Channel: SCN : Popular Discussions - SAP Single Sign-On

SAP NWSSO2.0 SP03 SPNEGO not working( No Webgui/NWBC or Portal )


Login testing the service WebGUi

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui –test the service

Getting this Prompt for first AD user ID and Password and then SAP user ID and Password.

2. Same thing happens with NWBC and BW-Portal login - it prompts for AD ID and then SAP ID and password.

 

Whereas ABAP SSO works perfectly.

 

 

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

 

NWSSO Configuration Steps.

1.  Service User in the MSAD for AS-ABAP or AS-JAVA/Portal with following information

  • User ID: SAPService<SID>(existing individual<SID> Service user id)

  • Set the User cannot change the password

  • Set Password never expire

 

2.  Created SPN for this Service User

  • For ABAP -SAP/SAPService<SID>

  • Web (HTTP/ Hostname for ABAP apps server)

 

3.  Installed Secure Login Library on SAP Server

  •  Created a folder name (SLL)in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

   • Verified SLLibrary:(Version - 8.4.18.0)

(Starting with NW7.4, the sapcrypto library is included; check that the version is the same in the SLL directory and in the Kernel Dir.)

 

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com

   snc/enable  = 1

   snc/accept_insecure_cpic = 1

   snc/accept_insecure_rfc = 1

   snc/accept_insecure_gui = 1

   snc/data_protection/min = 3

   snc/data_protection/max = 3

   snc/data_protection/use = 3

   snc/permit_insecure_start = 1

   snc/r3int_rfc_qop = 8

   snc/r3int_rfc_secure = 0

   snc/force_login_screen = 0

   spnego/enable = 1

   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

 

5.  Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified 

        #sapgenpse seclogin -l -v

6.  Configured Credential file and verified

7.  Install Secure Login Client and defined SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configure User Mapping in SAP AS ABAP – SNC name – p:CN=<USERID>@MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10.     SPNEGO Configuration:

     a.  Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO

     b.  Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.

 

For WebGui all the required services are activated and published via SICF and also per http://scn.sap.com/docs/DOC-29485

 

Created SAP Message and SAP also confirmed all your setting looks and Kerberos being case sensitive, but since my ABAP SSO is working, that possibility is also ruled out.

 

Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get the Webgui or NWBC resolved, which uses the SPNEGO configuration.


SAP Fiori Authentication and WAN access


Hi all,

 

We currently have SUP, Afaria and Relay servers on our environment.

We want to implement SAP Fiori but we have not found much information/documentation on how devices connect from the internet to Fiori.

We have the understanding of the installation and configuration for Fiori and the backend(ECC) but we are still puzzled on how we can get devices to communicate with Fiori server.

 

Our goal is to have SSO for Fiori (See below: Ref: Security aspects of SAP Fiori (Authentication, SSO, etc.))

Screenshot - 2014_09_16 , 10_56_12 AM.png

We have seen some architectural diagrams that mention using a Web Dispatcher in the DMZ, but we wanted to try to reuse existing mobile platform resources such as the Afaria and Relay server.

 

 

Is it possible to use the Afaria as the MDM and Relay server as a reverse proxy for a NetWeaver stack (Fiori)?

 

Thank you in advance

Keo

SPNego Authentication for JAVA stack


Hi All,

 

We are configuring SPNego Authentication to SAP NW 7.4 portal and Windows AD.

 

SAP NW 7.4 is on SP08 in AIX 7.1 and Windows AD on Windows 2012 server. As described in help.sap.com documentation we have done below steps.

 

1. Created service user in Windows AD with no expire and no password change.

2. Created REALM as explained.

3. Created and configured SPNegoLoginModule in NWA.

 

But still we are not able to login to NW 7.4 with kerberos authentication. We found below errors and warnings in security troubleshooting wizard in NWA.

 

Error:

 

Invalid ticket endtime: 20150309155820Z

11:42:14:338 Error Guest HTTP Worker [@907185622],5,D... ....core.server.jaas.SPNegoLoginModule

Could not validate SPNEGO token.

 

Warning:

 

Can't map exception.

[EXCEPTION] com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

 

Kindly Suggest,

 

Regards,

Sree

entered a wrong pass word


Hi, good morning everyone

I have entered a wrong password in my login ID

Now I am not able to log in. Can anyone help me out?

thank you

BusinessObjects 4.1 Trusted Authentication using NW SSO 2.0 SLS


Hello,

 

Due to a recent requirement on our site to move from a Single Domain to a one-way trust multi-domain user base, we are moving from the Standard SPNEGO Kerberos Product and have installed the Secure Login Server. This works fantastically well and we can log in with both domain users to the SAP GUI / NWBC and Personas.

 

I now need to move over from AD Authentication in BusinessObjects to Trusted Authentication, but there seems to be a total lack of documentation in the area. Surely SAP would want BO to work with its own SSO technologies?

 

So far I have done the following with Business Objects: enabled trusted authentication, enabled HTTPS with client authentication, and created an Enterprise user with the same name as my CN.

 

I have tested using a customer JSP that tomcat is receiving my client certificate and have read out the Username.

 

I know there is more configuration to do but I don't know what more there is? SAP can you comment?

 

Kindest Regards

Mike

Implementing Single Sign-On 2.0 based x.509 using SAP Netweaver 7.4


Hi Experts,

 

I need to implement SAP NetWeaver Single Sign-On 2.0 using X.509 certificates and NetWeaver 7.4 at a customer. Here in SCN there are five videos about this subject, but for SSO version 1.0 and old NetWeaver. (SAP ECC and HCM)

Can someone help me with documentation, comments or even videos?

 

 

Thanks a lot to everybody.


"GSS-API(maj): No credential were supplied"


Hi all,

 

 

We are making a proof of concept on SSO on ABAP (SAP-GUI + web) via SAP Secure Login Client and SPNEGO for ABAP.

All YouTube video configurations have been performed. You know: Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube (and so on).

 

 

When I try to logon on via SAP-GUI I get a: "GSS-API(maj): No credential were supplied Unable to establish the security context target="p:CN=SL-service-user@xyz.com"

 

 

The SNCAX_TEST program works fine on the above service-user (defined in SPNEGO).

Service-user defined in SAP-GUI (SNC)

The end user in SU01 has been updated on SNC with the token name from the SAP Secure Login Client

 

Method: SncPEstablishContext

System call gss_init_sec_context

 

I have looked into SAP notes (error codes etc.) + googling this and other communities without luck.

 

All your input/help is very welcome.

 

Thanks in advance

Peter


How to implement SSO / SSL / X.509 / SAML based Authentication for SAP UI5 based Apache Cordova/PhoneGap App using JavaScript?


Hello,

 

I have developed a Mobile App using SAP UI 5 framework, HTML, JavaScript and Apache Cordova / PhoneGap.

 

The app is completed, but I am still stuck with the Login Authentication task. The code which I have written, pertains to OData Service based BASIC Authentication using Username and Password(which the user enters through the app's UI). The code works fine for Valid Login credentials, but doesn't work at all, when the user enters Invalid credentials.

 

I came to know that instead of using BASIC Authentication (with Username and Password), either of SSO / SSL / X.509 or SAML based Authentication mechanisms needs to be used for SAP UI5 mobile app.

 

I researched and found some links which speak about SSO Authentication but are either for Java EE or Microsoft .Net applications (and they are irrelevant in my context).

 

I am looking for code which is in JavaScript, as my entire app is HTML, JavaScript with SAP UI5 framework, and I have also used Apache Cordova/PhoneGap to transform my HTML and related project files into an iOS app (and later it will be morphed into an Android app as well).

 

It would be of great help, if I could get any sort of help, either in the form of sample code or some leads.

 

PLEASE NOTE ->

  1. For the rest of the app's Business Logic, I have used OData services and " OData.read(...); " statements to fetch the data and store them in  "sap.ui.model.json.JSONModel(); "model, for further manipulations and binding them to the UI controls.
  2. In case the SSO / SSL or any such implementation needs any additional setup or any kind of modification in the code to fetch the data, kindly highlight that as well.
  3. And at this instant, we do not intend to use SAP HANA Cloud Platform, as it does not fall under our project scope and requirements.

 

Thanks and Regards,

Suraj Kumar Y Midgay

Single Sign-On with Kerberos


Hi,

Trying to configure SSO with Kerberos [NW SSO 2.0], followed the steps: 1. Create service user in ADS 2. Copy Secure Login Library files to ABAP System [Unix] 3. Configure SNC profile parameters.

 

After the profile parameter changes, we did the application restart, but the system is not coming up and we found the following error in the trace file

 

  *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED

  "Unable to find library 'sncgss.so'."  [dlux.c       445]

N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c  731]

 

Yes, the file is not available in the system, how to get the snc related files/libraries?

 

Regards,
Sam

Configure SSO on SAPGUI for html (webgui, no portal)


As I did not receive any reply on my earlier post, re-posting my question in simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.


(Kerberos Authentication) Windows AD id and SAP GUI id's are different


Hi All,

 

We are planning to implement Kerberos authentication using our Windows AD. I have the below queries regarding the same.

 

1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31; will this support Kerberos authentication?

2. If it does, we have different user IDs in Windows AD and ECC for the same user. Will this be supported? (For example, in Windows AD we have SSOTEST, and the same user has TESTSSO in ERP.)

3. Does Kerberos authentication require a separate license?

 

If possible provide links for the same.

 

Regards,

Sree

Secure Login Client - Kerberos Token disappeared


Dear Colleagues,

We are using Secure Login Kerberos Token for our SSO in the SAP GUI. SAP GUI Version is 7.30 Patch 5 and Secure Login is Version 2, Support Package 3, Patch level 2.

In rare cases endusers are not able to login via SSO. When we check the PC and open SAP Secure Login Client we detect that there is no Kerberos Token to select. At the moment our solution is to reinstall the whole SAP Secure Login Client with the SAP GUI for the user.

We are not sure why a Kerberos token would suddenly not be available in the SAP Secure Login Client. Any idea in which area to look?

Regards,

Alexander

Unify SSO (w kerberos auth.) for all SAP applications


Hello,

 

We've successfully implemented SSO authentication processes with our Kerberos token for SAP GUI.

Now we'd like to unify the authentication process for all SAP applications, not only SAP Logon for SAP Gui.

 

Is there a way to have for example the Business Explorer tools like Query Designer to use SSO authentication? I couldn't find an option for that.

 

And is it possible to use Kerberos authentication when calling up the ICM addresses of our SAP systems? With SAP Portal it's no problem, we are already using that as a pre-authentication step with Logon tickets, but the ICM address itself without using the SAP Portal before doesn't offer SSO processes, am I right?

 

Thank you for your help.


BW SSO2 and BO


Hi experts,

 

We have implemented SSO2 in our BW system and it's working fine. The problem is on our BO (4.1, SP3). When I start a webi report, using the scheduling, we always receive the error message:

 

Database error: Unable to connect to SAP BW server Incomplete logon data.. (IES 10901)


I've read 1 million notes, but till now, no luck. I saw the light after reading this thread:


Re: Issues with SNC SSO after upgrade to 4.1 sp05 patch 1


but no luck. Even after deploying gx64krb5.dll in our BO server (CMC and SNC_LIB) we still have the same error.


I have these parameters on BW side:


profile:


spnego/krbspnego                            /usr/sap/XXX/SLL/libsapcrypto.so

spnego/krbspnego_lib                        /usr/sap/XXX/SLL/libsapcrypto.so

spnego/enable                               1

snc/force_login_screen                      0

snc/r3int_rfc_secure                        0

snc/r3int_rfc_qop                           8

snc/data_protection/use                     3

login/password_max_idle_productive          120

login/min_password_lowercase                1

login/min_password_uppercase                1

login/password_compliance_to_current_policy 1

snc/permit_insecure_start                   1

ssf/name                                    SAPSECULIB

snc/identity/as                             p:CN=SAP/KerberosXXX@XXXXXXXXXXXXXXXXXXXX

snc/enable                                  1

snc/data_protection/min                     2

 

 

SNC0 - it's GREEN

strust and strustsso2 - certificates of (BO server) are in, with both clients (000 and 100)

BO user has the correct permissions and SNC is activated with SNC DATA (GREEN)

 

 

BO SIDE:

 

 

CMC:

 

   Entitlement Systems  : ok

role import: ok

 

SNC settings:

 

Enable Secure Network Communication [SNC]  - checked

Prevent insecure incoming RFC connections - checked

 

SNC library settings : C:\sapcrypto\gx64krb5.dll

SNC name of SAP system: p:CN=SAP/KerberosXXX@XXXXXXXXXXXXXXXXXXXX

SNC name of Enterprise system : p:CN=XX, OU =XXX, O=XXX, L=XXXXXXXXX, C=XX


OPTIONS:


SAP SSO Service : Keystore was uploaded


OS:


SNC_LIB environment variable to point to C:\sapcrypto\gx64krb5.dll



Please help



thx in advance

 

Nuno

SSO with Kerberos Authentication-"Upload Protected Area"


Hi All,

 

I am having EHP1 for NW 7.3 installed on windows 2008 R2 and I am trying to do SSO with ADS.

I am following the steps as below :

 

  1. Created administrator user user1 and disabled "Use Kerberos DES encryption type for this Account" and checked "Password never expire option"
  2. setspn -a HTTP/javahost.mydomain.com user1
  3. Logged into javahost:port/nwa
  4. Generated Keytab file in Domain server:

ktab -a user1@MYDOMAIN.COM -k keytab

  5. Imported the keytab into the JAVA system:

http://javahost:port/spnego Kerberos Realm --> edit --> Keys --> Update Keys --> uploading keytab file --> browse --> selected file and IMPORT --> Save.

  6. Activate the REALM.
  7. Adjusted the authentication stack:

EvaluateTicketLoginModule   SUFFICIENT
SPNegoLoginModule           OPTIONAL
CreateTicketLoginModule     SUFFICIENT
BasicPasswordLoginModule    REQUIRED
CreateTicketLoginModule     REQUIRED
--> Save.

  8. Did the necessary settings in the browser. When tried to open the URL http://<server>:<port>/XMII/Menu.jsp

 

I get a Windows security and "Upload Protected Area" message to enter credentials as shown in pictures.

 

Windows+Security.png

Upload_Protected_Area.png

 

 

 

I am able to Login through LDAP User credentials.

 

It skips the SAP login page but it shows the Windows security prompts. How to skip the SAP login page as well as the Windows Security prompts?

 

Please Help out to resolve this Issue.

 

Thanks in advance!!!

Import of SAP Server Certificate in SNC X.509 method


Hello,

 

We are in the process of implementing SAP NW SSO for SAP GUI with SAP ECC Systems.

As per the Secure Login Library Guide, we have extracted the Secure Login Library file in the desired location and set the profile parameters as mentioned in the Guide.

 

Now we are configuring the SNC X.509 Configuration, and it says to import the SAP Server Certificate using Tx: STRUST.

 

From where do we get the SAP Server Certificate? We have created a PSE using Tx: STRUST, which appears at OS level in the structure /usr/sap/SID/DVEBMGS<>/sec .

 

We are stuck in this step; we are not able to import the SAP Server Certificate.

 

After the completion of X.509 Certificate, we would be going ahead with SNC Kerberos Configuration.

 

 

Please provide suggestions and inputs.

 

Regards,
Deepak

SSO with NWBC - Different user access


Hi All,

 

We have implemented the SAP Netweaver Single Sign-On 2.0 in our SAP HR system, configured the SPNEGO and SNC parameters, created a user in the AD etc. and the configuration is working fine.

We are able to logon into ABAP side through SSO (With Secure login client installed on the PC).

We are using SAP HR renewal in our SAP HR system so a high number of users access to the system through the SAP Netweaver Business client and not through SAP GUI.

We know that we can logon into the abap side with a different user that logged on the domain with secure login client so a new token is generated and the "new user" can be log on into SAP with SSO.

 

The question is, is there any way in order to do the same behaviour with SAP Netweaver Business client?

 

The HTTP SSO with NWBC is done with the service principal names created in the AD:

HTTP/hostname.xxx.ddd

So we are not able to logon into the system (with NWBC) with a different user than logged in the domain and we would like to do that to resolve the incidents in the users PCs.

 

How can we do that?

 

Many thanks and best regards,

