Channel: SCN : Popular Discussions - SAP Single Sign-On

Single Sign-On with Kerberos


Hi,

Trying to configure SSO with Kerberos [NW SSO 2.0], followed the steps: 1. Create service user in ADS 2. Copy Secure Login Library files to ABAP system [Unix] 3. Configure SNC profile parameters.

 

After the profile parameter changes, we did the application restart, but the system is not coming up and we found the following error in the trace file

 

  *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED

  "Unable to find library 'sncgss.so'."  [dlux.c       445]

N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c  731]

 

Yes, the file is not available in the system, how to get the snc related files/libraries?

 

Regards,
Sam


SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

Question is, what is the best way forward, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf
Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

SAP ABAP Single sign on


Dear Members,

Need valuable comments and solutions with regards to my question below.

 

My requirement is to configure Single sign on for ABAP application server. I have 2 requirements

1.) This is my SRM server (EHP2 FOR SAP SRM 7.0) where in ABAP SNC configured based on below document 2 video

http://scn.sap.com/docs/DOC-40178

--> Successfully configured and single sign on working based on AD user id and password.

2.) Secondly, I want to configure a solution for /sap/bc/nwbc/srm based on 8001 or 8000 ports. Let me make one thing clear: this is only an ABAP based server.

Always I am getting a pop-up for user id and password. But the problem is now the authentication is done from AD not from the ABAP user master record.

 

How can I achieve this? I tried the 2 video step by step but still I am facing issue, I traced from SPNEGO transaction and found the below:

 

SPNegoValidateToken: Error when parsing received SPNego token via sec_kerberos_spnego_ParseToken with error return code:

 

I am not clear what is missed by me and what yet had to be implemented.

 

Basically how can I achieve single sign on for 8000 ports on ABAP system.

 

Appreciate quick response.

 

Thanks & Regards,

Mohammed Imran

Access user information from SAP Logon Ticket Java Web Application


Dear Experts,

 

I am looking for a way to access the userid from a SAP Logon Ticket in a Java web application deployed on NetWeaver AS Java server. How can I extract the userid from the SAP Logon Ticket cookie using Java or JavaScript?

 

Thanks,

Firefox cannot access root CA certificate distributed with MS Group Policies


Hi All,

 

We are implementing SSL for AS ABAP with the certificate signed by Secure Login Server 2.0. After the root CA certificate is exported from the Secure Login Server and distributed to clients using Microsoft Group Policies, the certificate cannot be accessed with Firefox, resulting in the warning about the "invalid security certificate" (The certificate is not trusted because the issuer certificate is unknown). IE and Chrome can access the certificate in the certificate store, so no warning shows.

 

According to the requirement:

  • The manual installation of the root CA certificate in the Firefox certificate store on each individual client is not possible
  • No add-on should be installed in the browser, including Firefox Secure Login Security Module Plug-in (downloaded from Secure Login Server)

 

What are other available options to import the root CA certificate to Firefox browser on many workstations on the same domain?

 

I would be very grateful for any contribution regarding this issue.

 

Best regards,

Duy

ECC - LDAP Authentication


Hi,

 

I already have CUA configured to synchronize users with my LDAP server. I'd like to authenticate SAP users at my LDAP server. I saw the note 793191 - FAQ: User master synchronization with LDAP directories, informing that it is not possible to synchronize the userPassword attribute. Is there a way to achieve LDAP authentication? With Enterprise SSO is it possible?

 

Thank you.

login to multiple SAP systems using pwd of single SAP system


Hi All,

 

We have 3 different SAP servers, with sids: ECD, BWD, HRD.

 

For each user, a user with the same username is created in all three systems.

The user does not want to maintain 3 different passwords, instead only a single password to be used in all systems, i.e. when he changes the password in system ECD, the changed password should work in the other systems BWD and HRD as well.

If we were using SAP EP, we checked the possibility of username based SSO and having portal login using only one system, ECD.

But we are not using the portal, and all the users will access the 3 SAP systems using SAPGUI.

Is there any way where one system's password will work to log in to the other systems?

 

thanks in advance,

Madhu_1980

Using Active-Directory PW at SAP logon procedure


Hello,

 

I have the requirement not to use single sign on for some systems with sensitive data, but would like to check during sap logon procedure the  from our central active directory password.

 

Is there any best practice configuration or SAP / AD Win add-on solution available to connect SAP NW ABAP 7.40 at Win2012 server with our Active Directory? Nearly all Win based applications can handle a PW check from application to AD. Is there any SAP or partner implementation helpful to expand the SAP client internal user-PW check?

Thanks in advance for alternatives to the standard client SSO or any idea in the direction of using the Active Directory password within sap-logon.

Please give me a short feedback if you need more details.

 

 

regards,

Bernhard Mair

Goethe-Institut München


SAP NWSSO2.0 SP03 SPNEGO not working( No Webgui/NWBC or Portal )


Login testing the service WebGUi

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui –test the service

Getting this Prompt for first AD user ID and Password and then SAP user ID and Password.

2. Same thing happens with NWBC and BW-Portal login - it prompts for AD ID and then SAP ID and password.

Whereas ABAP SSO works perfectly.

 

 

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

 

NWSSO Configuration Steps.

1.  Service User in the MSAD for AS-ABAP or AS-JAVA/Portal with following information

  • User ID: SAPService<SID>(existing individual<SID> Service user id)

  • Set the User cannot change the password

  • Set Password never expire

 

2.  Created SPN for this Service User

  • For ABAP -SAP/SAPService<SID>

  • Web (HTTP/ Hostname for ABAP apps server)

 

3.  Installed Secure Login Library on SAP Server

  •  Created a folder name (SLL)in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

   • Verified SLLibrary:(Version - 8.4.18.0)

(Starting NW7.4 sapcrypto library is coming and check the version is same at SLL directory and in the Kernel Dir.

 

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com
   snc/enable = 1
   snc/accept_insecure_cpic = 1
   snc/accept_insecure_rfc = 1
   snc/accept_insecure_gui = 1
   snc/data_protection/min = 3
   snc/data_protection/max = 3
   snc/data_protection/use = 3
   snc/permit_insecure_start = 1
   snc/r3int_rfc_qop = 8
   snc/r3int_rfc_secure = 0
   snc/force_login_screen = 0
   spnego/enable = 1
   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

 

5.  Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified

        #sapgenpse seclogin -l -v

6.  Configured Credential file and verified

7.  Install Secure Login Client and defined SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configure User Mapping in SAP AS ABAP – SNC name – p:CN=<USERID>@MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10.     SPNEGO Configuration:

     a.  Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO

     b.  Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.

 

For WebGui all the required Service are activate and published via SICF and also per http://scn.sap.com/docs/DOC-29485

 

Created SAP Message and SAP also confirmed all your setting looks and Kerberos being case sensitive but since my ABAP SSO is working so that possibility is also ruled out.

Are there any different steps or known issues with the above setting for SPNEGO? I have not mentioned the steps for Portal because first let's get the Webgui or NWBC resolved, which uses the SPNEGO configuration.
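
A small profile audit for the SNC parameters in step 4, as an added example that is not part of the original post or of SAP's tooling: it flags the settings that still accept non-SNC connections and a Kerberos realm in snc/identity/as that is not upper-case. The sample profile is constructed from the values in the post; treating a lower-case realm as a finding is an assumption based on Active Directory realm names being written in upper case.

```python
import re

# Constructed sample: the SNC/SPNego values listed in step 4 of the post above.
SAMPLE_PROFILE = r"""
snc/identity/as = p:CN=SAPServiceSB1@mycompany.com
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/permit_insecure_start = 1
spnego/enable = 1
"""

# Parameters where the value 1 allows communication without SNC protection.
INSECURE_FALLBACK = {
    "snc/accept_insecure_cpic": "accepts CPIC connections without SNC",
    "snc/accept_insecure_rfc": "accepts RFC connections without SNC",
    "snc/accept_insecure_gui": "accepts SAP GUI logons without SNC",
    "snc/permit_insecure_start": "allows starting programs without SNC",
}


def parse_profile(text):
    """Parse 'name = value' profile lines; skip blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: SNC names such as p:CN=... contain '='.
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit(params):
    """Return (parameter, reason) findings for a parsed profile."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is not enabled"))
    for name, reason in INSECURE_FALLBACK.items():
        if params.get(name) == "1":
            findings.append((name, reason))
    dp_min = params.get("snc/data_protection/min", "")
    if dp_min.isdigit() and int(dp_min) < 3:
        findings.append(("snc/data_protection/min",
                         "permits less than privacy protection (level 3)"))
    # Assumption: the Kerberos realm part of the SNC name should be upper-case.
    m = re.fullmatch(r"p:CN=([^@]+)@(.+)", params.get("snc/identity/as", ""))
    if m and m.group(2) != m.group(2).upper():
        findings.append(("snc/identity/as",
                         "Kerberos realm '%s' is not upper-case" % m.group(2)))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {reason}")
```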

SAPGUI SSO Given Error GSS-APO(maj): NO Credential's were supplied


Hello All

 

 

Using this URL for configuration time

http://scn.sap.com/community/sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

 

 

Implementing SAP ERP 6 SR3 ABAP Stack with SSO 1.0

SNC configuration done successfully; attached are the screenshots

EnableSNC.png

While using SAP GUI 7.30 with SNC it shows an error

 

SNCError.png

 

 

 

Thanks

Tejas Gandhi


NTLM Token received in authentication header


Dear Experts,

 

We have configured SAP NW SSO using Kerberos authentication.

  • LDAP server is connected
  • Active directory users got imported to SAP NW
  • Users are able to access SAP MII

 

Everything went fine, left with an issue

 

The requirement is on loading the SAP MII URL: http://<hostname>:<port>/XMII/Menu.jsp in Internet Explorer, It should auto-authenticate and display SAP MII Menu page directly.

 

But it gives a windows security logon prompt as shown below:

Win.gif

 

When I enter the User (LDAP) credentials it logs in successfully.

 

Log Viewer diagnosis:

 

On loading the http://<hostname>:<port>/XMII/Menu.jsp in Internet Explorer, I see the logs as given below:

log2.gifLog3.gif

 

When I enter the User (LDAP) credentials it logs in successfully and the logs are as shown below:

Log1.gif

 

The same set of logs occur for the Authentication stack:sap.com/tc~wd~dispwda*webdynpro_dispatcher

 

Just an additional info: when we run the nslookup command as in the note 1313880 (SPNego with DNS aliases), we get the below output:

DNS.gif

 

Any help would be appreciated with points

Secure Login Client 2.0, SP3, several certificates to select



Dear Colleagues,

 

We have configured Secure Login Client to allow SSO to our ABAP systems. The configuration is working, but the first time the user logs in to an ABAP system he needs to select a certificate in the Secure Login Client. Besides the Kerberos token we have a Microsoft certificate. As soon as you select the right entry (Kerberos), SSO will work. As we are rolling the SAP GUI out to thousands of users, I would like to prevent this pop-up. Any idea if this is possible?

Regards,

Alexander

SAML 2.0 - Double Authentication with AS ABAP as service provider


Hi All -

 

We are experiencing an issue which someone may have had.

 

We are logging on to the AS ABAP system with SAML 2.0, and the nameID is the personnel number, which is in turn our user master ID.

 

To be clear:

 

User ID in SAP = PERNR

Personnel Nr    = PERNR

Infotype 0105/0001 = PERNR

 

The Identity Provider system reaches out to Active Directory and gets the personnel number for the logged on user, this is in turn what is presented back to the SAP ECC System. As you can see we have our user ID's created the same as the PERNR, so the infotype 0105/0001 is also set up to be the pernr.

 

The problem we face is that sometimes the user's personnel number is incorrectly keyed into the Active directory system. In this case the user is logged in to Self-Service with an incorrect user, and this is therefore a data breach. I would like to do some additional validation to address this issue.

I have set break-points in most of the SAML classes, and tried a number of different options, but am running out of ideas. We have also thought about using the email address, but found that not all employees have an email, and so this option was not selected.

 

Any input here will be appreciated.

SSO via x.509/SAML for free possible?


I know SAP releases the SSO products but is it possible to achieve SSO via x.509/SAML certificates for free? Or are the SSO products absolutely required for this?

 

Would really appreciate some insight, thanks!

 

Joe


SAML2 & SLO



Hello,

We recently changed our authentication procedure for our SAP netweaver to authenticate user thanks to SAML2 + SAP ID provider.

So far so good and all is working fine.

The minor issue we're facing is with the logout option.

When the user clicks on the [Log Off] button (top right corner of the webUI), he logs out from the system.

The problem is that if the user re-opens the browser and tries to open the webUI again, then all behaves as if the user never logged out.

I mean, unless the user clears his browser cache of all cookies, the IDP logon screen where he normally has to provide credentials is not displayed.

It behaves as if the [Log Off] is not deleting the cookies that were created when he initially logged in.

 

Is our expectation wrong?

We would expect that [Log Off] would delete that cookie so the user would not be automatically reauthenticated but would be redirected to the IDP logon screen.

 

If our expectation is correct then any idea why it's not behaving like this ?

 

please advise

 

thanks


(Kerberos Authentication) Windows AD id and SAP GUI id's are different


Hi All,

 

We are planning to implement Kerberos authentication using our Windows AD. I have the below queries regarding the same.

 

1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31; will this support Kerberos authentication?

2. If it is supported, we have different user IDs in Windows AD and ECC for the same user. Will this be supported? (For example, in Windows AD we have SSOTEST, and the same user has TESTSSO in ERP.)

3. Does Kerberos authentication require a separate license?

 

If possible provide links for the same.

 

Regards,

Sree

Error while authenticating a user


Dear all,

 

Hope you all are doing well.

 

 

Production issue :

When a user tries to log in with his username and password, he is getting the error message "INTERNAL ERROR OCCURED".

And the standard RFC which I'm using for authenticating the user is SUSR_LOGIN_CHECK_RFC

 

CALL FUNCTION 'SUSR_LOGIN_CHECK_RFC'
  EXPORTING
    bname                     = ip_empid
    password                  = ip_password
  EXCEPTIONS
    wait                      = 1
    user_locked               = 2
    user_not_active           = 3
    password_expired          = 4
    wrong_password            = 5
    no_check_for_this_user    = 6
    password_attempts_limited = 7
    internal_error            = 8
    OTHERS                    = 9.

 

 

I want to know what is the meaning of this internal error? Something is going wrong with the standard RFC which I am referring to? Someone please help me out.

 

Thanks in advance.

Second factor authentication via mail


hello

 

I would like to know whether it is possible with NW SSO to send an automated mail with a randomly generated code as part of the 2 factor authentication scheme

 

thanks in advance and best regards

Michele
