Configure portal to issue ticket (MYSAPPSSO2 cookie) for "higher" domain
Hello all,
we have an EP 7.00 (SP 22) which can be accessed using the following (faked) fully qualified URL:
https://host.sd1.sd2.mycompany.de:[HTTPS-port]/irj/portal
When logging on to the portal with username and password, the portal issues a logon ticket. In the browser, I can see the MYSAPSSO2 cookie and it is for the following domain:
.sd1.sd2.mycompany.de
From the portal, we call some BI report applications, which run on WebFocus. The WebFocus server is in the following domain:
.sd3.sd4.mycompany.de
Single sign-on does not work. It only works, if we modify the domain of the MYSAPSSO2 cookie (this we achieved with a firefox-addon) and "cut off" the two subdomains .sd3.sd4
My question: is it possible, to configure the portal in such a way, that the MYSAPSSO2 cookie is issued for domain
.mycompany.de ?
I have read some hints on domain relaxing. But I am not sure, if setting the parameter ume.logon.security.relax_domain.level would help us. If I understood it correctly, we would need to set the value to 3.
Best regards,
Philipp Hinnah
Hi Philipp,
yes, relax_domain is the correct parameter. By the way - use the search function in SDN and you will find a lot of threads around this issue. And also you would have found the answer.
Anja
Similar Messages
-
Seeting cookies for different domain with port number
Hi,
I've been desperately trying to solve this for a few days now so thought i'd give up and ask.
Basically, when a user logs into the website, the idea is for them to be automatically logged into the bulleting board. This is being done by setting a cookie(I won't go into detail as it's not relevent).
The cookie is being created in one domain (.stage.csu.ac.uk) and needs to be used by another, .prospects.ac.uk. However, the board is on servername.prospects.ac.uk:81, which means that the cookie isn't being picked up.
I've been tearing my hair out for days about this. I can't change the fact it's using port 81, and there's no other way of doing this log in.
If ANYONE can help, I would not be able to say thanks enough.
Sam.Perhaps you can call a jsp on the other server to set the cookie for you, for example by loading it in a hidden iframe?
This has some maintainance issues because you need to provide a full url to the jsp on the other server, so if anything changes (port number for example) then this solution will break. -
How to clear cookies for a single domain?
The new Developer Tools on IE 11 is terrible.
Previously, we can clear session cookies for the current page or clear cookies for the whole domain (of the current page). My page is now showing
www.facebook.com and I am logged in to Facebook. I click the Network icon followed by the Clear cookies icon. Then I hit Enter in the Address box (note: not F5). Fiddler2 shows that IE 11 is submitting lots
of facebook.com cookies (act, c_ser, csm, p, presence, s, xs).
According to
http://msdn.microsoft.com/en-us/library/ie/dn255004(v=vs.85).aspx "Clear cookies ensures that all cookies related to the current domain are removed, so that you get the experience of loading the page for the first time."
Are there any hidden configurations I must do to have Clear cookies to work?
Thanks.
PS: Chrome is so much more flexible. Not only can I clear cookies for the domain of the current page, but also any or all domains which the current page loads via script.Hi,
We just could clear the current domain through Clear cookies in the
Network tab.
It's recommended you post your question to the Internet Explorer Develop Center forum for further help.
Internet Explorer Develop Center
http://social.msdn.microsoft.com/Forums/ie/en-US/home?category=iedevelopment
Karen Hu
TechNet Community Support -
As it says above, I have cookies set to always ask. I go to a domain (i.e. google) and it asks and I allow for session only. Some time later it will change to "first party only" and start to allow persistent cookies for the domain.
Hello,
Many site issues can be caused by corrupt cookies or cache. In order to try to fix these problems, the first step is to clear both cookies and the cache.
Note: ''This will temporarily log you out of all sites you're logged in to.''
To clear cache and cookies do the following:
#Click the menu button [[Image:New Fx Menu]], choose History, and then Clear Recent History....
#Under "Time range to clear", select "Everything".
#Now, click the arrow next to Details to toggle the Details list active.
#From the details list, check ''Cache'' and ''Cookies'' and uncheck everything else.
#Now click the ''Clear now'' button.
Further information can be found in the [[Clear your cache, history and other personal information in Firefox]] article.
Did this fix your problems? Please report back to us!
Thank you. -
Configure PO document type for "High sea Sale"
Dear sir,
Pl. tell me step by step how can i configure new Document type of Purchase order for "High sea Sale" business senerio without GR.
Thanks/
AnuragHi,
In normal case, when you do GR w.r.t. a Normal PO then system updates Stock Quantity as well as Stock Value of Material.
But in case of High Seas PO, you don't want GR to happen, you want to carry out LIV directly based on PO. So in this case there won't be Stock Quantity updation as well as Stock Value updation i.e. Expense Account will get psted during LIV against Vendor Account. So your High Seas PO should be account assigned PO.
So to achieve this, create a separate document type for High Seas PO with allowed Item Category as Blank" i.e. Standard.
Path: - SPRO > MM > Purchasing > Purchase Order > Define Document Types
OME9 - Create an Account Assignment Category as "Z" (High Seas PO) by copying "K" and in the detailed screen of the same deactivate "Goods Receipt" indicator.
Now create PO with this Document Type and Account Assignment Category "Z" and check under "Delivery" Tab Page, "Goods Receipt" indicator will be deactivated that means GR not required for this PO. -
Weblogic Sessions for different domains
Hi
I am developing a website that will be will be used in different countries. The code is going to be the same and this code will be deployed on one cluster of weblogic servers.
For Eg. there will be a site abc.com.br and abc.com.mx. Both these are websites for different countries but will be served by the same application server.
So, the same application server will service the request coming from both the websites. So the question that I have is whether Weblogic will treat these requests as seperate sessions or the same session.
ie, will the weblogic server issue two JSESSIONID cookies for both these domains or will this be treated as a single session?
Thanks in advance
TejasHi,
You can use "Cookie-Path" tag inside your "weblogic.xml" file to prevent any such thing: http://download.oracle.com/docs/cd/E15051_01/wls/docs103/webapp/weblogic_xml.html
cookie-path
Default Value: null
Defines the session tracking cookie path.
If not set, this attribute defaults to / (slash), where the browser sends cookies to all URLs served by WebLogic Server. You may set the path to a narrower mapping, to limit the request URLs to which the browser sends cookies.
Still if you want to make sure that the Session Cookie Name should be different for Both the Applications (means other Than JSESSIONID) then you can use <cookie-name> tag inside the "weblogic.xml" file..... One best way of changing the cookiename is using "plan.xml" without changing anything physically in the application.
Example: http://weblogic-wonders.com/weblogic/2009/12/16/updating-cookiename-using-plan-xml/ -
Issuing Multiple MYSAPSSO2 tickets for Multiple Domains
Hi,
I am having a problem understanding the SAP documentation on how to go about issuing SAP login tickets in multiple domains. In the documentation it states that in order to do so, you require either a IRJ or the SAP ISAPI Web Filter installed in on a server in the target Domain. I have now setup the IIS_SSO.dll ISAPI filter in the domain I require the SSO ticket to be issued in however when I make a request to that webserver I do not see the MYSAPSSO2 cookie being created in my browser, I do see in the ISAPI logs that the request has been filtered and the portal username extracted and set to the configured HTTP Header, but no new Cookie created in the DOMAIN.
Can anyone help? Has anyone done something like this before?
Basically I have a portal in the domain <b>myportal.subdomain.domain.com</b> and an ITS in the domain <b>myits.domain.com</b>. With this configuration the MYSAPSSO2 cookie is not sent to the ITS server as it is in a Super Domain. So what I want is to configure the portal to issue a Cookie in the super domain (domain.com) rather then subdomain.domain.com. I thought I could do this with the parameter login.ticket_recieving_hosts in the usermanagment.properties file (EP5) and the IIS ISAPI filter to SSO (IIS_SSO.dll) configured on a website in the super domain (domain.com).
Any help would be greatly appriciated.
Simon.I believe we had to set the domain relax level (ume.logon.security.relax_domain.level) but needed to make sure this was secure since it changes the domain scope of cookies that are valid for the system.
See the following:
http://scn.sap.com/thread/1534863
http://help.sap.com/saphelp_nw70ehp3/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm
Hope this helps. -
I have a National Lottery online account but for a while now i cannot access it from my MacBook. I can access it via other pc's and laptops and via my iphone. I have been on to the NL helpline and they say the issue is with cookies and my MacBook. Help!
Hi Josh,
Thanks for taking the time to contact us here a Novation for technical support. Lets continue to correspond via email so we can get your issue resolved.
Thanks.
Mike Towns -
ISSUE Sharepoint 2013 databases for reporting services on the second server SQL 2012
Hello,
I have server A: Operating system windows 2012 standard, SQL server 2012 standard
instance: Sharepoint contains data for sharepint
instance: Reporting should be contain databases for reporting
Server B:
Windows server 2012 standard contains installation Sharepoint 2013
Sharepoint works (without reporting services), it is OK - databases are located on server A:
My issue is:
When I have installed reporting services on server B, I have already installed SQL server 2012 on server B, it works.
I am able to create report in report builder adn place it in to sharepoint.
But I would like to use only one full SQL machine on server A:
When I reconfigure repoting settings on server A in central administration - manage service aplications,
On the SQL server A in instance reporting , there is automatically created databases. It is no problem.
But the first difference is, when I want to manage service aplication for reporting in
Provision Subscriptions and Alerts, there is information
SQL Server Agent state cannot be determined
When I want to create report in report builder, I have issue:
server A-7380mw016\reporting it means server A with full SQL server:
The Test of connection was successful
Then I have clicked test connection
I have recieved this screen with fail: Logon faild for user NT Authority\anonymous logon
My account belongs to SQL admin on server A (A-7380mw016\reporting) I do not know it is not possible to create report, when it is possible to test connection in the first step and in the second step, there is problem...
Please, can somebody help me?Hi,
Since you are getting an Anonymous Logon error, it appears there may be a problem passing your credentials to the SQL Server Agent Service. This would indicate a Kerberos issue. See this thread for details:
http://social.technet.microsoft.com/Forums/sharepoint/en-US/46b7c773-6a77-435d-b471-cb9a6ec41c43/has-anyone-else-upgraded-reporting-services-to-denali-2012
Microsoft Virtual Academy: Breakthrough Insights using SQL Server 2012 : Analysis Services and Credible, Consistent data (Module 2) - Configuring and Securing Complex BI Applications in a SharePoint 2010 Environment with Microsoft SQL Server 2012
http://technet.microsoft.com/en-us/video/Video/hh858469
Tips from the video:
We are connecting to Reporting services using Kerberos when using Reporting Services in SharePoint integrated mode
For the account using reporting services, we just need a dummy SPN. We go to Attribute editor tab in AD for RS account. And then we will be enabled with Delegation tab.
In Delegation tab. I we are using claims to windows token, we need to use "Trust this user for delegation to specified services only"
There you have 2 options: "Use Kerberos only": It means I only want to delegate in the situation where the service that is doing the delegation actually has the Kerberos ticket to start with
"Use any authentication protocol" When we need protocol transition (like from NTLM to claims for intra farm communication)
We need to delegate this to SQL server.
Please check out these articles as well:
How to configure SQL Reporting Services in SharePoint Server for Kerberos authentication
http://support.microsoft.com/kb/2723587
Configure Kerberos authentication (Office SharePoint Server)
http://blogs.technet.com/b/mbiswas/archive/2009/07/10/configure-kerberos-authentication-office-sharepoint-server.aspx
Thanks.
Tracy Cai
TechNet Community Support -
Issuing Ticket By an Employee in Travel Planning
Hi All,
We are Implementing Travel Module using EhP2 and have a requirement of allowing employee to Issue Tickets on thier own and also print E Ticket. I searched SAP help and found that in SAP we can configure the automatic Issuing of Tickets using queues and also that an employee can print the ticket using 'viewmytrip' site.
I wish to know what configuration needs to be done for automatic Issuing of tickets and how can we get print the E ticket from SAP system
Please let me know ASAP as this process will be a real show stopper for our project..
Regards
Stuck....Hello Stuck,
Sorry for the delay. Please refer to the following information in help.sap.com:
http://help.sap.com/erp2005_ehp_02/helpdata/en/e2/4905387ce5fd3ce1000000
9b38f8cf/frameset.htm
Issuing a Ticket
Prerequisites
The ticket can only be issued once the travel plan has been booked (see
Booking Travel Services).
Use
Automatic Ticket Issue
Generally a booking made using SAP Travel Management will automatically
be sent to a processing queue of the travel agency connected with the
company, whereby the travel agency can see that the booking has been
completed and the ticket is then issued. When completing this automatic
queuing the booking is sent to the queue of the sales office that is set
up with the processing type "Booking/Booking Modification in Customizing
(see Customizing for Travel Planning under Master Data -> Control
Parameters for Travel Planning -> Define Resubmission for Ticket Issue
(queue) You should use a queue for an operating sales office, and not
the queues for the virtual SAP Travel Planning sales office.
Regards,
Raynard -
ApplicationPoolException: JBO-30006: The cookie for session
Hi
Presently we are using the followings s/w for our product development:
1. JDeveloper 11g (11.1.1.0.2) - yet to migrate to JDev 11g R1 (11.1.1.1.0)
2. Weblogic 10.3.0
3. Target Browser Client is IE7 – and to extend to FF3+
Now we have completed few of the modules and is in the process of moving to Customers Beta Env. During our testing we are getting some sort of JBO errors (server log) and the browser displays ‘Cancel or Retry’ message.
A portion of error message from the stack trace has been pasted below
oracle.jbo.common.ampool.ApplicationPoolException: JBO-30006: The cookie for session 0K5ZKVDL7wNcJ2qXTkQhjCQvq0sJSykgnV8P0WQMvNqdbF9QdThk!1335475191!1247101864354 and application 378381615_1_PcmsSysDataControl_$beandc$_ is not a valid handle for application pool, InternalDCAMs. The cookie may not be used to access this pool instance.
at oracle.jbo.common.ampool.ApplicationPoolImpl.validateSessionCookieInPool(ApplicationPoolImpl.java:3496)
at oracle.jbo.common.ampool.ApplicationPoolImpl.removeSessionCookie(ApplicationPoolImpl.java:769)
at oracle.jbo.common.ampool.SessionCookieImpl.removeFromPool(SessionCookieImpl.java:609)
at oracle.jbo.common.ampool.SessionCookieImpl.destroy(SessionCookieImpl.java:528)
at oracle.jbo.common.ampool.SessionCookieImpl.timeout(SessionCookieImpl.java:586)
at oracle.adf.model.bc4j.DCJboDataControl.releaseImmediateAMUnmanaged(DCJboDataControl.java:2414)
at oracle.adf.model.bc4j.DCJboDataControl.releaseApplicationModule(DCJboDataControl.java:2324)
The present scenario:
1. ADFModel1.jar - An ADF Model Project contains a set of views to be used across multiple Model projects by Importing Business Components.
2. ADFModel2.jar - This project uses ADFBC import from the above model project – ADFModel1.jar
All the view implementations are available here as the Core Model
3. ADFModel3.jar - Imports ADFModel2.jar – used as a Customization layer (refer error message above - PcmsSysDataControl)
4. ViewController.war - Contains all the JSPX, Page Defs, Html, JS, CSS, Images
Both ADFModel3.jar and ViewController projects are under a separate .jws (Application Workspace) and running as a separate application. Similar way all other applications have been modeled.
Both ADFModel2 and ADFModel3 has the DataSource Names defined. Please help us to resolve this issue.
If you need any more info, please let me know
Krishhave you ever solved the problem? I have a similar issue on Linux RedHat with a load-balanced cluster of Tomcat. The strange thing is that only one of the servlets always issues the problem. The incriminated app module is created with "Configuration.createRootApplicationModule..." and released at the end. I have a similar servlet that creates the same app module with the same command and has no problems.
The ADF Team, what does it say about?
Thanks -
Issue in SAP CPS for Job Interception
Issue in SAP CPS for Job Interception
Scenario:
After triggering a Process Chain in BW and maintaining the Job Interception settings in SAPCPS(Redwood)
(so that any job which triggers in BW by that Particular User is intercepted and not let it proceed further until the job is released in SAP CPS.)
Issue:
The Jobs are getting into Waiting status in SAP CPS(Redwood) even though there is no progress in loads in BW side. Also the Jobs are in Intercepted state even after releasing the Parent Job in SAP CPS(Redwood).
Please let us know how to go about it.Hi Ramesh,
What you plan to do is called monitoring of process chains (ie. process chains not started from CPS) and this should be available in the latest version of CPS.
This requires the interception of only the BI_PROCESS_TRIGGER process, just as you have configured now, and other than that the following prerequisites:
SAP Note 1080558 describes the SP levels for the BW/BI releases
XBP 2.0 or higher
Redwood transport files must be loaded
ProcessServerService.SAP.XBPVariant license key
Maybe this helps,
Anton. -
Portal display issue in Portal 7.3 version
Hi Experts,
We are using portal 7.3 vesion,one of the user getting portal disply issue,it is not appearing proper ess portal screen.
we checked with other user,they will not getting the same issue,it is only one use faceing this issue.
please let me know what is the root cause of the issue.
Thank you in advance..
Regards,
JyothiHi All,
pradyp: sorry for the delay reply, yes they have adobe flash player in their systems.
in google chrome and mozila, its looking good. actually we have two company users like A and B,A company user dont have this problem but B company some of the user( only mss role users) have this issue.
Earier we have assigned new theme with new logo to the B company users through rule collection.
my understanding the problem arraised with new theme with new logo.am i right ?
Could you please help me any one.
Regards,
Jyothi -
DNS/LDAP Issue for Trusted Domain
Hi
I'm trying to configure Configuration Manager 2012 R2 Forest Discovery to a trusted domain.
Objects from the trusted domain (users/computers) show up in the Collections, but when I check under Administration\Active Directory Forests I can see Discovery Status "Failed to connect using default account" and Publishing status "Cannot
Contact LDAP Server".
I've added the SCCM server to local admin at the trusted domain via GPO and have also created the system Management container.
When I check the log ADForestDisc.log I get this error message:
"Failed to connect to forest X. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted."
I have setup Conditional Forwarders in DNS in both domains.
I have also read other forums about this issue and should have the answer:
"This error occurs for all of the domains that you mentioned and is typical when SRV records for DCs in those remote domains cannot be found. Forest discovery relies on DNS name resolution of SRV records to locate a suitable DC to communicate with."
"The site server performing the forest discovery must be able to resolve the SRV records for the DCs or root domain of the other forest."
We are using Windows AD integrated DNS in both domains.
I'm not so familiar with DNS configuration so I appreciate if someone could tell more specific how to fix this.
Thanks in advanceHi
Thank you for your answer. This issue is solved. I've missed to open some ports in the router/firewall between the LANs.
The status under Active Directory Forests is Succeded now, but when I check under boundaries, I can only see the "Default-First-Site-Name" site for the first domain (same LAN as CM Server) and I can only see the IP address range for that LAN.
I don't Think this is a big issue, but shouldn't the site name and address range for the other LAN (where the trusted domain is) be automatically found to during forest Discovery when I've checked the options to create site and ip boundaries automatically? -
How to configure email Alerts in OEM Cloud 12c for Database Servers up/down
Hi everybody,
How to configure email Alerts in OEM Cloud 12c for Database Servers up/down status?
Regards,
Miguel VegaHi Miguel Vega,
Information regarding the notifications:
==============================
Configuring notification rules in 12c is different from earlier releases.
The concept and function of notification rules has been replaced with a two-tier system consisting of Incident Rules and Incident Rule Sets :
1. Incident Rules: Operate at the lowest level granularity (on discrete events) and performs the same role as notification rules from earlier releases.
By using incident rules, you can automate the response to incoming incidents and their updates.
A rule contains a set of automated actions to be taken on specific events, incidents or problems.
The actions taken are for example : sending e-mails, creating incidents, updating incidents, and creating tickets.
2. Incident Rule Set: A rule set is a collection of rules that applies to a common set of objects, for example, targets, jobs, and templates.
To help you to achieve the Notification Rules configuration, refer those notes :
How To Configure Notification Rules in 12C Enterprise Manager Cloud Control ? Doc ID 1368036.1
EM12c How to Add and Configure Email Addresses to EM Administrators and Update the Notification Schedule ?Doc ID 1368262.1
EM12c How to Subscribe or Unsubscribe for Email Notification for an Incident Rule Set ?Doc ID 1389460.1
EM 12c How to Configure Notifications for Job Executions ? Doc ID 1386816.1
Best Regards,
Venkat
Maybe you are looking for
-
I'm at a loss.....
I sure like my digital audio, but why have they forgotten that there are a lot of people (like me!) that do NOT have an toslink input available, but do have an SP/DIF coaxial connection? Also, why even have an music mediaplayer version without a disp
-
Time Machine: Make it back up less?
Ok, I don't know how to do this and the discussion board here isn't giving much insight, but I require to find an answer, because right now using an older machine I get pegged at maximum processor peak whenever Time Machine runs in backup, even if it
-
Using Thunderbird as email client in iPhoto
Has anyone figured out how to use Thunderbird as the email client in iPhoto? I have searched the forums and there is only one reference to it and they did not know. Thanks for any help. Strangeite
-
I have recently backed up my Iphone 4. However now it will not restore as it claims I have not enough space on the iphone. I am in a major hurry to get this up and running by tonight as need it for work ?
-
TCS is configured as per the standards but not working
Hi Experts, I have configured TCS as per the standdard Practice which assigned in the customer master record. But not trggerring while doing FI Invoice. Thanks Regards, Dude