Authentication with Web Access Management through Header variable

Former Member
0 Kudos

Hi All

We have configured an external Web Access Management product (reverse proxy, passthrough) for authentication to access our BI Java 7.0 application using a header variable. We have configured authschemes.xml and the UME properties.

When we try to access our BI Java 7.0 application, we get the error below:

" Cannot logon user defined in header variable"

Please help me with this if anyone has faced this type of issue.

Waiting for your fast immediate response on this

Thanks with Regards

Deelip Kumar

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Can you please check whether the user name in the header exists on the BI Java?

Look also for the hints <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/c5/2dfb40ee74f723e10000000a155106/frameset.htm">in the docs for Logon Failed</a>.

Regards,

Patrick

0 Kudos

Hi Patrick

Thanks for your reply

Yes, that ID exists in BI Java, but my BI Java is not connected to an ABAP backend system. Is backend system integration mandatory with BI Java to use header variable authentication?

When I deactivate the header variable, I am able to log in to my BI Java with the same ID. I have changed only authschemes.xml and the UME properties to authenticate by header variable. Do I need to make any other configuration?

Please reply

Thanks with Regards

Deelip Kumar

0 Kudos

Hi Deelip

Yes, you also have to adapt the logon module stack configuration. Please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm">docs about using header variables</a>.

regards,

Patrick

0 Kudos

Hi Patrick

Thanks for helping me....

I configured the below logon module stack in Visual Administrator (Policy Configuration ---> Authentication) but I am still getting the same error

BasicPasswordLoginModule REQUISITE {}

HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=usr_name}

Please suggest. Also, can you please send me your personal email ID so that I can send you the authschemes.xml file where I have made the changes?

Thanks with Regards

Deelip Kumar

0 Kudos

Hi Deelip,

your logon stack is incorrect. A full logon stack could look like the following:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

com.sap.security.core.server.jaas.HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=usr_name}

com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

You can find this example .

Regarding the parameters used above, please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/8c/f03541c6afd92be10000000a1550b0/frameset.htm">docs on Login Modules and Login Module Stacks</a>.

regards,

Patrick

0 Kudos

Hi Patrick

I made changes as suggested by you but I am still getting the same error. Below are the changes which I made in the authschemes.xml file

    <authscheme name="header">
        <authentication-template>
            header=usr_name
        </authentication-template>
        <priority>5</priority>
        <frontendtype>2</frontendtype>
        <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
    </authscheme>
    <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
    <authscheme name="anonymous">
        <priority>-1</priority>
    </authscheme>
    </authschemes>
    <!-- References for Authentication Schemes, this section must be after authschemes -->
    <authscheme-refs>
        <authscheme-ref name="default">
            <authscheme>header</authscheme>
        </authscheme-ref>
        <authscheme-ref name="UserAdminScheme">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
    </authscheme-refs>

Is the header=usr_name entry OK, or do we just need to leave header?

Please suggest, thanks for your help so far on this

Thanks with Regards

Deelip Kumar

0 Kudos

Hi Deelip,

the authentication-template is a reference to a login module stack name.

For header-based authentication I would recommend not to change the authschemes at all (as long as you do not want to achieve something special by this), only the ticket login module stack. If you really need to change the authschemes.xml, please check <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/d3/1dd4516c518645a59e5cff2628a5c1/frameset.htm">the example in the docs</a>.

Did you change the ticket login module stack ?

Regards,

Patrick

0 Kudos

Hi Patrick

I have a doubt on one thing: in Visual Administrator the below login module stacks are available,

· SAP-J2EE-Engine – this is a default configured login module stack that can be used by everyone.

· Basic – allows for Basic Authentication, supported by the Web container.

· Client – allows for client certificate authentication, supported by the Web container.

· Digest – allows for digest authentication, supported by the Web container.

· Form – allows for form authentication, supported by the Web container.

· Ticket – used for creating and verifying logon tickets.

· Evaluation assertion ticket – used for verifying assertion tickets (tickets used between systems).

I have selected SAP J2EE Engine and then defined the below Logon stack

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

HeaderVariableLoginModule REQUIRED {ume.configuration.active=true, Header=}

CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

I do not understand whether it is right or whether we should create a new policy under Policy Configuration and then define the above stack. Now I am also facing a problem in logging in to Visual Administrator

Please suggest

Thanks with Regards

Deelip Kumar

0 Kudos

Hi Deelip,

please read the docs. You configure the portal login stack being used by the authschemes.xml.

You should NEVER change the SAP-J2EE-Engine login stack, as this is being used by the VA.

The default login stack for the portal is called ticket. This is the one, which should have been changed and only this one.

There is a <a href="http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/17be8b32-0a01-0010-51bc-8fe5e11d204e">presentation on SDN</a> about that topic, which gives some background info. There is also <a href="http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/4849f574-0701-0010-0ea2-ef19dc792042">an e-learning about JAAS and how it works</a> on SDN.

regards,

Patrick

0 Kudos

Hi Patrick

This means I should select the "Ticket" login stack and make the changes, right?

Just for your info, right now we have not connected this portal to our backend system. I believe this is also not mandatory to test authentication through external WAM, right?

Please reply

I will try to configure the "ticket" login stack and provide the feedback

Thanks with Regards

Deelip Kumar

0 Kudos

Hi Deelip,

yes, you should only change the ticket login stack and nothing else.

No, the backend systems are not required to test header-based authentication.

Regards,

Patrick

0 Kudos

Hi Patrick

So I am going to add the login stack like below for the "ticket" logon stack

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

HeaderVariableLoginModule REQUIRED {ume.configuration.active=true, Header=usr_name}

CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

Is it OK, or do you want me to change something?

Thanks for your all help so far on this, really appreciate your help

Thanks

Deelip Kumar

0 Kudos

Hi Deelip,

if you want to be able to also log in using Basic Password, the stack should read:

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

HeaderVariableLoginModule <b>OPTIONAL</b> {ume.configuration.active=true, Header=usr_name}

CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

If not, you can also use

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

HeaderVariableLoginModule REQUISITE {ume.configuration.active=true, Header=usr_name}

CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

regards,

Patrick
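The difference between the REQUIRED, OPTIONAL and REQUISITE variants discussed above, as an added Python example that is not part of the original thread and not SAP's code: it applies the standard JAAS control-flag rules to the quoted stacks. The `evaluate` helper is hypothetical, and the rule that CreateTicketLoginModule succeeds only once an earlier module has identified the user is an assumption made for illustration.

```python
# Stacks quoted in the thread: (module, control flag), in configured order.
HEADER_REQUIRED = [  # header module REQUIRED, as first proposed for the ticket stack
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "REQUIRED"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]
# Same stack with the header module OPTIONAL, which keeps password logon possible.
HEADER_OPTIONAL = [(m, "OPTIONAL" if m == "HeaderVariableLoginModule" else f)
                   for m, f in HEADER_REQUIRED]
HEADER_ONLY = [  # header logon only, no password fallback
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def evaluate(stack, passing):
    """Apply the standard JAAS control-flag rules to a login module stack.

    passing: names of modules whose own check would succeed for this request.
    Assumption: CreateTicketLoginModule succeeds only if an earlier module
    already identified the user. Returns (login_ok, modules_run).
    """
    identified = needed_seen = needed_failed = optional_ok = False
    ran = []
    for module, flag in stack:
        ran.append(module)
        if module == "CreateTicketLoginModule":
            ok = identified
        else:
            ok = module in passing
            identified = identified or ok
        if flag in ("REQUIRED", "REQUISITE"):
            needed_seen = True
            if not ok:
                needed_failed = True
                if flag == "REQUISITE":
                    break  # a REQUISITE failure stops the stack at once
        else:
            optional_ok = optional_ok or ok
            if ok and flag == "SUFFICIENT" and not needed_failed:
                break  # a SUFFICIENT success stops the stack at once
    # All REQUIRED/REQUISITE modules must pass; with none configured,
    # at least one SUFFICIENT/OPTIONAL module must pass.
    return (not needed_failed) and (needed_seen or optional_ok), ran
```

With only a password available, the REQUIRED variant runs every module and still fails, while the OPTIONAL variant succeeds; with only the header available, the OPTIONAL variant stops at the first CreateTicketLoginModule and never asks for a password.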

0 Kudos

Hi Patrick

What do you mean by Login with Basic Password ??

Thanks with Regards

Deelip Kumar

0 Kudos

Authentication at the portal using username and password.

Regards,

Patrick

0 Kudos

Hi Patrick

I configured the login stack as suggested by you but still getting the same error

I have selected Authentication Template as "no" for the ticket logon stack, is it OK?

Can i attach here something, i want to attach the VA screen shot where i have done configuration

Thanks with regards

Deelip Kumar

0 Kudos

Hi Patrick

Below is HTTP Log

    [1173783268987][Mar 13, 2007 3:54:28 AM ] - CLIENT: 4608, REPLY:
    {}
    [1173783268987][Mar 13, 2007 3:54:28 AM ] - CLIENT: 4608, RESPONSE TIME: 46
    [1173783269519][Mar 13, 2007 3:54:29 AM ] - CLIENT: 4864, REQUEST:
    {POST /irj/portal HTTP/1.1
    Via: 1.1 https-sappldv1.cadence.com
    Proxy-jroute: Ls63
    Content-length: 48
    Content-type: application/x-www-form-urlencoded
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shock
    wave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application
    /msword, /
    Referer: http://sappldv1.cadence.com/irj/portal
    Accept-language: en-us
    Accept-encoding: gzip, deflate
    User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0
    .50727; .NET CLR 1.1.4322)
    Host: sappldv1.cadence.com
    Cache-control: no-cache
    User: deelips
    Role: excacc.CADUSR
    Locale: ja_JP
    Sessionid: SMS_cdsga70apd_7ac816::46651beea0706adc39c520dd72c3bd84
    Authmethod: UserPassword
    SCCRYPTICUSERID: edlepis
    Cookie: usr_name=deelips; AUTH_SESSION_ID=SMS_cdsga70apd_7ac816::46651beea0706ad
    c39c520dd72c3bd84; JSESSIONID=(J2EE15348100)ID1212035750DB11205774199674154851En
    d; saplb_*=(J2EE15348100)15348150; PortalAlias=portal
    Proxy-ip: 158.140.252.206
    login_submit=header&j_user=&j_authscheme=default}
    [1173783269552][Mar 13, 2007 3:54:29 AM ] - CLIENT: 4864, REPLY:
    {HTTP/1.1 200 OK
    Server: SAP J2EE Engine/7.00
    Content-Type: text/html; charset=UTF-8
    Content-Language: en-US
    Content-Encoding: gzip
    Date: Tue, 13 Mar 2007 10:54:29 GMT
    Transfer-Encoding: chunked
    Set-Cookie: PortalAlias=portal; Path=/

Please suggest

Thanks

Deelip

0 Kudos

Hi Deelip,

the header module can not use cookies but headers only. It seems that the header name really is User or SCCRYPTICUSERID. Please check your config.

Again please have a look at the e-learning and the docs. They do list the steps required pretty well.

First reset the system to do local authentication. If this works, you can start changing it.

Regards,

Patrick
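The header-versus-cookie check described above, as an added Python example that is not part of the original thread: it parses a captured request, separates real header fields from cookie values, and reports where the name configured in `Header=` actually appears. The sample request is constructed (modelled on the log above, with shortened values and an example host name), and `parse_request` and `locate` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on the request in the HTTP log above. The long
# Cookie line is wrapped onto a second line the way the log wraps it.
SAMPLE_REQUEST = """\
POST /irj/portal HTTP/1.1
Host: portal.example.com
User: deelips
Authmethod: UserPassword
Cookie: usr_name=deelips; AUTH_SESSION_ID=SMS_example::0123456789ab
cdef; PortalAlias=portal

login_submit=header&j_user=&j_authscheme=default
"""

HEADER_START = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$")

def parse_request(raw):
    """Return (headers, cookies); header names are lower-cased for lookup."""
    headers, last = {}, None
    for line in raw.splitlines()[1:]:       # skip the request line
        if not line.strip():
            break                           # blank line ends the header block
        match = HEADER_START.match(line)
        if match:
            last = match.group(1).lower()
            headers[last] = match.group(2)
        elif last:
            headers[last] += line           # wrapped continuation of the previous header
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return headers, cookies

def locate(raw, configured_name):
    """Say where the name configured as Header=<name> shows up in the request."""
    headers, cookies = parse_request(raw)
    if configured_name.lower() in headers:  # header field names are case-insensitive
        return "header"
    if configured_name in cookies:
        return "cookie-only"                # a cookie value is not a header field
    return "absent"
```

For the sample, `usr_name` is found only inside the Cookie header, while `User` is a header field of its own.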

0 Kudos

Hi Patrick

Is this configuration required at reverse proxy or web server ??

I am getting below error in security.log

"no loginmodules configured for Header"

Please suggest

Thanks

Deelip

0 Kudos

Hi Deelip,

I would recommend to get the help of a consultant in this case.

I can not explain everything here, this is not the purpose of this forum, sorry.

Get the system back into a running state by resetting the config. I would guess, you simply have a wrong authschemes.xml as already stated above in one of my posts.

Regards,

patrick

0 Kudos

Hi Patrick

Just for your information

When I deactivate the "header" authentication by changing the authschemes.xml file and use authentication as userid/password, then after entering userID/password for the external WAM, the portal logon page appears and I am able to log in with my portal user ID and password

So I do not understand whether the problem is at the reverse proxy configuration (this is configured by a different resource in my company) or at the portal level

Thanks

Deelip

0 Kudos

Hi Deelip,

in THIS configuration, where your password does work, please change the Ticket login module stack (and nothing else please).

Make sure, that you did activate the Header login module (see the docs and logs of the server, as outlined above and in the other post referenced above).

Based on the info you provided so far, the following stack should work:

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=User}

CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

BasicPasswordLoginModule REQUISITE {}

CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

regards,

Patrick

0 Kudos

Hi Patrick

Thanks for all your help on this. I am able to log in after making the changes, I mean setting "Header=User"

Thanks for all your help on this. Appreciate your fantastic support

Also, do I need to ask my resource who has configured the external Web Access Management to change anything, like he has used usr_name for the header?

Thanks

Deelip Kumar

0 Kudos

Hi Deelip,

your colleague may have added a cookie named usr_name. This is not necessary from an SAP point of view.

I'm not quite sure, what is required as I do not know enough to judge.

Regards,

Patrick

0 Kudos

Hi Patrick

One more request for help: as you know, we also use http://servername:Port #, in our case it is http://sapplev1.cadence.com:50100

So when I access any option from here, the Portal prompts me (with the Portal Logon page, as this is not configured for external authentication) to enter user ID and password. After entering my portal ID and password, it says "no loginmodules configured for header"

Why does the system mention a login module here, as we do not need external authentication to access this URL http://sapplev1.cadence.com:50100?

We have configured External authentication for URL http://sapplev1.cadence.com:50100/irj

Please guide me

Thanks

Deelip

0 Kudos

please check the authschemes.xml. Check for a section with the following:

<authentication-template>

header

</authentication-template>

Remove that authscheme.

regards,

Patrick

0 Kudos

Hi Patrick

Do you want me to comment these 3 Rows mentioned in your reply

Thanks

Deelip kumar

0 Kudos

Hi Patrick

I removed the below from the authschemes.xml file; now I am getting the error "UNKNOWN_ERROR" while entering my portal ID/password to access user management from the URL http://sapplev1.cadence.com:50100

    <authscheme name="header">
        <authentication-template>
            header
        </authentication-template>
        <priority>5</priority>
        <frontendtype>2</frontendtype>
        <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>

Also, after deleting the above, my external authentication gives the error below after entering user ID/password:

503 Service Unavailable

SAP J2EE Engine/7.00

Servlet [prt] will be unavailable for undefined time.

Details: javax.servlet.UnavailableException: Initialization of Dispatcher failed

Exception id: [00144F21A09C0065000000510000011A00042BA13F9F1A81

Please suggest

thanks with Regards

Deelip Kumar