Channel: SCN : Popular Discussions - SAP Single Sign-On

SPNEGO Key generation error


Hello,

I want to configure SPNEGO on a NW 731 and am getting a warning message when generating the keys during the configuration:

Error during generation of encryption key with type AES256-CTS-HMAC-SHA1-96: Illegal key size. Check the crypto policy file in use and also SAP Note 1240081

The SAPCryptolib and JVM are up to date.

Thanks

Steven


SSO message, outside of microsoft network


Hi all,

We installed the SSO application on the IDD system, and the Secure Login Client on a notebook using an Active Directory Microsoft network with Kerberos integration.

When this notebook starts up outside the Microsoft network, the login on Secure Login Server doesn't work and an error message appears (see below). We receive some complaints about this message.

SSOClientMessage.PNG

We need this message not to appear when the notebook starts up outside of the Microsoft network. Is this possible?

Thank you in advance,

Rodrigo

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException

Hi,

We are in the process of configuring SSO on the BO server with "Windows AD authentication".

Manually we are able to log in, but with SSO we are unable to log in. The Windows authentication window pops up, but when I provide the user ID and password manually, it gives the error mentioned below:

 

 

ERROR

 

Type Status report

 

HTTP Status 500- 

 

message com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException:
Successfully matched service principal "sapbotservicesso@ROOT.LOCAL"
but not key type (18) + KVNO (3) in this entry: Principal: [1]
SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu Jan 01 01:00:00 CET 1970 KVNO: -1 EncType:
23 Key: 16 bytes, fingerprint = [af a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0
74] )

 

 

description The
server encountered an internal error (com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level:
com.dstc.security.kerberos.KerberosException: Successfully matched service
principal "sapbotservicesso@ROOT.LOCAL" but not key type (18) + KVNO
(3) in this entry: Principal: [1] SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu
Jan 01 01:00:00 CET 1970 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [af
a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0 74] )) that prevented it from
fulfilling this

 

 

Apache Tomcat 6.0.35

 

If anyone has faced the same problem, please share the solution.

 

Regards

Arpan Saini

SSO using Kerberos for AIX - How?


Hi,

I need to set up SSO in my SAP systems, using Kerberos, so that users from Windows terminals can log in to a system using SAPGUI without giving a user/password.

I know it is possible because I have seen it somewhere in the past.

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about setups where the SAP system is on the Windows platform, and I can't find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij

Configuration LDAP and SSO in NW 7.3 Portal


Hi Guys,

 

I have doubts about setting LDAP as the data source for NetWeaver Portal 7.3. With this configuration, can Windows users log on to the SAP portal without writing their password again? Do I have to set up Kerberos also?

If you have some guides, could you send them to me please.

My LDAP will be Windows Active Directory. Also, if I choose read only, does that mean that the Portal will only read users from AD (including new users after configuration)?

Regards,

Andy

Configure SSO on SAPGUI for html (webgui, no portal)


As I did not receive any reply on my earlier post, re-posting my question in simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to log in via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME.)

But we have 4 domains in a forest. So, according to note 994791 that states:

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

...I have configured SPNEGO only for the realm that hosts the SPN.

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe


Secure Login Client -credential problem


Hello,

I am facing a problem when requesting an X.509 certificate.

After starting my computer and logging in with my domain user, I double-click on the Secure Login Client.

I can see a Kerberos profile and a grey "You are not logged in (Secure-Login-Server)" profile.

When I click on the grey Secure-Login profile, it prompts with a disclaimer message and then stops with the error message:

"Angegebene Credential werden vom Server nicht akzeptiert"
in English
"Specified Credentials not accepted from Server"

On the Domain Controller event log I cannot see an error.

Does anybody have a solution?

Thanks
Steven

Can users without Secure Login Client still logon to AS ABAP via SAPGui with NW SSO


Good afternoon - I have a question regarding NW SSO. We are considering buying a number of licenses, but perhaps not enough for every user to be able to logon using single sign-on. So some users would have the Secure Login Client on their PCs and others would not. For the ones who don't have the client installed, they would still be able to login to a system with SAPGui by entering their username and password, right? The reason for my question is that I know that during the setup of NW SSO we will make changes in the saplogon.ini file to indicate the SNC name of the application server, and then also have to make entries in tcode SU01 for the user's SNC name. I see on the SNC tab in SU01 that there is an option to allow password logon for SAPGui, so for the users who we have not purchased a license for, could we just check that box so that they could still enter their ID and Password in SAPGui as usual?

 

I would appreciate any help with this!

 

 

Regards,

 

Blair Towe

Kerberos/GSS API changed from RHEL to RHEL6?


Hello Experts,

 

For our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack no longer authenticates via SSO. All I get is a funny error popup "SAP System Message: S".

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]
N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]
M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]
M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1
M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]
M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1
snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/extid_login_diag = 1
snc/permit_insecure_start = 1
ssf/name = SAPSECULIB

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1
krb5-libs-1.6.1-70.el5
krb5-libs-1.6.1-70.el5
krb5-workstation-1.6.1-70.el5
libgssapi-0.10-2
pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
krb5-libs-1.10.3-10.el6.x86_64
krb5-workstation-1.10.3-10.el6.x86_64
libgssglue-0.1-11.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64

 

Any info is much appreciated.

 

Andreas Niewerth

NW7.3.1 Portal Single Sign On Using Kerberos and Windows AD 2008


Dear Portal Gurus,

 

I humbly come to you with a question that I know has been asked repeatedly, but I have spent days wading through SCN and Notes to no avail.

 

Our requirement is for users to log in to their Windows workstation with their Microsoft Active Directory 2008 userid and password, click on a URL to the SAP Enterprise Portal 7.3 Enhancement pack 1 support stack 004, and be automatically authenticated to the portal, backend BW 7.3.1.4.

  • We have SCN working with the Sapgui to the same BW ABAP using Kerberos
  • We have configured SPNEGO in NWA and it shows green.
  • SSO Logon tickets work correctly between NW Portal and BW.
  • ABAP is UME and validates ok
  • Maintained connector properties in system landscape alias for SNC
  • Made sure IE8 options for security is enabled for Windows Authentication
  • Users are enabled for SCN in SU01 in the ABAP
  • Restarted SAP and J2EE and cleared IE browser cache and restarted.. many times on many PCs

Still, when we specify http://server:50000/irj the portal is still requiring users to log in. Again, the user can log in automatically to the BW ABAP system in Sapgui, but the requirement is for them to be automatically logged into the SAP portal.

Is this possible? I am beginning to wonder. If you have accomplished this and can share what we may be missing, I would be so grateful and wish much good karma to you!

 

Lee Lewis

SSO to SAP EP


Hi,

 

We have a SAP EP (7.3) system integrated and SSO configured with backend SAP R/3 (ehp4).

 

Now we need to allow the customer to open our SAP portal from within their portal. This means that we need to establish SSO with their portal. They use standard SSO techniques, including SAML, on their portals.

What method can I implement for this?

 

 

 

Regards,

Eben Joyson

Success Factor Employee Central integration with ECC on-premise


Hi,

 

 

I have a scenario where the functional have configured SAP Success Factors Employee Central (EC) to communicate with ECC backend for payroll data. EC is a cloud based solution while the ECC backend is on premise.

While the users try to launch some sections in EC e.g superannuation, they are redirected to a link on the ECC backend (https://servername:port/nwbc/~canvas;window=app/nwbc/~canvas;window=app/wda/hrpao_paom_masterdata?OTYPE=EMPLOYEE_CENTRAL&SINGLE_ACTION=X&WDCONFIGURATIONID=HRPAO_PAOM_MASTERDATA&NO_COLLABORATION=X&sap-client=300&sap-language=en&CFG_ID=IT0220&OBJID=2%2C322%2C9001&WDTHEMEROOT=sap_corbu)

Now this is an embedded window in EC and when I've tried to enter the username and password, it prompts the error "Logon with URL parameter not possible; logon cookie is missing".

 

 

What I'm trying to achieve here is to have SSO between EC calling the ECC backend for data without the need of setting up a Java stack as IDP using SAML2. Is that possible?

 

 

Thanks and BR,

Philip

Multidomain SSO Configuration with ABAP backend Application Integration


Hello Community,

 

I got stuck while configuring SSO for two separate domains.

 

Problem: integrated ABAP backend Applications do not SSO

 

We had one Domain and used Active Directory as UME Datasource and SSO to Portal AND to the integrated Portal Applications, which reside on ABAP Systems, worked fine.

 

Now we are getting a new Domain and Active Directory, but for the next 1 or 2 years we will use both domains and Active Directories. So I configured a new datasource.xml (multidomain) and added the second REALM in the SPNEGO Wizard AND changed the mapping mode from "Principal only" to "Principal@REALM" to get SSO working again with two Domains. Portal SSO does work now but SSO for the integrated ABAP iViews does not.

 

I think the Problem is that Portal uses Principal@REALM but ABAP Backend needs only the Principal. Is there a way to only hand over the Principal to this Applications? Or am I on the wrong track with this "Principal@REALM" configuration?

 

more Info:

User in AD and in ABAP System are the same and it worked in the one Domain scenario.

Portal is 7.02 SP11.

AD is 2003 and 2008

 

thank you in advance

 

best regards

Christoph Schmitz



SSO


Dear all,

I got some error due to SSO: if I close my portal, it again asks for user ID and password in the maintained SSO systems.

 

Thanks in advance!!

 

BR/

basha

SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)
N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"
N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll
N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7
N  SncInit():  found snc/identity/as=p:CN=<…>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=<….>"
N      FATAL SNCERROR -- Accepting Credentials not available!
N      (debug hint: default acceptor = "p:CN=DummyCredential")
N  <<- SncInit()==SNCERR_GSSAPI
N          sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas


SAP SSO between Windows & SAP users:


Hi all experts,

 

I really need your help in configuring SAP SSO between Windows 2008 R2 ADS and SAP users.

I followed all the steps provided in the SAP NW SSO SP4 SLL document from SAP.

But I got stuck at a couple of steps; the major part is that our ADS Administrator doesn't want to edit the SPN for the Kerberos user, and instead he suggested to use either RC4 or AES256.

During the SNC setup, I am facing the below error in the dev_w0 file:

 

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll
N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]
N        GSS-API(maj): No credentials were supplied
N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"
N  SncInit(): Fatal -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

 

 

Below is SNC Status:

 

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe
Using command 'status -v', call with -h to see more commands
------------------------------------------------------------------------------
------------ status -------------------------------------------------------
------------------------------------------------------------------------------
Product version      : Secure Login Library 1.0 SP 4:
CryptoLib            : 8.3.7.5
                     : windows-x86-64
GSS library          : available
GSS library name     : secgss.dll
PSE directory        : (existing) E:\usr\sap\SID\DVEBMGS00\sec
PSE file             : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip
STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2
SNC config file      : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml
PSE accessible       : yes
PSE logged in        : yes
PSE credentials      : MasterPassword SystemDefault
Kerberos keyTab      : 12 entries
SAP/ServiceSID@<fqdn>.com (KeyType DES)
SAP/ServiceSID@<fqdn>.com (KeyType AES128)
SAP/ServiceSID@<fqdn>.com (KeyType AES256)
SAP/ServiceSID@<fqdn>.com (KeyType RC4)

SAP/ServiceSID@<fqdn>.com (KeyType DES)
SAP/ServiceSID@<fqdn>.com (KeyType AES128)
SAP/ServiceSID@<fqdn>.com (KeyType AES256)
SAP/ServiceSID@<fqdn>.com (KeyType RC4)

SAP/ServiceSID@<fqdn>.com (KeyType DES)
SAP/ServiceSID@<fqdn>.com (KeyType AES128)
SAP/ServiceSID@<fqdn>.com (KeyType AES256)
SAP/ServiceSID@<fqdn>.com (KeyType RC4)

SNC keys registered  : 0 entries
Trusted certificates :
in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

 

Quick response really needed as pressure has increased.

 

Thanks and Regards

 

Ahsan.
