Hello,

We are in proces of implemeneting SAP NW SSO for SAP GUI with SAP ECC Systems.

As per the Secure Login Library Guide, we have extracted Secure Login Library file in desired locatoin and set the profile parameters as mentioned in Guide.

Now we are configuring the SNC X.509 Configuartion, and it says to import the SAP Sever Cerificate using Tx : STRUST.

Form where to get the SAP Server Certificate, we have created PSE suing Tx : STRUST which apprears in OS level in structure /usr/sap/SID/DVEBMGS<>/sec .

We are stuck in this step, we are not able to import the SAP Server Certifiacte.

After the completion of X.59 Certificate, we would be going ahead with SNC Kerberos Configuration.

Please provide suggestions an inputs.

Regards,
Deepak

Hi all,

we are implementing a Single Sign-On 1.0  using kerberos token from Microsoft AD, it work fine by saplogon (AS ABAP- ECC, Solman, GRC NF-e and AC ) and by browser NW CE 7.2 ( AS JAVA- IdM7.2 and SSO 1.0) .

During logon by NWBC or other called ICF services by browser, the SSO doesn't work requiring a logon screen . We expected that a SSO working fine and login without require user and password on this cases .

If we are enter a user and password on this problem case, the https is  working fine, but we need an automatic login by SSO using kerberos as we set by spnego, SU01 tab SNC and EXTID_DN .

Are there any parameter that we have to set on icf services or RZ10 to provide SSO login to solve this issue ? 

Thanks in advance,
Rodrigo

Hello Experts,

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO. All I get is a funny error popup "SAP System Message: S".

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

Any info is much appreciated.

Andreas Niewerth

Hi Experts,

I am trying to configure my EP NW 7.3 to use LDAP as data source instead UME but in nwa -- Identity Management the fields are empty and shows following message

Cannot read configuration properties.: The specified service name com.sap.security.core.ume.service does not belong to any of the available services

Attached image.

Additional AS is right but I don´t want to take changes there until I find the reason for this.

Any clue?

Hi,

I need to setup SSO in my SAP systems, using Kerberos, so that users from Windows terminals can login to a system using SAPGUI without giving a user/password.

I know it is possible because I have seen it somewhere in the past.

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about setup where SAP system is on Windows platform, but I cant find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

Please help.

Regards,

Shitij

Hi Team,

We have recently deployed SAP NW SSO v1.0 on AS JAVA system and configured SSO for SAP applications( ABAP instance as well as JAVA instance) and it is working fine. I found the Best practice document is very useful for configuring SSO  - SAP applications.

Similarly do we have any document which explains about SSO configuration for Non-SAP applications( Ticketing tools, HPQC etc).

What is the difference between configuring SSO for SAP applications and Non-SAP applications?

Thanks,

Gopi L

Hello,

I have implemented SSO to AS Java (SAP Portal) using X.509 Client Certificate.

When I try to logon without passing through the Web Dispatcher (direct call to the SAP Portal in Intranet) my SSO works properly and I'm able to logon without writing any user and password, thanks to my X.509 Client Certificate.

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details

1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          true       true

        \#1 Rule1.AttributeName = CN

        \#2 Rule1.getUserFrom = subjectName

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true

Central Checks                                                                                                   true                  #

My problem arises when I try to call my SAP Portal from the Internet passing through my SAP Web Dispatcher, so I've got the following error:

LOGIN.FAILED
User: N/A

Authentication Stack: ticket

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          exception             true       Authentication did not succeed.
        \#1 Rule1.AttributeName = CN
        \#2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false      #

How could I manage my X.509 Client Certicate when I have to pass through my Web Dispatcher?

Thanks!

Fabrizio

Wanted your expert opinion on something. We have using NWBC 4 and got Portal 7.3 in our landscape. We have established SPNego for IE single single on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this been a massive hunt for right solution.

SAP Netweaver SSO is obvious solutions, but seems it involves some licence cost. Other option was to redirect NWBC to Portal and then back using redirect app as described in this note.

Question is, what is best way forward, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in we are able to see web page of /nwbc page instead of launching ECC on NWBC 4.0.

Thanks a lot for your time.

Note 1250795 - Redirect appliction.pdf

Regards,

Sudhir

Hi,

I would like to have the portal users who logged into the company network will access portal with no sign-on.

To achieve my goal, I think I have a couple of ways of implementation:

1. Use CA SiteMinder for user authentication of portal. Question 1: do I need to have a web server for SiteMinder web agent in front of portal? Can the web agent be installed directly on the NW WAS where portal installed?

2. Use Integrated Windows authentication on portal. Question 2: I will definitely need a web server in this case, am I right?

Question 3: if I use CA SiteMinder as user authentication in portal, then what UME (e.g. LDAP, Portal UME, or ABAP UME) is not matter, as SiteMinder will handle it via HTTP Header, am I right?

Question 4: I read about the history discussion, it seems there is an issue for portal admin to login, do content admin, system admin, user admin if use SiteMinder. What is the solution for it?

Thanks in advance.

Hi Experts,

I am trying to configure my EP NW 7.3 to use LDAP as data source instead UME but in nwa -- Identity Management the fields are empty and shows following message

Cannot read configuration properties.: The specified service name com.sap.security.core.ume.service does not belong to any of the available services

Attached image.

Additional AS is right but I don´t want to take changes there until I find the reason for this.

Any clue?

Hello Experts,

I am novice.

I want to connect nwbc 3.5 by sso to my sap environnement (without password) using the method x.509 Client Certificate.

I followed the instruction giving by SAP : http://help.sap.com/erp2005_ehp_05/helpdata/en/49/236897bf5a1902e10000000a42189c/content.htm

I have an issue on the transaction SM59 for RFC => icm_http_ssl_error

I can connect to the nwbc browser and the SSL is accepted.

Maybe there are some issues in the CA.

Somebody, can help me please?

My company has recently decided to use NW SSO as our IdP.  We have SAP Java systems that reside in different domains (company.com and company.lan).  We are hoping to be able to use SAML 2.0 for SSO between these SAP systems in a Federated Portal environment.  As of right now I am testing it in our test environment and running into some problems.  I have two Service Providers and one Identity and Service Provider.  I would like to use either email or logon ID as our Identity Provider since our user's IDs and email address will be identical in the systems on both domains.  For right now, I have set our IdF to use E-mail.  Now when I go to Name ID Management in the service providers, I am able to see that it locates a matching E-mail address for the user ID provided on our IdP.  This works from both Service Providers.  However, when trying to perform the same test from the IdP, I get ZERO results from our Service Providers and I see the message "Current user is not federated with any trusted providers using the selected NameID format or filter pattern."  Am I missing something or is there a better way to do this that I am not understanding?

Regards,

Jon

Hi SSO and SAML2 experts,

We have several SAP Enterprise Portal systems. The SSO configuration is setup using SAML2, with the Portal as SAML2 service provider
and Touchstone as identity provider. When users click on link https://<server>:port#/irj/portal, they will see the SAP Netweaver Login screen with an Identity Provider box (which is Touchstone in our case). Once the user click on "continue" button at the signup screen, he/she will be redirected to the Identify Provider (Touchstone) , which is another screen. At that point (the touchstone screen), the user has options either to use a certificate or a Kerberos id, before signing up into the portal.

My question is this: Is it possible to bypass the initial SAP Netweaver Sign-up screen? In other words, can some thing be done(configurations/custom codes/other creative methods) so users would not be presented with the SAP logon screen, instead go directly to IdP Touchtone screen? The issue here is "user experience". Users need to click on "continue" on the SAP Netweaver login, then being redirected to IdP Touch stone screen, click again, finally land into portal.

Any feedbacks would be greatly appreciated!

Best regards,

Qian Kang

qiankang@mit.edu

qiankang@mit.edu

Hello,
I have a problem to configure SSO in ECC 6.0 Ep5 with Microsoft AD.
Every part of the LDAP is working, I'm already mapped the users in AD and update the SAP running without problem.

When active in the CNS (snc / enable = 1), SAP does not start.
The Next error I received the file dev_w:Hello,
I have a problem to configure SSO in ECC 6.0 Ep5 with Microsoft AD.
Every part of the LDAP is working, I'm already mapped the users in AD and update the SAP running without problem.

When active in the SNC (snc / enable = 1), SAP does not start.
The Next error I received the file dev_w:

*************************************************************************************
SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:svc-sapprd\localiza.corp
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
N Could't acquire ACCEPTING credentials for
N
N name="p:svc-sapprdlocaliza.corp@LOCALIZA.CORP"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 239]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11329]
***************************************************************************************************

This configuration is being performed in the environment:
Instacia Central - Windows 2008R2 - SqlServer 2008R2
Workstation - Windows 7

Thank you.
Ederson Meneses

Hello,

I've not found a suitable answer in the documentation yet, so I wanted to ask this question here.

I have a requirement to use SAP NetWeaver Single Sign-On to authenticate two separate user groups. One group is via Windows AD and the other would be via SiteMinder to a second Windows AD.

The environment includes: ECC6, CRM2007, BW3.5

Questions:

1) is it possible to setup mixed authentication for the two user groups I've listed above?

2) does anyone have experience with this to share?

3) would SiteMinder require a separate application server to handle the user groups behind it?

Appreciate your input.

Paul

Hello,

I have mixed authentications on my BI4.0 platforms:

* some users authenticate with Enterprise

* some users authenticate with their SAP account

We would like to put in place the SSO and unify the login workflow.

This is pretty clear to me concerning "standard users", the one that authenticate today via Enterprise:

* I will configure  Windows AD authentication/aliases and then kerberos SSO

Concerning "SAP" accounts, can I do the same?

Is it possible for a BO user to have a windows AD alias AND a SAP alias ... Will Windows AD SSO work and enable SAP access too?

If I configure Windows AD+BO SSO, will I get access to report needing special SAP authorization?

Thanks

Hi Community

Have any SAP NW SSO members had this issue?:

We have installed SAP NW SSO Secure Login X.509 Based Solution according to the Best Practice Guide and it is working fine.

However we rolled out the Secure Login Client to +4000 client computers and as soon as we did, we had hundreds of users reporting that 80% of the time that they run Internet Explorer it crashed stating:

Internet Explorer has stopped working

Windows can check online for a solution to the problem

* Check online for a solution and close the program

* Close the program

Looking at the problem in detail:

Problem Event Name:      APPCRASH

Application name:           iexplore.exe

Fault Module Name:        ntdll.dll

If a user chooses to check online for a solution, Internet Explorer recovers the browser tab and continues ok, or the same error happens. This is not a situation we can continue with.

This is happening 80% of the time to our users when they run Internet Explorer, and we have analysed the Windows Event Viewer logs to verify this.

As soon as we remove the Secure Login Client from the client computers this error does not occur at all - again we can see straight away from analysing the Windows Event Viewer Logs.

Currently we have had to remove the Secure Login Client from our +4000 client computers so as to ensure this error does not occur - but this means SAP NW SSO does not work for us (we use SAP NWBC and IE to access SAP ABAP systems).

Have any other members experienced this issue?

Thanks for your help

Mark

Hi all experts,

Really need your help in configuring SAP SSO between Windows 2008 R2 ADS & SAP Users.

I followed all the steps provided in SAP NW SSO SP4 SLL document from SAP.

But, I stuck up at couple of steps, the major is part is our ADS Administrator does'nt want to edit SPN for Kerberos user,

instead he suggested to use either RC4 or AES256.

During the SNC setup, I am facing  a below error in dev_w0 file:

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll

N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)

N      Could't acquire ACCEPTING credentials for

N 

N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"

N  SncInit(): Fatal -- Accepting Credentials not available!

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

Below is SNC Status:

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe

Using command 'status -v', call with -h to see more commands

------------------------------------------------------------------------------

------------ status -------------------------------------------------------

------------------------------------------------------------------------------

Product version      : Secure Login Library 1.0 SP 4:
CryptoLib                 : 8.3.7.5

                                  : windows-x86-64

GSS library               : available

GSS library name    : secgss.dll

PSE directory           : (existing) E:\usr\sap\SID\DVEBMGS00\sec

PSE file                     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip

STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2

SNC config file        : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml

PSE accessible        : yes

PSE logged in          : yes

PSE credentials      : MasterPassword SystemDefault

Kerberos keyTab    : 12 entries

SAP/ServiceSID@<fqdn>.com (KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SAP/ServiceSID@<fqdn>.com(KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com (KeyType AES256)

SAP/ServiceSID@<fqdn>.com (KeyType RC4) 

SAP/ServiceSID@<fqdn>.com  (KeyType DES)

SAP/ServiceSID@<fqdn>.com  (KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SNC keys registered :  0 entries

Trusted certificates:

in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

Quick responce really needed as pressure increased.

Thanks and Regards

Ahsan.

Hello Experts,

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO. All I get is a funny error popup "SAP System Message: S".

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

Any info is much appreciated.

Andreas Niewerth

Hi Guys,

I have doubts about setting LDAP as data source for Netweaver Portal 7.3, with this configuration windows users can log on to sap portal without writting their password again? do I have to set kerberos, also?

if you have some guides could you send me please.

My LDAP will be Active Directory Windows, also if a I choose read only means that Portal only will read users from AD (including new users after configuration?)

Regards,

Andy