
PI 7.1 LDAP connectivity

Former Member
0 Kudos

Hi ,

We configured our PI 7.1 system to connect to Active Directory (LDAP); we completed all the configuration in T-Code LDAP. But when I look at Java stack user administration --> Configuration, the Data Source is still ABAP System. I am not able to change the Java stack to point to Active Directory; it is not showing our Active Directory in the drop-down menu, it has only ABAP System.

How do I change the Java stack of the PI system to point to Active Directory?

Once SSO is enabled our security team will disable the passwords, so users will not have any password, but when they try to access RWB or Integration Engine the system is prompting for a password. So if the Java stack is pointed to Active Directory, I guess the issue will be solved.

Thanks,

Srini Koppuravuri

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Which SSO mechanism are you using? There are several options and they impact what you should at best do.

Anyway, changing the UME from ABAP to AD is AFAIK not officially supported.

Cheers,

Julius

8 REPLIES 8

0 Kudos

Yes, this is my understanding also.

If you want to log on to SAP portal using forms-based login with AD account + password, you can do this with ABAP as UME datasource if you use a third-party product that is SAP certified and supported. The same product can be used for Integrated Windows Authentication. See http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter

Thanks,

Tim

former_member432219
Active Participant
0 Kudos

Hi Srini,

As already mentioned by Julius, for NetWeaver AS ABAP + Java, it's not supported to change the UME datasource from ABAP to Active Directory.

However, since you mention disabling users' passwords, I assume that your main intention is Windows Integrated Authentication.

This is indeed possible with an ABAP UME datasource: simply configure SAP's SPNego Authentication as outlined in the PDF attached to note 1488409 and users will authenticate using their Kerberos tokens.

Step 10, 'ADJUST THE AUTHENTICATION STACK', should be done for each application for which users will use Windows Integrated Authentication.

regards,

Patrick

0 Kudos

Thank You all for the information.

We are NOT planning for Windows Integrated Authentication.

Users will log in to PI 7.1 from/via the EP 7.02 system. Even with SSO between PI and EP, when users try to open RWB or Integration Engine on PI it is prompting for a password. SSO works fine for the PI ABAP stack, but when they try to open some tools which use the Java stack, it is prompting for a password.

Thanks,

Srini

0 Kudos

OK, so as far as I can tell the scenario is that users first log in to EP using userid and password, and from there they SSO using SAP logon tickets to PI. The SSO to PI ABAP works OK, the SSO to PI Java does not; is this correct?

Can you specify what configuration you have done on the PI AS Java in order for logon tickets issued by the EP system to be used for authentication there?

If you log on to the EP system and then change the URL in the browser address bar to http://<pijavaserver>:<port>/useradmin, do you get authenticated or is the logon page displayed?

0 Kudos

Patrick,

Yes, your understanding is correct. EP authenticates to Active Directory, similarly the PI system also.

I followed the URLs below to make changes for the Java stack:

http://help.sap.com/saphelp_nwpi711/helpdata/en/cb/ac3d41a5a9ef23e10000000a155106/frameset.htm

http://help.sap.com/saphelp_nwpi711/helpdata/en/75/c80b424c6cc717e10000000a155106/frameset.htm

When I try the PI user admin URL it is directly taking me into the PI system. NO login screen.

Thanks,

Srini

0 Kudos

Hi again Srini,

OK, well, the fact that you can access the useradmin system without being requested to enter userid and password again shows that the PI Java server 'trusts' logon tickets issued by the EP system.

Perhaps the XI components (RWB, Integration Engine) that you would like to access don't have their login module stacks configured to evaluate the logon ticket issued by the EP system.

The user administration application uses the 'ticket' login module stack, so it appears that this login module stack is configured correctly, since you can access the application using the logon ticket.

So I suggest configuring the login module stacks of RWB, Integration Engine etc. to have the same configuration as the 'ticket' stack, at least as a test. In fact, you can configure them to use the 'ticket' template in the NetWeaver Administrator. Go to Configuration Management - Security - Authentication - Policy Configuration Name.

I'm not a PI guy so I'm not sure, but I think the policy configuration name for RWB that you'll find in the NWA is

sap.com/com.sap.xi.rwb*rwb - try configuring this to use the ticket template by choosing 'ticket' from the 'used template' dropdown and then test the SSO again.

regards,

Patrick

0 Kudos

Hi Patrick,

All the changes you mentioned were already made. When the new window opens as a new tab in the present browser, it is not prompting for a password.

I opened an OSS message to SAP and got a reply that Data Source change is not supported by SAP.

Thank You all for your valuable suggestions.

Thanks,

Srini