Quantcast
Channel: SCN : Popular Discussions - SAP Single Sign-On
Viewing all 1248 articles
Browse latest View live

SM59 Authorization test (SNC required for this connection)

November 14, 2014, 2:51 am
$
0
0

Hello,

 

I have just recently setup SSO in our test systems and received some intermittent error when checking the authorization test of RFC ABAP Connection. We have specific job that's connecting to our EWM test to ERP test system via RFC ABAP Connection. The job sometimes successfully finished and sometimes not. It is giving error "SNC required for this connection" and when I checked the target system in SM59 and check the authorization test it is giving the same error. But after some minutes the authorization test went successfully and the job was successfully finished also.

 

For SSO this are the parameters I set:

parameters.JPG

 

Any idea on this error?

Additionally, I checked sm21 and st22 but I didn't find anything related to the error. Also in our development systems where SSO is also setup, we didn't received the same issue.

 

 

Regards,

Florence

Search

Import of SAP Server Certifiacte in SNC X.509 method

July 13, 2012, 9:17 am
$
0
0

Hello,

 

We are in proces of implemeneting SAP NW SSO for SAP GUI with SAP ECC Systems.

As per the Secure Login Library Guide, we have extracted Secure Login Library file in desired locatoin and set the profile parameters as mentioned in Guide.

 

Now we are configuring the SNC X.509 Configuartion, and it says to import the SAP Sever Cerificate using Tx : STRUST.

 

Form where to get the SAP Server Certificate, we have created PSE suing Tx : STRUST which apprears in OS level in structure /usr/sap/SID/DVEBMGS<>/sec .

 

We are stuck in this step, we are not able to import the SAP Server Certifiacte.

 

After the completion of X.59 Certificate, we would be going ahead with SNC Kerberos Configuration.

 

 

Please provide suggestions an inputs.

 

Regards,
Deepak

Is it possible to login into the Java instance without password's input, using only my Windows workstation authorization?

October 30, 2014, 7:14 am
$
0
0

Dear Sirs,

 

 

I try to do an authorization to my NW 7.3 Java instance through my Windows domain authorization.

I done:

1) Create connection to LDAP-server and tested it.

2) Add windows domain certificate to TrustedCAs

3) Configure SPnego

 

Now, I can to login in my NW7.3 Java instance with my windows password, but however I must to input password when I open NW7.3 Java homepage.

Is it possible to login into the Java instance without password's input, using my windows workstation login/password?

What I have to do for that?

 

I use Windows XP on my workstation and IE 8.0.6 & Chrome 38.0.2125.

 

 

Best regards,

Alexey Lugovskoy

SSO using Kerberos for AIX - How?

November 9, 2012, 3:24 am
$
0
0

Hi,

I need to setup SSO in my SAP systems, using Kerberos, so that users from Windows terminals can login to a system using SAPGUI without giving a user/password.

 

I know it is possible because I have seen it somewhere in the past.

 

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about setup where SAP system is on Windows platform, but I cant find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij

SAML 2.0 and AD Security Group Membership

November 5, 2014, 10:30 am
$
0
0

In ADFS 2.0, as a part of the token, I can pass the AD
security groups the user is in. Does SAP SSO have the ability to send and
receive SAML 2.0 tokens with AD security group membership?

"GSS-API(maj): No credential were supplied"

November 6, 2014, 10:44 pm
$
0
0

Hi all,

 

 

We are making a proof of concept on SSO on ABAP (SAP-GUI + web) via SAP Secure Login Client and SPNEGO for ABAP.

All youtube-video configrations have been performed . You know: Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube (and so on ).

 

 

When I try to logon on via SAP-GUI I get a: "GSS-API(maj): No credential were supplied Unable to establish the security context target="p:CN=SL-service-user@xyz.com"

 

 

The SNCAX_TEST programs works fine on the above service-user (defined in SPNEGO).

Service-user defined in SAP-GUI (SNC)

The end user in SU01 has been updated on SNC with the token name from the SAP Secure Login Client

 

Method: SncPEstablishContext

System call gss_init_sec_context

 

I have looked into SAP notes (error codes etc.) + googling this and other comminties without luck .

 

All your input/help is very welcome.

 

Thanks in advance

Peter

Assistance with SingleSignOn for BusinessObjects BI Platform 4.0

October 6, 2014, 9:18 am
$
0
0


I am workinig on setting up SSO for BO4.0 in the following environment:

Windows 2008 Server

Apache Tomcat 7.0

BusinessObjects BI Platform 4.0

 

The instructions from http://scn.sap.com/docs-DOC-26314 have been followed along with the instructions at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4 AND Steve Fredell's document referenced at http://alteksolutions.com/sp/index.php/2012/02/active-directory-andsso-bi4/.

 

I receive an error when testing the manual logon to the BI Launchpad (step 8 on the first two documents, section 6 of the S. Fredell document).  When trying to navigate to the BI Launchpad, the logon page displays but it automatically displays the error:

 

Account Information Note Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a vald mapped group and try again.  If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006).

 

And, I do not get a 'commit succeeded' entry in the tomcat7-stdout log.  Instead, I get:

 

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false                    [Krb5LoginModule] user entered username:  @ABC.ABC

                    [Krb5LoginModule] authentication failed Generic error (description in e-text) (60)

 

(NOTE:  ABC.ABC is in place of the actual domain info.)

 

However, it will allow me to manually tupe in my AD credentials.  Once I do this, even though I got the FWM 0006 error, then I get the 'commit succeeded' entry in the tomcat7-stdout log file.

 

I have also tried continuing on with the instruction with step 9, however, I continue to get the FWM 00006 error on the BI Launchpad logon screen and I do not get the 'credentials obtained' in the stdout log file.  At this point after implementing the items in step 9, since the Tomcat (java tab) now knows the service account password, it should log me on automatically and it does not.  I can't help but think it is related back to the FWM 00006 error.

 

I've, along with coworkers, have checked the syntax of the krb5.ini, bscLogin.conf, and global.properties files and all are good.  The spns on the AD service account also appear to be good.

 

Any suggestions or recommendations?  I'm under a time crunch, so if I can't get this working, I may be looking at a SiteMinder soultion for SSO in BO.

 

Thanks!

SSO for fiori apps

March 13, 2014, 2:15 am
$
0
0

Hi ,

 

I would like to configure SSO for fiori apps based on windows authentication , what things are required to do so .

 

like any changes on users settings , fiori launchpage .

 

Also i want to map several windows user id to single sap user id , it this possible ?

 

 

Regards

Yashpal

Search

Configure SSO on SAPGUI for html (webgui, no portal)

September 3, 2012, 11:47 pm
$
0
0

As I did not receive any reply on my earlier post, re-posting my question in simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.

CA SiteMinder, Portal and LDAP

July 12, 2013, 3:07 pm
$
0
0

Hi,

 

I would like to have the portal users who logged into the company network will access portal with no sign-on.

 

To achieve my goal, I think I have a couple of ways of implementation:

 

1. Use CA SiteMinder for user authentication of portal. Question 1: do I need to have a web server for SiteMinder web agent in front of portal? Can the web agent be installed directly on the NW WAS where portal installed?

2. Use Integrated Windows authentication on portal. Question 2: I will definitely need a web server in this case, am I right?

 

Question 3: if I use CA SiteMinder as user authentication in portal, then what UME (e.g. LDAP, Portal UME, or ABAP UME) is not matter, as SiteMinder will handle it via HTTP Header, am I right?

 

Question 4: I read about the history discussion, it seems there is an issue for portal admin to login, do content admin, system admin, user admin if use SiteMinder. What is the solution for it?

 

Thanks in advance.

How to trace browser logon process (ABAP, SPNEGO, SNC)

November 18, 2014, 4:56 am
$
0
0

Hi all,

 

We are currently trying out the SAP Single Sign-On client using SPNEGO on the ABAP application server.

Everything works fine (most of the time ) on both: SAP-GUI, bsp's, its, web dynpro for ABAP, etc.

 

But sometimes in the browser I am presented a logon screen instead.

 

Can anyone of you experts point out a trace method that shows me the logon procedure/sequence going on between the browser client and the backend? Perhaps an existing trace tool on the ABAP side?

 

Thanks in advance

Peter

SAML 2.0 and AD Security Group Membership

November 5, 2014, 10:30 am
$
0
0

In ADFS 2.0, as a part of the token, I can pass the AD
security groups the user is in. Does SAP SSO have the ability to send and
receive SAML 2.0 tokens with AD security group membership?

SAP GUI SSO with MSADS

November 20, 2014, 7:28 am
$
0
0

Hi,

We have ECC 6.0 on NW 7.31 on Linux platform. End-users use Windows 7 and SAP Gui to login to ECC. At present users log-into their desktops and then again login to SAP though GUI using there respective passwords.

I am looking for some solution to configure SSO on SAP Gui with MSADS. So that once the user logs on the desktop, he does not have to re-authenticate on sap gui to connect ECC. I want some solution where we don't have to install any tool/library on user desktop and there is minimum foot prints on user machines.

I heard that NW 7.31 SP-15, SAP Gui can have SSO with MSADS using SPNEGO etc.

Please suggest some solution.

 

Thanks

Vik

Single Sign-On with Kerberos

June 17, 2014, 2:42 am
$
0
0

Hi,

Trying to configure sso with kerberos[NW SSO 2.0], followed the steps 1. Create service user in ADS 2.Copy Secure login library files to ABAP System [Unix]3.Configure SNC Profile parameters.

 

After the profile parameter changes, we did the application restart, but the system is not coming up and we found the following error in the trace file

 

  *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED

  "Unable to find library 'sncgss.so'."  [dlux.c       445]

N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c  731]

 

Yes, the file is not available in the system, how to get the snc related files/libraries?

 

Regards,
Sam

SAP Portal 7.3 SPNego and NWBC SSO with ECC

May 1, 2013, 7:49 pm
$
0
0

Wanted your expert opinion on something. We have using NWBC 4 and got Portal 7.3 in our landscape. We have established SPNego for IE single single on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this been a massive hunt for right solution.

 

SAP Netweaver SSO is obvious solutions, but seems it involves some licence cost. Other option was to redirect NWBC to Portal and then back using redirect app as described in this note.

Question is, what is best way forward, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in we are able to see web page of /nwbc page instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdfNote 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

Search

Secure Login Web Client - SPNegoLoginModule

February 15, 2013, 8:48 am
$
0
0

Hi Experts

 

We are trying to use the Secure Login Web Client to provide authentication to our MS Active Directory using the SPNegoLoginModule

 

We are receiving an authentication error.

 

SAP have informed us that the above is not supported although it is detailed in the Secure Login Server guide?

 

Can you clarify please?...has anyone got this working?

 

Thanks

Mark

SSO 2.0 SP04 Assistance

November 25, 2014, 2:35 am
$
0
0

Dear Guru,

 

We have been trying to configure Secure Login Client (SSO 2.0 SP04).

 

Upon installation of the Secure Login Client, we were able to acquire Kerberos Tokens, but none for SPNEGO (X.509 Certificates). We have been getting errors like "Supplied credentials not accepted by server".

 

Installation Reference: scn.sap.com/docs/DOC-40179

 

Issue was encountered during phase 3 of the reference. We followed the instructions to a tee, and got lost due to some SP differences. Although, we did manage to extract the Root CA and Registry Entries.

 

Any thoughts or advise on where to check. Thank you.

 

Regards,

 

 

Tom

How to implement SSO / SSL / X.509 / SAML based Authentication for SAP UI5 based Apache Cordova/PhoneGap App using JavaScript?

April 22, 2014, 4:35 am
$
0
0

Hello,

 

I have developed a Mobile App using SAP UI 5 framework, HTML, JavaScript and Apache Cordova / PhoneGap.

 

The app is completed, but I am still stuck with the Login Authentication task. The code which I have written, pertains to OData Service based BASIC Authentication using Username and Password(which the user enters through the app's UI). The code works fine for Valid Login credentials, but doesn't work at all, when the user enters Invalid credentials.

 

I came to know that instead of using BASIC Authentication (with Username and Password), either of SSO / SSL / X.509 or SAML based Authentication mechanisms needs to be used for SAP UI5 mobile app.

 

I Researched and found some links which speak about SSO Authentication but are either for Java EE or Microsoft .Net applications(and they are irrelevant in my context).

 

I am looking for code, which is in JavaScript, as I my entire app is HTML, JavaScript with SAP UI5 framework and I have also used Apache Cordova/PhoneGap to transform my HTML and related project files into an iOS app( and later will be morphed into an Android app as well).

 

It would be of great help, if I could get any sort of help, either in the form of sample code or some leads.

 

PLEASE NOTE ->

  1. For the rest of the app's Business Logic, I have used OData services and " OData.read(...); " statements to fetch the data and store them in  "sap.ui.model.json.JSONModel(); "model, for further manipulations and binding them to the UI controls.
  2. In case the SSO / SSL or any such implementation needs any additional setup or any kind of modification in the code to fetch the data, kindly highlight that as well.
  3. And at this instant, we do not intend to use SAP HANA Cloud Platform, as it does not fall under our project scope and requirements.

 

Thanks and Regards,

Suraj Kumar Y Midgay

SSO (MSAD PKI) X.509 certificate attributes for user mapping in Secure Login Client

November 4, 2014, 3:16 am
$
0
0

Hello Experts,

 

Need some help on how to force SAP Secure Login Client to use X.509 user certificate's 'Subject Alternative Name' attribute as a mapping field for SSO instead of using 'Subject Name' field as it does out of the box.

 

 

Problem description:

 

We have configured NW SSO 2.0 SP04 test solution on our ERP 6.04/NW7.01 ABAP system using SAP CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe. We are using X.509 user certificates generated by our own MSAD PKI.

 

Secure Login Client takes certificate's 'Subject Name' attribute field as a user's mapping field for establishing trust and allowing user to logon using SSO to SAP system, but the problem is that our 'Subject Name' contains Common Name attribute which is NON-unique and with special characters.

 

Having that in mind, SNC User mapping is hard to define and maintain.

 

Question: Is it possible to use X.509's 'Subject Alternative Name' attribute within Secure Login Client application? That field is unique for each user.

 

 

Regards,

Stanislaw Przytulski

JCo connector connection test is failing in all Portal systems

November 21, 2014, 7:28 am
$
0
0

Hi,

We are getting the error in JCO connector connection test. The first and second connection test i.e. SAP WEB AS connection& ITS connection are working fine but the third connection test->connection test for connector is failing in all the EP system.

 

in the test result its showing Connection failed. Make sure SSO is configured correctly.

 

We tried all the possible solutions modifying object details checking in portal, re-configuring SSO but nothing works.

 

Also we tried checking the error in DIAG tool as per sap Note. but the diag tool doesn't give any specific logs for this particular error.

 

The error that we get in dev_jrfc.trc when we do the connection test is-

 

Error> occured  >Fri Nov 21 20:17:31,982<    >RfcGetException rc (7) message: Name or password is incorrect (repeat logon)

<RfcGetException

 

 

 

Important Point to note:

The logon method that we use in the object is "SAPLOGONTICKET" when we change this to "UIDPW" and maintain the user details in user administration for this connection ,the connection test seems to work fine. but we cannot proceed with UIDPW option.

 

Now the issue stands here that we are not getting which user is maintained and where it is maintained when we use the logon method SAPLOGONTICKET in object details.

 

Please advice and help us on this as due to this our production EP migration is getting delayed, it is a big show stopper and issue needs to be fixed immediately.

 

Thanks & Regard,

Rajdeep

Viewing all 1248 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>