
Using Integrated Windows and User ID/Password Authentication

Purpose

Recommendation

The following description applies to using integrated Windows authentication where the Microsoft Internet Information Server (IIS) is used as an intermediary server and the IisProxy module is installed.

However, unless a specific application still requires the use of the IIS and the IisProxy module, we recommend using Kerberos authentication as described in Using Kerberos Authentication for Single Sign-On instead of the IIS and IisProxy module for integrated Windows authentication.

If you wish to have a portal that uses mixed authentication where internal users use integrated Windows authentication and external users log on with user ID and password, you must configure your installation as outlined in this section.

Basically, you need to define two Web sites for the portal in the Microsoft Internet Information Server (IIS). Then you set up one Web site for integrated Windows authentication and one for anonymous logon. You can use the same IisProxy module for both Web sites. As each Web site has a different port, internal users who are logging on with integrated Windows authentication can use one port and external users who log on with user ID and password can use the other port. On no account should users logging on with user ID and password access the Web AS Java directly. This is illustrated in the following figure.

This graphic is explained in the accompanying text

Prerequisites

See the Prerequisites under Configuring Integrated Windows Authentication in the Portal.

Process Flow


1. Install the IisProxy module as described in Installing the IisProxy Module and Testing the IisProxy Module.

2. On the IIS, create two Web sites for the portal. Configure one for integrated Windows authentication and one for anonymous logon.

3. Set up the login module stack used by the portal to first check for Windows authentication and then ask for user ID and password. Use the procedure described in Adjusting the Login Module Stacks.

Example

The following is an example of how you can set up the login module stack. In this example, the login module stack first checks if the user has a SAP logon ticket. If yes, the authentication succeeds and control returns to the application. If not, the next login module checks for integrated Windows authentication by checking for a value (user ID) in the REMOTE_USER header variable. If there is a value, a logon ticket is issued for this user ID. If there is not a value in the header variable, the BasicPasswordLoginModule authenticates the user with user ID and password. If this authentication is successful, the user is issued a logon ticket.

| Login Modules | Flag | Options |
|---|---|---|
| EvaluateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true} |
| HeaderVariableLoginModule | OPTIONAL | {ume.configuration.active=true, Header=REMOTE_USER, windows_integrated=true} |
| CreateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true} |
| BasicPasswordLoginModule | REQUISITE | {} |
| CreateTicketLoginModule | OPTIONAL | {ume.configuration.active=true} |

4. Make sure that you implement the Security Measures under Configuring Integrated Windows Authentication in the Portal.
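The flag handling of the example login module stack, modelled as a short Python simulation. This is an added illustration, not SAP code: the request keys `ticket_user` and `password_user`, the function names, and the rule that CreateTicketLoginModule succeeds only once an earlier module has established a user are assumptions drawn from the example description, and only the three flags used in the table are modelled.

```python
# Added illustration: models JAAS control-flag handling for the example stack.
# Module behaviour is simplified from the page's description.
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]
# Hypothetical request keys: the credential each module looks for.
SOURCES = {
    "EvaluateTicketLoginModule": "ticket_user",   # valid SAP logon ticket
    "HeaderVariableLoginModule": "REMOTE_USER",   # set by IIS after Windows auth
    "BasicPasswordLoginModule": "password_user",  # user ID/password verified
}

def run_module(name, request, state):
    """Return True if the module succeeds; record user/ticket in state."""
    if name == "CreateTicketLoginModule":
        # Assumption: succeeds only if an earlier module established a user.
        state["ticket_issued"] = bool(state["user"])
        return state["ticket_issued"]
    user = request.get(SOURCES[name])
    if user:
        state["user"] = user
    return bool(user)

def evaluate(request):
    """Walk the stack; return (authenticated, state, modules_run)."""
    state, ran, any_ok = {"user": None, "ticket_issued": False}, [], False
    for name, flag in STACK:
        ok = run_module(name, request, state)
        ran.append(name)
        any_ok = any_ok or ok
        if flag == "SUFFICIENT" and ok:
            return True, state, ran    # success, later modules are skipped
        if flag == "REQUISITE" and not ok:
            return False, state, ran   # failure, later modules are skipped
    # End of stack: every REQUISITE module passed; without one, any success counts.
    return any(f == "REQUISITE" for _, f in STACK) or any_ok, state, ran

if __name__ == "__main__":
    # Constructed sample requests, one per logon path plus an empty request.
    for req in ({"ticket_user": "alice"}, {"REMOTE_USER": "alice"},
                {"password_user": "bob"}, {}):
        ok, state, ran = evaluate(req)
        print(req, "->", ok, state, len(ran), "modules run")
```

The REMOTE_USER case succeeds without any password check, so the stack relies on that header being set only by the IIS; the Security Measures referenced in step 4 cover this dependency.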

Result

Users can log on with integrated Windows authentication if they specify the port of the IIS website that is set up for integrated Windows authentication. They can log on with user ID and password if they specify the port of the IIS website that is set up for anonymous logon.

 
