Hi Experts,

There are 2 SAP Java stack systems in our landscape. Following are the details about the system:

Java stack 1 : Secure Login Server and Identity Federation component (Domain A)

Secure Login server issues X.509 certificates to provide SSO to ABAP systems.

Identity Federation compoenent i.e Identity Provider to provide cross domain SSO

Java stack 2 : SAP IDM system (in a different domain & company). (Domain B)

I've configured Service Provider on Java stack 2 to trust Identity Provider of Java stack 1.

Requirement:

When a user from Domain A tries to access resources on Java stack 2  (Domain B) using https://<IP>:<port>/idm he should be redirected to Java stack 1 (Identity Federation component) for authentication.

If a user has valid X.509 certificate issued from Secure Login Server, he should be authenticated to Identity Federation in java stack 1 with out entering password and SAML2.0 assertion should be sent back to Java stack 2 . Then Java stack 2 will create a session for authenticated user.

Question:

1. I've configured Secure Login Server, Identity Provider and Service Provider as mentioned in the document. User has a valid X.509 certificate issued by Secure Login Server. But when the user tries to access resource on java stack 2, he is never redirected to Identity provider.Did I miss something in the config? It would be great if you can share the document on this. I've already done everything based on a wiki guide.

2.   Is it possible to use X.509 certificate to autheticate with Identity Provider?  Is this a  limitation with SAP Identity Provider product?

Please advice if I'm on the correct track.

Note:

IDM is just an example. I want to extend this design to to other Java stack systems which are out of our domain

Dear Portal Gurus,

I humbly come to you with a question that I know has been asked repeatedly, but I have spent days wading through SCN and Notes to no avail.

Our requirement is for users to login into their Windows workstation with their Microsoft Active Directory 2008  userid and password, clickon a url to the SAP Enterprise Portal 7.3 Enhancement pack 1 support stack 004 , and be automatically authenticated  to the portalm, backend BW 7.3.1.4.

• We have SCN working with the Sapgui to the same BW ABAP using kerberos
• Wehave configured SPNEGO in NWA and it shows green.
• SSO Logon tickets work correctly between NW Portal and BW.
• ABAP is UME and validates ok
• Maintained connector properties in system landscape alias for SNC
• Made sure IE8 options for security is enabled for Windows Authentication
• Users are enabled for SCN in SU01 in the ABAP
• Restarted SAP and J2EE and cleared IE browswer cache and restarted.. many times on many PCs

Still, when we specify http://server:50000/irj  the portal is still requiring users to login.  Again, the user can login automaticlaly to the BW ABAP system in Sapgui, but the requirement is for them to be automatically logged into the SAP portal.

Is this possible? I am beginning to wornder.  If you have accomplished this and can share what we may be missing, I would be so grateful and wish much good karma to you!

Lee Lewis

Dear All,

I need to enable identity provider ADFS2.0  to create users in the service provider  SAP EP 7.3 which is integrated and using SAP R/3 UME.

The scenario is we should allow to auto generate users through SSO from ADFS 2.0 to SAP EP 7.3.

I configured SAP portal as SAML 2.0 service provider and ADFS 2.0 as Identity Provider.

Now SSO is working with same and different User ID's between IdP and Sp.

Now how do I enable IdP (adfs 2.0)  to automatically create users in Sp ( sap nw 7.3).?

In SAML 2.0 Configuration Page on NWA , I selected "Identity Federation" tab and in the "Supported Name ID Formats " table list I added Unspecified Name of Federation type "Persistent Users (Advanced) " and selected Allow Automatic Creation of Accounts check box and maintained

User ID Source as Assertion Subject NameID and User Id Mapping Mode as LogonID.  Also I specified Assertion based attributes and Default Roles.

When I log in to the Service Provider, it redirects me to Identity provider. I logged in with the user in identity provider. It then redirects me to service providers application but didn't create user. It lands on login page with the warning message, "Your account on identity provider [ADFS 2.0] is not federated with any local account ". When I click on the link New Here?Register Now and Federate Accounts  , It creates the account and assigns the user default roles and user attributes I maintained.

How to federate ADFS 2.0 user account with local account in SAP EP 7.3?

Regards,

Eben Joyson

Hello Gurus,

We have successfully configured the Single Sign on (SSO) on our Development and Quality systems using kerberos. These two systems are central systems(No application server attached it.). We have tested the functionality and is working fine.

Now we have to configure the same setup in Production system where it has an application server which also works as fail-over node. How do I do here?  Could someone of you confirm on the below points.

1) Do I need to Install the kerberos on both Central Instance and Dialogue Instance.?

2) Do I need to generated 2 separate keytabs in AD for CI and DI?

3) Do I have to set the SPN 2 times (CI & DI) for the same user id?

3) Do I need to maintain the SNC parameters in Instance profile of both CI and DI?

4) I have a logon group created and assigned to both CI and DI. In normal case the load balancing happens. What all the changes that I need to in saplogon.ini do if I have to have the same load balancing mechanism even after implementing SSO?

Please clarify them in detail. I would really much appreciate all your help.

Thanks,

Nick S

Hi All,

               I would like to configure SNC enable single sign on sap  in linux environment .

Please help me what are the steps to proceed in configuring.

Thanks

Srikanth

We are In the process of configuring SSO on BO server with the “Windows AD authentication"

Manually we are able to login but SSO we are unable to login, window authentication window popup but when i will provide user is and
password manually it will give below mention error:

ERROR

Type Status report

HTTP Status 500- 

message com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException:
Successfully matched service principal "sapbotservicesso@ROOT.LOCAL"
but not key type (18) + KVNO (3) in this entry: Principal: [1]
SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu Jan 01 01:00:00 CET 1970 KVNO: -1 EncType:
23 Key: 16 bytes, fingerprint = [af a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0
74] )

description The
server encountered an internal error (com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level:
com.dstc.security.kerberos.KerberosException: Successfully matched service
principal "sapbotservicesso@ROOT.LOCAL" but not key type (18) + KVNO
(3) in this entry: Principal: [1] SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu
Jan 01 01:00:00 CET 1970 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [af
a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0 74] )) that prevented it from
fulfilling this

Apache Tomcat 6.0.35

if any one face same problem please share the solution.

Regards

Arpan Saini

Good afternoon - I have a question regarding NW SSO. We are considering buying a number of licenses, but perhaps not enough for every user to be able to logon using single sign-on. So some users would have the Secure Login Client on their PCs and others would not. For the ones who don't have the client installed, they would still be able to login to a system with SAPGui by entering their username and password, right? The reason for my question is that I know that during the setup of NW SSO we will make changes in the saplogon.ini file to indicate the SNC name of the application server, and then also have to make entries in tcode SU01 for the user's SNC name. I see on the SNC tab in SU01 that there is an option to allow password logon for SAPGui, so for the users who we have not purchased a license for, could we just check that box so that they could still enter their ID and Password in SAPGui as usual?

I would appreciate any help with this!

Regards,

Blair Towe

Hi,

I need to setup SSO in my SAP systems, using Kerberos, so that users from Windows terminals can login to a system using SAPGUI without giving a user/password.

I know it is possible because I have seen it somewhere in the past.

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about setup where SAP system is on Windows platform, but I cant find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

Please help.

Regards,

Shitij

Hi,

I am involved in a project where it is required to deploy SAP HCM and hosting self service portal for all colleagues in the organization. The requirement is the portal application will be deployed in forest abc.123.com but users are spread across 4 forests i.e. abc.123.com,   efg.456.ad,   hij.789.net and xyz.012.co. There is a two way trust established from abc.123.com to each of other 3 domains.

Is it possible to configure SSO using SPNego?

Thanks & Regards

Sreedhar Gadamsetty

Hi all,

I'm trying to implement SSO between SAP GUI and an ABAP system.  Eventually, the SSO will include AS Java and ABAP WebGUI as well.

So far I have deploy the SSO Server on an AS Java 7.3 system.  The SSO Server has the root certificate and the user CA certificate configured.  The Login Module is SecureLoginModuleLDAP.  The Login Module in the NetWeaver Administrator is configured for my MS AD.

On the ABAP system, I have configured the ABAP instance profile as described in http://scn.sap.com/docs/DOC-29687.  I have created the PSE for SNC manually and modified the SNC name for my test user in SU01.

On the client side, I have the SSO Client and SAP GUI installed.  When I login with my MS AD user, I can see the Kerberos Token activated.  I can also authenticate myself on the MS AD using the SSO Client and obtain a certificate.  SNC_LIB points to <Library path>\secgss.dll.  SSF_LIBRARY_PATH points to <Library path>\secssf.dll.

The problem is that when I try to logon to the ABAP system using SNC with the SAP GUI, I have an error message saying "SAP System Message: S".  There is also a few entries in SM21; "Delete session 001 after error 044".

This does not seem like a popular error on SCN as I did not find much past cases.

Any help will be much appreciated.

Cheers

Hello,

I have succesfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunatelly the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in dthe Secure Login Servers UME)

But we have 4 domains in a forrest..So, according to note 994791 that states:

• Domain Forest
  • Create and configure a J2EE service user in one of the domains part of  the forest # it doesn#t matter if this domain will be the root domain or any of the child domains
  • Configure UME to use multiple ADS data sources (for each domain in the forest)
  • In the #Kerberos Realm# step of the wizard you should provide  information only for the domain where you have created the service user for the J2EE Engine

..I have configured SPNEGO only for the realm that hosts the SPN.

Unfortunatelly it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

Thank You,

Philippe

Hi,

I have installed Secure Login client and secure login server in our landscape. SSO is working perfectly fine in the environment. We have to login to Secure Login Client atleast once a day for the SSO to work. We now want to get rid of this additional login and want the Windows credentials to be automatically taken up for generating the X.509 certificate.

I read in the manual that this can be done only in case of SPNego with windowslogin. Request you to please let me know if this can be achieved in our case as well. We have configured through SecureLoginModuleLDAP in our environment.

The excerpt from the document is as follows:

"promptedlogin

Using this profile, the user is prompted to enter the user credentials. This applies for the login modules SecureLoginModuleLDAP, SecureLoginModuleSAP, SecureLoginModuleRADIUS, and BasicPasswordLoginModule.

windowslogin

Using this profile, the user credentials are provided automatically (only available for Microsoft Windows authentication with SPNegoLoginModule).

The default value is windowslogin"

Thanks in advance for your reply.

Regards,

Rohit

Hello Experts,

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO. All I get is a funny error popup "SAP System Message: S".

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

Any info is much appreciated.

Andreas Niewerth

Hi all experts,

Really need your help in configuring SAP SSO between Windows 2008 R2 ADS & SAP Users.

I followed all the steps provided in SAP NW SSO SP4 SLL document from SAP.

But, I stuck up at couple of steps, the major is part is our ADS Administrator does'nt want to edit SPN for Kerberos user,

instead he suggested to use either RC4 or AES256.

During the SNC setup, I am facing  a below error in dev_w0 file:

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll

N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)

N      Could't acquire ACCEPTING credentials for

N 

N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"

N  SncInit(): Fatal -- Accepting Credentials not available!

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

Below is SNC Status:

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe

Using command 'status -v', call with -h to see more commands

------------------------------------------------------------------------------

------------ status -------------------------------------------------------

------------------------------------------------------------------------------

Product version      : Secure Login Library 1.0 SP 4:
CryptoLib                 : 8.3.7.5

                                  : windows-x86-64

GSS library               : available

GSS library name    : secgss.dll

PSE directory           : (existing) E:\usr\sap\SID\DVEBMGS00\sec

PSE file                     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip

STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2

SNC config file        : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml

PSE accessible        : yes

PSE logged in          : yes

PSE credentials      : MasterPassword SystemDefault

Kerberos keyTab    : 12 entries

SAP/ServiceSID@<fqdn>.com (KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SAP/ServiceSID@<fqdn>.com(KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com (KeyType AES256)

SAP/ServiceSID@<fqdn>.com (KeyType RC4) 

SAP/ServiceSID@<fqdn>.com  (KeyType DES)

SAP/ServiceSID@<fqdn>.com  (KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SNC keys registered :  0 entries

Trusted certificates:

in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

Quick responce really needed as pressure increased.

Thanks and Regards

Ahsan.

Hello,
I have a problem to configure SSO in ECC 6.0 Ep5 with Microsoft AD.
Every part of the LDAP is working, I'm already mapped the users in AD and update the SAP running without problem.

When active in the CNS (snc / enable = 1), SAP does not start.
The Next error I received the file dev_w:Hello,
I have a problem to configure SSO in ECC 6.0 Ep5 with Microsoft AD.
Every part of the LDAP is working, I'm already mapped the users in AD and update the SAP running without problem.

When active in the SNC (snc / enable = 1), SAP does not start.
The Next error I received the file dev_w:

*************************************************************************************
SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:svc-sapprd\localiza.corp
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
N Could't acquire ACCEPTING credentials for
N
N name="p:svc-sapprdlocaliza.corp@LOCALIZA.CORP"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 239]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11329]
***************************************************************************************************

This configuration is being performed in the environment:
Instacia Central - Windows 2008R2 - SqlServer 2008R2
Workstation - Windows 7

Thank you.
Ederson Meneses

Hi Matthias Kaempfer,

I have bex queries which i want to run on Internet explorer but when i run this report i need to give login credentials again, how to overcome this. So that I do not need to give login credentials again.

Thanks & Regards

Manna Das

Hi,

I have successfully achieved SSO for  SAPGUI, NWBC and NWBC for HTML, using the SNC and SSL key issued by the NetWeaver Secure login server.

Secure login client is installed in my  local client system.

I am able to achieve SSO to multiple client in same system using SAPGUI - SNC Certificate.

But using NWBC - SSL Certificates, single signon is happening for only one client and for second client in same system, it is asking user name and password.

Please let me know do I need to do any special setting to achieve SSO to multiple client in same system using NWBC / NWBC for HTML.

-------

I have maintained SNC tab in SU01 and in table SM30 - VUSREXTID - External ID type DN for my user id.

-------

Regards,

Nalla

As I did not receive any reply on my earlier post, re-posting my question in simplified way.

Dear All,

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

• SAP logon tickets
• X.509 client certificates

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

Thanks in advance for your help and support.

Regards,

Yasir.

Hi all,

we installed  SSO aplicattion on IDD system, and the Secure Login Client on notebook using Active Directory Microsoft Network with Kerberos integration.

When this notebook startup outside Microsoft Network, the login on Secure Login Server doesn´t work and a error message appear (see
bellow). We receive some  complains about this message.

We need that this message doesn´t appear when notebook startup outside of microsoft network. Is this possible ?

Thank you in advance,

Rodrigo

Hi,

We have a SAP EP (7.3) system integrated and SSO configured with backend SAP R/3 (ehp4).

Now we need to allow the customer to open our SAP portal  from within their portal. Means that We need to establish SSO with their portal. They use standard SSO techniques, including SAML on their portals.

What method I can implement for this?

Regards,

Eben Joyson