Channel: SCN : Popular Discussions - SAP Single Sign-On

SAP Netweaver Single Sign On 1.0 Download Link


SPNEGO (abap) configuration


Hi,

 

I am trying to configure SSO for GUI and web through the spnego transaction (ABAP) and Secure Login Client installation on workstations.

 

Steps I followed:

abap profile parameters:


snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/enable = 1
snc/gssapi_lib = E:\usr\sap\DEV\DVEBMGS00\SSL\sapcrypto.dll
snc/identity/as = p:CN=SAPServiceSID@domain
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1


spnego/enable = 1
spnego/krbspnego_lib = E:\usr\sap\SID\DVEBMGS00\SSL\sapcrypto.dll

 

sapgenpse creation commands:

 

sapgenpse get_pse -p e:\usr\sap\SID\DVEBMGS00\sec\SID_SNC.pse -noreq -x passwordnew "CN=SAPServiceSID@domain"

sapgenpse seclogin -p e:\usr\sap\SID\dvebmgS00\sec\SID.pse -x passwornew -O sidadm@domain
sapgenpse seclogin -p e:\usr\sap\SID\dvebmgS00\sec\SID_SNC.pse -x passwordnew -O SAPServiceSID@domain

 

then spnego transaction to add credentials for SAPServiceSID@domain user

and strustsso2 to add SID_SNC pse as SNC pse (and add to certificate list)

 

Then map username from (su01) to domain user.

 

On workstation installed secure login client 2 (latest patch) and change sapgui to use snc

 

However I get error for SAPgui logon: gss-api (maj:No credentials were supplied. unable to establish the security context target="p:CN=SAPServiceSID@domain"

and also either web sso is working.

 

Please assist.

 

Best Regards.



bypass the end-user having to select the cert/token the first time they use SSO?


Hello, I think this is in the right place. Does anyone know if there is a way to bypass the end-user having to select the cert/token the first time they use SSO? We have scripted the install of the SLC-2.x as well as moving over a new saplogon.ini that enables SSO. However, it's not fully unattended, as the first time they open it, they get a prompt to pick a cert. We have about 30 on the list; they have to scroll all the way down to click the Kerberos token with their user name.

 

Thanks!

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME)

 

But we have 4 domains in a forest. So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

..I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

NW SSO - Secure Login Client - issue with X.509 certificates


Good Morning,

we have this problem with Netweaver Single-Sign-On(1.0 SP4 PL4):

 

1) Secure Login Client receives Kerberos ticket but doesn't download X.509 certificate from server (and we don't know why)

2) In Secure Login Client Notification Viewer there are no apparent errors (view screenshot)

3) Our scenario is this:

  • Secure Login Server on an AS JAVA installed on SLES11 (64bit) with SPNEGOLoginModule
  • Secure Login Client installed with a SAP GUI on a Windows Server 2008 R2 (64bit)
  • AS ABAP installed on a Red Hat Enterprise Linux Server 6.3 (64bit)
  • Microsoft Active Directory Server installed on Windows Server 2008 R2 (64bit)


We installed ROOT_CA and customer.reg from Secure Login Server in the client host. We used https with “Secure Login Server FQDN” and port 50001.

We tried to listen on the Secure Login Server with tcpdump to see if some request was coming from it but nothing appeared.

NW SSO support for windows 8.1


I am trying to get some official documentation around support of NW SSO 1.0 / 2.0 with Windows 8.1. On the PAM for NW SSO 1.0/2.0, I can see support for Windows 8. Considering that Windows 8.1 was officially released recently, will it be supported as well and when?

 

Thanks in advance.

SSO Between .NET web Application and SAP EP


Dear All.

 

We have a requirement wherein we want SSO between a custom .NET web application and our SAP Enterprise Portal.

 

Here user would be able to directly login to the EP from web Application.

 

Is it possible to do so?? If yes Then How??

 

Thanks

 

Sumit

Configure SSO via Kerberos/SPNEGO for SAP IDM 7.2


Hello,

 

we want to configure our SAP IDM 7.2 system with SSO via Kerberos/SPNEGO.

I have configured SPNEGO accordingly as described here:

http://help.sap.com/saphelp_nw73ehp1/helpdata/EN/4a/3fc8279c09044fe10000000a421937/content.htm

 

However SSO is not working - it still prompts for username and password.

 

I have made exactly the same steps for our PI system's JAVA stack and there it is working as designed. The only difference I see is that for PI there was a PI specific configuration required how to enable SSO for PI.

I cannot find this information for SAP IDM 7.2.

 

My question is: In order to configure SSO for SAP IDM 7.2, is there anything else required besides configuring SPNEGO?

 

Help is highly appreciated.

 

Kind regards,

Sebastian


SAP SSO between Windows & SAP users:


Hi all experts,

 

Really need your help in configuring SAP SSO between Windows 2008 R2 ADS & SAP Users.

 

I followed all the steps provided in SAP NW SSO SP4 SLL document from SAP.

But I got stuck at a couple of steps; the major part is that our ADS Administrator doesn't want to edit the SPN for the Kerberos user,

instead he suggested to use either RC4 or AES256.

 

During the SNC setup, I am facing the below error in the dev_w0 file:

 

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll
N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]
N        GSS-API(maj): No credentials were supplied
N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"
N  SncInit(): Fatal -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

 

 

Below is SNC Status:

 

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe
Using command 'status -v', call with -h to see more commands
------------------------------------------------------------------------------
------------ status -------------------------------------------------------
------------------------------------------------------------------------------
Product version      : Secure Login Library 1.0 SP 4:
CryptoLib                 : 8.3.7.5
                                  : windows-x86-64
GSS library               : available
GSS library name    : secgss.dll
PSE directory           : (existing) E:\usr\sap\SID\DVEBMGS00\sec
PSE file                     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip
STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2
SNC config file        : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml
PSE accessible        : yes
PSE logged in          : yes
PSE credentials      : MasterPassword SystemDefault
Kerberos keyTab    : 12 entries
SAP/ServiceSID@<fqdn>.com (KeyType DES)
SAP/ServiceSID@<fqdn>.com(KeyType AES128)
SAP/ServiceSID@<fqdn>.com(KeyType AES256)
SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SAP/ServiceSID@<fqdn>.com(KeyType DES)
SAP/ServiceSID@<fqdn>.com(KeyType AES128)
SAP/ServiceSID@<fqdn>.com (KeyType AES256)
SAP/ServiceSID@<fqdn>.com (KeyType RC4)

SAP/ServiceSID@<fqdn>.com  (KeyType DES)
SAP/ServiceSID@<fqdn>.com  (KeyType AES128)
SAP/ServiceSID@<fqdn>.com(KeyType AES256)
SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SNC keys registered :  0 entries
Trusted certificates:
in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

 

Quick response really needed as pressure increased.

 

Thanks and Regards

 

Ahsan.

Kerberos/GSS API changed from RHEL to RHEL6?


Hello Experts,

 

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO. All I get is a funny error popup "SAP System Message: S".

 

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

 

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]
N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]
M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]
M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1
M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]
M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1
snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/extid_login_diag = 1
snc/permit_insecure_start = 1
ssf/name = SAPSECULIB

 

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1
krb5-libs-1.6.1-70.el5
krb5-libs-1.6.1-70.el5
krb5-workstation-1.6.1-70.el5
libgssapi-0.10-2
pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
krb5-libs-1.10.3-10.el6.x86_64
krb5-workstation-1.10.3-10.el6.x86_64
libgssglue-0.1-11.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64

 

Any info is much appreciated.

 

Andreas Niewerth

NW7.3.1 Portal Single Sign On Using Kerberos and Windows AD 2008


Dear Portal Gurus,

 

I humbly come to you with a question that I know has been asked repeatedly, but I have spent days wading through SCN and Notes to no avail.

 

Our requirement is for users to log in to their Windows workstation with their Microsoft Active Directory 2008 userid and password, click on a URL to the SAP Enterprise Portal 7.3 Enhancement Pack 1 support stack 004, and be automatically authenticated to the portal, backend BW 7.3.1.4.

 

  • We have SCN working with the Sapgui to the same BW ABAP using kerberos
  • We have configured SPNEGO in NWA and it shows green.
  • SSO Logon tickets work correctly between NW Portal and BW.
  • ABAP is UME and validates ok
  • Maintained connector properties in system landscape alias for SNC
  • Made sure IE8 options for security is enabled for Windows Authentication
  • Users are enabled for SCN in SU01 in the ABAP
  • Restarted SAP and J2EE and cleared IE browser cache and restarted.. many times on many PCs

 

Still, when we specify http://server:50000/irj the portal is still requiring users to log in. Again, the user can log in automatically to the BW ABAP system in Sapgui, but the requirement is for them to be automatically logged into the SAP portal.

 

Is this possible? I am beginning to wonder. If you have accomplished this and can share what we may be missing, I would be so grateful and wish much good karma to you!

 

Lee Lewis

SAP Web Dispatcher on a server with IIS


Hello,

 

I have a Microsoft Server Windows Server 2003 Enterprise x64 Edition. IIS v 6.0 is installed on this server. I installed SAP Web Dispatcher x64 version (sapwebdisp_sp_519-20004013.sar), created and started a service for it. The results that I get are:

 

The Page cannot be found

 

HTTP Error 404 - File or Directory not found

Internet Information Services (IIS).

 

If I look at the logs it shows that I am getting a 404.3, which means that it cannot find the MIME type for the URL that I am using. This is:

 

http://<server_name>/sap/crm_logon (where crm_logon is an alias to the location of the crm_ui_start service on the SAP server).

 

Within IIS I have created a new MIME type *, application/octet-stream, as I have read, for the website. I have restarted WWW Publishing service. It still does not work.

 

I would like to know what MIME type this could be looking for, or, if in fact, you cannot have IIS and web dispatcher on the same server.

 

I am ultimately trying to have an HTTPS URL arrive at the web dispatcher, switch protocol to HTTP and then carry on to the backend SAP system.

 

I am not well versed in Internet security etc, but all I am reading is telling me that I cannot enable SSL on a server to begin with unless I have IIS or Apache etc.

 

Any help would be appreciated,

 

Thanks

Stuart Banner

Custom ClientCertLoginModule Certificate Check


Our objective :

I am using a client certificate to identify a proxy server to the SAP Portal. The SAP ClientCertLoginModule does this, but it uses it to identify the user. I just want to use a client certificate in order to lock down access from a proxy server to the Portal (7.3).

 

The SAP module works, but it assumes the user identity is part of the certificate and won't let me change the user to a header variable that is on the request. I've created a custom login module based on the ClientCertLoginModule that currently exists in the SAP Portal (7.3) as per our other requirements.

 

When calling the callbackHandler, I'm not getting the client certificate from the request. When I use the SAP provided login module ( ClientCertLoginModule ), it brings back the client certificate from the request.

 

Here is sample code:

-----
X509CertificateChainCallback clientChainCallback = new X509CertificateChainCallback();
callbackHandler.handle(new Callback[] { clientChainCallback });
tempCerts = clientChainCallback.getCertificateChain();
-----

tempCerts comes back null. It should have a client certificate.

 

I know that there is a client certificate in the request. When I use my code it comes back without the client certificate in the request. Does anybody have any idea why I'm not getting the client certificate in the request? Below is the result of the SAP ClientCertLoginModule.

 

1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      OPTIONAL    ok          true                  true    

#1 Rule1.AttributeName = O

#2 Rule1.filterSubject = CN=wssoproxytest, O=CompanyName

#3 Rule1.getUserFrom = SubjectName

 

It finds the client certificate when using the SAP ClientCertLoginModule.

 

When I try my custom ClientCertLoginModuleTest code, it doesn't find the certificate.

I have looked in the SCN forums; I did not find how to check whether the certificate is available or not.

 

Thanks Mark

SSO to SAP EP


Hi,

 

We have a SAP EP (7.3) system integrated and SSO configured with backend SAP R/3 (ehp4).

 

Now we need to allow the customer to open our SAP portal  from within their portal. Means that We need to establish SSO with their portal. They use standard SSO techniques, including SAML on their portals.

 

What method I can implement for this?

 

 

 

Regards,

Eben Joyson

NW SSO 2 - Secure login client - logon using client certificate


Hello,

 

Our customer has existing PKI (client certificates) which they want to use to logon to Secure Login Server using “heavy” Secure Login Client (not web client) for employees.

Their reasons are:

  1. They want to have two factor authentication (PIN for X.509)
  2. Somebody had this idea…
  3. They want to check CRL for existing PKI certificates
  4. They have a bunch of “old” ABAP systems they don’t want to upgrade to version supporting CRL check directly on SNC handshake

Based on documentation I’ve told them, that UME authentication is possible. Finally I’ve found in installation guide, that only basic authentication is supported with UME and Secure Login Client which is installed locally on the PC.

 

I think that following questions are for developer of Secure Login Client.

  1. Is it possible to use another client certificate (I don’t know which object/framework is used for SSL communication) to establish communication between Secure Login Client and Secure Login Server over HTTPS?
  2. Would it be possible to use new value for parameter pseType to make Secure Login Client to not prompt for username/password and just establish SSL with client certificate?

 

PS: I’m currently trying to configure workaround using Kerberos (SPNego) configuration but with Authentication configured for X.509 certificate.

 

Best Regards,

Honza Vrzak


Feature, bug or missing setting?


I have noticed that SAP GUI users seem to be able to continue to single sign on through the GUI even after their users have been locked. This could be due to the fact that the client certificate issued by the server to the secure login client is still valid, but my question is whether the behaviour is intended or whether it is a bug?

 

When the secure logon client is facilitating the logon to the SAP server, is it using the RFC gateway directly to the SAP system? Does this mean that this should be considered in the ACL for the RFC gateway?

 

Best regards,

Anders

SAP Portal as identity provider configuration with SAML 2.0


Hi Experts,

 

We have a problem in configuring sap portal as identity provider. We are using SSO with SAML 2.0 method in our scenario to configure the SAP portal as identity provider. During the configuration of identity provider with SAML 2.0 enabling, I found there is no selection for our configuration of this portal as identity provider and it only defaults the configuration as service provider after saving. You should see the difference from the two screenshots below.

 

Screenshot 1: there is no selection of identity provider or service provider selection on the initial screen in our portal. After configuration, it will default as service provider and will not be modifiable.

1.png

 

Screenshot 2: I found the different configuration page in another place, which contains the operational mode selection.

aaa.png

 

Our portal version is NW 7.31. With pre-requisites, we have installed identity management with federation software. My user is also assigned with ADMINSTRATOR role and SAML2_SUPERADMIN role. Do you have any idea of what is going wrong or missed checking?

 

thanks,

 

Best regards,


Xian' an

Configuration LDAP and SSO in NW 7.3 Portal


Hi Guys,

 

I have doubts about setting LDAP as data source for Netweaver Portal 7.3. With this configuration, can Windows users log on to SAP portal without typing their password again? Do I have to set up Kerberos also?

If you have some guides, could you send them to me please.

My LDAP will be Windows Active Directory. Also, if I choose read only, does that mean that the Portal will only read users from AD (including new users after configuration?)

Regards,

Andy

SSO using Kerberos for AIX - How?


Hi,

I need to setup SSO in my SAP systems, using Kerberos, so that users from Windows terminals can login to a system using SAPGUI without giving a user/password.

 

I know it is possible because I have seen it somewhere in the past.

 

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talked about setup where SAP system is on Windows platform, but I can't find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij

Kerberos tokens and SNC RFC - Server certificate not trusted


Hi all,

 

I am trying to configure a scenario using SAP NW SSO 2.0 in which users authenticate using SNC with Kerberos tokens to system A, and system A communicates with system B using SNC RFC.

As described in the implementation guide:

 

for_scn.jpg

 

SNC with kerberos on system A works perfectly. I've configured the SNC identity as described in the guide - CN=SAPServiceABC, OU....

 

On system B, I've configured snc with identity CN=SID, OU....

On system A gssapi_lib is set to the secure login library, and on system B it is set to the SAPCRYPTOLIB.

 

I've imported system A certificate from SNC SapCryptolib PSE into trusted certificates of system B  SNC SapCryptolib PSE. I've also added system A to SNC ACL table of system B.

 

Eventually, I created an RFC destination with SNC from system A to System B. But when I the RFC I get the following error:

A2200210: Peer certificate verification failed.

In SLLTrace, I see the following:

[KERBEROS] [6808] ERROR(0xA2600202) in KERBEROS-> sec_kerberos_ClientGetTicket(): No kerberos ticket for requested service

[GSS][6808] Cli-40000003: Server certificate not trusted

[GSS][6808] Cli-40000003: <- Msg 1993ServerHello     process failed: errval=d0000, minor_status=a2200210

 

Seems like I'm missing something with configuring the trust between the systems, But I can't seem to find it.

 

I would really appreciate your help on this.

 

Thanks,

Ilia Medvedev.
