cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to pass the logonTicket through WebDispatcher to backend system

Go to solution
laxman_molugu
Participant

on ‎02-25-2016 3:25 AM

0 Kudos

Hello,

We currently have scenario like below, our MII system is not load balanced it always uses Central Instance(CI)

Citrix ---> SAPPortal(EP) ----sso-->CI of Backend System (MII with multiple Apps)

With above scenario, we have successfully setup SSO from EP to backend System(CI) with logonTicket

Now we are trying to load Balance the MII apps with WebDispatcher, we Installed/configured web Dispatcher for http load balancing of a MII system, The scenario is like below:

Citrix ---> SAPPortal(EP) ----sso---> [WebDispatcher] ----->Backend Systems (MII with multiple Apps)

In above case, the logonTicket is Not passing all the way to MII system, when user login with with single-Sign-on at Portal it again asks user/password for MII application.

I am realizing that some how webDispatcher is dropping the logonTicket and not passing to backend system. Trying to figure out if there is any parameter to keep the logonTicket and forward to backend System.

Appreciate your help on this matter.

Thanks,

Laxman

Show replies
Show replies
Answer
View Entire Topic
LutzR
Active Contributor
‎02-25-2016 8:21 AM
0 Kudos

Hi Laxman, typically WebDispatcher does not interfere with SSO-Cookie.

What do URLs to portal and WebDispatcher look like? They must be in the same domain to enable the browser to send the portal's MYSAPSSO2 cookie to the WebDispatcher.

They must look something like

https://ep.mydomain.com and

https://wdmii.mydomain.com

Use F12-Network traces of browsers to check if the cookie is transfered or not.

If it is transfered to the web dispatcher then it wil most probably reach the instances. Check all mii instances if they are configured to accept sso tickets.

Good luck,

Lutz

Show replies
Show replies
Former Member
‎02-25-2016 8:42 AM
0 Kudos

Not quite right:

Unlike HTTP, with end-to-end SSL the SAP Web dispatcher cannot read any request data and therefore cannot interpret any session cookies that may be available


Refer to End-to-End SSL - SAP Web Dispatcher - SAP Library


I suggest you review SAP Web Dispatcher and SSL - SAP Web Dispatcher - SAP Library and adjust WebDispatcher parameters where needed.

LutzR
Active Contributor
‎02-25-2016 9:46 AM
0 Kudos

Hi Thomas,

I don't get your point. A SAP Web Dispatcher never needs to interpret a MYSAPSSO2 cookie. Never. It just needs to pass it through. From an SSO point of view End-toEnd SSL or SSL termination is irrelevant.

Regards,

Lutz

laxman_molugu
Participant
‎02-25-2016 2:13 PM
0 Kudos

Hi Lutz,

Thanks for quick response, all the systems are in the same domain the only difference is that webDispatcher and MII systems are not https (http with 8101 port for WD and plain http 50000 port for MII) but Citrix and portal are on https (with 443 port).

Do you we need to have end-end SSL for this need?

Thanks,

Laxman

Former Member
‎02-25-2016 2:53 PM
0 Kudos

That's correct Lutz but I would think the Web Dispatcher would still need to have a proper relationship setup between itself and the other two system.

I think we need to look at the log files.

LutzR
Active Contributor
‎02-25-2016 4:54 PM
0 Kudos

Hi Laxman, you found it. MYSAPSSO2 Cookie is marked as https only by default so the browser will not forward it to http connections. This could be switched off by some UME parameter in the portal. But I would not recommend this for security reasons.

For overall constistency you should only integrate https applications into an https portal anyway. Otherwise you will get additional problems with javascript on the long run.

So setup your SAP Web Dispatcher for https and everything will work (most probalby ).

I would recommend to terminate SSL at the Web dispatcher and optionaly reencrypt forwarded traffic to application servers. Check SSL documentation of SAP Web Dispatcher so you will not miss anything. Thomas posted the links.

Cheers,

Lutz

isaias_freitas
Advisor
Advisor
‎02-25-2016 5:35 PM
0 Kudos

Hello Laxman,

I believe that you cannot have mixed protocols either (https at the portal but http at the Web Dispatcher).

The internet browsers (FireFox, Chrome, Internet Explorer, ...) would not like this and this could cause issues.

You do not have to setup end-to-end SSL, necessarily.

You could setup SSL at the Web Dispatcher only and use SSL termination.

The SSL termination scenario is also described at the "SAP Web Dispatcher and SSL" help page sent by Thomas (e.g., "wdisp/ssl_encrypt = 0".

Regards,

Isaías

Ask a Question