Configuring Integrated Windows Authentication in the Portal Using the IisProxy Module

Purpose

Recommendation

The following description applies to using integrated Windows authentication where the Microsoft Internet Information Server (IIS) is used as an intermediary server and the IisProxy module is installed.

However, unless a specific application still requires the use of the IIS and the IisProxy module, we recommend using Kerberos authentication as described in Using Kerberos Authentication for Single Sign-On instead of the IIS and IisProxy module for integrated Windows authentication.

Integrated Windows authentication means that if a user has successfully logged on to a Windows desktop session, he or she can access the portal in that desktop session without having to reenter his or her Windows authentication credentials. This is possible only if the enterprise portal is implemented as an intranet portal. The following section provides a step-by-step description of how to set up integrated Windows authentication in the portal. Both NTLM and Kerberos authentication are supported.

To use integrated Windows authentication, there must be a Microsoft Internet Information Server (IIS) in front of the portal. When the user accesses the portal through the IIS, the IIS gets the user ID with which the user logged on to his or her Windows desktop session and forwards this ID in the REMOTE_USER header variable to the portal installation. The underlying Web AS Java uses this information to identify the user and log him or her on.

To set up integrated Windows authentication, you need to install the IisProxy module to enable the connection between the IIS and the portal. You must set up the IIS for integrated Windows authentication. Finally, you must adjust the login module stacks on the SAP Web AS Java to use the information from the REMOTE_USER header variable.

Note

As of Web Application Server 6.40 SP8 (NetWeaver SP Stack 05), it is possible to use integrated Windows authentication in a multi-domain environment even if users’ logon IDs are not unique across all domains. For more information, see SAP Note 762419 Multi-Domain Logon Using Microsoft Active Directory.

Prerequisites

·        Clients must have a Windows operating system and use Microsoft Internet Explorer as browser.

·        You require a Microsoft Internet Information Server (IIS) 5.0 or 6.0 as portal Web server. For Windows authentication you cannot use the native Web server of the SAP J2EE Engine. It is possible to have the portal running on a UNIX machine and the IIS running on a Windows machine.

Note

If you are using IIS 6.0, see SAP Note 734462.

·        The IIS and the clients must be in the same Windows domain or there must be a trust relationship between the IIS Windows domain and client Windows domain.


If there is a trust relationship between the IIS Windows domain and the client Windows domain, user IDs must be unique across all trusted domains to prevent two different users from being logged on as the same user.

·        Users must have the same Windows user IDs and portal user IDs.

Security Measures

If appropriate security measures are not taken, attackers can impersonate a user by sending a request with a user ID in the REMOTE_USER header variable to the SAP Web Application Server. To prevent this, you should do the following:

·        Use the IisProxy module 1.7.0.0 or higher. These versions do not forward the REMOTE_USER header variable directly from the client to the server.

·        Using appropriate measures, for example firewalls, make sure that the HTTP and HTTPS ports of the Web AS Java or portal cannot be directly accessed by client browsers. The Web AS should only be accessed through the IisProxy module on the IIS. This prevents attackers from bypassing the IIS and impersonating authenticated users.

·        If it is not possible to block the HTTP and HTTPS ports of the Web AS Java, you must configure Secure Sockets Layer (SSL) with mutual authentication between the IisProxy module and the SAP Web AS Java. In this way, the Web AS Java can trust the user information contained in the header variable.

To set this up, you must add the certificate of the IisProxy module to the list of trusted root certificates in the J2EE Engine. Then you configure the J2EE Engine to only accept incoming requests that are signed with this certificate. For more information, see Configuring SSL When the IIS is the Intermediary Server.
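The three measures above all protect one trust boundary: the Web AS Java must honour REMOTE_USER only when the header was set by the IIS, never when it was supplied by whoever sent the request. The following Python model is an added illustration, not SAP's or the IisProxy module's code. It models a proxy that passes headers through, a proxy that discards any client-supplied REMOTE_USER (the behaviour described for IisProxy 1.7.0.0 and higher), and a backend decision that optionally requires the request to arrive over mutually authenticated SSL from the proxy. The certificate subject, the user IDs and the requests are constructed placeholder values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed subject of the IisProxy module's SSL client certificate (placeholder).
TRUSTED_PROXY_CERT_SUBJECT = "CN=iisproxy.example.invalid"


@dataclass
class Request:
    """A simplified HTTP request as seen by one hop."""
    headers: dict = field(default_factory=dict)
    # Subject of the peer certificate when the connection is mutually
    # authenticated SSL; None for plain or server-only authenticated SSL.
    peer_cert_subject: Optional[str] = None


def legacy_proxy_forward(inbound: Request, windows_user: Optional[str]) -> Request:
    """Model of a proxy that copies every inbound header to the backend.

    In this model a REMOTE_USER header supplied by the client survives
    whenever IIS did not authenticate a Windows user itself, which is
    the impersonation the page warns about.
    """
    headers = dict(inbound.headers)
    if windows_user is not None:
        headers["REMOTE_USER"] = windows_user
    return Request(headers=headers, peer_cert_subject=TRUSTED_PROXY_CERT_SUBJECT)


def fixed_proxy_forward(inbound: Request, windows_user: Optional[str]) -> Request:
    """Model of measure 1: any client-supplied REMOTE_USER is discarded and the
    header is set only from the identity IIS established via Windows authentication."""
    headers = {k: v for k, v in inbound.headers.items() if k.upper() != "REMOTE_USER"}
    if windows_user is not None:
        headers["REMOTE_USER"] = windows_user
    return Request(headers=headers, peer_cert_subject=TRUSTED_PROXY_CERT_SUBJECT)


def backend_identify(req: Request, require_mutual_ssl: bool) -> Optional[str]:
    """Model of the Web AS Java decision: which user does REMOTE_USER identify?

    With require_mutual_ssl (measure 3) the header is honoured only when the
    request arrived over SSL with the trusted proxy certificate. Without it,
    the backend trusts whoever can reach its port, so that port must be
    unreachable from client networks (measure 2).
    """
    user = req.headers.get("REMOTE_USER")
    if user is None:
        return None
    if require_mutual_ssl and req.peer_cert_subject != TRUSTED_PROXY_CERT_SUBJECT:
        return None
    return user


def scenarios() -> dict:
    """Run the cases the page describes and return who the backend would log on."""
    # Constructed request carrying a client-supplied REMOTE_USER header.
    forged = Request(headers={"REMOTE_USER": "portal_admin"})
    return {
        # Old proxy, no IIS-authenticated user: forged header reaches the backend.
        "legacy_proxy_forged": backend_identify(legacy_proxy_forward(forged, None), True),
        # Fixed proxy strips it: nobody is logged on.
        "fixed_proxy_forged": backend_identify(fixed_proxy_forward(forged, None), True),
        # Fixed proxy with a genuine Windows logon: that user is logged on.
        "fixed_proxy_genuine": backend_identify(fixed_proxy_forward(Request(), "jsmith"), True),
        # Request sent straight to the Web AS port, bypassing the IIS.
        "direct_no_mutual_ssl": backend_identify(forged, False),
        "direct_with_mutual_ssl": backend_identify(forged, True),
    }


if __name__ == "__main__":
    for name, user in scenarios().items():
        print(f"{name}: {user}")
```

The two "direct" cases show why measures 2 and 3 are alternatives: when the backend port is reachable by clients and mutual SSL is not required, a request that never passed through the IIS is accepted with whatever REMOTE_USER it carries; requiring the proxy's certificate closes that path.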

Process Flow

1. Install the IisProxy module.

2. Test the IisProxy module.

3. Configure the IIS for integrated Windows authentication.

4. Adjust the login module stack used by the portal.

5. Test whether you successfully configured integrated Windows authentication by launching the portal via the IIS with the following URL: http://<Web_server_host>:<Web_server_port>/irj.

Example

http://myIIS.mycompany.com:3030/irj

6. If integrated Windows authentication is not working, check the log files. For more information on finding and configuring the log files, see Logging and Tracing.

Result

When users who have already logged on to the Windows operating system launch the portal through the Web server, they are logged on to the portal with their Windows user ID. The portal then issues a logon ticket for the authenticated user.

Note

When users log off from the portal using the log off link, they are redirected to the logon page. Since integrated Windows authentication does not require a logon screen, the users are automatically logged back on again. To prevent this from happening, it is possible to redirect users to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294.
