Forum Discussion
njseq
Altostratus
AltostratusAPM SSO and SAP error no supported WWW-Authenticate header is found
Hello,
We are using APM to publish SAP Portal Access resource and other Web apps in F5 BIG-IP VE.
We configured SSO NTLMV1 for the VS Access Profile
SAP application is not authenticating. It's giving error: Disabled the SSO for this session: no supported WWW-Authenticate header is found;
All other Web apps work fine.
If we change SSO in Access Profile to BASIC, then SAP works but other Web apps don't.
We cannot enforce NTLMV1 for each individual Web app because they inherit the Access Profile SSO.
Creating another VS and another Profile for SAP is not an option because we must use a single Access Profile with all Web Apps including SAP.
What can we do to solve this out?
Thanks a lot!
Kind regards,
NS
The SSO profile in the Access Profile is more or less the default SSO method when no other SSO profile is configured at another level. With Portal Access you can configure a SSO profile per portal. You can set this at the Portal Access Resource Items. See:
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-portal-access-11-6-0/2.html
njseqHi Niels,
Thanks for answering.
What happens is that in order for SAP to work we need to configure SSO Basic in the Access Profile, but then the other apps in the Portal Access will not work because they inherit SSO Basic even if I configure a different SSO profile in their resources...
So my question is to know how can I overcome this?
Thanks.
NS
Hi NS,
Strange. The SSO configured in the Portal Access Resource Items should take precedence over the SSO configured in the Access Policy. You can also select a SSO method by using an iRule. See an example below.
when HTTP_REQUEST { if { [HTTP::host] eq "siteb.example.com" } { WEBSSO::select SSO_KERBEROS_TEST } }- njseq
Hi Niels,
Thanks for helping.
I've used this iRule:
when HTTP_REQUEST {
if { [HTTP::host] contains "/irj/portal/" } {
WEBSSO::select sso-basic
}
}
The sso-basic is my SSO Profile for HTTP Basic that works for SAP.
I get the same responses, with or without the iRule:
CLIENT
No Proxy-Authorization Header is present.
No Authorization Header is present.
SERVER
No Proxy-Authenticate Header is present.
www-authenticate Header is present: Negotiate
www-authenticate Header is present: Negotiate
What can be wrong?
Thanks.
NS
The webserver seems to indicate that it expects Kerberos authentication, since it is sending the www-authenticate: negotiate http header. Try to configure it with Kerberos SSO.
- njseq
Hi Niels,
It worked for this iRule (I changed it a bit).
when HTTP_REQUEST {
if { [HTTP::uri] contains "irj" } {
WEBSSO::select sso-basic
}
}
So it finds "irj" which is SAP Netweaver URL in Portal and applies the SSO HTTP Basic profile I've created.
The Access Profile is configured for NTLMV1 and all other web apps open through this SSO.
Thanks.
NS
Hi NS,
Good to hear it is working now.
Kind regards,
Niels
