on 02-25-2016 3:25 AM
Hello,
We currently have a scenario like the one below. Our MII system is not load balanced; it always uses the Central Instance (CI).
Citrix ---> SAPPortal(EP) ----sso-->CI of Backend System (MII with multiple Apps)
With the above scenario, we have successfully set up SSO from EP to the backend system (CI) with logonTicket.
Now we are trying to load balance the MII apps with WebDispatcher. We installed/configured Web Dispatcher for HTTP load balancing of an MII system. The scenario is like below:
Citrix ---> SAPPortal(EP) ----sso---> [WebDispatcher] ----->Backend Systems (MII with multiple Apps)
In the above case, the logonTicket is not passed all the way to the MII system: when a user logs in with single sign-on at the Portal, it again asks for user/password for the MII application.
I am realizing that somehow WebDispatcher is dropping the logonTicket and not passing it to the backend system. I am trying to figure out if there is any parameter to keep the logonTicket and forward it to the backend system.
Appreciate your help on this matter.
Thanks,
Laxman
Hi Laxman, typically WebDispatcher does not interfere with SSO-Cookie.
What do URLs to portal and WebDispatcher look like? They must be in the same domain to enable the browser to send the portal's MYSAPSSO2 cookie to the WebDispatcher.
They must look something like
Use the F12 network traces of the browser to check if the cookie is transferred or not.
If it is transferred to the Web Dispatcher then it will most probably reach the instances. Check all MII instances if they are configured to accept SSO tickets.
Good luck,
Lutz
Not quite right:
Unlike HTTP, with end-to-end SSL the SAP Web dispatcher cannot read any request data and therefore cannot interpret any session cookies that may be available.
Refer to End-to-End SSL - SAP Web Dispatcher - SAP Library
I suggest you review SAP Web Dispatcher and SSL - SAP Web Dispatcher - SAP Library and adjust WebDispatcher parameters where needed.
Hi Lutz,
Thanks for the quick response. All the systems are in the same domain; the only difference is that WebDispatcher and the MII systems are not https (http with port 8101 for WD and plain http with port 50000 for MII), but Citrix and the portal are on https (with port 443).
Do we need to have end-to-end SSL for this need?
Thanks,
Laxman
Hi Laxman, you found it. MYSAPSSO2 Cookie is marked as https only by default so the browser will not forward it to http connections. This could be switched off by some UME parameter in the portal. But I would not recommend this for security reasons.
For overall consistency you should only integrate https applications into an https portal anyway. Otherwise you will get additional problems with JavaScript in the long run.
So set up your SAP Web Dispatcher for https and everything will work (most probably).
I would recommend terminating SSL at the Web Dispatcher and optionally re-encrypting forwarded traffic to the application servers. Check the SSL documentation of SAP Web Dispatcher so you will not miss anything. Thomas posted the links.
Cheers,
Lutz
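
The browser rule behind the diagnosis in this thread (same domain, and a Secure-flagged MYSAPSSO2 cookie is not sent over plain HTTP), as an added example that is not part of any post and is not SAP code. Hostnames, the `/mii-app/` path and the cookie value are constructed; the check covers only the RFC 6265 Domain, Path and Secure rules.

```javascript
// Added example: would a browser attach this cookie to a request?
// Implements only the RFC 6265 Domain, Path and Secure matching rules.

// Parse a Set-Cookie header value; originHost is the host that set the cookie.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.split('=')[0], domain: originHost.toLowerCase(),
                   hostOnly: true, path: '/', secure: false };
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'secure') cookie.secure = true;
    if (key === 'path' && val.startsWith('/')) cookie.path = val;
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false; // a Domain attribute also covers subdomains
    }
  }
  return cookie;
}

// Return { sent, reason } for a request to targetUrl.
function wouldSend(cookie, targetUrl) {
  const url = new URL(targetUrl);
  const host = url.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith('.' + cookie.domain);
  if (!domainOk) return { sent: false, reason: 'domain mismatch' };
  const p = url.pathname;
  const pathOk = p === cookie.path || (p.startsWith(cookie.path) &&
    (cookie.path.endsWith('/') || p[cookie.path.length] === '/'));
  if (!pathOk) return { sent: false, reason: 'path mismatch' };
  if (cookie.secure && url.protocol !== 'https:')
    return { sent: false, reason: 'Secure cookie, plain-HTTP target' };
  return { sent: true, reason: 'ok' };
}

// Constructed sample: the ticket cookie as an HTTPS portal might set it.
const ticket = parseSetCookie(
  'MYSAPSSO2=CONSTRUCTED_TICKET_VALUE; Domain=.example.corp; Path=/; Secure',
  'portal.example.corp');

for (const target of ['http://wd.example.corp:8101/mii-app/',   // HTTP Web Dispatcher
                      'https://wd.example.corp/mii-app/',       // HTTPS Web Dispatcher
                      'https://wd.other.example/mii-app/']) {   // different domain
  console.log(target, wouldSend(ticket, target));
}
```

Feed it the `Set-Cookie` header seen in the F12 network trace of the portal logon and the URL the portal links to.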
Hello Laxman,
I believe that you cannot have mixed protocols either (https at the portal but http at the Web Dispatcher).
The internet browsers (FireFox, Chrome, Internet Explorer, ...) would not like this and this could cause issues.
You do not have to set up end-to-end SSL, necessarily.
You could set up SSL at the Web Dispatcher only and use SSL termination.
The SSL termination scenario is also described at the "SAP Web Dispatcher and SSL" help page sent by Thomas (e.g., "wdisp/ssl_encrypt = 0").
Regards,
Isaías