cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Windows integrated authentication - How to force logon for Portal

Go to solution
Former Member

on ‎04-03-2009 5:23 PM

0 Kudos

Hi

We have implemented Windows integrated authentication - Spnego and UME is configured with Microsoft Active Diretory in our EP7 SP17.

However, due to security requirements for ESS/MSS, there is a requirement to disable this windows integrated authentication for the portal.

The disabling "windows integrated authentication" in the Internet Explorer is causing other issues for applications like Sharepoint etc and also this is not desired options, as the user can be reset the same.

My questions:

1) How to force users logon to Portal?

2) Is it possible to enforce logon when clicking on any tabs withinthe portal? e.g when I click on MSS it should ask for password

Would appreciate your views on this.

Regards

Chandu

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎05-13-2009 7:40 PM
0 Kudos

Chandu,

Recently we had a similar requirement with WIA for SSO. We made it work by developing a custom login module and added to the login stack with REQUISITE flag. This custom login modules placed after SPNego module in the stack.

Thanks

Vinay P

Show replies
Show replies
Former Member
‎05-22-2009 3:07 PM
0 Kudos

Hi Vinay,

Would you mind in giving more details on this?

Regards

Chandu

Answers (2)

Answers (2)

Former Member
‎04-04-2009 12:05 AM
0 Kudos

You could maybe setup another authscheme for the ESS/MSS iViews which had a higher level value and caused a new logon stack to be used.

Show replies
Show replies
Former Member
‎04-04-2009 9:32 AM
0 Kudos

Hi Michael,

Thanks for the response. Is it possible to set up another authscheme at role level instead of iview level so that user is not required to login for each iview?

Also, can you give more details on setting up another authscheme?

Regards

Chandu

Former Member
‎04-04-2009 1:16 PM
0 Kudos

Authschemes are only at View and page level. Creating a new one can be found here: http://help.sap.com/saphelp_nw70/helpdata/EN/d3/1dd4516c518645a59e5cff2628a5c1/frameset.htm

Former Member
‎04-05-2009 7:31 AM
0 Kudos

Hi Michael,

We could explore this solution, as we can change the authentication scheme for certain pages, which are sensitive.

I am going thru the information you suggested.

Our UME is configured with Active Directory. Do I need to create new authentication sheme to force users to supply user name and password? I changed the auth schema to uidpwdlogon, but it is not asking for username and password.

Regards

chandu

Former Member
‎04-05-2009 11:33 AM
0 Kudos

That's because form based an kerberos logon have the same authsecheme value - I think it's 20.

Former Member
‎04-05-2009 1:24 PM
0 Kudos

What options do I have?

Regards

Chandu

Former Member
‎04-05-2009 1:30 PM
0 Kudos

The best as Tobias said is a separate portal without kerberos. That way the user will need to enter a username/password.

Personally I would push back and find out what the perceived problem is. This issue comes up quote a lot and it comes mostly from confusion on the part of the business. As a portal user I want my liufe as simple as possible - making me re-enter credentials doesn't do that.

Former Member
‎04-05-2009 2:29 PM
0 Kudos

I fully agree with what you said.

We have recently gone live with ESS/MSS and feedback from the Manager is that Portal should have logon, as they don't lock their computer when they leave desk for few minutes. The desktop is locked after 30 minutes as per Windows config.

So, we are trying to ascertain what options we have to enforce logon and also logout/timeout portal, if the session is idle more than 5 minutes.

Regards

Chandu

Former Member
‎04-05-2009 8:26 PM
0 Kudos

So, I'd suggest to management that they enforce locking the Windows desktop after 5 minutes. If the problem is that some people walk away from their desk and don't lock their PC, then why upset all users? If I have to reaunthenticate to the portal every 5 minutes, then it makes me a lot less productive.

It sounds like management think that ESS/MSS are the only activities that a user does that need extra levels of security. This is dangerous thinking.

Former Member
‎04-05-2009 11:08 PM
0 Kudos

Thanks Michael for your inputs. We are considering locking PCs etc as well.

Do you know does most of the companies enforce Portal logon or Windows integrated authentication? Which one is most preferred option?

Regards

Chandu

Former Member
‎04-05-2009 11:11 PM
0 Kudos

In my experience, companies try to use windows integrated authentication whenever possible.

hofmann
Active Contributor
‎04-06-2009 2:08 PM
0 Kudos

Hi,

I can only agree with this. SSO is THE advantage of portals over other solutions. And SSO to the portal is even more an advantage.

Michael is also right at where to look for the solution. If your users don't lock the computer, even 5 minutes idle time is too much. In 5 minutes (coffee break time) another user can do really, really bad things. Even considering forcing a new logon for ESS/MSS, what about E-Mails? File access? And 30 Minutes? Looks like the people working there are really honest or good at concealing security breaches ...

It should be better if you consider a new security policy. Teach the users to lock the computer when they leave. Forcing a new logon for acessing ESS/MSS won't really make it more user friendly or make the useres realize the benefits of ESS/MSS over the portal. It's also not the solution for the underlying security problem. It will make things even more worse.

br,

Tobias

Former Member
‎04-06-2009 3:26 PM
0 Kudos

I fully agree with you guys about SSO. But, have to go with the Management decisions.

As explained, we have configured our Portal with Windows integrated authentication and are looking to remove windows integrated authentication without affecting UME as LDAP?

Removing SPN with setspn -d would disable windows integrated authentication?

Regards

Chandu

hofmann
Active Contributor
‎04-06-2009 3:32 PM
0 Kudos

Hi,

yes, removing the SPN will deactivate SSO for your portal. (Alternative and better solution: change your CIO)

To ensure that nobody will hijack the session after the user has left the computer unlocked, your users have at least to close the browser to prevent misuse of ESS/MSS.

Or you'll have to configure the session timeout of the portal to =< 5 Minutes.

br,

Tobias

Former Member
‎04-06-2009 3:46 PM
0 Kudos

Thanks Tobias for prompt response.

Can you elaborate on

1) Alternative and better solution: change your CIO?

2) Session timeout ?

Are you referring to modifying par file with custom java script for session timeout?

Regards

Chandu

Former Member
‎04-06-2009 8:41 PM
0 Kudos

I believe

change your CIO

was Tobias being funny! He means replace the Chief Information Officer - in other words, get someone who has a more realistic idea about things like security.

hofmann
Active Contributor
‎04-06-2009 8:56 PM
0 Kudos

Hi,

with session timeout I mean: the lifetime of a portal session.

When your currently security policy is set to a 30 minute limit for locking the session and you want to trim it down to 5 minutes mainly because of the ESS/MSS log-in requirement, you should also consider lowering the session timeout to a similiar value.

It doesn't make sense to set an automatic timeout of 5 minutes to the workstation, when the lockout is set to 8h in the portal.

A user can hijack the computer after 4 min 59 sec. When the timeout of the portal session is set to 8h, he can still access the ESS/MSS data. If the timeout of these is set to <5 minutes (consider the thinking time of ESS/MSS), the hijacker / hacker can't gain access to the ESS/MSS in the portal.

But this will only work when your users don't write their passworts down and pin them next to the computer.

BTW: smartcards and thin clients will resolve almost all of your security concerns. I think the portal also supports smartcard authentication (not sure).

br,

Tobias

hofmann
Active Contributor
‎04-03-2009 8:45 PM
0 Kudos

Hi,

when SSO (Kerberos) is configured, everytime a user acesses the portal he will get logged in automatically.

To prevent this, you could install a separate portal for ESS/MSS. This portal will be running under a different FQDN, therefore SSO between Portal + Browser won't work. This portal instance also has to be confiured to not acceppt the Logon Ticket from the other portal.

If a seperate portal isn't feasible:

- the portal needs to be available under 2 FQDNS. 1 is configured for Kerberos SSO, the other one not, like: portal.company.com and mss.company.com

- when the user clicks on MSS/ESS, you'll have to implement a component that will remove the logon information from the browser (internally calling the logoff logic from the masthead).

- with clicking the link, the user will access MSS/ESS under the non-SSO-enabled FQDN (mss.company.com).

br,

Tobias

Show replies
Show replies
Former Member
‎04-04-2009 9:29 AM
0 Kudos

Thanks Tobias. Can you expand your solution regarding setting up 2 FQDNS?

Regards

Chandu

Ask a Question