https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847261#M1133654 <HTML><HEAD></HEAD><BODY><P>Hello everybody</P><P>We have configured SPNEGO in our portal and everything is working fine but now we are going to use ESS and we want to protrect some iviews, like the payroll. We want to ask for the user and password.</P><P></P><P>We have create a new template in the Visual Administrator-Security Provider with the following entries:</P><P></P><P>com.sap.security.core.server.jaas.EvaluateTicketLoginModule - Sufficient - ume.configuration.active:true =yes</P><P>BasicPasswordLoginModule REQUISITE {}</P><P>com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT {ume.configuration.active=yes}</P><P>With this we have modified the autschemes.xml adding the following</P><P>lines:</P><P></P><P></P><P>Also, we have assing this template to the iview.</P><P>Now, when we access to the iview a logon screen is poped up (this is</P><P>ok) but even if we put a correct user after 3 tries a 401 error is</P><P>shown (acces denied).</P><P>What can be the cause of this behaviour?</P><P></P><P>I have opened a message in OSS but this is all I have got of them:</P><P></P><P>+the point is - when SSO Ticket is expired, it won't be 401-Not Authorized HTTP error,</P><P>with header set to Negotiate, but just a J2EE runtime exception. This</P><P>would allow the user's browser to renew the SSO Kerberos ticket, which</P><P>is how SPNEGO works.</P><P>The user who is checking it is Guest user, so therefore you are getting</P><P>it.+</P><P></P><P>They don't explain anything else because this issue isn't an error... "you know what I mean"</P><P></P><P></P><P></P><P>Here I send an extract of the trace created by the diagtool:</P><P></P><P><A href="https://community.sap.com/1228426945698"></A>[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REQUEST: </P><P>{GET /irj/servlet/prt/portal/prtmode/preview/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fevery_user!2fcom.sap.pct.erp.ess.bp_folder!2fcom.sap.pct.erp.ess.iviews!2fcom.sap.pct.erp.ess.benefits_payment!2fcom.sap.pct.erp.ess.area_benefits_payment?sap-config-mode=true HTTP/1.1 </P><P>Accept: <STRONG>/</STRONG> </P><P>Accept-Language: es </P><P>UA-CPU: x86 </P><P>Accept-Encoding: gzip, deflate </P><P>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) </P><P>Host: portal.lubasa.es </P><P>Connection: Keep-Alive </P><P>Authorization: Basic cnVnYXJjaWE6bmFyYW5qYTM= </P><P>Cookie: j_authscheme=ESS_SCH; UserUniqueIdentifier=1228379971997; PortalAlias=portal; saplb_*=(J2EE3080100)3080151; JSESSIONID=(J2EE3080100)ID1055733851DB01046363213849042466End; MYSAPSSO2=AjExMDAgAA9wb3J0YWw6UlVHQVJDSUGIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIUlVHQVJDSUECAAMwMDADAANFUFAEAAwyMDA4MTIwNDIxNDEFAAQAAAAMCgAIUlVHQVJDSUH/AQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVBAMTA0VQUDENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgxMjA0MjE0MTIxWjAjBgkqhkiG9w0BCQQxFgQU9r0lROP9xSeA5thGNqyvEbaqrWswCQYHKoZIzjgEAwQvMC0CFQCV6qIJ2ofjbF/iMd9vVFd6U72dVwIUD7ENuEa2ID7ZVYY1kwtrrbs8!OU=; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse </P><P>n/a </P><P>} </P><P><A href="https://community.sap.com/1228426945698"></A>[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REPLY: </P><P>{HTTP/1.1 401 Unauthorized </P><P>Server: SAP J2EE Engine/7.00 </P><P>Content-Type: text/html;charset=ISO-8859-1 </P><P>WWW-Authenticate: Basic Realm=Authentication </P><P>Pragma: no-cache </P><P>Content-Encoding: gzip </P><P>Content-Length: 594 </P><P>Date: Thu, 04 Dec 2008 21:42:25 GMT </P><P>Set-Cookie: j_authscheme=ESS_SCH; Expires=Thu, 04-Dec-2008 21:42:35 GMT </P><P>n/a </P><P>} </P><P></P><P></P><P>Thank you in advanced!</P><P></P><P>Rubé</P><P></P></BODY></HTML> Fri, 05 Dec 2008 14:35:53 GMT Former Member 2008-12-05T14:35:53Z https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847261#M1133654 <HTML><HEAD></HEAD><BODY><P>Hello everybody</P><P>We have configured SPNEGO in our portal and everything is working fine but now we are going to use ESS and we want to protrect some iviews, like the payroll. We want to ask for the user and password.</P><P></P><P>We have create a new template in the Visual Administrator-Security Provider with the following entries:</P><P></P><P>com.sap.security.core.server.jaas.EvaluateTicketLoginModule - Sufficient - ume.configuration.active:true =yes</P><P>BasicPasswordLoginModule REQUISITE {}</P><P>com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT {ume.configuration.active=yes}</P><P>With this we have modified the autschemes.xml adding the following</P><P>lines:</P><P></P><P></P><P>Also, we have assing this template to the iview.</P><P>Now, when we access to the iview a logon screen is poped up (this is</P><P>ok) but even if we put a correct user after 3 tries a 401 error is</P><P>shown (acces denied).</P><P>What can be the cause of this behaviour?</P><P></P><P>I have opened a message in OSS but this is all I have got of them:</P><P></P><P>+the point is - when SSO Ticket is expired, it won't be 401-Not Authorized HTTP error,</P><P>with header set to Negotiate, but just a J2EE runtime exception. This</P><P>would allow the user's browser to renew the SSO Kerberos ticket, which</P><P>is how SPNEGO works.</P><P>The user who is checking it is Guest user, so therefore you are getting</P><P>it.+</P><P></P><P>They don't explain anything else because this issue isn't an error... "you know what I mean"</P><P></P><P></P><P></P><P>Here I send an extract of the trace created by the diagtool:</P><P></P><P><A href="https://community.sap.com/1228426945698"></A>[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REQUEST: </P><P>{GET /irj/servlet/prt/portal/prtmode/preview/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fevery_user!2fcom.sap.pct.erp.ess.bp_folder!2fcom.sap.pct.erp.ess.iviews!2fcom.sap.pct.erp.ess.benefits_payment!2fcom.sap.pct.erp.ess.area_benefits_payment?sap-config-mode=true HTTP/1.1 </P><P>Accept: <STRONG>/</STRONG> </P><P>Accept-Language: es </P><P>UA-CPU: x86 </P><P>Accept-Encoding: gzip, deflate </P><P>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) </P><P>Host: portal.lubasa.es </P><P>Connection: Keep-Alive </P><P>Authorization: Basic cnVnYXJjaWE6bmFyYW5qYTM= </P><P>Cookie: j_authscheme=ESS_SCH; UserUniqueIdentifier=1228379971997; PortalAlias=portal; saplb_*=(J2EE3080100)3080151; JSESSIONID=(J2EE3080100)ID1055733851DB01046363213849042466End; MYSAPSSO2=AjExMDAgAA9wb3J0YWw6UlVHQVJDSUGIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIUlVHQVJDSUECAAMwMDADAANFUFAEAAwyMDA4MTIwNDIxNDEFAAQAAAAMCgAIUlVHQVJDSUH/AQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVBAMTA0VQUDENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgxMjA0MjE0MTIxWjAjBgkqhkiG9w0BCQQxFgQU9r0lROP9xSeA5thGNqyvEbaqrWswCQYHKoZIzjgEAwQvMC0CFQCV6qIJ2ofjbF/iMd9vVFd6U72dVwIUD7ENuEa2ID7ZVYY1kwtrrbs8!OU=; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse </P><P>n/a </P><P>} </P><P><A href="https://community.sap.com/1228426945698"></A>[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REPLY: </P><P>{HTTP/1.1 401 Unauthorized </P><P>Server: SAP J2EE Engine/7.00 </P><P>Content-Type: text/html;charset=ISO-8859-1 </P><P>WWW-Authenticate: Basic Realm=Authentication </P><P>Pragma: no-cache </P><P>Content-Encoding: gzip </P><P>Content-Length: 594 </P><P>Date: Thu, 04 Dec 2008 21:42:25 GMT </P><P>Set-Cookie: j_authscheme=ESS_SCH; Expires=Thu, 04-Dec-2008 21:42:35 GMT </P><P>n/a </P><P>} </P><P></P><P></P><P>Thank you in advanced!</P><P></P><P>Rubé</P><P></P></BODY></HTML> Fri, 05 Dec 2008 14:35:53 GMT https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847261#M1133654 Former Member 2008-12-05T14:35:53Z https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847262#M1133655 <HTML><HEAD></HEAD><BODY><P>Ruben,</P><P></P><P>I think what SAP are trying to tell you is that when authentication is enabled using SPNEGO, this will be used for all logon attempts. </P><P></P><P>I am very familiar with this scenario, and have a solution, but it involves using a third-party product. I am not aware of any way to make the SAP supplied SPNEGO login module authenticate the user using userid+password entered into browser. Instead, you need some other login modules instead and you need a way to stop your browser from receiving the 401 from the SPNEGO module when a user logs onto the ESS application.</P><P></P><P>Thanks,</P><P>Tim</P></BODY></HTML> Fri, 05 Dec 2008 15:19:57 GMT https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847262#M1133655 tim_alsop 2008-12-05T15:19:57Z https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847263#M1133656 <HTML><HEAD></HEAD><BODY><P>Thanks for your answer.</P><P>Could you tell me which third party software do you use?</P><P></P><P>Best regards.</P></BODY></HTML> Fri, 05 Dec 2008 17:23:52 GMT https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847263#M1133656 Former Member 2008-12-05T17:23:52Z https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847264#M1133657 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE level="1"></BLOCKQUOTE><PRE><CODE><P></P><P>&gt; Thanks for your answer.</P><P>&gt; Could you tell me which third party software do you use?</P><P>&gt; </P><P>&gt; Best regards.</P></CODE></PRE><P></P><P>It is described here, right on SDN EcoHub. Check <A href="https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter" target="test_blank">https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter</A></P><P></P><P>Thanks,</P><P>Tim</P><P></P></BODY></HTML> Fri, 05 Dec 2008 17:27:05 GMT https://community.sap.com/t5/application-development-and-automation-discussions/basic-authentication-without-using-spnego/m-p/4847264#M1133657 tim_alsop 2008-12-05T17:27:05Z