on 04-09-2007 9:41 PM
Hello,
We have a BSP running inside the portal and expects authentication.
When I run this BSP using the portal regular address everything is working OK and SSO is working after logging into the portal.
At next step, we have configured an alias for the portal URL at the DNS Server.
When activating the BSP from the alias URL it asks for 2nd authentication. Meaning, SSO is not working after logging into the portal.
I have activated an HTTP trace in order to see why and it seems like when running it from the alias name it recognizes it as a different domain and I assume this is why the authentication is coming up.
I would like to suppress this for the alias URL but don't know how.
I found this UME property on the server: ume.logon.security.relax_domain.level
This UME property controls the amount of sub domains to remove from the server name to obtain the domain for which the logon ticket is valid.
I have changed this property from its default value 1 to 3 (and restarted the server of course) which, in our case, leaves only ourCompany.com for the ticket in the original server URL. Yet, the authentication pop-up is still not suppressed when browsing through the alias URL.
Any idea what I can do next?
Thanks,
Roy
Hello,
Is it possible for you to trace the problem with an HTTP analyzer tool, like HTTPWatch or HTTPLook? If yes, you can see whether the ticket was sent to the backend ABAP system at all. If it was sent, then the ticket of the portal is not accepted.
If it is not sent, then the domain relaxation is still not deep enough yet.
Please tell me your findings.
Best regards,
Dezso
Hello Roy,
When the first request is sent to the BSP application, the return code will be 401 /* This is why the pop-up is displayed */. Please check the cookies sent with this request. Do you see the MYSAPSSO2 cookie sent?
Do you see a cookie named: sso-list in the response of the server?
Best regards,
Dezso
Hi Dezso,
I found the 401; let me know if I am looking at it right:
I have an entry node with two subnodes: request and response.
The response has:
<responseStatus>HTTP/1.1 401 Unauthorized</responseStatus>
And the request before that doesn't have any MYSAPSSO2 in it, all it has which is related to cookies is this:
<header name="Cookie">UserUniqueIdentifier=1174345919524; alreadyLogged=1179560552416</header>
...
<cookies>
<cookie name="alreadyLogged">1179560552416</cookie>
<cookie name="UserUniqueIdentifier">1174345919524</cookie>
</cookies>
Can you advise what to do next?
Dear Roy,
It seems the backend system does not receive an SSO2 cookie, so there is no information to authenticate the user.
Can you please look for an occurrence of the cookie MYSAPSSO2? Please check the domain it is valid for, and make sure this domain matches the domain of your backend R/3 system.
Best regards,
Dezso
To whom it may interest, problem solved: My relaxation was "too relaxed".
I set it to be valid to .com domain which is a root domain and therefore rejected by the browser. Instead, it needs to be at least myCompany.com or more...
Also this property calculation is being done according to the alias URL and not the server actual one...
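Added example (not part of any post in this thread and not SAP code): a small Python model of the domain relaxation discussed above, showing why one relax level can work on the original host yet yield a bare root domain on a shorter alias. The hostnames, the public-suffix set and all function names are assumptions; the label-dropping rule follows the property description quoted in the first post.

```python
# Added illustration. Hostnames and the suffix set below are constructed.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # tiny stand-in for the Public Suffix List

REJECTED = "rejected by browser (root/public-suffix domain)"
NOT_SENT = "stored, but not sent to backend (domain too narrow)"
SENT = "sent to backend"


def ticket_domain(host: str, relax_level: int) -> str:
    """Drop `relax_level` leading labels from the host name the browser used."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[relax_level:])


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: identical, or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def diagnose(portal_host: str, backend_host: str, relax_level: int) -> str:
    """Would a ticket cookie issued via portal_host reach backend_host?"""
    domain = ticket_domain(portal_host, relax_level)
    if not domain or domain in PUBLIC_SUFFIXES:
        return REJECTED          # "too relaxed": browser discards the cookie
    if not domain_match(backend_host, domain):
        return NOT_SENT          # relaxation not deep enough for the backend
    return SENT


def usable_levels(portal_host: str, backend_host: str) -> list[int]:
    """All relax levels for which the ticket would reach the backend."""
    count = len(portal_host.rstrip(".").split("."))
    return [lvl for lvl in range(count)
            if diagnose(portal_host, backend_host, lvl) == SENT]


if __name__ == "__main__":
    backend = "abap.ourcompany.com"                  # constructed backend host
    original = "portal01.dc1.intra.ourcompany.com"   # constructed original host
    alias = "portal.intra.ourcompany.com"            # constructed DNS alias
    for host in (original, alias):
        for lvl in range(1, 4):
            print(host, lvl, ticket_domain(host, lvl), "->",
                  diagnose(host, backend, lvl))
        print("usable levels:", usable_levels(host, backend))
```

Because the calculation runs on the host name in the request, the level has to be chosen against every name users reach the portal by, not just the server's own name.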
Hi,
In profile parameter check the SSO Parameter (In T-Code RZ10, Instance profile).
For more information, refer to this link.
http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/b7d53ae8ab9248e10000000a114084/frameset.htm