎12-29-2010

Rosun,

Modify your logoff html page so that following is between <HEAD> and </HEAD>

<sc-ript type="text/java-script">

function clearcache()

{

document.execCommand( 'ClearAuthenticationCache' );

}

</sc-ript>

Then add following section between <BODY> and </BODY>

<sc-ript type="text/java-script">

clearcache();

</sc-ript>

Let me know if this helps.

Also, make sure the logoff page URL is in same DNS domain as your SAP system. e.g.if you access SAP using sap.company.com you could make the logoff page logoff.company.com

Note: I added - into the code above to make SDN accept the code. Please remove the - when adding to your logoff page.

Edited by: Tim Alsop on Dec 29, 2010 10:47 AM

tim_alsop · ‎12-28-2010

The difference might be due to the fact that IWA (Integrated Windows Authentication) is not implemented same in FF and IE. in IE you turn on IWA via Internet Settings, but in FF you have to set various configuration parameters in FF.

Also, does your logoff URL clear the authentication cookies from browser ? If it does, maybe it is assuming IE browser is used, and is not using the correct javascript to clear cookies in FF.

Thanks,

Tim

Former Member · ‎12-30-2010

This issue is resolved. We deployed a .ear log-off page instead via SDM and changed the log-off parameter in configtool.

Thanks to all.

'log-off' in SSO asking ID and password in Mozilla FF