Channel: SCN : Popular Discussions - SAP Single Sign-On

SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas


CA SiteMinder, Portal and LDAP


Hi,

 

I would like portal users who are logged into the company network to access the portal with no sign-on.

 

To achieve my goal, I think I have a couple of ways of implementation:

 

1. Use CA SiteMinder for user authentication of the portal. Question 1: do I need to have a web server for the SiteMinder web agent in front of the portal? Can the web agent be installed directly on the NW WAS where the portal is installed?

2. Use Integrated Windows authentication on portal. Question 2: I will definitely need a web server in this case, am I right?

 

Question 3: if I use CA SiteMinder for user authentication in the portal, then which UME (e.g. LDAP, Portal UME, or ABAP UME) is used does not matter, as SiteMinder will handle it via HTTP header, am I right?

 

Question 4: I read the previous discussions; it seems there is an issue for the portal admin to log in and do content admin, system admin and user admin if SiteMinder is used. What is the solution for it?

 

Thanks in advance.

Cross domain authentication using SPNego


Hi,

 

I am involved in a project where it is required to deploy SAP HCM and host a self-service portal for all colleagues in the organization. The requirement is that the portal application will be deployed in forest abc.123.com but users are spread across 4 forests, i.e. abc.123.com, efg.456.ad, hij.789.net and xyz.012.co. There is a two-way trust established from abc.123.com to each of the other 3 domains.

 

Is it possible to configure SSO using SPNego?

 

Thanks & Regards

Sreedhar Gadamsetty

SAP NetWeaver Single Sign-On Between NW 7.0 and NW 7.3


Hi All,

 

Does anyone have the document for Sign-On between NW 7.0 and NW 7.3? Please share.

 

Regards,

Surendra.

SAP NetWeaver Single Sign-on X.509 Certificate Based Authentication


Hi Experts

 

We are trying to implement SAP NetWeaver Single Sign-on X.509 Certificate Based Authentication.

 

We have followed the Best Practice Guide and also the Secure Login Server, Secure Login Library and Secure Login Client guides.

 

We have the following scenario:

 

Windows Domain "A" contains:

MS Active Directory (just to manage SAP Servers)

SAP ABAP Servers with Secure Login Library installed

NO Secure Login Clients

 

Windows Domain "B" contains:

MS Active Directory (managing users and computers / servers etc)

SAP Java Secure Login Server

SAP ABAP Servers with Secure Login Library installed

SAP Java Servers

PC's with Secure Login Client installed

 

There is no trust relationship between the Windows Domains.

 

Secure Login Clients need to single sign on to SAP systems in both Windows Domain "A" and "B"

 

So far we have Secure Login Clients being able to single sign-on to SAP Servers in Domain "B" - this is working fine.

 

However we have not been able to configure Secure Login Clients to be able to single sign-on to the SAP systems in Domain "A"

 

We have set up SPNego with a realm for each Domain and we have a service account in each Domain with a Service Principal Name, both referencing the Java Secure Login Server.

 

When we configure SNC on SAP ABAP servers in Domain "A" with certificate exported from Secure Login Server into SNC node of STRUST and set the snc/identity/as to the CN, the servers do not start?

 

Please could you advise how we can get the above scenario working?

 

Thanks in advance

Mark

Configuration LDAP and SSO in NW 7.3 Portal


Hi Guys,

 

I have doubts about setting LDAP as the data source for NetWeaver Portal 7.3. With this configuration, can Windows users log on to the SAP portal without writing their password again? Do I have to set up Kerberos as well?

If you have some guides, could you send them to me please?

My LDAP will be Windows Active Directory. Also, if I choose read-only, does that mean the Portal will only read users from AD (including new users after configuration)?

Regards,

Andy

X.509 logon to AS Java/Portal using ABAP as UME source


Hello,

 

I have set up X.509 to ABAP systems using the secure login client, X.509 for access to Web Dynpros (EXTID_DN) and X.509 certification to AS Java several times and it worked so far.

 

We have decided to change the BI Portal to use the ABAP datasource, so that users can log on with the ABAP password to the portal. The logon works but the certificate authentication does not work anymore. When I start the portal in the browser using http, the logon page comes up with username and password and a link to certificate logon below that. When I click on the certificate link, the browser switches to https but only displays username and password and not the usual "...the user ID needs to be mapped to certificate...".

 

When I look at the trace it shows this:

 

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
        #1 trusteddn1 = CN=XXX

        ....

        #6 trustediss1 = CN=XXX

        ....
        #11 trustedsys1 = XXX,000
        #16 ume.configuration.active = true
2. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      OPTIONAL    ok          false      false                
        #1 Rule1.getUserFrom = wholeCert
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false      false                
        #1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          true       true                 
5. com.sap.security.core.server.jaas.CertPersisterLoginModule              OPTIONAL    ok          true       true                 
6. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
        #1 ume.configuration.active = true
Central Checks                                                                                                true                 
Logon policies are disabled

 

 

But it is informational, no warning or errors appear in the trace.

 

I tried to set the ume.usermapping.x509_mapping.attribute to uniquename in the configuration (expert mode) of the Identity Management but to no avail.

 

I tried to find more information on the web and SMP but did not succeed.

 

Could anyone give me some ideas what needs to be changed? Obviously the main cause is that the users do not exist in the portal anymore and hence no certificates can be mapped to them. The certificates are maintained in SAP transaction EXTID_DN but the AS Java does not make use of them.

 

Regards

Andreas

 

 

SSO using Kerberos for AIX - How?


Hi,

I need to set up SSO in my SAP systems, using Kerberos, so that users from Windows terminals can log in to a system using SAPGUI without giving a user/password.

 

I know it is possible because I have seen it somewhere in the past.

 

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talk about a setup where the SAP system is on the Windows platform, and I can't find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij


SSO authentication for SAP portal navigation webservice from sharepoint 2010


Hi Experts,

 

We integrated the SAP Portal 7.3 with Microsoft SharePoint 2010 (we are showing SAP Portal pages in SharePoint). SAP Portal is using AD as UME (LDAP). We configured SPNego successfully. We are able to access SAP Portal pages from SharePoint without providing user authentication.

 

But the client wants to call the Portal using the SAP Portal provided "NAVIGATION WEBSERVICE". This part of the integration has been done.

 

Now we are calling the SAP portal from SharePoint using the Navigation webservice. When we call this service it prompts for user ID and password.

We believe the SPNego configuration does not support the SOAP protocol (I believe webservices use the SOAP protocol).

 

Is there any way to call the portal using the Navigation webservice without providing authentication?

SAP Netweaver Single Sign On 1.0 Download Link

SPNEGO SS0 7.3 Configuration


Hi Experts,

 

I want to configure SSO Kerberos. I got guides for 7.00 but not for the 7.3 version.

 

There are differences since Visual Admin is not part of it.

 

Regards.

Configure SSO in sap linux


Hi All,

I would like to configure SNC-enabled single sign-on for SAP in a Linux environment.

 

Please help me with the steps to proceed with the configuration.

 

Thanks

Srikanth

Error: Service Provider cannot load SAML2 configuration


Hi all,

 

We are configuring SAP NetWeaver AS Java 7.31 with Enterprise Portal as Service Provider (SP). The Identity Provider (IdP) is a Java-based third-party application. The scenario is an IdP-initiated Single Sign-On using SAML2.

If we try to log in, the following error message is shown in the Security Troubleshooting Wizard SAML 2.0 (Debug): Service Provider cannot load SAML2 configuration.

 

Some notes on the scenario:

  • IdP endpoints: Artifact, Single Sign-On
  • SP is configured for direct Server communication
  • Default application path: /irj/portal
  • SAML2 Login module is stored in login-stack: ticket
    • the login-module-option "provider" is configured with created SP
  • IdP is added to list trusted providers and activated

 

If you have any ideas, let me know.
Thanks a lot.

 

Kind regards,
Fabian

Multidomain SSO Configuration with ABAP backend Application Integration


Hello Community,

 

I got stuck while configuring SSO for two separate Domains.

 

Problem: integrated ABAP backend Applications do not SSO

 

We had one Domain and used Active Directory as UME Datasource and SSO to Portal AND to the integrated Portal Applications, which reside on ABAP Systems, worked fine.

 

Now we have a new Domain and Active Directory, but for the next 1 or 2 years we will use both domains and Active Directories. So I configured a new datasource.xml (multidomain), added the second REALM in the SPNEGO Wizard AND changed the mapping mode from "Principal only" to "Principal@REALM" to get SSO working again with two Domains. Portal SSO does work now but SSO for the integrated ABAP iViews does not.

 

I think the problem is that the Portal uses Principal@REALM but the ABAP backend needs only the Principal. Is there a way to only hand over the Principal to these applications? Or am I on the wrong track with this "Principal@REALM" configuration?

 

More info:

Users in AD and in the ABAP system are the same and it worked in the one-Domain scenario.

Portal is 7.02 SP11.

AD is 2003 and 2008

 

thank you in advance

 

best regards

Christoph Schmitz

Configure SSO on SAPGUI for html (webgui, no portal)


As I did not receive any reply to my earlier post, I am re-posting my question in a simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running Windows 7. With reference to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Question: Would SSO between Web AS running on HP-UX 11.31 and a client PC on Win 7 using X.509 certificates be possible without any third-party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html. Is there any other resource/blog that could help with this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.


Issuer issue from SAP SSO ticket


Hello,

 

I have an issue with the SAP Security library.

I'm trying to validate an SSO ticket. It seems the SAP Security library cannot find the certificate because of a space issue.

Indeed, the issuer of my certificate is "OU=J2EE, CN=TEST" and the issuer from the SSO ticket seems to be "OU=J2EE,CN=TEST".

For the issuer from the SSO ticket, I'm not really sure because the SAP Security library doesn't provide a method to extract the issuer field.

 

In fact, I'm using the same ticket and library in the Production environment.

And I'm trying to reproduce the ticket validation in Java.

 

My questions are:

- Can we force the issuer value to use on the SAP Security library side?

- Is this issue a known bug? If yes, which SAP Security library version should I use?

- Is there a workaround?

 

===== Ticket.toString() =====

Ticket Version  = 2

Ticket Codepage = 1100 (Encoding=ISO8859_1)

User = Z99999990742

Issuing System ID     = TEST

Issuing System Client = 000

Creation Time = 201307230729

Valid Time    = 8 h 0 min

Valid from   Tue Jul 23 09:29:00 CEST 2013   until   Tue Jul 23 17:29:00 CEST 2013

Signature (length=261 bytes)

InfoUnit 32, length=19

InfoUnit 136, length=19

InfoUnit 10, length=12

 

===== Some Test =====

com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE, CN=TEST", BigInteger.ZERO); --> Found

com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE,CN=TEST", BigInteger.ZERO);  --> Didn't find

 

====== Certificate.toString() ======

[

  Version: V1

  Subject: OU=J2EE, CN=TEST

  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

 

  Key:  Sun DSA Public Key

    Parameters:DSA

    p:     X

    q:     X

    g:     X

    y:     X

 

  Validity: [From: Fri Mar 23 14:54:28 CET 2007,

               To: Tue Mar 23 14:54:28 CET 2027]

  Issuer: OU=J2EE, CN=TEST

  SerialNumber: [    00]

]

 

====== Certificate Importation ======

> keytool -import -alias certificate -file TEST_000.crt -keypass password -keystore storekey.jks -storepass password

Propriétaire : OU=J2EE, CN=TEST

Emetteur : OU=J2EE, CN=TEST Numéro de série : 0

Valide du : Mon Sep 24 11:12:42 CEST 2007 au : Fri Sep 24 11:12:42 CEST 2027

Empreintes du certificat :

MD5:            X

SHA1 :         X

SHA256 :     X

Nom de l'algorithme de signature : SHA1withDSA

Version : 1

Faire confiance à ce certificat ? [non] : oui

Certificat ajouté au fichier de clés

 

===== Error raised =====

Caused by: java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=TEST", S/N=0) not found.

  at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:1016)

  at org.eurocopter.sap.security.impl.SAPTicketValidation.verifyTicket(SAPTicketValidation.java:231)

 

==== Java version ======

java version "1.7.0_25"

Java(TM) SE Runtime Environment (build 1.7.0_25-b17)

Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)

 

==== SAP Security version ======

environment: com.sap.security.api

Implementation-Vendor-Id: sap.com

Implementation-Version: 7.0107.20120601132146.0000

 

environment: com.sap.security.core

Implementation-Vendor-Id: sap.com

Implementation-Version: 7.0107.20120601132146.0000

SSO to SAP EP


Hi,

 

We have an SAP EP (7.3) system integrated and SSO configured with backend SAP R/3 (ehp4).

 

Now we need to allow the customer to open our SAP portal from within their portal. This means that we need to establish SSO with their portal. They use standard SSO techniques, including SAML, on their portals.

 

What method can I implement for this?

 

 

 

Regards,

Eben Joyson

SAP Portal 7.3 SPNego and NWBC SSO with ECC


I wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

 

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

The question is what the best way forward is, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of the /nwbc page instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf
Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

Mixed SAP SSO/SNC implementation for SAPGUI for Windows


Hi

 

The questions concern SSO/SNC for ‘SAPGUI for Windows’ with 2 different SAP SSO/SNC implementations for Windows and UNIX. 

(SAP SSO/SNC will hereafter be referred to as SSO)

Situation

 

We have for years used SSO for all our Windows based SAP systems (the NTLM flavor) and it works just fine.

Now we plan to configure SSO for all our UNIX based SAP systems using SAP NetWeaver Single Sign-On (the ‘Secure Login Client’ and ‘Secure Login Library’ components).

Requirement

The end-users should be able to access all SAP systems using SSO, that is, typically a mixture of both Windows and UNIX based SAP systems.

Proof-of-concept

 

We have implemented the SAP NetWeaver Single Sign-On scenario ‘SAPGUI for Windows’ on one of our UNIX based SAP systems and performed a preliminary test.

The test indeed suggests that the current Windows and the new UNIX SSO implementation are conflicting.

When the Secure Login Client is installed on the end-user’s PC the new UNIX SSO implementation works just fine BUT when logging on to a Windows based SAP system with the existing SSO implementation an error message is returned (SNC name could not be decoded).

 

Questions

 

The questions are caused by the fact that we will try to avoid a ‘big bang’ roll-out of the SAP NetWeaver Single Sign-On implementation.

 

Q1: Is a mixed SSO implementation at all possible? (i.e. only the ‘big bang’ roll-out approach is feasible)

Q2: If yes - which rules and conditions apply?

e.g. the optimal solution - if possible - for the Windows based SAP systems would be to dedicate one logon group to support the existing SSO implementation (already in place) and to dedicate another logon group* to support the new SAP NetWeaver Single Sign-On implementation thus only end-users with Secure Login Client installed would be subject to changes.

*) application servers where Secure Login Library is installed and configured

 

Brgds

Erling
