
SPNego Wizard available for everybody


Dear experts!

We've found that the SPNego Wizard is available directly via the URL http://<hostname>:port/spnego and is not restricted by password.

Everybody who has a user account, even without any roles and permissions, can access the wizard page just by entering their password and make any changes, for example delete realms or the Keytab certificate.

Could you advise us how to close this hole?

Accepted Solutions (0)

Answers (1)


frank_kueppers
Explorer

Hello,

I suppose you are talking about SAP NetWeaver Java?

I could not reproduce your problem. If I log in with a simple user I get "You do not have permission to administrate SPNEGO".

Possibly the user has additional rights (see Identity Management: Assigned Roles and Assigned Groups), or the permissions within the default groups (Authenticated Users, Everyone) were changed.

That may also be the case if an LDAP/Active Directory is attached to the UME and an LDAP group the user is a member of (e.g. AD: "Domain Users") has some admin roles assigned.

You also get logged in "automatically" if you have already logged in with an administrator account in the NetWeaver Administrator (NWA) and open another NWA page (e.g. SPNego) in the same web browser. This works as designed.

Please check again.

Grüße / Kind regards,

Frank


Hello Frank,

I've created a new user for testing, without any roles and profiles, and even without any permissions I can manage this page; only this page is accessible for managing. For other pages like NWA, IRJ, etc., authorization is required, and this is strange.

We don't use an LDAP/AD database, only the ABAP store, so there is no AD impact on this issue.

frank_kueppers
Explorer

Hello Andrey,

Can you tell me your NetWeaver version, incl. Support Package and Patch Level?

Also the full version number of tc~sec~auth~spnego~wizard (part of LMNWABASICAPPS.SCA).

Is your installation a dual stack (ABAP and Java) or Java only?


Grüße / Kind regards,

Frank

Former Member

Hello,

I would suggest you open an incident with SAP Support.

Regards,

Tapan