disable SPNEGO for pure Java AS 7.4 SP8 with redwood CPS

Former Member
0 Kudos

SSO experts,

We have SPNEGO setup for one of our AS JAVA 7.4 SP8 systems  (NOT a portal!).  SSO works great!

SSO works great for things like:

NWA

http://hostnameFQDN:port/nwa

UME

http://hostnameFQDN:port/useradmin

RedwoodCPS  (v8.33.112) --> we have ETPRJSCHEDULER deployed and we pay for the full version.

http://hostnameFQDN:port/scheduler

My issue is that SOME users don't want to use their AD userID to SSO to the redwood URL above.  They want to put in a different username and a password.  I thought to myself, OK, no big deal, just add the ?spnego=disabled at the end of the URL right?

Well, that doesn't work on the redwood CPS URL above.  It just gets ignored and goes right into SSO!

Now, for the NWA, the ?spnego=disabled DOES work like it is supposed to!  Forcing the username/pass login.

http://hostnameFQDN:port/nwa?spnego=disabled

For the UME, http://hostnameFQDN:port/useradmin?spnego=disabled doesn't work either, but I can see the URL gets extended to /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/UmeAdminApp and if you stick ?spnego=disabled at the end of that, it will force username / password.

But at any rate, the point is I want RedwoodCPS to force a userID/pass screen using the http://hostnameFQDN:port/scheduler?spnego=disabled URL, but this does not work.

I also tried http://hostnameFQDN:port/scheduler/ui?spnego=disabled but still no good.

Any ideas?

thanks

NICK

Accepted Solutions (1)


former_member182254
Active Participant
0 Kudos

Hello Nick,

Does the RedwoodCPS application use the SPNEGO authentication of SAP AS Java or implement it on its own? Can you check traces collected with the security troubleshooting tool with incident type "Authentication" - http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4e/961adccb0c4f1db41023c755c7c519/frameset.htm. Are there any records with "LOGIN.OK" string for this application and, if yes, does the authentication table contain the SPNegoLoginModule?

Additional hints:

- You can disable the SPNEGO authentication also using HTTP header "x-sap-spnego: disabled". If set by a reverse proxy it won't be affected by any redirects/URL expansions, however it will affect all users. Still you can try it out.

- Using the latest component for risk-based authentication of SAP SSO product you can write a policy that certain users (members of a specific group for example) cannot authenticate with SPNEGO, and/or from certain IPs, etc. The functionality is quite flexible and powerful. In this case the users won't need to play with URL parameters, of course a prerequisite is that the RedwoodCPS application is using the authentication infrastructure of SAP AS Java.

Regards,

Dimitar

Former Member
0 Kudos


Hey Dimitar,

Thanks for responding.  Sorry I didn't make it clearer, but yes, the Redwood CPS login uses the same mechanism as NWA, useradmin which in my case, are both tied to Microsoft AD.  Before I had enabled SSO via SPnego, I logged in with my AD credentials to all of those: NWA, useradmin, Redwood CPS.

After SPnego, it's all SSO.  But I can use the "?spnego=disabled", in the NWA/useradmin URL to force a login, but not for Redwood CPS.  But again, it's just a URL, nothing fancy.

That other thing you said about changing the header, sounds neat, but I don't really know what to do.  When you say "use HTTP header x-sap-spnego: disabled" I don't know what to do with that.

I'm not getting into any of that "risk based" stuff.  I don't need this any more complicated than it already is, but thanks for saying that.

As far as that help link goes for "tshw", I followed that.  Select incident "Authentication".

Then reproduced with the ....50000/scheduler?spnego=disabled

Here's what I found:

Then,

So yes, I did get a " LOGIN.OK" string and the application is using SPnego.

But again, it seems to be ignoring the "?spnego=disabled" and I really just want that to work.

NICK

former_member182254
Active Participant
0 Kudos

Hi,

Can you click on the 4th cell "HTTP Worker [@1600827039],5,..." of the LOGIN.OK trace? This is the name of the thread and after clicking on it only the traces from this thread will be shown. The first one should contain the HTTP request to the scheduler application. Can you please attach a screenshot of it?

Regards,

Dimitar

Former Member
0 Kudos

Hey Dimitar,

Thanks again for responding to my thread.  Sorry for the delay, hopefully this is what you want to see:

NICK

former_member182254
Active Participant
0 Kudos

Hi Nick,

Unfortunately I cannot see from the traces why it fails. If you want the issue to be further investigated then open a ticket in BC-JAS-SEC-LGN.

Instead of using parameter "spnego=disabled" you can simply access the system by IP. In that case the SPNEGO authentication won't work and you should be able to login with username/password.

Regards,

Dimitar

Former Member
0 Kudos

Hello!

Yeah, I didn't think of that.  That does work, like you said.  That might be the way to go.

Yes, I already have a message opened in that component, just waiting....

I'll update the thread based on what they say,

Thank you!

NICK

former_member182254
Active Participant
0 Kudos

Hi Nick,

Can you attach the complete traces in the support ticket and provide me the ticket number so that I can have a look?

Regards,

Dimitar

Former Member
0 Kudos

Yep, did that!

601942 / 2015

former_member182254
Active Participant
0 Kudos

Hi Nick,

The request that triggers the SPNEGO authentication is to the following resource and there the URL parameter "?spnego=disabled" is missing:

Request:

CLIENT: 1584 [a.b.c.d : 60668], REQUEST:

GET /scheduler/ui/login/login_jee.jsp HTTP/1.1

accept: */*

accept-language: en-US

Response:

CLIENT: 1584 [a.b.c.d : 60668], REPLY:

HTTP/1.1 401 Unauthorized

CLIENT: 1584 [a.b.c.d : 60668], REPLY:

Server: SAP NetWeaver Application Server 7.42 / AS Java 7.40

WWW-Authenticate: Negotiate

Set-Cookie: com.sap.engine.security.authentication.original_application_url=GET#xxx;Path=/scheduler;HttpOnly

Content-Type: text/html; charset=UTF-8

Content-Encoding: gzip

Content-Length: 1537

Date: Wed, 05 Aug 2015 16:09:15 GMT

Does it work to directly access this page and add the missing parameter to disable SPNEGO? If that is some embedded page this might not work and you would need to ask the vendor of the application to "propagate" the URL parameter.

Regards,

Dimitar
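As an added diagnostic example (not code from the thread, SAP or Redwood), the following Python parses an exchange shaped like the trace above, reports whether the 401 Negotiate was issued because the opt-out (the ?spnego=disabled parameter, or the x-sap-spnego header mentioned earlier) was absent from the request, and shows how a client could carry the parameter across a redirect to the login page. The host, port and trace text are constructed.

```python
"""Diagnose an AS Java SPNEGO challenge and propagate the opt-out parameter."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, urljoin

# Constructed sample modelled on the trace in the thread (not the real capture).
TRACE = """\
GET /scheduler/ui/login/login_jee.jsp HTTP/1.1
accept: */*
accept-language: en-US

HTTP/1.1 401 Unauthorized
Server: SAP NetWeaver Application Server 7.42 / AS Java 7.40
WWW-Authenticate: Negotiate
Set-Cookie: com.sap.engine.security.authentication.original_application_url=GET#xxx;Path=/scheduler;HttpOnly
Content-Type: text/html; charset=UTF-8
"""

def _headers(lines):
    # Lower-case header names so lookups are case-insensitive.
    return {k.strip().lower(): v.strip() for k, v in
            (l.split(":", 1) for l in lines if ":" in l)}

def parse_exchange(trace):
    """Return (request path, request headers, status, response headers)."""
    req, resp = trace.split("\n\n", 1)
    req_lines, resp_lines = req.splitlines(), resp.splitlines()
    path = req_lines[0].split()[1]
    status = int(resp_lines[0].split()[1])
    return path, _headers(req_lines[1:]), status, _headers(resp_lines[1:])

def is_spnego_challenge(status, resp_headers):
    return status == 401 and "negotiate" in resp_headers.get("www-authenticate", "").lower()

def spnego_disabled(url):
    return dict(parse_qsl(urlsplit(url).query)).get("spnego") == "disabled"

def propagate_opt_out(original_url, location):
    """Re-attach spnego=disabled when a redirect target has dropped it."""
    target = urljoin(original_url, location)
    if not spnego_disabled(original_url) or spnego_disabled(target):
        return target
    parts = urlsplit(target)
    query = urlencode(parse_qsl(parts.query) + [("spnego", "disabled")])
    return urlunsplit(parts._replace(query=query))

def diagnose(trace):
    path, req_h, status, resp_h = parse_exchange(trace)
    if not is_spnego_challenge(status, resp_h):
        return "no SPNEGO challenge"
    if req_h.get("x-sap-spnego", "").lower() == "disabled" or spnego_disabled(path):
        return "opt-out present but server still challenged; open a ticket"
    return f"opt-out not propagated to {path}; the challenge is expected"
```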

Answers (1)


Chenyang
Contributor
0 Kudos

Hi Nick,

I assume this particular CPS application is using the standard ticket template, which is forced to use SPNego SSO. Is it possible to change the authentication template from ticket to basic, so that SSO can be disabled for this app?

Something like this.

Cheers

Chenyang Xiong