Channel: SCN : All Content - SAP Single Sign-On

SAP Single Sign-On Product Overview


Secure Login Client - Kerberos Token disappeared


Dear Colleagues,

We are using Secure Login Kerberos Token for our SSO in the SAP GUI. SAP GUI Version is 7.30 Patch 5 and Secure Login is Version 2, Support Package 3, Patch level 2.

In rare cases end users are not able to log in via SSO. When we check the PC and open SAP Secure Login Client we detect that there is no Kerberos Token to select. At the moment our solution is to reinstall the whole SAP Secure Login Client with the SAP GUI for the user.

We are not sure why a Kerberos token would suddenly not be available in the SAP Secure Login Client. Any idea in which area to look?

Regards,

Alexander

SSO via Apache Reverse Proxy


Hello,

 

We are trying to implement NW Single Sign-On for our SAP systems.

We are also using Apache Reverse Proxy for our systems.

 

Some info for implementation;

All Users' Domain : mycomp.com.tr

SL Server FQDN   : nwsso.mycomp.com.tr

Apache Proxy DNS for SLServer : sso.mycomp.com

SPNEGO User : SL-JAVA-SSO (SPNs: HTTP/nwsso.mycomp.com.tr, HTTP/sso.mycomp.com)

SLA Console URL : https://sso.mycomp.com/slac

 

We are using portal.mycomp.com, bo.mycomp.com, erp.mycomp.com DNSs to reach SAP systems through Apache.

All systems are members of the "mycomp.com.tr" domain and all users are members of the same domain.

 

My question is:

 

Is it possible to implement SSO when we are using "*.mycomp.com" for URLs although our domain is "mycomp.com.tr"?

And if yes how?

 

Can you help, please?


Thanks and Regards,

Yuksel AKCINAR

Secure Login Server and SSL Certificates


Dear All,

 

I am trying to use an SSL certificate created in Secure Login Server (SSO 2.0) for an ABAP system.

I have exported the certificate as a PSE file and imported the certificate into the Server SSL node.

 

I noticed that the issuer will be removed as soon as I save the certificate into the SSL node.

I have done the same in an AS Java system and here all worked fine.

 

I know I need a third party PKI but can this not be achieved by the SSO 2.0 product?

 

Regards,

Ridouan

SAP SSO using Kerberos constrained delegation


We are getting SSO error Miscellaneous failure GSS-API(min) Kerberos SSPI not usable with this User-account Stop! initial call to gss_indicate_mechs() failed Time.

 

We have mapped our SAP service user to the SPN, and when we select the option in AD to delegate authority to any application it works, but when we select delegation to a particular SPN it gives the above error.

 

Anyone suggest?

SAP GUI SSO with MSADS


Hi,

We have ECC 6.0 on NW 7.31 on Linux platform. End users use Windows 7 and SAP GUI to log in to ECC. At present users log into their desktops and then again log in to SAP through GUI using their respective passwords.

I am looking for some solution to configure SSO on SAP GUI with MSADS, so that once the user logs on to the desktop, he does not have to re-authenticate on SAP GUI to connect to ECC. I want some solution where we don't have to install any tool/library on the user desktop and there is a minimum footprint on user machines.

I heard that NW 7.31 SP-15, SAP GUI can have SSO with MSADS using SPNEGO etc.

Please suggest some solution.

 

Thanks

Vik

SAP Netweaver SSO 2.0 - keytab lifetime


Hi,

 

just a short question.

 

Do we need to update the keytab file ( SAPSNCSKERB.pse ) with ( crontab )

 

../SLL/sapgenpse keytab -p SAPSNCSKERB.pse -a USER@DOMAIN.ORG -nopsegen -y " "

 

like we have to do it in the old SNC connection method ( kinit -k planned in the crontab ) ? or is it enough to build the pse one time.

 

 

Are there tickets that will expire ?

 

 

 

sapgenpse keytab -p SAPSNCSKERB.pse -nopsegen

 

#############################################################################

License Disclaimer SAP NetWeaver Single Sign-On

You are about to configure trust for single sign-on or SNC Client Encryption.

Please note that for single sign-on you require a license for

SAP NetWeaver Single Sign-On.

As exception, the usage of SNC Client Encryption only without SSO is free

as described in SAP Note 1643878.

#############################################################################

 

keytab: Found keyTab entries in PSE.

keytab: KeyTab content stored:

 

    Version  Time stamp                 KeyType   Kerberos name

 

          1  Fri Dec 12 09:43:16 2014   DES       USER@DOMAIN.ORG

          1  Fri Dec 12 09:43:16 2014   AES128    USER@DOMAIN.ORG

          1  Fri Dec 12 09:43:16 2014   AES256    USER@DOMAIN.ORG

          1  Fri Dec 12 09:43:16 2014   RC4       USER@DOMAIN.ORG

 

 

greetings

 

Oliver

SSO based on Kerberos Token


Hi All,

 

I have configured an ABAP system to re-use my Windows authentication.

My system is starting fine but SAPGUI is giving me the following issue:

 

[Screenshot: Screen Shot 2014-11-30 at 23.02.24.png]

Any clues?

 

Thanks very much.

 

Regards,

Ridouan


(Kerberos Authentication) Windows AD id and SAP GUI id's are different


Hi All,

 

We are planning to implement Kerberos authentication using our Windows AD. I have the below queries regarding the same.

 

1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31. Will this support Kerberos authentication?

2. If it is supported, we have different user IDs in Windows AD and ECC for the same user. Will this be supported? (For example, in Windows AD we have SSOTEST; the same user has TESTSSO in ERP.)

3. Does Kerberos authentication require a separate license?

 

If possible provide links for the same.

 

Regards,

Sree

SAP GUI authentication through MSAD (LDAP)


Hi,

How do I achieve user authentication on SAP GUI through MSAD (LDAP)? Please note, I do not want Single Sign On (SSO). I want the following:

1. User logs in to Windows 7/MAC desktop authenticated from Microsoft Active Directory account

2. User opens SAP GUI client and logs on to ECC instance once again using the user/ID password of corporate active directory.

 

I do not want SSO where the user clicks on the SAP GUI connection and it automatically connects to the instance without asking for user credentials.

 

Please let me know how I could achieve this.

 

 

Thanks

Vik

A221021F Server refuses certificate based key exchange.


Dear All,

 

We have implemented SSO; almost every user is connected without problem. Only 3 users are having the below error when logging in.

[Screenshots: 1.png, 2.png]

 

Can you please let me know what the problem would be and how to solve the issue?

 

Regards,

Phani

Getting error when connecting SAP from WCF service "Kerberos SSPI not usable with this User account"

PI Java only 7.4 SSO to Solman 7.1 for CTS browser


In PI 7.4 Java only - via ESR -> open CTS transport browser I receive the logon popup for our Solman system (for charm). I am trying to implement SSO.

 

I have exported the SAPLogonTicketKeypair-cert (from PI NWA Keystorage) and imported in Solman (7.1 SP11) client 000. I have exported the Solman x.509 crt and imported into PI Ticketkeystore.

 

I still get the popup to supply login details. My id exists in both systems.

 

Has anyone done and can share details? Not sure what I missed. ..thanks in advance.

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to log in via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME.)

 

But we have 4 domains in a forest. So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

Cross-domain authentication using SPNEGO


Hi Experts,

 

Consider this scenario.

 

Case 1:

There are 2 domains (forests), Domain A and Domain B.

SAP users are located in Domain A, while AS-JAVA server is located in Domain B.

There is a One Way Forest Trust (OWFT) between Domain A and Domain B, in which Domain A is the trusted domain, while Domain B is the trusting domain.

AS-JAVA is using Active Directory (Domain B) as the UME data source.

We run ‘setspn’ in Domain B for the AS-JAVA resource.

We create the Kerberos Realm in AS-JAVA for Domain B.

Would this SSO configuration work?

In this scenario, what would be the KPN (principal@REALM) of the user? Is it principal@DomainA or principal@DomainB?



Another side question I have:

When configuring SPNEGO authentication, is there a step where we need to connect from AS-JAVA to the LDAP (AD) server?

Can this connection be secured using LDAPS on port 636/tcp?



Thanks in advance.


Best Regards.


SAP Single Sign-On: Overview Presentation


This presentation introduces the SAP portfolio for compliant identity and access management. The SAP Single Sign-On solution and its benefits are explained in detail. Various scenarios covered by the solution are outlined. In addition, recommendations and best practices for your single sign-on project are provided.


sso-saml logout issue


Hi Experts,

 

We have configured SSO-SAML between Oracle WebCenter Portal and SAP ABAP. The OWC portal (IdP) will initiate the SAML request to SAP (SP) and we used Email-id as an identity federation.

 

 

Previously, when the OWC portal initiated the SAML request, we faced a relay state error while logging into SAP. So in the Service Provider ACS, we have mentioned the webgui services as a default application path and it started working, and we are able to access the SAP system through SAP GUI for HTML (webgui) from OWC.

 

But when we are logging off from SAP, only SAP is logged off but the SAML session is not logged off. I mean the OWC portal is not logged off.

 

 

 

Please guide me on what we need to do in SLO to log off the entire SAML session, and whether there is any option to provide our own URL to redirect to a logout page, or what else we need to do.

 

 

 

Thanks in Advance,

 

 

Regards,

Lakshmanan V


spnego for sso for NWBC for HTML. Is client software required?


Hi gurus,

We bought the SAP Netweaver Single Sign-On license so we can perform single sign on in NWBC for HTML.  Per the NW SSO implementation guide, I put the login library on the ABAP server, set the appropriate parameters, and am configuring transaction spnego in the ABAP system.  What steps do I follow once that is done so that users won't have to enter a password in NWBC for HTML?  Is the SecureLogin client or SecureLogin Server required for this scenario?  Since spnego is available for ABAP, can I assume it is like spnego for Java where the functionality provided by the Internet Explorer client is enough and I don't need any other software?

 

Warm regards, CM

Secure Login Client does not bring SL Server Certificate


Hello,

 

We want to implement NW Single Sign-On for our SAP systems. We have done the implementations as follows; (with the help of Implementation Guide and http://scn.sap.com/docs/DOC-40179 Implementing Single Sign-On with X.509 Certificates)

 

Secure Login Server

  • We installed NW 7.4 and Secure Login Server 2.0 SP4
  • Configured UME for MS AD
  • Initialized the Secure Login Server
  • Activated SSL
  • Activated SPNEGO
  • Configured Apache Reverse Proxy

 

Secure Login Client

  • Imported Root CA to client
  • Applied Policy Registry files (ProfileDownloadPolicy_xxx.reg)
  • Installed SL Client
  • Inserted “ShowUserPoliciesPage” with the value 1 in the registry path

 

System Info is as follows;

SL Server FQDN          : mycmnwsso.mycmp.com.tr

SPNEGO User              : SL-JAVA-SSO (SPNs: HTTP/mycmnwsso.mycmp.com.tr, HTTP/sso.mycmp.com)

SLA Console URL        : https://sso.mycmp.com/slac           

Enroll URL                    : https://sso.mycmp.com:443/SecureLoginServer/slc/getProfiles?grouppolicy...

 

I log in to one of the clients with a domain user. I do not see the SL Server Root Certificate on the SL Client. I opened the trace. There is a “[2014.12.03 17:08:50.754000][WARN ][sbus.exe            ][LOADER      ][ 6300] ERROR(0xA0800200) in sec_get_SEC_DLL: Failed to load library sbusslogin” error.

 

Why can I not get the SL Certificate on the SL Client?

Although I entered the ShowUserPoliciesPage registry entry, I cannot see the Profile tab page in the SL Client Tool.

 

Any recommendation about the issue?

 

Can you help, please?

 

Thanks and Regards,

Yuksel AKCINAR

Alternative Name DN Feature for ICM (X.509 SSO for ABAP WebAS)


Hi Experts,

 

happy new year! I have a customer using X.509 based SNC for SAP GUI with configured alt. name DN feature (gss.xml) so the SAP CommonCrypto Library or the Secure Login Library uses the E-mail address instead of the subject DN.

 

On this system my customer now wants to enable SSO for ICM based web applications. He doesn't want to use X.509 as he doesn't see any chance to configure an alternate name mapping as for SNC, so he tried with Kerberos/SPNEGO for ICM. The SPNEGO uses the SNC Name mapping from USRACL (pname) equal to the E-mail address.

 

Is there any way to solve this? Currently the only way I see is to recommend to the customer using SPNEGO (on this system) for SAP GUI (SNC) AND ICM/web.

 

Thanks.

Carsten
