
SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas


SSO for BEx Broadcasting with Netweaver 7.3


How can I get the Bex Broadcasting to work using single sign on in BI Java Netweaver 7.3?

From BEx a user brings up a workbook and then chooses Tools and Bex Broadcaster.  Although they already had to enter user id and password to login to the ABAP BW system, they have to enter the same credentials again in the IE window for the Java system before viewing BEx Broadcaster settings.  The BI Java system has a UME data source of the ABAP BW system.  I think that by default the system is set up to use logon tickets, the systems are trusted, sso2 profile parameters are set, but I don't see any evidence that it is attempting to use logon tickets.  In fact, when the IE logon prompt appears, there is nothing in the logs on the Java side so therefore no errors in the logs.   What have I missed or what documentation can point me in the right direction?    Is it even possible to do single sign on using an ABAP data source in the UME?

Warm regards,
Clifton

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException

Hi,

 

We are in the process of configuring SSO on the BO server with "Windows AD authentication".

Manually we are able to log in, but with SSO we are unable to log in. The Windows authentication window pops up, but when I provide the user ID and password manually it gives the error mentioned below:

 

 

ERROR

 

Type Status report

 

HTTP Status 500- 

 

message com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException:
Successfully matched service principal "sapbotservicesso@ROOT.LOCAL"
but not key type (18) + KVNO (3) in this entry: Principal: [1]
SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu Jan 01 01:00:00 CET 1970 KVNO: -1 EncType:
23 Key: 16 bytes, fingerprint = [af a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0
74] )

 

 

description The
server encountered an internal error (com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level:
com.dstc.security.kerberos.KerberosException: Successfully matched service
principal "sapbotservicesso@ROOT.LOCAL" but not key type (18) + KVNO
(3) in this entry: Principal: [1] SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu
Jan 01 01:00:00 CET 1970 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [af
a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0 74] )) that prevented it from
fulfilling this

 

 

Apache Tomcat 6.0.35

 

If anyone has faced the same problem, please share the solution.

 

Regards

Arpan Saini
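
The exception quoted in the post above names two values that the service ticket and the keytab entry must agree on: the key type and the KVNO. As an added example (not part of the original post, and not code from SAP or the SPNEGO library), this Python sketch parses that message and reports which of the two differ; the function names are chosen here, the etype table is the standard IANA numbering, and the sample is the message text from the post.

```python
import re

# Kerberos encryption type numbers as assigned by IANA (RFC 3961, 3962, 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# What the incoming service ticket asked for.
REQUESTED = re.compile(
    r'matched service principal "(?P<spn>[^"]+)" but not key type '
    r'\((?P<etype>\d+)\) \+ KVNO \((?P<kvno>-?\d+)\)')
# Each keytab entry the library printed for comparison.
ENTRY = re.compile(
    r'Principal: \[\d+\] (?P<principal>\S+) .*?'
    r'KVNO: (?P<kvno>-?\d+) EncType: (?P<etype>\d+)')

# The message from the post, keeping the error page's line wrapping.
SAMPLE = """com.dstc.security.kerberos.KerberosException:
Successfully matched service principal "sapbotservicesso@ROOT.LOCAL"
but not key type (18) + KVNO (3) in this entry: Principal: [1]
SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu Jan 01 01:00:00 CET 1970 KVNO: -1 EncType:
23 Key: 16 bytes, fingerprint = [af a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0
74] )"""


def etype_name(number):
    """Map an etype number to its name, falling back to the raw number."""
    return ETYPE_NAMES.get(number, "etype %d" % number)


def diagnose(message):
    """Return the ticket/keytab differences found in the message, or None."""
    text = " ".join(message.split())  # undo the line wrapping
    req = REQUESTED.search(text)
    if req is None:
        return None
    want_etype, want_kvno = int(req["etype"]), int(req["kvno"])
    findings = []
    for entry in ENTRY.finditer(text, req.end()):
        have_etype, have_kvno = int(entry["etype"]), int(entry["kvno"])
        if have_etype != want_etype:
            findings.append("%s: keytab key is %s, ticket uses %s" % (
                entry["principal"], etype_name(have_etype),
                etype_name(want_etype)))
        # Only the difference is reported; the page does not say how the
        # library treats a keytab KVNO of -1.
        if have_kvno != want_kvno:
            findings.append("%s: keytab KVNO %d, ticket KVNO %d" % (
                entry["principal"], have_kvno, want_kvno))
    return {"spn": req["spn"], "ticket_etype": want_etype,
            "ticket_kvno": want_kvno, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE)["findings"]:
        print(line)
```
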

Import of SAP Server Certificate in SNC X.509 method


Hello,

 

We are in the process of implementing SAP NW SSO for SAP GUI with SAP ECC systems.

As per the Secure Login Library Guide, we have extracted the Secure Login Library file in the desired location and set the profile parameters as mentioned in the guide.

Now we are configuring the SNC X.509 configuration, and it says to import the SAP Server Certificate using Tx: STRUST.

From where do we get the SAP Server Certificate? We have created the PSE using Tx: STRUST, which appears at OS level in the structure /usr/sap/SID/DVEBMGS<>/sec .

We are stuck at this step; we are not able to import the SAP Server Certificate.

After the completion of the X.509 certificate, we would be going ahead with the SNC Kerberos configuration.

Please provide suggestions and inputs.

 

Regards,
Deepak

SAP SSO between Windows & SAP users:


Hi all experts,

 

Really need your help in configuring SAP SSO between Windows 2008 R2 ADS & SAP Users.

 

I followed all the steps provided in SAP NW SSO SP4 SLL document from SAP.

But I got stuck at a couple of steps; the major part is that our ADS administrator doesn't want to edit the SPN for the Kerberos user, and instead he suggested using either RC4 or AES256.

During the SNC setup, I am facing the error below in the dev_w0 file:

 

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll

N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"

N  SncInit(): Fatal -- Accepting Credentials not available!

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

 

 

Below is SNC Status:

 

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe

Using command 'status -v', call with -h to see more commands

------------------------------------------------------------------------------

------------ status -------------------------------------------------------

------------------------------------------------------------------------------

Product version      : Secure Login Library 1.0 SP 4:
CryptoLib                 : 8.3.7.5

                                  : windows-x86-64

GSS library               : available

GSS library name    : secgss.dll

PSE directory           : (existing) E:\usr\sap\SID\DVEBMGS00\sec

PSE file                     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip

STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2

SNC config file        : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml

PSE accessible        : yes

PSE logged in          : yes

PSE credentials      : MasterPassword SystemDefault

Kerberos keyTab    : 12 entries

SAP/ServiceSID@<fqdn>.com (KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

 

SAP/ServiceSID@<fqdn>.com(KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com (KeyType AES256)

SAP/ServiceSID@<fqdn>.com (KeyType RC4) 

 

SAP/ServiceSID@<fqdn>.com  (KeyType DES)

SAP/ServiceSID@<fqdn>.com  (KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

 

SNC keys registered :  0 entries

Trusted certificates:

in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

 

A quick response is really needed as pressure has increased.

 

Thanks and Regards

 

Ahsan.

Download NW SSO


Hi experts,

 

I want to configure SAP Netweaver Single Sign-On but I do not have the link in the marketplace.

How can I contact SAP to obtain the correct license? Is it not included with SAP Netweaver?

 

Thanks in advance,

Regards,

SSO message, outside of microsoft network


Hi all,

we installed the SSO application on the IDD system, and the Secure Login Client on a notebook using Active Directory Microsoft Network with Kerberos integration.

When this notebook starts up outside the Microsoft network, the login on Secure Login Server doesn't work and an error message appears (see below). We receive some complaints about this message.

SSOClientMessage.PNG

We need this message not to appear when the notebook starts up outside of the Microsoft network. Is this possible?

 

Thank you in advance,

Rodrigo

Single Sign on Between Windows users to SAP BI Portal


Hi Experts,

 

I have a requirement in my company related to single sign on terminology but little different compared to other environments. The requirement is described below:

When the user is logged in to Windows by using user ID and password, then when clicking the SAP BI Portal link, which is available on the desktop of all the end users, he should log in automatically without providing any user ID and password. Right now we are using SAP Netweaver 7.0 SPS 14.

I am not sure how exactly this can be configured. I tried to find the documentation but found no results, as I see documents with SNC config are easily available.

I even thought to configure SAP Netweaver Single Sign-On 1.0, but my company is not entitled to this download.

Experts, I need immediate help on this! Many thanks in advance.

 

Regards,

Mohammed Imran


SAP NW SSO 2.0 Secure Login Library availability on IA64/Linux SUSE SLES


Currently PAM lists only Linux Red Hat as the OS supporting SSO 2.0 on Linux IA64 platform.  Considering the product is still in ramp-up, this is reasonable.

 

PAM also lists GA on 2013 Q3. Any information when SUSE Linux SLES will be supported on IA64, and which versions?

 

Thank you.

SAP Netweaver Single Sign On 1.0 Download Link

SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

SAP Netweaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using a redirect app as described in this note.

The question is, what is the best way forward, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of the /nwbc page instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf

Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

SSO to SAP EP


Hi,

 

We have a SAP EP (7.3) system integrated and SSO configured with backend SAP R/3 (ehp4).

 

Now we need to allow the customer to open our SAP portal from within their portal. That means we need to establish SSO with their portal. They use standard SSO techniques, including SAML, on their portals.

What method can I implement for this?

 

 

 

Regards,

Eben Joyson

Tracing for the new SLL 2.0 and changes in SP1


Dear Experts,

 

Yesterday I tried to enable error tracing for the new Secure Login Library 2.0 SP1 on a Windows x64 based SAP AS ABAP 7.31. I was not able to do so. During this I faced several issues, which I would like to share with you, and maybe someone can help me? :-)

From the SP1 sources of SLL I have taken the windows-x86-64 one. Confusing for me is the fact that after extraction (SAPCAR -xvf <Archive>) there are several subdirectories; compared to SP0 this seems to be new?! In the root, the sapgenpse executable and the SNC library are located (sapcrypto.dll or libsapcrypto.*), then there is a subdirectory called "sll" which contains lots of resource files and libraries like SSF etc. as well as the crl executable. Within this directory there are two additional directories, "fips" and "defaults". The first contains the FIPS 140-2 crypto kernel and the second the xml configuration files as well as the sectrace.ini, which is the trace configuration file.

 

Result after extraction of SECURELOGINLIB.SAR for windows-x86-64 to /usr/sap/<SID>/DVEBMGS<xx>/SLL

. = sapcrypto* / libsapcrypto.*

./sll = crl.exe, secssf.dll/libs*

./sll/fips = fips libs

./sll/defaults = xml and ini config files

If I do the same for SECURELOGINLIB.SAR from the SP0 package all files e.g. executables, libraries and configuration files (base.xml, sectrace.ini etc.) are in the same directory and there is only one subdirectory "fips". Is there any documentation available about this?

 

QUESTION1:

At the moment I must assume SAP has changed its directory structure since SP1. Maybe I need to copy the files out from ./defaults into the "sll" subdirectory, but as this isn't documented anywhere (?) I can only guess. Please let me know how this will work and where the library expects its configuration files.

 

QUESTION2:

According to the documentation there is no need to restart SAP service after enabling traces. Is this correct?

 

QUESTION3:

Is it required to create the Trace directory "SLLTrace" or will this directory be created automatically?

 

My sectrace.ini looks like this:

[trace]

Directory          = %.BINDIR.%/../SLLTrace (also tried with full path e.g. /usr/sap/<SID>/DVEBMGS<xx>/SLLTrace)

Level              = 3

RotateFileSize     = 10000000

RotateFileNumber   = 10

 

 

Hope my questions are clear, if not please let me know. Thanks for your support!

 

Kind regards,

Carsten

Can users without Secure Login Client still logon to AS ABAP via SAPGui with NW SSO


Good afternoon - I have a question regarding NW SSO. We are considering buying a number of licenses, but perhaps not enough for every user to be able to logon using single sign-on. So some users would have the Secure Login Client on their PCs and others would not. For the ones who don't have the client installed, they would still be able to login to a system with SAPGui by entering their username and password, right? The reason for my question is that I know that during the setup of NW SSO we will make changes in the saplogon.ini file to indicate the SNC name of the application server, and then also have to make entries in tcode SU01 for the user's SNC name. I see on the SNC tab in SU01 that there is an option to allow password logon for SAPGui, so for the users who we have not purchased a license for, could we just check that box so that they could still enter their ID and Password in SAPGui as usual?

 

I would appreciate any help with this!

 

 

Regards,

 

Blair Towe


SSO between two portals with different user names


Hello All,

 

Can I configure the SSO between the two sap portals with different userid's?

 

So far SSO is happening between the two SAP portals by creating the trust between them and having the same user IDs. But for one of the portals we have the user ID as username and the other portal has the user ID as email (username@xxxx.com). Can we configure SSO between them?

 

Regards,

Sriram.

SSO using Kerberos for AIX - How?


Hi,

I need to setup SSO in my SAP systems, using Kerberos, so that users from Windows terminals can login to a system using SAPGUI without giving a user/password.

 

I know it is possible because I have seen it somewhere in the past.

 

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about a setup where the SAP system is on the Windows platform, and I can't find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij

Client selection when logging on with SSO via web


Hi there,

 

We have a system with two clients: 101 and 202 and part of the users logon via webgui: https://..../sap/bc/gui/sap/its/webgui. Currently without SSO they choose the URL, select client, provide username/password and logon.

 

Now we want to implement SSO via X.509 certificates. When a user with SSO starts the same URL https://..../sap/bc/gui/sap/its/webgui he automatically logs on to the default client (login/system_client, which in this case is 101). He is not given the chance to select the client anymore.

 

I know that I can manipulate the URL, adding ?sap-client=XXX, but in that case I need to provide the user community with the new URLs (at a minimum the users who do not log on to the default system client). My experience is that changing URLs is very cumbersome.

 

I have thought of the following 2 options:

- using a portal to provide the links (via iviews pointing to the different clients)

- adding ?sap-client=101 and ?sap-client=202 to the URL and communicate those to the users

 

In both options, the users need to change their way of logging on.

 

Is there an option to provide the user the choice of client he wants to logon to (when logging on via SSO) and still use the normal URL for the webgui? I have tried all settings in the webgui webservice, but nothing worked (the user just logs on to the webgui immediately).

 

Thanks a lot in advance for your input!!

 

Cheers,

 

Sander.

Mixed SAP SSO/SNC implementation for SAPGUI for Windows


Hi

 

The questions concern SSO/SNC for ‘SAPGUI for Windows’ with 2 different SAP SSO/SNC implementations for Windows and UNIX. 

(SAP SSO/SNC will hereafter be referred to as SSO)

Situation

 

We have for years used SSO for all our Windows based SAP systems (the NTLM flavor) and it works just fine.

Now we plan to configure SSO for all our UNIX based SAP systems using SAP NetWeaver Single Sign-On (the ‘Secure Login Client’ and ‘Secure Login Library’ components).

Requirement

The end-users should be able to access all SAP systems using SSO, that is, typically a mixture of both Windows and UNIX based SAP systems.

Proof-of-concept

 

We have implemented the SAP NetWeaver Single Sign-On scenario ‘SAPGUI for Windows’ on one of our UNIX based SAP systems and performed a preliminary test.

The test indeed suggests that the current Windows and the new UNIX SSO implementation are conflicting.

When the Secure Login Client is installed on the end-user’s PC the new UNIX SSO implementation works just fine, BUT when logging on to a Windows based SAP system with the existing SSO implementation an error message is returned (SNC name could not be decoded).

 

Questions

 

The questions are caused by the fact that we will try to avoid a ‘big bang’ roll-out of the SAP NetWeaver Single Sign-On implementation.

 

Q1: Is a mixed SSO implementation at all possible? (i.e. only the ‘big bang’ roll-out approach is feasible)

Q2: If yes - which rules and conditions apply?

e.g. the optimal solution - if possible - for the Windows based SAP systems would be to dedicate one logon group to support the existing SSO implementation (already in place) and to dedicate another logon group* to support the new SAP NetWeaver Single Sign-On implementation, thus only end-users with Secure Login Client installed would be subject to changes.

*) application servers where Secure Login Library is installed and configured

 

Brgds

Erling
