Channel: SCN : Popular Discussions - SAP Single Sign-On

NW SSO 2 - Secure login client - logon using client certificate


Hello,

 

Our customer has existing PKI (client certificates) which they want to use to logon to Secure Login Server using “heavy” Secure Login Client (not web client) for employees.

Their reasons are:

  1. They want to have two factor authentication (PIN for X.509)
  2. Somebody had this idea…
  3. They want to check CRL for existing PKI certificates
  4. They have a bunch of “old” ABAP systems they don’t want to upgrade to version supporting CRL check directly on SNC handshake

Based on documentation I’ve told them, that UME authentication is possible. Finally I’ve found in installation guide, that only basic authentication is supported with UME and Secure Login Client which is installed locally on the PC.

 

I think that following questions are for developer of Secure Login Client.

  1. Is it possible to use another client certificate (I don’t know which object/framework is used for SSL communication) to establish communication between Secure Login Client and Secure Login Server over HTTPS?
  2. Would it be possible to use new value for parameter pseType to make Secure Login Client to not prompt for username/password and just establish SSL with client certificate?

 

PS: I’m currently trying to configure workaround using Kerberos (SPNego) configuration but with Authentication configured for X.509 certificate.

 

Best Regards,

Honza Vrzak


How to restrict user logon with Incorrect Password lock(Lock Status:128) using SSO??


Dear Experts,

 

We have gone live with SSO 1.0 for NW AS ABAP using Kerberos technology on 20+ landscapes this year. Next year we are planning to upgrade to SSO 2.0 suite.

 

Now we have a question posted by our customers "Is there any way to restrict the incorrect password locked users to do SSO to AS ABAP?"

 

The reason behind this is to make sure that an account is not a victim of an attack. If the users continue to SSO even though their account is locked due to incorrect password, that means there is a possibility to oversee that their accounts are being attacked.

 

SAP has already treated this as a vulnerability on J2EE servers and released a note to fix this. Is there any possibility to achieve this on AS ABAP server as well?

 

Hope to hear soon!

 

Regards,

Karthik

Configuration LDAP and SSO in NW 7.3 Portal


Hi Guys,

 

I have doubts about setting LDAP as data source for NetWeaver Portal 7.3. With this configuration, can Windows users log on to SAP Portal without writing their password again? Do I have to set Kerberos, also?

If you have some guides, could you please send them to me?

My LDAP will be Windows Active Directory. Also, if I choose read only, does that mean that Portal will only read users from AD (including new users after configuration)?

Regards,

Andy

The right SSO path to choose for - SAP + non-SAP?


Dear All,

 

Our requirement is to enable SSO for the below applications.

 

We have SAP apps - ERP, GRC, HCM, MDM & SRM.

Non-SAP apps - AD, MS Exchange, Sharepoint, Lotus notes

 

With the wiki content, videos available, it seemed that I'm supposed to go with SAP NW SSO 2.0 with X.509 certificates

I.e, Install SAP NW SSO 2.0 using AD as communication method and let NW SSO system issue X.509 certificates for authentication.

 

I was reading blogs and found links for SSO between Sharepoint & Portal using SAML 2.0.

 

My question, with SAP NW SSO 2.0(create X.509 certificates), is it possible to integrate all these components? Am I missing something?

Also, the user IDs are different for different apps. So does mapping support for different apps?

 

Could you please guide me the right direction?

 

Thanks

RB

The SSL server certificate does not contain the domain name of the server

Hello Community,
I installed, for testing purposes, a NetWeaver 7.4 with SAP NetWeaver Single Sign-On 2.0.
I configured the scenario for X.509 certificates.
On the SSO server, under Configuration - SSL, I configured HTTPS.
In the server identity, the certificate credentials look like:
---
Subject name                : CN=ssoserver.domain.de,C=DE
Issuer name                 : CN=ssoserver.domain.de,C=DE
---
So I installed this certificate. But my SAP Secure Login Client now comes up with this error message if I try to request my X.509 cert:
The SSL server certificate does not contain the domain name of the server
So as you can see, the domain name is included in this cert. I am not much of an SSL specialist. Is it right to define the certificate like this, or must it look different?

Hope someone can assist here?

Kind Regards

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME)

 

But we have 4 domains in a forest. So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

..I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

NW SSO - Secure Login Client - issue with X.509 certificates


Good Morning,

we have this problem with NetWeaver Single Sign-On (1.0 SP4 PL4):

1) Secure Login Client receives a Kerberos ticket but doesn't download the X.509 certificate from the server (and we don't know why)

2) In Secure Login Client Notification Viewer there are no apparent errors (view screenshot)

3) Our scenario is this:

    • Secure Login Server on an AS JAVA installed on SLES11 (64bit) with SPNEGOLoginModule
    • Secure Login Client installed with a SAP GUI on a Windows Server 2008 R2 (64bit)
    • AS ABAP installed on a Red Hat Enterprise Linux Server 6.3 (64bit)
    • Microsoft Active Directory Server installed on Windows Server 2008 R2 (64bit)


We installed ROOT_CA and customer.reg from Secure Login Server in the client host. We used https with “Secure Login Server FQDN” and port 50001.

We tried to listen on the Secure Login Server with tcpdump to see if some request was coming from it but nothing appeared.

Secure Login Client 1.0 on WinXP 64bit


Hello.

 

We're facing an issue with Secure Login Client on WinXP/64bit.

On most of our XP clients the Secure Login Client runs fine, but on WinXP/64bit we're getting the following error (I attached the log file).

 

----
01/08 13:47:07.631 0 2892 640 sbus BASE ERROR in CRYPT->check_padding_PKCS_BT(): Signature verification failed, wrong key or encoding method
01/08 13:47:07.631 0 2892 640 sbus BASE -Parameter 1: ASN.1 alg and hash not decodable
01/08 13:47:07.662 0 2892 640 sbus BASE ERROR in CRYPT->check_padding_PKCS_BT(): Signature verification failed, wrong key or encoding method
01/08 13:47:07.662 0 2892 640 sbus BASE -Parameter 1: Decrypted RSA block
01/08 13:47:07.662 0 2892 640 sbus BASE -Parameter 2: 4C75E25760F50DABC23BAAEA39C674D5E10394682D3BD985117F1933FA7269B9ABAA7DC710C31C06D0A41F4D7B4BA4CF77C0302DAFC5B9006CF7D827491F29F72EC9B1C8AF6256C3B7EC42BFE3F6305B3CA84E6E6D0C8EFDD4C4AE741CBDA0184090234350AC3C2F228D7B421D0B5A00BF0FA692DAC778BF58B12113BEA3C3C13A955FECCC287EDF0F811A19BCB1EAB120440ECE71F62BAE9C7D2529E80637359DF772DD1614B03E50142EBFC96CC550FDAE8393CF89028B83C72DD04AAB29FC8722FF63DEFFE179E7C6B10F59022CFE2C7BAF3CF90EFBC54C156AC6FE549F60E788FFDB213E16B905C657282CAF4F9A15B177A7863DA400900FE658EAD3E049699298A2496868E4C2A33D994E0AD3D23D291CDEBDCF6559181B22BD3ACABE1FB1F6C3372DC5573805E4674BD955D342F16DBBD3A3C3F75356535A4A01E75E54FCB173CB0442686E2F94465857E17A39876BCB29DCEF6F12BD8F05F672BB09534E35FFEDDD6C963706FC196962089719EFA21CD54F843D4719AC87AA518F6EF1A729616DE805E07431692AC6065B4F063CC2286C6E4C47A3A76F7E45DE436EF21D3935B4FA7B66DCB393BD1E29453CC572075A9A63ED7C72D44A21AEB0D94BA46444C79D7B8282602B07F9D8BC27C84620A858F4B9D206F8D5FB0877812249443C839C3DD950B9D0D66304D0A6A78C9FBB15A59D7925E10D9

01/08 13:47:07.662 0 2892 640 sbus BASE ERROR in CRYPT->check_padding_PKCS_BT(): Signature verification failed, wrong key or encoding method
01/08 13:47:07.662 0 2892 640 sbus BASE -Parameter 1: Calculated digest
01/08 13:47:07.662 0 2892 640 sbus BASE -Parameter 2: 88121B1AF3DC89D30DE526C57857FAD87E9C9026
01/08 13:47:07.724 0 2892 640 sbus BASE ERROR in CRYPT->verify_rsa(): Signature verification failed, wrong key or encoding method
01/08 13:47:07.724 0 2892 640 sbus BASE ERROR in CRYPT->sec_crypt_verify_end(): Signature verification failed, wrong key or encoding method
01/08 13:47:07.724 0 2892 640 sbus BASE ERROR in CRYPT->sec_crypt_verify_all(): Signature verification failed, wrong key or encoding method
01/08 13:47:07.724 0 2892 640 sbus PKIX     Signature error
------

 

 

Did anyone get the same error?

Are there any hints on where to start researching the root cause?

 

Thanks a lot,

Sebastian


SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas

Kerberos tokens and SNC RFC - Server certificate not trusted


Hi all,

 

I am trying to configure a scenario using SAP NW SSO 2.0 in which users authenticate using SNC with Kerberos tokens to system A, and system A communicates with system B using SNC RFC.

As described in the implementation guide:

 

for_scn.jpg

 

SNC with kerberos on system A works perfectly. I've configured the SNC identity as described in the guide - CN=SAPServiceABC, OU....

 

On system B, I've configured snc with identity CN=SID, OU....

On system A gssapi_lib is set to the secure login library, and on system B it is set to the SAPCRYPTOLIB.

 

I've imported system A certificate from SNC SapCryptolib PSE into trusted certificates of system B  SNC SapCryptolib PSE. I've also added system A to SNC ACL table of system B.

 

Eventually, I created an RFC destination with SNC from system A to System B. But when I the RFC I get the following error:

A2200210: Peer certificate verification failed.

In SLLTrace, I see the following:

[KERBEROS] [6808] ERROR(0xA2600202) in KERBEROS-> sec_kerberos_ClientGetTicket(): No kerberos ticket for requested service

[GSS][6808] Cli-40000003: Server certificate not trusted

[GSS][6808] Cli-40000003: <- Msg 1993ServerHello     process failed: errval=d0000, minor_status=a2200210

 

Seems like I'm missing something with configuring the trust between the systems, But I can't seem to find it.

 

I would really appreciate your help on this.

 

Thanks,

Ilia Medvedev.

Import of SAP Server Certificate in SNC X.509 method


Hello,

 

We are in the process of implementing SAP NW SSO for SAP GUI with SAP ECC systems.

As per the Secure Login Library Guide, we have extracted the Secure Login Library file in the desired location and set the profile parameters as mentioned in the guide.

Now we are configuring the SNC X.509 configuration, and it says to import the SAP Server Certificate using Tx: STRUST.

From where do we get the SAP Server Certificate? We have created a PSE using Tx: STRUST, which appears at OS level in the structure /usr/sap/SID/DVEBMGS<>/sec .

We are stuck in this step; we are not able to import the SAP Server Certificate.

After the completion of the X.509 certificate, we would be going ahead with SNC Kerberos configuration.

Please provide suggestions and inputs.

 

Regards,
Deepak

NWBC - SSO to ABAP system


Dear Gurus,

 

We have decided to use NWBC 3.0, we would like to connect it to ABAP system.

In SAPGUI we are using SNC for SSO. How do we configure SSO with NWBC to the ABAP system?

What are the options?

 

Please advise,

Dimitry Haritonov

Implementing SSO to AS Java with X.509 Client Certificate and a Web Dispatcher


Hello,

I have implemented SSO to AS Java (SAP Portal) using X.509 Client Certificate.

When I try to logon without passing through the Web Dispatcher (direct call to the SAP Portal in Intranet) my SSO works properly and I'm able to logon without writing any user and password, thanks to my X.509 Client Certificate.

 

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details

1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          true       true

        #1 Rule1.AttributeName = CN

        #2 Rule1.getUserFrom = subjectName

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true

Central Checks                                                                                                   true                  #

 

 

My problem arises when I try to call my SAP Portal from the Internet passing through my SAP Web Dispatcher, so I've got the following error:

 

LOGIN.FAILED
User: N/A

 

Authentication Stack: ticket

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          exception             true       Authentication did not succeed.
        #1 Rule1.AttributeName = CN
        #2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false      #

 

How could I manage my X.509 Client Certificate when I have to pass through my Web Dispatcher?

 

Thanks!

Fabrizio

SSO login failed by NWBC or ICF services


Hi all,

We are implementing Single Sign-On 1.0 using Kerberos tokens from Microsoft AD. It works fine with SAP Logon (AS ABAP - ECC, Solman, GRC NF-e and AC) and with the browser on NW CE 7.2 (AS JAVA - IdM7.2 and SSO 1.0).

During logon by NWBC or other ICF services called by browser, the SSO doesn't work and a logon screen is required. We expected SSO to work fine and log in without requiring user and password in these cases.

If we enter a user and password in this problem case, HTTPS works fine, but we need an automatic login by SSO using Kerberos as we set by SPNego, SU01 tab SNC and EXTID_DN.

Are there any parameters that we have to set on ICF services or RZ10 to provide SSO login to solve this issue?

 

Thanks in advance,
Rodrigo

Single Sign on Between Windows users to SAP BI Portal


Hi Experts,

 

I have a requirement in my company related to single sign-on terminology, but a little different compared to other environments. The requirement is described below:

When the user is logged in to Windows using user ID and password, then when clicking the SAP BI Portal link which is available on the desktop of all the end users, he should log in automatically without providing any user ID and password. Right now we are using SAP NetWeaver 7.0 SPS 14.

I am not sure how exactly this can be configured. I tried to find the documentation but with no results, as I see documents with SNC config are easily available.

I even thought to configure SAP NetWeaver Single Sign-On 1.0, but my company is not entitled to this download.

Experts, I need immediate help on this! Many thanks in advance.

 

Regards,

Mohammed Imran


SAP Single Sign makes Internet explorer sluggish and slow


Hi Everyone,

 

We have been trying to roll out SAP Single Sign on 2.0 for non-SAP web sites, unfortunately when we tried a small pilot the user feedback was that they would rather not have the SSO functionality.

 

The poor user experience all came down to one problem: performance.

 

After adding SSO 2.0 this adds the IE plugins to handle entering the credentials, unfortunately the speed and responsiveness of IE 10 was unusable, it can add an extra 2-5 seconds depending on the web-sites visited.

 

I have tried this first hand and can replicate the issues, we are running very up to date software and hardware: Win 7 X64, IE10, i7, 8GB RAM, SSD HDD etc, as soon as you disable the SSO add on then web-sites start reacting normally again.

 

A support ticket is open at SAP and we have updated to SP2 however the problem is not going away.

 

Has anybody successfully deployed this aspect of SSO 2.0 and if so please can you share your experiences?

Is there anybody out there who has experienced or is experiencing this slowdown after enabling the SSO 2.0 IE add-on? What have you done, or what are you doing, to address this?

 

many thanks

 

Rob

 


SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

The question is, what is the best way forward, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf
Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir


How to create SSO Login for SAP Webgui HTML based on Windows


Experts,

 

Please advise the best process to create SSO Login for SAP Webgui for operating system Windows 2008 R2. Currently using Windows Active Directory or LDAP.

ABAP SSO / SNC Configuration on AIX with KEON?


Hi Everyone

I'm working for a large banking organization that would finally like to enable SSO on the ABAP stacks. At other companies in the past, I've done this using Kerberos and GSSAPI libraries, utilizing keytabs and the SNC parameters for SAP. However, in this environment, I don't think it will work - we are using KEON to secure the AIX servers. To my understanding KEON and Kerberos do not mix well.

 

My question- Has anyone had success setting up SSO for ABAP running on a keonized AIX server? If so, I would appreciate any feedback you have to offer.

 

I know SAP has SAP NW SSO 2.0 available now, which they state will help us with our issue. The licensing costs for this are far too outrageous for us to consider at this time ($600+/user).

 

Any thoughts or suggestions would be greatly appreciated!

 

Jeff
