06-24-2011 2:32 PM
Dear Community,
My recent approach to configure SSO between NW Portal 7.01 SP6 and MS Server 2008 IIS7.5 (64-bit) failed due to the fact that SAP does not provide appropriate DLLs for the SSO22KerbMap ISAPI filter. Since my knowledge about the MS side is very limited, I am wondering if there is another possibility to implement SSO between these two systems. Anybody out there who is able to share experience / provide some tips?
Best regards
Frank Opitz
06-25-2011 9:43 PM
Does the MS Server not support authentication with the original Kerberos token from the AD?
Assuming that was used to authenticate the user on the SAP Portal, why is it failing? Perhaps you can explain more details about the call and the application on the portal (how does the user authenticate there?).
If it is a SSO2 ticket you are wanting to issue and use for the call, then an option is the SSO2 ticket verification library. It basically verifies the digi-sig on the ticket, extracts the user name from it if everything is okay and passes it on as a header variable in the request. So... it is not really SSO but rather an "I believe you" trust relationship chain...
Cheers,
Julius
06-25-2011 10:28 PM
If the user is being authenticated to the portal using MS AD account via Kerberos, then you can configure IIS to authenticate the user using Integrated Windows Authentication. Then, a user will be able to access both IIS and the portal and will be recognised as the user who is logged onto the Windows workstation.
Tim
06-27-2011 12:11 PM
Hi together,
thanks for your response.
Kerberos seems to be a nice option but a lot of users are still using username / password for login to our corporate portal. The landscape is very heterogeneous with many ADs in use. Unfortunately most changes can only be handled on the side of the corporate portal.
Secondly, transmitting user credentials as header parameters seems to be a security risk. The redirect to the Microsoft application is handled on the client side, the browser. The user can easily exchange the user ID to login as somebody else when it is not protected in some way.
Best regards
Frank Opitz
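The verify-then-forward pattern described in the earlier reply, together with the header-tampering concern raised in this post, as an added example that is not part of the original thread and is not SAP's verification library. It assumes a constructed ticket layout (not the real SSO2 ticket format), a shared HMAC key standing in for the portal's digital signature, and the hypothetical names `X-Remote-User` and `demo_ticket`.

```python
import base64
import hashlib
import hmac
import time

PORTAL_KEY = b"constructed-demo-key"   # assumption: stand-in for the portal's signing key
IDENTITY_HEADER = "X-Remote-User"      # hypothetical header read by the backend application
TICKET_COOKIE = "demo_ticket"          # hypothetical cookie name


def issue_ticket(user, ttl=300, now=None):
    """Portal side: sign user ID and expiry together so neither can be swapped."""
    expires = int((now if now is not None else time.time()) + ttl)
    payload = f"{user}|{expires}".encode()
    sig = hmac.new(PORTAL_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_ticket(ticket, now=None):
    """Receiving side: return the signed user ID, or None if anything is off."""
    now = now if now is not None else time.time()
    try:
        p64, s64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:                  # wrong shape or bad base64
        return None
    expected = hmac.new(PORTAL_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                     # payload was altered in the browser
    try:
        user, expires = payload.decode().rsplit("|", 1)
        if int(expires) < now:
            return None                 # expired ticket replayed
    except ValueError:
        return None
    return user


def filter_request(headers, cookies, now=None):
    """Discard any identity header the client sent; set it only from a valid ticket."""
    clean = {k: v for k, v in headers.items()
             if k.lower() != IDENTITY_HEADER.lower()}
    user = verify_ticket(cookies.get(TICKET_COOKIE, ""), now)
    if user is None:
        return None                     # caller should answer 401
    clean[IDENTITY_HEADER] = user
    return clean
```

The backend may trust the identity header only if it is reachable exclusively through this filter; a request that bypasses the filter can carry any header value.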
06-27-2011 12:21 PM
Hi,
Kerberos can be used when users logon to portal and either log them in without any need to enter an id/password, or it can be used where a form is shown in browser and user enters their AD account and password.
I'm not sure why you are mentioning passing credentials as header parameters - this is not good and I don't believe I have suggested anything which would mean you would have to suffer this?
Tim
07-26-2011 2:20 PM
I am also experiencing the single sign on with non-SAP. We were successfully able to do with IIS6, Windows 2003.
Now we have upgraded the server to Windows 2008 and IIS7. Tried with several different options of Kerberos, sapssoext.dll etc... no luck. Did anyone find the solution? Please advise.
11-08-2011 8:20 AM
Dear all,
We want to make SSO from SAP Netweaver Portal to a Sharepoint Server.
SP Server is installed upon a Windows Server 2008R2.
Currently, I'm unable to install the SSO22KerbMap module inside IIS too.
Did you find a solution from your side?
With my best regards,
Ludovic BONTEMPS