2012 R2 RDS SSO with IE 8

Hi,
I am having some trouble getting SSO working on a thin client using IE 8, connecting to a 2012 R2 deployment via the RDWeb web access page.
My scenario is thus:
Connection broker with 2 session collections
Gateway server for both internal and external access/policies
Web access server to get a list of available collections/remote apps
Deployment options are set to "Use credentials for remote computers"
Thin clients running Windows embedded standard 09 with IE 8 and RDP version 6.1, supporting protocol 7.0
What I have found is that when I use a thin client running Windows Embedded Standard 7 with IE 10, I am able to log in to the RDWeb page, and the credentials I use to log in are passed to the remote desktop connection when I click on a connection. In this instance, the SSO works correctly, and I only need to enter the credentials once.
With the WES 09 thin client however, I log in to the RDWeb page, and when clicking on the session collection I am prompted twice more for my credentials, meaning the SSO is not working.
I have checked that the URL is in the intranet zone, and that "Automatic logon with current username and password" is checked, but this has not helped.
Is anyone able to suggest things I can check, or do, to get this working?
Thanks, Eds

Hi Eds,
Based on my research, to take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.
More information for you:
Introducing Web Single Sign-On for RemoteApp and Desktop Connections
http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Many thanks Amy,
As I feared, these thin clients are not able to run that version of the client. I guess our users will have to live with this niggle until we can replace all our thin clients.
Thanks, again,
Eds
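The reply's requirement (Remote Desktop Connection 7.0 or later for Web SSO) can be checked across a fleet before users are told to expect single sign-on. This is an added example, not code from the thread: it reads the mstsc.exe file version on each client over remote WMI and maps it to the RDC release; the client names are placeholders, remote DCOM access and local admin rights on the clients are assumed, and the Windows directory is assumed to be C:\Windows.

```powershell
# Added example (not from the thread): inventory which clients can use RDWeb Web SSO.
# Web SSO needs RDC 7.0 or later. RDC 7.0 ships as mstsc.exe file version 6.1.7600
# (Windows 7 RTM and the RDC 7.0 update for XP SP3 / WES 2009); the RDC 6.1 client on
# the WES 2009 thin clients in the thread reports 6.0.6001.
# Assumes remote WMI (DCOM) is reachable on the clients and the caller is a local admin.

$MinWebSsoVersion = [version]'6.1.7600'

function Get-RdcReleaseName {
    param([version]$v)
    switch ($v) {
        { $_ -ge [version]'6.3.0' }    { 'RDC 8.1'; break }
        { $_ -ge [version]'6.2.0' }    { 'RDC 8.0'; break }
        { $_ -ge [version]'6.1.7601' } { 'RDC 7.1'; break }
        { $_ -ge [version]'6.1.7600' } { 'RDC 7.0'; break }
        { $_ -ge [version]'6.0.6001' } { 'RDC 6.1'; break }
        default                        { 'RDC 6.0 or older' }
    }
}

function Get-RdcClientVersion {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    foreach ($c in $ComputerName) {
        $params = @{
            ComputerName = $c
            Class        = 'CIM_DataFile'
            # WQL needs the backslashes doubled; Windows directory assumed to be C:\Windows
            Filter       = "Name='C:\\Windows\\System32\\mstsc.exe'"
            ErrorAction  = 'Stop'
        }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $file = Get-WmiObject @params
            $ver  = [version]$file.Version
            [pscustomobject]@{
                Computer      = $c
                MstscVersion  = $file.Version
                RdcRelease    = Get-RdcReleaseName $ver
                WebSsoCapable = ($ver -ge $MinWebSsoVersion)
                Error         = $null
            }
        } catch {
            # Unreachable clients are reported rather than silently skipped.
            [pscustomobject]@{
                Computer = $c; MstscVersion = $null; RdcRelease = $null
                WebSsoCapable = $false; Error = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder names): list the clients that will still prompt twice on RDWeb.
Get-RdcClientVersion -ComputerName 'TC-WES09-01', 'TC-WES7-01' |
    Where-Object { -not $_.WebSsoCapable } |
    Format-Table -AutoSize
```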

Similar Messages

  • Server 2012 R2 RDS, User Profile Disks are created but local profiles are created as well. The UPDs aren't mounting correctly.

    2012 R2 RDS Deployment with RDCB HA and UPDs enabled. Everything was working fine with no issues until users started getting temporary profiles. Around the same time UPDs were being created but at the same time a user profile was created in C:\Users. 
    I actually rebuilt the entire RDS configuration except the SQL Server. It took about 5 hours and was not that big a deal but.... we still have the same issue! 
    Does anybody have the solution for this?

    Hi,
    In most cases, the issue is caused by locked UPD. And the workaround is to log off the user. Please check if it is the case.
    For example:
    RDS user profile disks - getting error temporary profile are being used as UPD are not accessible
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d4b66fc-b53f-435e-b036-142b6ed15d0b/rds-user-profile-disks-getting-error-temporary-profile-are-being-used-as-upd-are-not-accesible?forum=winserverTS
    Also, please check if you will get the temporary profile when logging on with a local account of the session host server.
    If issue persists, please check if there is any related error in Event Viewer and provide us for further research.
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Windows Server 2012 R2 RDS: RDS Users are unable to delete files from their desktop

    Hello,
    We are working with Windows Server 2012 R2 RDS. We also implemented User Profile Disks. This is all working fine without problems. The only issue I have is that normal users are unable to delete files from their desktop. They are getting a message:
    you'll need administrator permission to delete this file, with the prompt for administrator access.
    They can edit, copy, rename, cut and paste files. But they cannot delete a file from their desktop.
    I checked the security permissions of the files on the desktop (for example a normal self-created PDF file) and the users are owner and have "Full Control" over the files.
    I checked the file permissions and took a look under "Advanced", selecting the specific domain user and checked the "Advanced Permissions" and the user has the "Delete" option checked. So he should be able to delete the file.
    I am guessing this is a UPD-related issue, or something in GPO. But I already unlinked the GPO objects that I felt could be the source of this problem, but without results.
    Could someone give me a hint on where to look? It's kinda annoying to users, that they can't delete their own files.

    Hello Bria,
    What you should check first is the NTFS permissions on the User Profile Disk to begin with. See if the user has full control over the items that are in the UPD.
    Also check the GPO's that are enabled for the user and computer account. You can check that by running: gpresult /h <path>\gpresult.html
    There are two GPO settings that could prevent the user from deleting his/her own items:
    User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer\
    Hide these specified drives in My Computer
    Prevent access to specified drives in My Computer
    There might be other GPO settings that block deleting items on the UPD, but I can't think of any off the top of my head.
    I can only think of NTFS and GPO settings that might prevent the user from deleting items. In my case it was a GPO setting that I didn't suspect.

  • Server 2012R2 -- RDS Farm with XP and Windows Vista Clients

    Hi There,
    My team has been having some fun in getting our Server 2012R2 farm operational, annoyingly MS documentation is severely lacking on how to correctly configure a 2012R2 Farm correctly.
    We have an RDG1-TCC server, which is the RDGateway, RDConnection Broker and RDWeb Server. We have two session host servers RDS1-TCC and RDS2-TCC.
    It took us some time and much online research to figure out exactly how we needed to configure the RDS server as a lot of information online for 2012R2 was apparently incorrect (was based on 2008R2 practices). We started off with using a DNS Round Robin for the RDS Session Host servers and after a number of certificate issues, we later found this was incorrect. We're now using RDWeb exclusively, which appears to be the correct way to have the Connection Broker working?
    We've run into a number of issues with certificates too; we have an external certificate for remote.domain.com. Installing this on all 4 options in the certificate manager has made internal access work correctly via RDWeb, however externally we are getting a certificate mismatch as it's trying to connect to RDG1-TCC with a certificate for remote.domain.com. I'm pretty sure I can resolve this with a replacement remote.domain.com certificate that includes a SAN for *.domain.internal. Testing with a self-signed certificate seemed to resolve this issue.
    Now providing I've configured everything the correct way, we have an issue where RDWeb RDP files do not work internally or externally for XP, Vista or Windows 7 (with RDP 7.1). Windows 8/8.1 and Windows 7 with RDP 8/8.1 updates work perfectly fine. Unfortunately this new client has a few XP machines that they are not willing to update just yet.
    Is there a known fix/workaround to get these older clients working correctly?
    Sorry for the extremely long post, but I'm sick of banging my head against the wall trying to get something working that we assumed would have been fairly simple to get up and running.
    Cheers,
    Ben

    Thanks for the assistance so far, now I have all clients connecting, I need to tackle the certificate issues.
    The UC SAN certificate is going to cost much more than the current certificate, currently that idea is on the back burner as the client does not wish to pay a few hundred extra.
    To quickly sum things up:
    AD DNS(internal DNS) override in place for remote.domain.com.au pointing it to the internal IP of the gateway/connection broker/RDWeb server.
    Connecting Internally its working perfectly fine under all circumstances (I'm guessing this is because of Kerberos Auth)
    When users connect externally via RDWeb they get a certificate mismatch as the cert is for remote.domain.com.au and the server is RDG1-TCC.domain.com.net
    When users connect externally via MSTSC using the Gateway option, they get a certificate mismatch as per the above, however they also receive a second "certificate is not trusted" error for whatever RDS server they hit.
    I have tried the below previously and they broke other things:
    "Change published FQDN for Server 2012 or 2012 R2 RDS Deployment."
    This resolved the external certificate issue. However then internal connections stopped working. When connecting via RDWeb, you would get asked for credentials instantly and no matter what you entered, it just asked for credentials again.
    There did not seem to be ANY event logs for this connection.
    "Changing RDP-Tcp listener on RDSH to use external certificate."
    I can't recall the exact error we had when we did this, but I know we had to roll back the change. I have a feeling we then started getting certificate mismatch errors on the Session Hosts.
    I'm half thinking that when the farm is free (currently being used for application UAT), I'm going to try and reconfigure the RDP-Tcp listener on the RDSH servers again and see if that resolves one or more of our issues.
    Do you have any suggestions on how I can use the correct published FQDN name without breaking internal access? Or any other ideas on getting this entire thing working both internally and externally?
    Also, Dharmesh, I've tried clearing out the certificate cache as suggested, but to no avail.
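The mismatch Ben describes comes down to whether the name a client connects to appears on the certificate each RDS role presents. As an added example (not code from the thread), the script below runs on the server holding the RD Web Access, RD Gateway and RD Connection Broker roles (RDG1-TCC in the thread), reads the certificate bound to each role with the RemoteDesktop module, and reports which expected names are missing from its CN and SAN entries. The expected-name list is a placeholder built from the posted external name plus the local server's internal FQDN; the certificates are assumed to be in the local machine store, and the SAN text parsing assumes an English Windows locale.

```powershell
# Added example (not from the thread): check RDS role certificates for the names clients use.
Import-Module RemoteDesktop

$ExpectedNames = @(
    'remote.domain.com.au',                                      # external name users type (from the post)
    [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # this server's internal FQDN
)

function Get-CertDnsNames {
    # Returns the CN plus every "DNS Name=" entry of the SAN extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) yields one "DNS Name=host" line per entry on English Windows.
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-RdsCertificateNames {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($rc in Get-RDCertificate) {
        if (-not $rc.Thumbprint) {
            [pscustomobject]@{ Role = $rc.Role; Subject = '(no certificate configured)'; Missing = ($Names -join ', ') }
            continue
        }
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $rc.Thumbprint }
        if (-not $cert) {
            [pscustomobject]@{ Role = $rc.Role; Subject = "(thumbprint $($rc.Thumbprint) not in LocalMachine\My)"; Missing = ($Names -join ', ') }
            continue
        }
        $have = Get-CertDnsNames $cert
        # A SAN entry such as *.domain.internal is used as a wildcard pattern here; this is
        # looser than browsers (which only match one label), so treat a match as a hint.
        $missing = $Names | Where-Object { $n = $_; -not ($have | Where-Object { $n -like $_ }) }
        [pscustomobject]@{
            Role    = $rc.Role
            Subject = $cert.Subject
            Names   = ($have -join ', ')
            Missing = ($missing -join ', ')
        }
    }
}

# Any row with a non-empty Missing column explains a name-mismatch warning for that role.
Test-RdsCertificateNames -Names $ExpectedNames | Format-Table -AutoSize -Wrap
```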

  • Best practices for setting up RDS pool, with regards to profiles /appdata

    All,
    I'm working on a network with four physical sites and currently using a single pool of 15 RDS servers with one broker. We're having a lot of issues with the current deployment, and are rethinking our strategy. I've read a lot of conflicting information on how to best deploy such a service, so I'd love some input.
    Features and concerns:
    Users connect to the pool from intranet only.
    There are four sites, each with a somewhat different local infrastructure. Many users are connecting to the RDS pool via thin clients, although some locations have workstations in place.
    Total user count that needs to be supported is ~400, but it is not evenly distributed - some sites have more than others.
    Some of the users travel from one site to another, so that would need to be accounted for with any plans that involve carving up the existing pool into smaller groups.
    We are looking for a load-balanced solution - using a different pool for each site would be acceptable as long as it takes #4 and #7,8 into account.
    User profile data needs to be consistent throughout: My Docs, Outlook, IE favorites, etc.
    Things such as cached IE passwords (for sharepoint), Outlook settings and other user customization needs to be carried over as well.
    As such, something needs to account for the information in AppData/localroaming, /locallow and /local between these RDS servers.
    Ideally the less you have to cache during each logon the better, in order to reduce login times.
    I've almost never heard anything positive about using roaming profiles, but is this one of those rare exceptions? Even if we do that, I don't believe that covers the information in <User>/AppData/* (or does it?), so what would be the best way to make sure that gets carried over between sessions inside the pool or pools?
    The current solution involves using 3rd party apps, registry hacks, GPOs and a mashup of other things and is generally considered to be a poor fit for the environment. A significant rework is expected and acceptable. Thinking outside the box is fine!
    I would relish any advice on the best solutions for deployment! Thank you!

    Hi Ben,
    Thank you for posting in Windows Server Forum.
    Please check the blogs and document below, which help to understand some basic requirements and to set up the new environment in a properly guided manner.
    1. Remote Desktop Services Deployment Guide (Doc)
    2. Step by Step Windows 2012 R2 Remote Desktop Services – Part 1, 2, 3 & 4
    3. Deploying a 2012 / 2012R2 Remote Desktop Services (RDS) farm
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • File Associations in 2012 R2 RDS Server using Roaming Profiles

    Background Information
    We recently moved from using 2008 R2 RDS servers to 2012 R2 RDS Servers. All of our users have roaming profiles. When we migrated from the old terminal servers to the new terminal servers, the users got completely new profiles. The only things moved from their old profiles were documents and items on their desktops. We have multiple PDF viewers/editors installed on our RDS servers, mostly due to the cost difference between Adobe Acrobat and other, cheaper products that a lot of our users can get away with using that don't need the functionality of Adobe Acrobat.
    The Problem
    Ever since moving to the new 2012 R2 RDS servers, whenever our users log off the terminal server, the next time they log in their default PDF Viewer association doesn't load, and they have to go through the process of choosing a default PDF viewer. This only occurs when there's more than one PDF viewer installed on the server. We've tested it with only one PDF viewer program, and the setting remains after logging off and back on. The problem we've found is that the registry key that houses the default user choice:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
    when set during the session, to Adobe Acrobat 11 for example, reads as such inside that registry key. For example, the Progid key will say Acrobat.Document.11 and this setting will persist until the user logs off. Upon logging off and back on to the terminal servers, if you look at that same Progid key, it has been converted into a Hash value, and the Operating System is unable to read the hashed value and determine what that user's default PDF Viewer choice is, causing them to have to go through the process of setting it again.
    Things we've tried
    We created a GPO that runs a script that exports the registry key upon log off that has the non-hashed value, and have it set to import that value on log on. However, by default this registry key has the DENY WRITE permission applied to it, so when the system tries to import the registry key through the login script it is unable to do so.
    Summary
    This issue only started happening once we moved over to 2012 R2 RDS servers. It only occurs for users using Roaming Profiles. It only occurs when we have multiple PDF Viewers installed on the servers. Any insight on why this is happening or how to resolve it would be greatly appreciated.

    I would use GPP to push the value, 'not hashed'. You can give rights to the registry too, like adding the Everyone group to that registry branch. (https://technet.microsoft.com/en-ca/library/cc753092.aspx)
    Regards, Philippe
    Don't forget to mark as answer or vote as helpful to help identify good information. (A LinkedIn endorsement never hurt too :o))
    Answer an interesting question? Create a wiki article about it!

  • 2012 R2 RDS Shadowing "Permissions"

    Hi All,
    Just wondering if anyone has found a "workaround" for the requirement to be an Administrator to perform Remote Desktop Shadowing in Server 2012 R2?
    We are a software development company, who offers a Remote Desktop service to our customers to use our software. Our support team needs to be able to take control of these sessions to support them.
    We made the leap to 2012 R2 purely for the shadowing feature being re-implemented. However allowing 50+ support staff, some who have little to no knowledge of Server OSes, to have administrative control on an RDS server farm, including the AD server which is the Connection Broker, is just not an option.
    The best I can come up with is to lock down permissions on all Administrative Tools to these users with explicit Deny ACLs, but that does not stop them from being able to launch Add/Remove Server Roles, and perform other tasks within Server Manager.
    Also due to the Server Manager integration, gone are the days where you could permit a Terminal Services MMC for these users like we did in the "old days" of 2003.
    Does anyone have any brilliant ideas in regards to either enabling Shadowing without Administrator rights, or locking down Server Manager to a set task list?
    Thanks,
    Nash

    Hi Nash,
    A user does not need to be an Administrator to shadow other sessions under Server 2012 R2 RDS. You need to grant the non-admin user/group permissions to the RDP-Tcp listener on each RDSH server.
    To do this, first create a security group in your domain and add the users as members that you would like to have shadow permission. Next log on to each 2012 R2 RDSH server, open an administrator command prompt, and enter the following command (substitute your domain and group name):
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName ="RDP-Tcp") CALL AddAccount "domain\group",2
    The non-admin user can use the query session command to retrieve a list of logged-on users:
    query session
    If they want to view and control another session they may use the following command:
    mstsc /shadow:<sessionid> /control
    -TP
    Brilliant! Thanks heaps - I saw this one a little earlier from the previous post and couldn't wait to give it a run.
    Dharmesh, despite saying it's not possible, the link you posted points to an article where the above process is outlined.
    Appreciate the input guys, I will post back with the outcome!
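The wmic command in the reply can be applied to every session host and, more importantly, reviewed afterwards. As an added example (not code from the thread), the script below grants the support group access to the RDP-Tcp listener with the same Win32_TSPermissionsSetting.AddAccount call and then lists every account that holds listener permissions on each host, so the grant and any pre-existing entries can be audited. Server and group names are placeholders; the caller is assumed to be an administrator on the session hosts.

```powershell
# Added example (not from the thread): grant and audit RDP-Tcp listener permissions.
# PermissionPreSet 2 in AddAccount is the listener's Full Control preset: it allows
# viewing and controlling sessions, but also logging off, disconnecting and messaging
# them, so keep the group small and review who holds it. Whether the shadowed user must
# consent is governed separately by the "Set rules for remote control of Remote Desktop
# Services user sessions" policy, not by this listener permission.
$Servers = @('RDSH01', 'RDSH02')                 # placeholder session host names
$Group   = 'CONTOSO\RDS-Shadow-Operators'        # placeholder support group
$Ns      = 'root\CIMV2\TerminalServices'

function Grant-RdpListenerAccess {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$Account,
        [int]$PermissionPreSet = 2                # 0 = Guest, 1 = User, 2 = Full Control
    )
    # The TerminalServices namespace requires packet privacy for remote DCOM calls.
    $listener = Get-WmiObject -ComputerName $Computer -Namespace $Ns -Authentication PacketPrivacy `
        -Class Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
    $r = $listener.AddAccount($Account, $PermissionPreSet)
    [pscustomobject]@{ Computer = $Computer; Account = $Account; ReturnValue = $r.ReturnValue }
}

function Get-RdpListenerAccounts {
    # Win32_TSAccount holds one row per account with an ACE on the listener;
    # PermissionsAllowed/PermissionsDenied are the raw access masks.
    param([Parameter(Mandatory)][string]$Computer)
    Get-WmiObject -ComputerName $Computer -Namespace $Ns -Authentication PacketPrivacy `
        -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
        Select-Object @{n = 'Computer'; e = { $Computer }}, AccountName, PermissionsAllowed, PermissionsDenied
}

# 1. Grant on every host (ReturnValue 0 means success).
$grants = foreach ($s in $Servers) { Grant-RdpListenerAccess -Computer $s -Account $Group }
$grants | Format-Table -AutoSize

# 2. Audit: anything beyond Administrators, SYSTEM, Remote Desktop Users and the
#    support group deserves a question.
$Servers | ForEach-Object { Get-RdpListenerAccounts -Computer $_ } | Format-Table -AutoSize
```

The non-admin operator still uses `query session` and `mstsc /shadow:<sessionid> /control` exactly as the reply describes.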

  • Users Cannot Change Passwords on a Server 2012 R2 RDS Farm

    Hello, I have a Server 2012 R2 RDS Farm consisting of 1 server that has connection broker and gateway configured and 4 RDS Session Hosts. This works great; I even have a separate remote app farm to distribute the apps to the servers. My main issue is passwords and the lack of the EU ability to change these; listed below are my symptoms.
    Users password has expired denied logon instantly with no ability to change password.
    User tries to change password whilst in 30 day warning period using ctrl alt end the user is advised the password does not meet complexity requirements I have checked this and they do meet them.
    Expired passwords can be changed via the RDWeb site however this is not an option for us.
    Chris

    Hi,
    Firstly, based on my knowledge, remote users may have to change their passwords before they expire. If not, they have to use OWA or log on locally to change their passwords.
    Regarding the issue, please let us know if the following policies are enabled in your domain.
    Enforce password history
    Minimum password age
    Also, does a local domain user have the same issue?
    Thanks.
    Jeremy Wu
    TechNet Community Support

  • Resizing User Profile Disks in Existing Server 2012 R2 RDS Deployment Question

    Once the initial maximum size is set and the VHDXs have been created in a Server 2012 R2 RDS deployment, will attempting to increase Collection's maximum UPD size by say.. issuing a Powershell command of:
    Set-RDSessionCollectionConfiguration -CollectionName MySpiffyNewCollection -MaxUserProfileDiskSizeGB 10
    over-write the existing VHDXs instead of simply increasing their size? (max size is currently 5GB)
    I'm not at a point where I can test this in a lab condition to find out, and I have not found this question asked (or at least not definitively answered) in this forum yet.
    -G

    Hi,
    Thank you for posting in Windows Server Forum.
    We can resize the UPD file with below command:
    Resize-VHD -Path c:\BaseVHDX.vhdx -SizeBytes 1TB
    After running this, mount the .vhdx file and open Disk Management; there will be unallocated space, and then you can click Extend Volume and it's done.
    You can refer following article for more information.
    Resize User Profile Disks
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
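The reply's two manual steps (Resize-VHD, then extend the volume inside) can be done for one UPD in a single scripted pass. This is an added example, not code from the thread: it refuses to touch a disk that is still open (a logged-on user holds the UPD, which is the locked-UPD situation described in the first similar message), grows the container, mounts it without a drive letter, extends the last partition to the new maximum and dismounts again. The UPD path and the 10 GB target are placeholders, and the Hyper-V PowerShell module is assumed to be installed on the host running it.

```powershell
# Added example (not from the thread): grow one existing User Profile Disk in place.
# Resize-VHD only enlarges the VHDX container; the NTFS volume inside keeps its old
# size until the partition is extended, which is the second step below.
Import-Module Hyper-V

function Test-FileUnlocked {
    # Opens the file with no sharing; fails if a session host (or a mount) holds it.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        $true
    } catch { $false }
}

function Expand-UserProfileDisk {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][uint64]$SizeBytes
    )
    if (-not (Test-FileUnlocked $Path)) {
        throw "$Path is in use (user logged on or disk still mounted); not resizing."
    }
    $before = (Get-VHD -Path $Path).Size
    if ($SizeBytes -le $before) {
        throw "Requested size $SizeBytes must exceed the current size $before."
    }

    Resize-VHD -Path $Path -SizeBytes $SizeBytes
    # Mount without a drive letter so nothing on this host starts using the volume.
    $disk = Mount-VHD -Path $Path -NoDriveLetter -PassThru | Get-Disk
    try {
        $part = Get-Partition -DiskNumber $disk.Number |
            Sort-Object PartitionNumber | Select-Object -Last 1
        $max = (Get-PartitionSupportedSize -DiskNumber $disk.Number `
            -PartitionNumber $part.PartitionNumber).SizeMax
        Resize-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -Size $max
        $after = (Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber).Size
    } finally {
        # Always release the file, otherwise the next logon gets a temporary profile.
        Dismount-VHD -Path $Path
    }
    [pscustomobject]@{ Path = $Path; VhdBefore = $before; VhdAfter = $SizeBytes; VolumeAfter = $after }
}

# Usage (placeholder path): raise one user's UPD from 5 GB to the collection's new 10 GB maximum.
Expand-UserProfileDisk -Path '\\FS01\UPD$\UVHD-S-1-5-21-PLACEHOLDER.vhdx' -SizeBytes 10GB
```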

  • How to add Windows 2012 R2 RDS to Existing Windows 2008 R2 Terminal Server

    I currently have a Windows 2008 R2 Terminal Server running and I am looking to add a Windows Server 2012 R2 server to it. All I see when I google the setup is only for Windows Server 2012 R2 RDS; I can't find anything to integrate with a current 2008 R2 Terminal Server.
    Can anyone help with this or point me to a blog I possibly missed?
    Thanks.

    Hi,
    Thanks for your comment.
    Yeah, I agree with diramoh, as already commented. If you want user sessions from RDS Server 2012 R2 then you need to install the RDS Licensing role on Server 2012 R2, purchase and install RDS CALs (per user or per device) according to your requirement, and then you can use user sessions for Server 2012 R2 and also for lower versions.
    But as you already have Server 2008 R2 RDS CALs, with those you can simply access lower versions but can't manage Server 2012\R2.
    For more information, you can refer following document.
    Licensing
    Windows Server 2012 R2 Remote Desktop Services
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • 10g - how to configure sso with iis-

    hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
    but I always meet this message.
    Not Logged In
    You are not currently logged in to the Oracle BI Server.
    If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
    what steps are missing?
    how to check?

    hi, experts,
    I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
    At Thu Feb 17 14:48:46 2011, I logged in to OBI on another machine (not via the browser on the OBI server).
    However, the log shows the login user is the administrator of the OBI server (obiserver\administrator).
    Is any setup on IIS wrong? Thank you very much!
    =========================================================================================
    Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
    Type: Error
    Severity: 40
    Time: Thu Feb 17 14:48:46 2011
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-1,1;ThreadID-1796
    Location:
         saw.odbc.connection.open
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
    Type: Error
    Severity: 42
    Time: Thu Feb 17 14:48:46 2011
    File: project/webconnect/connection.cpp Line: 276
    Properties: ThreadID-1796
    Location:
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    ---------------------------------------

  • SSO with Logon Ticket to non-SAP Unix based application

    Hi all,
    Has anyone implemented SSO with Logon Ticket to a Unix box?
    We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
    We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
    From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
    -> Are there any Java libraries that are available to both:
    . verify the logon ticket with the deployed Portal public key
    . decrypt/extract the authenticated username from this ticket ??
    I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
    Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
    I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000!! Does anyone have more information about this?
    Any hint is very much appreciated.
    Thanks a lot
    Olivier

    Check these links for reference regarding AIX and Apache using X.509 certificates:
    http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
    And just using cookies -
    http://forums.devshed.com/archive/t-105611 (perl based)
    You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
    The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
    Nick

  • SSO with KRB/ADS on Enterprise Portal 7

    Dear All
    While I am trying to configure SSO with KRB/ADS on Enterprise Portal 7 I am getting this in the trace file. I completed the configuration through SpNego and when I try to log in it's prompting for user name and password.
    I have attached the trace file extract for your advice.
    Regards
    Buddhike
    #1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
    sap.com/com.sap.security.core.admin
    #com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
    #0#0#Error#1#/System/Security/Authentication#Plain###
    LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
    Login Module                                   Flag      Initialize  Login      Commit  Abort  Details
    1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL  ok          exception         false  null#
    #1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
    [EXCEPTION]
    #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
    Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
         at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
         ... 9 more
    Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
         at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
         ... 23 more

    Hi,
    Please check if the options defined in the Krb5LoginModule are correct.
    First of all check the option principal. Did you provide this option and also provide the correct value?
    This error often occurs if you provided a wrong value for the option principal.
    Cheers

  • SSO with ITS & Webenabling WEBGui

    Hello,
    We have configured SSO with R/3 system. It works fine.
    The requirement is that we have to web-enable the R/3 system through SAP GUI for Windows and SAP GUI for HTML.
    We are able to do both in the development environment, where both R/3 and the portal have the same host names.
    But in the QA environment, we are able to web-enable R/3 with SAP GUI for Windows and the SSO also works fine. But when we try using SAP GUI for HTML, it asks for the username and password again. Here the portal and R/3 have different host names.
    Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why it is not working?
    Regards,
    Rukmani

    Hi all,
    it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
    My suggestion is: do not skip even simple steps; sometimes the problem appears there.
    Regards,
    Pavol

  • SSO with EP 6.0 and R/3 as backend not working

    Hi , 
    I am implementing ESS in EP 6.0 with R/3 4.7c as backend. SSO is working with UIDPW, but when I try with Logon Tickets it does not work.
    I tried with an ordinary SAP transaction; SSO with logon tickets works. But through ITS, if I call an ESS transaction service it asks me for login user and password.
    What are the settings to be done in ITS for SSO to work? I have set the parameter
    msapcomusesso2cookie = 1 in the global.srvc file.
    I do not know what is wrong. Please help.
    Regards,
    Ramesh

    Hi,
      I am using a standalone ITS for a R/3 4.7 system.
    How should I maintain a FQDN for ITS?
    You are right,
    now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
    But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
    Can you please tell me where I should maintain the FQDN in the specific format you suggested?
    Regards,
    Ramesh
