
Kerberos login as a different user other than self ID

Former Member
0 Kudos

Hi all,

We have Kerberos configured between our Portal systems and the ADS. UME is integrated to LDAP. It logs me into the portal using the URL, with my LDAP/windows credentials, without prompting for anything now.

Here is my concern. What if I wish to log-out and log in again but as a different user; maybe a test user over the UME database or just the ADMINISTRATOR user? Is this scenario possible?

Any help is greatly appreciated.

Thanks and regards,

Rosun

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Rosun,

I think you will find that this functionality is not available when using the SAP SPNEGO login module.

Maybe you can consider a different product? Check http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter - click on Details tab and look at the 2nd bullet point on this page.

Thanks,

Tim

27 REPLIES

Former Member
0 Kudos

Hi Tim,

I have come to the conclusion that there are in fact a few workarounds to my scenario. Not getting it still though. I have tried setting the GET parameter in the URL as is suggested in a certain blog as http://<hostname>:5XX00/irj?spnego=disabled but didn't work... yet.

Thanks and regards,

Rosun

Edited by: Rosun Raj Kumar on Dec 30, 2010 12:38 PM

former_member218672
Active Contributor
0 Kudos

Hi Rosun

After configuring Kerberos it's not possible to log out from the portal, as it logs back in automatically. So the option is to close the browser window and open a new window for another login.

You can implement a process in which, by clicking on the logoff button, the user would be logged off and at the same time the portal window would be closed. This can be achieved by keeping a self and parent close html inside KM and configuring the UME parameter - ume.logoff.redirect.url.

Regards,

Sen

0 Kudos

Hi Prodyut,

Thanks for the info provided. I do have ume.logoff.redirect.url configured; we have the log-off directed to a static page. It doesn't close the page though.

If I were to rephrase myself: how to de-activate Kerberos so that I could log in with a separate ID other than my ID is my concern.

Thanks and regards,

Rosun

Former Member
0 Kudos

Hi,

My portal runs on a Windows server which has 2 FQDN.

The first domain is the windows domain which is also the kerberos realm.

So, when I call the URL https://serveralias.windowsdomain.company.country:port/irj/portal , I get connected with my personal user through spnego/kerberos.

In fact, I have a web dispatcher with redirect rules, so it's possible to use the simplified URL http://serveralias

The second domain is the internal DNS domain (not a kerberos realm)

So when I call the URL http://server.dnsdomain.company.country:port/irj/portal spnego/kerberos authentication fails (wrong principal name), and I get the login page where I can enter the user/password of my choice.

Therefore, I can choose very easily to login with SSO or a login page.

For logoff we have defined a logoff page URL in order to be not reconnected immediately with SSO.

If you don't have 2 domains for your server, it may be enough to define a fake one in your etc/hosts file?

Regards,

Olivier

0 Kudos

Hi Olivier,

Thanks a lot!

We have a single domain. But your hint of creating a fake entry in the hosts file seems plausible. I will be trying this.

Regards,

Rosun

0 Kudos

Hi Rosun,

The easiest way, if you are using IE: just go to Tools > Internet Options > Advanced, find "Enable Integrated Windows Authentication" and uncheck it.

By doing this you will now be prompted for a login ID.

0 Kudos

Hi Ryan,

Works like a charm. Wonder how I didn't think of this before!

Thanks and Regards,

Rosun

0 Kudos

Ryan, hi again!

This is to tell you that unchecking enable Integrated windows authentication deactivates kerberos. I am prompted to give the ID and password but unable to log in now. I checked the box again but login (even with kerberos) seems to have failed altogether.

Thanks and regards,

Rosun

0 Kudos

Did you close the IE session and open a window? Also are you logging in with administrator?

0 Kudos

Hi,

Yes, deactivating "Enable Integrated Windows Authentication" should work, but the problem is that in most companies (including mine) the users are not administrators of their PC and this setup is forbidden.

It would also deactivate Kerberos for all Kerberos based applications, not only SAP portal.

So it's a good idea but not for everybody.

Regards,

Olivier

0 Kudos

Hi Ryan,

I did restart IE. I tried logging in with ADMINISTRATOR and also my own ID.

Thanks and regards,

Rosun

0 Kudos

Hi Olivier,

For my company, I am able to check/uncheck enable Integrated windows authentication but not able to set/change the Tools -> Internet Options ->Security -> Local Intranet -> Custom level -> Automatic logon only in Intranet Zone as should be according to the kerberos config guide. This has been by default set to Automatic logon with current user name and password. How would this affect me?

I am still unable to log in after Kerberos is deactivated by unchecking enable Integrated windows authentication with Automatic logon with current user name and password IE settings.

Please help.

Thanks and regards,

Rosun

0 Kudos

Hi Rosun,

Sorry I can't experiment on my PC. I am administrator of all the SAP production systems but am not administrator of my own PC...

Did you try the fake domain technique?

Regards,

Olivier

0 Kudos

Olivier,

I am unable to try the fake domain thing because it requires changes at the hosts file level, for which I have no direct access. That has to be my last resort though.

Thanks and regards,

Rosun

0 Kudos

Rosun,

If you use the 'fake domain' method then your fallback login module (e.g. BasicPasswordLoginModule) will be used to authenticate the user, but the user will see 'Authentication failed' at top of signon screen because the IWA auth failed - not very user friendly. Also, the browser might popup a dialog box asking the user to authenticate to the domain, and they will have to click cancel before they get the SAP login screen. These are some of the reasons why we added support into our product to allow users to logon as different AD account when IWA is used normally. With our product, there is no HTTP 401 sent to browser for IWA when user doesn't want to use IWA, and there is no authentication failed error in the signon screen when IWA is not used. I can show you a demo if you are interested.

Thanks,

Tim

0 Kudos

Hi Tim,

Your point is well noted. I will surely get back to you.

Thanks and regards,

Rosun

0 Kudos

Hi Rosun,

It is a bit strange why you are not able to login, I have done this many times without issues.

Try using the web diag tool to see at what point the failure arises.

0 Kudos

Hi Ryan,

It is indeed strange. Let me explain myself a little further. I have configured Kerberos for a lot of my portal systems. Every time it so happens thus.

Spnego wizard is run.

Login modules in VA are set.

IE settings are done.

Kerberos works.

Whenever Kerberos fails for various reasons- improper keytab, improper IE settings etc., the logon totally fails. I am prompted for an ID/password. Not even my default ID/password login would work. This will be reverted back to at least a normal ID/password login ONLY when I have taken off the SPNEGOLoginModule and have re-arranged the modules in VA.

Any inputs?

Regards,

Rosun

0 Kudos

Rosun,

Sounds like a bug.... Try using the new method that has been delivered by SAP.

SPNEGO add-on ossnote 1457499

Might help resolve some of your issues.

0 Kudos

Ryan,

I was not clear enough. I have used Spnego Addon itself. The problems I have been speaking are for the same.

Regards,

Rosun

0 Kudos

hi,

If you use the 'fake domain' method then your fallback login module (e.g. BasicPasswordLoginModule) will be used to authenticate the user, but the user will see 'Authentication failed' at top of signon screen because the IWA auth failed - not very user friendly. Also, the browser might popup a dialog box asking the user to authenticate to the domain, and they will have to click cancel before they get the SAP login screen.

Well, usually the need to bypass SSO is for administrators and functional consultants. These people understand it is a bypass and don't mind the "Authentication failed".

I have never got a popup dialog box to authenticate to the domain.

Each SAP customer has different requirements. There is no perfect universal solution for everybody...

Regards,

Olivier

0 Kudos

Olivier,

Just to highlight my problem, I am unable to log in at all once Kerberos is deactivated. I don't see an error message nor a pop-up for network credentials.

Thanks,

Rosun

0 Kudos

Hi all,

The Diagtool trace shows the following error:

com.sap.engine.services.security.exceptions.BaseLoginException: Call logout before login.

I have lodged an OSS message for the same.

Thanks and regards,

Rosun

0 Kudos

Hi all,

This issue is resolved now.

It was a problem with my login modules. I had only one CreateTicketLoginModule in my stack. SAP advised me to add another one at the end. I am able to login with alternative ID's too now.

Thanks all!

Rosun

Edited by: Rosun Raj Kumar on Jan 10, 2011 2:56 PM
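
Added example, not part of the thread and not SAP's code: a simplified Python model of JAAS control-flag evaluation, showing how a stack with a single CreateTicketLoginModule can authenticate a password fallback without issuing a logon ticket, and how a second one at the end changes that. The control flags, and the rule that CreateTicketLoginModule issues a ticket only after an earlier module has authenticated the user, are assumptions; the thread states neither.

```python
# Added illustration: simplified model of JAAS control-flag evaluation.
# Flags and module behaviour are assumptions; the thread does not state them.

STACK_BEFORE = [
    ("SPNegoLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
]
# The fix described in the thread: a second CreateTicketLoginModule at the end.
STACK_AFTER = STACK_BEFORE + [("CreateTicketLoginModule", "OPTIONAL")]


def run_stack(stack, kerberos_ok, password_ok):
    """Return (authenticated, ticket_issued) for one login attempt."""
    identity_proven = False      # shared state between modules
    ticket_issued = False
    mandatory_failed = False
    any_success = False
    has_mandatory = any(f in ("REQUIRED", "REQUISITE") for _, f in stack)

    for module, flag in stack:
        if module == "SPNegoLoginModule":
            ok = kerberos_ok
        elif module == "BasicPasswordLoginModule":
            ok = password_ok
        elif module == "CreateTicketLoginModule":
            # Assumed: issues a logon ticket only if an earlier module
            # has already authenticated the user.
            ok = identity_proven
            ticket_issued = ticket_issued or ok
        else:
            raise ValueError(f"unmodelled module: {module}")
        identity_proven = identity_proven or ok
        any_success = any_success or ok

        if not ok and flag in ("REQUIRED", "REQUISITE"):
            mandatory_failed = True
            if flag == "REQUISITE":
                break            # REQUISITE failure aborts the stack
        if ok and flag == "SUFFICIENT" and not mandatory_failed:
            break                # SUFFICIENT success ends evaluation early

    authenticated = not mandatory_failed and (has_mandatory or any_success)
    return authenticated, ticket_issued and authenticated


if __name__ == "__main__":
    for name, stack in (("before", STACK_BEFORE), ("after", STACK_AFTER)):
        print(name, run_stack(stack, kerberos_ok=False, password_ok=True))
```

In this model the Kerberos path behaves the same in both stacks; only the password fallback differs, which is the case a stack review should exercise after adding the SPNEGO module.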

Former Member
0 Kudos

resolved...

0 Kudos

Hi Rosun,

What did you do to log off from the portal?

Regards