Since December 2009 Single Sign-On has blighted us. We have had inconsistent problems: some users could close their browser and hop straight back into an authenticated portal, whereas others have simply had no luck and been pestered for credentials at each and every attempt.
I have completed EP100 and EP200 at SAP’s excellent Heathrow base, and I must admit I was initially critical of EP200’s use: a week-long course that, to be fair to the instructor, was blighted by some pretty basic issues with the equipment being used! During EP200 I was introduced to Kerberos, and I must admit I maybe didn’t take as much notice as I should have (I had no idea at that stage that the problems facing us were going to be all Kerberos).
I was tasked at the start of 2012 to fix our corporate SSO woes. Great. I wish I had listened in EP200…
I started off full of confidence:
- checked the certificate store – tick
- checked my client machine for integrated authentication – tick
- checked my trusted sites list – tick

At which point my enthusiasm waned and I ran out of ideas!
I found Holger Bruchelt and his FANTASTIC SPNego blog. To say this blog saved my life (and reputation!) is an understatement.
Using this I completely took apart every element of our configuration and rebuilt it in our QA environment. Armed with that, a decent client-side HTTP trace and the SAP trace collector, I was then able to compare the two configurations and run traces on both the client and the server.
I quickly established that the problem was not in the configuration of our portal but in the issuing of Kerberos tickets by our DCs. I could see the tell-tale TlRM (NTLM) issue in the client-side HTTP trace. This in itself caused a headache, as I had already checked out the usual suspects:
- SPN was correct
- Client was using correct IE settings
- Java version was correct
- DES encryption was enabled on the portal user
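The "TlRM" tell-tale mentioned above is the base64 prefix of an NTLMSSP token (the bytes "NTLMSSP\0") sitting where a Kerberos token should be in the Negotiate header. The script below, an added example and not part of the original post or of Holger Bruchelt's blog, decodes Authorization/WWW-Authenticate header lines from a client HTTP trace and reports whether each token is raw NTLM, a SPNEGO token whose preferred mechanism is Kerberos, or a SPNEGO token where the client could only offer NTLMSSP (which means it never obtained a ticket). It goes a little beyond the single "TlRM" check by walking the SPNEGO mechType list. The trace lines at the bottom are constructed in the code itself (the tokens are built from standard mechanism OIDs with a placeholder mechToken), not captured from any real portal.

```python
import base64
import binascii
import re

# DER-encoded mechanism OIDs that appear in Negotiate tokens (standard values).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos",
              OID_MSKRB5: "MS-Kerberos", OID_NTLMSSP: "NTLMSSP"}
KERBEROS_MECHS = ("Kerberos", "MS-Kerberos")
AUTH_RE = re.compile(r"^(Authorization|WWW-Authenticate):\s*(Negotiate|NTLM)\s*(\S*)", re.I)


def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _walk_oids(buf, start, end, out):
    """Collect OIDs, descending into constructed elements only, so OIDs inside
    OCTET STRINGs (the inner mechToken) are not picked up."""
    pos = start
    while pos < end:
        tag = buf[pos]
        length, pos = _der_length(buf, pos + 1)
        if tag == 0x06:
            out.append(buf[pos:pos + length])
        elif tag & 0x20:
            _walk_oids(buf, pos, pos + length, out)
        pos += length


def classify_token(raw):
    """Say what a decoded Authorization/WWW-Authenticate token really carries."""
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"NTLM (raw NTLMSSP message type {msg_type}): Kerberos was not used"
    if raw[:1] != b"\x60":  # GSS-API InitialContextToken starts with APPLICATION 0
        return "unrecognised token"
    try:
        length, pos = _der_length(raw, 1)
        if pos + length > len(raw):
            return f"truncated GSS-API token ({len(raw)} of {pos + length} bytes captured)"
        oids = []
        _walk_oids(raw, 0, len(raw), oids)
    except IndexError:
        return "malformed GSS-API token"
    names = [MECH_NAMES.get(o, "unknown-oid") for o in oids]
    if not names or names[0] != "SPNEGO":
        return "GSS-API token, mechanism " + (names[0] if names else "unknown")
    offered = names[1:]
    if not offered:
        return "SPNEGO token with no mechanism list"
    if offered[0] in KERBEROS_MECHS:
        return f"SPNEGO with Kerberos as preferred mechanism (offered: {', '.join(offered)})"
    return (f"SPNEGO with {offered[0]} as preferred mechanism (offered: {', '.join(offered)}): "
            "client had no Kerberos ticket")


def classify_header(line):
    """Parse one header line; return (header, verdict) or None if it is not an auth header."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    header, b64 = m.group(1), m.group(3)
    if not b64:
        return header, "server challenge (no token)"
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except binascii.Error:
        return header, "token is not valid base64 (trace cut short?)"
    return header, classify_token(raw)


def classify_trace(lines):
    """Return [(line_no, header, verdict)] for every auth header in the trace."""
    results = []
    for n, line in enumerate(lines, 1):
        hit = classify_header(line)
        if hit:
            results.append((n, hit[0], hit[1]))
    return results


# --- constructed sample tokens (not captured from any real system) ---
def _tlv(tag, content):
    """Minimal DER encoder used only to build the sample tokens."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _spnego_init(mechs):
    """NegTokenInit with the given mechTypes and a placeholder mechToken."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, m) for m in mechs))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, bytes(8))))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, neg_init))


_NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(24)
SAMPLE_TRACE = [
    "GET /irj/portal HTTP/1.1",
    "WWW-Authenticate: Negotiate",
    "Authorization: Negotiate " + base64.b64encode(_NTLM_TYPE1).decode(),
    "Authorization: Negotiate " + base64.b64encode(_spnego_init([OID_MSKRB5, OID_KRB5, OID_NTLMSSP])).decode(),
    "Authorization: Negotiate " + base64.b64encode(_spnego_init([OID_NTLMSSP])).decode(),
    "Authorization: Negotiate " + base64.b64encode(_spnego_init([OID_KRB5])).decode()[:20],
]

if __name__ == "__main__":
    for n, header, verdict in classify_trace(SAMPLE_TRACE):
        print(f"line {n:2d} {header}: {verdict}")
```

Feed it the header lines from a real client-side trace and the "preferred mechanism" verdict tells you at once whether the client ever held a ticket: a Negotiate token that leads with NTLMSSP (or a raw "TlRM…" token) means the failure is on the ticket-issuing side, exactly the DC problem described in this post, not in the portal configuration.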
Turning off DES on the AD user amazingly then started producing Kerberos tickets – Kerbtray was looking great, but still no SSO!!
How about if we have a mix of OS levels on our DCs? Across our range of six DCs we had two OS levels, 2003 and 2008 R2. OK, DES isn’t recognised as secure any more, so DES is turned off in 2008 and R2… Turn it on… no SSO. B*****R.
OK, the DC is configured, the portal is configured, AD is configured – what else can be wrong?
Well, the usual lame question from every ICT support desk in the world: is it turned on?
So if all else fails, make sure your realm is enabled!!!!!!!!!!!!