Channel: SCN : All Content - SAP Single Sign-On

Connection with SNC not working (SSO 2.0)


Dear Community,

 

We've been working for many years with SSO on ABAP working fine using library gx64krb5.dll.

Since we upgraded to EHP7 for SAP ERP 6.0 (Stack 04) we would like to take the opportunity to also connect in SSO on ABAP web and JAVA.

I have followed the implementation for SPNEGO on ABAP side on our SandBox as described in the videos http://scn.sap.com/docs/DOC-40178 but with only half success.

The good news is that the ABAP stack starts well, no shouting.

So we went from

snc/gssapi_lib = $(DIR_EXECUTABLE)\gx64krb5.dll

snc/identity/as = p:SAPServiceSBX@MYCOMPANY.NET

to

snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

snc/identity/as = p:SAPServiceSBX

(I replaced my company name with MYCOMPANY.NET)

 

The SAP GUI can connect without SNC

The bad news is that the SAP GUI does connect in SNC. The SNC filled up my previous connections automatically with p:CN=SAPServiceSBX.

But I am getting the following error message attached.

Can somebody help please ?


SSO between SAP NWBC and Successfactors


Hi All,

 

The customer wants to configure SSO between SAP HCM and SuccessFactors. The client doesn't have NetWeaver Portal; ESS is in the NWBC HTML client. Can anyone help me with the process to configure SSO between HCM NWBC and SuccessFactors?

 

I have gone through the documents in SCN, but all of them refer to NetWeaver Portal and SuccessFactors; I could not find info on NWBC and SF integration. It would be a great help if you could provide the process.

 

Regards,

Chandra

configure SAP Screen Personas for SSO


Hi All,

 

Problems:

We have SAP Screen Personas, a UI product based on WebGui (ITS), installed on our internal box.

Presently, we have to enter a username and password every time we open SAP Screen Personas, and since there will be another logon at the backend, the username and password have to be entered again.

 

Requirements:

We hope that, instead of entering a username and password, we could log on using the SAP Secure Login Client and use SSO for later logons.

 

 

the present landscape:

we have a netweaver  ABAP server 7.41 installed (no java),

no https connections activated

no other security settings made till now

 

 

Could you please tell me a configuration path to meet our requirements?

 

thanks,

Torren

Assistance with SingleSignOn for BusinessObjects BI Platform 4.0



I am working on setting up SSO for BO4.0 in the following environment:

Windows 2008 Server

Apache Tomcat 7.0

BusinessObjects BI Platform 4.0

 

The instructions from http://scn.sap.com/docs-DOC-26314 have been followed along with the instructions at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4 AND Steve Fredell's document referenced at http://alteksolutions.com/sp/index.php/2012/02/active-directory-andsso-bi4/.

 

I receive an error when testing the manual logon to the BI Launchpad (step 8 on the first two documents, section 6 of the S. Fredell document).  When trying to navigate to the BI Launchpad, the logon page displays but it automatically displays the error:

 

Account Information Note Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a vald mapped group and try again.  If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006).

 

And, I do not get a 'commit succeeded' entry in the tomcat7-stdout log.  Instead, I get:

 

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

                    [Krb5LoginModule] user entered username:  @ABC.ABC

                    [Krb5LoginModule] authentication failed Generic error (description in e-text) (60)

 

(NOTE:  ABC.ABC is in place of the actual domain info.)

 

However, it will allow me to manually type in my AD credentials.  Once I do this, even though I got the FWM 0006 error, then I get the 'commit succeeded' entry in the tomcat7-stdout log file.

 

I have also tried continuing on with the instruction with step 9, however, I continue to get the FWM 00006 error on the BI Launchpad logon screen and I do not get the 'credentials obtained' in the stdout log file.  At this point after implementing the items in step 9, since the Tomcat (java tab) now knows the service account password, it should log me on automatically and it does not.  I can't help but think it is related back to the FWM 00006 error.

 

I, along with coworkers, have checked the syntax of the krb5.ini, bscLogin.conf, and global.properties files and all are good.  The SPNs on the AD service account also appear to be good.

 

Any suggestions or recommendations?  I'm under a time crunch, so if I can't get this working, I may be looking at a SiteMinder solution for SSO in BO.

 

Thanks!

How to default a trusted SAML 2.0 identity provider


Is there a way to default a trusted SAML 2.0 identity provider so that users are not presented with the initial screen where they are forced to choose a (the only) provider and click continue?

Steps required to change password of SPN account supporting NW SSO Client solution?



Hello Experts,

We are using SAP NetWeaver Single Sign-On to enable SAP GUI SSO.  Our configuration uses Kerberos integration (SAP GUI for Window, Secure network communications - SNC).

 

I've been asked to change the password of the Kerberos service account as part of a yearly security task, but it is not clear what steps are needed to ensure Kerberos authentication is not interrupted.

 

Certainly I can change the pwd for the SPN account in Windows but I am not clear on what steps need to be taken on the SAP side to maintain the Kerberos authentication.  From what I have read, a new keytab needs to be created but how exactly is this done?  I also read there is a command line utility SAPGENPSE that is used to generate PSE file and Kerberos keytab when initially configuring the setup.  Would this be used again to generate a new keytab file?  Is there any other method that can be accessed from SAPGUI instead of a command line utility program?

 

Would very much appreciate your help to get a clear picture of the steps required to successfully update the SPN account password.

 

Regards,

Stephen Brewer

HANA to ECC SSO Configuration


Hi Experts,

 

We have a SAP HANA XS Application which has a drill down link to an ECC Web Application. When this link is clicked the User is prompted for the Login Screen by the ECC System.

 

The requirement is to have SSO configured for this ECC System such that if the user is coming from HANA XS Application, then the user should be automatically logged in with the required user into the ECC system.

 

Is there a way that this can be achieved?

 

--

Thanks and Regards,

Shreepad Patil

Single Sign-On Not Working


Today I updated my GUI installation from GUI730 to GUI740 with NWBC5.0 and afterwards the SSO is not working anymore.

 

Is there another update that is required to make in order for this functionality to work?

 

Thanks in advance.


How to replace X509 by SAML2



Hello,

As of today we are connecting to the CRM 7.0 system using an X509 certificate, and assuming all is done properly, the user can log in without having to enter any credentials.

In the near future we want to basically replace X509 by a SAML2 authentication process.

In order to achieve this we have configured a trusted provider (type Identity provider) in the SAML2 tcode.

 

 

 

It seems to work fine for the SAML2 process (a colleague traced the process) BUT the user is still getting a prompt to confirm usage of the X509 certificate.

 

In addition, if the user doesn't want to use the certificate (= clicks "Cancel"), a long chain of Windows security popups starts:

the server ... at SAP NetWeaver Application Server [...] requires a username and password

At the end of that long chain of Windows security popups the SAP CRM NetWeaver Web AS logon page opens.

 

I tried to play with CRM_LOGON Service config but no effect.

 

What is missing between SAML2, which seems to return the token, and CRM NetWeaver not being able to get it (and thus prompting for credentials)?

 

thanks for your help

 

SSO between SAP Enterprise Portals to BO & SAP BO to BW SSO Configuration Document


Hello Friends,

 

This document follows, SSO between SAP Enterprise Portals to BO & SAP BO to BW SSO Configuration Document.

 

Agenda:-

1. Objective

2. Configure SSO in SAP Portal    

      2.1 BO System Creation in SAP Portal

     2.2 BO iView Creation.

3. SSO Set UP for BO 4.0 to BW

      3.1 Generate keystore and certificate for SAP BO BI4.0

                    3.1.1 Generate KeyStore

                    3.1.2 Generate certificate with keytool

      3.2 Import the BO certificate into BW

4. Setup SSO service in SAP BO BI 4.0 CMC

5. Set up SSO for Open Document

     5.1 SSO setup in BO server for open document

     5.2 Mount the BO iView in sap Portal

1. Objective

 

 

In BI 4.0 we don’t need to install the SAP integration kit separately. The integration kit is included by default in the BI4.0 installer.

Having enterprise-wide access to relevant business information from a standard enterprise portal allows customers to make better-informed decisions. Consolidating the infrastructure for application and BI content delivery leads to reduced cost and time savings.

Users can access the BW data in SAP Portal via SAP BO without entering secondary credentials, i.e. SSO is implemented between the servers below.

 

  • SAP portal to SAP BO server.
  • SAP BO to SAP BW server.
  • SAP Portal to SAP BW server (Applicable only FI)

2. Configure SSO in SAP Portal:

2.1      BO System Creation in SAP Portal

 

      a) Specify SAP Business Object property.

 

1.JPG

 

The domain name we need to specify in the BO system creation should match the below criteria.

 

If we need to perform SSO between EP to BO then the marked domain names should be the same word.

For Example :

 

BO URL : https://hostName:123/BOE

 

FS Portal URL : https://HostName:3456/irj/portal

 

Please note that the BO URL should be in sync with your portal URL

     (i.e. after the first dot, all the names should be in sync).

     Otherwise SSO will not work.

 

If the domain names are not valid, then  you will get the below alert.

Session Manager will not work. Please check DSM log for details

In this case SSO will not work.

 

b) Connector properties

2.JPG

c) User Management properties

3.JPG

  d) System Alias Properties

4.JPG

2.2      BO iView Creation.

The BO document viewer iView can be created from the SAP Business Objects document viewer template.

5.JPG

If the above template is not available in portal, then download the same from the BO server and deploy to the SAP Portal.

          PCD contents :  com.sap.businessobjects.iviews.templates.epa

6.JPG

 

In the BO iView, specify the document id, System Name.

7.JPG

Specify the Document ID from the BO report, which you can get from the CMC:

     Log in to the CMC.

     Navigate to the folder.

     Find the report.

     Right-click on the report ----> Properties.

     Get the Report ID (CUID).

8.JPG

3. SSO Set UP for BO 4.0 to BW:

 

3.1      Generate keystore and certificate for SAP BO BI4.0

 

  1. Login in to BO server.
  2. PKCSTool will be located under  “D:\ BOU \ SAP BusinessObjects \ SAP BusinessObjects Enterprise XI4.0 \ java \ lib” folder.

9.JPG

3.1.1 Generate KeyStore:

 

    Navigate to PKCSTool through command prompt.

10.JPG

Then enter the command as shown in the screenshot below.

CN = hostname of the BI  server (MWDT32.lta.gov.sg).

         

     Hrisdev is the aliasname

11.JPG

Once the key store is generated as per the below screen shot ,

then we have to generate the certificate.

 

 

 

 

3.1.2 Generate certificate with keytool:

     Enter the command which is specified in the screenshot.

     Then enter the password which we gave while running PKCSTool.jar.

12.JPG

13.JPG

3.2      Import the BO certificate into BW:

Step 1) Execute STRUSTSSO2 Tcode.

14.JPG

Step 2) Import cert.der file which is created in  BO server.

(D:\ BOU \ SAP BusinessObjects \ SAP BusinessObjects Enterprise XI4.0 \ java \ lib)

15.JPG

Step 3) Add the certificate to the ACL List.

Click Add button to certificate list.

Check certificate list which we have specified in BO certificate generation.

 

16.JPG

Step 4) Add certificate to ACL List.

Click button “Add to ACL” to add the certificate to the Access control List.

Enter System ID - This System ID will be used in BI4.0 CMC for setup of SAP SSO Service.

Enter Client - Client has to be 000.

Then Save All changes.

17.JPG

   

4. Setup SSO service in SAP BO BI 4.0 CMC

           Log in to the BO CMC as an administrator.

18.JPG

Go to Authentication -> SAP Setup Entitlement Systems

19.JPG

In the Entitlement System select the system Name.

Then enter the user name and password of the Enterprise user.

Then Enter BW server details click on new / update button.

20.JPG

In the options TAB check the Enable sap authentication check box.

21.JPG

Then import the keystore.p12 file which is generated by the keystore tool.

22.JPG

Then enter the keystore user ID and password.

In the System ID , enter the name which we have specified in the BW system as System Id while adding the certificate to ACL.

 

Setup Security Token Service:

The Security Token Service is running as part of Adaptive Processing Server (APS).

Go to CMC -> Servers and check if APS has Security Token Service.

 

23.JPG

If the Security service is not available , then stop APS and add Security Token service , then start APS.

24.JPG

5. Set up SSO for Open Document:

     5.1      SSO setup in BO server for open document:

With portal integration, SAP Business Objects allows you to integrate Business Intelligence (BI) content from Business Objects into the SAP NetWeaver Enterprise Portal.

25.JPG

Perform the setting as per below screen shots.

26.JPG

5.2      Mount the BO iView in sap Portal:

 

Once the BO document iviews are mounted in the portal role, then we can view the BI reports in sap portal.

 

27.JPG

 

Hope this is helpful !!!

 

Thank you,

 

Regards

Vijay kalluri

User Authentication -> Microsoft Azure Active Directory / FortiAuthenticator

SAP Single Sign-On help for different AD and SAP user


Hi Experts,

 

We have to implement SSO for one of our customers where we have ECC, EP, BI & GRC systems. They are looking to achieve this using

 

  • Kerberos with SNC for AS-ABAP
  • Kerberos with SPNEGO for AS-JAVA

 

Also the AD User and SAP User ID's are not the same.

 

So here are my queries:

 

1. As the users are not the same in SAP and AD,  I have to set the CN Name according to the AD User in SU01 of the respective SAP Id, but as I have around 1000 users is there any way that I can set it for all the users at one shot ?

 

2. One risk I could see is that if anyone who can edit the CN name of a SAP ID to his respective Kerberos Token ID, he would be able to access any user !!! so can this be avoided by any means ??

 

3. Are there any other disadvantages associated with the above approach with Kerberos for AS-ABAP and AS-JAVA and with different AD and SAP User ID's

 

 

Thanks in Advance !!!

 

Regards,

Srikanth G

SSO on HANA with Business-Object


Hello Everyone,

 

I am new to SSO Configuration So please guide for this Scenario.

 

I have an SAP HANA system as the source, with BO reporting on it. Now I want to implement SSO with Windows AD. As I have studied, SSO configuration is of 3 types:

 

Kerberos

SAML

X.509 client certificates


Do I have to implement one of these techniques? If yes, then:


1st. Which one will be better in my case?


2nd. Does this require any additional licensing?

 

Please provide information in detail.

I have already searched forum before posting this.

 

Regards,

Vaishali Wadhwa.

SAML 2.0 Multiple Authentication contexts


Hello,

 

I'm trying to set up a prototype for a SAML 2.0 scenario. The setup includes NW SSO as the SAML Identity Provider and a NW 7.4 Server as the Service Provider. One of the requirements is to have multi-factor authentication during the user authentication, which means that the basic password check must be followed by a one time password (OTP) check as well. For this OTP check, we have a specific login module which in a regular authentication (non SAML) scenario works fine as part of an authentication stack.

For the SAML 2.0 scenario, this OTP login module has been assigned to a custom authentication context on the IDP side. The SP's SAML policy has been configured to request this additional auth. context as well. During the SAML authentication, this OTP login module gets called, so that auth. context part of the set up looks correct.

The issue I'm facing is that there is no way to specify the flag for these login modules in the SAML 2.0 scenario, I'd like to set one to 'REQUIRED', and the other one to 'REQUISITE'. SAP NW SSO calls all login modules that are part of the requested authentication context with the 'SUFFICIENT' flag, if any of them is successful, the login will be allowed. So, if I specify a wrong password with a correct OTP, it will let me in or if I specify a correct password with no or incorrect OTP, it will let me in as well.

Class SAML2AuthnContextLoginModule does the processing of these authentication contexts but I don't see any way how it could be influenced to read the flags for those login modules from somewhere or to specify a stack for the contexts similar how the regular auth. stacks can be defined.

Has anybody faced the same issue or been able to resolve it? Any suggestion is welcome.

 

Thank you,

David
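
An added illustration, not part of David's post and not SAP code: a small Python model of the standard JAAS control-flag rules, showing why a stack where both modules are SUFFICIENT admits a user with only one valid factor, while REQUIRED plus REQUISITE demands both. The module names, demo secrets and the `evaluate` helper are constructed for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List

Credentials = Dict[str, str]

# Constructed demo secrets; a real login module would query a user store / OTP server.
DEMO_PASSWORD = "correct-horse"
DEMO_OTP = "492817"

def password_module(creds: Credentials) -> bool:
    return hmac.compare_digest(creds.get("password", ""), DEMO_PASSWORD)

def otp_module(creds: Credentials) -> bool:
    return hmac.compare_digest(creds.get("otp", ""), DEMO_OTP)

@dataclass(frozen=True)
class Entry:
    name: str
    flag: str  # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    check: Callable[[Credentials], bool]

def evaluate(stack: List[Entry], creds: Credentials) -> bool:
    """Apply standard JAAS control-flag semantics to a login module stack."""
    mandatory_failed = False   # a REQUIRED module has failed so far
    has_mandatory = False      # stack contains REQUIRED/REQUISITE entries
    any_success = False
    for entry in stack:
        ok = entry.check(creds)
        any_success = any_success or ok
        if entry.flag == "REQUIRED":
            has_mandatory = True
            mandatory_failed = mandatory_failed or not ok   # keep going either way
        elif entry.flag == "REQUISITE":
            has_mandatory = True
            if not ok:
                return False                                # fail immediately
        elif entry.flag == "SUFFICIENT":
            if ok and not mandatory_failed:
                return True                                 # short-circuit success
        elif entry.flag != "OPTIONAL":
            raise ValueError(f"unknown control flag: {entry.flag}")
    # With mandatory modules all of them must pass; otherwise one success is enough.
    return (not mandatory_failed) if has_mandatory else any_success

def build_stack(password_flag: str, otp_flag: str) -> List[Entry]:
    return [Entry("password", password_flag, password_module),
            Entry("otp", otp_flag, otp_module)]

# Constructed login attempts covering the cases described in the post.
ATTEMPTS: Dict[str, Credentials] = {
    "both correct": {"password": DEMO_PASSWORD, "otp": DEMO_OTP},
    "wrong password, correct OTP": {"password": "guess", "otp": DEMO_OTP},
    "correct password, wrong OTP": {"password": DEMO_PASSWORD, "otp": "000000"},
    "correct password, no OTP": {"password": DEMO_PASSWORD},
    "both wrong": {"password": "guess", "otp": "000000"},
}

def outcomes(stack: List[Entry]) -> Dict[str, bool]:
    return {label: evaluate(stack, creds) for label, creds in ATTEMPTS.items()}

if __name__ == "__main__":
    for title, stack in (("SUFFICIENT + SUFFICIENT", build_stack("SUFFICIENT", "SUFFICIENT")),
                         ("REQUIRED + REQUISITE", build_stack("REQUIRED", "REQUISITE"))):
        print(title)
        for label, allowed in outcomes(stack).items():
            print(f"  {label:30s} -> {'ALLOW' if allowed else 'DENY'}")
```

Running the same attempt table against a deployed stack is a quick regression check that a second factor is actually enforced rather than merely invoked.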

No user exists with SNC name


Hi,

We have configured SSO with Kerberos; while trying to log in we are getting the error below.

 

snc.png

 

Please advise.

 

 

Regards,

Sam


Secure Login Server and SHA256-based certificates


Hi guys,

 

can the SLS produce X.509 certificates that use SHA256 as their hash algorithm rather than SHA1 and/or MD5? During the certificate creation process (i.e. Create New Root CA) one can only specify the key length but not the hashing algorithm.

 

Thanks

Michael

SAP SSO using existing PKI (Microsoft Certificate Server)


Am looking to implement SAP SSO leveraging an existing PKI.  The PKI is a Microsoft Certificate Server.

SAP SSO would be used for SAP GUI for Windows, portal, NWBC.

According to the SSO install guide, it appears that the Secure Login Client is required but that the Secure Login Server is not required in this case of an existing MS Cert Server.  And the MS Cert Server could be used for x.509 certificates.

In looking through the install guide and blogs, I'm not seeing anything specific along these lines (install SSO w/MS Cert Server), would appreciate any direction towards existing document/blogs on how to do this.

Does anyone have any thoughts on this one?

thanks.

SAP NWSSO2.0 SP03 SPNEGO not working( No Webgui/NWBC or Portal )


Login testing the service WebGUi

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui –test the service

I get a prompt first for the AD user ID and password and then for the SAP user ID and password.

2. The same thing happens with NWBC and BW-Portal login: it prompts for the AD ID and then the SAP ID and password.

 

Whereas ABAP SSO works perfectly.

 

 

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

 

NWSSO Configuration Steps.

1.  Service User in the MSAD for AS-ABAP or AS-JAVA/Portal with following information

  • User ID: SAPService<SID>(existing individual<SID> Service user id)

  • Set the User cannot change the password

  • Set Password never expire

 

2.  Created SPN for this Service User

  • For ABAP -SAP/SAPService<SID>

  • Web (HTTP/ Hostname for ABAP apps server)

 

3.  Installed Secure Login Library on SAP Server

  •  Created a folder name (SLL)in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

   • Verified SLLibrary:(Version - 8.4.18.0)

(Starting with NW7.4 the sapcrypto library is delivered; check that the version is the same in the SLL directory and in the Kernel Dir.)

 

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com

   snc/enable  = 1

   snc/accept_insecure_cpic = 1

   snc/accept_insecure_rfc = 1

   snc/accept_insecure_gui = 1

   snc/data_protection/min = 3

   snc/data_protection/max = 3

   snc/data_protection/use = 3

   snc/permit_insecure_start = 1

   snc/r3int_rfc_qop = 8

   snc/r3int_rfc_secure = 0

   snc/force_login_screen = 0

   spnego/enable = 1

   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

 

5.  Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified 

        #sapgenpse seclogin -l -v

6.  Configured Credential file and verified

7.  Install Secure Login Client and defined SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configure User Mapping in SAP AS ABAP – SNC name – p:CN=<USERID>@MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10.     SPNEGO Configuration:

     a.  Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO

     b.  Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.

 

For WebGui all the required Service are activate and published via SICF and also per http://scn.sap.com/docs/DOC-29485

 

Created SAP Message and SAP also confirmed all your setting looks and Kerberos being case sensitive but since my ABAP SSO is working so that possibility is also ruled out.

 

Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get the WebGUI or NWBC resolved, which uses the SPNEGO configuration.

SAPGUI SSO with AD authentication - different domains


Hello,

 

How can we achieve SSO for SAPGUI with AD authentication when SAP system resides in a separate domain and end users are logging in from a different domain? I have read that in order to accomplish this, we need to setup trust between the two domains. However if setting up trust is not an option (due to security/various reasons), then is there any other workaround/option to accomplish single sign-on for SAPGUI? Does SAP provide any product to accomplish to achieve this? Or is there a 3rd party product that can provide this feature? I am looking more along the lines where SAP system is hosted in a cloud and the SAPGUI users need to use SSO to login into the system but without setting up trust between the domains.

 

Any help will be greatly appreciated.

 

Thanks

Sid

Success stories of NW single sign-on



Dear Experts,

We are planning to implement NW single sign-on 2 in our landscape.

Could you please share some success stories of this product?

 

Best Regards,

KK
