on 07-30-2015 7:40 PM
SSO experts,
We have SPNEGO set up for one of our AS JAVA 7.4 SP8 systems (NOT a portal!). SSO works great!
SSO works great for things like:
NWA
UME
http://hostnameFQDN:port/useradmin
RedwoodCPS (v8.33.112) --> we have ETPRJSCHEDULER deployed and we pay for the full version.
http://hostnameFQDN:port/scheduler
My issue is that SOME users don't want to use their AD userID to SSO to the redwood URL above. They want to put in a different username and a password. I thought to myself, OK, no big deal, just add the ?spnego=disabled at the end of the URL right?
Well, that doesn't work on the Redwood CPS URL above. It just gets ignored and goes right into SSO!
Now, for the NWA, the ?spnego=disabled DOES work like it is supposed to! Forcing the username/pass login.
http://hostnameFQDN:port/nwa?spnego=disabled
For the UME, http://hostnameFQDN:port/useradmin?spnego=disabled doesn't work either, but I can see the URL gets extended to /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/UmeAdminApp, and if you stick ?spnego=disabled at the end of that, it will force username/password.
But at any rate, the point is I want Redwood CPS to force a userID/pass screen using http://hostnameFQDN:port/scheduler?spnego=disabled, but this does not work.
I also tried http://hostnameFQDN:port/scheduler/ui?spnego=disabled but still no good.
Any ideas?
thanks
NICK
Hello Nick,
Does the RedwoodCPS application use the SPNEGO authentication of SAP AS Java, or does it implement it on its own? Can you check the traces collected with the security troubleshooting tool with incident type "Authentication" (http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4e/961adccb0c4f1db41023c755c7c519/frameset.htm)? Are there any records with the "LOGIN.OK" string for this application, and if yes, does the authentication table contain the SPNegoLoginModule?
Additional hints:
- You can also disable SPNEGO authentication using the HTTP header "x-sap-spnego: disabled". If set by a reverse proxy, it won't be affected by any redirects/URL expansions; however, it will affect all users. Still, you can try it out.
- Using the latest component for risk-based authentication of the SAP SSO product, you can write a policy that certain users (members of a specific group, for example) cannot authenticate with SPNEGO, and/or from certain IPs, etc. The functionality is quite flexible and powerful. In this case the users won't need to play with URL parameters; of course, a prerequisite is that the RedwoodCPS application is using the authentication infrastructure of SAP AS Java.
Regards,
Dimitar
Hey Dimitar,
Thanks for responding. Sorry I didn't make it clearer, but yes, the Redwood CPS login uses the same mechanism as NWA, useradmin which in my case, are both tied to Microsoft AD. Before I had enabled SSO via SPnego, I logged in with my AD credentials to all of those: NWA, useradmin, Redwood CPS.
After SPnego, it's all SSO. But I can use the "?spnego=disabled", in the NWA/useradmin URL to force a login, but not for Redwood CPS. But again, it's just a URL, nothing fancy.
That other thing you said about changing the header, sounds neat, but I don't really know what to do. When you say "use HTTP header x-sap-spnego: disabled" I don't know what to do with that.
I'm not getting into any of that "risk based" stuff. I don't need this any more complicated than it already is, but thanks for saying that.
As far as that help link goes for "tshw", I followed that: select incident "Authentication", then reproduced with the ....50000/scheduler?spnego=disabled
Here's what I found:
Then,
So yes, I did get a "LOGIN.OK" string and the application is using SPnego.
But again, it seems to be ignoring the "?spnego=disabled" and I really just want that to work.
NICK
Hi,
Can you click on the 4th cell "HTTP Worker [@1600827039],5,..." of the LOGIN.OK trace? This is the name of the thread, and after clicking on it only the traces from this thread will be shown. The first one should contain the HTTP request to the scheduler application. Can you please attach a screenshot of it?
Regards,
Dimitar
Hi Nick,
Unfortunately I cannot see from the traces why it fails. If you want the issue to be further investigated then open a ticket in BC-JAS-SEC-LGN.
Instead of using the parameter "spnego=disabled", you can simply access the system by IP. In that case the SPNEGO authentication won't work and you should be able to log in with username/password.
Regards,
Dimitar
Hi Nick,
The request that triggers the SPNEGO authentication is to the following resource and there the URL parameter "?spnego=disabled" is missing:
Request:
CLIENT: 1584 [a.b.c.d : 60668], REQUEST:
GET /scheduler/ui/login/login_jee.jsp HTTP/1.1
accept: */*
accept-language: en-US
Response:
CLIENT: 1584 [a.b.c.d : 60668], REPLY:
HTTP/1.1 401 Unauthorized
CLIENT: 1584 [a.b.c.d : 60668], REPLY:
Server: SAP NetWeaver Application Server 7.42 / AS Java 7.40
WWW-Authenticate: Negotiate
Set-Cookie: com.sap.engine.security.authentication.original_application_url=GET#xxx;Path=/scheduler;HttpOnly
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Length: 1537
Date: Wed, 05 Aug 2015 16:09:15 GMT
Does it work to directly access this page and add the missing parameter to disable SPNEGO? If that is some embedded page, this might not work and you would need to ask the vendor of the application to "propagate" the URL parameter.
Regards,
Dimitar
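To make the two points in this thread concrete (Dimitar's earlier hint that a reverse-proxy-injected "x-sap-spnego: disabled" header survives redirects and URL expansions, and the trace above showing that the "?spnego=disabled" query string is dropped when /scheduler expands to /scheduler/ui/login/login_jee.jsp), here is a small constructed model of that decision logic. It is an added illustration, not SAP's or Redwood's code: the gate, the expansion table, and the proxy rule are assumptions that mimic the behaviour described in the posts, so the only thing it demonstrates is why the parameter is lost on one path and the header is not.

```python
"""Constructed model of the SPNEGO bypass behaviour discussed in this thread.

Assumptions (not SAP or Redwood code): a SPNEGO-protected resource answers
"401 Negotiate" unless the request carries either the URL parameter
"spnego=disabled" or the header "x-sap-spnego: disabled"; some applications
expand a short URL to their real login page without propagating the query
string, exactly what the trace for /scheduler shows.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

NEGOTIATE = "401 WWW-Authenticate: Negotiate"
FORM_LOGIN = "form login (username/password)"


@dataclass
class Request:
    path: str                      # path, optionally with a query string
    headers: dict = field(default_factory=dict)


def spnego_disabled(req: Request) -> bool:
    """True if the client asked to bypass SPNEGO via URL parameter or header.

    Header names are matched case-insensitively, as HTTP requires.
    """
    query = parse_qs(urlsplit(req.path).query)
    if query.get("spnego", [""])[0].strip().lower() == "disabled":
        return True
    headers = {k.lower(): v for k, v in req.headers.items()}
    return headers.get("x-sap-spnego", "").strip().lower() == "disabled"


def gate(req: Request) -> str:
    """Challenge a SPNEGO-protected resource returns for this request."""
    return FORM_LOGIN if spnego_disabled(req) else NEGOTIATE


# Assumed URL expansions taken from the posts: the application redirects the
# short entry URL to its real login page. The query string is only carried
# along when the application "propagates" it (Dimitar's term).
EXPANSIONS = {
    "/scheduler": "/scheduler/ui/login/login_jee.jsp",
    "/useradmin": "/webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/UmeAdminApp",
}


def expand(req: Request, propagate_query: bool = False) -> Request:
    """Apply the application's URL expansion; headers always survive."""
    parts = urlsplit(req.path)
    target = EXPANSIONS.get(parts.path)
    if target is None:
        return req                              # e.g. /nwa: no expansion at all
    query = "?" + parts.query if (propagate_query and parts.query) else ""
    return Request(target + query, dict(req.headers))


def proxy_inject(req: Request) -> Request:
    """What a reverse-proxy rule would do: stamp the header on every request."""
    headers = dict(req.headers)
    headers["x-sap-spnego"] = "disabled"
    return Request(req.path, headers)


def outcome(path: str, via_proxy: bool = False, propagate_query: bool = False) -> str:
    """End-to-end result for one browser request, optionally through the proxy."""
    req = Request(path)
    if via_proxy:
        req = proxy_inject(req)
    return gate(expand(req, propagate_query))


if __name__ == "__main__":
    for path, proxy, prop in [
        ("/nwa?spnego=disabled", False, False),
        ("/scheduler?spnego=disabled", False, False),
        ("/scheduler/ui/login/login_jee.jsp?spnego=disabled", False, False),
        ("/scheduler?spnego=disabled", False, True),
        ("/scheduler", True, False),
    ]:
        print(f"{path:55} proxy={proxy!s:5} propagate={prop!s:5} -> "
              f"{outcome(path, proxy, prop)}")
```

The model reproduces the thread: /nwa?spnego=disabled reaches the form login because nothing strips the query, /scheduler?spnego=disabled loses the parameter during expansion and gets the Negotiate challenge, adding the parameter directly to login_jee.jsp works, and the proxy-injected header works regardless of expansion because headers are not rewritten. The proxy route, as noted above, applies to every user behind that proxy, so in practice it belongs on a separate hostname or listener rather than the main SSO entry point.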