Configuring Integrated Windows Authentication

Former Member
0 Kudos

Hi all,

I'm trying to configure my EP6 sp9 to use Integrated Windows Authentication with Microsoft ADS.

I managed to do that with EP6 SP2 (IIS + IISproxy).

Where can I find how-to or help files that describe the procedure in EP6 SP9?

thanks

Amit

Accepted Solutions (1)

gregorw
Active Contributor
0 Kudos

Hello Amit,

Try my weblog about <a href="https://www.sdn.sap.com/sdn/weblogs.sdn?blog=/pub/wlg/920">Integrated Windows Authentication with SAP EP 6.0 SP 3 and higher</a>.

Regards

Gregor

Former Member
0 Kudos

Hi,

Thanks for the directions - looks good - I will report on status. Do you have any idea if that can be done in a Unix env.? Must I have an IIS installed somewhere in order to do that, or can I use another web server?

Thanks,

Tuval

Former Member
0 Kudos

Hi Tuval.

Currently you must have an IIS in front of the portal to do the actual authentication and send the NTLM header.

Former Member
0 Kudos

Is it true that in EP6SP3 > we still have to use IIS if we want to use ADS as our LDAP?

gregorw
Active Contributor
0 Kudos

Hello David,

If you want to use LDAP for Authentication -> No.

But if you want to implement SSO for your Windows users who have already been authenticated by the OS, you have to use IIS AFAIK.

Regards

Gregor

paul_p1
Explorer
0 Kudos

Hello Gregor

I reviewed your weblog.

But now I have a problem. The user can log on to the portal, and the portal shows all tabs, such as Welcome page, Info Page, Application page, etc. By default the portal shows the Welcome page, but when a user wants to access another page, the Welcome page is shown again.

Does anyone have the same problem?

Former Member
0 Kudos

This is getting to be a common theme.

Could you post your authscheme.xml?

There are a few people here that are having the same problem or something close to it.

paul_p1
Explorer
0 Kudos

Hi David,

Here is my authscheme.xml

<?xml version="1.0" encoding="UTF-8"?>

<!-- Configuration File for Authentication Schemes -->

<!-- $Id: //shared_tc/com.sapall.security/60_SP2_REL/src/_deploy/dist/configuration/shared/authschemes.xml#3 $ from $DateTime: 2003/11/11 11:42:10 $ ($Change: 13312 $) -->

<document>

<authschemes>

<!-- authschemes, the name of the node is used -->

<authscheme name="ntlmuidpw">

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.WindowsLoginModule</loginModuleName>

<controlFlag>SUFFICIENT</controlFlag>

<options></options>

</loginmodule>

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>

<controlFlag>REQUISITE</controlFlag>

<options></options>

</loginmodule>

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.Windows</loginModuleName>

<controlFlag>SUFFICIENT</controlFlag>

<options>domain=minsur.com.pe</options>

</loginmodule>

<priority>20</priority>

<frontendtype>2</frontendtype>

<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>

</authscheme>

<authscheme name="uidpwdlogon">

<!-- multiple login modules can be defined -->

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>

<controlFlag>SUFFICIENT</controlFlag>

<options></options>

</loginmodule>

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>

<!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->

<controlFlag>REQUISITE</controlFlag>

<options></options>

</loginmodule>

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.CertPersisterLoginModule</loginModuleName>

<controlFlag>OPTIONAL</controlFlag>

<options></options>

</loginmodule>

<priority>20</priority>

<!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->

<frontendtype>2</frontendtype>

<!-- target object -->

<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>

</authscheme>

<authscheme name="certlogon">

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>

<controlFlag>REQUISITE</controlFlag>

<options></options>

</loginmodule>

<priority>21</priority>

<frontendtype>2</frontendtype>

<frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>

</authscheme>

<authscheme name="basicauthentication">

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>

<controlFlag>REQUIRED</controlFlag>

<options></options>

</loginmodule>

<priority>20</priority>

<frontendtype>2</frontendtype>

<frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>

</authscheme>

<authscheme name="header">

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.HeaderVariableLoginModule</loginModuleName>

<controlFlag>OPTIONAL</controlFlag>

<options>Header=remote-user</options>

</loginmodule>

<priority>5</priority>

<frontendtype>2</frontendtype>

<frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>

</authscheme>

<authscheme name="guest">

<loginmodule>

<loginModuleName>com.sap.security.core.logon.imp.AnonymousLoginModule</loginModuleName>

<controlFlag>OPTIONAL</controlFlag>

<options></options>

</loginmodule>

<priority>1</priority>

<frontendtype>2</frontendtype>

<frontendtarget>com.sap.portal.runtime.logon.anonymous</frontendtarget>

</authscheme>

<!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->

<authscheme name="anonymous">

<priority>-1</priority>

</authscheme>

</authschemes>

<!-- References for Authentication Schemes, this section must be after authschemes -->

<authscheme-refs>

<authscheme-ref name="default">

<authscheme>ntlmuidpw</authscheme>

</authscheme-ref>

</authscheme-refs>

</document>
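How the control flags in the "ntlmuidpw" stack above combine, as an added example that is not part of the original thread or SAP's code. It assumes the portal applies the standard JAAS control-flag rules to these flags; the function names and the login outcomes fed in are constructed for illustration.

```python
# "ntlmuidpw" login module stack from the post above, in file order (class names shortened).
NTLMUIDPW = [
    ("WindowsLoginModule", "SUFFICIENT"),
    ("DefaultLoginModule", "REQUISITE"),
    ("Windows", "SUFFICIENT"),
]


def evaluate(stack, outcomes):
    """Return (overall_success, modules_consulted) under JAAS control-flag rules.

    outcomes maps module name -> bool; these login results are constructed inputs.
    """
    required_failed = False  # a REQUIRED module failed earlier in the stack
    mandatory_seen = False   # a REQUIRED or REQUISITE module was consulted
    soft_success = False     # a SUFFICIENT or OPTIONAL module succeeded
    consulted = []
    for name, flag in stack:
        ok = outcomes[name]
        consulted.append(name)
        if flag == "REQUIRED":
            mandatory_seen = True
            required_failed = required_failed or not ok
        elif flag == "REQUISITE":
            mandatory_seen = True
            if not ok:
                return False, consulted  # failure ends evaluation at once
        elif flag == "SUFFICIENT":
            soft_success = soft_success or ok
            if ok and not required_failed:
                return True, consulted   # success ends evaluation at once
        elif flag == "OPTIONAL":
            soft_success = soft_success or ok
        else:
            raise ValueError(f"unknown controlFlag: {flag}")
    if mandatory_seen:
        return not required_failed, consulted
    return soft_success, consulted


def last_module_matters(stack):
    """True if the last module's result can change the overall outcome."""
    *head, (last, _) = stack
    for bits in range(2 ** len(head)):
        base = {name: bool(bits >> i & 1) for i, (name, _) in enumerate(head)}
        results = {evaluate(stack, {**base, last: r})[0] for r in (True, False)}
        if len(results) == 2:
            return True
    return False
```

Under these rules `last_module_matters(NTLMUIDPW)` is false: the third entry is only reached after the REQUISITE module has already succeeded, so its result never changes whether the logon passes.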

Former Member
0 Kudos

Looks good to me.

It's what I have for my EP6SP2 box.

paul_p1
Explorer
0 Kudos

I don't understand, about common theme?

Where can I change that?

Thanks

Former Member
0 Kudos

I thought you were on a EP6SP9 box, my bad.

There are other threads on SDN that are saying the same thing you are.

My roadblock is that I cannot log on to my portal (I am building EP6SP9). There is something that is not letting authentication happen against my LDAP, and the logon pops back to the logon screen.

Former Member
0 Kudos

Hi Paul,

Just wanted to find out if you were able to resolve this issue of navigating to different portal tabs. We are having the same issue. We are running EP 6 SP10 Patch 2 and when navigating through the portal content, the browser loads the default portal page instead of the chosen one. We have referred to Note#732048 but with no luck. So in case you were able to get the solution, could you please let us know too.

Thanks,

Former Member
0 Kudos

Hi David,

I am back with this issue too...

On our portal, for a few users/machines, navigation always takes us back to the default tab. Do you know if this issue has been resolved for other users? This is a high priority for me, so I have to find a solution for this asap.

Thanks,

Former Member
0 Kudos

Yup, remember the problem.

Now if I can remember how I fixed it.

It was either another permissions issue or I had an extra line in my authscheme.xml, I can't recall right now.

Repost your authscheme.xml again, new prefix?

Former Member
0 Kudos

Here is the Authschemes.xml file

<?xml version="1.0" encoding="UTF-8" ?>
<!-- Configuration File for Authentication Schemes -->
<!-- $Id: //shared_tc/com.sapall.security/630_VAL_REL/src/_deploy/dist/configuration/shared/authschemes.xml#1 $ from $DateTime: 2004/03/08 16:48:43 $ ($Change: 14741 $) -->
<document>
  <authschemes>
    <!-- authschemes, the name of the node is used -->
    <authscheme name="uidpwdlogon">
      <!-- multiple login modules can be defined -->
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
      <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
      <frontendtype>2</frontendtype>
      <!-- target object -->
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="certlogon">
      <authentication-template>client_cert</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="basicauthentication">
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
    </authscheme>
    <authscheme name="header">
      <authentication-template>header</authentication-template>
      <priority>5</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
    </authscheme>
    <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
    <authscheme name="anonymous">
      <priority>-1</priority>
    </authscheme>
  </authschemes>
  <!-- References for Authentication Schemes, this section must be after authschemes -->
  <authscheme-refs>
    <authscheme-ref name="default">
      <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
    <authscheme-ref name="UserAdminScheme">
      <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
  </authscheme-refs>
</document>

Former Member
0 Kudos

Whoops, my bad.

IISProxy.xml, sorry.

Former Member
0 Kudos

Here you go David, our IISPROXY.xml

<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE ISAPI-config[

<!ELEMENT ISAPI-config ( filter, extension, ( mapping | config )* )>

<!ATTLIST ISAPI-config

version CDATA #REQUIRED

>

<!ELEMENT filter (log-path?)>

<!ATTLIST filter

name CDATA #IMPLIED

log-level CDATA "1"

log-flags CDATA "0"

debug-flags CDATA "0"

priority ( high | medium | low ) "high"

extension-url CDATA "/scripts/IisProxy.dll"

authentication ( skip | normal | forward ) "forward"

remote-address ( skip | forward ) "skip"

>

<!ELEMENT extension (

keystore-dir?,

log-path?,

data-path?,

trace-path? )>

<!ATTLIST extension

name CDATA #IMPLIED

log-level CDATA "1"

log-flags CDATA "0"

debug-flags CDATA "0"

access ( filter | direct | both ) "filter"

>

<!ELEMENT keystore-dir (#PCDATA)>

<!ELEMENT log-path (#PCDATA)>

<!ELEMENT data-path (#PCDATA)>

<!ELEMENT trace-path (#PCDATA)>

<!ELEMENT mapping (

source+,

target,

compress-types*,

protocol-header?,

certificate-header?,

cert-chain-header?,

cipher-header?,

keysize-header?,

keystore-path?,

log-path?,

data-path? )>

<!ATTLIST mapping

name CDATA #IMPLIED

log-level CDATA "1"

log-flags CDATA "0"

debug-flags CDATA "0"

keep-alive ( true | false ) "true"

use-continue ( true | false ) "true"

close-socket ( true | false ) "true"

close-socket-delay CDATA "1000"

thread-count CDATA "100"

max-socket-age CDATA "2000"

>

<!ELEMENT source (protocol, host?, port?, prefix, new-prefix?)>

<!ATTLIST source

access ( filter | direct | both ) "filter"

>

<!ELEMENT protocol (#PCDATA)>

<!ELEMENT host (#PCDATA)>

<!ELEMENT port (#PCDATA)>

<!ELEMENT prefix (#PCDATA)>

<!ELEMENT new-prefix (#PCDATA)>

<!ELEMENT target (protocol, host, port)>

<!ELEMENT compress-types (#PCDATA)>

<!ATTLIST compress-types

min-size CDATA "1024"

>

<!ELEMENT protocol-header (#PCDATA)>

<!ELEMENT certificate-header (#PCDATA)>

<!ELEMENT cert-chain-header (#PCDATA)>

<!ELEMENT cipher-header (#PCDATA)>

<!ELEMENT keysize-header (#PCDATA)>

<!ELEMENT keystore-path (#PCDATA)>

<!ELEMENT config ( source+ )>

]>

<ISAPI-config version="1.6">

<filter name="IisProxy filter" log-level="3" log-flags="3" debug-flags="0" priority="high" extension-url="/scripts/IisProxy.dll" authentication="forward" remote-address="skip" />

<extension name="IisProxy extension" log-level="1" log-flags="0" debug-flags="0" access="filter" />

<mapping name="IisProxy http" log-level="3">

<source>

<protocol>http</protocol>

<prefix>/irj/</prefix>

</source>

<source>

<protocol>http</protocol>

<prefix>/logon/</prefix>

</source>

<source>

<protocol>http</protocol>

<prefix>/irj</prefix>

</source>

<target>

<protocol>http</protocol>

<host>dplportaltest.ad.uop.com</host>

<port>50000</port>

</target>

<compress-types>text/html, text/plain</compress-types>

</mapping>

<mapping name="Secure IisProxy https" log-level="3">

<source>

<protocol>https</protocol>

<prefix>/irj/</prefix>

</source>

<target>

<protocol>https</protocol>

<host>dplportaltest.ad.uop.com</host>

<port>50001</port>

</target>

<keystore-path>c:\sec_prd\SAPSSLC.pse</keystore-path>

</mapping>

<config>

<source>

<protocol>http</protocol>

<host>iisproxy</host>

<prefix>/irj/</prefix>

</source>

<source>

<protocol>https</protocol>

<host>iisproxy</host>

<prefix>/irj</prefix>

</source>

</config>

</ISAPI-config>

Former Member
0 Kudos

David,

Is there anything odd/wrong in the Iisproxy.xml file?

Former Member
0 Kudos

<ISAPI-config version="1.6">

<filter name="IisProxy filter" authentication="forward" />

<extension name="IisProxy extension" />

<mapping name="SAP EP 6 - NTLM" log-level="3">

<source>

<protocol>http</protocol>

<prefix>/irj/</prefix>

</source>

<source>

<protocol>http</protocol>

<prefix>/logon/</prefix>

</source>

<target>

<protocol>http</protocol>

<host>dplportaltest.ad.uop.com</host>

<port>50000</port>

</target>

<compress-types>text/html, text/plain</compress-types>

</mapping>

<mapping name="SAP SSL EP 6.0 NTLM" log-level="3">

<source>

<protocol>https</protocol>

<prefix>/irj/</prefix>

</source>

<source>

<protocol>https</protocol>

<prefix>/logon/</prefix>

</source>

<target>

<protocol>https</protocol>

<host>dplportaltest.ad.uop.com</host>

<port>50001</port>

</target>

<keystore-path>c:\sec_prd\SAPSSLC.pse</keystore-path>

</mapping>

<config>

<source>

<protocol>http</protocol>

<host>iisproxy</host>

<prefix>/irj/</prefix>

</source>

<source>

<protocol>https</protocol>

<host>iisproxy</host>

<prefix>/irj</prefix>

</source>

</config>

</ISAPI-config>

I made a change in the code. You were missing the /logon/ on the https source. I also took out most of the extra monitoring until we can get this to work 100%.

Let me know.
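The gap pointed out in the post above (an https mapping with no /logon/ source) can be checked mechanically. This is an added example, not part of the original thread or of IisProxy itself: it parses an IisProxy.xml-style document and lists, per protocol, the prefixes that have no source entry. The required prefix set, the function names and the placeholder host are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: every protocol must proxy both portal prefixes.
REQUIRED_PREFIXES = ("/irj/", "/logon/")

# Constructed sample modelled on the first IISPROXY.xml in the thread (DTD
# omitted, host replaced by a placeholder): https has no /logon/ source.
SAMPLE = """<ISAPI-config version="1.6">
  <filter name="IisProxy filter" authentication="forward" />
  <extension name="IisProxy extension" />
  <mapping name="IisProxy http">
    <source><protocol>http</protocol><prefix>/irj/</prefix></source>
    <source><protocol>http</protocol><prefix>/logon/</prefix></source>
    <target><protocol>http</protocol><host>portal.example.internal</host><port>50000</port></target>
  </mapping>
  <mapping name="Secure IisProxy https">
    <source><protocol>https</protocol><prefix>/irj/</prefix></source>
    <target><protocol>https</protocol><host>portal.example.internal</host><port>50001</port></target>
  </mapping>
</ISAPI-config>"""


def mapped_prefixes(xml_text):
    """Return {protocol: set(prefixes)} from <mapping>/<source> entries only."""
    root = ET.fromstring(xml_text)
    seen = {}
    for source in root.findall("./mapping/source"):
        proto = (source.findtext("protocol") or "").strip().lower()
        prefix = (source.findtext("prefix") or "").strip()
        if proto and prefix:
            seen.setdefault(proto, set()).add(prefix)
    return seen


def missing_prefixes(xml_text, required=REQUIRED_PREFIXES):
    """Return {protocol: [required prefixes that have no source entry]}."""
    gaps = {}
    for proto, prefixes in mapped_prefixes(xml_text).items():
        missing = [p for p in required if p not in prefixes]
        if missing:
            gaps[proto] = missing
    return gaps


def filter_authentication_mode(xml_text):
    """Return the filter's authentication attribute ("forward" is the DTD default)."""
    flt = ET.fromstring(xml_text).find("filter")
    return None if flt is None else flt.get("authentication", "forward")
```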

Former Member
0 Kudos

Hi David,

We have identified the problem we were facing. It has nothing to do with the xml file. We have issues with the Proxy itself. We had to add the URL in the Exceptions (Proxy) list and that made our portal tabs function properly. Thanks for all the help though...

Regards,

Former Member
0 Kudos

Great! Glad to hear it's working.

Former Member
0 Kudos

Rizwan,

We have the same problem with tabs.

I want to ask you: where do we change the Exceptions list? In the client browser, or in another place?

Thanks in advance

Patricio

Answers (2)

Former Member
0 Kudos

Hi Gregor,

you are absolutely right.

I guess it's a mistake....

Sorry, is there a way to reward your message with 10 points?

Amit

gregorw
Active Contributor
0 Kudos

Hello Amit,

Yes, you have to remove the points from Alon and give him, for example, only 2. Then I think that it should be possible to reassign the points.

Thanks

Gregor

gregorw
Active Contributor
0 Kudos

Hello Amit,

Why did you give Alon all the points?

Regards

Gregor