
Issue with SPNEGO if SAP and Browser are on the same host (NTLM issue)

Colt
Active Contributor
0 Kudos

Hi Experts,

Has any of you ever experienced the issue with SPNEGO SSO where the browser is executed on the SAP host itself?

In my case I have to prepare a training where I only have one single server for my students and I would like to set up SPNEGO for ABAP and Java.

I have configured both correctly (pretty sure) and in the ICM traces I am able to see HTTP 401 Negotiate is triggered by AS ABAP and Java.

In the Java traces I can see "NTLM token received in authorization header"

Does anyone know how to cure the Internet Explorer from doing NTLM?

Thanks!!!!

Cheers,

Carsten

Accepted Solutions (1)


0 Kudos

Dear Carsten,

Please see "Are the client and server on the same box?" under the link below.

https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails...

The issue is described in MS's knowledge base with possible solutions. https://support.microsoft.com/en-us/kb/896861

Best regards,
Ning

Colt
Active Contributor
0 Kudos

SPNEGO where the client and the server are on the same host does not work. Fact is: Kerberos is not enabled in this configuration and a hard coded loopback check will always force usage of NTLM in this scenario.

Update: Method 1 and 2 as described in https://support.microsoft.com/en-us/kb/896861 did not help.

Workaround: see my post above

Solution1: use a different client

Solution2: create an additional DNS entry for the system and SPN pointing to that name.

(But this is not possible in my scenario as I have only limited access to AD environment, unfortunately)
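To check which mechanism a browser actually offered, as with the "NTLM token received in authorization header" trace in this thread, the value of the `Authorization: Negotiate` header can be classified from its leading bytes. The following is an added example, not part of the original thread or of any SAP tool; the function names and both sample headers are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs that can appear in a Negotiate token
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos",  # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("2b06010401823702020a"): "NTLM",    # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2

def read_tlv(buf, pos, want):
    """Check the DER tag at pos; return (value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length

def classify(header_value):
    """Return 'Kerberos', 'NTLM', 'unknown' or 'malformed' for an Authorization value."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):   # raw NTLM message, no SPNEGO wrapper
            return "NTLM"
        pos, _ = read_tlv(tok, 0, 0x60)      # GSS-API InitialContextToken
        pos, end = read_tlv(tok, pos, 0x06)  # mechanism OID
        if tok[pos:end] != SPNEGO:
            return MECHS.get(tok[pos:end], "unknown")
        pos = end
        # NegTokenInit -> SEQUENCE -> mechTypes [0] -> SEQUENCE -> first (preferred) OID
        for tag in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            pos, end = read_tlv(tok, pos, tag)
        return MECHS.get(tok[pos:end], "unknown")
    except (ValueError, IndexError):
        return "malformed"

# Constructed samples: an NTLM type 1 message, and a SPNEGO NegTokenInit
# cut down to its mechTypes list (a real one also carries the Kerberos ticket)
NTLM_HDR = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)).decode()
KRB_HDR = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202"
    "060a2b06010401823702020a")).decode()

if __name__ == "__main__":
    for hdr in (NTLM_HDR, KRB_HDR):
        print(classify(hdr), hdr[:40])
```

A base64 value beginning with `TlRMTVNTUA` is the `NTLMSSP` signature, so the NTLM case can also be spotted by eye in an HTTP trace.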

0 Kudos

Thanks for sharing your workarounds.

Answers (1)


Colt
Active Contributor
0 Kudos

Workaround:

If I configure Local Intranet Zone for "Prompted Auth"

I see the following popup if connecting to a SAP web AS:

There I am able to enter an AD username and password and I am successfully logged in.

Is there a better way?

Carsten