NWBC instantiates and uses a normal Internet browser for the authentication process. The same authentication process is used in NWBC as in the browser. The advantage of this is that all different types of authentication processes supported in the browser are also supported in NWBC, including the use of digital certificates or other browser-based authentication systems.
Since NWBC uses a Microsoft Internet Explorer browser to render all HTML-based content areas, all (security) settings from Microsoft Internet Explorer also apply to all HTML content that is rendered with NWBC.
In more detail, the NWBC approach to authentication is to load a specific URL from the server. First, a pop-up window is displayed that hosts an Internet Explorer (IE) control. The IE is set to load a page called ticket issuer. The first request to the server on this URL (in the browser instance) causes the server to trigger the authentication process. There can be any number of browser-based steps to complete the authentication process, using any authentication process that the server supports for browser-based logon, for example, basic authentication, form-based authentication, or authentication based on digital certificates.
Once the user is authenticated, the server sets either a MYSAPSSO2 cookie (logon ticket) or a SAP_SESSIONID cookie (assertion ticket) and the ticket issuer page is loaded. NWBC requires the logon ticket or assertion ticket for all further steps, because it uses the ticket to pass authentication information to every application it starts. The ticket issuer page is a simple page that lets NWBC recognize that the authentication process is completed and a ticket has been issued.
In summary, for authentication, NWBC uses a browser instance to load a simple URL. This triggers the server-configured authentication process, which completes authentication and obtains a logon or assertion ticket. Because logon works this way, NWBC supports all authentication processes that run in a browser on the server.
To test this authentication process in a browser on an ABAP server, load the following URL in the browser:
Example: https://<server>.<domain>.<ext>:<port>/sap/bc/nwbc/TicketIssuer
Observe whether any form of authentication process is triggered and whether a simple XML page is consequently displayed. With any HTTP trace tool it is possible to see the logon tickets (MYSAPSSO2 or SAP_SESSIONID cookie) in one of the last HTTP responses. Similarly, on a portal server, the ticket issuer URL is as follows:
Example: http://<server>.<domain>.<ext>:<port>/TicketIssuer/TicketIssuer
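The trace check described above can be scripted over response headers copied from an HTTP trace tool. The following is an added example, not SAP code: it reports which response set the logon or assertion ticket and whether that cookie carries the Secure and HttpOnly attributes. The trace, the ticket value, and the function name are constructed, and matching `SAP_SESSIONID` by prefix is an assumption about how the server names that cookie.

```python
# Added example (not SAP code): find the NWBC ticket cookie in a captured trace.

# Cookie names taken from the page; prefix matching is an assumption so that
# a suffixed SAP_SESSIONID cookie name is also recognized.
TICKET_PREFIXES = ("MYSAPSSO2", "SAP_SESSIONID")

# Constructed sample: header blocks of two responses from a TicketIssuer logon.
SAMPLE_TRACE = [
    'HTTP/1.1 401 Unauthorized\r\n'
    'WWW-Authenticate: Basic realm="constructed"\r\n',
    'HTTP/1.1 200 OK\r\n'
    'Content-Type: text/xml\r\n'
    'Set-Cookie: MYSAPSSO2=CONSTRUCTED-TICKET-VALUE; path=/; secure; HttpOnly\r\n',
]


def find_tickets(responses):
    """Return one dict per ticket cookie: response index, name, cookie flags."""
    found = []
    for idx, block in enumerate(responses):
        for line in block.splitlines():
            header, sep, value = line.partition(":")
            if not sep or header.strip().lower() != "set-cookie":
                continue  # status line or a header other than Set-Cookie
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].partition("=")[0]
            if not cookie_name.startswith(TICKET_PREFIXES):
                continue  # some other cookie, not a logon/assertion ticket
            # Attribute names are case-insensitive; drop any "=value" part.
            attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
            found.append({
                "response": idx,
                "name": cookie_name,
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
            })
    return found


if __name__ == "__main__":
    tickets = find_tickets(SAMPLE_TRACE)
    if not tickets:
        print("no logon or assertion ticket was issued in this trace")
    for t in tickets:
        print(f"response #{t['response']}: {t['name']} "
              f"secure={t['secure']} httponly={t['httponly']}")
```

An empty result means the authentication process never reached the ticket issuer page, which is the condition under which NWBC cannot pass authentication information to the applications it starts.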
NWBC does not store or persist any authentication data in any form.
NWBC uses a standard Internet Explorer control to run the standard browser-based logon. For this reason, the logon screens in the browser and in NWBC look exactly the same. The concept described above is illustrated in the following figure:
It is the responsibility of the customers to make whatever security settings are necessary in the browser. Pay particular attention to your proxy settings. NWBC uses the security settings from Internet Explorer. NWBC does not store or persistently keep any authentication data in any form.