Channel: SCN : Popular Discussions - SAP Single Sign-On

SAP Secure Login Client on MAC with x.509


Has anyone installed the SAP Secure Login Client on a MAC and used x.509 certificates instead of Kerberos?  According to the SAP help documentation this is possible as follows.  Are there any workarounds that need to be implemented when using the SAP GUI Java Client for MAC with SAP Secure Login Client?

 

Configuring Secure Login Client on a Mac Client

 

By default, Secure Login Client uses Kerberos to authenticate at an SAP GUI with an SNC connection. Nevertheless, you can also configure your Mac client to use X.509 certificates.

Context

 

  • Kerberos is the default authentication mode of your Mac client for logging on to an SAP GUI. You need not do anything because Kerberos is already available after the installation. Since your Mac client belongs to Microsoft Active Directory, Kerberos-based authentication mode is supported (see the related link).
  • If you want to use X.509 certificates as authentication mode for the SAP GUI with SNC, you must configure it in the OS X System Preference Pane.

Procedure

  1. Open the Secure Login Client in your Applications folder or in the System Preferences window.
  2. In the parameter Select your SSO method of the Single Sign-On section, switch to Use your selected certificate.
  3. Go to the parameter Select your certificate and choose the certificate you want to use for certificate-based authentication to SAP GUI with an SNC connection.

     

    Note: Another option is configuring authentication with X.509 certificates in the Keychain view of OS X. You find the preferred certificate as a Secure Login identity preference.
    Caution: Do not switch certificates in the Secure Login preference pane while changing the settings in the Secure Login Identity Preference of the OS X Keychain. You risk getting an inconsistent configuration.

     

Related Information

 

Secure Login Client for OS X


SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting Open SSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.

SSO for fiori apps


Hi ,

 

I would like to configure SSO for Fiori apps based on Windows authentication. What things are required to do so?

 

Like any changes on user settings, Fiori launchpage.

 

Also I want to map several Windows user IDs to a single SAP user ID. Is this possible?

 

 

Regards

Yashpal

SSO 2.0 secure login client is showing message internal server error


Hi

 

 

I've configured the secure login server and downloaded the root CA certificate and group policy for the client machine, however when I try to connect, the secure login client shows the message internal server error.

I have already restarted the local machine and the SSO server.

The service user on AD is created with the serviceprincipalname.

 

Any idea?

 

 

Arivind

SSO from IE to ABAP system


We have a requirement for users who are on our network to launch a web client from their PCs, like IE, and go to a URL (ssl) which is a web dynpro application on our HCM ABAP system to view paystubs.  They want to have this configured to use SSO. 

 

So which of the SSO options would be easiest configuration for this?  Would SSO using Logon tokens work?

 

Thank you in advance...I'm not an SSO expert and this is all very confusing!

RFC Destination SSL handshake failed


Hello,

 

I have an issue with a RFC Destination, since the certificate was changed (on server side).

When I press "Connection Test" I get the following message:

 

SSL handshake with evatr.bff-online.de:443 failed

 

We have already uploaded the new certificate in transaction STRUST and still getting the same error.

 

4.PNG

 

I have noticed that the algorithm changed from SHA-1 to SHA-256.

Therefore I checked the SAPCRYPTOLIB version:

 

5.PNG

 

New enough...

 

Here is the RFC Destination in SM59:

1.PNG

SSL is active and the correct list is selected:

2.PNG

 

Also HTTPS is enabled in Services in transaction SMICM:

3.PNG

 

 

Also I spoke to the guys from the networking and they said that SSLv3 communication isn't blocked and the systems are allowed to connect to the internet. They are sure that the problem is not network related.

 

I have no clue what to do now.

In the attachments you can find a ICM-Trace, where I tried a "Connection Test".

 

Thanks in advance.

 

Best regards

Dennis

SSO with multiple domains


Hi All,

 

We have 2 (ldap directories for each domains) domains connected to our SAP SSO systems. Recently we changed the password for one of the domains and updated the password in config tool in

ume.ldap.access.additional_password1 for -We changed the password and updated.

ume.ldap.access.additional_password2 for other domain users we did not change the password and not updated.

 

When password2 domain user tried to login they are getting below error:


Caused by: com.sap.security.api.NoSuchUserAccountException:

USER_AUTH_FAILED: User account for logonid "saptest" not found.



Please let us know how to fix the issue Urgent.


Thanks In Advance.


Regards

Santhosh

SSO 2.0 in NWBC html


Hi experts,

 

I have configured the SSO 2.0 based on X.509 and with the secure login client. Now on the ABAP and Java it signs on automatically, however I want that the user can use NWBC without being asked for the password, when the user opens the html weblink on the browser such as it is done on java application, or even on nwbc for desktop that even change the nwbcoptions.xml

 

Arivind


How to implement SSO / SSL / X.509 / SAML based Authentication for SAP UI5 based Apache Cordova/PhoneGap App using JavaScript?


Hello,

 

I have developed a Mobile App using SAP UI 5 framework, HTML, JavaScript and Apache Cordova / PhoneGap.

 

The app is completed, but I am still stuck with the Login Authentication task. The code which I have written, pertains to OData Service based BASIC Authentication using Username and Password(which the user enters through the app's UI). The code works fine for Valid Login credentials, but doesn't work at all, when the user enters Invalid credentials.

 

I came to know that instead of using BASIC Authentication (with Username and Password), either of SSO / SSL / X.509 or SAML based Authentication mechanisms needs to be used for SAP UI5 mobile app.

 

I Researched and found some links which speak about SSO Authentication but are either for Java EE or Microsoft .Net applications(and they are irrelevant in my context).

 

I am looking for code which is in JavaScript, as my entire app is HTML, JavaScript with SAP UI5 framework and I have also used Apache Cordova/PhoneGap to transform my HTML and related project files into an iOS app (and later it will be morphed into an Android app as well).

 

It would be of great help, if I could get any sort of help, either in the form of sample code or some leads.

 

PLEASE NOTE ->

  1. For the rest of the app's Business Logic, I have used OData services and " OData.read(...); " statements to fetch the data and store them in  "sap.ui.model.json.JSONModel(); "model, for further manipulations and binding them to the UI controls.
  2. In case the SSO / SSL or any such implementation needs any additional setup or any kind of modification in the code to fetch the data, kindly highlight that as well.
  3. And at this instant, we do not intend to use SAP HANA Cloud Platform, as it does not fall under our project scope and requirements.

 

Thanks and Regards,

Suraj Kumar Y Midgay

FATAL SNCERROR - GSS-API(maj): No credentials were supplied


Hi, I am configuring an SAP Single Sign-On 2.0 Based on Kerberos Tokens. I have already done every step mainly based on the videos that SAP provides to implement a SSO with Kerberos and following as well the implementation guide. However when I turn the parameter snc/enable from 0 to 1 and restart the server it gives me an error which I traced from the file dev_w0.

 

The error is the following:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceDG1"  NetWkstaUser="SAPServiceDG1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

N    File "E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x

N    Product Version = SAPCRYPTOLIB  5.5.5C pl35  (Mar 21 2013) MT-safe

N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-DG1@<DOMAIN>.COM

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SL-ABAP-DG1@<DOMAIN>.COM"

N      FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N Thu Oct 15 12:05:51 2015

N      Could't acquire DEFAULT ACCEPTING credentials

N  *** ERROR =>     (debug hint: no default acceptor cred available)

N   [D:/depot/b 737]

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    272]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    274]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c   2422]

 

NOTE: Where <DOMAIN> appears, I replaced the correct domain.

 

The parameters that I used are these:

snc/enable = 1

snc/gssapi_lib = E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

snc/identity/as = p:CN=SL-ABAP-DG1

snc/data_protection/min = 2

snc/data_protection/max = 3

snc/data_protection/use = 3

snc/accept_insecure_gu = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/permit_insecure_start = 1

snc/r3int_rfc_qop = 8

snc/r3int_rfc_secure = 0

snc/force_login_screen = 0

 

Does anyone have a clue about how to solve this error? I thought that it was due to the command to create file cred_v2 "sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDG1", about which SAP warns us of a possible conflict in Windows environments. However, I tried to solve that by adding -N at the end of the command as SAP told us to do, but my Command Prompt says that the command with -N is unknown.

Navigation to application from email content


Hi Everyone,

 

We have created a UI application with the following application URL and hosted it an Extranet portal used within the organization.

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/

 

 

We used ng-route (Angular JS routing) such that users will be able to access

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/create

 

to go in create mode and,

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/view

 

to go in view mode.

 

The tool is integrated with the backend system and triggers a workflow. The workflow will send out an email to certain agents with the 'view' link embedded in the email content.

 

However, when the user clicks on the link (in SAML enabled environment), then the user goes to the site,

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/

 

instead of going to the 'view' page. The weird part is, when they click on the same link again(without closing the first instance of the application), the page opens correctly in 'view' mode.

 

We also tried another scenario wherein we opened the Intranet irj/portal link and then clicked on our application view link from the email content. The page opens correctly in the 'view' mode at the first instance of clicking the link.

 

 

It looks like some issue with authentication. However, we are not able to ascertain why the tool opens correctly when the same link is clicked only twice and not once.

 

Request your advice.

 

Thanks.

ADFS/SAML 2.0 for ABAP AS - Java needed?


I've got a NW 7.4 ABAP Stack for Fiori.  I wanted to see if I could enable SAML 2.0 to authenticate against Active Directory Federation Services as an Identity Provider.

 

  1. Successfully setup SSL (Note 510007) on this server with Certificates signed by our CA here at my company.
  2. Followed the SAML 2.0 for Fiori to configure SAML with our ADFS.

 

I modified the webgui service in sicf to use an Alternate Logon Method with SAML Logon as the second in the list behind HTTP, as the docs say to do.  But I haven't been able to get it to work.  It never redirects to ADFS to identify credentials.  It just logs on to the local ABAP Datasource.

 

So it has me trying to confirm that this is a viable option for authentication.  In the Thread below, there was a suggestion that JAVA is needed to produce the logon tickets.  But the SAML 2.0 for Fiori document doesn't suggest that anywhere.

 

http://scn.sap.com/thread/3231649


The Wiki for SSO with SAML 2.0 lists three SAML 2.0 Identity Providers:

 

  1. Netweaver Single Sign-On
  2. Netweaver Identity Management
  3. Netweaver AS Java

 

Does this mean that Microsoft ADFS is not a valid Identity Provider?

SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas
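
Added example (not part of either post and not SAP code): a small triage script for the SncInit() failure quoted in the "FATAL SNCERROR" post and in the post above. It pulls the OS user, SECUDIR, requested acceptor name and GSS-API error out of a dev_w0 excerpt and compares them with a profile parameter list. The function names, the sample trace and the sample profile are constructed from lines in the first post and are assumptions of this example.

```python
import re

# Constructed sample: dev_w0 lines copied from the first post's trace excerpt.
SAMPLE_TRACE = r"""N  SncInit(): Initializing Secure Network Communication (SNC)
N        GetUserName()="SAPServiceDG1"  NetWkstaUser="SAPServiceDG1"
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll
N    SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)
N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-DG1@<DOMAIN>.COM
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=SL-ABAP-DG1@<DOMAIN>.COM"
N      FATAL SNCERROR -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
"""

# Constructed sample: a subset of the profile parameters listed in the first post.
SAMPLE_PROFILE = {
    "snc/identity/as": "p:CN=SL-ABAP-DG1",
    "snc/accept_insecure_rfc": "1",
    "snc/permit_insecure_start": "1",
}

PARAM = re.compile(r'found\s+(snc/[\w/]+)=(\S+)')
PATTERNS = {
    "os_user": re.compile(r'GetUserName\(\)="([^"]*)"'),
    "secudir": re.compile(r'SECUDIR="([^"]*)"'),
    "gss_major": re.compile(r'GSS-API\(maj\):\s*(.+)'),
    "failed_name": re.compile(r'^\s*name="([^"]*)"'),
    "result": re.compile(r'<<- SncInit\(\)==(\w+)'),
    "sec_avail": re.compile(r'sec_avail = "(\w+)"'),
}


def parse_snc_init(trace):
    """Extract the facts SncInit() logs about itself from a dev_w* excerpt."""
    info = {"params": {}}
    for raw in trace.splitlines():
        # Drop the one-letter trace component prefix ("N ", "M ") if present.
        line = re.sub(r'^[A-Z]\s', '', raw, count=1)
        m = PARAM.search(line)
        if m:
            info["params"][m.group(1)] = m.group(2).rstrip(",")
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in info:  # keep the first occurrence
                info[key] = m.group(1).strip()
    return info


def triage(info, profile):
    """Return a list of things to verify, derived only from trace and profile."""
    findings = []
    if info.get("result") == "SNCERR_GSSAPI" and info.get("sec_avail") == "false":
        findings.append(
            f'no acceptor credentials for {info.get("failed_name")} were available '
            f'to OS user {info.get("os_user")}; check cred_v2 and the PSE under '
            f'SECUDIR={info.get("secudir", "<not traced>")}')
    traced = info["params"].get("snc/identity/as")
    configured = profile.get("snc/identity/as")
    if traced and configured and traced != configured:
        findings.append(
            f"snc/identity/as differs: trace has {traced}, profile list has {configured}")
    for name, value in sorted(profile.items()):
        insecure = name.startswith("snc/accept_insecure_") or name == "snc/permit_insecure_start"
        if insecure and value == "1":
            findings.append(f"{name}=1 permits unprotected (non-SNC) communication")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_snc_init(SAMPLE_TRACE), SAMPLE_PROFILE):
        print("-", finding)
```
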


"GSS-API(maj): No credential were supplied"


Hi all,

 

 

We are making a proof of concept on SSO on ABAP (SAP-GUI + web) via SAP Secure Login Client and SPNEGO for ABAP.

All YouTube video configurations have been performed. You know: Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube (and so on).

 

 

When I try to logon on via SAP-GUI I get a: "GSS-API(maj): No credential were supplied Unable to establish the security context target="p:CN=SL-service-user@xyz.com"

 

 

The SNCAX_TEST programs works fine on the above service-user (defined in SPNEGO).

Service-user defined in SAP-GUI (SNC)

The end user in SU01 has been updated on SNC with the token name from the SAP Secure Login Client

 

Method: SncPEstablishContext

System call gss_init_sec_context

 

I have looked into SAP notes (error codes etc.) + googling this and other communities without luck.

 

All your input/help is very welcome.

 

Thanks in advance

Peter

Can't get SSL Authentication to work


Our SAP server is supposed to call an external web service, which requires authentication via an SSL certificate. So in STRUST I have created a new client certificate, which has been imported on the external server. Also we have received the server's certificate, which has been added to this new entry in STRUST.

 

In SOAMANAGER I have set this new STRUST entry to be used for authentication at the web service provider.

 

Now when our SAP machine calls the remote web service, authentication fails.

In the ICM logs the following error messages are given:

 

[Thr 140543812142848] SecuSSL_SessionStart: SSL_connnect() failed  (536875072/0x20001040)

[Thr 140543812142848]    => "SSL API error"

[Thr 140543812142848] >>            Begin of Secu-SSL Errorstack            >>

[Thr 140543812142848] 0x20001040   SAPCRYPTOLIB   SSL_connect

[Thr 140543812142848] SSL API error

[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140543812142848] 0xa0600266   SSL   ssl3_read_bytes

[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140543812142848] <<            End of Secu-SSL Errorstack

[Thr 140543812142848]   SSL_get_state()==0x21d0 "SSLv3 read finished A"

[Thr 140543812142848]   No certificate request received from Server

[Thr 140543812142848]   SSL NI-hdl 401: local=10.156.32.11:62224  peer=10.206.58.12:16101

[Thr 140543812142848] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd2d0099410)==SSSLERR_SSL_CONNECT

 

Any ideas what we might be missing here?

Configure SSO on SAPGUI for html (webgui, no portal)


As I did not receive any reply on my earlier post, re-posting my question in simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.

Failover configuration on SLS - how to set the Profile ID (GUID)?


Hi Experts,

 

With Secure Login Server you have two choices for how to deploy the client policy. One is to use "dynamic" policy download by only distributing the PolicyURL to the Secure Login Client, where the client can then download the latest Secure Login Client profiles (ProfileDownloadPolicy). Another way is to use the "static" policy contained in the ProfileGroup registry file you can download from the SLS.

 

To achieve high availability/failover we recommend our customers to use at least two Secure Login Servers. Given the fact that I now have two Secure Login Servers, in the Client Authentication Profile -> Secure Login Client Settings I have to add two enrollURLs. I would assume on each SLS there is a different GUID or Policy ID generated, right? This is the failover configuration for the Secure Login Client. If the first Enroll URL cannot be established, the Secure Login Client tries the next Enroll URL defined.

 

Example: One enrollURL0 (primary SLS) and enrollURL1 (second SLS).

 

While adding an enrollURL I am only able to set Protocol, Hostname, Port and Version of the Secure Login Client. Where can I define the ID of the Profile?

One first needs to set up the second SLS, get the Profile ID and add this to the policy configuration on the primary server, but there is no way to do so.

 

Example in the ProfileGroup_<ProfileGroupName>.reg (or after downloading the Policy from the primary server - will be contained):

 

"enrollURL0"="https://<server1>:<port>/SecureLoginServer/slc2/doLogin?profile=a584209c-5de8-4bf7-85da-58d1cf3b1072"
"enrollURL1"="https://<server2>:<port>/SecureLoginServer/slc2/doLogin?profile=a584209c-5de8-4bf7-85da-58d1cf3b1072"

Now I have to change the Profile ID (GUID) of the enrollURL1 manually to match the correct Profile ID of the second Secure Login Server.

 

My question is, have I missed something or is a failover configuration only possible by manually modifying the registry file downloaded from the SLS and replacing the GUID with the right value?

 

Please let me know.

 

Regards,

Carsten
