SSO with KM document shortcut in MS Outlook

Hi Guys,
SSO was setup in our Portal and was successful implemented for months. This means that whenever a user login from Windows, he is able to get into the Portal without having to sign-in.
My question to all is, when we have an announcement via MS Outlook to our user community, which contains KM documents (like news, PDF etc) in the form of URL, the below scenarios are experienced.
Scenario1: With Internet Explorer (IE) open
User click on URL link from email and the KM document is presented in Internet Explorer (portal layout)
Scenario2: Without Internet Explorer (IE) open
User click on URL link from email and user get a pop-up asking for userID and password. Only after thats input, then user is able to see the KM document.
Can anyone pls share their experience and if there is a solution such that our enduser can access the KM document even without having an IE session open (so no pop-up asking for userID and password).
Thx
Ray

Hi Krishna,
Below are my findings so far with the different auth scheme:
1) basicauthorisation (all content editors access via WebDav are working but End User will have to enter their userid and password upon clicking URL shortcut from email)
2) default (all content editors access are not working in WebDav but End User will access Portal document upon clicking shortcut from email)
3) anonymous (all content editors is able to access the Portal folder but end in error while copying files but End User will access Portal document upon clicking shortcut from email)
Thus, I will stay with the original option 1 above for all and the End User will have to either:
1) Open Internet Explorer first, after which clicking the shortcut from email, the Portal document will pop-up without requesting for userID and password
2) Enter their userID and Password and then flag the "remember my password". Next time when the user click on URL shortcuts in outlook, they will simply just need to click "ok" to display the Portal document.
I'm still open to suggestion from the SDN community and if someone has the same experience and a workable solution around it, I would love to hear from them.
Anyway, thanks for the help Krishna !! Much Appreciated.
Edited by: Raymond Heng on Mar 12, 2008 1:27 PM
Edited by: Raymond Heng on Mar 12, 2008 1:28 PM

Similar Messages

Getting Error in SSO with OWA scenario.

Hi All,
I am trying the SSO with OWA with EP 6.0 SP13. I am refering the document " Integration Of OutLook Web Access into SAP Enterprise Portal "
I am getting following error:
Portal Runtime Error
An exception occurred while processing a request for :
iView : N/A
Component Name : N/A
Unknown Logon Method 'null' for system 'SSO_OWA'.
See the details for the exception ID in the log file.
I do not find any option which allows me to specify the Login Method While creating a system, in SP13.
What should I do to get the successful implementation?
Thanks in Advance.
Pradnya

Hi Pradnya
There are three methods for creating a new system
1. Use the XML profile in a deployed PARfile
The new system inherits all the global properties defined in the PAR file component. It inherits property names, meta attributes and any default property values.
2. Use an existing template.
If the template was created directly from the PAR file, the new system is identical to the one generated by the first method. If the template has undergone changes, the system inherits the changes made to the property attributes in the template.
3. Copy an existing system
The procedure you use to create a system is not application-sensitive.
You run the same wizard for creating the system for any of the applications to which the portal provides connectors, or for which you have created and deployed a PAR file. The differences reside in the XML profiles, whose properties are determined by the application being defined, as each application has some unique connectivity requirements.
For further details, please go through the following link.
http://help.sap.com/saphelp_erp2004/helpdata/en/ec/0fe43d19734b5ae10000000a11405a/content.htm
Hope that was helpful.
Warm Regards
Priya
P.S: Please consider rewarding points if your problem is solved.

SSO with Logon Ticket to non-SAP Unix based application

Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier

Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick

SSO with ITS & Webenabling WEBGui

Hello,
We have configured SSO with R/3 system. It works fine.
The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
We are able to do both on developement environment where both R/3 and portal has got the same host names.
But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
Regards,
Rukmani

Hi all,
it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
My suggestion is: do not skip even simple steps, sometimes problem appears there
Regards,
Pavol

SSO with SAP logon tickets to non-SAP web app

I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
Cindy

Hi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati

How to configure sso with SSL step by step

Purpose
In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
Overview
In this document we will demonstrate:
1. How to configure OHS support SSL
2. How to Register SSO with SSL
3. Configure SSO for certificates
Prerequisites
Before start this document, you should have:
1. Oracle AS 10g infrastructure installed (10.1.2)
2. OCA installed
Note:
1. “When you install Oracle infrastructure, please make sure you have select OCA.
2. How Certificate-Enabled Authentication Works:
a. The user tries to access a partner application.
b. The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
c. The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
Enable SSL on the Single Sign-On Middle Tier
The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
l You must configure SSL on the computer where the single sign-on middle tier is running.
l You are configuring one-way SSL.
l You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
1. Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
2. In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
3. Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
4. Reload the modified opmn configuration file:
ORACLE_HOME/opmn/bin/opmnctl reload
5. Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
6. Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
<VirtualHost ssl_host:port>
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
Save and close the file.
7. Update the distributed cluster management database with the changes:
ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
8. Restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
9. Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
Reconfigure the Identity Management Infrastructure Database
Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
1. Change Single Sign-On URLs
Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
UNIX:
$ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
Windows:
%ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
Here is an example:
ssocfg.sh https login.acme.com 4443
2. Restart OC4J_SECURITY instance and verify the configuration
To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Then try logging in to the single sign-on server at its SSL address:
https://host:ssl_port/pls/orasso/
 3. Back up the file targets.xml:
cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
· HTTPMachine—the server host name
· HTTPPort—the server port number
· HTTPProtocol—the server protocol
If, for example, you run ssocfg like this:
ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
Update the three attributes this way:
<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
5.Save and close the file.
6. Reload the OracleAS console:
 ORACLE_HOME/bin/emctl reload
7. Issue these two commands:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Registering mod_osso
1. This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
$ORACLE_HOME/sso/bin/ssoreg.sh
 -oracle_home_path $ORACLE_HOME
 -config_mod_osso TRUE
 -mod_osso_url https://myhost.mydomain.com:4443
2. Restarting the Oracle HTTP Server
After running ssoreg, restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
Configuring the Single Sign-On System for Certificates
1. Configure policy.properties with the Default Authentication Plugin
Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
DefaultAuthLevel = MediumHighSecurity
Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
2. Restart the Single Sign-On Middle Tier
After configuring the server, restart the middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Bringing the SSO Users to OCA User Certificate Request URL
The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
The URL for the SSO certificate Request is:
https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
To link the OCA server to OracleAS SSO server, use the following command:
ocactl linksso
opmnctl stoproc type=oc4j instancename=oca
opmnctl startproc type=oc4j instancename=oca
You also can use ocactl unlinksso to unlink the OCA to SSO.

I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
on a URL that looks like this :
http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
and gives the error :
( Forbidden
You don't have permisission to access /sso/auth on this server at port 7777)
when I manually change the URL to :
https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
the SSO works correctly.
The question is :
How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
Any ideas ?
Thanks in advance

Weblogic SSO with AD - My Try - What's wrong?

Dear All
I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
I'm wondering what is wrong with my configuration. I can only logon on Adminstration Console using weblogics local users, and even with entering username(those which created on AD) and password AD Authentication does not work.
Anyone has simliar experiance or any clue?
Appreciated
TIA
Cheers
Here is the setup:
The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
These are the steps I came through based on documentation I could found on the net:
h1. 0. Configuring Your Network Domain to Use Kerberos
In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
*/etc/krb5.conf*
\[logging\]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
\[libdefaults\]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des_cbc_crc
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime =28800
forwardable = yes
\[realms\]
EXAMPLE.COM = {
kdc = 192.168.1.193:88
admin_server = dc
default_domain = EXAMPLE.COM
\[domain_realm\]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
\[kdc\]
profile = /var/kerberos/krb5kdc/kdc.conf
\[appdefaults\]
autologin = true
forward = true
forwardable = true
encrypt = true
pkinit = {
allow_pkinit = false
h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not tidked)
weblogic (for weblogic service) (with password = "password1")
weblogicusr (the user which should access Weblogic Administration Console) ("password2")
* Note that group membership of these two users are left default.(Domain Users)
h1. 2. For "weblogic" & "weblogicusr" user set these Account Optiones:
- Use DES encryption types for this account (ticked)
- Do not require Kerberos preauthentication (cleared)
* then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
- >setspn -a host/weblogic.example.com weblogic
- >setspn -a HTTP/weblogic.example.com weblogic
here is the result
C:\Documents and Settings\Administrator.DC>setspn -L weblogic
Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
HTTP/weblogic
host/weblogic
HTTP/weblogic.example.com
host/weblogic.example.com
and
- >setspn -a HTTP/weblogic.example.com weblogicusr
and the result
C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
HTTP/weblogicsrv.example.com
HTTP/weblogicsrv
h1. 4. Create the keytab file for Weblogic Server:
On AD machine issue:
(ktpass from MS Windows Support Tools)
>ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
>ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
(ktab from JRE 6)
>ktab -k c:\temp\weblogic.keytab -a [email protected]
Password for [email protected]:*password1*
Done!
Service key for [email protected] is saved in c:\temp\weblogic.keytab
** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+ how ever the keytab I created using ktab("weblogic.keytab") works fine in this case, so I decided to merge whole three of them into a keytab.
>\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
>kinit(v5): Key table entry not found while getting initial credentials
h1. 5. Port and Merge keytabs
Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
and merged into one keytab:
ktutil: "rkt weblogic.host.keytab"
ktutil: "rkt weblogic.HTTP.keytab"
ktutil: "rkt weblogic.keytab"
ktutil: "wkt weblogic-keytab"
ktutil: "q"
* then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
>/root/bea/user_projects/domains/base_domain/kerberos
h2. 5.1 Test the keytab and kerberos configuration
>\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
>\[root@weblogic keytabs\]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: [email protected]
>
>Valid starting Expires Service principal
>09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
>
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
h1. 6. Creating a JAAS Login File
Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
krb5Login.conf
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal=*"[email protected]"* useKeyTab=true
keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal=*"[email protected]"* useKeyTab=true
keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
h1. 7. Modify startup options
add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
h2. 7.1 Kerberos
-Djava.security.krb5.realm=EXAMPLE.COM
-Djava.security.krb5.kdc=dc.example.com
-zjava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dweblogic.security.enableNegotiate=true h2. 7.2 Debug
-DDebugSecurityAdjudicator=true
-Dweblogic.debug.DebugSecurityAtn=true
-Dsun.security.krb5.debug=true
-Dweblogic.StdoutDebugEnabled=true";
-Dweblogic.log.StdoutSeverity=Debugh1. 8. Configuring the Identity Assertion Provider
In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
Again in Administation Console did this to example.com Security Realm:
h2. 8.1 -> Prividers: Add 3 Providers
Negotiate WebLogic Negotiate Identity Assertion provider 1.0
 DIA WebLogic Identity Assertion provider 1.0
 AD Provider that performs LDAP authentication 1.0 (Active Directory provider)
 Default WebLogic Authentication Provider 1.0
h2. 8.2 -> Change the default parameters
h3. 8.2.1 Negotiate WebLogic Negotiate Identity Assertion provider
-> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
-> Form Based Negotiation Enabled: Removed the tick
h3. 8.2.2 DIA WebLogic Identity Assertion provider (no changes)
(no changes)
h3. 8.2.3 AD Provider that performs LDAP authentication (Active Directory provider)
-> Control Flag: *SUFFICIENT*
-> User Name Attribute: *sAMAccountName*
-> Principal: *HTTP/[email protected]*
-> Host: *192.168.1.193*
-> User Base DN: *CN=Users,DC=example,dc=com*
-> Propagate Cause For Login Exception: *ticked*
-> Group Base DN: *CN=Users,DC=example,dc=com*
-> Credential: *password1*
* others left with their default values.
h1. 9. Configuring an Internet Explorer Browser
On Windows XP machine (winclient.example.com):
h2. 9.1 Configure Local Intranet Domains
- In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
> "Include all sites that bypass the proxy server" *ticked*
> "Include all local (intranet) sites not listed in other zones" *ticked*
- then in -> Advanced Dialog Box added this:
> weblogic.example.com
h2. 9.2 Configure Intranet Authentication
- In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custome Level:
> In the Security Settings dialog box -> the User Authentication section.
> "Automatic logon only in Intranet zone" *ticked*
h2. 9.3 The Proxy Settings
No proxies are enabled
h2. 9.4 Enable Integrated Windows Authentication
- In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
> "Enable Integrated Windows Authentication" *ticked* by default
Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM

I found something in Logfile:
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local conne
ction is false>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:
""}>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49);
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
According to this post: Re: WL10.3 and SSO and Active Directory
a correct ldap connection should look like this:
<LDAP Atn Login username: Administrator>
<userExists? user:Administrator>
<new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
<created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
<connection succeeded>
*<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
<getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*
Moreover, I turned AD's debug logging and this is what happens when I try to login with a AD user: Why "Anonymous Logon"?!
Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1535
Date: 9/4/2009
Time: 6:47:07 PM
User: NT AUTHORITY\*ANONYMOUS LOGON*
Computer: DC
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Any help would be greatly appreciated

Cannot view SharePoint Online documents through CRM Online Outlook Connector - iframe error

We are integrating CRM 2013 Online with SharePoint 2013 Online. We have installed the CRM List Component solution. We have also modified the SharePoint master page to permit display of SharePoint content in iframes. We can view SharePoint documents within
CRM using Internet Explorer after setting the Documents link for an opportunity to point to a document set in SharePoint. However we cannot view documents through the CRM Outlook Connector. We receive the error that "This content cannot be displayed in
a frame".
We have tried adding *.sharepoint.com, *.dynamics.com, and *.microsoftonline.com to IE's Trusted Zone with no effect.
The application launched by the Outlook Connector is called Microsoft.Crm.Application.Outlook.WebFormsHost and it's my understanding that it uses the IE engine to render online content.
Is there anyway to view SharePoint content embdedded in CRM via an iframe with the Outlook Connector?

I have the same problem here.
The integration works fine outside of Outlook, but if, for example, an account is opened within CRM for Outlook the error occurs.
- No masterpage modification
- Some security setting in IE 11 (perhaps IE 11 is the problem)
- Installed the solution in the used site collection
- Configured CRM settings
Dirk

Integration of SSO with Third Party Application

Hello Colleagues,
I have requirement where I have to integrate SSO with a third party application.
After some R & D I found out that there is some one class "SSO2Ticket.java" which can do that or help in verify the ticket.
Since I am new to this area, I am not sure how do I go ahead with the execution of this java file.
Can somebody help me with this.
Also, is there any documents which talks about SSO integration or about the above mentioned JAVA file.
Best regards,
Arvind

Which type of 3rd party application is this, and which SSO authentication methods does it support?
If you can find a common one, then that will be good for you.
Specifically for non-SAP systems re-using the SAP LogonTickets, I know that you can extract the user name from the ticket. I think SAP even provides some verification tools here for external applications to verify the ticket?
Currently there is much excitement about SAML 2.0 which is also worth taking a look into as well.
Cheers,
Julius

NW04 EP60 SSO with Tivoli

Hi there,
Is there any how-to guide or technical documentation on how to setup and configure NW04 EP6.0 on Web AS 6.40 for SSO with Tivoli Access Manager? I was only able to get IBM information but its based on EP5.0.
Thanks.

Hi Torsten,
From the document - In 2.c, what web appliation or template you use to add logon module HeaderVariableLoginModule?
2. Adjust the J2EE web applicationu2019s login module stack by adding in the HeaderVariableLoginModule:
a. In the Visual Administrator, choose Server (name) - Services - Security Provider.
b. Select Policy Configurations - Authentication.
c. Select the J2EE web application that is to be configured to support header variable authentication. Alternatively, an authentication template used by the J2EE Web application may be selected (for example, SAP NetWeaver EP Core uses the ticket authentication template). Modifying an authentication template will affect every application configured to use the template.
d. Add the login module HeaderVariableLoginModule to the login module stack by clicking on Add New and selecting HeaderVariableLoginModule.
Thanks.
Ed

When I open a pdf document from my dropbox to view it, the document shows up blank, even though it is filled out. This also happened with pdf documents that have been e-mailed to me.

When I open a pdf document from my dropbox to view it, the document appears blank, even though I know the information is actually there. This also has happened with pdf documents that have been e-mailed to me, then opened to view and they are blank?? Why are they showing up blank?

When I open emails with PDFs I click on the attachment (doing this all on my iPad) it gives me the option to "open in iBooks", I accept then after that the document is sucked into my iPad but I can't do anything with the PDF after that. Where is the actual file on my iPad? Why can't I email or send these PDFs to my cloud (Dropbox)?
It's like once they go into iBooks they're stuck forever.

10g - how to configure sso with iis-

hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
but I always meet this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
how to check?

hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
any setup on IIS are wrong? thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
     saw.odbc.connection.open
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
---------------------------------------

SSO with KRB/ADS on Enterprise Portal 7

Dear All
while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
i have attched the trace file extract for your advice..
Regards
Buddhike
#1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
sap.com/com.sap.security.core.admin
#com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
#0#0#Error#1#/System/Security/Authentication#Plain###
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
*Login Module Flag Initialize Login Commit Abort Details*1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
 at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
 at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
 at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
 at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
 at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
 at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
 at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied. at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
 at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
 at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
 ... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
 at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
 ... 23 more

Hi,
please check if the options defined in the KRB5LoginModule are correct.
First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
This error often occurs if you provided a wrong value for option prinicpal
Cheers

SSO with EP 6.0 and R/3 as backened not working

Hi ,
I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
What are the setting to be done in ITS for SSO towork. I have set the parameter
msapcomusesso2cookie = 1 in the global.svrc file.
I do not know what is wrong. Please help.
Regards,
Ramesh

Hi,
I am using a standalone ITS for a R/3 4.7 system.
How should I maintain a FQDN for ITS?
You are right,
now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
Regards,
Ramesh

SSO with XI 3.1

I have BO XI 3.1 SP3 installed on a Windows 2008 4 bit server. I enabled SSO with Tomcat, it is working but not all the times.
I configured SSO, when users go to Infoview it dosen't prompt them for user credentials but this is not happening all the time. I would say 50% it doesn't, 50% it does prompt, it is not consistent. Any one has seen this problem.
Thanks.

What documentatin are you using, also what are the desktop OS's? SSO occurs on the client workstation and when intermittent issues occur usually it's the client however their are some best practices that are in the current documentation. KB 1483762 should be used if possible.
Regards,
Tim

SSO with KM document shortcut in MS Outlook

Similar Messages

Maybe you are looking for