0

SAP gateway we are getting 403 unauthorized when trying to get a csrf token.

The same username / password is working for read operations.

I've looked at some other posts in the sap forums and also posted there: https://answers.sap.com/questions/715798/sap-gateway-unauthorized-when-trying-to-get-a-csrf.html

We are using http, but we have the login/ticket_only_by_https set to 0.

I also looked at the service and did not see the parameter ~CHECK_CSRF_TOKEN = 0 as described at: https://archive.sap.com/discussions/thread/3723417

The parameters list came up as blank.

Any other ideas?

I wrote a small c# program to just try to get the csrf token and it works against our test system but it is failing on a customer's system. I haven't been able to figure out why.

Sandra Rossi
  • 11,934
  • 5
  • 22
  • 48
Derek
  • 7,615
  • 5
  • 33
  • 58

2 Answers2

0

One way to fix it was to append the following to the URL: “?spnego=disabled”.

I found this info at:

https://launchpad.support.sap.com/#/notes/0002462330

2462330 - Your browser is not configured for using SPNego error on Fiori Client - FC/KAP Version 1 from 24 Apr 2017 in English Component:MOB-FC Priority:Normal Category:Problem Release Status:Released to Customer Rated Helpful: (2 people) Quality Rating:  DescriptionProductThis document is referenced byLanguagesRate This Document Symptom Attempting to connect Fiori Client iOS to Netweaver Gateway receives error "Your browser is not configured for using SPNego Press F5 (Page Refresh) to continue". Environment • Fiori Client 1.8.7 iOS • Netweaver Gateway with SPNego configured Reproducing the Issue 1. Configure Netweaver Gateway and Fiori Launchpad with SPNego (Negotiate) authentication. 2. Attempt to connect with iOS Fiori Client. 3. Observer error "Your browser is not configured for using SPNego". Cause Fiori Client on all platforms does not support SPNego (Negotiate) authentication. Resolution User added URL parameter spnego=disabled to Fiori URL and issue was resolved. Example: http://:/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html/?spnego=disabled

Derek
  • 7,615
  • 5
  • 33
  • 58
0

Another way to fix it might be to make sure there is a trailing / at the end of the url to get the csrf token from. At one user's site, using fiddler we see 307 redirect calls followed by 401 unauthorized pretty regularly. Locally, when I run I see 307 redirect calls but no failures. With the trailing / at the end of the url we don't get the 307 redirect and it seems to be working better.

EDIT: Confirmed, the customer is running much better now.

Derek
  • 7,615
  • 5
  • 33
  • 58