Application Development Discussions
NTLM Issue!

Former Member
0 Kudos

Hey Everybody,

Does anybody remember how we can stop NTLM showing up when we launch the Portal?

When our users log in to the Portal internally they just see the Portal login page, but when they log in from outside our network they see NTLM first, and after cancelling that they see the Portal login page. Any idea how we can stop NTLM from showing up, without making changes in the user's browser?

We are on EP6 SP15.

Thanks,

Maryam

27 REPLIES

tim_alsop
Active Contributor
0 Kudos

Maryam,

From your explanation it looks like you haven't configured any SSO solution for access to the portal, and you are accessing it on your intranet and using an SAP userid+password to log on to the portal. Is this correct?

Can you confirm what your ticket login stack looks like in NetWeaver? Are you using the BasicPasswordLoginModule? Are any other login modules configured?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Actually, we do have Kerberos SSO and SPNego, and the internal users are different from the external users, but both log in to the same portal (we don't separate the internal from the external Portal).

As I'm new to this environment, do me a favor and tell me how I can find out the answers to your questions.

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

Since you have now told me you are using SPNEGO and Kerberos, some of the information I asked for previously is not needed anymore. Thank you.

First let me explain why you are getting the popup signon screen at browser:

The web browser is configured for IWA (Integrated Windows Authentication), which means it will use either Kerberos or NTLM via the Negotiate protocol (aka SPNEGO). On the server you are using the SAP SPNEGO login module, which only supports SPNEGO with Kerberos tokens, and not SPNEGO with NTLM tokens. Your browser cannot send a Kerberos token since there are no Kerberos credentials on the workstation when the user is external/not on the intranet. Instead, the browser sends the NTLM token, which the SAP server doesn't like, so it is rejected; the browser just knows the user is trying to authenticate, and displays its default logon screen as a popup.

When you see the popup signon screen displayed by the browser you cannot enter any valid userid and password into this screen, because there is no code on the SAP server waiting to check whether this userid and password are correct. So, you need to press cancel and allow SAP to show the default logon screen in the browser after you see the popup signon screen.

Hopefully the above info explains why you are getting the popup signon screen?

The solution:

You could add a Kerberos login module (available from a vendor called CyberSafe) to your ticket stack (configured using SAP Visual Administrator) so that a user can enter a valid Active Directory account/principal name and password in the SAP signon screen displayed, instead of a SAP user and password normally entered in this screen. If you configure this login module as a fallback login module, when the SPNEGO login module fails to authenticate the user (e.g. when they are not on Intranet) the fallback login module will be invoked, authenticating the user. Then an SSO2 ticket will be issued by SAP for SSO purposes. If you do this, the browser will not get confused when the NTLM token is not accepted by the server SPNEGO login module.

Please let me know if you have any questions. I appreciate that some of this might be confusing, so please ask if it is not clear.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Thanks a lot for your answer; you found the problem right, I appreciate it. But to apply the solution we do have a problem: we already have a database for our external users, not an Active Directory. Is it going to work? Where can I download this login module? Is this the right address (http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html)? How can I apply it in Visual Admin?

Again Thanks for your responses,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

I am pleased I can help you in some way.

Can you tell me more about your database of external users? Do you know more about how your external users are authenticated to the portal using this external database?

I have come across companies before that have separate authentication of external users, and they often use an authentication server running in the DMZ, and use the HTTP Header Login Module in SAP to determine the user from a variable in the HTTP header. Is this the case with your setup? I need to know this to help you, since if you are using this method of logon a Kerberos login module like I suggested is not going to help.

When I mentioned the Kerberos login module, I was not referring to the one available from SUN. I was referring to one provided by my company (CyberSafe) as a commercially available and supported product. It is in many ways better than the one provided by SUN and I don't even know if the SUN login module will work with SAP - probably not. Anyway, as mentioned in paragraph above it is likely that you don't need any Kerberos login module to solve your specific problem.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Again, thanks for your response. We use the UME to store our external users.

What do you think we should do now?

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

Thank you for the information regarding your external users.

To make sure I am clear - can you confirm my understanding:

For external users you display the SAP logon screen and the user enters userid+password, and SAP checks this against UME to see if the user's password is correct. Can I assume that UME is configured to use an ABAP user store, or is it using LDAP to access a user store in an LDAP directory, for password checking ?

For internal users you use SPNEGO/Kerberos so that users are authenticated against Active Directory when they logon to their workstation, and the Kerberos credentials are used to authenticate them to SAP portal. Is this correct ?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Actually, you are right about this part:

"For external users you display the SAP logon screen and the user enters userid+password, and SAP checks this against UME to see if the user's password is correct"

But we do have our users just in UME database, no ABAP no LDAP.

I believe SPNEGO/Kerberos is going to authenticate the users no matter whether the user is external or internal.

I hope this is going to help you to let us know what's the next step for us to solve the issue.

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

> I believe SPNEGO/Kerberos is going to authenticate the users no matter the user is external or internal.

Actually, SPNEGO/Kerberos will only be able to authenticate the user when they log on to SAP if the workstation they are using with the browser installed is joined to the Active Directory domain, they have logged on to a domain account, and the workstation has a network connection to the Active Directory domain controllers when they use the browser to log on to SAP. If all these conditions are true, then SPNEGO/Kerberos will work, so for your external users I am assuming this is not the case. Can you confirm, please?

> I hope this is going to help you to let us know what's the next step for us to solve the issue.

I think I am getting closer to understanding your current implementation so that I can explain how to solve the problem. Thank you for your patience.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

I really appreciate your help and time, no doubt on it!

About the "SPNEGO/Kerberos will only be able to authenticate the user when they logon to SAP" you are right, but I guess that no matter what, every time a user hits this URL SPNEGO/Kerberos is functioning and checks the user's authentication: if it's from the same domain it goes for authentication, otherwise (it's our issue) it's calling NTLM. Am I right? If I'm right, this is the place where we have to stop calling NTLM.

Again Thank you so much for your time and effort,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

I will try and explain again.

This is an over-simplified explanation, and so is not 100% complete, but it shows the important steps to help you understand the issue:

1. The browser on the remote user's computer connects to your SAP system.

2. Your SAP system is configured to use SPNEGO/Kerberos, so it asks the browser for an authentication token.

3. The browser is unable to get a Kerberos ticket to create a token, since the workstation is not logged on to a domain account and/or the browser cannot contact the domain controller to get tickets. So, the browser falls back to using NTLM instead of Kerberos and sends an NTLM token.

4. Your SAP system is not configured to handle the NTLM token since your login module does not support NTLM, so the login fails in the SAP system and finishes.

5. The browser is expecting a response from SAP after it sent the NTLM token, and the response it gets indicates authentication is still required, so it displays the default browser signon screen. This signon screen is not going to function since SAP is not waiting for the userid and password entered in this screen.

So, to stop the browser showing the signon screen you need to use a login module which supports NTLM, or configure a fallback to a login module which will allow remote users to log on. Since you are using the user store in the Java system via UME for remote users, you need to configure the BasicPasswordLoginModule as a fallback, so that if the SPNEGO login module is unable to recognise the NTLM token it receives it will fall back to using another login module (BasicPasswordLoginModule).

First I think we need to check your ticket stack configuration. To do this, please:

1. On your SAP J2EE Engine system (portal?), navigate to your /usr/sap/<SID>/DVEBMGS00/j2ee/admin directory and run the script in this directory to launch the Visual Administrator tool, then log in.

2. In Visual Admin, on the left side you will be able to see Services under the Server node. In Services, scroll down to find "Security Provider".

3. Now on the right you will see a list of various components. Near the top (about the 6th line down) you will see a component called "ticket". Please select ticket.

4. On the right side of the screen you will see a list of login modules with various flags and options. Can you let me know what they are set to?

Thanks,

Tim
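The five-step exchange above, as an added example that is not part of this thread or of any SAP or CyberSafe code: a Python classifier that tells, from the `Authorization: Negotiate` header a browser sends, whether it carries a Kerberos token or the NTLM token the SAP SPNEGO login module rejects, plus a model of the fallback decision. The `logon_decision` function, the `read_tlv`/`neg_token_init` helpers and the sample tokens are all constructed here; the Kerberos sample carries a placeholder instead of a real AP-REQ.

```python
import base64

# Well-known OIDs as raw DER content bytes.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # prefix of every bare NTLM message
MECH_NAMES = {KRB5_OID: "spnego-kerberos", MS_KRB5_OID: "spnego-kerberos", NTLMSSP_OID: "spnego-ntlm"}
def read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER element at pos, insisting on `tag`; returns (value, next_pos)."""
    got, length, pos = buf[pos], buf[pos + 1], pos + 2
    if got != tag:
        raise ValueError(f"expected tag {tag:#x}, got {got:#x}")
    if length & 0x80:                               # long-form length; real Kerberos tokens need it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def classify_negotiate_token(header_value: str) -> str:
    """What the browser really put into 'Authorization: Negotiate <base64>'."""
    try:
        token = base64.b64decode(header_value.partition(" ")[2], validate=True)
        if token.startswith(NTLMSSP_SIGNATURE):     # bare NTLM type 1, no SPNEGO wrapper at all
            return "ntlm-raw"
        body, _ = read_tlv(token, 0, 0x60)          # GSS-API InitialContextToken
        oid, pos = read_tlv(body, 0, 0x06)
        neg, _ = read_tlv(body, pos, 0xA0)          # [0] NegTokenInit (first leg only)
        seq, _ = read_tlv(neg, 0, 0x30)
        mech_types, _ = read_tlv(seq, 0, 0xA0)      # [0] mechTypes
        oid_list, _ = read_tlv(mech_types, 0, 0x30)
        first_mech, _ = read_tlv(oid_list, 0, 0x06)  # the optimistic mechToken belongs to this mech
    except (ValueError, IndexError):                # not base64, truncated, or not the DER we expect
        return "unknown"
    return MECH_NAMES.get(first_mech, "unknown") if oid == SPNEGO_OID else "unknown"
def logon_decision(header_value: str) -> str:
    """Model of the fallback: only a Kerberos token is handed to SPNEGO validation; anything else goes to the form logon."""
    # Answering with another 'WWW-Authenticate: Negotiate' challenge is what makes the browser show its own popup.
    if classify_negotiate_token(header_value) == "spnego-kerberos":
        return "validate-kerberos-token"
    return "show-logon-page"
# Constructed sample tokens (not captured traffic); all under 128 bytes, so short-form lengths suffice.
def der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body
def neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    seq = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, seq))
def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
RAW_NTLM_HEADER = negotiate_header(NTLM_TYPE1)                                    # what the browsers in this thread send
SPNEGO_NTLM_HEADER = negotiate_header(neg_token_init([NTLMSSP_OID], NTLM_TYPE1))   # NTLM wrapped in SPNEGO
SPNEGO_KRB_HEADER = negotiate_header(neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<placeholder AP-REQ>"))
```

A bare NTLM fallback is easy to spot in server logs because the header always starts with `Negotiate TlRMTVNTUAAB`; counting those against the form-logon redirects shows how many remote users are hitting the popup.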

Former Member
0 Kudos

Hi Tim,

This is the setting:

1. Login Module: Com.sap.security.core.server.jass.EvaluateTicketLoginModule
Flag: Sufficient
Options: {UME.configuration.active=true, trustediss1=CN=QMC, trusteddn1=CN=QMC, trustedsys1=QMC,010}

2. Login Module: SPNegoLoginModule
Flag: OPTIONAL
Options: {com.sap.spnego.uid.resolution.mode=prefixbased, com.sap.spnego.uid.resolution.attr=kpnprefix, com.sap.spnego.jgss.name...

3. Login Module: Com.sap.security.core.server.jass.CreateTicketLoginModule
Flag: Sufficient
Options: {UME.configuration.active=true}

4. Login Module: BasicPasswordLoginModule
Flag: Requisite
Options: {}

5. Login Module: Com.sap.security.core.server.jass.CreateTicketLoginModule
Flag: OPTIONAL
Options: {UME.configuration.active=true}

6. Login Module: SAMLLoginModule
Flag: Sufficient
Options: {AcceptedAuthenticationMethods=*,Mode=Standard}

Thanks for your help,

Maryam

Edited by: Maryam Vatandoust on Feb 15, 2008 5:01 PM

tim_alsop
Active Contributor
0 Kudos

Maryam,

Can you please confirm the exact version of SAP NetWeaver your portal is running on, including the patch level of the J2EE engine?

The login module stack looks OK, since BasicPasswordLoginModule is set as a fallback when SPNEGO fails, but clearly something is confusing the browser.

Can you confirm whether this problem occurs for all users, or just some of them? Does it occur all the time?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

We are on EP6 SP17 and unfortunately this issue happens for all of our external users every time they log in.

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

Thank you.

I will do some more research and get back to you later.

Tim

Former Member
0 Kudos

Thanks Tim!

tim_alsop
Active Contributor
0 Kudos

Maryam,

I have set up a test environment to test the same scenario you have, and when I log on from a computer which is not joined to the Active Directory domain, accessing the network where SAP is installed via a VPN, I get the SAP logon screen in the browser as expected and don't get any browser popup signon screen for NTLM logon. I tried with the IE7 and Firefox web browsers. I am using NetWeaver 2004s SP9.

My test environment uses the login modules which our company provide to SAP customers, and which I support. If you were using these same login modules I could provide you with more support on this issue, but I am afraid it has got to a point where I need to ask if you can open a message with SAP and get SAP to assist you with this problem. That is unless somebody else on SDN can help you with SAP login modules ?

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

Thanks a lot for all your help, and I'm going to give you the max points for your help, but just one question.

I'm just wondering about another way: do you think it is possible that we make changes to the "authschem" value for LOGON PAGE in the Portalapp.xml file in the com.sap.portal.runtime.logon folder, or make changes to the Authschem.xml file and make the "Basicauthentication" priority less than the "uidpassword" priority?

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

Thank you, I hope I have been of some assistance, even though you don't yet have a solution.

Regarding authscheme.xml: if you change this, the portal logon will be affected for all users, regardless of whether they are internal or external, so I doubt it will fix anything. From experience I have found the best way to solve these kinds of problems is to fix the login module so that fallback works correctly, or change the configuration of the ticket stack if it is wrong (in your case this looks OK). I suspect the version of SAP software you are using is the cause, so you either need to get SAP to help you fix it, upgrade to a later version, or use a login module like the one sold by my company (CyberSafe) that I have confirmed works in the scenario you have.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Actually, I really want none of my users to see the NTLM login screen, but the other thing is: how much is your company's login module, and should I apply it just on the server or on the clients as well?

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

I understand what you need, and this is what I tested using our products. There is no need to install any software on each workstation or browser, just in NetWeaver.

If you contact me offline using the email address in my SDN business card I will give you a price quote. I cannot provide that kind of information via SDN.

Thanks again,

Tim

Former Member
0 Kudos

Hi Tim,

As you said, the same scenario is working for you. I'm just wondering what the data source and the name of the configuration file (XML file) are that you are using on your UME, under System Administration -> System Configuration -> UM Configuration.

Thanks,

Maryam

tim_alsop
Active Contributor
0 Kudos

Maryam,

The tests I did were using our own Login Module, and not the SAP SPNEGO Login Module which you are using. Our Login Module uses the SPNEGO protocol, so essentially provides the same functionality you have + much more. One big difference is that our Login Module does not depend on using a data source, since we support any data source: ABAP data source, LDAP, or any other data source you might want to use. Just because the user is being authenticated against Active Directory using Kerberos, this does not mean that SAP needs to use AD via LDAP as a UME datasource; not when using our product, anyway.

Thanks,

Tim

Former Member
0 Kudos

Hi guys

I had a similar issue a few weeks ago and it turned out to be an issue with user Portal favorites.

Do any of these users have portal favorites set up?

If yes, try to remove them and test.

tim_alsop
Active Contributor
0 Kudos

I understand that the NTLM authentication dialog appears in the browser during logon to the portal, and when the user presses the cancel button they get the SAP portal signon screen (i.e. the portal application is not yet involved). So, the problem is clearly specific to NetWeaver user authentication, and not specific to the application the user is logging on to (e.g. portal). I suspect if they logged on to a different application on the same J2EE Engine the same problem would occur, e.g. http://<address of j2ee engine>:<port>/useradmin

Thanks,

Tim

Former Member
0 Kudos

Hi,

A good discussion in this thread. I have read it thoroughly. Our portal is also set up internally for SSO via Kerberos (spnego login module). Anonymous users will also have the chance to access the portal via the internet. These users will not be registered users.

http://help.sap.com/saphelp_nw70/helpdata/en/43/86b32ce99d72a7e10000000a11466f/content.htm

I also get the popup when accessing the portal anonymously. From our side we can't expect users who want to access the website to know what the logon popup is doing and how to get past it.

We logged a call with SAP on this and are expecting a solution from them, as this is how they positioned their EFP solution.

Do you know of a way I can change my login modules so that the internal users can still do SSO on the same URL, http://<host>:<port>/irj, and anonymous users (without a popup) can use the URL http://<host>:<port>/irj/portal/anonymous/index.html?

I was looking for a solution using authschemes.xml or the spnego login modules.

Regards, Dries

tim_alsop
Active Contributor
0 Kudos

Dries,

The problem is because of the way the IE browser handles Integrated Windows Authentication. If you use Firefox the problem will not occur. You cannot fix this by using authschemes.xml. The spnego login module would have to be changed to work the same way as the CyberSafe TrustBroker Adapter SPNEGO (e.g. IWA) login module. The company that Maryam works for purchased this product to solve their problem.

Thanks,

Tim