"arduk" <arduk@nospam.nospam> wrote in message
news:874CD6F9-0684-4464-90B3-D05F04FD8E87@microsoft.com...
>I have implemented Single Sign On (SSO) between windows and SAP Enterprise
> Portal (EP) - so if a user is logged into windows, they can go to our EP
> site, and EP knows who they are, and applies permissions appropriately.
>
> I have pretty much got this working, however I have run into a couple of
> things which I can't really explain, and would be interested in hearing
> why
> it might be occurring:
>
> 1. If you open a browser, and then type in the address of the portal, the
> single sign on works fine
> 2. If you have a browser window open (on any page) and then click a link
> (eg
> in an email) that takes you to the portal, the SSO works fine
> 3. If you close all of your browser windows, and then click a link (eg in
> an
> email) that takes you to the portal, then the user is prompted to enter
> their
> username and password (this is a windows style login box). After they have
> entered their username and password, they are taken straight into the
> portal
> (ie no portal login box)
> 4. If you add the portal site address to either "trusted sites" or "local
> intranet" (in IE, this is in Tools->Internet Options->, then do point 3
> above, you are not prompted to login. (if you go to the portal address, it
> comes up as being in the local intranet anyway, so am not sure what this
> actually achieves)
>
> Point 3 is the issue that I don't understand - why are you prompted to
> login? And what is the difference if you have a browser open or add the
> site
> to "local intranet"?
>
> If anyone could help me out on this it would be greatly appreciated!
>

"Ken Schaefer" wrote:

> I think this KB article will answer your question:
> http://support.microsoft.com/?id=258063
>
> Basically, IE uses those security zones to work out whether to send
> credentials to a server without prompting the user. Additionally, sites that
> are netbios style names (i.e. http://servername) are by default, in the
> Intranet zone. Check the KB article for more details.
>
> Cheers
> Ken
>
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>
> "arduk" <arduk@nospam.nospam> wrote in message
> news:874CD6F9-0684-4464-90B3-D05F04FD8E87@microsoft.com...
> >I have implemented Single Sign On (SSO) between windows and SAP Enterprise
> > Portal (EP) - so if a user is logged into windows, they can go to our EP
> > site, and EP knows who they are, and applies permissions appropriately.
> >
> > I have pretty much got this working, however I have run into a couple of
> > things which I can't really explain, and would be interested in hearing
> > why
> > it might be occurring:
> >
> > 1. If you open a browser, and then type in the address of the portal, the
> > single sign on works fine
> > 2. If you have a browser window open (on any page) and then click a link
> > (eg
> > in an email) that takes you to the portal, the SSO works fine
> > 3. If you close all of your browser windows, and then click a link (eg in
> > an
> > email) that takes you to the portal, then the user is prompted to enter
> > their
> > username and password (this is a windows style login box). After they have
> > entered their username and password, they are taken straight into the
> > portal
> > (ie no portal login box)
> > 4. If you add the portal site address to either "trusted sites" or "local
> > intranet" (in IE, this is in Tools->Internet Options->, then do point 3
> > above, you are not prompted to login. (if you go to the portal address, it
> > comes up as being in the local intranet anyway, so am not sure what this
> > actually achieves)
> >
> > Point 3 is the issue that I don't understand - why are you prompted to
> > login? And what is the difference if you have a browser open or add the
> > site
> > to "local intranet"?
> >
> > If anyone could help me out on this it would be greatly appreciated!
> >
>
>

"arduk" <arduk@nospam.nospam> wrote in message
news:63DCB301-6415-4A6A-8858-9077EDB7688F@microsoft.com...
> Hi Ken, thanks very much for your response!
>
> That sounds like it explains the problem, the only question that is left
> unanwered is why you are not prompted if you already have a browser open
> (point 2 in my original post). If you have any ideas on that, I would love
> to
> hear them.
>
> Thanks again for your prompt and helpful reply!
>
>
>
> "Ken Schaefer" wrote:
>
>> I think this KB article will answer your question:
>> http://support.microsoft.com/?id=258063
>>
>> Basically, IE uses those security zones to work out whether to send
>> credentials to a server without prompting the user. Additionally, sites
>> that
>> are netbios style names (i.e. http://servername) are by default, in the
>> Intranet zone. Check the KB article for more details.
>>
>> Cheers
>> Ken
>>
>> --
>> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>>
>> "arduk" <arduk@nospam.nospam> wrote in message
>> news:874CD6F9-0684-4464-90B3-D05F04FD8E87@microsoft.com...
>> >I have implemented Single Sign On (SSO) between windows and SAP
>> >Enterprise
>> > Portal (EP) - so if a user is logged into windows, they can go to our
>> > EP
>> > site, and EP knows who they are, and applies permissions appropriately.
>> >
>> > I have pretty much got this working, however I have run into a couple
>> > of
>> > things which I can't really explain, and would be interested in hearing
>> > why
>> > it might be occurring:
>> >
>> > 1. If you open a browser, and then type in the address of the portal,
>> > the
>> > single sign on works fine
>> > 2. If you have a browser window open (on any page) and then click a
>> > link
>> > (eg
>> > in an email) that takes you to the portal, the SSO works fine
>> > 3. If you close all of your browser windows, and then click a link (eg
>> > in
>> > an
>> > email) that takes you to the portal, then the user is prompted to enter
>> > their
>> > username and password (this is a windows style login box). After they
>> > have
>> > entered their username and password, they are taken straight into the
>> > portal
>> > (ie no portal login box)
>> > 4. If you add the portal site address to either "trusted sites" or
>> > "local
>> > intranet" (in IE, this is in Tools->Internet Options->, then do point 3
>> > above, you are not prompted to login. (if you go to the portal address,
>> > it
>> > comes up as being in the local intranet anyway, so am not sure what
>> > this
>> > actually achieves)
>> >
>> > Point 3 is the issue that I don't understand - why are you prompted to
>> > login? And what is the difference if you have a browser open or add the
>> > site
>> > to "local intranet"?
>> >
>> > If anyone could help me out on this it would be greatly appreciated!
>> >
>>
>>

"Ken Schaefer" wrote:

> Has the user ever visited the SSO page or portal prior to clicking the link
> etc? IE will continue sending the user's credentials until either:
> a) the browser window is closed
> or
> b) the server sends back 401 (Not Authorized)
>
> So, if the user has ever authenticated to this resource earlier in the
> session, they would not nee to authenticate again if re-using the same IE
> process (iexplore.exe)
>
> Cheers
> Ken
>
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>
> "arduk" <arduk@nospam.nospam> wrote in message
> news:63DCB301-6415-4A6A-8858-9077EDB7688F@microsoft.com...
> > Hi Ken, thanks very much for your response!
> >
> > That sounds like it explains the problem, the only question that is left
> > unanwered is why you are not prompted if you already have a browser open
> > (point 2 in my original post). If you have any ideas on that, I would love
> > to
> > hear them.
> >
> > Thanks again for your prompt and helpful reply!
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> I think this KB article will answer your question:
> >> http://support.microsoft.com/?id=258063
> >>
> >> Basically, IE uses those security zones to work out whether to send
> >> credentials to a server without prompting the user. Additionally, sites
> >> that
> >> are netbios style names (i.e. http://servername) are by default, in the
> >> Intranet zone. Check the KB article for more details.
> >>
> >> Cheers
> >> Ken
> >>
> >> --
> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
> >>
> >> "arduk" <arduk@nospam.nospam> wrote in message
> >> news:874CD6F9-0684-4464-90B3-D05F04FD8E87@microsoft.com...
> >> >I have implemented Single Sign On (SSO) between windows and SAP
> >> >Enterprise
> >> > Portal (EP) - so if a user is logged into windows, they can go to our
> >> > EP
> >> > site, and EP knows who they are, and applies permissions appropriately.
> >> >
> >> > I have pretty much got this working, however I have run into a couple
> >> > of
> >> > things which I can't really explain, and would be interested in hearing
> >> > why
> >> > it might be occurring:
> >> >
> >> > 1. If you open a browser, and then type in the address of the portal,
> >> > the
> >> > single sign on works fine
> >> > 2. If you have a browser window open (on any page) and then click a
> >> > link
> >> > (eg
> >> > in an email) that takes you to the portal, the SSO works fine
> >> > 3. If you close all of your browser windows, and then click a link (eg
> >> > in
> >> > an
> >> > email) that takes you to the portal, then the user is prompted to enter
> >> > their
> >> > username and password (this is a windows style login box). After they
> >> > have
> >> > entered their username and password, they are taken straight into the
> >> > portal
> >> > (ie no portal login box)
> >> > 4. If you add the portal site address to either "trusted sites" or
> >> > "local
> >> > intranet" (in IE, this is in Tools->Internet Options->, then do point 3
> >> > above, you are not prompted to login. (if you go to the portal address,
> >> > it
> >> > comes up as being in the local intranet anyway, so am not sure what
> >> > this
> >> > actually achieves)
> >> >
> >> > Point 3 is the issue that I don't understand - why are you prompted to
> >> > login? And what is the difference if you have a browser open or add the
> >> > site
> >> > to "local intranet"?
> >> >
> >> > If anyone could help me out on this it would be greatly appreciated!
> >> >
> >>
> >>
>
>

"arduk" <arduk@nospam.nospam> wrote in message
news:845D76FC-FB7C-471E-BBBE-AB9D8B6CCBB2@microsoft.com...
> Sadly it isn't that simple - the user hasn't visited the site - they could
> open up a browser straight to google, and then if they click a link in an
> email that takes them to the portal, they will not be challenged.
>
>
> "Ken Schaefer" wrote:
>
>> Has the user ever visited the SSO page or portal prior to clicking the
>> link
>> etc? IE will continue sending the user's credentials until either:
>> a) the browser window is closed
>> or
>> b) the server sends back 401 (Not Authorized)
>>
>> So, if the user has ever authenticated to this resource earlier in the
>> session, they would not nee to authenticate again if re-using the same IE
>> process (iexplore.exe)
>>
>> Cheers
>> Ken
>>
>> --
>> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>>
>> "arduk" <arduk@nospam.nospam> wrote in message
>> news:63DCB301-6415-4A6A-8858-9077EDB7688F@microsoft.com...
>> > Hi Ken, thanks very much for your response!
>> >
>> > That sounds like it explains the problem, the only question that is
>> > left
>> > unanwered is why you are not prompted if you already have a browser
>> > open
>> > (point 2 in my original post). If you have any ideas on that, I would
>> > love
>> > to
>> > hear them.
>> >
>> > Thanks again for your prompt and helpful reply!
>> >
>> >
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> I think this KB article will answer your question:
>> >> http://support.microsoft.com/?id=258063
>> >>
>> >> Basically, IE uses those security zones to work out whether to send
>> >> credentials to a server without prompting the user. Additionally,
>> >> sites
>> >> that
>> >> are netbios style names (i.e. http://servername) are by default, in
>> >> the
>> >> Intranet zone. Check the KB article for more details.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >> --
>> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>> >>
>> >> "arduk" <arduk@nospam.nospam> wrote in message
>> >> news:874CD6F9-0684-4464-90B3-D05F04FD8E87@microsoft.com...
>> >> >I have implemented Single Sign On (SSO) between windows and SAP
>> >> >Enterprise
>> >> > Portal (EP) - so if a user is logged into windows, they can go to
>> >> > our
>> >> > EP
>> >> > site, and EP knows who they are, and applies permissions
>> >> > appropriately.
>> >> >
>> >> > I have pretty much got this working, however I have run into a
>> >> > couple
>> >> > of
>> >> > things which I can't really explain, and would be interested in
>> >> > hearing
>> >> > why
>> >> > it might be occurring:
>> >> >
>> >> > 1. If you open a browser, and then type in the address of the
>> >> > portal,
>> >> > the
>> >> > single sign on works fine
>> >> > 2. If you have a browser window open (on any page) and then click a
>> >> > link
>> >> > (eg
>> >> > in an email) that takes you to the portal, the SSO works fine
>> >> > 3. If you close all of your browser windows, and then click a link
>> >> > (eg
>> >> > in
>> >> > an
>> >> > email) that takes you to the portal, then the user is prompted to
>> >> > enter
>> >> > their
>> >> > username and password (this is a windows style login box). After
>> >> > they
>> >> > have
>> >> > entered their username and password, they are taken straight into
>> >> > the
>> >> > portal
>> >> > (ie no portal login box)
>> >> > 4. If you add the portal site address to either "trusted sites" or
>> >> > "local
>> >> > intranet" (in IE, this is in Tools->Internet Options->, then do
>> >> > point 3
>> >> > above, you are not prompted to login. (if you go to the portal
>> >> > address,
>> >> > it
>> >> > comes up as being in the local intranet anyway, so am not sure what
>> >> > this
>> >> > actually achieves)
>> >> >
>> >> > Point 3 is the issue that I don't understand - why are you prompted
>> >> > to
>> >> > login? And what is the difference if you have a browser open or add
>> >> > the
>> >> > site
>> >> > to "local intranet"?
>> >> >
>> >> > If anyone could help me out on this it would be greatly appreciated!
>> >> >
>> >>
>> >>
>>
>>

"Ken Schaefer" wrote:

> You will need to get a packet capture or similar to be 100% sure of what is
> happening here. At the same time, verify what security zone IE thinks it is
> in.
>
> Cheers
> Ken
>
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>
> "arduk" <arduk@nospam.nospam> wrote in message
> news:845D76FC-FB7C-471E-BBBE-AB9D8B6CCBB2@microsoft.com...
> > Sadly it isn't that simple - the user hasn't visited the site - they could
> > open up a browser straight to google, and then if they click a link in an
> > email that takes them to the portal, they will not be challenged.
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> Has the user ever visited the SSO page or portal prior to clicking the
> >> link
> >> etc? IE will continue sending the user's credentials until either:
> >> a) the browser window is closed
> >> or
> >> b) the server sends back 401 (Not Authorized)
> >>
> >> So, if the user has ever authenticated to this resource earlier in the
> >> session, they would not nee to authenticate again if re-using the same IE
> >> process (iexplore.exe)
> >>
> >> Cheers
> >> Ken
> >>
> >> --
> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
> >>
> >> "arduk" <arduk@nospam.nospam> wrote in message
> >> news:63DCB301-6415-4A6A-8858-9077EDB7688F@microsoft.com...
> >> > Hi Ken, thanks very much for your response!
> >> >
> >> > That sounds like it explains the problem, the only question that is
> >> > left
> >> > unanwered is why you are not prompted if you already have a browser
> >> > open
> >> > (point 2 in my original post). If you have any ideas on that, I would
> >> > love
> >> > to
> >> > hear them.
> >> >
> >> > Thanks again for your prompt and helpful reply!
> >> >
> >> >
> >> >
> >> > "Ken Schaefer" wrote:
> >> >
> >> >> I think this KB article will answer your question:
> >> >> http://support.microsoft.com/?id=258063
> >> >>
> >> >> Basically, IE uses those security zones to work out whether to send
> >> >> credentials to a server without prompting the user. Additionally,
> >> >> sites
> >> >> that
> >> >> are netbios style names (i.e. http://servername) are by default, in
> >> >> the
> >> >> Intranet zone. Check the KB article for more details.
> >> >>
> >> >> Cheers
> >> >> Ken
> >> >>
> >> >> --
> >> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
> >> >>
> >> >> "arduk" <arduk@nospam.nospam> wrote in message
> >> >> news:874CD6F9-0684-4464-90B3-D05F04FD8E87@microsoft.com...
> >> >> >I have implemented Single Sign On (SSO) between windows and SAP
> >> >> >Enterprise
> >> >> > Portal (EP) - so if a user is logged into windows, they can go to
> >> >> > our
> >> >> > EP
> >> >> > site, and EP knows who they are, and applies permissions
> >> >> > appropriately.
> >> >> >
> >> >> > I have pretty much got this working, however I have run into a
> >> >> > couple
> >> >> > of
> >> >> > things which I can't really explain, and would be interested in
> >> >> > hearing
> >> >> > why
> >> >> > it might be occurring:
> >> >> >
> >> >> > 1. If you open a browser, and then type in the address of the
> >> >> > portal,
> >> >> > the
> >> >> > single sign on works fine
> >> >> > 2. If you have a browser window open (on any page) and then click a
> >> >> > link
> >> >> > (eg
> >> >> > in an email) that takes you to the portal, the SSO works fine
> >> >> > 3. If you close all of your browser windows, and then click a link
> >> >> > (eg
> >> >> > in
> >> >> > an
> >> >> > email) that takes you to the portal, then the user is prompted to
> >> >> > enter
> >> >> > their
> >> >> > username and password (this is a windows style login box). After
> >> >> > they
> >> >> > have
> >> >> > entered their username and password, they are taken straight into
> >> >> > the
> >> >> > portal
> >> >> > (ie no portal login box)
> >> >> > 4. If you add the portal site address to either "trusted sites" or
> >> >> > "local
> >> >> > intranet" (in IE, this is in Tools->Internet Options->, then do
> >> >> > point 3
> >> >> > above, you are not prompted to login. (if you go to the portal
> >> >> > address,
> >> >> > it
> >> >> > comes up as being in the local intranet anyway, so am not sure what
> >> >> > this
> >> >> > actually achieves)
> >> >> >
> >> >> > Point 3 is the issue that I don't understand - why are you prompted
> >> >> > to
> >> >> > login? And what is the difference if you have a browser open or add
> >> >> > the
> >> >> > site
> >> >> > to "local intranet"?
> >> >> >
> >> >> > If anyone could help me out on this it would be greatly appreciated!
> >> >> >
> >> >>
> >> >>
> >>
> >>
>
>

> Hi Arduk,
>
> According to your discussion with Ken, it looks like the issue is regarding
> to unexpected behavior of IE authentication. Below are some thoughts of
> mine:
>
> 1. We can gather and review IIS log to determine if there is some actual
> difference when IE prompts for login(without opening a browser window
> first) and not(with a window opening). To do this:
>
> 1) Reproduce the popup behavior without opening a browser window first.
> Then wait for several minutes(to make sure the records are written into the
> log file) and collect the lastest log files in \System32\LogFiles\W3SVC[n]\
> directory (n here is the Site ID which can be viewed in the right panel by
> clicking Web Sites folder in IIS).
>
> 2) Gather log again with a IE window opened(no login popup) as the same
> steps.
>
> 2. To narrow down if the issue is specific to the client machine and IE,
> please test with some other machines. If other client doesn't encounter the
> bahavior, we can confirm this is not an IIS server-side issue.
>
> I look forward to your update.
>
> Have a nice day.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

> Hi,
>
> As I know, IIS is the only web server which supports Kerberos auth... To
> confirm, you can use WebFetch to capture a trace to confirm.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/default.aspx?scid=kb;en-us;284285
>
> To use, please input:
>
> Host: (The site's domainname/hostheader or servername or just IP address)
> Port: (The site's port number if it isn't using the default 80)
> Path: (The relative path of your page.)
> Auth: (Select Kerberos, specify proper user credential)
>
> Press Go! to issue a http request to the server and check what response is
> returned. I think the trace should slow us with the details. Please paste
> the whole log data here.
>
> I'll wait for your update.
>
> Have a nice weekend.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

> Hi,
>
> According to the trace, the Kerberos auth works smoothly. So the
> server-side configuration should be fine. The issue looks purely on IE
> client side. Could you please check if all the settings are identical on
> your IE client per the following doc?
>
> Accessing J2EE Engine with Kerberos Authentication
> http://help.sap.com/saphelp_nw04/helpdata/en/43/49a2aefd975f89e10000000a1553
> f6/content.htm
>
> Have a nice week.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>