There are ways to sync the AD server with the KDC, so in effect they are
separate but equal.
On Aug 20, 2016 12:14 PM, "Darren Terry" wrote:
List,
I am currently working on a project where I am required to integrate a
Windows 2012R2 domain with an existing Kerberos
List,
I am currently working on a project where I am required to integrate a
Windows 2012R2 domain with an existing Kerberos realm. The domain has not
been built yet so I have the luxury of having no technical debt to deal
with, I get a fresh start on the Windows side. Does anyone have experience
Hello,
We are the end users of Kerberos for the SSO and majorly we are using it with
SAP systems.
Issue we are having is that SSO fails when we use the Timezone redirection
feature of windows while using RDP,
It happens when time-zone of the remote user is equal to or greater than 10
hours
Hello Kerberos Community.
At the organisation where I work we are trying to achieve SSO
authentication using Kerberos mechanism on the following setup:
- physical load-balancer (machine1) receiving incoming http sessions,
but redirecting the traffic to a WebLogic Server (machine2
I am working on enabling Kerberos based SSO (with PKI used for initial
authentication) in our test environment.
Domain controller is windows server 2008 R2, Access resources are few web
applications hosted on (IIS of a server 2008 R2 machine) and Resource client
is windows 7 machine, in which
Hello
A client of mine asked me how it can be complex if not impossible to find a
WORKING HPC web Job Scheduler
(http://en.wikipedia.org/wiki/Job_scheduler) that
supports transparent SSO in a mixed windows / linux env with an AD as domain
controller (KERBEROS master KDC ). This web HPC job
We are having problems getting SSO to work to SAP systems running on RHEL 6.3.
We have a number of systems running on RHEL 5.8, and SSO is working without any
problems, but it is failing for some reason with the systems on the RHEL 6.3
systems.
The server and library information
Hello!
I have windows 2008R2 with AD and few Linux servers.
I've installed debian squeeze on one of the servers and next integrated
it with domain (kerberos, winbind, samba etc) with test PDC.
As the SSO with putty was working fine, the system has been cloned to
remaining machines.
Next
On 10/11/2012 3:44 PM, Jarek wrote:
Hello!
I have windows 2008R2 with AD and few Linux servers.
I've installed debian squeeze on one of the servers and next integrated
it with domain (kerberos, winbind, samba etc) with test PDC.
As the SSO with putty was working fine, the system has
Hi,
We are planning to configure SAP SSO (Kerberos) on UNIX servers. All SAP
Servers are running on Solaris and Linux. Can you please provide the
architecture, procedure and process we need to follow to setup this ? So
that I will discuss with customer.
Please share links for reference
[mailto:kerberos-boun...@mit.edu] On behalf of
Sekhar kota Sent: Thursday 26 July 2012 10:18 To: kerberos@mit.edu Subject:
SAP SSO Setup on UNIX Solaris and Linux
Hi,
We are planning to configure SAP SSO (Kerberos) on UNIX servers. All SAP
Servers are running on Solaris and Linux. Can you please
Or maybe you can take a look at http://sap.cybersafe.com
Thanks,
Tim
-Original Message-
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of
Sylvain Cortes
Sent: 26 July 2012 18:07
To: Sekhar kota; kerberos@mit.edu
Subject: RE: SAP SSO Setup on UNIX Solaris
with the same openldap backend. Many things works as expected :
* The windows clients can join samba domain (auth/share)
* The linux hosts can use kerberos and samba (auth/share)
* The user database is unique
Now we wonder about SSO. It works fine with kerberos clients on linux
(tried
Hello everybody
I create Service Account
setspn -a BOSSO/TESTVM2.MTRC.NET bo
I grant delegation trust for tesvm2 machine and service account
but I still get the error on client machine
please help :)
Account Information Not Recognized: An error has occurred propagating the
security context
November 2010 21:11
To: SANDERS Miguel; kerberos@mit.edu
Subject: RE: SSO Linux -- AD using GSSAPI
Yes I have that checked, no other changes made to PuTTY.
# tail -f /var/log/secure | grep credentials Nov 26 12:08:33 bilbo-rh5
sshd[19970]: debug1: Got no client credentials Nov 26 12:08:33
.
-Original Message-
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of
Douglas E. Engert
Sent: November-29-10 7:29 AM
To: kerberos@mit.edu
Subject: Re: SSO Linux -- AD using GSSAPI
On 11/26/2010 2:13 PM, SANDERS Miguel wrote:
Hmm, what value do you have
[mailto:miguel.sand...@arcelormittal.com]
Sent: November-26-10 12:05 PM
To: Carter, Joel; kerberos@mit.edu
Subject: RE: SSO Linux -- AD using GSSAPI
Did you check the Delegate credentials in PuTTY? (Connection - SSH -
GSSAPI)
Met vriendelijke groet
Best regards
Bien à vous
Miguel SANDERS
November 2010 21:11
To: SANDERS Miguel; kerberos@mit.edu
Subject: RE: SSO Linux -- AD using GSSAPI
Yes I have that checked, no other changes made to PuTTY.
# tail -f /var/log/secure | grep credentials Nov 26 12:08:33 bilbo-rh5
sshd[19970]: debug1: Got no client credentials Nov 26 12:08:33 bilbo-rh5
: November-26-10 12:13 PM
To: Carter, Joel; kerberos@mit.edu
Subject: RE: SSO Linux -- AD using GSSAPI
Hmm, what value do you have for the RealmFlags in the registry ?
http://technet.microsoft.com/en-us/library/cc736698%28WS.10%29.aspx
Met vriendelijke groet
Best regards
Bien à vous
Miguel
-Original message-
From: Carter, Joel [mailto:jo...@trailerwizards.com]
Sent: Friday 26 November 2010 21:20
To: SANDERS Miguel; kerberos@mit.edu
Subject: RE: SSO Linux -- AD using GSSAPI
Thank you for your help.
HKEY_LOCAL_MACHINE\SYSTEM
Message-
From: SANDERS Miguel [mailto:miguel.sand...@arcelormittal.com]
Sent: November-26-10 12:27 PM
To: Carter, Joel; kerberos@mit.edu
Subject: RE: SSO Linux -- AD using GSSAPI
If you have the proper kerberos SRV records, just create a key under domains
(LOCAL.CA) and set RealmFlags to 6 (4
have been working to implement an SSO product across my enterprise. The
product works by configuring browsers to read the Kerberos ticket information
from the local machine and forward the information inside of the ticket to my
SSO web service for verification.
I can accomplish this on all my
Hi All,
I am busy with SSO and I am using the red book of IBM.
At the moment I do kinit I get the following message can anyone help me?
I am struggling for weeks with this.
Help please
kinit -k krbsvr400/cbsys01.cbvs.lo...@cbdks01.cbvs.local
Message 0x96c73a44 not found in catalog
@mit.edu'
Subject: Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic
Server 8.1.
First of all, a quick description of our issue. We've tried many different
things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates
using Kerberos. We received several errors
First of all, a quick description of our issue. We've tried many different
things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates
using Kerberos. We received several errors while trying to debug, here's the
one we see most:
KDC has no support for encryption type (14)
to Russ) for clarifying this.
My goal when doing SSO for web applications is that I don't trust the
web applications so much not to reveal the user's credentials.
Your choices are based on necessity, not trust. If the web application
needs delegated credentials (e.g. to authenticate as the user
always be very cautious in delegating,
as a delegated TGT is usually as good as the one you get with login or kinit.
SSH has the ssh_config GSSAPIDelegateCredentials yes to control delegation.
My goal when doing SSO for web applications is that I don't trust the
web applications so much
Michael B Allen [EMAIL PROTECTED] writes:
If you read the whole thread you'd know I'm only talking about the
*IntrAnet* scenario. With SPNEGO you do not type in a passwords at all
whereas with WebAuth you might need to.
You're making a bogus comparison. If you don't have to type in passwords
Michael Ströder [EMAIL PROTECTED] writes:
Russ Allbery wrote:
(If you use Firefox, you don't have to actually be a member of the
domain; you can use a different mechanism for getting Kerberos tickets,
such as NIM.)
What is NIM?
Network Identity Manager, although properly speaking the bit
is that all
of this configuration, and fallback, is handled at a single location
which greatly simplifies management, both of services (which only
need to know how to talk to your Web SSO system), and clients (which
only need to be set up to do SPNEGO with your Web SSO login host, if
at all
complicates
your trust model.
The advantage of a WebSSO system like Cosign or WebAuth is that all
of this configuration, and fallback, is handled at a single location
which greatly simplifies management, both of services (which only
need to know how to talk to your Web SSO system), and clients
to their requirement for redirects. For us, this was a
small price to pay.
SPNEGO handles authenticating POST just fine.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https
. The
original poster explicitly ... does not want to use AD in any
solution.
While I'm here, I should also respond to:
Then you have SSO solutions like OpenID which are really more like
triple sign on since you have to login to your workstation, then to
the OpenID service and then put in the OpenID
Michael B Allen wrote:
On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote:
And that is the scenario where direct SPNEGO / NTLMSSP solutions are
going to perform better.
If by better you mean pretty much the same, yes, modulo the
configuration note that I mentioned.
No, I
Active Directory SPNEGO SSO
http://www.ioplex.com/
of a POST, nor is there any good way to stash the
data that comes along with a POST while bouncing the user through the
login server without application support for the SSO system (which is
contrary to a primary goal: ability to drop WebSSO in front of any
arbitrary web application without modifying
Michael Ströder [EMAIL PROTECTED] writes:
Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
it's just a service ticket.
It's optional. The browser can choose to delegate credentials or not,
based on local configuration. (In Firefox, for example, it's two separate
, then a TGT will be included.
Which entity has to set this flag when calling into the API? The web
browser or the web server?
My goal when doing SSO for web applications is that I don't trust the
web applications so much not to reveal the user's credentials.
Ciao, Michael
, if you're using Windows clients in an AD environment and the
HTTP service account has Trusted for delegation turned off, the TGT
will not be sent.
My goal when doing SSO for web applications is that I don't trust the
web applications so much not to reveal the user's credentials.
Your choices are based
Michael B Allen [EMAIL PROTECTED] writes:
Your choices are based on necessity, not trust. If the web application
needs delegated credentials (e.g. to authenticate as the user with
another tier), then you need to send the TGT [1].
Unless you use a system such as WebAuth or Cosign that supports
Hi All,
I was actually interested in implementing a web SSO solution for my
environment. I have five applications -- all web applications, so a web SSO
is needed -- and three run off of Windows, while the other two are Unix and
Linux. Since they are web apps, it won't matter from where
Sharad Desai wrote:
Hi All,
I was actually interested in implementing a web SSO solution for my
environment. I have five applications -- all web applications, so a web SSO
is needed -- and three run off of Windows, while the other two are Unix and
Linux. Since they are web apps
and the network.negotiate-auth.trusted-uris option.
The main (and probably only) drawback of this method is that is all
about HTTP basic authentication, and most of applications only allow
some kind of cookie based auth.
You might want to look at PAPI (http://papi.rediris.es), it only
provides Web SSO, but I
authentication, and most of applications only allow
some kind of cookie based auth.
You might want to look at PAPI (http://papi.rediris.es), it only
provides Web SSO, but I think is enough for you. Allows multiple
authentication backends, and although it is not packaged as default it
is possible
Sharad Desai [EMAIL PROTECTED] writes:
Also, (I'm not sure how familiar people are with Cosign) since Cosign
transforms Kerberos authentication to a cookie-based authentication
which the browsers can use, I was wondering if you have had any
experience with this.
Given your platform
) since Cosign
transforms Kerberos authentication to a cookie-based authentication which
the browsers can use, I was wondering if you have had any experience with
this.
When trying to determine the right SSO solution for your web
applications, it is important to realize that the mode of operation
familiar people are with Cosign) since Cosign
transforms Kerberos authentication to a cookie-based authentication which
the browsers can use, I was wondering if you have had any experience with
this.
When trying to determine the right SSO solution for your web
applications, it is important
Thanks Russ.
Given your platform constraints and desire to avoid Active Directory, I
think Cosign is definitely your best option. However, I believe that you
will need a UNIX server to run the Cosign login daemon, even though you
can use IIS for specific web applications. I could be wrong,
Sharad Desai wrote:
You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
have SPNEGO built in, and can use the Kerberos in Active Directory.
Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
platform
see the about:config and the
Michael B Allen [EMAIL PROTECTED] writes:
For example, you mentioned WebAuth and CoSign. Both of these solutions
are really targeted for highly heterogeneous environments like
University networks where the only client requirement is that the
browser support cookies. So it works on the
environment where clients are logged into a domain 90% of
the time, the performance and flexibility of direct SPNEGO / NTLMSSP
is almost always going to be a better solution.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com
Russ Allbery wrote:
(If you use
Firefox, you don't have to actually be a member of the domain; you can use
a different mechanism for getting Kerberos tickets, such as NIM.)
What is NIM?
Ciao, Michael.
and the 200 response is less than 20 ms (or ~50
ms if the user is in a few hundred groups).
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Michael B Allen [EMAIL PROTECTED] wrote:
On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED]
wrote:
And that is the scenario where direct SPNEGO / NTLMSSP solutions are
going to perform better.
If by better you mean pretty much the same, yes, modulo the
configuration note that I
it as trusted for delegation.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Michael B Allen [EMAIL PROTECTED] writes:
On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote:
If by better you mean pretty much the same, yes, modulo the
configuration note that I mentioned.
No, I definitely meant better.
With direct SPNEGO we 401 the initial HTTP
Hi,
I'm trying to configure SSO between SAP GUI 6.40 (Windows) and SAP
6.40 (Red Hat). I followed the instructions at
http://help.sap.com/saphelp_nw04s/helpdata/en/44/0ebf6c9b2b0d1ae1000a114a6b/content.htm
(but used libgssapi_krb5.so instead of gsskrb5.dll) but I have a
trouble:
The checkbox
[EMAIL PROTECTED] wrote:
SAP Support says, that the guys at MIT have successfully implemented
such a scenario
One of my customers also successfully installed that. I wasn't involved
in that though.
With this particular error message I'd examine two things:
1. DNS A and PTR RRs for all
[EMAIL PROTECTED] wrote:
On 9 Jun., 10:17, Michael Ströder [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
SAP Support says, that the guys at MIT have successfully implemented
such a scenario
One of my customers also successfully installed that. I wasn't involved
in that though.
With
KB885887 couldn't be a factor, because SP3 already includes it.
We've installed the SAP SSO Kerberos solution using Calin Barbat's
fine
instruction posting on this list. In this posting he mentions, that
for him
Kerberos SSO also doesn't work all the time. With no specifics.
SSO works initially every
On 9 Jun., 10:17, Michael Ströder [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
SAP Support says, that the guys at MIT have successfully implemented
such a scenario
One of my customers also successfully installed that. I wasn't involved
in that though.
With this particular error
.
Danny
Date: Fri, 22 Feb 2008 18:14:24 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]; kerberos@mit.edu
Subject: Re: support SSO in Windows with Keberos TGT
sylvain cortes wrote
as you said for keeping the time in synch...
but time issues can provide some strange behaviour with kerberos.
Sylvain CORTES
[EMAIL PROTECTED]
Date: Fri, 22 Feb 2008 18:14:24 -0500 From: [EMAIL PROTECTED] To: [EMAIL
PROTECTED] CC: [EMAIL PROTECTED]; kerberos@mit.edu Subject: Re: support SSO
sylvain cortes wrote:
hi - you always can do everything...it's a question about time ;-) I
did the classic way before using centrify, and it was hell to
maintain: manage the keytab, manage the ad account, manage the NTP
client to have the right ticket session, etc...
Sorry but NTP doesn't use
: Re: support SSO in Windows with
Keberos TGT sylvain cortes wrote: it's managed by the centrify client
deployed on the Unix/Linux host You do understand that the issue here is how
to use applications written to use KFW and applications written to use
Kerberos SSP on the Windows platform
sylvain cortes [EMAIL PROTECTED] wrote:
So, for example, a windows computer which use Putty can present a
kerberos ticket to a Unix machine with the Centrify client, without
any re-authentication. And Unix to Windows, or Unix to Unix works
also in the same way.
You can do that without paying
PROTECTED] To: [EMAIL PROTECTED] CC: kerberos@mit.edu
Subject: Re: support SSO in Windows with Keberos TGT Date: Tue, 19 Feb 2008
13:08:22 -0600 sylvain cortes [EMAIL PROTECTED] wrote: So, for
example, a windows computer which use Putty can present a kerberos ticket
to a Unix machine
suggesting that the user switch from Windows based clients to
UNIX/Linux
based clients as a solution to his SSO issues on Windows?
it's managed by the centrify client deployed on the Unix/Linux host
Sylvain CORTES [EMAIL PROTECTED]
Date: Wed, 13 Feb 2008 18:46:17 -0500 From: [EMAIL PROTECTED] To: [EMAIL
PROTECTED] CC: kerberos@mit.edu Subject: Re: support SSO in Windows with
Keberos TGT Sylvain - MVP GPOs wrote: Hi
Sylvain - MVP GPOs wrote:
Hi,
perhaps you can have a look on www.centrify.com which provide a interop SSO
between Windows/Unix/linux based on Kerberos...
sylvain
How would that solve the need a single credential cache problem
that this thread is discussing?
hello folks,
i have gone through the mail archive for suggestions but i can't seem
to make headway. i am not sure what i am missing. am i supposed to
export contents of krb5.keytab and copy them to the client systems?
i can't even log on to the kerb server. the ssh session just drops to
hello folks,
i have gone through the mail archive for suggestions but i can't seem
to make headway. i am not sure what i am missing. am i supposed to
export contents of krb5.keytab and copy them to the client systems?
i can't even log on to the kerb server. the ssh session just drops to
the
Dodin/Haifa/[EMAIL PROTECTED]
Subject
01/15/2008 06:05 Re: Fw: SSO with telnet/rlogin/rsh
PM
to be written.
How we can support SSO with Kerberos TGT. how all other products is
able to do this.
What do you mean by other products?
They are maintaining their own clients for supporting SSO?
What do you mean by maintaining their own clients?
Here my problem is all client
Hi,
Using Mit Kerberos how can I support SSO?
You can obtain your tickets during the windows logon process from your
domain controller and then access them from KFW aware applications by
setting the default ccache to MSLSA: or by permitting Network Identity
Manager to synchronize the MSLSA
Eswar S wrote:
Hi,
Using Mit Kerberos how can I support SSO?
You can obtain your tickets during the windows logon process from your
domain controller and then access them from KFW aware applications by
setting the default ccache to MSLSA: or by permitting Network Identity
Manager
Hi,
Using Mit Kerberos how can I support SSO?
Is it possible to update Microsoft cache? How can I make other kerberised
application to use cache file which is generated by my application.
I mean when I got credentials (TGT) from KDC, I will store to cache file. I
will set it as default cache
to, is indeed SAP certified.
But depending on your implementation scenario and the user's main
access point: you might want to think about implementing SSO via SAP
Enterprise Portal. This is a very robust solution that requires no
additional software license.
Best Regards,
Eric Labiner
SAP NetWeaver
SSO into that application
server running on AIX.
Any help is greatly appreciated!
Best Regards,
Rick Taylor
OGE Energy Corp.
SAP / Database Administrator
phone: (405) 553-2426
Mobile: (405) 623-7537
-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Taylor, Richard
Sent: 17 January 2008 17:14
To: kerberos@mit.edu
Subject: Kerberos SSO with SAP ERP (AIX) and SAP GUI
Hi,
If possible, please point me to some successful documentation where
Kerberos V is used to setup Single Sign
] On Behalf Of Ido Levy
Sent: Tuesday, January 15, 2008 3:53 PM
To: kerberos@mit.edu
Cc: Olga Dodin
Subject: Fw: SSO with telnet/rlogin/rsh
We did a deeper investigation of this issue and found out that the difference
between sshd and telnetd is in the user credential cache file name.
While ssh
Subject
SSO with telnet/rlogin/rsh
SSO with telnet/rlogin/rsh
Hello,
I am trying to set up SSO in a Linux environment which has the following
components up and running:.
Kerberos 5
LDAP
Kerberized NFSv4 ( security flavor krb5 )
Automount
When using ssh everything works fine, tickets
Douglas E. Engert [EMAIL PROTECTED] writes:
From a Kerberos prospective both could be correct. Using the process ID
as part of the cache name allows for session based credentials, so each
telnet session has its own cache.
telnetd should include both the UID and the PID in the cache name.
Ken Hornstein wrote:
telnetd should include both the UID and the PID in the cache name. This
works much more smoothly with rpc.gssd and is what I do in pam-krb5.
In a perfect world, we'd chuck the whole horrid scheme and create some utility
to send the Kerberos credentials to rpc.gssd or
That is what DCE did. The PAG number was part of the cache name in
a well known location.
I don't want the cache in a well known location. I want to tell the OS
or some utility, Hey, here's my TGT, or perhaps even, Talk to me on this
socket/port/door to get a ticket for a service.
--Ken
Douglas E. Engert [EMAIL PROTECTED] writes:
OK that works too. But I thought the main problem as stated in the note
was that the rpc.gssd could not read the environment of the process, and
thus always defaulted to using the default ticket cache.
This is the same set of issues I have with Nico
Ken Hornstein [EMAIL PROTECTED] writes:
telnetd should include both the UID and the PID in the cache name.
This works much more smoothly with rpc.gssd and is what I do in
pam-krb5.
In a perfect world, we'd chuck the whole horrid scheme and create some
utility to send the Kerberos
Ken Hornstein wrote:
That is what DCE did. The PAG number was part of the cache name in
a well known location.
I don't want the cache in a well known location. I want to tell the OS
or some utility, Hey, here's my TGT, or perhaps even, Talk to me on this
socket/port/door to get a ticket
I think AFS uses the correct model. Credentials are really an attribute
of the user and for the best security should be tracked by the kernel like
any other security attribute of the user (UID, GID, supplemental groups,
capabilities, etc.). But that gets into really nasty cross-platform
issues,
On Jan 15, 2008 3:19 PM, Douglas E. Engert [EMAIL PROTECTED] wrote:
Ken Hornstein wrote:
That is what DCE did. The PAG number was part of the cache name in
a well known location.
I don't want the cache in a well known location. I want to tell the OS
or some utility, Hey, here's my
Hello,
I am trying to set up SSO in a Linux environment which has the following
components up and running:
Kerberos 5
LDAP
Kerberized NFSv4 ( security flavor krb5 )
Automount
When using ssh everything works fine, tickets ( for both user and nfs ) are
forward and when
Hi
I'm in the process of implementing SSO for SAP systems. The systems
in the landscape include DEV-QA-PRD and some sandbox also.
We want to achieve Desktop SSO so that users are not asked to re-enter
access credentials (password, username). Once an user signs in one of
the systems
Senthil,
Can I ask why you don't want to use any 3rd party tools to implement SSO
with your SAP systems ?
Anyway, you might want to check http://www.cybersafe.com/d2 then click
on the link provided, and watch the flash videos to see how to setup SSO
with SAP GUI.
Thanks,
Tim
-Original
Markus
[EMAIL PROTECTED] wrote in messagenews:[EMAIL PROTECTED]
You can get rid of the loginbox by setting the option KrbMethodK5Passwd
to off in your Kerberos configuration (I would recommend this, because
this is the SSO you
hi,
currently we had a heavy problem with our SSO configuration. u can see
in subject which configuration we have. its a apache2 with kerberos
modules and the users are in an MS active directory.
everything works rather fine. but some of the users get a login
message dialog box few times a day
@mit.edu
Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some
Users
hi,
currently we had a heavy problem with our SSO configuration. u can see
in subject which configuration we have. its a apache2 with kerberos
modules and the users are in an MS active directory
,
Florian
Original message
Date: Mon, 26 Nov 2007 03:04:43 -0800 (PST)
From: palm [EMAIL PROTECTED]
To: kerberos@mit.edu
Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for
some Users
hi,
currently we had a heavy problem with our SSO
thanks guys !!
@florian
i do all this things already ... browser are configured fine for
kerberos
@nikhil
i check all the tickets and there seems to be everything okay but the
login box pops up ?!?! i don't know why and im still searching
You can get rid of the loginbox by setting the option KrbMethodK5Passwd to
off in your Kerberos configuration (I would recommend this, because this is
the SSO you want).
But if you do this people will get Access denied instead of the loginbox if
Kerberos is not working.
Regards,
Florian
1 - 100 of 212 matches