Forum Discussion

njseq's avatar
njseq
Icon for Altostratus rankAltostratus
Jul 19, 2019

APM SSO and SAP error no supported WWW-Authenticate header is found

Hello,

We are using APM to publish SAP Portal Access resource and other Web apps in F5 BIG-IP VE.

We configured SSO NTLMV1 for the VS Access Profile

SAP application is not authenticating. It's giving error: Disabled the SSO for this session: no supported WWW-Authenticate header is found;

All other Web apps work fine.

If we change SSO in Access Profile to BASIC, then SAP works but other Web apps don't.

We cannot enforce NTLMV1 for each individual Web app because they inherit the Access Profile SSO.

Creating another VS and another Profile for SAP is not an option because we must use a single Access Profile with all Web Apps including SAP.

 

What can we do to solve this out?

Thanks a lot!

Kind regards,

 

NS

application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
devops

7 Replies

Sort By
  • njseq's avatar
    njseq
    Icon for Altostratus rankAltostratus
    Jul 22, 2019

    Hi Niels,

     

    Thanks for answering.

     

    What happens is that in order for SAP to work we need to configure SSO Basic in the Access Profile, but then the other apps in the Portal Access will not work because they inherit SSO Basic even if I configure a different SSO profile in their resources...

    So my question is to know how can I overcome this?

    Thanks.

    NS

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Jul 22, 2019

    Hi NS,

    Strange. The SSO configured in the Portal Access Resource Items should take precedence over the SSO configured in the Access Policy. You can also select a SSO method by using an iRule. See an example below.

    when HTTP_REQUEST {
    if { [HTTP::host] eq "siteb.example.com" } {
        WEBSSO::select SSO_KERBEROS_TEST
    }
}
  • njseq's avatar
    njseq
    Icon for Altostratus rankAltostratus
    Jul 22, 2019

    Hi Niels,

    Thanks for helping.

    I've used this iRule:

     

    when HTTP_REQUEST {

      if { [HTTP::host] contains "/irj/portal/" } {

        WEBSSO::select sso-basic

      }

    }

     

    The sso-basic is my SSO Profile for HTTP Basic that works for SAP.

     

    I get the same responses, with or without the iRule:

     

    CLIENT

    No Proxy-Authorization Header is present.

    No Authorization Header is present.

     

    SERVER

    No Proxy-Authenticate Header is present.

    www-authenticate Header is present: Negotiate

    www-authenticate Header is present: Negotiate

     

    What can be wrong?

    Thanks.

    NS

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Jul 22, 2019

    The webserver seems to indicate that it expects Kerberos authentication, since it is sending the www-authenticate: negotiate http header. Try to configure it with Kerberos SSO.

  • njseq's avatar
    njseq
    Icon for Altostratus rankAltostratus
    Jul 22, 2019

    Hi Niels,

     

    It worked for this iRule (I changed it a bit).

    when HTTP_REQUEST {

      if { [HTTP::uri] contains "irj" } {

        WEBSSO::select sso-basic

      }

    }

     

    So it finds "irj" which is SAP Netweaver URL in Portal and applies the SSO HTTP Basic profile I've created.

    The Access Profile is configured for NTLMV1 and all other web apps open through this SSO.

     

    Thanks.

    NS