
BO SSO not working using Apache Server as Reverse proxy

Former Member
0 Kudos

Hi,

We have configured SSO on BO and it is working fine. The BO deployment is in the corporate network. The customer wanted to set up an Apache Server in the DMZ in order to reach the BO system from any network other than the corporate one.

We have set up Apache Server as a reverse proxy with Tomcat following official SAP notes. This setup works fine with any authentication option on the logonNoSso.jsp login page. But when using SSO, Apache Server welcomes the user with an authentication box (MS Windows style). After filling in username and password (the problem is we don't want to fill in any authentication form since we implemented SSO authentication), the website does not load any content. We traced the authentication cycle, concluding it is successful.

So here are my questions:

  1. Is it possible to use SSO over a reverse proxy connection using Apache Server without being asked for an authentication form?
  2. Do we have to do any further configuration for Apache Server (connecting successfully to Tomcat on port 8080, not the AJP protocol)?

Thanks.

Accepted Solutions (0)

Answers (1)


former_member205064
Active Contributor
0 Kudos

Firstly, you have to create an SPN for the reverse proxy URL.

Secondly, create a browser setting.

Add the URL in the Local Internet and go to internet settings->local internet->Custom level

and select "Automatic logon for current username and password".

Let me know if it fixes your issue.

Former Member
0 Kudos

Hi Raunak,

I have followed your steps. Now I am getting a different error captured below.

former_member205064
Active Contributor
0 Kudos

Check the maxHTTPHeader value in server.xml of Tomcat.

Increase it to 65536, restart Tomcat and then check.

Former Member
0 Kudos

maxHTTPHeader is 65536. SSO without Apache Server is working.

Is there a chance that Apache Server truncates headers so authentication information cannot reach Tomcat?

former_member205064
Active Contributor
0 Kudos

Did you have an SPN created for the Apache Server? Also, do you have constrained delegation selected? In that case, add the SPN for the Apache server as well.

Former Member
0 Kudos

Hi,

The SPN for the Apache server was created after your first response.

The AD service account has constrained delegation selected with the Kerberos Only option.

The problem still occurs.

Thanks.

former_member205064
Active Contributor
0 Kudos

If that is the case, then everything seems fine from the BO configuration point.

You need to check with the Apache web server team; there is some setting which is not letting the request pass.

Run Fiddler for direct Tomcat SSO and Fiddler for Apache web server SSO; you will see what in the Apache server is causing the issue.

former_member189884
Contributor
0 Kudos

You may want to go ahead and trace the login attempt using Wireshark to see if the Kerberos process is correct and the SPNs being requested are present.

-Josh
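Added example, not part of the thread: a small Python helper for reading the Fiddler or Wireshark captures suggested above. Given one captured `Authorization` header line, it reports whether the browser sent a Kerberos (SPNEGO) token or fell back to NTLM, and whether the header is larger than a front-end limit. The function names and sample tokens are constructed for illustration, and the 8190-byte limit is httpd's default `LimitRequestFieldSize`, assumed here because the thread does not show the proxy's configuration.

```python
import base64

# DER-encoded mechanism OIDs found near the start of a SPNEGO token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIG = b"NTLMSSP\x00"
# Assumption: the proxy runs with httpd's default LimitRequestFieldSize.
APACHE_FIELD_LIMIT = 8190


def inspect_authorization(header_line, field_limit=APACHE_FIELD_LIMIT):
    """Classify one captured Authorization header line (hypothetical helper)."""
    name, _, value = header_line.partition(":")
    scheme, _, b64 = value.strip().partition(" ")
    size = len(header_line.encode("latin-1"))
    result = {"scheme": scheme, "mechanism": "none",
              "field_bytes": size, "exceeds_limit": size > field_limit}
    if name.strip().lower() != "authorization" or scheme.lower() not in ("negotiate", "ntlm"):
        return result
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        result["mechanism"] = "undecodable"
        return result
    head = token[:64]  # the mechType list sits at the front of the token
    if token.startswith(NTLM_SIG):
        result["mechanism"] = "ntlm"        # raw NTLM: no Kerberos ticket was sent
    elif head[:1] == b"\x60" and OID_KRB5 in head:
        result["mechanism"] = "kerberos"    # SPNEGO offering a Kerberos ticket
    elif OID_NTLM in head or NTLM_SIG in token:
        result["mechanism"] = "ntlm"        # NTLM wrapped in SPNEGO
    else:
        result["mechanism"] = "unknown"
    return result


def sample_header(token):
    return "Authorization: Negotiate " + base64.b64encode(token).decode()


# Constructed samples (not valid tickets): only the leading bytes and size matter.
KRB_SAMPLE = sample_header(b"\x60\x82\x23\x47" + OID_SPNEGO + b"\xa0\x82\x23\x3b"
                           + b"\x30\x82\x23\x37\xa0\x0d\x30\x0b" + OID_KRB5 + b"\x00" * 9000)
NTLM_SAMPLE = sample_header(NTLM_SIG + b"\x01\x00\x00\x00" + b"\x00" * 24)

if __name__ == "__main__":
    for line in (KRB_SAMPLE, NTLM_SAMPLE):
        print(inspect_authorization(line))
```

A result of `ntlm` on the proxied URL while the direct Tomcat URL yields `kerberos` suggests the browser could not obtain a Kerberos ticket for the proxy host name; `exceeds_limit` being true means the header is larger than the assumed front-end limit even though Tomcat accepts 65536 bytes.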