Windows Integrated Authentication on an ABAP data source

Dear Experts,
I have to implement Windows Integrated Authentication in my portal. By using Kerberos & SPNEGO, we can implement it very easily if the portal user ID & Windows (ADS) user ID are the same. But in my scenario the Windows ID & portal ID are different & the data source is already configured as ABAP. Can you suggest how we can achieve this requirement?
Regards,
VENU

Hi,
Isn't the property krb5principalname used to define the mapping of the user ID when you cannot use the AD standard samaccountname?
I think that the mapped user ID (as provided by krb5principalname) must be identical to the ABAP user ID. When the ABAP user ID isn't present in the LDAP information, SSO won't be possible. Somehow he needs to publish the ABAP user ID into the AD.
SAP Help:
http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c363ac31e30f3e10000000a11466f/frameset.htm
http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
br,
Tobais

Similar Messages

  • Are Multiple (Concurrent) ABAP Data Sources for AS Java UME Possible?

    Hi All,
    We have a solution which is using a JAAS logon module for partner authentication. For reasons I won't go into we have decided that it is best to use an ABAP data source. We will also be using the same JAAS approach for other ABAP applications in the future. Ideally we would configure the same JAAS server to use ABAP UME data sources from ABAP server 1 and ABAP server 2.
    I see there are provisions in the documentation for multiple UME data sources of different types but it doesn't clearly say about different concurrent data sources. Is this even possible? If so, is it wise?
    Thanks,
    Doug

    Julius,
    Thanks again for your reply. This is confusing. We have an existing .Net logon application where we centrally administer accounts and where users log in. On successful login they are issued a .net Auth cookie. Our JAAS module takes that cookie, does a web service call back to .Net and authenticates them. So authentication is done on the basis of the .Net cookie, not the java UME. We simply need a java ume to allow users to execute the application that invokes the JAAS module. The application invokes the JAAS module and if they successfully authenticate they are forwarded to the requesting SAP application. So the JAAS ume is really just needed to allow various users to run the JAAS invoking application starter. Ideally we'd use the same starter application for users of SAP Application 1,2,3, etc.
    So that's where the question came from on multiple ABAP  UME data sources for a single Java instance.
    Hope that makes sense. Regardless the answer I guess is not possible but you see the method to our madness. And yes it is madness.
    Thanks,
    Doug

  • WebLogic 10gR3 and Windows Integrated Authentication

    Hi:
    I have an intranet web application running on WebLogic 10gR3 and would like to make use of the Windows Integrated Authentication (SSO, SPNEGO, Active Directory) so that the intranet users don't have to log in to access the web application.
    In weblogic, I've managed to create an ActiveDirectoryAuthenticator and can see all the users and groups from Active Directory. Also created a NegotiateIdentityAsserter with both WWW-Authenticate.Negotiate and Authorization.Negotiate options.
    When I set the web.xml login-config to BASIC, the browser shows the login dialog and authentication happens through AD. I've changed the login-config to CLIENT_CERT as suggested by the documentation:
    <login-config>
         <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    but I'm getting the following error:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a
    WWW-Authenticate header field (section 14.46) containing a challenge
    applicable to the requested resource. The client MAY repeat the request
    with a suitable Authorization header field (section 14.8). If the request
    already included Authorization credentials, then the 401 response indicates
    that authorization has been refused for those credentials. If the 401
    response contains the same challenge as the prior response, and the user
    agent has already attempted authentication at least once, then the user
    SHOULD be presented the entity that was given in the response, since
    that entity MAY include relevant diagnostic information. HTTP access
    authentication is explained in section 11.
    Help is highly appreciated
    Albert
    Edited by: albertattard on Jul 13, 2009 3:40 PM
    Edited by: albertattard on Jul 13, 2009 3:42 PM

  • JavaMail Exchange Server Windows Integrated Authentication

    I need to send an email using Java Mail by Exchange Server that uses Windows Integrated Authentication.
    Is it possible? If so how?
    (I read some old posts and I got some info, but I have to be sure whether it is possible or not just for sending mail)

    Hi, jeff81.
    I had same problem with Win2003 server. Try this:
    Start -> Settings -> Control Panel -> Administrative Tools -> Services
    then select "PROPERTIES/LOGON" for necessary service.
    Change "Local System account" to your user account.
    Make sure that user account have necessary grants.
    ps. sorry my poor english :(

  • Exchange 2013 CU1 Outlook Web App LogOff with Basic or Windows Integrated Authentication

    Hi all,
    Exchange 2013 CU1 has a new OWA LogOff behaviour when Basic or Windows Integrated Authentication is configured. When clicking the LogOff button you receive the message "Close All your Browser Windows.." but OWA does not sign out. This is not the case when using Form-based Authentication...
    The problem in our case is the OWA publishing over the Internet via TMG. When publishing via TMG, only Basic and NTLM authentication is supported. This means you have to change the Authentication for the OWA Virtual Directory to basic or Windows Integrated.
    OK so far, now we can use the TMG Authentication Form. But... TMG is not able to catch the OWA LogOff. So we will still receive "Close all your Browser Settings.." and no log out from OWA.
    It is a known issue that TMG cannot catch the OWA Logoff with the Exchange 2013 CU1 release. So my question:
    Does anyone get that "Real LogOut" fixed via TMG or directly on the CAS Server for Exchange 2013 CU1?
    I know another possibility is to activate Form Based Authentication on the CAS Servers and external users directly authenticate against the CAS Server without pre-authentication at TMG Level, but this of course does not provide the highest security we can have.

    Hi SLShare,
    As far as I know, if there is no TMG involved, with Exchange 2013 when the user signs out of mail, the authentication tokens are cleared and the user will be presented with the Login Screen. There will not be a need to click on "Close Window" or any other pop ups that may appear.
    Therefore, you may ask the TMG forum about this question and see whether there is still some other workaround with which we can temporarily bypass this issue. For your convenience:
    Forefront TMG and ISA Server Forum - TechNet - Microsoft
    http://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • Windows Integrated Authentication Help From Middle Tier

    We are trying to enable single sign-on using Windows Integrated Authentication so that the user does not have to enter a username or password, they just get logged in automatically. I created the current Oracle account on the database and it works just fine when I try to connect from my local computer to the database. Our problem is that our application calls an application that runs as a Windows service on the middle tier, and so it gets an invalid username/password error. I can see in the audit logs that it is trying to connect to the database as NT AUTHORITY\ANONYMOUS LOGON.
    The client, middle tier, and database are all Windows based operating systems. The application is a .Net application and we turned on Impersonation, which we read will help pass the client OS user to the middle tier so that the application runs as them. And that appears to be working correctly. Again we can get this working when we host the Windows service locally, it just won't work when it is hosted on the middle tier. Any ideas how to get this to work?
    Oracle version 11.2.0.2 and 11.2.0.3
    Windows Server 2008 R2

    Hi, jeff81.
    I had same problem with Win2003 server. Try this:
    Start -> Settings -> Control Panel -> Administrative Tools -> Services
    then select "PROPERTIES/LOGON" for necessary service.
    Change "Local System account" to your user account.
    Make sure that user account have necessary grants.
    ps. sorry my poor english :(

  • Authentication error with Yammer Data Source

    Hi,
    I want to show Yammer posts in my Siena application (Beta 3). I have added a Yammer data source by providing the Client id (by registering the app) and provided the redirect URL as my organization's Yammer page (https://www.yammer.com/******.com).
    However, when I try any function it asks for credentials twice and gives the error “There was an error in retrieving sample data. Error : An error occurred during authentication”.
    Can you please let me know if I am missing something. I tried giving different redirect URLs (viz. http://bing.com), but same error.
    I tried the solution suggested here but no luck.
    Regards,
    Omkar

    I get the same error.
    I want to use an Excel source for a financial report. This Excel document has financial data for the previous year and does not need refreshing.
    It has approximately 27200 rows and columns from A to M.
    Is there any solution to use this datasource
    I use WebI Rich Client for Business Objects XI 3.1 (EDGE)

  • Does Data Integrator work fine with excel data sources?

    Post Author: sasidhar
    CA Forum: Data Integration
    Hi,
    We are pulling 10 different Excel data sheets into an Oracle database, is anybody aware of any issues migrating that data using BODI?
    Thanks,
    Sasi.

    Post Author: msavage
    CA Forum: Data Integration
    No it works great.  It used to be kind of crappy because you had to go through an ODBC connection to do it.  However in the last major version upgrade XIR2 they added it as an actual object in the Formats tab next to the Data Sources tab.  This makes it a lot easier as you can just drag the object into your data flow, enter in the appropriate information and you are good to go.

  • Windows Integrated Authentication to SAP R/3

    Hi,
    I don't know whether this issue has to be posted here or in WAS or GUI.
    Is there any way to do Integrated Windows Authentication to SAP R/3? Once the user logs in to the network domain and then to SAP GUI, the user should not be prompted for a user ID and should be taken directly into the Role Menu.
    I know for Portal it is possible, but I am not sure for R/3. Please let me know if there is any documentation for the same.
    Thanks & Regards
    Sumanth

    Sumanth,
    there are various variants to do so:
    If your R/3 is running on Windows (and in the same / trusted domain), you can use SNC with either NTLM or Kerberos authentication.
    Otherwise you can log on with SAP Logon Tickets. You mentioned already that you know NTLM/Kerberos is feasible with EP. Now, if you simply integrate your R/3 systems in EP by means of SAP logon tickets you have essentially a smooth SSO for your users.
    Finally, you can use ITS up to 6.20 on Windows to SSO to R/3 (the latter not necessarily on Windows, too). Simply set up webgui, activate SAP logon tickets and configure the PAS service to use Windows authentication.
    Whatever you decide on, all alternatives are a piece of cake to set up.
    Regards,
    Dominik

  • SPNEGO in portal with abap data source + mapping on login & alias id

    Hello
    I successfully set up the new SPNEGO authentication (with AD) on our EP7 portal.
    The SPNEGO module is configured with mapping mode "principal only" with source "login id".
    SSO is working perfectly for all users with the same 'sap login' as the AD login. (They can use the portal to connect to all SAP ECC6 servers through iViews without login & password.)
    But for users with a login name that differs between AD and SAP, this doesn't work. They have to enter their SAP login & password on the portal. So SPNEGO is not working for them.
    Such users have different login names between AD and SAP because the ABAP system limits user length to 12 characters. So I could not change the ABAP username.
    And I could not change their AD login name (too much impact).
    Example:
    p.nametoolong = 13 characters on AD but too long for ABAP
    p.name = 6, OK for ABAP but different from the AD login name.
    So if I could not change the login id I have to work on user mapping.
    The Portal UME uses our ABAP CUA as data source. So I could not set up user mapping inside the "user management".
    A solution could be that the SPNEGO mapping uses as source the "alias id" and not the "login id".
    So I have to set all the "alias id" values. I can do a script for copying in su01 all "login id" to "alias id" and then edit the "alias id" of users with a different AD login. (By the way, do you know a tx for that?)
    But this is a little dirty… is there a simple way to do that?
    It would be perfect if I could do mapping on user id or on alias id if it is set. So that I should only manage the alias id for users with a different AD name... is that possible?
    thank you !
    cdlt
    GSV
    Edited by: Patrick FABRIES on Oct 4, 2011 12:08 PM
    Edited by: Patrick FABRIES on Oct 4, 2011 12:11 PM

    Hi Patrick,
    Even if you perform this operation, the situation will worsen overtime.
    By the way, if you still want to do it, this is pretty simple: call 'BAPI_USER_CHANGE' with the username and pass:
    ALIAS = <new alias>
    ALIASX = 'X'
    Isn't there another attribute that you could use as a pivot: e-mail, maybe?
    Best regards,
    Guillaume
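The mapping wished for in this thread (use the alias when one is maintained, otherwise the login ID) can be modelled to check a user list for collisions before it is rolled out. This is an added example, not SAP code and not from the posters; the class and function names, the case-insensitive comparison and the user records are assumptions made for illustration.

```python
# Added illustration: a simplified model of "principal only" SPNEGO mapping
# with an alias fallback. Not SAP code; all user records are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ABAP_USER_MAX = 12  # ABAP user-name length limit cited in the post


@dataclass(frozen=True)
class AbapUser:
    login_id: str
    alias: Optional[str] = None  # alias maintained in SU01; None if unset


def principal_only(krb_principal: str) -> str:
    """Drop the realm: 'p.name@CORP.EXAMPLE' -> 'p.name'."""
    return krb_principal.partition("@")[0]


def needs_alias(ad_login: str) -> bool:
    """True when the AD login is too long to be used as the ABAP user name."""
    return len(ad_login) > ABAP_USER_MAX


def build_index(users: Iterable[AbapUser]) -> Dict[str, AbapUser]:
    """Key each user by alias when set, otherwise by login ID.

    Raises ValueError when two users share a key, because one AD principal
    would then resolve to an account that belongs to someone else.
    Comparison is case-insensitive (an assumption of this model).
    """
    index: Dict[str, AbapUser] = {}
    for user in users:
        key = (user.alias or user.login_id).casefold()
        if key in index:
            raise ValueError(
                f"{key!r} maps to both {index[key].login_id} and {user.login_id}"
            )
        index[key] = user
    return index


def resolve(krb_principal: str, index: Dict[str, AbapUser]) -> Optional[AbapUser]:
    """Return the ABAP user for a Kerberos principal, or None if unmapped."""
    return index.get(principal_only(krb_principal).casefold())


# Constructed sample data based on the example names in the post.
USERS = [AbapUser("P.NAME", alias="p.nametoolong"), AbapUser("J.DOE")]
INDEX = build_index(USERS)
```
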

  • Windows Integrated Authentication & SAP Logon tickets

    1) We have configured windows authentication and the IISproxy on a SPS frontend server to our SAP portal environment.
    2)We have configured SAP logon tickets on the SAP portal (running on hp-ux).
    3) Both the IIS server and the sap portal server exist on the same domain inside our firewall (iis_server.lsv.internal_company_name.com and sap_portal_server.lsv.internal_company_name.com)
    4) A virtual URL has been created on the IIS server, http://sap_portal.external_company_name.com, using a domain alias.
    5) When an authenticated user is passed from the IIS server to the SAP portal the SAP logon ticket that is created is for external_company_name.com alias rather than lsv.internal_company_name.com. This logon ticket is not accepted by any of the backend SAP systems that have been configured to accept logon tickets because they all exist in the lsv.internal_company_name.com domain.
    6) The portal security guide says:
    "The Portal Server issues a SAP logon ticket for the Internet domain or a sub-domain of the
    Portal Server only."
    Given this scenario, is there some configuration that can be added to allow the use of this alias or is there a bug in the SAP portal code that needs to be addressed?

    Hi,
    You cannot use the external alias. You can however set SSO on the portal not to look to the total url. For example it would work if you use:
    sap_portal_server.lsv.internal.company_name.com
    and
    sap_portal.external.company_name.com
    The prerequisite here is that at least the domain name should be the same i.e. the last two parts.
    Greetings,
    Vincent
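The shared-domain prerequisite in this answer can be checked for a given set of host names. The following is an added example, not SAP code and not from the posters; it assumes the logon ticket travels as a browser cookie matched by the usual cookie domain rule (RFC 6265), and the function names are illustrative.

```python
# Added illustration: how far a ticket cookie's domain must be widened before
# the browser sends it to every backend host. Not SAP code.
from typing import Iterable, Optional, Tuple


def ticket_domain(portal_host: str, labels_dropped: int) -> str:
    """Cookie domain left after dropping leading labels from the portal host."""
    labels = portal_host.lower().rstrip(".").split(".")
    if labels_dropped < 0 or len(labels) - labels_dropped < 2:
        # Never scope a ticket to a single label such as "com".
        raise ValueError("ticket domain must keep at least two labels")
    return ".".join(labels[labels_dropped:])


def browser_sends(cookie_domain: str, request_host: str) -> bool:
    """Cookie domain match: the host equals the domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def narrowest_scope(
    portal_host: str, backend_hosts: Iterable[str]
) -> Optional[Tuple[int, str]]:
    """Smallest widening that reaches all backends, or None if none exists.

    Returns (labels_dropped, cookie_domain). Narrower is safer: every host
    inside the cookie domain receives the ticket. The two-label floor is the
    rule of thumb from the answer above and does not account for public
    suffixes with more than one label.
    """
    backends = list(backend_hosts)
    label_count = len(portal_host.rstrip(".").split("."))
    for dropped in range(label_count - 1):
        domain = ticket_domain(portal_host, dropped)
        if all(browser_sends(domain, backend) for backend in backends):
            return dropped, domain
    return None


# Host names taken from the thread.
WORKING = narrowest_scope(
    "sap_portal.external.company_name.com",
    ["sap_portal_server.lsv.internal.company_name.com"],
)
FAILING = narrowest_scope(
    "sap_portal.external_company_name.com",
    ["sap_portal_server.lsv.internal_company_name.com"],
)
```
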

  • "Open sql" report no data sourced defined in windows

    when I want to import data from sql database, the Open sql window report error
    "There are no data sourced defined. Please create one to continue",
    but I have defined the odbc data source using windows 's odbc administrator, why the error?
    chuliang

    A couple of possibilities.
    First are you licensed for Sql interface? If not, you might get that message.
    Second, where did you create the ODBC connection on your computer or the server. It has to be on the server.
    Third, did you create the odbc as a system driver? it needs to be so
    Fourth, what operating system? If it's unix or AIX there is a whole bunch more you need to do to get odbc connections working. If it's windows, it's pretty easy.
    Fifth, did you test the connection before trying it in Essbase?

  • SSRS 2008 R2 data source authentication issue

    Hello,
    End-users with Browser permissions for the necessary SSRS folders and reports are getting "The permissions denied to user [Windows user] are insufficient for performing this operation (rsAccessDenied)" even though the data source for the report is configured
    to use "credentials stored securely in the report server" and "Use as Windows credentials when connecting to the data source" is checked. Users who are members of the local admin machine hosting the Report Manager site don't get the error. But users with full
    control permissions to the SSRS directories, including the config files, do get the error. Obviously, the solution shouldn't entail giving end-users local admin or even full control permissions to the SQL Server SSRS folders.  Moreover, the error only
    occurs when using Windows credentials but not when using only a database credential, i.e. non Windows credentials.  This workaround doesn't work for me since I'm also using a data source connection to SSAS, which doesn't appear to use database logins
    - only Windows credentials that are added to roles.
    Please advise.
    Thanks,
    Ben Lezin

    Hi Ben,
    Generally, the error "The permissions denied to user [Windows user] are insufficient for performing this operation (rsAccessDenied)" should be caused
    by one of the following reasons:
    1. User Access Control (UAC). Windows Vista, Windows 7 and Windows Server 2008 limit the overuse of elevated permissions by removing administrator permissions
    when accessing applications. Because the operating system removes permissions, members of the local Administrators group run most applications as if they are using the Standard User account.
    If this issue is caused by UAC, please run Internet Explorer as administrator. From the Start menu, click All Programs, right-click Internet Explorer,
    and select Run as administrator. For more information about UAC, please refer to this document:
    http://msdn.microsoft.com/en-us/library/bb630430.aspx
    2. User has insufficient permissions to perform the operation. Please check the following items:
    a. End-users belong to "Browser" role. In Report Manager Home page, click "Folder Settings", make sure the end-users are in the security list and with
    Browser role permission.
    b. "Browser" role has permissions to perform the operation. You can use SSMS to connect to report server, expand Security/Roles, double click "Browser",
    and then check the tasks list.
    If there is anything unclear, please feel free to ask.
    Thanks,
    Albert Ye

  • Launch ODBC data source window in Java

    Hi, in Windows OS, when configuring the database data source, I have to launch the ODBC data source administrator window in the control panel. I think this is a troublesome thing. Can I call the window in a Java program directly? Thanks.
    Liwei

    I read this recently on this Forum. So, yes .. apparently it can be done.
    <------ Search 'DB' etc - by date and look for something 2 days back. Also if you check the New To.. forum I posted a jdbc.odbc program about 5 days back to test your driver. Good luck (actually this is a bit tricky the first time, so keep at it)

  • Where is the UME data source configuration XML file stored on the server?

    I'm trying to activate windows integrated authentication in my portal server.  The java engine's UME configuration has been loaded as a deep AD read only database using the file "dataSourceConfiguration_ads_deep_readonly_db.xml" but I can't find this on my server.  I need to modify a couple of parameters in there to activate kerberos principal management.  My recent portal training course offered me a completed working example but it was for an ads_flat_writeable_db so I can't simply load that and I need to understand the changes required.
    Where do I find the configuration file on my java instance server so I can make the necessary changes to a copy and upload that?

    Try to read
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e1959b90-0201-0010-849c-d2b1d574768b
    UME user data is stored in one or more data sources. Each type of data source has its own persistence adapter. The persistence manager consults the persistence adapters when creating, reading, writing, and searching user management data. Persistence adapters for the following types of repositories are available:
    1. Database: See the Product Availability Matrix on SAP Service Marketplace (http://service.sap.com/pam60) for details on which databases are supported.
    2. Lightweight Directory Access Protocol (LDAP) directory: See the Product Availability Matrix on SAP Service Marketplace (http://service.sap.com/pam60) for details on which directories are supported.
    3. SAP Systems based on Web Application Server 6.20
    You can configure UME to use one or more of these persistence devices in parallel. Users can also be stored in several different physical LDAP directory servers, or in different branches of the same LDAP directory server.
