SSO between EP and Windows

Former Member
0 Kudos

Hello,

We have implemented SSO between EP 7.0 and Windows LDAP server using SPNego Authentication, which was working fine. Now sometimes when users go to the Portal URL, it asks for their userid and password rather than taking them directly to the Portal. What can be causing this?

Any help would be highly appreciated.

Thanks

4 REPLIES

former_member201257
Active Contributor
0 Kudos

Check your logs when this problem happens, this should give you some additional details.

Couple of possible reasons:

1) They are working with a SAP system longer than the MYSAPSSO2 ticket lifetime is set. Once the cookie expires (default is 8 hours I believe), SSO no longer works.

2) Another thing to check is if the Integrated Windows Authentication is enabled in IE browser options going to Tools -> Internet Options -> Advanced -> Security. The AS Java hostname must be added to the Intranet sites list in Tools -> Internet Options -> Security -> Local Intranet -> Sites button -> Advanced button. You can use an asterisk (*) in order to add a whole domain to the site list.

3) Another likely reason is that users are not locking their computers and thus not having to re-authenticate with the KDC often enough to hold a valid Kerberos ticket in their cache.

If you need to change the lifetime of the Kerberos ticket, then you need to do this in your Active Directory. I believe the default lifetime is set to 10 hours...

You can find more information on the dedicated wiki page for this topic:

http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSPNego%28NWAS+Java%29

Thanks,

Shanti

hofmann
Active Contributor
0 Kudos

Hi,

When SSO is broken for some users, check if the user ID is valid in the portal's UME and if the timezone of the Windows computer is correct (normally SPNego permits a time difference of 5 minutes). If everything is OK, check if the browser is responding to the HTTP header NEGOTIATE sent from the portal.

br,

Tobias
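As an added example (not part of any reply in this thread), the check described above can be done on headers copied out of an HTTP trace: the sketch classifies the browser's answer to the portal's Negotiate challenge as missing, NTLM fallback, or Kerberos. The function names, hint texts and sample tokens are constructed for illustration, and the Kerberos test is a heuristic that looks for the mechanism OID near the start of the token.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2

# Hints map each outcome to checks already suggested in this thread.
HINTS = {
    "no-offer": "401 carried no 'WWW-Authenticate: Negotiate'; SPNego was not triggered",
    "missing": "browser ignored the challenge; check IWA and the Local Intranet zone",
    "ntlm": "browser fell back to NTLM; check the Kerberos ticket cache and clock skew",
    "kerberos": "browser sent a Kerberos token; look at the server side (UME user, logs)",
    "unknown": "Negotiate token not recognised; inspect it in a packet capture",
}

def classify_token(authorization):
    """Classify the Authorization header value of the browser's retry request."""
    scheme, _, blob = (authorization or "").strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "missing"  # header absent, or Basic/other scheme: no SPNego answer
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm"
    # GSS-API tokens start with tag 0x60; the Kerberos mechanism OID sits near the front.
    if raw[:1] == b"\x60" and KRB5_OID in raw[:64]:
        return "kerberos"
    return "unknown"

def diagnose(challenge_headers, retry_headers):
    """Both arguments are lists of (name, value) pairs copied from an HTTP trace."""
    offered = any(name.lower() == "www-authenticate"
                  and value.strip().lower().startswith("negotiate")
                  for name, value in challenge_headers)
    if not offered:
        return "no-offer"
    auth = next((v for n, v in retry_headers if n.lower() == "authorization"), None)
    return classify_token(auth)

# Constructed sample tokens (leading bytes only, not real tickets).
SAMPLE_NTLM = base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(24)).decode()
SAMPLE_KRB = base64.b64encode(bytes.fromhex("6082040006062b0601050502a0820010")
                              + KRB5_OID + bytes(32)).decode()

if __name__ == "__main__":
    challenge = [("WWW-Authenticate", "Negotiate")]
    for token in (None, "Negotiate " + SAMPLE_NTLM, "Negotiate " + SAMPLE_KRB):
        retry = [("Authorization", token)] if token else []
        print(HINTS[diagnose(challenge, retry)])
```

In a trace, an NTLM fallback is also recognisable by eye because the token begins with `TlRMTVNTUAAB`, the base64 form of the NTLMSSP signature.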

MG3
Contributor
0 Kudos

Hi

We recently had an intermittent issue with SSO from Windows to Portal. If you're facing a similar issue, it's worth checking if there have been any changes to the LDAP environment. In our case this blog helped us a lot:

http://weblogs.sdn.sap.com/cs/blank/view/wlg/21784

The best way, I feel, to deal with SPNego issue is, in addition to doing the basic checks suggested by others above, use tools like kerbtray, http watch/http analyzer, webdiagtool and wireshark.

Thanks

Manoj

Former Member
0 Kudos

Hi,

Check also if some users use Chrome web browser.

For SPNego, the web browser has to support it and be correctly configured for it (intranet, IWA activated, proxy exclusions, etc.).

Internet Explorer is the only web browser supported in my company, but even if the PCs are protected it is possible to use Firefox or Chrome from a USB key without installation.

As I could not prevent this, I had to detect the web browser used with the SAP web dispatcher and display an error page telling users to use the officially supported IE browser. Since then, there are far fewer SSO errors...

Regards,

Olivier