
SSO is not working for an Alias URL but is working for original portal URL

Former Member
0 Kudos

Hello,

We have a BSP running inside the portal that expects authentication.

When I run this BSP using the portal regular address everything is working OK and SSO is working after logging into the portal.

As the next step, we configured an alias for the portal URL at the DNS server.

When activating the BSP from the alias URL, it asks for a second authentication. Meaning, SSO is not working after logging into the portal.

I have activated an HTTP trace in order to see why and it seems like when running it from the alias name it recognizes it as a different domain and I assume this is why the authentication is coming up.

I would like to suppress this for the alias URL but don't know how.

I found this UME property on the server: ume.logon.security.relax_domain.level

This UME property controls the amount of sub domains to remove from the server name to obtain the domain for which the logon ticket is valid.

I have changed this property from its default value 1 to 3 (and restarted the server of course) which, in our case, leaves only ourCompany.com for the ticket in the original server URL. Yet, the authentication pop-up is still not suppressed when browsing through the alias URL.

Any idea what I can do next?

Thanks,

Roy

Accepted Solutions (0)

Answers (2)

former_member191062
Active Contributor
0 Kudos

Hello,

Is it possible for you to trace the problem with an HTTP analyzer tool, like HTTPWatch or HTTPLook? If yes, you can see whether the ticket was sent to the backend ABAP system at all. If it was sent, then the ticket of the portal is not accepted.

If it is not sent, then the domain relaxation is still not deep enough yet.

Please tell me your findings.

Best regards,

Dezso

Former Member
0 Kudos

Rakesh,

The login/accept_sso2_ticket is set to 1. Also, if the configuration wasn't correct there the SSO wouldn't have worked without the Alias as well.

Dezso,

I have activated an HTTP Trace and I have the results in hand.

Can you please guide me where should I see it?

Thanks,

Roy

former_member191062
Active Contributor
0 Kudos

Hello Roy,

When the first request is sent to the BSP application, the return code will be 401 /* This is why the pop-up is displayed */. Please check the cookies sent with this request. Do you see the MYSAPSSO2 cookie sent?

Do you see a cookie named: sso-list in the response of the server?

Best regards,

Dezso

Former Member
0 Kudos

Hi Dezso,

I found the 401; let me know if I am looking at it right:

I have an entry node with two subnodes: request and response.

The response has:

<responseStatus>HTTP/1.1 401 Unauthorized</responseStatus>

And the request before that doesn't have any MYSAPSSO2 in it, all it has which is related to cookies is this:

<header name="Cookie">UserUniqueIdentifier=1174345919524; alreadyLogged=1179560552416</header>
...
<cookies>
<cookie name="alreadyLogged">1179560552416</cookie>
<cookie name="UserUniqueIdentifier">1174345919524</cookie>
</cookies>

Can you advise what to do next?

former_member191062
Active Contributor
0 Kudos

Dear Roy,

It seems the backend system does not receive an SSO2 cookie, so there is no information to authenticate the user.

Can you please look for an occurrence of the cookie MYSAPSSO2? Please check the domain it is valid for, and make sure this domain matches the domain of your backend R/3 system.

Best regards,

Dezso

Former Member
0 Kudos

Hi Dezso,

The domains are not the same; this is why I used the relaxation property.

Is there any way to check which subdomains the issued MYSAPSSO2 is valid for?

Roy

Former Member
0 Kudos

For anyone interested, problem solved: my relaxation was "too relaxed".

I set it to be valid for the .com domain, which is a root domain and therefore rejected by the browser. Instead, it needs to be at least myCompany.com or more...

Also, this property calculation is done according to the alias URL and not the server's actual one...

Former Member
0 Kudos

Hi,

In the profile parameters, check the SSO parameter (in T-Code RZ10, instance profile).

For more information, refer to this link.

http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/b7d53ae8ab9248e10000000a114084/frameset.htm