Portal Authentication

An interesting question has arisen about authentication options in the portal.
Half the users are in an old NT domain and the other half are in an LDAP directory (believe it's MS ADS). The question was whether or not the portal could authenticate against both sources, i.e. first check the NT domain, then the AD.
My suggestion is to configure the Portal to use the UME for authentication and configure the multiple sources in the UME on the Web AS Java, as this supports user partitioning against multiple sources. I would be interested if anyone had any thoughts on this.

hi
If you can use central user administration as well as UME configuration, this may give rise to a possible solution, but also take into account the persistence manager and adapters required to map your datasources if the configuration file is not available in the given set of downloadable configuration files in the datasources tab of the UM configuration. These files have to be configured properly for multiple datasources.
Please don't forget to give points.
With regards
subrato kundu

Similar Messages

  • Work Portal Authentication with MSAD

    Hi,
    I have followed the document "Fuego Enterprise 5.1 and 5.5 Work Portal Authentication using Microsoft Active Directory".
    I am using Aqualogic 5.7 Standalone.
    I have problems logging into the work portal with a MSAD user. Tomcat performs authentication against MSAD but after that it returns an HTTP 403 error (Access denied).
    I have created a participant in the Aqualogic MSAD structure directly with the same id as the MSAD user, because I cannot add participants through the process administrator, but I still have the same problem.
    In the document above, the paragraph "Configuring Fuego Directory service repository" tells how to configure automatic login to the work portal after authenticating by Tomcat with a Fuego directory service deployed in an RDBMS (inserting two rows in a table), but it does not say anything about the case where it is deployed in MSAD (we don't have such a table). Perhaps this is my configuration problem.
    Any help would be appreciated.
    Thanks in advance.

    If you configured ALBPM Directory on MSAD (and not a RDBMS), then ALBPM will
    naturally use MSAD for authentication.
    You shouldn't need to do anything described in that document (no need for
    special Tomcat configuration, no need to configure the Workspace either)
    Fernando
    Rubén Vidaurre wrote:
    Hi,
    I have followed the document "Fuego Enterprise 5.1 and 5.5 Work Portal
    Authentication using Microsoft Active Directory". I am using Aqualogic 5.7
    Standalone. I have problems logging into the work portal with a MSAD user.
    Tomcat performs authentication against MSAD but after that it returns an
    HTTP 403 error (Access denied).
    I have created a participant in the Aqualogic MSAD structure directly with
    the same id as the MSAD user, because I cannot add participants through the
    process administrator, but I still have the same problem. In the document
    above, the paragraph "Configuring Fuego Directory service repository" tells
    how to configure automatic login to the work portal after authenticating by
    Tomcat with a Fuego directory service deployed in an RDBMS (inserting two
    rows in a table), but it does not say anything about the case where it is
    deployed in MSAD (we don't have such a table). Perhaps this is my
    configuration problem. Any help would be appreciated. Thanks in advance.

  • Multiple Portal Authentication when closing Word document

    Hi all,
    We are on EP6 SP2 Patch4 HF7 and CM HF6.  When closing a MS Word document accessed from the KM Repository multiple Portal authentication popups appear.  This only happens to Word documents.  Other documents like Excel, Powerpoint, pdf etc. close without any popups.
    The problem only happens when going through the IISProxy filter.
    Does anybody have any ideas ?
    Thanks
    Jose

    > 1. Are you using NTLM authentication?
    > 2. What version of IIS?
    > 3. Can you show the IisProxy.xml file?
    > 4. Have you tried running an HTTP trace while that
    > happens to see what kind of requests & responses you
    > get?
    1. No
    2. IIS 5
    3. <?xml version="1.0" encoding="utf-8" ?>
    <!DOCTYPE ISAPI-config[
         <!ELEMENT ISAPI-config ( filter, extension, ( mapping | config )* )>
         <!ATTLIST ISAPI-config
              version CDATA #REQUIRED
         >
         <!ELEMENT filter (log-path?)>
         <!ATTLIST filter
              name CDATA #IMPLIED
              log-level CDATA "1"
              log-flags CDATA "0"
              debug-flags CDATA "0"
              priority ( high | medium | low ) "high"
              extension-url CDATA "/scripts/IisProxy.dll"
              authentication ( skip | normal | forward ) "normal"
              remote-address ( skip | forward ) "skip"
         >
         <!ELEMENT extension (
              keystore-dir?,
              log-path?,
              data-path?,
              trace-path? )>
         <!ATTLIST extension
              name CDATA #IMPLIED
              log-level CDATA "1"
              log-flags CDATA "0"
              debug-flags CDATA "0"
              access ( filter | direct | both ) "filter"
         >
         <!ELEMENT keystore-dir (#PCDATA)>
         <!ELEMENT log-path (#PCDATA)>
         <!ELEMENT data-path (#PCDATA)>
         <!ELEMENT trace-path (#PCDATA)>
         <!ELEMENT mapping (
              source+,
              target,
              compress-types*,
              protocol-header?,
              certificate-header?,
              cert-chain-header?,
              cipher-header?,
              keysize-header?,
              keystore-path?,
              log-path?,
              data-path? )>
         <!ATTLIST mapping
              name CDATA #IMPLIED
              log-level CDATA "1"
              log-flags CDATA "0"
              debug-flags CDATA "0"
              keep-alive ( true | false ) "true"
              use-continue ( true | false ) "true"
              close-socket ( true | false ) "true"
              close-socket-delay CDATA "1000"
              thread-count CDATA "100"
              max-socket-age CDATA "10"
         >
         <!ELEMENT source (protocol, host?, port?, prefix, new-prefix?)>
         <!ATTLIST source
              access ( filter | direct | both ) "filter"
         >
         <!ELEMENT protocol (#PCDATA)>
         <!ELEMENT host (#PCDATA)>
         <!ELEMENT port (#PCDATA)>
         <!ELEMENT prefix (#PCDATA)>
         <!ELEMENT new-prefix (#PCDATA)>
         <!ELEMENT target (protocol, host, port)>
         <!ELEMENT compress-types (#PCDATA)>
         <!ATTLIST compress-types
              min-size CDATA "1024"
         >
         <!ELEMENT protocol-header (#PCDATA)>
         <!ELEMENT certificate-header (#PCDATA)>
         <!ELEMENT cert-chain-header (#PCDATA)>
         <!ELEMENT cipher-header (#PCDATA)>
         <!ELEMENT keysize-header (#PCDATA)>
         <!ELEMENT keystore-path (#PCDATA)>
         <!ELEMENT config ( source+ )>
    ]>
    <ISAPI-config version="1.6">
         <filter name="IisProxy filter" authentication="forward" />
         <extension name="IisProxy extension" />
         <mapping name="IisProxy samples"
                        keep-alive="true" log-level="1" use-continue="false">
              <source>
                   <protocol>http</protocol>
                   <prefix>/irj/</prefix>
              </source>
              <source>
                   <protocol>http</protocol>
                   <prefix>/myserv.xxx.xx.xx/</prefix>
                            <new-prefix>/irj/</new-prefix>
              </source>
              <target>
                   <protocol>https</protocol>
                   <host>portalserv.xxx.xx.xx</host>
                   <port>#####</port>
              </target>
              <compress-types>text/html, text/plain</compress-types>
         </mapping>
         <mapping name="Secure IisProxy samples"
                      keep-alive="true" log-level="1" use-continue="false">
              <source>
                   <protocol>https</protocol>
                   <prefix>/irj/</prefix>
              </source>
              <source>
                   <protocol>https</protocol>
                   <prefix>/myserv.xxx.xx.xx/</prefix>
                            <new-prefix>/irj/</new-prefix>
              </source>
              <target>
                   <protocol>https</protocol>
                   <host>portalserv.xxx.xx.xx</host>
                   <port>#####</port>
              </target>
              <keystore-path>SAPSSLC.pse</keystore-path>
         </mapping>
         <config>
              <source>
                   <protocol>http</protocol>
                   <host>localhost</host>
                   <prefix>/IisProxy/</prefix>
              </source>
              <source>
                   <protocol>https</protocol>
                   <host>localhost</host>
                   <prefix>/IisProxy/</prefix>
              </source>
         </config>
    </ISAPI-config>
    4. I will try.
    Thanks,
    Jose

  • Portal authentication using two login module stacks?

    G'day,
    I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
    Background: I have created a custom logon page, which is basically a form with username/password input as per this guide ("Changing the logon screen", http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm). I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
    <authscheme name="mylogon">
      <authentication-template>mystack</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
    </authscheme>
    <authscheme-refs>
      <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
      <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
    </authscheme-refs>
    When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
    Now here is the interesting thing: when the "ticket" login module stack is unchanged (i.e. it uses the BasicPasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
    This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.OK
    User: Administrator
    Authentication Stack: mystack
    The "mylogonform" page is shown when logon is required in both cases.
    However, if I modify the "ticket" login module stack by replacing the BasicPasswordLoginModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
    This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
    I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
    This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
    Message : LOGIN.FAILED
    User: Administrator
    Authentication Stack: mystack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
    Central Checks                                                                                exception             Call logout before login.
    I guess one cannot authenticate as a new user until the current user has been logged out.
    So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
    What is the logic behind portal authentication and showing a logon page?
    If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

    Jayesh,
    there is no such thing as "login module stacks". There do exist, on the other hand:
    - login modules
    - logon stacks
    Login modules and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, originally by Sun (see: java.sun.com/products/jaas)
    A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
    login module 1: check if valid sap logon ticket provided
    if module 1 fails: then login module 2: request user id/password
    if module 2 succeeds: then login module 3: create new sap logon ticket for user
    You can define multiple logon stacks and configure individual applications to use the one stack or the other.
    The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
    btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
    Regards,
    Dominik
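
The stack evaluation described in the answer above, as an added example that is not part of the original thread and is not SAP's code: three toy JAAS login modules stand in for ticket evaluation, password check and ticket creation, wired with the SUFFICIENT / REQUISITE / OPTIONAL flags that the DIAGTOOL extract further down this page lists for the "ticket" stack. The class names, the request map and the ticket and password values are constructed for illustration; only the user id tu-1 comes from the thread.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LogonStackDemo {
    // Constructed stand-in for the HTTP request the real modules would inspect.
    static final Map<String, String> request = new HashMap<>();
    // Order in which JAAS actually invoked the modules.
    static final List<String> trace = new ArrayList<>();

    /** Shared plumbing: record each call; commit only if this module's own login() succeeded. */
    public abstract static class Step implements LoginModule {
        private boolean ok;
        abstract boolean check() throws LoginException;
        private String name() { return getClass().getSimpleName(); }
        @Override public void initialize(Subject s, CallbackHandler h,
                                         Map<String, ?> shared, Map<String, ?> options) { }
        @Override public boolean login() throws LoginException {
            try {
                ok = check();
            } catch (LoginException e) {
                trace.add(name() + ".login=exception");
                throw e;                      // an exception is a failure
            }
            trace.add(name() + ".login=" + ok);
            return ok;                        // false means "ignore this module", not "fail"
        }
        @Override public boolean commit() {
            // JAAS also calls commit() on modules whose login() was skipped, so guard on ok.
            if (ok) trace.add(name() + ".commit");
            return ok;
        }
        @Override public boolean abort() { ok = false; return true; }
        @Override public boolean logout() { ok = false; return true; }
    }

    /** Step 1: accept an existing logon ticket if one was sent (constructed value). */
    public static class EvaluateTicket extends Step {
        boolean check() { return "constructed-ticket".equals(request.get("ticket")); }
    }
    /** Step 2: user id / password check against a constructed credential pair. */
    public static class BasicPassword extends Step {
        boolean check() throws LoginException {
            if ("tu-1".equals(request.get("user")) && "s3cret".equals(request.get("password"))) {
                return true;
            }
            throw new FailedLoginException("Authentication did not succeed.");
        }
    }
    /** Step 3: would issue a new ticket; only reached when step 2 succeeded. */
    public static class CreateTicket extends Step {
        boolean check() { return true; }
    }

    // The logon stack: same order and flags as the "ticket" stack in the DIAGTOOL extract.
    static final Configuration STACK = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String stackName) {
            Map<String, Object> none = Collections.<String, Object>emptyMap();
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(EvaluateTicket.class.getName(),
                                          LoginModuleControlFlag.SUFFICIENT, none),
                new AppConfigurationEntry(BasicPassword.class.getName(),
                                          LoginModuleControlFlag.REQUISITE, none),
                new AppConfigurationEntry(CreateTicket.class.getName(),
                                          LoginModuleControlFlag.OPTIONAL, none),
            };
        }
    };

    /** Runs one logon through the stack and reports the result plus the module call order. */
    static String attempt(String ticket, String user, String password) {
        trace.clear();
        request.clear();
        request.put("ticket", ticket);
        request.put("user", user);
        request.put("password", password);
        try {
            new LoginContext("ticket", null, null, STACK).login();
            return "LOGIN.OK " + trace;
        } catch (LoginException e) {
            return "LOGIN.FAILED " + trace;
        }
    }

    public static void main(String[] args) {
        // Valid ticket: the SUFFICIENT module succeeds and the rest of the stack is skipped.
        System.out.println(attempt("constructed-ticket", null, null));
        // No ticket, correct password: step 1 is ignored, steps 2 and 3 run and commit.
        System.out.println(attempt(null, "tu-1", "s3cret"));
        // No ticket, wrong password: the REQUISITE failure ends the stack before step 3.
        System.out.println(attempt(null, "tu-1", "wrong"));
    }
}
```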

  • EP Sneak Preview - Moving from Portal Authentication to LDAP

    Has anyone used the EP sneak preview, configuring first against portal authentication alone and then moving users to LDAP and leaving just the roles in the portal db, without having disaster strike and have to reinstall, etc.?
    Thanks in advance.

    hi,
    according to the Quick Install Guide
    (url: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/Quick%20Installation%20Guide%20for%20SAP%20NetWeaver%20EP%20on%20MaxDB,%20Developer%20Edition%20Sneak%20Preview.htm)
    first i installed the latest JDK, which is 1.4.2_08
    manually i set the following environment variables (like i read a few threads before):
    CLASSPATH =
    %JAVA_HOME%\lib;%JAVA_HOME%\jre\lib;
    JAVA_HOME = C:\j2sdk1.4.2_08
    Path = %JAVA_HOME%\bin;c:\j2sdk1.4.2_08\bin;c:\j2sdk1.4.2_08\jre\bin;...
    when clicking sapinst.exe it says: latest JRE 1.4.2 with latest Patch level could not be found.
    then i checked startinstgui.bat and get the following error:
    the system cannot find the path.
    Starting SAPinst GUI with local Java Runtime
      Java Runtime found in JAVA_HOME environment variable
      Java path: C:\j2sdk1.4.2_08\bin\java.exe
    a logon screen appears for sagui installation, which wants to logon to localhost and port 21212. this does not work as i have no webserver running...
    i am riding xp - maybe the whole thing really works only on win2000 or win server 2003?
    any comments appreciated.
    Matthias

  • Caching for Web Portal Authenticated clients

    Reading CUWN documentation, Sticky Key Caching works only on WPA2-enabled WLANs.   Is it possible to enable a caching to help Web Portal Authenticated clients perform intra-controller roaming faster?

    Ok, so here's how it works:
    When the client gets on the network, the controller contacts the DHCP server and hands the client back its IP (as with any helper address).
    In order for web auth to work, you need to open a browser on the client.
    When you go to a page (say www.google.com) your browser does a DNS query for the IP address of the site (www.google.com), the controller intercepts the query.
    Since you have not been authenticated yet, the controller does not allow the query directly, but it proxies the query to the DNS server you were trying to resolve against. It sources this query from its interface that is on the VLAN the SSID your client is on maps to.
    That reply is proxied back to your computer, and then your browser does its normal request to Google's IP.
    The controller then intercepts that request, and sends a reply back redirecting the browser to the controller login page (usually https://1.1.1.1).
    Once you log into the web page, you will be redirected back to your original page (www.google.com).
    I hope I explained it well. If I wasn't clear, please let me know.
    -Eric

  • Extend the SSO Oracle Portal Authentication Mechanism

    Hi All,
    I need to put some logic just before the Oracle Portal user is authenticated to SSO.
    Specifically I need to collect some information about the user from a database just before the SSOLoginServlet is called with all the parameters it needs. (username, password, sitetoken etc...)
    Is there a class i can extend, an API I can use.... whatever
    In fact I need to extend and put some more logic to the login mechanism of SSO.
    Is there a way to do that?
    If there are many what is the best method?
    Thanks

    I'm not an expert, but I think this might be fairly easy to implement. If you look at Chapter 12 of the SSO Admin Guide (http://download-east.oracle.com/docs/cd/B28196_01/idmanage.1014/b15988/custom.htm), it tells you what parameters and what url to call for the login process to complete. Therefore, you should be able to submit your custom login page to another servlet for your pre-processing, and then forward on to the sso logon servlet.

  • Portal authentication failing intermittently post self registration

    We are in the process of upgrading from EP6 to EP7 and have hit a critical authentication problem that is proving difficult to diagnose and resolve.
    Our self registration process leads straight into user logon:
    1) the user fills in the registration form with their user ID, password etc and selects Submit which creates the user ID in our R/3 user store
    2) the user is presented with text informing them that their registration has been successful and a Proceed button which when selected authenticates them with the portal with their newly created user ID
    Step 2) above is working intermittently in our EP7 system - sometimes the process works exactly as expected others an exception is raised (com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED).
    It seems as though the cause is that the user creation process has not completed fully before the logon step.
    We tried implementing a wait step (10 seconds) following selection of the Proceed button which reduced the incidence rate of the problem but didn't cure it entirely.
    A possible contributing factor is hardware performance as we are testing the upgrade on an impact analysis system which is not as efficient as our live portal landscape.
    I've pasted the code which performs the authentication and extracts from the DIAGTOOL portal logs below which show the login module configuration (SAP standard I believe).
    Any help/advice what to try next would be greatly appreciated as we are running out of ideas.
    Thanks,
    Alan
    The following code performs the authentication and redirection to the portal user's home page:
    public void onRedirect(Event event) throws PageException {
        getBean();
        // Get resource bundle
        ResourceBundle rbSetup =
            ResourceBundle.getBundle(
                "setup",
                ((IPortalComponentRequest) this.getRequest()).getLocale());
        ILogonAuthentication logonAuthentication =
            UMFactory.getLogonAuthenticator();
        HttpServletRequest req =
            ((IPortalComponentRequest) this.getRequest())
                .getServletRequest();
        HttpServletResponse res =
            ((IPortalComponentRequest) this.getRequest())
                .getServletResponse(true);
        // Hand the credentials captured by the registration form to the logon stack
        req.setAttribute(
            ILoginConstants.LOGON_UID_ALIAS,
            SelfRegBean.getLogonUid());
        req.setAttribute(
            ILoginConstants.LOGON_PWD_ALIAS,
            SelfRegBean.getPassword());
        Subject subject = null;
        try {
            // Authenticate against the configured authscheme; redirect only on success
            subject = logonAuthentication.logon(req, res, AUTHSCHEME);
            if (null != subject) {
                res.sendRedirect(rbSetup.getString("REDIRECT_URL"));
            }
        } catch (LoginException e) {
            // rb, LOGIN_FAILED and REDIRECT_FAILED are defined outside the posted excerpt
            SelfRegBean.setError(rb.getString(LOGIN_FAILED));
        } catch (IOException e) {
            SelfRegBean.setError(rb.getString(REDIRECT_FAILED));
        }
    }
    Full exception thrown when the authentication process fails:
    com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED
        at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949)
        at uk.ac.ncl.SelfRegistration$SelfRegistrationDynPage.onRedirect(SelfRegistration.java:507)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at com.sapportals.htmlb.page.DynPage.doProcessCurrentEvent(DynPage.java:172)
        at com.sapportals.htmlb.page.PageProcessor.handleRequest(PageProcessor.java:115)
        at com.sapportals.portal.htmlb.page.PageProcessorComponent.doContent(PageProcessorComponent.java:134)
        at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:209)
        at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
        at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
        at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
        at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
        at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
        at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
        at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
        at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
        at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
        at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
        at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
        at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
        at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
        at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
        at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Key log extracts from DIAGTOOL:
    Exception on login: 
    [EXCEPTION]
    com.sap.security.core.server.userstore.UserstoreException: Could not refresh user postsp15p
    Caused by: com.sap.security.api.NoSuchUserAccountException: USER_AUTH_FAILED: User account for logonid "postsp15p" not found!
    LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
            #1 ume.configuration.active = true
    2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
            #1 ume.configuration.active = true
    com.sap.security.core.logon.imp.UMELoginException:
    ObjectID handed over is 'null'!
    Guest | LOGIN.ERROR | null |  | Login Method=[uidpwdlogon], UserID=[null], IP Address=[10.64.65.191], Reason=[Authentication did not succeed.]
    USER_AUTH_FAILED

    Caused by: com.sap.security.api.NoSuchUserAccountException: USER_AUTH_FAILED: User account for logonid "postsp15p" not found!
    LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
            #1 ume.configuration.active = true
    2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
            #1 ume.configuration.active = true
    com.sap.security.core.logon.imp.UMELoginException:
    ObjectID handed over is 'null'!
    Guest | LOGIN.ERROR | null |  | Login Method=[uidpwdlogon], UserID=[null], IP Address=[10.64.65.191], Reason=[Authentication did not succeed.]
    USER_AUTH_FAILED

  • SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

    Hi Experts,
    We have the following requirements:
    1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
    2. ECC6 user-id's differ from Active Directory user.
    3. User logs in to Active Directory.
    4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
    5. User wants to log on to Portal/EP, with a user-name password prompt, using the Active Directory Credentials.
    The following suggested solution was the closest to the requirement (without too much technical detail):
    1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
    This should enable the user, after having logged onto the Active Directory, to open the SAPGUI and, WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstation's GUI.
    2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
    This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, WITHOUT user-name password prompt.
    Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active Directory users)?
    Regards.

    AJP,
    The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
    If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
    Thank you,
    Tim

  • Creator 2 Portlet project and accessing portal authenticated user

    Hello friends,
    I have started a portlet JSR-128 project with Creator 2.
    The question is how can I access the user that is authenticated thru portal single-signon feature?
    Thank you so much

    There is a standard way to access users. It requires adding the user attributes you would like to access to the portlet.xml file and then accessing them with the following code:
        Map userInfo = (Map) request.getAttribute(PortletRequest.USER_INFO);
    To learn more, go to http://www.manning.com/hepper/. Read the download instructions and download your free version of the book "Portlets and Apache Portals". There is a section of the book called "Accessing User Attributes" which has the info you need.
    Let me know if you get it to work!!!
    It is easier to access user info with the specific portal APIs, but it makes your code less portable.
    Thanks,
    Dean
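
    The approach Dean describes, written out as an added example that is not part of the original reply. The class name is hypothetical, and the two attribute names are taken from the portlet specification's list of suggested user attribute names; whether a value comes back depends on how the portal maps its user store.

    ```java
    import java.io.IOException;
    import java.io.PrintWriter;
    import java.util.Map;
    import javax.portlet.GenericPortlet;
    import javax.portlet.PortletException;
    import javax.portlet.PortletRequest;
    import javax.portlet.RenderRequest;
    import javax.portlet.RenderResponse;

    /*
     * Each attribute read below must be declared in portlet.xml under <portlet-app>:
     *   <user-attribute><name>user.name.given</name></user-attribute>
     *   <user-attribute><name>user.business-info.online.email</name></user-attribute>
     */
    public class WhoAmIPortlet extends GenericPortlet { // hypothetical class name

        @Override
        protected void doView(RenderRequest request, RenderResponse response)
                throws PortletException, IOException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();

            // Login name established by the portal's own authentication (SSO included);
            // null when the request is anonymous.
            String login = request.getRemoteUser();
            if (login == null) {
                out.println("<p>No authenticated portal user on this request.</p>");
                return;
            }
            // USER_INFO is null for unauthenticated requests and may lack undeclared
            // or unmapped attributes, so every lookup is null-checked.
            Map<?, ?> userInfo = (Map<?, ?>) request.getAttribute(PortletRequest.USER_INFO);
            out.println("<p>Login: " + escapeHtml(login) + "</p>");
            out.println("<p>Given name: " + escapeHtml(attr(userInfo, "user.name.given")) + "</p>");
            out.println("<p>E-mail: "
                    + escapeHtml(attr(userInfo, "user.business-info.online.email")) + "</p>");
        }

        private static String attr(Map<?, ?> userInfo, String name) {
            Object value = (userInfo == null) ? null : userInfo.get(name);
            return (value == null) ? "(not provided)" : value.toString();
        }

        // Directory values are untrusted input to the page; encode them before output.
        private static String escapeHtml(String s) {
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
    }
    ```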

  • Options for 3rd Party Portal Authentication

    We are implementing EP 6.0 SP12 at Tellabs. But there is a BroadVision portal that is at the front and so authentication happens at BroadVision. Since we need single sign-on between the 2 portals, we are exploring various options for this.
    Option 1: Custom Login Module - We will need to implement a Custom Login Module that picks up a cookie from the BroadVision request, uses that cookie to check with BV and then allows access to EP resources.
    Option 2: Portal Service - We will need to implement a Portal Service that picks up a cookie from the BroadVision request, uses that cookie to check with BV and then, if the user is authenticated, passes the request to a standard login module.
    Option 3: Servlet filter – Is it possible to use a J2EE Servlet Filter for all requests coming to irj? We have implemented a standard Servlet Filter and tested it on some custom J2EE applications on Web AS 6.40. But we are unable to integrate it with the irj application. How should we deploy/configure the Filter with the standard Header Login module?
    We tried deploying the Filter using the Visual Administrator, NW Developer Studio and the Deploy Tool - but for some reason the Filter does not deploy on irj. Is there any way to deploy a Servlet Filter (a J2EE filter) on irj and make it work?
    We are considering Option 1 since we are facing deployment issues with Option 3. If we get a solution for Option 3, it would save us a lot of development/testing time. (Servlet Filter has already been developed and tested)
    Thanks
    - Mayur Khera

    Did you find a solution for the problem? If so, can you share the code?

  • Enterprise Portal authentication disregard data source domain

    Our SAP Enterprise Portal supports multiple SAP applications. The portal has two different data sources, i.e. internal (intranet) active directory (IAD) and external (extranet) active directory (EAD). The IAD contains internal users, e.g. employees. But due to internal reasons, the EAD contains the same set of internal users as well as external users, such as bidders / vendors of SRM system. When we tried to make use of both data sources, the portal throws an error (user id duplicated) because the same user ID, i.e. an internal user ID, exists in both data sources. It seems that the portal does not consider the "domain" of the user account, i.e. "IAD/user1" versus "EAD/user1". Because of this awareness, we are forced to use only the EAD (which is a superset of the two directories) for both internal and external users and activities. The question is why doesn't the enterprise portal take the data source (domain) name into account when authenticating a user?

    Jay,
    Why have you chosen to use AD as your user data source? Is it so you can use SPNEGO authentication?
    Thanks,
    Tim

  • Adhoc Query Execution / Portal Authentication

    Hi there,
    When executing an adhoc query via the query designer I am asked to authenticate via the portal before the query is executed.
    Is this the way it should work in NetWeaver 2004s? Or do we have a communication problem between portal & BW?
    My portal consultant wasn't really able to give me any ideas.
    thanks
    Mark

    Hi,
    Do you have any idea of the User Administration mapping done in the Portal iView?
    I guess the Single Sign-On (SSO) done is not proper. You can achieve this in the User Administration Properties of the System created in Portal for BW. The Portal Consultant will be the best person who can solve this. Else you can get the help of Basis, who takes care of the SSO.
    Regards
    Happy Tony

  • SPNEGO when the Portal Authentication is set to ABAP

    Hi all,
    I have seen documentation (994791) showing how to set up SPNEGO if the authentication is of type DB or ADS. But I cannot see how to do it if the authentication is of type ABAP.
    I have added the krb5principalname in to the config as per note 994791, but with type ABAP the Customized Information field (krb5principalname) is not coming up in User Creation/modification?
    Can anyone help?
    Thanks,
    Guy

    The only thing I know is that this is not officially supported by SAP.
    Up to SP11 there was said to be a workaround which I failed to implement myself as there was no help from SAP via OSS.
    Since SP12 in general SAP supports SpNego config by the new SPNego wizard only so I think the possibilities have become even less.
    But let me say: I have had the same problem as you have and I was not able to solve it.
    Sigi

  • Portal Authentication from web service

    I would like to run a web service on a remote machine that checks if the user of the web service exists as a portal user.
    My initial thought was to just log the user in whenever they attempt to use the web service and then log them out at the end. I have researched the AuthContext class and attempted a test implementation however it errors looking for certain AM Property files.
    Perhaps I should just access the directory server directly? Basically, I just want to restrict usage of the web service to the existing portal users.
    If anyone could offer any suggestions it would be appreciated. (Code examples or snippets would be appreciated)
    Thanks in advance...
    Jason

    Hi,
    1) If your web service is on the same network: just bind to LDAP (this is the fastest way).
    2) Or you can also use the identity SDK to connect to your instance and receive an AMUser object.
    3) If you are not on the same network (SRAP access): you can create a "stand alone" JSP or servlet which does (1) or (2), and your web service talks over https to this servlet.
    4) Logging the user in to the portal is too much overhead, and at the end you don't know if the user is a portal user or just has login privilege to identityserver...
    Cheers,
    Alex :-)
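
    Option 1 from Alex's reply (an existence check by LDAP lookup), as an added example that is not from the original post or from any portal SDK. The class name, the inetOrgPerson/uid schema and the 64-character limit are assumptions; the caller supplies a DirContext already bound with a read-only service account, and main only prints the filters built for constructed inputs, so it runs without a directory server.

    ```java
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    public class PortalUserCheck { // hypothetical class name

        // Escape a value for use inside an LDAP search filter (RFC 4515), so a
        // user ID received by the web service cannot alter the filter structure.
        static String escapeFilterValue(String value) {
            StringBuilder sb = new StringBuilder();
            for (char c : value.toCharArray()) {
                switch (c) {
                    case '\\': sb.append("\\5c"); break;
                    case '*':  sb.append("\\2a"); break;
                    case '(':  sb.append("\\28"); break;
                    case ')':  sb.append("\\29"); break;
                    case '\0': sb.append("\\00"); break;
                    default:   sb.append(c);
                }
            }
            return sb.toString();
        }

        // Assumed schema: portal users are inetOrgPerson entries keyed by uid.
        static String userFilter(String uid) {
            return "(&(objectClass=inetOrgPerson)(uid=" + escapeFilterValue(uid) + "))";
        }

        // True only when exactly one entry matches the escaped user ID.
        static boolean userExists(DirContext ctx, String baseDn, String uid)
                throws NamingException {
            if (uid == null || uid.isEmpty() || uid.length() > 64) return false;
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"}); // fetch nothing sensitive
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, userFilter(uid), sc);
            try {
                int matches = 0;
                while (results.hasMore()) { results.next(); matches++; }
                return matches == 1;
            } finally {
                results.close();
            }
        }

        public static void main(String[] args) {
            for (String uid : new String[] {"jsmith", "*", "smith(ext)"}) { // constructed inputs
                System.out.println(uid + " -> " + userFilter(uid));
            }
        }
    }
    ```

    As point 4 of the reply notes, a match here shows only that the entry exists under the chosen base DN; restricting baseDn to the portal's user subtree is what ties the result to portal users.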
