UI5 and SPNEGO authentication

Hi,
we already use the Netweaver Gateway to provide some OData services.
These services are consumed by some 3rd party software components.
To authenticate the user at the Gateway, these applications are using the SPNEGO authentication mechanism.
Now I wanted to start to develop my first UI5 app. Of course I'd like to consume the OData services from our existing gateway installation.
The main problem that I'm currently facing is that I don't know how to use Single Sign On (based on Kerberos tickets) to consume the gateway services from a UI5 app. I would like to use SPNEGO but I didn't find any information on how to implement SPNEGO in a UI5 app.
Can you please provide me some information (or even some code snippets) on how to use SPNEGO authentication from a UI5 app!?!?
Thanks in advance
Holger

Hi Michael,
Thanks for that.  My opinion of secondary authentication is the same, but hey ho.  The client insists.  I think the main iview is the payslip iview, so it is on the same server as the portal. 
My thinking was that as form based logon uses com.sap.portal.runtime.logon.certlogon and basic authentication uses com.sap.portal.runtime.logon.basicauthentication they could have different priorities set in authschemes.xml and consequently it asks for secondary authentication.  However, I see your point that they are both in the ticket logon stack.
Paul

Similar Messages

  • Logoff not working after SPNego Authentication

    Hi Experts,
    Configured SPNego authentication successfully.
    But after clicking the logoff button I am logged back in again.
    As per some advice, I did as follows:
    Example: Portal SSO URL: http://portal.example.com
    Create a URL like http://nonssoportal.example.com (Create the name in the DNS and point it to the IP of your portal server)
    Changed the logoff parameter to point to the new URL. After a restart, clicking logoff went to the new URL, but the SSO ticket is still authenticating.
    I need to get the login page again so that I can log in with administrator or other test user IDs.
    Please post your suggestions.
    Regards,
    Raja. G

    Hi,
    Created the alias for that server and made the logoff URL http://<alias of the server>:<port>/irj/portal.
    Now I am able to get the login page; however, it asks for Windows authentication while logging off.
    If we click cancel, then we are able to get the login page.
    Any idea how to avoid the popup asking for Windows credentials?
    Regards,
    Raja. G

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
    1. Can Kerberos and NTLM authentication be configured together.
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
    3. Any other approach to make Portal Drive SSO work.
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    First, I made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication.
    Second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest version.
    Hope this helps
    Marcel

  • HTTP/SPNEGO Authentication

    Hi,
    Having read in posting http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15 that "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens" I'm still wondering why the getPasswordAuthentication() in class MyAuthenticator of Sun's HTTP/SPNEGO example (2nd case) (http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Example) is not called upon starting the client without giving any arguments, i.e.
        java RunHttpSpnego http://www.ad.local/hello/hello.html
    From the server the client receives a
        WWW-Authenticate: Negotiate
    response, and the client should enter the HTTP/SPNEGO challenge/response protocol.
    To summarize, class MyAuthenticator looks like:
        class MyAuthenticator extends Authenticator {
            public PasswordAuthentication getPasswordAuthentication() {
                // I haven't checked getRequestingScheme() here, since for NTLM
                // and Negotiate, the username and password are all the same.
                System.err.println("Feeding username and password for "
                   + getRequestingScheme());
                return (new PasswordAuthentication(kuser, kpass.toCharArray()));
            }
        }
    It should be called as a side effect of openConnection() upon executing the following code:
        Authenticator.setDefault(new MyAuthenticator());
        URL url = new URL(args[0]);
        InputStream ins = url.openConnection().getInputStream();
        ...
    My client environment is Windows Vista, Java 1.6.0_16, and the client is not a member of an Active Directory.

    Perhaps the issue is with this quote:
    "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens"
    I believe the HttpURLConnection class in JDK 1.6 can handle NTLM.
    Meaning, if you logon to your workstation as a domain user and run the java code, it is probably using NTLM.
    I recall noticing this when I put TCPMon between the workstation and the server.
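
An added example, not part of the original thread or of Sun's sample code: the reply above suspects the client used NTLM and checked the traffic with TCPMon. The sketch below makes the same check on a captured `Authorization` header value by decoding the token and reading which mechanism it carries; the function names and the sample tokens are constructed for this example.

```python
import base64

# DER content bytes of the mechanism OIDs (tag and length stripped).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos",
              OID_MS_KRB5: "Kerberos", OID_NTLM: "NTLM"}
NTLM_SIGNATURE = b"NTLMSSP\x00"


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, pos, pos + length


def classify_token(token):
    """Name the mechanism carried by a decoded Negotiate/NTLM token."""
    if token.startswith(NTLM_SIGNATURE):
        return "NTLM"  # bare NTLMSSP message, no GSS-API framing
    try:
        tag, pos, _ = read_tlv(token, 0)
        if tag != 0x60:  # 0x60 = GSS-API initial token, 0xA1 = NegTokenResp
            return "SPNEGO continuation" if tag == 0xA1 else "unknown"
        tag, start, pos = read_tlv(token, pos)
        mech = MECH_NAMES.get(token[start:pos]) if tag == 0x06 else None
        if mech != "SPNEGO":
            return mech or "unknown"  # raw mechanism token, no SPNEGO wrapper
        # NegTokenInit: [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, end = read_tlv(token, pos)
            if tag != expected:
                return "unknown"
        offered = []
        while pos < end:
            _, start, pos = read_tlv(token, pos)
            offered.append(MECH_NAMES.get(token[start:pos], "other"))
    except ValueError:
        return "malformed"
    return "SPNEGO/" + offered[0] if offered else "malformed"  # first = preferred


def classify_authorization(header_value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not Negotiate/NTLM"
    if not blob.strip():
        return "challenge without token"
    try:
        return classify_token(base64.b64decode(blob.strip(), validate=True))
    except ValueError:  # binascii.Error is a ValueError
        return "malformed"


def der(tag, content):
    """Encode one DER element (helper for the constructed samples)."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n] if n < 0x80 else [tag, 0x80 | len(size)] + list(size)) + content


def sample_header(mech_oids, mech_token):
    """Build a constructed SPNEGO NegTokenInit as a Negotiate header value."""
    mech_list = der(0x30, b"".join(der(0x06, oid) for oid in mech_oids))
    init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    token = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

A result of "NTLM" or "SPNEGO/NTLM" on the client's request means no Kerberos service ticket was used for that connection.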

  • What is SPNego Authentication Scheme?

    Could anybody please give me overview of SPNego authentication scheme?
    Why is it needed? Are any docs available?
    Thanks in advance.
    Any help will be highly appreciated.
    Thanks and Regards
    Gaurav Namdeo

    Hi Gaurav,
    SPNego is an authentication scheme, and it overcomes the limitations of other schemes; for example, it works smoothly with Unix and other OSes, and many more.
    Go through these links.
    spnego
    Download ZIP archive from SAP Note 994197
    Unzip the archive
    Deploy EARs
    sap.comtcsecauthjmx~ear.ear
    sap.comtcsecauthspnego~wizard.ear
    ecurity_example.ear
    Active Directory configuration and further settings have to be done. In the ZIP file you will get a user guide; just refer to that and proceed according to it.
    Regards
    Vinit

  • SPNego authentication to Portal

    Hi
    Can anyone tell me whether SPNego authentication would work when you call the Portal via a web dispatcher? I can authenticate automatically when calling the Portal directly so I know it's configured and working when called directly.
    We have hidden our servers behind a VLAN and allow access only via the web dispatchers.
    Thanks
    Mark

    Thanks Patrick
    Have you got this scenario working yourself?
    I have the following scenario. False names to protect the innocent!!!
    Let's assume Portal server is called - pserver1.sap.somedomain.com
    N.B. Sits in subdomain sap of domain somedomain.com
    It is fronted by two load balanced web dispatchers in the parent domain somedomain.com
    webdisp1.somedomain.com
    webdisp2.somedomain.com
    load balancer is referred to as webdisp.somedomain.com
    To gain access to the portal the dispatcher is running on port 8107 on both web dispatchers
    so...
    Direct access to portal is
    http://pserver1.sap.somedomain.com:50000/irj/portal
    Web dispatcher access is
    http://webdisp.somedomain.com:8107/irj/portal
    Because i'm not sure I have grasped the full implications of Kerberos realms I have set up the following on both domains. It's overkill I know but I wanted to be sure.
    service user s-sid-j2ee on DC for sap.somedomain.com
    setspn -a HTTP/webdisp.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp1.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp2.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/pserver1.sap.somedomain.com s-sid-j2ee
    service user s-sid-j2ee on DC for somedomain.com
    setspn -a HTTP/webdisp.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp1.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/webdisp2.somedomain.com:8107 s-sid-j2ee
    setspn -a HTTP/pserver1.sap.somedomain.com s-sid-j2ee
    I configured the SPNEGO wizard with both realms and their respective service users.
    result
    I get logged in when accessing pserver1
    I don't when accessing via web dispatcher load balanced address or each individual web dispatcher.
    Any ideas?
    Thanks
    Mark

  • SPNEGO Authentication Error

    I have a web application monitor that is throwing an odd error.  It tells me that the "Response Body Evaluation Result" is in error and when I check the response body, I get:
    <html><head><title>SPNEGO authentication is not supported.</title></head><body>SPNEGO authentication is not supported on this client.</body></html>
    The odd part is that the monitor is set up with no authentication.  So, why am I getting this error?
    Thanks
    Bert

    It sounds like the server asks for negotiation of authentication (windows auth?) and since your client doesn't use it, it gets an error. Maybe you would have to use windows auth with this site, in your synthetic test?

  • SPNego Authentication

    Hi
    I am trying to implement SPNego authentication.
    I have installed KerbTray on my system. I am getting a blank screen.
    The List Tickets doesn't come up with anything. Client Principal says "No Network Credentials".
    Please let me know if anything needs to be done.
    I have created a service User and SPN for the same.
    Thank you
    Regards

    Hi
    I am getting the following error. This analysis is through Diagtool.
    Please, I need a solution badly.
    6.com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest
    2009/04/08 19:30:30 class com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest
    This test tries to authenticate the J2EE service user against the KDC using
    the Kerberos configuration of the J2EE engine. It copies the "krb5.conf" and
    "keytab" files used by the J2EE engine and generates "jaas.conf" file that
    contains "com.sun.security.jgss.accept" policy configuration with
    "Krb5LoginModule" login module that has the same options like in the J2EE
    engine. The output of the test contains the traces of the Krb5LoginModule.
    Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is j2ee-dep-depportalMWRD.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    >>>KinitOptions cache name is C:\Documents and Settings\depadm\krb5cc_depadm
    Error creating GSS context.
    [EXCEPTION]
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
    at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.createGSSContext(Krb5ServerTest.java:104)
    at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.execute(Krb5ServerTest.java:75)
    at com.sap.engine.config.diagtool.Task.execute(Task.java:55)
    at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:334)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:385)
    Caused by: javax.security.auth.login.LoginException: java.lang.UnsatisfiedLinkError: C:\j2sdk1.4.2_12-x64\jre\bin\w2k_lsa_auth.dll: %1 is not a valid Win32 application
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1586)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1503)
    at java.lang.Runtime.loadLibrary0(Runtime.java:788)
    at java.lang.System.loadLibrary(System.java:834)
    at sun.security.krb5.Credentials$1.run(DashoA12275:585)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.Credentials.a(DashoA12275:582)
    at sun.security.krb5.Credentials.acquireDefaultCreds(DashoA12275:423)
    at sun.security.krb5.Credentials.acquireTGTFromCache(DashoA12275:277)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:520)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
    at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.createGSSContext(Krb5ServerTest.java:104)
    at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.execute(Krb5ServerTest.java:75)
    at com.sap.engine.config.diagtool.Task.execute(Task.java:55)
    at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:334)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:385)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:730)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
    ... 15 more
    Acquire credential failed for realm MWRD.LOCAL
    Thank you
    Regards
    Krishna kanth
    Edited by: siddi siddi on Apr 9, 2009 9:05 PM

  • Graphics builder and os authentication

    I'm running on NT 4 sp6. I'm trying to get OS authentication working with graphics. It works great for forms and reports, but I cannot get graphics builder or the graphics runtime to work with os authentication. I've tried it with developer 2000 r2 and 6i release 2. Thanks in advance.

    Is the state of OCCI and OS Authentication still the same? Or has it changed in the 2.5 years since this question was first asked and answered?
    I've yet to find any indication that it is now supported, but could I get confirmation of that fact?
    If it is not, what is the Oracle recommended method for accomplishing this?

  • Remote users sending email - RBL and SMTP authentication

    I've read about the problem of using RBL's with remote Outlook IMAP/SMTP users who may be using dynamically assigned IP addresses. There is a good chance that they will appear on the RBL and so not be able to send email via the GWIA.
    One workaround is to have them send their email via their ISP's SMTP server, but this is a pain, because when they are back in the office, they need to switch their SMTP server back to the inhouse one.
    So on the GW 7.0.3 server running on SLES 10, I wondered if the one host could handle multiple GWIA's??
    1st existing GWIA:
    To handle the regular in/out email with RBL's protection on it.
    2nd new GWIA on a separate port but same IP address to handle just inbound email. This would be used by remote users and require authentication so no need for an RBL on it.
    Is this a sound approach?
    Any gotchas for setting up two gwia's on the one server and IP address besides separate ports?
    I am aware there is the option of using the GroupWise client or webmail, but firstly these users don't want to change from "LookOut" due to their address book sync with their mobile phones and secondly sometimes they like to use their smart phones for remote email synchronisation.

    Maybe I should simplify this a little...
    Can the one host handle multiple GWIA's??
    1st existing GWIA:
    To handle the regular in/out email with RBL's protection on it.
    2nd new GWIA on the same host and IP address, but on a separate port to handle just inbound email. This would be used by remote users and require authentication.

  • Can we provide UN and pwd Authentication 4r SMTP Mail Configuration

    Dear All,
    Previously we were able to send mails from SAP to the outside world. After changing the mail server to MS Exchange 2003
    we enabled port 25.
    We are facing a problem While configuring a mail via SMTP for Exchange Server 2003.
    Throws an Error Message:
    Internal error: CL_SMTP_RESPONSE ESMTP error code is not known. 554 554 > : Recipient add
    As per network Team :
    Unless we provide a Username and password, the Send/Receive process does not happen.
    Is there any option in SAP - SMTP Mail Configuration to Provide user and password Authentication.
    I searched in SDN as well as in market place. but i could not succeed. Please guide me the process.
    Regards
    SNB.

    Hi we are configuring Google SMTP getting below error..
    No delivery to xxx.com, authentication required
    Message no. XS856
    Diagnosis
    The message was processed successfully in the SAP system. The mail server that is to receive the message for further processing requires authentication. Probably there is no logon data specified in the SAPconnect configuration.
    Information from external system (if available)
    smtp.gmail.com:587
    530 5.7.0 Must issue a STARTTLS command first. i91sm11178241qgd.25 - gsmtp
    Procedure
    Enter the logon data in the SAPconnect node.
    Using Gmail SMTP server using "smtp.gmail.com" with port 587
    Please advise.
    Regards,
    Sudarshan

  • XI 3.1 Client Tools and LDAP Authentication

    I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
    [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
    Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

    Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
    Take a look at note 1272536 (http://service.sap.com/notes)
    Regards,
    Stratos

  • Username and Password authentication

    Hi,
    I am new to both JDBC and MSSQL. I've been connecting to msSQL server without providing username and password (DriverManager.getConnection(String url)). I am wondering how to enforce the username and password authentication so that username and password have to be verified before a connection is made. Thanks in advance.

    "but where can I get the username & password? I can get the connection even with any username & password, why?"
    Hi WeiHang,
    This is regarding the options you have set in the SQL Server. You have to choose from Windows NT authentication and SQL Server Authentication. If you give SQL Server authentication you have mentioned the username and password and you can connect to database simply using DSN (if you are using JDBC-ODBC). However if you choose Windows NT authentication you do not specify the user name and password there and you have to enter the same at runtime.
    Hope this can help you

  • Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

    I installed the SQL server Express 2008 R2 and then SQL Server Management Studio 2008 R2. But during the installation, I could not choose the both SQL and windows authentication mode and an error occurred so I did that just with windows authentication mode.
    Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
    Following steps are the steps that I went but I got an error:
    Server properties >> security >> choose the option of SQL Server and Windows Authentication mode 
    and the error that I got is attached(access is denied)  
    Can you please help me?

    You can change the setting after you gain admin rights to your SQL Server. You don't get admin rights automatically; you have to explicitly add yourself during the install.
    Here's a guide on how to (re)gain those rights:
    http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

  • Cisco ISE (1.3) Posture and re-authentication

    Hello,
    With posture and re-authentication, during the re-authentication the posture status switches to pending. This results in a redirect to client provisioning and a temporary but unwanted state with no access to network resources.
    Is there a way to work around this?
    Regards,
    Dennis

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
    Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.
