Hi,

We have installed the secure login server 2.0. And configured SSO for SAP (ABAP, JAVA) systems using X.509 certificate. it is working fine.

We want to configure SSO for some non SAP applications like MS outlook, Outlook Web Access, Sharepoint.

I dont see any documentation in the implememntation guide of NW SSO 2.0 for how to configure these non sap applications to accept X.509 certificates.

Anyone please share the details of how to configure SSO for MS outlook, OWA and Sharepoint

Regards,

Yogesh Kumar D

Hi everyone,

I am developing an external Java applicatoin that connects to SAP using JCo and would like to utilize Kerberos as our method of authentication. Can I use the NWSSO libraries to accomplish this? I've seen many examples of the connecting JCo applicatoins using X.509 certificates but none using Kerberos. What library file SNC_LIB should my JCo program use (sapcrypto.dll, secgss.dll)? Any help from someone with experience would be appreciated.

Thanks

Kevin Spillman

Hi all,

I'm trying to configure Netweaver Portal 7.4 SP3 as Identity Provider to issue SAML2 assertion tickets to establish trust connections between SAPUI5 apps and SAP NW Gateway.

Anyone has a how to, useful links or tutorial to configure all components¿?

We've configured SAP Portal as IDp and SAP NW GW to trust SAML2 tickets but a GW logon screen appears when SAPUI5 apps access to GW services.

Thanks in advance,

Kind regards

Hello Experts,

Currently we don't have NW SSO license so we want to use SNC logon with user password in GUI-

So my question is how can we test the same, If I am login with AD user , which password do I need to supply, it's windows password or SAP password ?

SPN  is -

C:\Windows\system32>setspn -l KERBEROSED1

Registered ServicePrincipalNames for CN=KERBEROSED1,OU=Services,OU=Internal Accounts,DC=abc,DC=def:

HTTP/ancecdci1.abc.def

SAP/KERBEROSED1

I have already maintained user snc tab and SNC parameters

snc/identity/as                             p:CN=SAP/KERBEROSED1@xvz.com

SNC tab -

p:CN=ED1ADM@abc.def

Trust is setup between xyz.com and abc.def domain and I am testing with user <SID>adm which is created on domain abc.def but I am not able to login from windows password.

Please suggest.

Saurabh

Join the SAP NetWeaver Single Sign-On Customer Engagement Initiative

Interested in sharing your feedback on planned features for SAP NetWeaver Single Sign-On? Join our upcoming customer engagement initiative! With your help, we want to develop, discuss, and evaluate new ideas, such as the introduction of central access policies for risk- and context-based authentication, RFID-based user identification, two-factor authentication and single sign-on for the mobile portal. To find out more, contact Regine Schimmer. March 20, 2014

Single Sign-On with SAP NetWeaver Business Client (NWBC)

SAP NetWeaver Business Client (NWBC) enables users to access data from ABAP back-end systems using multiple UI technologies. In her first blog, Sandra Thimme described step-by-step how to make data access both simple and secure by leveraging SAP NetWeaver Single Sign-On. In her latest blog, she explains how to access multiple systems in remote scenarios. March 5, 2014

Take the SAP Fiori Experience to a New Level with SAP NetWeaver Single Sign-On

In their latest blog, Regine Schimmer and Jens Koster describe how you can implement single sign-on for your SAP Fiori apps. SSO not only simplifies the user experience, it also helps organizations keep sensitive data secure at all times. January 21, 2014

hi,

we have NW 7.4 system.It is pure java system.

We are trying to install on SSO add-on using SUM tool.

In configuration phase it asking for java administrator user.And when provided,it gives error message that "Error while trying to validate Administrator password".

detailed error as...

Could not display dialog UserPasswords. Could not execute dialog UserPasswords. See previous messages. Error while trying to validate Administrator password. Possible reason: the J2EE engine is not started. Error while trying to get initial context. com.sap.engine.services.jndi.persistent.exceptions.NamingException: Exception during getInitialContext operation. No server is running. [Root exception is com.sap.engine.services.security.exceptions.BaseLoginException: Exception in creating new RemoteLoginContext instance.] com.sap.engine.services.security.exceptions.BaseLoginException: Exception in creating new RemoteLoginContext instance. com.sap.engine.services.rmi_p4.P4ConnectionException: Incorrect client ID. The stub is not connected yet. Nested exception is: com.sap.engine.services.rmi_p4.P4ConnectionException: The stub cannot establish connection.

With same user i am able to login system.

As per note,we tried deleting files .sdt_keystore and .sdt_storage from ../SUM/sdt/data  and restarted SL controller but still error pursist.

Hoping your reply soon.

Regards,

Suhas.

Hi All,

We have activated SPNEGO, One of our existing service with Technical user is not working.

When SPNEGO is disabled it works.

Regards

Ram

Hi All,

Went through the docs + forums & even in the midst of OSS support but without any luck. Any insight will be much appreciated.

As per topic attempting to make use of SAP SNC with SLL without SSO. SAP ABAP on Unix & Active directory on Windows. Below config

Setspn command

setspn -S SAP/LDOWNIHRSADM DOMAINCONTROLLER\LDOWNIHRSADM

Registering ServicePrincipalNames for CN=LDOWNIHRSADM,CN=Users,DC=TST,DC=DOMAIN,DC=COM

SAP/LDOWNIHRSADM

Updated object

snc status -v

------------------------------------------------------------------------------

------------ status    -------------------------------------------------------

------------------------------------------------------------------------------

Product version     : Secure Login Library 1.0 SP 4 Patch 3

                    : CryptoLib            8.3.7.12

                    :                      aix-6.1-ppc-64

GSS library         : available

GSS library name    : libsecgss.so

PSE directory       : (existing) /usr/sap/SM1/DVEBMGS00/sec

PSE file            : (existing) /usr/sap/SM1/DVEBMGS00/sec/pse.zip

STRUST cred file    : (missing ) /usr/sap/SM1/DVEBMGS00/sec/cred_v2

SNC config file     : (existing) /usr/sap/SM1/DVEBMGS00/SLL/gss.xml

PSE accessible      : yes

PSE logged in       : yes

PSE credentials     : MasterPassword SystemDefault

Kerberos keyTab     :  4 entries

1: LDOWNIHRSADM@TST.DOMAIN.COM (KeyType DES)

2: LDOWNIHRSADM@TST.DOMAIN.COM (KeyType AES128)

3: LDOWNIHRSADM@TST.DOMAIN.COM (KeyType AES256)

4: LDOWNIHRSADM@TST.DOMAIN.COM (KeyType RC4)

------------------------------------------------------------------------------

SNC keys registered :  0 entries

Trusted certificates:

log from dev_w0

N  SncInit(): Initializing Secure Network Communication (SNC)

N        IBM RS/6000 with AIX (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N        UserId="sm1adm" (5180), envvar USER="sm1adm"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

N  SncInit(): found  snc/gssapi_lib=/usr/sap/SM1/DVEBMGS00/SLL/libsecgss.so

N    File "/usr/sap/SM1/DVEBMGS00/SLL/libsecgss.so" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N  SncInit():   found snc/identity/as=p:CN=LDOWNIHRSADM@TST.DOMAIN.COM

N

N Thu Apr 17 10:52:21 2014

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=Indefinite

M  ***LOG R1Q=> p:CN=LDOWNIHRSADM@TST.DOMAIN.COM [thxxsnc.c    265]

M  SNC (Secure Network Communication) enabled

Instance Profile for SNC

snc/permit_insecure_start = 1

snc/data_protection/use = 1

snc/data_protection/max = 3

snc/data_protection/min = 1

snc/accept_insecure_r3int_rfc = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/enable = 1

snc/gssapi_lib = /usr/sap/SM1/DVEBMGS00/SLL/libsecgss.so

snc/identity/as = p:CN=LDOWNIHRSADM@TST.DOMAIN.COM

ssf/ssfapi_lib = $(ssl/ssl_lib)

sec/libsapsecu = $(ssl/ssl_lib)

SAP Logon Entry

Error when logging on.

If you have read this far thanks!

Hi,

I have recently Installed SAP Netweaver 7.4 Java only server, after which i have followed the template specific configuration, in which the prime configuration was BI Java where in the main motive was to configure my portal as a landscape to retrieve reports from BI ABAP systems. So, a system and SSO for BI ABAP has been configured successfully. BEX analyzer was working smoothly. After this i have configured SPNEGO and performed the complete activities. The windows authentication scheme to login to portal without User ID and password was working perfectly fine. But ABAP SSO was not working, So i raised a ticket to SAP wherein they have suggested me to follow the below ticket entries:

Original Entry:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule SUFFICIENT

3. BasicPasswordLoginModule REQUISITE

4. CreateTicketLoginModule OPTIONAL

SAP requested changes:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule SUFFICIENT

3. CreateTicketLoginModule SUFFICIENT

4. BasicPasswordLoginModule REQUISITE

5. CreateTicketLoginModule OPTIONAL

After changing with SAP entries my SPNEGO is not working and everytime i login their is a prompt for user id and password. This is weird and am not getting any ideas since there is no change in the configuration. Kindly help!! then later i have changed these entries to the old one, recreated SPNEGO entry in the configuration wizard but still no luck. Attached is the latest error log!! Please help!!

Regards,

Mohammed Imran

Hello,

I used SPNego on NW 7.01.

I have upgraded my system from NW7.01 to NW 7.40.

I have regenerated the spnego by SPNego Wizard.

I have recreated the entry spnego by offlinecfgeditor (template=spnego).....I had to delete it after upgrade to be able to connect to the system.

Now, I can't connect using SPNego :

LOGIN.FAILED

User: N/A

IP Address: 128.41.15.233

Authentication Stack: sap.com/SSOEAR*login

Authentication Stack Properties:

        policy_domain = /login

        realm_name = Upload Protected Area

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      

        #1 trusteddn1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE

        #2 trustediss1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE

        #3 trustedsys1 = D39,000

        #4 ume.configuration.active = true

2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true      SPNego authentication has failed during previous attempt.

        #1 com.sap.security.spnego.legacy = false

        #2 com.sap.spnego.creds_in_thread = true

        #3 com.sap.spnego.jgss.name = DJ1SAPSSO@EMEA.LOREAL.INTRA

        #4 com.sap.spnego.uid.resolution.attr = krb5principalname

        #5 com.sap.spnego.uid.resolution.mode = simple

3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      

        #1 ume.configuration.active = true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     

5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      

        #1 ume.configuration.active = true

No logon policy was applied

Can you help me?

Regards

How to configure SingleSignOn between GRC and BOBJ 4.1?

We have configured the System entitlement in BOBJ CMC. But didn't do anything on the GRC system.

User can login from BOBJ to GRC with password but not with SSO.

We haven't configured SNC . I don't this for this simple flow, we need to have SNC.

We haven't set up the Trust certificate exchange as well between BOBJ and GRC.

Please help us to know what are the mandatory settings need to be done to create a Relational connection for a ERP/GRC system  from BOBJ client tool IDT?

thanks,

Tilak

Hi all,

SSO worked 100% for my client before we did an upgrade of BW 7.3 to SP11. The SSO bit is in fact still working but after the upgrade users are forced to change their expired BW passwords again.

During the BPC installation and testing of SSO we found the 'login/password_change_for_SSO' profile parameter in RZ11. After setting the parameter value to 0 the users weren't prompted to change their passwords once it expired. This worked for about 2 months then we performed the upgrade as I mentioned in the beginning.

The 'login/password_change_for_SSO' profile parameter in RZ11 hasn't changed at all - anybody have any ideas as to what else may have caused this problem?

Thanks

Hello,

I'm intending to use NW SSO in my work environment and want to know what people's experience has been with browser applications (CRM 2007 in this case) in an environment with firewalls.

The largest number of users in this environment use CRM and need to connect through firewalls. I'm hoping that as opposed to SAP Logon tickets NW SSO would perform well.

Does anyone have experience with this type of environment?

Really appreciate the feedback.

Paul

  Hi,

We have installed the secure login server 2.0. And configured SSO for SAP (ABAP, JAVA) systems using X.509 certificate. it is working fine.

We want to configure SSO for some non SAP applications like MS outlook, Outlook Web Access, Sharepoint.

I dont see any documentation in the implememntation guide of NW SSO 2.0 for how to configure these non sap applications to accept X.509 certificates.

Anyone please share the details of how to configure SSO for MS outlook, OWA and Sharepoint

Regards,

Yogesh Kumar D

Hello,

I have developed a Mobile App using SAP UI 5 framework, HTML, JavaScript and Apache Cordova / PhoneGap.

The app is completed, but I am still stuck with the Login Authentication task. The code which I have written, pertains to OData Service based BASIC Authentication using Username and Password(which the user enters through the app's UI). The code works fine for Valid Login credentials, but doesn't work at all, when the user enters Invalid credentials.

I came to know that instead of using BASIC Authentication (with Username and Password), either of SSO / SSL / X.509 or SAML based Authentication mechanisms needs to be used for SAP UI5 mobile app.

I Researched and found some links which speak about SSO Authentication but are either for Java EE or Microsoft .Net applications(and they are irrelevant in my context).

I am looking for code, which is in JavaScript, as I my entire app is HTML, JavaScript with SAP UI5 framework and I have also used Apache Cordova/PhoneGap to transform my HTML and related project files into an iOS app( and later will be morphed into an Android app as well).

It would be of great help, if I could get any sort of help, either in the form of sample code or some leads.

PLEASE NOTE ->

1. For the rest of the app's Business Logic, I have used OData services and " OData.read(...); " statements to fetch the data and store them in  "sap.ui.model.json.JSONModel(); "model, for further manipulations and binding them to the UI controls.
2. In case the SSO / SSL or any such implementation needs any additional setup or any kind of modification in the code to fetch the data, kindly highlight that as well.
3. And at this instant, we do not intend to use SAP HANA Cloud Platform, as it does not fall under our project scope and requirements.

Thanks and Regards,

Suraj Kumar Y Midgay

Hi,

I have two domains configured in SPNego of secure login server (SS0 2.0). Secure login client is receiving certificate for one domain users when user manually enters password in SLC. But Secure login is not receiving user certificate for the second domain/AD. It shows "Supplied credentials not accepted by the server".

When i check the Diagtool log, it shows "SPNEGO realm is not enabled" for the second domain/AD. But both the SPNego configurations are enabled only in NWA.

Attached the error screen, SLC trace and Diagtool trace files.

Anyone pls help on this?

Regards,

Yogesh Kumar D

hi,

I have configured SSO between windows and SAP EP. It works well on IE 8 and IE 7. But it does not work on IE 9 browser. Please suggest what settings need be done on the IE 9 browser for SSO to work

thank you !

seventyros

SAP EP

Hi to everyone in the SAP Netweaver Single Sign-On Community,

for the last few days I have been stuck trying to implement Single Sign-On with Kerberos authentication for an AS ABAP system running on AIX 6.1. Whatever I try to do, I always seem to end up with the same generic error:

(domain names in this picture and all following files and traces have been removed or replaced with "generic.domain")

Hopefully somebody with more experience would be so kind to take a look at this post and the attached traces to help me figure out where the problem with my configuration lies.

Attached you will find the developer trace of the first work process, the trace of the Secure Login Library with trace level 4 of an authentication attempt, and the traces of the Secure Login Client during the same authentication attempt. Additionally this post contains the configuration of the application server and the service user.

Generic information:

Platform:    IBM AIX 6.1

Kernel:    7.21 Patch Level 226

Version of the Secure Login Library (output of ./sapgenpse):

Loaded CommonCryptoLib from sapgenpse folder

"/sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so"

Platform:    aix-6.1-ppc-64  (aix-6.1-ppc-64)

Versions:  SAPGENPSE    2.0 SP2 Patch 3 (Feb 22 2014)

  FILE-Version  8.4.10.3

  CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.10 pl40 (2.0 SP2 Patch 3) (Feb 22 2014) MT-safe

USER="k31adm"

Environment variable $SECUDIR is defined:

"/usr/sap/K31/DVEBMGS03/sec"

Configuration of SNC parameters in the instance profile of the application server:

snc/enable = 1

snc/data_protection/use = 3

snc/data_protection/min = 2

snc/data_protection/max = 3

snc/gssapi_lib = /sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so

snc/accept_insecure_gui = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/identity/as = p:CN=svc-sap-sso@GENERIC.DOMAIN

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

Availability of required personal security environments for the user k31adm (output of ./sapgenpse seclogin -l):

running seclogin with USER="k31adm"

0: CN=svc-sap-sso@GENERIC.DOMAIN

        /usr/sap/K31/DVEBMGS03/sec/SAPSNCSKERB.pse

1: CN=svc-sap-sso@GENERIC.DOMAIN

        /usr/sap/K31/DVEBMGS03/sec/SAPSNCS.pse

2 readable SSO-Credentials available

Configuration of the Microsoft Active Directory service user:

domain:                          generic.domain

samaccountname:          svc-sap-sso

serviceprincipalname:    SAP/svc-sap-sso

Hi,

We have scenario where users connect to office network though VPN and access SSO. When users connect through VPN, users are not able to login in SLC and hence not receiving X.509 user certificate. It shows the following error when try to login in SLC.

"There are currently no logon servers available to service the logon request"

But the same SLC is working when users connect directly (ex LAN or WI-FI) to the network.

We have enabled secure login client trace and found the below errors in the trace when user is connected through VPN.

SLC trace file

[2014.04.23 14:23:24.531][ERROR][sbus.exe            ][BASE        ][  6060] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 23 returned error

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056]     0/C000005E There are currently no logon servers available to service the logon request.

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm  3 returned error

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056]     0/C000005E There are currently no logon servers available to service the logon request.

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056] Getting kerberos ticket for 'HTTP/ssodev' failed (user name is sap.helpdesk4@domain.companyresource.local)

[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][  6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service

[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][  6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056] Getting kerberos ticket for 'HTTP/ssodev@domain.companyresource.local' with algorithm 23 returned error

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056]     0/C000005E There are currently no logon servers available to service the logon request.

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056] Getting kerberos ticket for 'HTTP/ssodev@domain.companyresource.local' with algorithm  3 returned error

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056]     0/C000005E There are currently no logon servers available to service the logon request.

[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][  6056] Getting kerberos ticket for 'HTTP/ssodev@domain.companyresource.local' failed (user name is sap.helpdesk4@domain.companyresource.local)

[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][  6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service

[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][  6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service

[2014.04.23 14:28:38.171][TRACE][sbus.exe            ][sbusslogin.d][  6056] { CSecureLogin_Protocol_2_0::Send_DeleteSession

Anyone suggest us to fix this issue.

Regards,

Yogesh Kumar D

Hi all,

I'am working on implementation of SSO with SAP Portal EP and SAP Logon Tickets.

We can call a TCODE from the portal and then access to another JAVA apps without login again

My question is, is there a way to call a tcode SAP from the Java apps (on websphere) without passing through the EP Portal ?

Thanks a lot for your answers

Regards

Bertrand