IIS and tomcat SSO on the same server

Former Member
0 Kudos

Tim,

I already have AD/Kerberos/VSJ SSO working, and would like to have .NET InfoView work with Kerberos as well. I was interested in your alternative approach, so I followed SAP note 1356046 that you referred to, but IIS was still prompting afterwards.

Please note that I did not follow SAP note 1356046 to set up the SPN as "setspn -a BOSSO/mydomain.com bosso", nor did I enter BOSSO/mydomain.com in the service principal name inside CMC, because it already had a value in the format of BOSSO/ADServiceAcct.mydomain.com, which was the setup for Java InfoView SSO.

Is this some kind of conflict? How should I resolve it?

Thanks.

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Do I need to install VSJ or is it already included in the BO infoview? Thanks for your help.

BasicTek
Advisor
0 Kudos

To note, while IIS and tomcat can use the same SSO configuration, it is specifically stated in the XI 3.x admin guide that this configuration is not supported. To avoid any support issues, if you have any issues with IIS or tomcat in the future, disable the other when working with any engineers.

I've run this configuration for years myself and it is not problematic at all, in fact it helps for troubleshooting the java side as we have more .net tools available.

Regards,

Tim

Former Member
0 Kudos

I figured it out. Need to change identity from "Network Service" to AD Service Account on both application pools, BOBJAppPool21 (used by InfoViewApp and PlatformServices) and DefaultAppPool (used by Xcelsius and CrystalReports). Now I could SSO into Java and .NET InfoView using Kerberos. Thanks.

former_member183781
Active Participant
0 Kudos

I too am trying the "unsupported" IIS and Tomcat SSO side-by-side on the same SANDBOX server....just so we can kick the tires on the two different InfoViews for comparison.

Java SSO is working A-OK, but IIS keeps prompting me for a Windows login, then errors-out with "You are not authorized to view this page".

I have tried updating the Identity for the Application Pools to the BOSSO account - which is also a LOCAL Admin on the server (so it should have all the required rights).

However, when I try to start the Application Pools - they both throw a WARNING error in the Windows System Event Log like -

The identity of application pool, 'BOBJAppPool121' is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number 80070569

Based on some IIS research, it appears that the BOSSO account does not have the "allow logon as batch" privilege (despite being a Local ADMIN).

Anyone seen this before - and know the fix?

Thanks in advance!

BasicTek
Advisor
0 Kudos

What version of IIS? We do have some specific IIS 7 issues; you can search the knowledge base. Also search for .net SSO kerberos 3.1 for my KB on setting up the service account. Have you added it to the IIS_WPG group?

Just FYI, even though it is explicitly "unsupported", the reason behind it had nothing to do with it working or not. I have successfully set this up in XIR2 through XI 3.1 beta SP3 and never had any issues. We do not have it documented though and it can be a little tricky.

Regards,

Tim

former_member183781
Active Participant
0 Kudos

Tim:

I had to add it to the IIS_WPG group - Thanks!

My assumption was that if the account was "Local Admin" that would be enough - but it wasn't.

Thanks,

Mark
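
Added example (not part of the original thread, and not SAP's or Microsoft's own tooling): a PowerShell check for the situation above, decoding the error number from the event log warning (0x80070569 is Win32 error 1385, logon type not granted) and testing whether the app pool identity is listed in the local IIS_WPG group. The account name `bosso` is an assumption; only direct members are listed, so an account that gets in through a nested domain group is not detected.

```powershell
# Added example. $Account is an assumed service account name; $Group and
# $EventData are the values quoted in the thread.
param(
    [string]$Account   = 'bosso',
    [string]$Group     = 'IIS_WPG',
    [string]$EventData = '80070569'
)

# Split an HRESULT (hex string) into facility and code, and look up the
# Win32 message text when the facility is 7 (FACILITY_WIN32).
function Convert-HResult {
    param([string]$Hex)
    $value    = [Convert]::ToInt64($Hex, 16)
    $facility = [int](($value -band 0x1FFF0000) / 0x10000)
    $code     = [int]($value -band 0xFFFF)
    $message  = $null
    if ($facility -eq 7) {
        $message = (New-Object System.ComponentModel.Win32Exception($code)).Message
    }
    New-Object PSObject -Property @{
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# List the direct members of a local group through the WinNT ADSI provider.
function Get-LocalGroupMemberName {
    param([string]$GroupName)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$err = Convert-HResult $EventData
"0x$EventData -> facility $($err.Facility), Win32 error $($err.Code): $($err.Message)"

$members = @(Get-LocalGroupMemberName $Group)
if ($members -contains $Account) {
    "$Account is a direct member of $Group"
} else {
    "$Account is NOT a direct member of $Group"
    "Current members: $($members -join ', ')"
}
```

Run it on the IIS server itself after changing the application pool identity; membership in the local Administrators group does not change the result, which matches what Mark found.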
