
How to log on with a different user when using SPNego

Former Member
0 Kudos

Hi

We have implemented SPNego as Windows Integrated Authentication - but how do we log off the portal to log on with another user?

Since the users are authenticated when logging on to the network from their client PC, the user will not be using the standard logon page. But when logging off the portal, the users are automatically redirected and logged back in to the portal.

I have created an HTML page which the users are redirected to by use of the ume.redirect.url. But how to log on to the portal again?

When entering the portal url - the users are once more directly logged in due to the SPNego configuration.

I need to develop a new logon page where the users are able to enter another uid and pw to enter the portal.

Regards

Kay-Arne

2 REPLIES 2

yonko_yonchev
Active Participant
0 Kudos

Hi Kay,

This could be possible, but with a workaround that goes against the idea behind integrated Windows authentication: you can try making the portal accessible from a DNS name that is not registered as a Service Principal Name (SPN) for the portal. You can then redirect user logoff to a URL with this DNS name.

The above should in effect break the Kerberos authentication (the SPNego login module will fail). So, the next thing you need to have is the BasicPasswordLoginModule in the ticket authentication stack. With appropriate login module ordering and configuration of the flags for the login modules, the authentication will proceed down the stack and call the BasicPasswordLoginModule, where the user can log on with different credentials.

Please note that this is a workaround, and if you go with this approach the portal will be accessible from at least two DNS names - one that is not registered as a KPN or an SPN and a few others that are. When the portal is called from the unregistered DNS name, users will always get a logon prompt (when you have basic authentication for fallback, of course).

Hope this helps.

Regards,

Yonko

Former Member
0 Kudos

Hi Kay-Arne,

Another option is to have an application on the portal server (servlet or JSP, not Web Dynpro) that uses a different logon stack (containing basic auth and logon ticket). In this case the user can simply use this application to log in via user ID and password and then proceed to the portal. The portal will see the logon ticket and not do a Kerberos auth (as the user was already authenticated).

Regards,

Patrick
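
The stack behaviour both replies rely on (SPNego failing through to BasicPasswordLoginModule, and an existing logon ticket short-circuiting Kerberos), as an added Python simulation of JAAS control flags that is not part of the original thread or SAP's code. The module order and flags, host names, users and passwords are assumptions constructed for illustration.

```python
# Added illustration: JAAS control-flag evaluation over a ticket login stack.
# ASSUMPTION: module order/flags below are not from the thread; hosts, users
# and passwords are constructed sample data.
REGISTERED_SPN_HOSTS = {"portal.example.com"}
USERS = {"otheruser": "s3cret"}

def evaluate_ticket(req, shared):
    if req.get("logon_ticket"):
        shared["user"] = req["logon_ticket"]
    return "user" in shared

def spnego(req, shared):
    # A client only gets a Kerberos service ticket for a host that has an SPN.
    ok = req["host"] in REGISTERED_SPN_HOSTS and "kerberos_user" in req
    if ok:
        shared["user"] = req["kerberos_user"]
    return ok

def basic_password(req, shared):
    uid, pw = req.get("basic", (None, None))
    ok = uid in USERS and USERS[uid] == pw
    if ok:
        shared["user"] = uid
    return ok

def create_ticket(req, shared):
    # Issues a logon ticket only if an earlier module authenticated a user.
    return "user" in shared

STACK = [
    ("EvaluateTicketLoginModule", evaluate_ticket, "SUFFICIENT"),
    ("SPNegoLoginModule", spnego, "OPTIONAL"),
    ("CreateTicketLoginModule", create_ticket, "SUFFICIENT"),
    ("BasicPasswordLoginModule", basic_password, "REQUISITE"),
    ("CreateTicketLoginModule", create_ticket, "OPTIONAL"),
]

def authenticate(req):
    """Return (user or None, names of the modules that were evaluated)."""
    shared, trace, mandatory_ok, any_ok = {}, [], True, False
    for name, module, flag in STACK:
        ok = module(req, shared)
        trace.append(name)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            mandatory_ok = False
        if (flag == "REQUISITE" and not ok) or (
                flag == "SUFFICIENT" and ok and mandatory_ok):
            break
    return (shared["user"] if mandatory_ok and any_ok else None), trace
```

Because the unregistered alias reaches the same user store through password authentication, it needs the same transport protection and lockout policy as any other password logon endpoint.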