Quantcast
Channel: SCN : Popular Discussions - SAP Single Sign-On
Viewing all 1248 articles
Browse latest View live

Cross Domain Authentication via SPNEGO

May 21, 2012, 6:36 am
$
0
0

Hello,

 

I have succesfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunatelly the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in dthe Secure Login Servers UME)

 

But we have 4 domains in a forrest..So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of  the forest # it doesn#t matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the #Kerberos Realm# step of the wizard you should provide  information only for the domain where you have created the service user for the J2EE Engine

..I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunatelly it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

Search

Import of SAP Server Certifiacte in SNC X.509 method

July 13, 2012, 9:17 am
$
0
0

Hello,

 

We are in proces of implemeneting SAP NW SSO for SAP GUI with SAP ECC Systems.

As per the Secure Login Library Guide, we have extracted Secure Login Library file in desired locatoin and set the profile parameters as mentioned in Guide.

 

Now we are configuring the SNC X.509 Configuartion, and it says to import the SAP Sever Cerificate using Tx : STRUST.

 

Form where to get the SAP Server Certificate, we have created PSE suing Tx : STRUST which apprears in OS level in structure /usr/sap/SID/DVEBMGS<>/sec .

 

We are stuck in this step, we are not able to import the SAP Server Certifiacte.

 

After the completion of X.59 Certificate, we would be going ahead with SNC Kerberos Configuration.

 

 

Please provide suggestions an inputs.

 

Regards,
Deepak

SPNego ABAP

April 1, 2013, 9:27 am

SPNego on Abap

May 31, 2013, 12:17 pm
$
0
0

Is SPNego for Abap available without purchasing  the Netweaver Single Signon product?  

 

Thanks,

Rob Wagener

SNC does not work on additional application servers

June 13, 2013, 7:33 am
$
0
0

Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know how what the problem might be?

 

Regards

Andreas

SAP NetWeaver Single Sign-On Between NW 7.0 and NW 7.3

July 22, 2013, 11:51 pm
$
0
0

Hi All,

 

Any one have the document for Sign-On Between NW 7.0 and NW 7.3. Please share.

 

Regards,

Surendra.

SSO Implementation using SAPNEGO with X.509 certificates

January 9, 2013, 12:53 am
$
0
0

Hi,

We are trying to implement sso for portal using SAPNEGO method with X.509 certificates,All configuration is done but after installing secure login client along with installing certificate and profiles from secure login server,We do not see any X.509 certificate option in Secure login client,We see only Kerberos certificate option?

Can someone please help us with it?

How to bypass the standard SAP Netweaver Logon screen?

August 29, 2013, 11:04 am
$
0
0

Hi SSO and SAML2 experts,

 

 

We have several SAP Enterprise Portal systems. The SSO configuration is setup using SAML2, with the Portal as SAML2 service provider
and Touchstone as identity provider. When users click on link https://<server>:port#/irj/portal, they will see the SAP Netweaver Login screen with an Identity Provider box (which is Touchstone in our case). Once the user click on "continue" button at the signup screen, he/she will be redirected to the Identify Provider (Touchstone) , which is another screen. At that point (the touchstone screen), the user has options either to use a certificate or a Kerberos id, before signing up into the portal.

 

 

My question is this: Is it possible to bypass the initial SAP Netweaver Sign-up screen? In other words, can some thing be done(configurations/custom codes/other creative methods) so users would not be presented with the SAP logon screen, instead go directly to IdP Touchtone screen? The issue here is "user experience". Users need to click on "continue" on the SAP Netweaver login, then being redirected to IdP Touch stone screen, click again, finally land into portal.

 

 

Any feedbacks would be greatly appreciated!

 

 

Best regards,

Qian Kang

qiankang@mit.edu

 

qiankang@mit.edu

Search

SSO using Kerberos for AIX - How?

November 9, 2012, 3:24 am
$
0
0

Hi,

I need to setup SSO in my SAP systems, using Kerberos, so that users from Windows terminals can login to a system using SAPGUI without giving a user/password.

 

I know it is possible because I have seen it somewhere in the past.

 

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about setup where SAP system is on Windows platform, but I cant find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij

SSO login failed by NWBC or ICF services

August 23, 2013, 10:24 am
$
0
0

Hi all,

we are implementing a Single Sign-On 1.0  using kerberos token from Microsoft AD, it work fine by saplogon (AS ABAP- ECC, Solman, GRC NF-e and AC ) and by browser NW CE 7.2 ( AS JAVA- IdM7.2 and SSO 1.0) .

 

During logon by NWBC or other called ICF services by browser, the SSO doesn't work requiring a logon screen . We expected that a SSO working fine and login without require user and password on this cases .

 

If we are enter a user and password on this problem case, the https is  working fine, but we need an automatic login by SSO using kerberos as we set by spnego, SU01 tab SNC and EXTID_DN .

 

Are there any parameter that we have to set on icf services or RZ10 to provide SSO login to solve this issue ? 

 

Thanks in advance,
Rodrigo

Import of SAP Server Certifiacte in SNC X.509 method

July 13, 2012, 9:17 am
$
0
0

Hello,

 

We are in proces of implemeneting SAP NW SSO for SAP GUI with SAP ECC Systems.

As per the Secure Login Library Guide, we have extracted Secure Login Library file in desired locatoin and set the profile parameters as mentioned in Guide.

 

Now we are configuring the SNC X.509 Configuartion, and it says to import the SAP Sever Cerificate using Tx : STRUST.

 

Form where to get the SAP Server Certificate, we have created PSE suing Tx : STRUST which apprears in OS level in structure /usr/sap/SID/DVEBMGS<>/sec .

 

We are stuck in this step, we are not able to import the SAP Server Certifiacte.

 

After the completion of X.59 Certificate, we would be going ahead with SNC Kerberos Configuration.

 

 

Please provide suggestions an inputs.

 

Regards,
Deepak

Secure Login Client X.509 causing Internet Explorer to crash

February 12, 2013, 4:40 am
$
0
0

Hi Community

 

Have any SAP NW SSO members had this issue?:

 

We have installed SAP NW SSO Secure Login X.509 Based Solution according to the Best Practice Guide and it is working fine.

 

However we rolled out the Secure Login Client to +4000 client computers and as soon as we did, we had hundreds of users reporting that 80% of the time that they run Internet Explorer it crashed stating:

 

 

Internet Explorer has stopped working

 

Windows can check online for a solution to the problem

 

* Check online for a solution and close the program

 

* Close the program

 

 

Looking at the problem in detail:

 

Problem Event Name:      APPCRASH

Application name:           iexplore.exe

Fault Module Name:        ntdll.dll

 

 

If a user chooses to check online for a solution, Internet Explorer recovers the browser tab and continues ok, or the same error happens. This is not a situation we can continue with.

 

This is happening 80% of the time to our users when they run Internet Explorer, and we have analysed the Windows Event Viewer logs to verify this.

 

As soon as we remove the Secure Login Client from the client computers this error does not occur at all - again we can see straight away from analysing the Windows Event Viewer Logs.

 

Currently we have had to remove the Secure Login Client from our +4000 client computers so as to ensure this error does not occur - but this means SAP NW SSO does not work for us (we use SAP NWBC and IE to access SAP ABAP systems).

 

Have any other members experienced this issue?

 

Thanks for your help

 

Mark

Cannot read configuration properties.: The specified service name com.sap.security.core.ume.service does not belong to any of the available services

August 16, 2012, 9:45 am
$
0
0

Hi Experts,

 

I am trying to configure my EP NW 7.3 to use LDAP as data source instead UME but in nwa -- Identity Management the fields are empty and shows following message

 

 

Cannot read configuration properties.: The specified service name com.sap.security.core.ume.service does not belong to any of the available services

 

Attached image.

 

Additional AS is right but I don´t want to take changes there until I find the reason for this.

 

Any clue?

 


X.509 Certificate is not available in Brower

September 12, 2013, 10:52 pm
$
0
0

Hello All,

 

For few users X.509 Certificate in not available in Internet Explore due to that they are not able to use WebGui. Though they can use SAP GUI using SSO. Because in Secure Login Client they are enrolled automatically. But the same certificate in not coming up in Brower .

 

Does anybody know the solution? What could be the reason behind this?

 

Kind Regards

Manna Das

How to configure SSO(Single Sign On) in BI?

September 12, 2013, 10:04 pm
$
0
0

Dear Expert,

 

Now I'm using BI 7.x of SAPGUI(7.30).

Please show me the step. How to configure SSO(Single Sign On) in BI?

 

With best regards,

 

Chenna

Search

Configure SSO on SAPGUI for html (webgui, no portal)

September 3, 2012, 11:47 pm
$
0
0

As I did not receive any reply on my earlier post, re-posting my question in simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.

Secure Login Client X.509 causing Internet Explorer to crash

February 12, 2013, 4:40 am
$
0
0

Hi Community

 

Have any SAP NW SSO members had this issue?:

 

We have installed SAP NW SSO Secure Login X.509 Based Solution according to the Best Practice Guide and it is working fine.

 

However we rolled out the Secure Login Client to +4000 client computers and as soon as we did, we had hundreds of users reporting that 80% of the time that they run Internet Explorer it crashed stating:

 

 

Internet Explorer has stopped working

 

Windows can check online for a solution to the problem

 

* Check online for a solution and close the program

 

* Close the program

 

 

Looking at the problem in detail:

 

Problem Event Name:      APPCRASH

Application name:           iexplore.exe

Fault Module Name:        ntdll.dll

 

 

If a user chooses to check online for a solution, Internet Explorer recovers the browser tab and continues ok, or the same error happens. This is not a situation we can continue with.

 

This is happening 80% of the time to our users when they run Internet Explorer, and we have analysed the Windows Event Viewer logs to verify this.

 

As soon as we remove the Secure Login Client from the client computers this error does not occur at all - again we can see straight away from analysing the Windows Event Viewer Logs.

 

Currently we have had to remove the Secure Login Client from our +4000 client computers so as to ensure this error does not occur - but this means SAP NW SSO does not work for us (we use SAP NWBC and IE to access SAP ABAP systems).

 

Have any other members experienced this issue?

 

Thanks for your help

 

Mark

SAP Portal 7.3 SPNego and NWBC SSO with ECC

May 1, 2013, 7:49 pm
$
0
0

Wanted your expert opinion on something. We have using NWBC 4 and got Portal 7.3 in our landscape. We have established SPNego for IE single single on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this been a massive hunt for right solution.

 

SAP Netweaver SSO is obvious solutions, but seems it involves some licence cost. Other option was to redirect NWBC to Portal and then back using redirect app as described in this note.

Question is, what is best way forward, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in we are able to see web page of /nwbc page instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdfNote 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

How to create SSO Login for SAP Webgui HTML based on Windows

September 4, 2013, 3:02 pm
$
0
0

Experts,

 

Please advise  the best process to create SSO Login for SAP Webgui for operating system Windows 2008 R2. Currently using Widows Active Directory or LDAP.

[SPNego] 401 - Unauthorized

October 13, 2011, 7:24 am
$
0
0

Hi,

 

We're currently in the process of enabling SSO using SPNego on our 7.02 SP07 Portal.

We are using the new SPNego wizard that commes with the SP06.

 

Let's say our portal has of the following address: DEVPORTAL.SYSTEMS.GROUP.CORP

The Portal has an UME pointing to an ABAP backend system.

 

As our users come from another Ms Active Directory (there is 1 AD for users, 1 other for systems), the service user we created is: j2ee_portal @USERS.GROUP.CORP

 

After activation of the Kerberos Realms USERS.GROUP.CORP and the set up of the LoginModuleStack in Visual Administrator, I can see the Negotiate Header using Firebug but the SSO won't work (401 Error - Not authorized), the logon plays is displayed instead.

 

The log shows the following:

 

doLogon failed 
[EXCEPTION]
 com.sap.security.core.logon.imp.UMELoginException     at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)     at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)     at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)     at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)     at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)       ...

 

 

Could you, please, advise?

Many thanks in advance.

 

Best regards,

Guillaume

Viewing all 1248 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>