Overview

Scenario Description

My First Single Sign-On Project

In my opinion, every enterprise must have an Identity Management (IDM) system and a Single Sign-On (SSO) system.

These two are very important and critical for companies, since they are  increasing security and productivity while decreasing cost, downtime and repetitive tasks.

Let me give brief descriptions of IDM and SSO firstly.

Identity management (IDM) describes the management of individual principals, their authentication, authorization and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. SAP Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. SAP NW Sigle Sign-On also offers authenticating once and subsequently accessing SAP and non-SAP applications in a secure and user-friendly way.

Let me come to my project after brief introduction.

I am involved in an SSO project. This was my first Single Sign-On project implementation. Of course we had some difficulties about the project. But in the end we were happy what we have done so far in the project.

We benefited from below scn links. Thanks to the writers of the document and implementers of the videos. There are configurations for both 1.0 and 2.0 versions on both links.

Implementing Single Sign-On with X.509 Certificates

SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

Also many thanks to my colleague Zekeriya. He was the main implementer in the project.

We have all kinds of systems in our landscape. You can see the system landscape in below picture.

Configuration was done for all ABAP, Java and webgui systems. BO, non-SAP systems' configuration still continues.

Project Implementation Steps

We implemented Single Sign-On Project with the following implementation steps.

• NW 7.4 Java Installation
• Secure Login Server 2.0 SP4 Add-On Installation
• Secure Login Server Initialization
• SSL Activation on SL Server
• Secure Login Client Installation
• NW Java Configuration
• NW ABAP Configuration
• Configuration of Apachr Reverse Proxy
• BO System Configurations (Not implemented)
• Non-SAP System Configurations (Not implemented yet)

Customer Organization

• Presentations to explain the topic
• Pilot work with IT and Key Users
• Distribution of Secure Login Client
  • Install Server, create package
• Going Live
• Support

Diffficulties and Problems

As we know we can have problems during implementations and installations. Even when we have done it many times.

If you are doing the implementation for the first time, it is inevitable having difficulties and problems.

The major problem was about the Apache Reverse Proxy Server.

We built up the system and configured one of our java system (it was  Portal indeed). We looged on a host with a domain user and tried to login to portal using SSO. But it was still asking us user and password. We realized that proxy server was not transferring the certificates. After some googling and working with our proxy expert we changed settings in proxy configuration files and succeded transferring certificates.

Another issue was about Service Principle name. Since our AD Admin did not define service principle name correctly we lost some time to overcome the problem.

We faced problems when we were installing Secure Login Clients.

Solved problems using ShowUserPoliciesPage registry parameter. This parameter helped us to trace problems.

Also Secure Login Server Support must be selected when SL Client is installed.

Another problem or issue was BO SSO configuration for us. We investigated and rerad many documents for this issue.

And tried to configure BO SSO using x.509 certificates. Unfortunately BO system does not accept x.509 certificates yet. We learnt this ofter opening an OSS message. In our case AD SSO configuration does not help us since AD domain (*.mycompany.com.tr) and Apache Reverse Proxy domain (*.mycompany.com) was different.

One of the other issue was the videos we followed. Since they were for SSO version 1.0, the configuration steps were different for version 2.0. For example secure login console is changed from /secure login to /slac.

Regards,

Yuksel AKCINAR

hi All,

We have SSO 2.0 configured for ABAP and JAVA systems currently with SP4, and wanted to check what would be steps / any config changes to go to SP5 .

regards

Jonu Joy 

Dear Gurus

We are planning to use kerberos authentication SSO mechanism from Windows desktop where SAP gui (740) installed ,  to the SAP ERP servers ECC EHP7 installed on (PAS -HP-Ux) and all Apps on Linux server.

could you plsease shed some light on it. whether this solution is still acceptable,

is there any documentation for it.  and SSO2.0 reuires any license from SAP.

Thanks in advance

Hi.

I have read quite a lot of documentation regarding SAP SSO 2.0.

But, i am unable to find anything regarding availability etc.

Should the NW JAVA running secure login server be HA ?

What happens once we have integrated all our backend-systems and the SLS goes down ??

Will it only affect new users that have not logged on yet ?

BR Gerhard.

SSO friends,

We're currently in a TRIAL, testing NW SSO 2.0 SP04.

ECC 6.0 EHP6 ABAP AS w NW7.31 SP07

CRM 7.0 EHP2 ABAP AS w NW7.31 SP07

Pure JAVA AS w NW7.02 SP16

All 3 are AIX 6.1 with Kernel 7.21EXT #331

The 2 ABAP stacks have notes: 1832706 / 2010613 / 1819808

Following the GREAT Videos here: http://scn.sap.com/docs/DOC-40178

Our Windows7 PCs also have the corresponding SLC SP04, and a SAPGUI utilizing the changes needed for SNC.

SPnego for ABAP with SNC for SAPGUI is working.  No MAJOR problems there (yet).  We can reach and integrate the WEBGUI/NWBC/BSPs between the systems and not need a password once we log into AD.

But....we want to go to SP05!  Not a big deal in terms of pushing out a new SLC SP05 to the PCs..but what about the Secure Logon Library at the UNIX OS LEVEL??

I mean, my real question is....If I "un-SAR" the newest library into my /usr/sap/SID/INSTANCE/SLL directory, MUST I restart the SAP instance entirely in order to get the SP05 functionality/patch????

I hope that makes sense.  You guys are great, I have really enjoyed all the great information in the SSO space!!

--NICK

Configuring SAP Fiori Client for Single Sign-On with iOS SAP Authenticator

In his latest blog, Nikola Simeonov explains in detail how to enable mobile single sign-on for the SAP Fiori Client using one-time password authentication via the SAP Authenticator app. May 15, 2015

SP5 for SAP Single Sign-On 2.0 Now Available

SAP just released the latest support package for SAP Single Sign-On 2.0, including a number of enhancements in the areas of two-factor authentication, mobile single sign-on, and risk-based authentication. For more information and to download the new SP5, read Martina Kirschenmann’s blog. May 5, 2015

SNC Product Migration: Now is the Time

In the current version of SAP GUI and many RFC clients we have added a capability that significantly simplifies SNC product migration. In his latest blog, Christian Cohrs explains how to upgrade your landscape to SAP Single Sign-On step by step. April 20, 2015

My understanding is the accepting SAP Java AS will retrieve cookie information from MYSAPSSO2 and using the certificate from issuing system to authenticate the session.

My question is, is JSESSIONID and other HTTP information used together with MYSAPSSO2 information for session authentication?

What we've observed is, if we delete JSESSIONID from the client cookie, the session is invalid right away, although we don't touch any MYSAPOSS2 information.  -> But we're not sure whether this is a behavior of SAP NW Java AS or the IBM Tivoli SSO server which authenticates the access at the first place.

Also, if MYSAPSSO2 is the only information used for authentication, can the session be hijacked if this information is captured by other session?

We have a JAVA AS with two Java instances.

Also it uses Logon Ticket as authentication method. The SSO sever is IBM Tivoli which will does the user authentication.

My understanding is that the Java AS which receive the user ID in http header will generate logon ticket / cookie MYSAPSSO2 to the browser, so that next time request can go through without further authentication.

My question is, what might happen if this Java instance that the user is connecting to goes down? Will another Java instance be able to validate this cookie information or the user will be forced to log on again?

Gurus,

We have a trial license for NW SSO 2.0 SP05

We have these versions of SAP:

ECC 6.0 EHP6 ABAP AS w NW7.31 SP07

CRM 7.0 EHP2 ABAP AS w NW7.31 SP07

Pure JAVA AS w NW7.02 SP16

All 3 are AIX 6.1 with Kernel 7.21EXT #331

Our PCs are all Windows7 32-bit Enterprise SP1

We use IE10 browser

We use Microsoft AD to authenticate our PCs

Our AD login ID matches our SAP ID

I feel really good about having correctly setup SPnego for ABAP.  I think we followed all the steps very closely and correctly:

Not to go into too much detail, but I followed the videos, applied the notes:

1.  Install/config Secure Login Library for ABAP (at the AIX server/OS SAP level)

2.  Created our AD service user with the setSPN per the video

3. enabled all the SNC/SPnego stuff in RZ10

4. followed all the steps to gen the keytab and PIN, credV2..just like in the video

5. restarted the SAP instance

6. TCODE SPNEGO...added the entry to reflect our AD user / domain that matches our keytab command

7. Installed the secure logon client

8.  Rebooted the PC

9.  Edited SU01 for our users to add the SNC entry...matching the Kerberos ticket to their SU01...looks good

10. edited SAPGUI logon pad to use SNC

So Logon pad is great...SNC always works.

SPnego for ABAP works awesome in terms of getting me to WEBGUI via IE browser...as well as NWBC via IE browser.  No password.  SWEET!

But ICWEB...aka Interaction Center webclient is a whole other issue.

when I hit the URL:

I use our typical URL to get direct to our CRM QA instance of ICWEB:
http://ourSAPhostname:ourSAPICM-HTTPport/sap/crm_logon

And I get right to the part where I can select my business role.  And that is cool, because normally, before we did SSO, I would have been presented with a typical logon screen.

So I select my business role...just a custom role based off of an Utilities interaction center agent (since we are IS-U)

And them it hits me with a logon screen!

In case you can't read that , it says:

the server XXXX at SAP application server SID/CLIENT requires a username and password

Now, I can keep clicking "cancel" and get to the main screen, where I can work...but that isn't correct.  It should just let me in!

And I swear this was all working a few days ago!  But now I get this screen and so do all my other users who are testing.

This happens to all the folks, regardless of what PC they use, etc

Sounds crazy but this was working...and now I get this every time!

Help!  what do you guys think?

thanks!  NICK

All,

We have all the settings needed for SPnego on ABAP.  I don't want to go into them here, but as the discussion moves forward I can explain all that!

SOMETIMES.....SOMETIMES when trying to log in via NWBC / WEBGUI and CRM ICWEB, users are presented with login screens.

When NWBC/WEBGUI presents a login screen, it's the typical login screen you would see as if no SSO was setup.

And if I refresh the URL a few times, I will end up getting in without actually putting in any user/pass.

When they see the ICWEB login screen, it's really just a pop up in the browser.  Saying "Windows Security" (at the top) then, in the window, it says:

"The server myCRMhostname.MyDomain.com at SAP Netweaver Application server [SID/CLIENT] requires a username and password."

Then you see a box for the username/password.

Again, just hit 'cancel' a few times and you will get in....

Sooooo strange.  SSO will work great for all users across all PCs for a few hours at a time.  Then it will stop working and we'll get those errors I noted above.

I've done TONS of research on this.  I highly suspect our Microsoft AD network...KDC has a problem, but I know nothing about that side of the house.

There are a few notes out in SAP, and threads out of google searches that talk about the KDC, instead of sending a Kerberos token, will send something called a NTLM token.  And when that happens, you can't login.  But it all comes down to why/how the Kerberos KDC is sending that.

How do you prove / disprove that the KDC is sending a Kerberos token (or a NTLM token) from an SAP ABAP perspective?

Or how else could I effectively trouble-shoot this issue?

I really believe that NW SSO could be great for our environment, but because of all these moving parts it is proving very difficult to troubleshoot when it breaks.

Thanks

NICK

Hello Gurus,

We are running Netweaver Portal 7.3 and have SPNego configured for users inside the network. I know that this solution does not work for users out side network. We can use SAML but the issue is that even the SAML IDP will will need one time authentication.

Is there a way, for example to use some sorta system to issue certs(Like SAP Passport) to users that can be used to authenticate users to SAML IDP and then we can redirect SAML IDP to NW portal accepting the SAML cert.

Basically, we don't want even the external customers to enter ID and Password.

Any thoughts/ideas will be appreciated.

Thanks,

Karan

Overview

You can locally build an SAP Fiori Client plugin to work with Android SAP Authenticator by installing Apache Cordova. After this implementation, your users will be able to log on to SAP Fiori Client through single sign-on (SSO). For more information about the SSO configuration, see Setting Mobile Single Sign-On.

For this process, SAP Authenticator should use the URL for an identity provider (IdP) initiated SSO, starting with sapfioriclient:// scheme and containing j_username=[username]&j_passcode=[passcode] parameters, in order to launch a SAP Fiori Client build as described in this blog. The IdP should use TOTPLoginModule for authentication. For more information about the login module settings, see Configuring the Login Modules.

Scenario Description

The following scenario describes how a user accesses an SAP Fiori or AS ABAP application through mobile single sign-on. That means the user does not have to provide credentials to log on to the application from the mobile device.

1. SAP Authenticator sends a URL for IdP-initiated SSO to SAP Fiori Client.
   1. An employee chooses the SAP Fiori Client application from the SAP Authenticator’s list of favorite applications.

      Note: A user adds the application as favorite by activating mobile SSO and scanning a QR code.

   2. SAP Authenticator generates a passcode and sets the username and passcode in the URL.
   3. SAP Authenticator sends the URL to SAP Fiori Client.
   4. SAP Fiori Client processes the URL by setting its scheme.
2. SAP Fiori Client sends an authentication request containing the passcode and the user’s name, password or cookie.
3. The IdP processes the request and issues a SAML 2.0 assertion, which is sent back in the response to the SAP Fiori Client.
4. SAP Fiori Client redirects the SAML 2.0 assertion to the SAP Fiori or AS ABAP service provider and the user accesses the application.

• If you are using the AS ABAP service provider, see Mobile Single Sign-On for SAP Fiori.
• If you are using the SAP Fiori service provider, see Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet.

Prerequisites

• SAP Mobile Platform (SMP)
• Android 3.0 (API level 11)
• Apache Ant
• JDK
• Android SDK
• Eclipse plugins
• Git
• Node.js
• Apache Cordova

To fulfill these prerequisites, you should proceed as follows:

1. Install SAP Mobile Platform SDK.

   For more information about this installation, see Installation: SAP Mobile Platform SDK for Windows.

2. Download and extract a binary Apache Ant distribution.

   For more information, see Prerequisites at Setting Up the Development Environment.

3. Install Java JDK.

   For more information, see Setting Up the Development Environment.

4. Install Android SDK.

   For more information, see Setting Up the Development Environment.

   Make sure that in the Android SDK Manager you have installed the required packages listed in SDK Manager. In addition, if you are using a proxy server,configure HTTP proxy and port.

5. If you are using Eclipse, download and install the plugins.

   For more information, see Setting Up the Development Environment.

6. Install Git.

   For more information, see Installing Git at Setting Up the Development Environment.

7. Install Node.js v0.10.* and its package manager, npm, because it is necessary for the installation of Apache Cordova.

   For more information, see Node.js.

   CAUTION We recommend you install v0.10.25 node version because the latest version, v0.12.0, has incompatibility problems and may produce an error like the following: “…Request path contains unescaped characters…”

   CAUTION If you are using a proxy server, you must configure npm. For more information, see Setting Up the Development Environment.

8. Install Apache Cordova with the following command.

   npm install -g cordova@<version>

   CAUTION You have to install the Apache Cordova version according to the description inInstalling Apache Cordova with Node.js.You can check the available Apache Cordova version on your Windows OS with the following info command: npm info cordova.

9. Restart the command prompt and verify the Apache Cordova installation by entering the following command.

   cordova -v

Creating SAP Fiori Client with Apache Cordova

1. Modify C:\SAP\MobileSDK3\KapselSDK\apps\fiori_client\config.json file with the following code.

   {

       "packageName": "com.sap.fiori.client",

       "targetFolder": "FioriClient",

     "appName": "FioriClient",

     "platforms": ["android"],

     "crosswalkLocation" : "C:\\Crosswalk\\crosswalk cordova-10.39.235.15-arm\\bin"

   }

   Note: In the above example I use version 10.39.235.15 of Crosswalk Cordova. If you have installed another version, set the path with your correct bin directory location.

2. If necessary, install Crosswalk and plugman.

   As of SMP SDK 3.0 SP06, the Fiori Client on Android should use Crosswalk to render HTML pages rather than the Android WebView for improved performance. When Crosswalk is used, the platform must be Android only as plugman is used rather than the Cordova command-line interface (CLI) which can build cross-platform projects. For more information about the Crasswalk installation, see Cordova with Crosswalk. You install plugman with the npm install -g plugman command. For more information, see Installing Plugman.

3. Create a Cordova project containing Kapsel and Cordova plugins.

   Go to folder C:\SAP\MobileSDK3\KapselSDK\apps\fiori_client and run the following commands:

   npm install

   node create_fiori_client.js

   The create_fiori_client.js script creates the project.

4. Build and run the project.
   • If you are using Crosswalk, you can build and run the project with C:\SAP\MobileSDK3\KapselSDK\apps\fiori_client\FioriClient\cordova\run.bat.
   • If you are not using Crosswalk, but the standard WebView, copy the files to the platform directory by running cordova -d prepare and use the Android IDE to deploy and run the project.

Running SAP Fiori Client with Android SAP Authenticator

The Android SAP Authenticator is a mobile application installed on Android mobile devices. This application is used to generate passcodes for one-time password authentication. For more information, see SAP Authenticator Mobile Application.

1. Add a plugin to support a custom URL scheme.

   You need to add a specific plugin to your SAP Fiori Client project in order to handle the sapfioriclient URL scheme. You can use the following Apache Cordova plugin: http://plugins.telerik.com/plugin/custom-url-scheme.You can install the plugin according to the following conditions:

   • If Crosswalk is used, you install the plugin by using plugman.

     plugman install --platform android --project . --plugin https://github.com/Telerik-Verified-Plugins/Custom-URL-scheme --variable URL_SCHEME=sapfioriclient

   • If Crosswalk is not used, you install the plugin by using the command-line interface (CLI).

     cordova plugin add https://github.com/Telerik-Verified-Plugins/Custom-URL-scheme --variable URL_SCHEME=sapfioriclient

   As a result, a new folder with the plugin is created, which contains LaunchMyApp.js.

2. Add the following new method at the end of the LaunchMyApp.jsplugin file.

   function handleOpenURL(url) {     // wrapping in a little timeout, so it doesn't interfere with other apps’ setup     setTimeout(function() {             customScheme = "sapfioriclient";             sap.FioriClient.MobileSSO = url.replace(customScheme + "://", "https://");     }, 300); };

3. Update fioriclient.js to use the handled URL.

   The code to be added is marked in green.

   ... var goToFioriURL =  function(errorCallback) {           sap.FioriClient.getFioriURL(function (retrievedFioriURL) {               if (!context.smpRegContext){                   // If sap.FioriClient.context.smpRegContext is null,                   // don't allow the user to skip                   // the logon plugin by changing the URL.                   // sap.FioriClient.context.smpRegContext will be set                   //once logon is successful.                   // Once logon completes and the app navigates to the URL,                   //sap.FioriClient.context.smpRegContext will                   // be undefined, so it will pass this test.                   return;               }                             if (!isUrl(retrievedFioriURL)) {                   errorCallback();                   return;               }                                                     if  (!sap.FioriClient.MobileSSO) {                   setFioriURL(retrievedFioriURL);             }                             // Add extra query string to force page reload.               var buster = "smphomebuster=" +  Math.random()*10000000000000000; ... var getFioriURL = function(callback) {         function  getFioriURLFromAppPreferencesFailed(error) {                 sap.Logger.info(error, 'FIORI_CLIENT');               // The Fiori URL wasn't found, so use the hardcoded value.               doHttpsConversionIfNeeded(context.appConfig.fioriURL, callback);         }         function  getFioriURLFromAppPreferencesSuccess(url) {               if (sap.FioriClient.MobileSSO) {                   url = sap.FioriClient.MobileSSO;               }               if (url != null) {                   doHttpsConversionIfNeeded(url, callback);               } else {                   doHttpsConversionIfNeeded(context.appConfig.fioriURL,  callback);               }         }           sap.AppPreferences.getPreferenceValue('fioriURL', getFioriURLFromAppPreferencesSuccess,  getFioriURLFromAppPreferencesFailed);     }; ...

4. Build and run the SAP Fiori Client project on your Android device (emulator).

   For more information, see step 4 in Creating SAP Fiori Client with Apache Cordova section.

SAP Fiori Client should be ready to handle any mobile SSO requests from SAP Authenticator. That means when a user adds SAP Fiori Client account and application in SAP Authenticator, the user will be able to log on to the SAP Fiori Client through mobile SSO.

More Information

• SAP Fiori Client (New in SP04)
• One-Time Password Authentication

All,

The details given in the setup of SPnego for ABAP from this series videos assumes one APP/CI server:

http://scn.sap.com/docs/DOC-40178

The videos Only assumes one APP/CI server, and puts all the SNC/SPnego profile params in the INSTANCE profile.  It also puts the Secure Login Library files in the /usr/sap/{SID}/{INSTANCE}/SLL directory.

So what if you have one CI/app and one pure app server?  so would it be OK to put them in /sapmnt/{SID}/SLL?  that is shared across CI/APP, of course the profile param would have to reflect that.  or does it even matter when app servers are involved?

Would it be OK to put all the SNC/SPnego profile params in the DEFAULT.PFL ?  SO then you would not have to enter them multiple times?

Also, when you execute the commands to create the keytab

{SLLDIR}/sapgenpse keytab -p SAPSNCSKERB.pse -a MYAD-ID@MYDOMAIN.COM

MUST you do the keytab stuff at the OS level twice?  once for the APP/CI OS/server and once again on each pure app server?

our $SECUDIR is different depending on the CI and APP server:

/usr/sap/{SID}/DVEBMGS00/sec

/usr/sap/{SID}/D00/sec

Or would one time, for the CI/APP do this trick?

Hope that makes sense.

NICK

Friends,

I'm still having fun with SPnego on ABAP, trying to get it working consistently.  I came across an interesting note today:

2010596   SICF: "SPNEGO Authentication" disappears from "Alternative Logon Procedure"

besides the note corrections and the recommendation to be a certain kernel level, it mentions some errors that might happen if you mess with the logon procedures.  That got me thinking.

if you want to implement SPnego for ABAP, and you have certain specific services such as:

/sap/crm_logon

/sap/bc/nwbc

/sap/bc/gui/sap/its/webgui

if you click on them in SICF --> Logon Data (tab) --> Procedure = " Standard"

but if you go into change mode, you can change it to "Alternative Logon Procedure".  Then scroll to the bottom and there is a list of order:

1 Logon Through HTTP Fields

2 Logon Through SSL Certificate

3 SAP Logon/Assertion Ticket

4 SAP Assertion Ticket

5 Basic Authentication

6 SAP RFC Logon

7 SPNego Logon

8 SAML Logon

9 Logon Through Service Data

So, my question is, if you want to SPnego for ABAP, do we need to mess with this?  Should we change to "Alternative Logon Procedure". and move SPnego up above "Basic Authentication"?

Or maybe just check the box that says "Use all Logon Procedures"?

Anyway, I could not find any notes / threads specifically on this and was wondering if you guys had any ideas?

Thanks,

NICK

Hi Experts,

I need implement in a customer the SAP NetWeaver Single Sign-On 2.0 using X.509 Certificate and NetWeaver 7.4. Here in SCN there are five videos about this subject, but to SSO version 1.0 and old NetWeaver. (SAP ECC and HCM)

Someone can help me with documentation, comments or even videos?

Thanks a lot to everybody.

Hello ,

Recently, I had raised an query related to SSO issue and was able to solve it using below two notes

1467488 - Start WebClient UI with user credentials of SAP GUI

352295 - Microsoft Windows Single Sign-On options

Now, as an extension of this, when I create an incident ticket in Solman. I receive an email notification which contains Incident number and status along with ticket link.

When I click on the link, it should directly take me to the ticket without login credentials, but I get an pop-up for username and password.

Kindly let me know on what I am missing in the configuration so that it takes me to the ticket directly.

Regards

HM

Hi experts,

we have implemented SSO2 in our BW system and its working fine. The problem is on our BO (4.1, SP3). when i start a webi report, using the scheduling, we always receive the error message:

Database error: Unable to connect to SAP BW server Incomplete logon data.. (IES 10901)

I've read 1 million notes, but till now, no luck. I saw the light after reading this treath:

Re: Issues with SNC SSO after upgrade to 4.1 sp05 patch 1

but no luck. even after deploying gx64krb5.dll, in our BO server (CMC and SNC_LIB) we still have the same error.

I have this parameters on BW side:

profile:

spnego/krbspnego                            /usr/sap/XXX/SLL/libsapcrypto.so

spnego/krbspnego_lib                        /usr/sap/XXX/SLL/libsapcrypto.so

spnego/enable                               1

snc/force_login_screen                      0

snc/r3int_rfc_secure                        0

snc/r3int_rfc_qop                           8

snc/data_protection/use                     3

login/password_max_idle_productive          120

login/min_password_lowercase                1

login/min_password_uppercase                1

login/password_compliance_to_current_policy 1

snc/permit_insecure_start                   1

ssf/name                                    SAPSECULIB

snc/identity/as                             p:CN=SAP/KerberosXXX@XXXXXXXXXXXXXXXXXXXX

snc/enable                                  1

snc/data_protection/min                     2

SNC0 - its GREEN

strust and strustsso2 - certificates of (BO server) are in, with both clients (000 and 100)

BO user has the correct permissions and SNC is activated with SNC DATA (GREEN)

BO SIDE:

CMC:

   Entitlement Systems  : ok

role import: ok

SNC settings:

Enable Secure Network Communication [SNC]  - checked

Prevent insecure incoming RFC connections - checked

SNC library settings : C:\sapcrypto\gx64krb5.dll

SNC name of SAP system: p:CN=SAP/KerberosXXX@XXXXXXXXXXXXXXXXXXXX

SNC name of Enterprise system : p:CN=XX, OU =XXX, O=XXX, L=XXXXXXXXX, C=XX

OPTIONS:

SAP SSO Service : Keystore was uploaded

OS:

SNC_LIB environment variable to point to C:\sapcrypto\gx64krb5.dll

Please help

thx in advance

Nuno

SCN pals,

We have SPnego / SNC setup on both our NW7.31SP07 and NW7.40SP07 systems.

We used the basic steps outlined in the videos:

http://scn.sap.com/docs/DOC-40178

But one thing that I have noticed, is that once I have established a connection into SAPGUI via SNC or WEBGUI via SPNEGO, my ticket in "klist" looks like this:

C:\Users\nwells>klist

Current LogonId is 0:0x5b639

Cached Tickets: (2)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: MY-ID @ MY-DOMAIN.COM

        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM

        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent

        Start Time: 5/20/2015 15:26:53 (local)

        End Time:   5/21/2015 1:26:53 (local)

        Renew Time: 5/27/2015 15:26:53 (local)

        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#3>     Client: MY-ID @ MY-DOMAIN.COM

        Server: HTTP/my-hostname.my-domain.com@ MY-DOMAIN.COM

        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)

        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent

        Start Time: 5/20/2015 15:26:53 (local)

        End Time:   5/21/2015 1:26:53 (local)

        Renew Time: 5/27/2015 15:26:53 (local)

        Session Key Type: RSADSI RC4-HMAC(NT)

Does anyone know why my SAP Kerberos tokens come over as RSADSI RC4-HMAC(NT) ?

When I created the keytab at the OS level, I got this as part of the output:

keytab: KeyTab content stored:

    Version  Time stamp                 KeyType   Kerberos name

          1  Thu May  7 15:42:25 2015   DES       SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES128    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES256    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   RC4       SA-AGC-ABAP-SID@MY-DOMAIN.COM

and in the SPNEGO transaction, I have these listed:

DES-CBC-CRC

DES-CBC-MD5

AES128_CTS_HMAC_SHA1_96

AES256_CTS_HMAC_SHA1_96

RC4-HMAC-MD5

RC4-HMAC-MD5-56

So I would think that I'm covered.

I read this note and applied it in my NW7.31 but it was N/A on 7.40.  I meet the kernel requirements too for both.

1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

If I get my AD administrator to click the button for my user SA-AGC-ABAP-SID@MY-DOMAIN.COM that says "This account support Kerberos AES 256 bit encryption" in the account options....NOTHING works!  SPnego just goes back to username/pass, and SNC pops up a message when you try  to login that says "GSS-API(min): A2210217:the verification of the Kerberos ticket failed

target="p:CN=SA-AGC-ABAP-SID"

I also read this note:

1677641 - Kerberos authentication problem (SNG/GSS error a2210217)

but we already have the latest NWSSO2.0 SP05 login library and note 1832706.  I'm certain my user/pass for AD is correct.

Anyway..I know I said a lot....ANY thoughts?

thanks,

NICK