SSO using a domain wide cookie

Hi,
I need to implement SSO between two web applications deployed on two different WebLogic
servers (8.1) under the same DNS domain and the same WebLogic domain. Both of the web applications
use form-based authentication.
Both of them have their session configured for file persistence and have a cookie
with same name.
I am not able to make SSO work with the above-mentioned setup.
Can somebody please tell me if the above-mentioned setup is sufficient for SSO implementation
or do I need to do something else?
Thanks,
Roopali
Reference article http://dev2dev.bea.com/products/wlplatform81/whitepapers/wlp_81_sso.jsp#Cross

Thought I'd update this in case someone ever has the same problem.
Now have port number based SPNs working fine with multiple J2EE systems on the one host using SPNEGO. The fix on the client end was the MS KB I linked in the OP; this fix works with all versions of IE (6, 7, 8, 9).
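The browser-side rule that decides whether a session cookie set by one server is ever sent to the other (RFC 6265 domain matching), as an added example that is not part of the original thread. Host names and the cookie name are constructed, and public-suffix checks are left out; a shared cookie is only a precondition, since both servers must still be able to resolve the session it names.

```python
import ipaddress


def is_ip_literal(host):
    """True when the host is an IP address (domain cookies never suffix-match IPs)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_literal(host)


def store_cookie(origin_host, name, domain_attr=None):
    """Model what the browser stores for a Set-Cookie from origin_host.

    Returns None when the cookie is rejected because the Domain attribute
    does not cover the host that set it.
    """
    origin = origin_host.lower()
    if domain_attr:
        domain = domain_attr.lower().lstrip(".")
        if not domain_match(origin, domain):
            return None
        return {"name": name, "domain": domain, "host_only": False}
    # No Domain attribute: the cookie is host-only.
    return {"name": name, "domain": origin, "host_only": True}


def is_sent(cookie, request_host):
    """Would the stored cookie be attached to a request for request_host?"""
    host = request_host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return domain_match(host, cookie["domain"])


def shared_between(origin_host, other_host, name, domain_attr=None):
    """True when a cookie set by origin_host also reaches other_host."""
    cookie = store_cookie(origin_host, name, domain_attr)
    return cookie is not None and is_sent(cookie, other_host)


# Constructed hosts standing in for the two servers in the question.
APP1 = "app1.example.test"
APP2 = "app2.example.test"
SESSION_COOKIE = "JSESSIONID"  # placeholder for the shared cookie name

if __name__ == "__main__":
    for attr in (None, ".example.test", "app2.example.test"):
        print(repr(attr), "->", shared_between(APP1, APP2, SESSION_COOKIE, attr))
    # Cookies are not isolated by port: two servers on one host name share
    # (and overwrite) a same-named host-only cookie.
    print(shared_between("apps.example.test", "apps.example.test", SESSION_COOKIE))
```

Giving both applications the same cookie name is therefore not enough on separate host names: without a Domain attribute covering both hosts, the cookie stays host-only.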

Similar Messages

  • SSO using Windows Active Directory but without EP or Java stack

    Good morning and thank you in advance for your help.
    The question is:
    our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
    I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
    Best regards
    Max

    Hi Willi,
    It won't be that easy to understand each other... as my English is not that good either
    Most of the points introduced in the SAP help link are automatically performed by sapinst.
    Almost all my customers running on MS are not using an AV, and neither get into troubles...
    but no user ever connects on the SAP server, only admin, for maintenance purpose or SAP admin when needed...
    Internet explorer should not be used on a server, MS itself says it should be uninstalled...
    Best regards
    SAP on SQL General Update for Customers & Partners April 2014
    10. Do Not Install SAPGUI on SAP Servers
    Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
    To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler.
    “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
    SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
    SAP on SQL General Update for Customers & Partners September 2013
    Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
    The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
    Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

  • How to login CRM 2007 BSP page use account domain of Microsoft AD

    Dear friends,
    I am finding solution to setup system with the requisite:
    - Login to CRM 2007 Business Server Page use account domain which is managed by Microsoft Active Directory.
    - Users use only web browser, they didn't use SAPGUI and they must type username, password ( their username,password are managed in Microsoft AD, not in SAP system) in every login to BSP page, don't use solution like X.509 client certificate.
    I used to configured using SNC and I could login to SAP System using SAPGUI without type SAP username and password when I log in my computer by account domain( my computer is joined in domain).
    But my requisite is have to use account domain( username and password)  and type them in web browser when I want to log in SAP system, could not configured to go to directly SAP application ( BSP page ) without type username/password of account domain.
    After time looking for solution about authentication :
    http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/8039306e-cea4-2a10-15b9-8e96d40c51ef [original link is broken]
    I think may be I could login to java portal by used username/password of account domain to authenticate after login  to portal I use SSO to switch to BSP page without type username password again. This solution may be accepted because I was login to SAP application from web browser and used account domain.
    Could you show me, there are anymore solution or how could I do to set up my above solution.
    Thanks and Best Regards.

    The normal way to do this is to configure the authentication stack required on a JAVA stack (e.g. portal or standalone Java instance of NetWeaver or dual stack) and then configure the BSP app in SICF transaction to redirect to Java stack when no SSO2 ticket is sent by browser (e.g. user has already authenticated). The redirect to Java stack will be done, such that after user has authenticated to Java stack they will be issued with an SSO2 ticket and redirected back to the BSP app URL. From the end user's perspective, they will access the BSP app URL and get authenticated using Active Directory, and they won't know about the redirection since they will be logged into the BSP app once they have authenticated.
    The authentication using Active Directory can be done using two methods:
    - Using credentials already on workstation from workstation logon, e.g. using Integrated Windows Authentication
    - Showing user a form where they enter AD account and password.
    Thanks,
    Tim

  • Domain-wide administration port?

    Hi,
    I tried to start a cluster of 2 servers across 2 physical machines, I got error and server starting failed:
    "Starting Managed Servers in Standby mode requires the domain-wide administration port."
    My topology is as following:
    Domain A is created in machine A and copy to machine B:
    Machine A: admin server at port 8001. Managed server at port 8088 of cluster1.
    Machine B: Managed server at port 8088 of the same cluster1.
    What is wrong? Why I cannot start cluster? Why I got error " need domain-wide administration port"? What is "domain-wide administration port"? Why my created domain admin server at Machine A didn't work?
    Your prompt help is highly appreciated. I am waiting for your help.
    Thank you in advance

    Hi,
    First of all the domain-wide administration port enables you to start a WebLogic Server instance in STANDBY state. It also allows you to separate administration traffic from application traffic in your domain.
    So check in your console whether you have specified the startup mode as STANDBY. If so, change it to Running and try restarting the server.
    You can do that by checking the link below:
    http://e-docs.bea.com/wls/docs92/ConsoleHelp/taskhelp/startstop/SpecifyAStartupMode.html.
    The domain-wide administration port is used when you have configured SSL for your servers. Refer to http://e-docs.bea.com/wls/docs103/ConsoleHelp/taskhelp/domainconfig/EnableTheDomainwideAdministrationPort.html for more info.

  • Problem about SSO using logon ticket  with user mapping

    Hi everyone ,
    I had done SSO with Portal , BW and R/3 system.
    I use logon ticket with user mapping .
    When user name is same in Portal as in R/3 system, or user name is same in Portal as in BW , user can access R/3 transactions and BW report without logon.
    There are some Portal users name which are different with R/3 user and  BW user. And I done the user mapping for these  user.
    But some user mapping works fine, but most of them can't work, meaning that most of them need to enter mapped user ID and password.
    What's the reason?
    When SSO using logon ticket with user mapping, the Portal user which is different with R/3 user and BW user,  can they access R/3 transaction iview and BW report iview without logon?

    Hi Chen,
    What you have done is correct. But the problem lies here.
    Since you are using the same system object for accessing the iview, where the ticket method is set to SAPLOGONTICKET in the user Management property of the system object.
    To avoid this create another system object like the previous one but set the logon method to UIDPW and select admin, user from the drop down box. Also create a system alias for this system.
    Now create another iview like the previous one but link this iview to the new system. Now do the user mapping for the users which are different in portal compared with R/3. Now you should be able to login without any problems.
    Another important point is login to portal with Fully qualified domain name. In the ITS property of the system object also give the FQDN.
    Hope this helps
    Regards
    Arun

  • Problem in configuring SSO using SAML for applications hosted on diff m/c

    Hi Techies,
    I am stuck in a weird problem for past month or so without any resolution. Not much help by googling. So I hope I get the answer from the mouth of the horses -
    I am trying to use SSO using the sample application appA and appB as stated in the tutorial of SSO by BEA.
    I am summarizing the problem below -
    Steps followed for Configuring SSO using SAML
    1. Created 2 domains on 2 separate machines, namely domainA and domainB
    2. Source application is deployed on domainA and the target application is deployed on domainB
    The steps mentioned in the following tutorial has been followed-
    http://dev2dev.bea.com/pub/a/2006/12/sso-with-saml.html
    3. As mentioned in the tutorial the certificate is generated using keytool utility. The same certificate is copied
    to WEBLOGIC_HOME/server/lib of destination machine.
    4. The certificate was successfully registered on destination or host 2 but while activating the configuration
    changes (SSL Client Identity Alias and SSL Client Identity Pass Phrase) for Federation services the following error
    is thrown -
    " SAMLBeanUpdateListener: SAMLKeyManager.prepareUpdate() failed with exception:
    weblogic.descriptor.BeanUpdateRejectedException: SAML key Manage failed to validate key (SSL Client) configuration
    in the FederationServicesMBean, key alias: testalias "
    The interesting bit of the problem is that the same configuration works on 2 domains created on same machine. The
    problem only occurs when domains are created on separate machines.
    Alternative to the problem: when the certificate is generated separately for domainB and copied to
    WEBLOGIC_HOME/server/lib, it works. However, the certificate generated in domainA should have been copied.
    Note: I am using Weblogic portal 9.2.1
    Any quick replies will be much appreciated. Thanks.
    Edited by saurabh.agrawal at 02/06/2008 2:01 PM

    Hi François,
    You are right about the use of the NameID format. But the issue here is/was that OIF at SP is integrated with OAM, and the authenticated user at OIF-SP and OAM will be the Anonymous user rather than the user who was identified at the IdP even though the remaining attributes sent are for the IdP user. I think these attributes can be used with OAM for authorization using custom authorization plug-ins but haven't tried that one out.
    As for the attribute sharing profile, it's this one - http://www.oasis-open.org/committees/download.php/18058/sstc-saml-x509-authn-attrib-profile-cd-02.pdf, although for the life of me, I cannot remember why I suggested this in the first place!
    -Vinod

  • Design a site, use my domain name, and host it via .mac

    It sounds simple, and I thought a search through these forums would yield some easy answers, but no luck, so here goes:
    I'm an advanced Photoshop and Final Cut Studio user, running an audio/video/image restoration and transfer business, but I'm a total beginner in the iWeb/.Mac area.
    About three years ago, I decided it was time for a web site, so I went to a local company; they designed and still host my site, for which I pay them $30.00 per month; it's a simple site with no ecommerce, and six or seven pages. There is a contact form through which potential customers can email me.
    I also have a domain name, for which I pay $15.00 per year to the same company.
    My site is OK, but it's the same as it was three years ago; any small changes I have asked the company to make (mostly just text additions/changes) they have done at the rate of $75.00 per hour.
    What I want to do is cancel my account with them, design a totally new site using iWeb, start a .mac account, and have the site hosted using my domain name, so that the average customer who sees my newspaper ad can navigate to my new site exactly as they can with the current one. (I only have one email account, through my ISP, which I don't want to change.)
    I've got lots of questions, but mostly, what else do I have to do to make this switch besides cancelling my account with my current company? (After an overlap period, of course) What happens with my domain name--who will I pay to keep it? And finally, what simple things am I not thinking of?
    Many thanks in advance to anyone with enough patience to read through this, and still find time to provide some assistance.

    You can design your site in iWeb and upload it to either .Mac or a commercial server.
    You would then provide the domain name registrar with your server ID number or, in the case of .Mac, your .Mac URL and instruct them to point your domain name in that direction.
    .Mac is neither intended for, nor the best option, for a business site.
    For example the company I host with - Host Excellence - allows you a free domain name registration and up to 6 sites with unlimited web mail and more server space than you are likely to need for about the cost of a .Mac account.
    Commercial servers are a lot more reliable than .Mac, have wider bandwidth and usually have good tech support.
    You only have to look at the number of problems in this forum concerning .Mac to see that tech support is not readily available from Apple.
    I'm not putting down .Mac. I use it myself for various purposes and it is good for its intended use of one clicking publishing of personal websites.

  • SSO using SAML2 in WebLogic Server 10.3 not working

    Dear all,
    I have tried all possible configuration to configure SSO but with no hope :(
    My requirement is to configure SSO using SAML2, weblogic 10.3 and 1 domain.
    I followed the following links in my configuration:
    1- http://biemond.blogspot.com/2009/09/sso-with-weblogic-1031-and-saml2.html
    2- http://blogbypuneeth.wordpress.com/2011/01/15/steps-to-configure-saml-2-on-weblogic-server-10-3-0/
    Please if anyone can send me any other tutorial or working sample application as maybe I am configuring the web/weblogic xmls in a wrong way
    Appreciate any help

    Hi,
    This is how my web.xml looks like :
    <web-app>
         <display-name>SAML Destination Site Application</display-name>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>SecurePages</web-resource-name>
                   <description>These pages are only accessible by authorized users.</description>
                   <url-pattern>samldest01App/restricted01/*</url-pattern>
                   <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description>These are the roles who have access.</description>
                   <role-name>SamlUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>This is how the user data must be transmitted.</description>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>myrealm</realm-name>
         </login-config>
         <security-role>
              <description>These are the roles who have access.</description>
              <role-name>SamlUser</role-name>
         </security-role>
    </web-app>
    weblogic.xml :
    <?xml version='1.0' encoding='UTF-8'?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <security-role-assignment>
              <role-name>SamlUser</role-name>
              <principal-name>SAML_SSO_GRP</principal-name>          
         </security-role-assignment>
         <context-root>/samldest01App</context-root>
    </weblogic-web-app>

  • Use of domain administration port breaks session access?

    WLS 8.1.2;
              We have a third-party app deployed in a pretty basic cluster setup (two managed servers, each on a separate machine). When accessing the main web app, it works fine. If/when we enable the domain-wide administration port (DAP)(after enabling SSL on each server), we can no longer access the application - we get the exception shown below.
              Note - if we shut down one of the two managed servers with DAP enabled, the app works. If we disable DAP and run both managed servers using SSL, the app works.
              What have we done wrong?
              tia,
              Rick
              <snip>
              ####<Jun 9, 2005 10:26:49 AM EDT> <Error> <HTTP Session> <OYARSA4> <ep01> <ExecuteThread: '9' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-100060> <An unexpected error occurred while retrieving the session for Web application: ServletContext(id=247422,name=eprovision-client,context-path=/eprovision-client).
              java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
                   at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
                   at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
                   at weblogic.cluster.replication.ReplicationManager_812_WLStub.create(Unknown Source)
                   at weblogic.cluster.replication.ReplicationManager.trySecondary(ReplicationManager.java:1064)
                   at weblogic.cluster.replication.ReplicationManager.createSecondary(ReplicationManager.java:997)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:391)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:376)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:370)
                   at weblogic.servlet.internal.session.ReplicatedSessionData.<init>(ReplicatedSessionData.java:95)
                   at weblogic.servlet.internal.session.ReplicatedSessionContext.getNewSession(ReplicatedSessionContext.java:304)
                   at weblogic.servlet.internal.ServletRequestImpl.getNewSession(ServletRequestImpl.java:2472)
                   at weblogic.servlet.internal.ServletRequestImpl.getSession(ServletRequestImpl.java:2169)
                   at weblogic.servlet.security.internal.SecurityModule$SessionRetrievalAction.run(SecurityModule.java:637)
                   at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
                   at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
                   at weblogic.servlet.security.internal.SecurityModule.getUserSession(SecurityModule.java:612)
                   at weblogic.servlet.security.internal.FormSecurityModule.stuffSession(FormSecurityModule.java:404)
                   at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:391)
                   at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:197)
                   at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:181)
                   at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
                   at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3539)
                   at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
                   at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
                   at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
              Caused by: java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
                   at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:910)
                   at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)
                   at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
                   at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
                   at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
                   at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
                   at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
                   at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
              </snip>

    An unexpected error occurred while retrieving the session for Web application: logContext.
              The cause might be a failure to retrieve the session from the persistent store.
              Please check your configuration.
              Prasanna Yalam

  • Enterprise Edition 5 domain-wide SSL cert

    We have a domain-wide cert (valid for hostnames *.uwrf.edu) we'd like to use for new installs of DSEE v5.2 2005 Q4. The Manage Certificates task, as well as the documentation I can find on certutil, assume that you will be generating the private key for Directory Server certs on the host in question, and within the Sun tools to boot. Neither of those is true when you create a cert to be used domain-wide. Is it possible to convince the DS cert store to use the private key and cert we already have?

    Is it possible to convince the DS cert store to use
    the private key and cert we already have?
    Should be. Try using pk12util to set up your cert8/key3.db. It is part of the Mozilla NSS toolkit, which is the SSL package used by Sun DS.
    http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
    It's included in recent versions of Solaris at /usr/sfw/bin/pk12util.
    Good luck!

  • Pcnscfg, domain wide setting?

    When you're implementing PCNS, once you have PCNS installed on all your DCs and you add a target using the Pcnscfg.exe addtarget command in the command prompt. Is this setting domain wide? Do you run it just once on one of the DCs and the value for the target FIM instance will replicate to all the others or do you need to run the command on each DC with PCNS installed?

    All settings are stored in configuration partition not in Schema.
    One thing that is good to know and that I could not find. If your PCNS is installed in a different forest, the SPN should be created in the domain that the target server is in. pcnscfg.exe will tell you that the SPN is missing, but it's OK if you got it right.
    /Robert

  • WLST with Domain-wide Admin Port configured

    Anybody tried WLST with Domain-wide Administration Port (DAP) turned on?
    Is there a set of instructions to change over smoothly to using the DAP URL instead
    of the plain-text URL?
    Thanks,
    -RAJ

    Hello Raj, to use DAP start WLST as
    java -Dweblogic.security.SSL.ignoreHostnameVerification=true
    -Dweblogic.security.TrustKeyStore=DemoTrust weblogic.WLST
    if you are using the demonstration SSL keys and certificates
    Thanks,
    -satya
    Raj Sesetti wrote:
    Anybody tried WLST with Domain-wide Administration Port (DAP) turned on?
    Is there a set of instructions to change over smoothly to using the DAP URL instead
    of the plain-text URL?
    Thanks,
    -RAJ

  • Datasync and domain Wide administration port problem

    Hi,
    After enabling domain wide administration port in WLP 8.1, we start to see following
    exception on our managed servers log file. This happens in every managed server.
    Datasync.war is deployed only in adminserver as the manual says. We see this error
    every time we boot our managed servers.
    Any ideas?
    ####<Nov 3, 2003 11:00:27 PM EET> <Error> <DataSync> <demomachine> <ManagedServer1>
    <main> <<anonymous>> <> <BEA-400618> <Creation of the Master Data Repository failed.
    Application data will not be available to services. Correct the problem and redeploy
    the application.
    java.lang.SecurityException: User <anonymous> does not have access to the administrator
    port.
    Regards, Mika

    The cause might be that the managed server was given a URL to boot from that resolves to a managed server address. If the managed server is running on the same machine as the admin server, this can be caused by a failure to specify a unique admin port.
    Inspect the address:port provided to the managed server from which to boot. This address should be changed to reference the admin server rather than resolving to a managed server. If the managed server is running on the same machine as the admin server, you must differentiate them by providing a unique port number.
    Now we log a clear message that prints something like:
    The address provided to get to the admin server x.x.x.x resolves to a
    managed server local address x.x.x.x:nnnn rather than a remote address as
    expected, or the local managed server port might already be in use if you
    have setup domain wide admin port, please check the configuration and correct
    the problem.
    Regards,
    Prasanna Yalam
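A triage sketch for the "does not have access to the administrator port" records quoted in this thread and in the session-replication thread above, as an added example that is not part of the original posts. It parses the `####<...>` server log layout seen in those excerpts; the sample log is constructed from them (shortened, plus one benign record with a placeholder message id).

```python
import re

DENIED = "does not have access to the administrator port"
FIELDS = ("timestamp", "severity", "subsystem", "machine", "server",
          "thread", "user", "txid", "msgid")


def iter_records(log_text):
    """Group physical lines into records; a record starts with '####'."""
    current = []
    for line in log_text.splitlines():
        if line.startswith("####"):
            if current:
                yield "\n".join(current)
            current = [line]
        elif current:
            current.append(line)  # stack trace or wrapped continuation
    if current:
        yield "\n".join(current)


def split_record(record):
    """Split a record into its nine header fields and the free-text message.

    Header fields may nest angle brackets (<<WLS Kernel>>) or be empty (<>),
    so the scan counts bracket depth instead of splitting on '> <'.
    """
    if not record.startswith("####"):
        raise ValueError("not a server log record")
    text = record[4:]
    values, depth, start, pos = [], 0, 0, 0
    while pos < len(text) and len(values) < len(FIELDS):
        ch = text[pos]
        if ch == "<":
            if depth == 0:
                start = pos + 1
            depth += 1
        elif ch == ">" and depth > 0:
            depth -= 1
            if depth == 0:
                values.append(text[start:pos])
        pos += 1
    if len(values) < len(FIELDS):
        raise ValueError("truncated header")
    parsed = dict(zip(FIELDS, values))
    message = text[pos:].strip()
    if message.startswith("<"):
        message = message[1:]
    if message.endswith(">"):
        message = message[:-1]
    parsed["message"] = message
    return parsed


def admin_port_denials(log_text):
    """Return one finding per record in which a caller was refused on the admin port."""
    findings = []
    for raw in iter_records(log_text):
        try:
            rec = split_record(raw)
        except ValueError:
            continue
        flat = " ".join(rec["message"].split())  # undo line wrapping before matching
        if DENIED not in flat:
            continue
        who = re.search(r"User <([^>]*)>", flat)
        findings.append({
            "server": rec["server"],
            "subsystem": rec["subsystem"],
            "msgid": rec["msgid"],
            "denied_user": who.group(1) if who else None,
        })
    return findings


# Constructed sample, modelled on the two excerpts quoted on this page.
SAMPLE_LOG = """\
####<Jun 9, 2005 10:26:49 AM EDT> <Error> <HTTP Session> <OYARSA4> <ep01> <ExecuteThread: '9' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-100060> <An unexpected error occurred while retrieving the session for Web application: ServletContext(id=247422,name=eprovision-client,context-path=/eprovision-client).
java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
    at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
>
####<Nov 3, 2003 11:00:27 PM EET> <Error> <DataSync> <demomachine> <ManagedServer1>
<main> <<anonymous>> <> <BEA-400618> <Creation of the Master Data Repository failed.
java.lang.SecurityException: User <anonymous> does not have access to the administrator
port.>
####<Nov 3, 2003 11:01:02 PM EET> <Info> <WebLogicServer> <demomachine> <ManagedServer1> <main> <<WLS Kernel>> <> <BEA-000000> <Constructed benign record.>
"""

if __name__ == "__main__":
    for finding in admin_port_denials(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by server and subsystem shows which internal channel (session replication, DataSync) is being refused, which narrows down where the administration port configuration needs checking.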

  • Domain wide administration port and node manager

    I need a little help understanding how to properly configure the domain-wide
    administration port in a clustered domain using node manager. After I enabled
    the port in my domain, node manager will no longer start the managed servers
    running on the same box as the domain's admin server. I don't have problems
    starting remote managed servers. I see the problem but I don't know how to
    fix it.
    <Error> <Configuration Management> <BEA-150019> <The address provided to
    get to the admin server (https://<host>@port) resolves to a managed server
    local address (host@port) rather than a remote address as expected, or the
    local managed server port might already be in use if you have setup domain
    wide admin port, please check the configuration and correct the problem.>
    The host I'm specifying is the host of my admin server, the port is the domain-wide
    administration port. I don't get this error when starting my remote managed
    servers, only the managed servers running on the same box as the admin server.
    Grant

    The cause might be that the managed server was given a URL to boot from that resolves to a managed server address. If the managed server is running on the same machine as the admin server, this can be caused by a failure to specify a unique admin port.
    Inspect the address:port provided to the managed server from which to boot. This address should be changed to reference the admin server rather than resolving to a managed server. If the managed server is running on the same machine as the admin server, you must differentiate them by providing a unique port number.
    Now we log a clear message that prints something like:
    The address provided to get to the admin server x.x.x.x resolves to a
    managed server local address x.x.x.x:nnnn rather than a remote address as
    expected, or the local managed server port might already be in use if you
    have setup domain wide admin port, please check the configuration and correct
    the problem.
    Regards,
    Prasanna Yalam
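The "unique port number" rule from the reply above, written as a pre-flight check over a domain topology; this is an added example, not code from the thread or from WebLogic. The dictionary keys, host names and port numbers are constructed, and each server is modelled as listening on its machine's single host name.

```python
from urllib.parse import urlsplit


def effective_admin_port(server, domain_admin_port):
    """A per-server override wins; otherwise the domain-wide value applies."""
    return server.get("admin_port_override") or domain_admin_port


def admin_endpoint_conflicts(servers, domain_admin_port):
    """Return (host, port, [server names]) for each admin endpoint claimed more than once."""
    claimed = {}
    for server in servers:
        key = (server["host"].lower(),
               effective_admin_port(server, domain_admin_port))
        claimed.setdefault(key, []).append(server["name"])
    return [(host, port, names)
            for (host, port), names in sorted(claimed.items())
            if len(names) > 1]


def servers_behind(admin_url, servers, domain_admin_port):
    """Names of every server whose admin endpoint the boot URL resolves to."""
    parts = urlsplit(admin_url)
    host = (parts.hostname or "").lower()
    return [s["name"] for s in servers
            if s["host"].lower() == host
            and effective_admin_port(s, domain_admin_port) == parts.port]


# Constructed topology: admin server and one managed server share a machine.
DOMAIN_ADMIN_PORT = 9002
ADMIN_URL = "https://hostA.example.test:9002"

BEFORE = [
    {"name": "AdminServer", "host": "hostA.example.test"},
    {"name": "ManagedServer1", "host": "hostA.example.test"},
    {"name": "ManagedServer2", "host": "hostB.example.test"},
]

# Same topology with the co-located managed server given its own admin port.
AFTER = [
    {"name": "AdminServer", "host": "hostA.example.test"},
    {"name": "ManagedServer1", "host": "hostA.example.test",
     "admin_port_override": 9003},
    {"name": "ManagedServer2", "host": "hostB.example.test"},
]

if __name__ == "__main__":
    for label, topology in (("before", BEFORE), ("after", AFTER)):
        print(label, "conflicts:",
              admin_endpoint_conflicts(topology, DOMAIN_ADMIN_PORT))
        print(label, "boot URL reaches:",
              servers_behind(ADMIN_URL, topology, DOMAIN_ADMIN_PORT))
```

In the "before" topology the boot URL is ambiguous because the admin server and the co-located managed server claim the same endpoint, which matches the symptom that only the managed servers on the admin server's machine fail to start.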

  • Configuring Kerberos authentication SSO with Vintela: SSO in multi-domains

    Business Objects XI 3.1 with service pack 2.
    We have a distributed environment with:
    - 2 web servers:
    - 4 application servers.
    All servers belong to the following domain: xxx.rocca.spa.it and we have defined in that domain a service user: yodbowebi.
    I followed the document of Tim Ziemba and the users of xxx.rocca.spa.it can access the Infoview in sso.
    Following the Kb 1199995  (Error: "The Active Directory Authentication plug in could not authenticate at this time" (FQDN registry key) and the Kbs relating to the configuration of the file krb5.ini, the users of another domain (rip.net.contr) can access but they cannot access in single sign on, that is they have to log on specifying the user + @rip.net.contr.
    Therefore my problem is the following. How can the users of the domain rip.net.contr access in SSO considering that now they are able to access manually?
    An external trust is defined between XXX.ROCCA.SPA.IT and RIP.NET.CONTR
    This is my krb5.ini:
    [libdefaults]
    default_realm = XXX.ROCCA.SPA.IT
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    forwardable = true
    udp_preference_limit = 1
    [realms]
    XXX.ROCCA.SPA.IT = {
    kdc = SERVER100.XXX.ROCCA.SPA.IT
    default_domain = XXX.ROCCA.SPA.IT
    }
    RIP.NET.CONTRA = {
    kdc = SERVER200.RIP.NET.CONTRA
    default_domain = RIP.NET.CONTRA
    }

    OK so you have SSO enabled for users of the local domain (meaning they click on infoview and it auto logs them in) correct?
    and if you login manually(typing in username locally and username @DOMAIN.COM for remote domains) in tomcat everyone can login?
    And the only thing failing is SSO from remote domains or a remote domain?
    If that's correct, let me know. Normally multi-domain SSO is easier to configure than manual is (because of the krb5.ini); SSO does not use the krb5.ini. Test if you can log in to client tools (deski/designer/ccm) with the users from the remote domain (use domain\user).
    Regards,
    Tim
