
Integrated Windows Authentication with SAP EP 6.0 SP 3 and higher Part 2 of 2

Update: Please take a look at SAP Note 886214 – End of Maintenance of IisProxy ISAPI module. This logon procedure will not be supported anymore! There are two blogs describing the new Kerberos-based authentication:

In Integrated Windows Authentication with SAP EP 6.0 SP 3 and higher Part 1 of 2 of this Weblog series you’ve seen how to configure the IisProxy Module in Microsoft IIS. Now we are going to adapt the User Management configuration in the Portal to accept the authentication performed by IIS. Comprehensive documentation can be found at -> Media Library -> Technical Documentation -> ‘Using Header Variables and Integrated Windows Authentication’.

Configuring IIS for authentication

But let’s start with my quick and easy description. First of all we had to change the configuration of our IIS so only authenticated users are allowed to connect.

  • Start IIS Manager
  • Right-click on Default Website -> Properties
  • Tab: Directory Security
  • Edit…
  • Disable Anonymous access
  • Ok
  • Tab: Web Site
  • Check that “Keep Alive” is activated
  • Ok
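One way to confirm that both settings took effect is to capture the reply IIS gives to a request sent without credentials and check it, shown here as an added example that is not part of the original post. The function names and the two sample responses are constructed for illustration.

```python
# Added example: checks a captured reply to an unauthenticated request
# against the IIS settings above. Sample responses are constructed.
SAMPLE_OK = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
             "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
             "Content-Length: 0\r\n\r\n")
SAMPLE_ANON = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
               "Connection: close\r\nContent-Length: 0\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response head into (version, status, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    version, status = status_line.split(" ", 2)[:2]
    headers = {}
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def check_iwa_frontend(raw):
    """Return findings; an empty list means the response matches the setup."""
    version, status, headers = parse_response(raw)
    findings = []
    if status != 401:
        findings.append(f"got {status} without credentials: anonymous access still enabled?")
    schemes = {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v}
    if not schemes & {"negotiate", "ntlm"}:
        findings.append("no Negotiate or NTLM challenge offered")
    conn = ",".join(headers.get("connection", [])).lower()
    # HTTP/1.1 connections persist unless the server sends "close";
    # HTTP/1.0 needs an explicit "keep-alive".
    persistent = "close" not in conn if version == "HTTP/1.1" else "keep-alive" in conn
    if not persistent:
        findings.append("connection not kept alive: check the Keep Alive setting")
    return findings

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("anonymous", SAMPLE_ANON)):
        print(label, check_iwa_frontend(raw) or "no findings")
```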

Configure User Management of the Portal

Now we can change the User Management configuration. In the first step we add a new Login Module.

  • Start the J2EE Visual Admin
  • Open Server -> Services -> Security Provider
  • User Management tab and choose Manage Security Stores.
  • Add Login Module.
  • Ok
  • Class Name:
  • Display Name: HeaderVariableLoginModule
  • OK

With that done, we check which Authentication Scheme is used in our installation:

  • Server -> Services -> Configuration Adapter
  • cluster_data -> server -> persistent -> -> authschemes.xml.
  • If you haven’t made any changes so far, the result should match the one shown in the documentation

Please continue only if you have read the documentation and your check returns the same result as in the documentation.

  • In Visual Admin open Server -> Services -> Security Provider
  • Click on ticket
  • Add New -> HeaderVariableLoginModule
  • Click on HeaderVariableLoginModule -> Modify
  • Set: Position 2, Flag Optional, = true, Header = REMOTE_USER, windows_integrated = true. Additionally you can add the option domain with a comma-separated list of Windows domains.
  • Add New -> CreateTicketLoginModule
  • Click on CreateTicketLoginModule-> Modify
  • Set: Position 3, Flag Sufficient, , = true
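How the Position and Flag values chosen above play out at logon, as an added example that is not SAP code or part of the original post. It applies the standard JAAS control-flag rules; only positions 2 and 3 come from the steps above, while the other stack entries (EvaluateTicketLoginModule, BasicPasswordLoginModule) and the simplified module behaviour are assumptions.

```python
# Added example: JAAS control-flag evaluation for the "ticket" stack.
# Positions 2 and 3 come from the steps above; the other entries and the
# module behaviour below are simplified assumptions, not SAP code.
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "OPTIONAL"),   # position 2
    ("CreateTicketLoginModule", "SUFFICIENT"),   # position 3
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def run_module(name, request, state):
    """Simplified module logic: set state['user'] on success, return bool."""
    source = {
        "EvaluateTicketLoginModule": "ticket_user",    # valid logon ticket
        "HeaderVariableLoginModule": "REMOTE_USER",    # header set by IIS
        "BasicPasswordLoginModule": "password_user",   # checked form logon
    }.get(name)
    if source is None:                 # CreateTicketLoginModule
        return "user" in state         # needs an already authenticated user
    if request.get(source):
        state["user"] = request[source]
        return True
    return False

def authenticate(request, stack=STACK):
    """Return (authenticated, user, trace) using standard JAAS flag rules."""
    state, trace, required_failed, any_ok = {}, [], False, False
    for name, flag in stack:
        ok = run_module(name, request, state)
        trace.append(f"{name}:{'ok' if ok else 'fail'}")
        any_ok = any_ok or ok
        if ok and flag == "SUFFICIENT" and not required_failed:
            return True, state["user"], trace      # stop, stack succeeded
        if not ok and flag == "REQUISITE":
            return False, None, trace              # stop, stack failed
        if not ok and flag == "REQUIRED":
            required_failed = True
    ok = any_ok and not required_failed
    return ok, state.get("user") if ok else None, trace

if __name__ == "__main__":
    for req in ({"REMOTE_USER": "jdoe"}, {"password_user": "jdoe"}, {}):
        print(req, authenticate(req))
```

Because HeaderVariableLoginModule is only Optional, a request without REMOTE_USER does not fail the stack at position 2; it falls through to the password module further down.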

Configure Logoff URL

When you use integrated Windows authentication you should define a URL where the browser is redirected when you click logoff. This is described in SAP Note #696294. Here in short form:

  • Login to the Portal
  • Choose System Administration -> System Configuration -> UM Configuration -> Direct Editing
  • Set the parameter ume.logoff.redirect.url to a valid URL
  • Restart the J2EE Server


When you open the URL you may get the error message: “The request entity must be less than 4096 The request entity must be less than”. In that case you have to apply SAP Note No. 657759:

  • Start Visual Admin
  • Open Dispatcher -> Services -> HTTP Provider
  • Set MaxRequestHeadersLength to 16384

And now no more login screen when you access the Portal. I wish you happy Single Sign On.

Related SAP Notes

  • 713568 – Troubleshooting IisProxy module
  • 715303 – IIS 6 specific configurations for IisProxy module
  • 706968 – Problems with Windows integrated authentication
  • 629947 – IisProxy: Release notes and known issues
  • 629946 – IisProxy: Manual installation and update
  • 734462 – EP 6.0: HTTP 400 Error when using IIS 6.0 and Portal
  • 886214 – End of Maintenance of IisProxy ISAPI module
  • Microsoft Knowledge Base article 820129
  • Nice blog Gregor, but there are a few more pitfalls you can fall into (which I have done).

    1. Make sure the net logon service is enabled and running in the services
    2. I’ve had some problems where I had to give domain users read access to the ISAPI filter

    It is a good idea to optimize the standard IIS error pages (the 403 and 401 HTTP error pages), as they are by default 4-5 KB. For each authentication process these pages are sent multiple times (do some sniffing and have a look). This is much more important if you are running NTLM, since this requires a re-authentication for each new TCP connection.

    Also, it is a good idea to set the recovery options of your “World Wide Web Publishing Service” and “IIS admin” service (right-click the service and select Properties, then go to the Recovery tab). I usually set them to restart the service or run the IISreset command. And of course you need to monitor if your HTTP servers are up as well as the portal servers.

    • Very useful blog Gregor,
      I’ve noticed 401 errors showing up in the log for
      /irj/servlet/prt/portal/prteventname/Navigate/prtroot/pcd!3aportal_content!2fevery_user!2fgeneral!2fdefaultDesktop!2fframeworkPages!2fframeworkpage! buildTree=false&NavPathUpdate=false&windowId=WID1129557480972
      The subsequent requests get reauthenticated, but I would prefer there are no 401 messages, keep-alive should’ve taken care of that.
  • Hi
    I read in the “SAP Enterprise Portal Security Guide” that there is a constraint for Integrated Windows Authentication to work – “Windows authentication works only from client machines where the IIS is not installed.”

    Is there a way around it, because there are a lot of client machines that have IIS installed?


    • Hello Sriram,

      is there a more detailed explanation why a local IIS causes this problem? Have you asked this question also in the Portal Forum here in SDN? Why do you have so many machines with IIS installed?


      • Hi Gregor:

        I asked the same question in the forum as well @ /thread/16539 [original link is broken]

        Most of the .Net developers have IIS installed on their machines. However, I tested on a client machine that does not have IIS installed. Even there I got the “Enter Network Password” prompt. Once I entered the user id and password for that client machine, it logged me into the portal. It is not automatically logging me into the portal.

        Please advise.

  • There seems to be an issue with the comma-separated list of domains. It seems this option is case-sensitive.

    I found that, regardless of whether a user enters the domain\userid in lowercase or not, the tests are done in upper case.

    Thus if you are sure everything is set up correctly and you get errors in the log file about the domain, change the domain name in the option to upper case.

  • Good blog, however I and some others have come across a problem which we cannot solve.

    IisProxy seemed to work fine, however when we use it we are unable to navigate around the portal. Every page you select returns you to the first page that appeared when you logged on!

    Apart from that it's really clear to understand and follow!

  • Hi,

    SAP EP 6.0 SP14 is installed on a machine with Windows 2003 Server and IIS 6.0. Is it possible to install the IisProxy Module on the same machine?

    Best Regards,

  • Hi Gregor,

    Another question, is it possible to install the IisProxy Module on a machine with ITS?


  • Hi

    I had followed the same path as given in the blog, but I was not able to find the file IISPROXY16_0-10001433.SAR. Instead I found only SAPJ2EE620C_16-10001433.SAR.

    Can you help me in locating the file?


  • Hi,

    I just wanted to implement the integrated Windows authentication for our Portal 6.0 based on J2EE 6.40 Patch 14. But the procedure with IISPROXY is not available anymore. Bad luck.

    Did anybody manage to configure the same with Kerberos based on the online docu ? from

    My environment is purely Microsoft Windows.

    I would appreciate any feedback about the Kerberos implementation.

    Thank you.

  • Hi Gregor,
    This is a very good blog. But I am new to Kerberos implementation with Active Directory. I need some suggestion to implement

    We have an ECC6.0 (ABAP+JAVA), BI+EP (ABAP+JAVA) 7.0 environment which is already integrated SSO Logon ticket. Now we wanted to implement Kerberos authentication so that user should not get portal login credentials. It should login automatically.

    Can you please suggest step by step what can be done at domain controller side and Portal server? Because our client is fully secured, we need to give proper information so that they will create ADS user and Keytab file.

    Thanks in advance,

    • Hello Kristene,

      haven’t you seen the links I’ve provided at the beginning of my blog? They point to blogs here in SDN describing how to configure Kerberos. You can also try to search for blogs regarding Kerberos using the SDN Search.


    • Hello Kristene,

      simple answer: No. You don’t need to configure IIS. The J2EE Server takes complete care about Kerberos authentication.


  • Hi

    I am working on EP 7 SPS 13.
    We use LDAP as user data storage.

    I completed all the steps in Part 1 and 2 of the blog but this thing does not work for me.

    Are there some different steps that I need to perform for having SSO between network and Portal?

    Vineet Vikram

    • Hello Vineet Vikram,

      have you noticed the first paragraph of my blog which mentions that the described authentication method is no longer supported and was replaced by the Kerberos authentication?

      Best regards