on 05-18-2015 9:22 PM
All,
We have all the settings needed for SPNego on ABAP. I don't want to go into them here, but as the discussion moves forward I can explain all that!
SOMETIMES.....SOMETIMES when trying to log in via NWBC / WEBGUI and CRM ICWEB, users are presented with login screens.
When NWBC/WEBGUI presents a login screen, it's the typical login screen you would see as if no SSO was set up.
And if I refresh the URL a few times, I will end up getting in without actually putting in any user/pass.
When they see the ICWEB login screen, it's really just a pop-up in the browser, saying "Windows Security" (at the top). Then, in the window, it says:
"The server myCRMhostname.MyDomain.com at SAP Netweaver Application server [SID/CLIENT] requires a username and password."
Then you see a box for the username/password.
Again, just hit 'cancel' a few times and you will get in....
Sooooo strange. SSO will work great for all users across all PCs for a few hours at a time. Then it will stop working and we'll get those errors I noted above.
I've done TONS of research on this. I highly suspect our Microsoft AD network...KDC has a problem, but I know nothing about that side of the house.
There are a few notes out in SAP, and threads out of Google searches, that talk about how the KDC, instead of sending a Kerberos token, will send something called an NTLM token. And when that happens, you can't log in. But it all comes down to why/how the Kerberos KDC is sending that.
How do you prove / disprove that the KDC is sending a Kerberos token (or an NTLM token) from an SAP ABAP perspective?
Or how else could I effectively trouble-shoot this issue?
I really believe that NW SSO could be great for our environment, but because of all these moving parts it is proving very difficult to troubleshoot when it breaks.
Thanks
NICK
I think we finally figured this out. Note 1732610, Section 2.2 mentions a little blurb about the importance of the "local intranet zone". For us, it was the exact opposite: once I took the hostname OUT of the zones, we have worked just fine. Our company has a policy setting, so no users can alter what goes in these zones. Unfortunately, that wasn't as consistent across all users as I was told.
But again, once we cleaned up those entries we have not had the problem.
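Added example, not part of the original thread: one way to check whether a failing request carried a Kerberos or an NTLM token is to classify the `Authorization` header value the browser sent, since a raw NTLM message starts with the `NTLMSSP` signature and a SPNEGO token starts with byte 0x60 followed by mechanism OIDs. It assumes the header value was copied from a browser or proxy HTTP trace; the function name and the sample tokens are constructed for illustration and are truncated headers, not real tickets.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                               # raw NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS variant)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'unknown' or 'not-negotiate' for one header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(NTLMSSP):          # NTLM sent without a SPNEGO wrapper
        return "ntlm"
    if raw[:1] != b"\x60":               # not a GSS-API initial context token
        return "unknown"
    head = raw[:96]                      # the mechanism list sits at the front
    krb = min((head.find(o) for o in KRB5_OIDS if o in head), default=-1)
    ntlm = head.find(NTLM_OID)
    # The first mechanism listed is the one the attached token belongs to.
    if krb != -1 and (ntlm == -1 or krb < ntlm):
        return "kerberos"
    if ntlm != -1 or NTLMSSP in raw:
        return "ntlm"
    return "unknown"


def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample headers (length fields are not meaningful).
SAMPLE_NTLM = _hdr(NTLMSSP + bytes.fromhex("01000000078208a2") + bytes(16))
SAMPLE_KRB = _hdr(b"\x60\x82\x05\x00" + SPNEGO_OID + b"\xa0\x82\x04\xf0\x30\x82\x04\xec"
                  + b"\xa0\x18\x30\x16" + KRB5_OIDS[1] + KRB5_OIDS[0] + bytes(32))
SAMPLE_WRAPPED_NTLM = _hdr(b"\x60\x40" + SPNEGO_OID + b"\xa0\x36\x30\x34\xa0\x0e\x30\x0c"
                           + NTLM_OID + b"\xa2\x22\x04\x20" + NTLMSSP + bytes(24))

if __name__ == "__main__":
    for name in ("SAMPLE_NTLM", "SAMPLE_KRB", "SAMPLE_WRAPPED_NTLM"):
        print(name, "->", classify_authorization(globals()[name]))
```

Running this over the headers from a session that got the login prompt and one that did not shows whether the two differ in token type.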