gregorw

Update: Please take a look at SAP Note 886214 - End of Maintenance of IisProxy ISAPI module. This logon procedure will no longer be supported! There are two blogs describing the new Kerberos-based authentication:

In Part 1 of 2 of this weblog series, Integrated Windows Authentication with SAP EP 6.0 SP 3 and higher, you saw how to configure the IisProxy module in Microsoft IIS. Now we are going to adapt the user management configuration in the Portal so that it accepts the authentication performed by IIS. Comprehensive documentation can be found at http://service.sap.com/security -> Media Library -> Technical Documentation -> 'Using Header Variables and Integrated Windows Authentication'.

Configuring IIS for authentication

But let’s start with my quick and easy description. First of all, we have to change the IIS configuration so that only authenticated users are allowed to connect.

  • Start IIS Manager
  • Right-click on Default Website -> Properties
  • Tab: Directory Security
  • Edit...
  • Disable Anonymous access
  • Ok
  • Tab: Web Site
  • Check that "Keep Alive" is activated
  • Ok

Configure User Management of the Portal

Now we can change the User Management configuration. In the first step we add a new Login Module.

  • Start the J2EE Visual Admin
  • Open Server -> Services -> Security Provider
  • Select the User Management tab and choose Manage Security Stores.
  • Add Login Module.
  • Ok
  • Class Name: com.sap.security.core.server.jaas.HeaderVariableLoginModule
  • Display Name: HeaderVariableLoginModule
  • OK

With that done, we check which authentication scheme is used in our installation:

  • Server -> Services -> Configuration Adapter
  • cluster_data -> server -> persistent -> com.sap.security.core.ume.service -> authschemes.xml.
  • If you haven’t made any changes so far, the result should match the one shown in the documentation

Please continue only if you have read the documentation and your check returns the same result as shown in the documentation.

  • In Visual Admin open Server -> Services -> Security Provider
  • Click on ticket
  • Add New -> HeaderVariableLoginModule
  • Click on HeaderVariableLoginModule -> Modify
  • Set: Position 2, Flag Optional, ume.configuration.active = true, Header = REMOTE_USER, windows_integrated = true. Additionally, you can add the option domain with a comma-separated list of Windows domains.
  • Add New -> CreateTicketLoginModule
  • Click on CreateTicketLoginModule-> Modify
  • Set: Position 3, Flag Sufficient, ume.configuration.active = true
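
How the stack configured above decides a logon, as an added example that is not part of the original post and not SAP code: it applies the standard JAAS control-flag rules to the two modules added here. The entries at positions 1, 4 and 5, the simplified module behaviour, and the domain name CORP are assumptions made for illustration.

```python
# Added example: simplified model of the modified "ticket" login module stack.
# Flag handling follows standard JAAS; module internals are assumptions.

def run_stack(stack, request):
    """Return (authenticated, user, names of the modules that ran)."""
    state = {"user": None}              # shared state handed from module to module
    ran, mandatory_failed, any_ok = [], False, False
    has_mandatory = any(f in ("REQUIRED", "REQUISITE") for _, f, _ in stack)
    for name, flag, module in stack:
        ok = module(request, state)
        ran.append(name)
        any_ok = any_ok or ok
        if ok and flag == "SUFFICIENT" and not mandatory_failed:
            return True, state["user"], ran      # success ends evaluation
        if not ok and flag in ("REQUIRED", "REQUISITE"):
            mandatory_failed = True
            if flag == "REQUISITE":
                return False, None, ran          # failure ends evaluation
    ok = (not mandatory_failed) if has_mandatory else any_ok
    return ok, (state["user"] if ok else None), ran

def evaluate_ticket(req, state):
    if req.get("ticket_user"):                   # ticket validation is stubbed out
        state["user"] = req["ticket_user"]
    return state["user"] is not None

def header_variable(allowed_domains):
    def module(req, state):
        # The header is trusted as-is: IIS is expected to have authenticated the user.
        value = req.get("headers", {}).get("REMOTE_USER", "")
        domain, _, user = value.rpartition("\\")
        if not user or (allowed_domains and domain.upper() not in allowed_domains):
            return False
        state["user"] = user                     # windows_integrated: domain prefix dropped
        return True
    return module

def create_ticket(req, state):
    return state["user"] is not None             # assumption: needs an authenticated user

def basic_password(req, state):
    if req.get("password_ok"):                   # password check is stubbed out
        state["user"] = req["login"]
    return bool(req.get("password_ok"))

STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),           # assumed default
    ("HeaderVariableLoginModule", "OPTIONAL", header_variable({"CORP"})),   # position 2
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),               # position 3
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),              # assumed default
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),                 # assumed default
]
```

A request carrying REMOTE_USER from an accepted domain ends at position 3 with a ticket; any other request falls through to the password module, which is why the header module is Optional and the ticket module after it is Sufficient.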

Configure Logoff URL

When you use integrated Windows authentication you should define a URL where the browser is redirected when you click logoff. This is described in SAP Note #696294. Here in short form:

  • Login to the Portal
  • Choose System Administration -> System Configuration -> UM Configuration -> Direct Editing
  • Set the parameter ume.logoff.redirect.url to a valid URL
  • Restart the J2EE Server

Testing

When you open the URL http://your.portal.host/irj you may get the error message: “The request entity must be less than 4096 The request entity must be less than”. In that case you have to apply SAP Note No. 657759:

  • Start Visual Admin
  • Open Dispatcher -> Services -> HTTP Provider
  • Set MaxRequestHeadersLength to 16384

Now there is no more login screen when you access the Portal. I wish you happy Single Sign-On.

Related SAP Notes

  • 713568 - Troubleshooting IisProxy module
  • 715303 - IIS 6 specific configurations for IisProxy module
  • 706968 - Problems with Windows integrated authentication
  • 629947 - IisProxy: Release notes and known issues
  • 629946 - IisProxy: Manual installation and update
  • 734462 - EP 6.0: HTTP 400 Error when using IIS 6.0 and Portal
  • 886214 - End of Maintenance of IisProxy ISAPI module
  • Microsoft Knowledge Base article 820129