12-30-2010 9:16 AM
Hi all,
We have Kerberos configured between our Portal systems and the ADS. UME is integrated to LDAP. It logs me into the portal using the URL, with my LDAP/windows credentials, without prompting for anything now.
Here is my concern. What if I wish to log-out and log in again but as a different user; maybe a test user over the UME database or just the ADMINISTRATOR user? Is this scenario possible?
Any help is greatly appreciated.
Thanks and regards,
Rosun
12-30-2010 10:54 AM
Rosun,
I think you will find that this functionality is not available when using the SAP SPNEGO login module.
Maybe you can consider a different product? Check http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter - click on the Details tab and look at the 2nd bullet point on this page.
Thanks,
Tim
12-30-2010 11:38 AM
Hi Tim,
I have come to the conclusion that there are in fact a few workarounds to my scenario. Not getting it still, though. I have tried setting the GET parameter in the URL as suggested in a certain blog, as http://<hostname>:5XX00/irj?spnego=disabled, but it didn't work... yet.
Thanks and regards,
Rosun
Edited by: Rosun Raj Kumar on Dec 30, 2010 12:38 PM
12-30-2010 11:07 AM
Hi Rosun
After configuring Kerberos it's not possible to log out from the portal, as it logs back in automatically. So, the option is to close the browser window and open a new window for another login.
You can implement one process whereby, by clicking on the logoff button, the user would be logged off and at the same time the portal window would be closed. This can be achieved by keeping a self-and-parent-close HTML page inside KM and configuring the UME parameter ume.logoff.redirect.url.
Regards,
Sen
12-30-2010 11:34 AM
Hi Prodyut,
Thanks for the info provided. I do have ume.logoff.redirect.url configured; we have the log-off directed to a static page. It doesn't close the page though.
If I were to rephrase myself: how to deactivate Kerberos so that I could log in with a separate ID other than my own ID is my concern.
Thanks and regards,
Rosun
12-30-2010 12:21 PM
Hi,
My portal runs on a Windows server which has 2 FQDNs.
The first domain is the Windows domain, which is also the Kerberos realm.
So, when I call the URL https://serveralias.windowsdomain.company.country:port/irj/portal , I get connected with my personal user through spnego/kerberos.
In fact, I have a web dispatcher with redirect rules, so it's possible to use the simplified URL http://serveralias
The second domain is the internal DNS domain (not a kerberos realm)
So when I call the URL http://server.dnsdomain.company.country:port/irj/portal, spnego/kerberos authentication fails (wrong principal name), and I get the login page where I can enter the user/password of my choice.
Therefore, I can choose very easily to login with SSO or a login page.
For logoff we have defined a logoff page URL in order to be not reconnected immediately with SSO.
If you don't have 2 domains for your server, it may be enough to define a fake one in your etc/hosts file?
Regards,
Olivier
12-30-2010 12:34 PM
Hi Olivier,
Thanks a lot!
We have a single domain. But your hint of creating a fake entry in the hosts file seems plausible. I will be trying this.
Regards,
Rosun
01-05-2011 11:14 PM
Hi Rosun,
Easiest way, if you are using IE: just go to Tools > Internet Options > Advanced, find "Enable Integrated Windows Authentication" and uncheck it.
By doing this you will now be prompted for a login ID.
01-06-2011 4:05 AM
Hi Ryan,
Works like a charm. Wonder how I didn't think of this before!
Thanks and Regards,
Rosun
01-06-2011 4:35 AM
Ryan, hi again!
This is to tell you that unchecking "Enable Integrated Windows Authentication" deactivates Kerberos. I am prompted to give the ID and password but am unable to log in now. I checked the box again, but login (even with Kerberos) seems to have failed altogether.
Thanks and regards,
Rosun
01-06-2011 4:44 AM
Did you close the IE session and open a window? Also are you logging in with administrator?
01-06-2011 8:48 AM
Hi,
Yes, deactivating "Enable Integrated Windows Authentication" should work, but the problem is that in most companies (including mine) the users are not administrators of their PC and this setup is forbidden.
It would also deactivate Kerberos for all Kerberos based applications, not only SAP portal.
So it's a good idea but not for everybody.
Regards,
Olivier
01-06-2011 9:11 AM
Hi Ryan,
I did restart IE. I tried logging in with ADMINISTRATOR and also my own ID.
Thanks and regards,
Rosun
01-06-2011 9:24 AM
Hi Olivier,
For my company, I am able to check/uncheck "Enable Integrated Windows Authentication" but not able to set/change Tools -> Internet Options -> Security -> Local Intranet -> Custom level -> "Automatic logon only in Intranet zone", as it should be according to the Kerberos config guide. This has been set by default to "Automatic logon with current user name and password". How would this affect me?
I am still unable to log in after Kerberos is deactivated by unchecking "Enable Integrated Windows Authentication" with the "Automatic logon with current user name and password" IE setting.
Please help.
Thanks and regards,
Rosun
01-06-2011 12:01 PM
Hi Rosun,
Sorry I can't experiment on my PC. I am administrator of all the SAP production systems but am not administrator of my own PC...
Did you try the fake domain technique ?
Regards,
Olivier
01-06-2011 12:21 PM
Olivier,
I am unable to try the fake domain thing because it requires changes at the hosts file level, to which I have no direct access. That has to be my last resort, though.
Thanks and regards,
Rosun
01-06-2011 12:29 PM
Rosun,
If you use the 'fake domain' method then your fallback login module (e.g. BasicPasswordLoginModule) will be used to authenticate the user, but the user will see 'Authentication failed' at the top of the signon screen because the IWA auth failed - not very user friendly. Also, the browser might pop up a dialog box asking the user to authenticate to the domain, and they will have to click cancel before they get the SAP login screen. These are some of the reasons why we added support into our product to allow users to log on as a different AD account when IWA is used normally. With our product, there is no HTTP 401 sent to the browser for IWA when the user doesn't want to use IWA, and there is no authentication failed error in the signon screen when IWA is not used. I can show you a demo if you are interested.
Thanks,
Tim
01-06-2011 12:50 PM
Hi Tim,
Your point is well noted. I will surely get back to you.
Thanks and regards,
Rosun
01-06-2011 9:32 PM
Hi Rosun,
It is a bit strange that you are not able to log in; I have done this many times without issues.
Try using the web diag tool to see at what point the failure arises.
01-07-2011 4:13 AM
Hi Ryan,
It is indeed strange. Let me explain myself a little further. I have configured Kerberos for a lot of my portal systems. Every time it so happens thus:
Spnego wizard is run.
Login modules in VA are set.
IE settings are done.
Kerberos works.
Whenever Kerberos fails for various reasons (improper keytab, improper IE settings, etc.), the logon totally fails. I am prompted for an ID/password. Not even my default ID/password login would work. This reverts to at least a normal ID/password login ONLY when I have removed the SPNEGOLoginModule and re-arranged the modules in VA.
Any inputs?
Regards,
Rosun
01-07-2011 4:59 AM
Rosun,
Sounds like a bug.... Try using the new method that has been delivered by SAP.
SPNEGO add-on, OSS note 1457499.
It might help resolve some of your issues.
01-07-2011 6:12 AM
Ryan,
I was not clear enough. I have used the SPNEGO add-on itself. The problems I have been speaking of are for the same.
Regards,
Rosun
01-07-2011 12:09 PM
hi,
If you use the 'fake domain' method then your fallback login module (e.g. BasicPasswordLoginModule) will be used to authenticate the user, but the user will see 'Authentication failed' at top of signon screen because the IWA auth failed - not very user friendly. Also, the browser might popup a dialog box asking the user to authenticate to the domain, and they will have to click cancel before they get the SAP login screen.
Well, usually the need to bypass SSO is for administrators and functional consultants. These people understand it is a bypass and don't mind the "Authentication failed".
I have never got a popup dialog box to authenticate to the domain.
Each SAP customer has different requirements. There is no perfect universal solution for everybody...
Regards,
Olivier
01-10-2011 5:24 AM
Olivier,
Just to highlight my problem, I am unable to log in at all once Kerberos is deactivated. I don't see an error message nor a pop-up for network credentials.
Thanks,
Rosun
01-10-2011 10:48 AM
Hi all,
The Diagtool trace shows the following error:
com.sap.engine.services.security.exceptions.BaseLoginException: Call logout before login.
I have lodged an OSS message for the same.
Thanks and regards,
Rosun
01-10-2011 1:56 PM
Hi all,
This issue is resolved now.
It was a problem with my login modules. I had only one CreateTicketLoginModule in my stack. SAP advised me to add another one at the end. I am able to log in with alternative IDs too now.
Thanks all!
Rosun
Edited by: Rosun Raj Kumar on Jan 10, 2011 2:56 PM
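The resolution above turns on login-module stack order. As an added example, not from the thread or from SAP, here is a minimal Python model of standard JAAS control-flag semantics (REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL) run over a stack using the module names the thread mentions; the flags, the ordering and the context fields (ticket_cookie, spnego_token, password_ok, etc.) are assumptions for illustration. It shows that when SPNEGO fails and the password fallback succeeds, a stack without a trailing CreateTicketLoginModule authenticates the user but never issues an SSO ticket.

```python
# Added example (not from the thread): a small model of JAAS control-flag
# semantics applied to the SPNEGO + password login-module stack the thread
# describes. Flags and ordering are ASSUMED, not SAP's delivered defaults.

def _accept(ctx, cond, user):
    # Shared helper: on success, record the authenticated user in the context.
    if cond:
        ctx["user"] = user
    return bool(cond)

def evaluate_ticket(ctx):   # existing SSO logon ticket cookie present?
    return _accept(ctx, ctx.get("ticket_cookie"), ctx.get("ticket_cookie"))

def spnego(ctx):            # browser sent a valid Kerberos token?
    return _accept(ctx, ctx.get("spnego_token") == "valid", ctx.get("ad_user"))

def basic_password(ctx):    # form login: typed password checks out?
    return _accept(ctx, ctx.get("password_ok"), ctx.get("form_user"))

def create_ticket(ctx):     # issue a logon ticket, only for an authenticated user
    ctx["ticket_issued"] = ctx.get("ticket_issued") or bool(ctx.get("user"))
    return bool(ctx.get("user"))

def run_stack(stack, ctx):
    # Evaluate (name, flag, module) entries with JAAS control-flag rules.
    ctx, trace, any_ok, required_failed = dict(ctx), [], False, False
    for name, flag, module in stack:
        ok = module(ctx)
        trace.append(f"{name}:{'ok' if ok else 'fail'}")
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":      # REQUISITE failure aborts the stack
                break
        elif flag == "SUFFICIENT" and ok and not required_failed:
            break                        # SUFFICIENT success short-circuits
    return {"ok": any_ok and not required_failed, "user": ctx.get("user"),
            "ticket": ctx.get("ticket_issued", False), "trace": trace}

FULL_STACK = [  # assumed layout: SSO first, password fallback, ticket at the end
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("SPNegoLoginModule", "OPTIONAL", spnego),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]
ONE_CREATE_STACK = FULL_STACK[:4]  # the thread's broken case: no trailing CreateTicket
```

With ONE_CREATE_STACK the password path returns ok=True but ticket=False, so every later request goes through the whole stack again instead of being accepted by EvaluateTicketLoginModule.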