Hi,
We are not able to download the NW SSO 2.0 DVDs. For our SMP login, the download link is not available. Please guide me on how to proceed.
Thanks
Balaji
Hello Experts,
I am trying to get SNC (SSO) on the SAPGUI working after migrating from Windows 2008 / Oracle to Linux RHEL 6.4 / Sybase.
Currently we are testing on the target LINUX [RHEL 6.4 ] server, against a Windows AD domain.
I was following the realtech document and it was a very good starting point.
The OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack no longer authenticates via SSO.
Kinit works fine with the Linux server getting authenticated at the Windows AD [via root]
[root@orsapbisbx01 ~]# kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_0
Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5
[root@orsapbisbx01 ~]#
Kinit via sbadm
--------------------------
orsapbisbx01:sbqadm 51> kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_500
Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5
Klist shows us the ticket [ both via root / sbqadm]
--------------------------------------------------------------------------------
orsapbisbx01:sbqadm 54> klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Valid starting Expires Service principal
07/23/14 18:01:01 07/24/14 04:01:06 krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
renew until 07/30/14 18:01:01
orsapbisbx01:sbqadm 55
SNC is correctly initialized, as seen in the dev_w* traces
N SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N UserId="sbqadm" (500), envvar USER="sbqadm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.
N The SNC-Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=09h 30m 53s
M SNC (Secure Network Communication) enabled
A
On the Front end, I have done the below settings
In the SAPGUI
-----------------------
Under the SNC tab, the SNC name is as below
SNC Name: p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
On the SAP server, the SNC name is typed as below under the SNC tab of user account properties?
On the front end system
-------------------------------------
I'm using the "gsskrb5.dll" library, which I moved into the directory %windir%\system32
After that I had to add the system variable SNC_LIB with the value "gsskrb5.dll". I tried both manually as well as via the installer from SAP Note 595341 alternatively.
In spite of all these settings, the ABAP stack doesn't authenticate the users. All I get is a funny error popup "SAP System Message: S".
The corresponding errors are noticed in the ABAP stack dev_w* work process traces.
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3364]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): No key table entry found for SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]
M {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 1040]
M {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0
Additionally, I have verified using Kerbtray.exe on the frontend that the Kerberos ticket on the Linux server is also received at the front end.
Ticket
-->krbtgt/<MYDOMAIN.COM>
|
-->Service Principal [krbtgt/<MYDOMAIN.COM>@MYDOMAIN.COM
Service Name krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
Target Name krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
Is there something wrong with my configuration? I feel the issue is at the front end. Do I need to change my snc/gssapi_lib library [as we are on RHEL 6.4], since we are using /usr/lib64/snckrb5.so, which was compiled for Linux from the SNC adapter downloaded from SCN?
Any help will be greatly appreciated, as we have started going in circles after nearly 2 weeks of configuration.
Regards
Prashant Vijaydas
Hi All,
Problems:
We have SAP Screen Personas, a UI product based on WebGui (ITS), installed on our internal box.
Presently, we have to enter username and password every time we open SAP Screen Personas, and since there will be another logon at the backend, there will be another entering of username and password.
Requirements:
We hope that, instead of entering username and password, we could log on using SAP security logon client and SSO for later logon.
The present landscape:
We have a NetWeaver ABAP server 7.41 installed (no Java),
no HTTPS connections activated
no other security settings made till now
Could you please tell me a configuration path to meet our requirements?
thanks,
Torren
Hi,
We have a scenario where users connect to the office network through VPN and access SSO. When users connect through VPN, they are not able to log in to SLC and hence do not receive the X.509 user certificate. It shows the following error when they try to log in to SLC.
"There are currently no logon servers available to service the logon request"
But the same SLC is working when users connect directly (e.g. LAN or Wi-Fi) to the network.
We have enabled the Secure Login Client trace and found the below errors in the trace when the user is connected through VPN.
SLC trace file
[2014.04.23 14:23:24.531][ERROR][sbus.exe ][BASE ][ 6060] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' failed (user name is sap.helpdesk4@domain.companyresource.local)
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev@domain.companyresource.local' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev@domain.companyresource.local' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev@domain.companyresource.local' failed (user name is sap.helpdesk4@domain.companyresource.local)
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
[2014.04.23 14:28:38.171][TRACE][sbus.exe ][sbusslogin.d][ 6056] { CSecureLogin_Protocol_2_0::Send_DeleteSession
Can anyone suggest how to fix this issue?
Regards,
Yogesh Kumar D
Hi Experts,
Is Multi-Factor Authentication (MFA) supported by NW SSO?
What I've read is that the Secure Login Server has a SecureLoginModule20RADIUS module which can be used to integrate with the RSA Server.
My query is
Thanks!
Hi All,
We have a customer here who is planning to implement SAP Screen Personas, which is a UI product based on SAP WebGUI technology.
However, they have concerns about enabling Personas for Single-Sign-On.
Since I have very limited knowledge of Single-Sign-On, I refer to you for help.
The customer decided to install Personas on the same system, same client as where ERP is located.
The customer is now using Portal, and they would like to embed Personas into Portal, so they want to use Portal as an entry point for logon.
So finally, here is the requirement: how to do SSO for Personas which is incorporated into Portal.
I would be grateful if anyone could give the configuration path or any documents or hints.
thanks,
Torren
Dear Sirs,
Is it possible to use NetWeaver SSO for BO BI 4.1 authorization?
Has anyone implemented something like this?
Best regards,
Alexet Lugovskoy
Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment.
Hi All,
Can somebody help me with the question below?
After renewal of SNC certificates, do we really require a restart of SAP (CI & App servers), or is there any other way via online activity by which we can do this without restarting (no downtime)?
Thanks
Raj
Hi Experts,
I have a SAML issue and wonder if someone can give me some hints.
Suppose we have two services (app1 and app2) running on the same ABAP server. App1 is a standard app and linked to IdP1 for authentication. App2 has higher security requirements and must connect to IdP2. The authentication result of IdP1 shall not be accepted by App2.
I understand I should create an SP on ABAP and trust two IdPs. But what should I do to separate the authentication for these two apps?
Best Regards
Jack Xiong
Hi All,
I am trying to Schedule with SAP BusinessObjects Analysis, edition for Microsoft Office.
Environment:
SAP BI NW 7.4, SAP BusinessObjects Enterprise XI 4.0, Windows, MS SQL.
Steps Taken:
I have configured SSO ABAP in my BI system, which is working fine. I then followed all the steps in this link:
to set up SSO for BOBJ.
Steps taken:
Installed Add-Ins per: http://www.mastering-sap-and-businessobjects.com/scheduling-with-sap-businessobjects-analysis-edition-for-microsoft-offi…
Generate keystore and certificate for SAP BO BI4.0
Import SAP BO BI4.0 certificate into SAP BW
Setup of SAP SSO Service in SAP BO BI4.0 CMC
Setup of SSO against SAP BW for SAP BO BI4.0 BICS or JCO connections
Result:
When I schedule an Analysis Workbook Document, it fails with:
Any ideas would be appreciated.
Thanks,
Diana
Hi All,
I'm new to SAP single sign-on.
I need to enable an SNC connection from my system to SAP and I have followed the below URL
https://websmp101.sap-ag.de/~sapidb/011000358700001270931999E/SNCHBEN.PDF
It's a bit confusing, so please let me know all the steps I need to follow to create an SNC connection.
Regards,
Lokeswar Reddy Byni.
BPC/EPM reports are published to BOBI 4.1 through the EPM Connection Manager plug-in. Now we would like to host the BPC/EPM reports on the SAP Enterprise Portal and utilize single sign-on (SSO) to open the BPC/EPM reports. How is the SSO set up?
Hi All,
This is my first post in SCN.
I am testing SAP Personas at the moment. I am trying to mix it with SAML2 authentication for user access. What I would like to do is to force some transactions or systems in the URL based on parameters like "fullscreen=true&system=53E4981169A546A".
However, whenever the user first logs on using SAML2, those parameters get lost. Is it something anyone has ever experienced? I can't manage to figure out where the setup is for correctly forwarding those URL parameters.
Regards,
Aymeric
Hi experts,
Currently, we are implementing SAML2 and we have an issue uploading the metadata.xml within the SAML2 trusted provider tab. I tried to upload the metadata.xml file of the identity provider on the service provider side. After clicking upload, the field becomes empty and nothing happens. Also no error.
SAP Note 1791729 - FileUpload error: "Error when uploading; the file name is invalid or the file is too large" was already implemented.
System data:
SAP_BASIS 730 0009
SAP_ABA 730 0009
PI_BASIS 730 0009
ST-PI 2008_1_710 0006
BI_CONT 737 0004
SAP_BW 730 0009
ST-A/PI 01Q_710 0000
Thanks!
Sandro
Hi,
I need to set up an SSO landscape for a HANA Mobile Application, i.e. I need to configure the SSO setup for the HANA Mobile Application such that the end user need not log in multiple times once he/she is within the application. I have referred to a couple of documents w.r.t. HCP and SUP, but I am still not able to get the overall picture regarding the end-to-end steps a User/Administrator has to perform such that the SSO for the HANA application is configured.
Can someone refer me to a guide which explains the end-to-end steps, starting from the configuration steps at the mobile application level and on to the HCP server and so on, detailing the complete setup?
Regards
Priya Murthi
Hi Experts,
This is happening post upgrade of the system from 7.0 to 7.31. We are using SSO to connect to ECC (back-end system) in two ways: Logon Ticket and User-Mapping.
Issue:
When we click on a tab, let's say "A tab / User Administration Tab", which uses User-Mapping to communicate with the back-end system, and then click on another tab, say "B tab / Content Administration Tab" in the portal, which uses Logon Ticket to communicate with the back-end system.
When both the tabs are clicked one after the other the SSO communication should be different, but in our case it uses the same SSO communication for all the back-end communication, which does not delete the cookies / uses the different SSO mode of communication when clicked on the other tabs.
Kindly help to solve this issue.
Thanks,
Preetha Balan
Scenario:
NW 7.4 Sp7
Forum component installed
Portal is configured with SPNego logon.
User is automatically logged on to portal when using https://server:port/irj/portal
Using Forum embedded works.
Using https://server:port/forum url does not log on user automatically.
Starting portal first (to be logged on) and then launch the forum also works since the ticket is present in the browser.
What have I foreseen? I have tried to search guidelines, installation instructions etc. I do not find any instructions to activate any SSO parameters.
I assume there is a setting in NWA on the forum application that we have not configured. But what and where?
Question
What shall I do to activate SSO for the "standalone" UI?
User shall be able to launch forum without opening portal.
/fredrik
Hello everybody,
Due to SAP Note 1975482 it should be possible on SAP NetWeaver Single Sign-On 2.0 Support Package 03 to use Certificate Revocation Check (CommonCryptoLib) on the backend side. So I've configured all relevant XML parameters for CommonCryptoLib (SAP Note 1996839) on a specific SAP test system. For example, I set revocation check (revCheck = yes) and set the specific path for the CRL Cache Directory where the latest Certificate Revocation Lists (CRLs) from the Intermediate CAs are stored.
After configuration I tested PKI login on SAP GUI / SAP test system with a locked PKI certificate which is listed in the CRL, but I get access to the SAP system, so it didn't check against the CRL / CommonCryptoLib on the backend side. Did I forget a configuration task?
I also found SAP documentation on configuring certificate revocation on SAP systems with transaction STRUST, but from my point of view this is an alternative way to Certificate Revocation Check (CommonCryptoLib) on the backend side, or am I wrong? Could anyone help me?
Thank you very much.