Channel: SCN : Popular Discussions - SAP Single Sign-On

spnego authentication logs


Hello experts, we have enabled desktop SSO using SPNEGO on the portal (NW 7.3 EHP1 SP7), but could not find authentication logs in the security audit log showing whether a user has successfully logged on or not.

 

Where can we check whether a user has successfully logged on using SSO? If we log in with a password we can find an entry with "login ok" for the user ID, but for SSO there is no entry.

 

Thanks,

Siddharth


SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNEGO for IE single sign-on to the Portal. We also have SNC entries with SAP GUI to manage ECC SSO using SAP GUI.

We want to extend this to NWBC SSO for ECC, but this has been a massive hunt for the right solution.

 

SAP NetWeaver SSO is the obvious solution, but it seems to involve some licence cost. The other option was to redirect NWBC to the Portal and then back using the redirect app as described in this note.

The question is, what is the best way forward, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC in NWBC 4.0.

 

Thanks a lot for your time.

 

Attachments: Note 1250795 - Redirect appliction NWBC.pdf; Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

SSO to SAP EP


Hi,

 

We have an SAP EP (7.3) system integrated with, and SSO configured to, a backend SAP R/3 (EHP4) system.

 

Now we need to allow the customer to open our SAP portal from within their portal. This means that we need to establish SSO with their portal. They use standard SSO techniques, including SAML, on their portals.

 

What method can I implement for this?

 

 

 

Regards,

Eben Joyson

Configure SSO via Kerberos/SPNEGO for SAP IDM 7.2


Hello,

 

We want to configure our SAP IDM 7.2 system with SSO via Kerberos/SPNEGO.

I have configured SPnego accordingly as described here:

http://help.sap.com/saphelp_nw73ehp1/helpdata/EN/4a/3fc8279c09044fe10000000a421937/content.htm

 

However SSO is not working - it still prompts for username and password.

 

I have done exactly the same steps for our PI system's Java stack, and there it works as designed. The only difference I see is that for PI there was a PI-specific configuration describing how to enable SSO for PI.

I cannot find this information for SAP IDM 7.2.

 

My question is: in order to configure SSO for SAP IDM 7.2, is there anything else required besides configuring SPNEGO?

 

Help is highly appreciated.

 

Kind regards,

Sebastian

SNC does not work on additional application servers


Hi,

 

I have set up quite a few servers to connect with SSO to ABAP stacks. It is not a problem when it is a single-instance system, but I struggle with distributed systems. The central instance will start without a problem, but the additional dialog instances (on different servers) do not start and I have to disable SNC on those servers. The error is always:

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of snc.exe from the central instance and the app server to this post. Irrespective of whether I use the (replicated) PSE on the app server or the one on the central instance (via the SECUDIR variable), SNC cannot log in to the PSE.

 

Does anyone know what the problem might be?

 

Regards

Andreas

The SSL server certificate does not contain the domain name of the server

Hello Community,
I installed, for testing purposes, a NetWeaver 7.4 with SAP NetWeaver Single Sign-On 2.0.
I configured the scenario for X.509 certificates.
On the SSO server under Configuration - SSL I configured HTTPS.
In the server identity, the certificate credentials look like:
---
Subject name                : CN=ssoserver.domain.de,C=DE
Issuer name                 : CN=ssoserver.domain.de,C=DE
---
So I installed this certificate. But my SAP Secure Login Client now comes up with this error message when I try to request my X.509 cert:
The SSL server certificate does not contain the domain name of the server
So, as you can see, the domain name is included in this cert. I am not that much of an SSL specialist: is it right to define the certificate this way, or must it look different?

I hope someone can assist here.

Kind Regards
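
The message the Secure Login Client shows is a hostname-verification failure: a TLS client compares the host name it actually connected with (the one in the profile's server URL) against the names in the certificate. Modern clients take those names from the subjectAltName dNSName and iPAddress entries and treat a CN-only certificate like the one above as a legacy case, or refuse it outright; and a short host name or an IP address in the URL never matches a CN of ssoserver.domain.de, however correct the CN is. The following is an added example, not code from the post or from SAP, that implements those matching rules so a certificate's names and a connect name can be checked against each other offline. The certificate values in POST_CERT are taken from the post; the SAN entries and the address 192.0.2.10 in FIXED_CERT are assumed values for comparison.

```python
"""Hostname matching the way a TLS client does it (RFC 6125 rules), to check a
server certificate against the name the client really connects with."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerCert:
    """Only the name-bearing parts of a server certificate (simplified model)."""
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard may only be the whole leftmost
    label and needs at least two more labels so it cannot cover a public suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: ServerCert, connect_name: str,
                   allow_cn_fallback: bool = True) -> Tuple[Optional[str], str]:
    """Return (matched_by, reason). matched_by is 'san_dns', 'san_ip', 'cn', or
    None when a client would report that the certificate does not contain the name."""
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal can only be matched by an iPAddress SAN entry, never by the CN.
        for entry in cert.san_ip:
            if ipaddress.ip_address(entry) == ip:
                return "san_ip", f"iPAddress SAN {entry} matches"
        return None, f"{connect_name} is an IP literal but no iPAddress SAN entry matches"
    if cert.san_dns:
        # Once any dNSName SAN is present, the subject CN is ignored entirely.
        for pattern in cert.san_dns:
            if dns_name_matches(pattern, connect_name):
                return "san_dns", f"dNSName SAN {pattern} matches"
        return None, f"dNSName SAN entries {cert.san_dns} present, none matches {connect_name}"
    if allow_cn_fallback and cert.subject_cn and dns_name_matches(cert.subject_cn, connect_name):
        return "cn", "matched subject CN only; clients that require a SAN still reject this"
    return None, f"no SAN and subject CN {cert.subject_cn!r} does not match {connect_name}"


# Taken from the certificate shown in the post: CN only, no subjectAltName.
POST_CERT = ServerCert(subject_cn="ssoserver.domain.de")
# Assumed shape of a reissued certificate that also carries SAN entries.
FIXED_CERT = ServerCert(subject_cn="ssoserver.domain.de",
                        san_dns=["ssoserver.domain.de", "ssoserver"],
                        san_ip=["192.0.2.10"])

if __name__ == "__main__":
    for cert in (POST_CERT, FIXED_CERT):
        for name in ("ssoserver.domain.de", "SSOSERVER.domain.de", "ssoserver", "192.0.2.10"):
            print(f"CN={cert.subject_cn} SAN={cert.san_dns + cert.san_ip} vs {name}: "
                  f"{match_hostname(cert, name)}")
```

Run it with the exact host string from the Secure Login Client profile's server URL as connect_name; the first thing to compare is whether that string is the FQDN, the short name, or an IP, because only the FQDN can match the certificate shown in the post, and even that match is the CN-only fallback that strict clients refuse.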

Configure SSO between EP and BO


Hi,

 

Can anybody provide the full steps for SSO (single sign-on) configuration between Enterprise Portal and BusinessObjects?

 

We have a

Portal - Version Installed  : NW 7.3 SP 7 and

BO - Version Installed : BOBJ 4 SP 4

 

Appreciate quick response.

 

Thanks,

Kundan

Custom ClientCertLoginModule Certificate Check


Our objective :

I am using a client certificate to identify a proxy server to the SAP Portal. The SAP ClientCertLoginModule does this, but it uses the certificate to identify the user. I just want to use a client certificate in order to lock down access from a proxy server to the Portal (7.3).

 

The SAP module works, but it assumes the user identity is part of the certificate and won't let me change the user to a header variable that is on the request. I've created a custom login module based on the ClientCertLoginModule that currently exists in the SAP Portal (7.3) as per our other requirements.

 

When calling the callbackHandler, I'm not getting the client certificate from the request. When I use the SAP provided login module ( ClientCertLoginModule ), it brings back the client certificate from the request.

 

Here is sample code:

-----
// Ask the login module's CallbackHandler for the client certificate chain
// that the HTTP provider attached to the request.
X509CertificateChainCallback clientChainCallback = new X509CertificateChainCallback();
callbackHandler.handle(new Callback[] { clientChainCallback });
// null here means no chain was handed to this login module.
tempCerts = clientChainCallback.getCertificateChain();
-----

tempCerts comes back null. It should have a client certificate.

 

I know that there is a client certificate in the request. When I use my code it comes back without the client certificate in the request. Does anybody have any idea why I'm not getting the client certificate in the request? Below is the result of the SAP ClientCertLoginModule.

 

1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      OPTIONAL    ok          true                  true    

#1 Rule1.AttributeName = O

#2 Rule1.filterSubject = CN=wssoproxytest, O=CompanyName

#3 Rule1.getUserFrom = SubjectName

 

It finds the client certificate when using the SAP ClientCertLoginModule.

 

When I try my custom ClientCertLoginModuleTest code, it doesn't find the certificate.

I have looked in the SCN forums, but I did not find how to check whether the certificate is available or not.

 

Thanks, Mark


Configure SSO on SAPGUI for html (webgui, no portal)


As I did not receive any reply to my earlier post, I am re-posting my question in a simplified way.

 

Dear All,

 

I have to configure SSO for SAP GUI for HTML from the client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and the client PCs are usually running Windows 7. Referring to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Question: would SSO between the Web AS running on HP-UX 11.31 and a client PC on Windows 7 using X.509 certificates be possible without any third-party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAP GUI for HTML. Is there any other resource/blog that could help with this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.

ADFS as Identity Provider for SAP systems


We have a mixed setup of IIS web servers and SAP systems that our users need to access through a browser. We would like to give our desktop users a single sign-on experience so that they do not have to log on to SAP systems when they access them through the browser, as they are already accustomed to this on the Microsoft side through the setup of Kerberos. We have found that the best way to implement this scenario is to use the SAP logon ticket as the logon mechanism on the SAP side. Basically the users should click on a link which points to the redirect application from SAP note 1250795, which should allow them to log on and, once they have logged on once, should issue a SAP logon ticket.

 

The part mentioned above works flawlessly. We then thought we could give the users an even better experience by allowing them to get authenticated to the system that issues the SAP logon ticket by setting up SAML and using ADFS as an Identity Provider. This can be achieved in various ways, but with a lot of help from Desislava Petkova's guide here we managed to set it up, so that it also works very well. The end result is that the users click on a link, which points to the SAP logon ticket issuing server, which refers to ADFS for authentication and, once authenticated, issues a SAP logon ticket and redirects to the actual link on the requested SAP server. A lot of redirecting takes place behind the scenes, but since the IIS on the ADFS server is set up to use integrated authentication, the Kerberos ticket that the users already have is automatically translated to a SAML assertion, which is accepted on the SAP logon ticket issuing system.

 

For desktop users this works fine. We do however also have a number of users that access SAP from a thin client where the desktop is started with an AD user that has no match in the SAP systems. We would like to have a setup that will make ADFS decide that these particular users will need to use forms login. This does not seem to be trivial to setup, so I would like to know if any of you have a similar use case?

 

Researching a bit with Google, it looks like ADFS may be customized to use an incoming parameter in the HTTP request to decide which type of authentication can be used. I found the following two articles that may support this idea on the ADFS side. The first is this one and the second is this one. Assuming some development could solve the problem on the ADFS side, the only question that remains is whether it is possible by configuration on the SAP side to send a parameter, an authentication context or something similar that could cause ADFS to behave differently for certain users. Would any of you have any suggestions?

 

Very best regards,

Anders
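
In SAML 2.0 the thing the post is looking for is the RequestedAuthnContext element of the AuthnRequest: the SP lists the authentication context classes it will accept, and the IdP chooses a logon method to satisfy them. As documented for ADFS 2.0, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport maps to forms-based logon and urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos to integrated Windows authentication. The example below is added here and is not code from the post, from SAP or from Microsoft; it builds such a request, reads back what was requested, and performs the check an SP must do on the way back, namely that the assertion's AuthnContextClassRef is one of the requested classes (an IdP that silently falls back to a weaker method should not be trusted to have done what was asked). The issuer, ACS and ADFS endpoint URLs, the user name and SAMPLE_RESPONSE are constructed, and the response is unsigned; a real SP verifies the XML signature before looking at any of this. Note that the context is chosen per request, not per user, so steering only the thin-client users to forms logon still needs something on the SP side, such as a separate entry URL, to decide which request to send; whether the NetWeaver SAML SP can be configured for that is the poster's open question and is not settled here.

```python
"""Building and checking a SAML 2.0 AuthnRequest that asks the IdP for a
particular authentication context (the 'parameter' the post asks about)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Standard SAML 2.0 authentication context classes (from the SAML 2.0 authn context spec).
AC_PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"


def build_authn_request(issuer: str, acs_url: str, destination: str,
                        context_classes: List[str], comparison: str = "exact") -> str:
    """Serialise an (unsigned) AuthnRequest. RequestedAuthnContext is only emitted
    when at least one class is requested; without it the IdP picks freely."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if context_classes:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        for cls in context_classes:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")


def requested_contexts(authn_request_xml: str) -> Tuple[Optional[str], List[str]]:
    """What the SP asked for: (Comparison, [class refs]); (None, []) if nothing was requested."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    return rac.get("Comparison", "exact"), [e.text for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]


def asserted_context(response_xml: str) -> Optional[str]:
    """The AuthnContextClassRef the IdP put into the assertion's AuthnStatement."""
    root = ET.fromstring(response_xml)
    ref = root.find(f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    return None if ref is None else ref.text


def context_satisfied(authn_request_xml: str, response_xml: str) -> bool:
    """SP-side check that the IdP authenticated the user the way it was asked to.
    Only Comparison="exact" is implemented; minimum/maximum/better need an ordering
    of classes that the SAML spec leaves to deployment policy. Signature
    verification is out of scope here and must already have happened."""
    comparison, wanted = requested_contexts(authn_request_xml)
    actual = asserted_context(response_xml)
    if not wanted:
        return actual is not None
    if comparison != "exact":
        raise NotImplementedError(f"Comparison={comparison}")
    return actual in wanted


# Constructed, unsigned sample of what an IdP that did Kerberos/IWA would return
# (a real ADFS response carries an XML signature and many more elements).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>desktopuser</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2013-01-01T00:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{AC_KERBEROS}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    # Assumed endpoints: the SP entity ID and ACS, and the ADFS SAML endpoint.
    req = build_authn_request("https://sso.example.test/saml2/sp",
                              "https://sso.example.test/saml2/sp/acs",
                              "https://adfs.example.test/adfs/ls/",
                              [AC_PASSWORD_PROTECTED_TRANSPORT])
    print(req)
    print("forms requested, Kerberos asserted ->", context_satisfied(req, SAMPLE_RESPONSE))
```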

Import of SAP Server Certificate in SNC X.509 method


Hello,

 

We are in the process of implementing SAP NW SSO for SAP GUI with SAP ECC systems.

As per the Secure Login Library guide, we have extracted the Secure Login Library file to the desired location and set the profile parameters as mentioned in the guide.

 

Now we are doing the SNC X.509 configuration, and it says to import the SAP server certificate using Tx STRUST.

 

From where do we get the SAP server certificate? We have created a PSE using Tx STRUST, which appears at OS level in the structure /usr/sap/SID/DVEBMGS<>/sec.

 

We are stuck at this step; we are not able to import the SAP server certificate.

 

After the completion of the X.509 certificate setup, we will be going ahead with the SNC Kerberos configuration.

 

Please provide suggestions and inputs.

 

Regards,
Deepak

bypass the end-user having to select the cert/token the first time they use SSO?


Hello, I think this is in the right place. Does anyone know if there is a way to bypass the end user having to select the cert/token the first time they use SSO? We have scripted the install of SLC 2.x as well as moving over a new saplogon.ini that enables SSO. However, it's not fully unattended, as the first time they open it they get a prompt to pick a cert. We have about 30 on the list; they have to scroll all the way down to click the Kerberos token with their user name.

 

Thanks!

How to restrict user logon with Incorrect Password lock(Lock Status:128) using SSO??


Dear Experts,

 

We have gone live with SSO 1.0 for NW AS ABAP using Kerberos technology on 20+ landscapes this year. Next year we are planning to upgrade to the SSO 2.0 suite.

 

Now we have a question posted by our customers: "Is there any way to restrict the incorrect-password-locked users from doing SSO to AS ABAP?"

 

The reason behind this is to make sure that an account is not the victim of an attack. If users can continue to SSO even though their account is locked due to incorrect passwords, that means there is a possibility of overlooking that their accounts are being attacked.

 

SAP has already treated this as a vulnerability on J2EE servers and released a note to fix this. Is there any possibility of achieving this on the AS ABAP server as well?

 

Hope to hear soon!

 

Regards,

Karthik

Netweaver SSO client profiles not taking effect


Hello,

 

I have installed Secure Login Server and am using it for SSO with SAP GUI.

On the Secure Login Client, I get the profile, but I need to log in every time for it to work.

I am looking to automate this, so that when I log in to Windows the Secure Login Client profile is ready for me to use SAP GUI.

 

These are the steps I have done:

Install Secure Login Server

Perform initial configuration

Generate root & server certificates (X.509)

Install SAPCRYPTOLIB on the target SAP server

Import the PSE into STRUSTSSO2

Configure NWA & Secure Login Admin Console to use AD as my authentication server

Change SNC settings in SU01

Change SNC settings on the SAP GUI entry for my target ABAP system

 

Now I am able to SSO to my target ABAP system. But when I log off Windows and log back in, the SSO profile says "You are not logged in".

So now, every time I log in to Windows, I need to log in to the Secure Login profile too (I am trying to do away with this).

 

Here are a few profile settings I tried, but none work:


pseType

reAuthentication

AutoEnroll

Every time, I generate the CustomerALL.reg file and import it into my registry, but to no avail.

 

Can someone please let me know how to attain the behavior I'm looking for?

 

Thanks in advance.

 

Regards,

Shanser


The right SSO path to choose for - SAP + non-SAP?


Dear All,

 

Our requirement is to enable SSO for the below applications.

 

We have SAP apps - ERP, GRC, HCM, MDM & SRM.

Non-SAP apps - AD, MS Exchange, SharePoint, Lotus Notes

 

From the wiki content and videos available, it seemed that I'm supposed to go with SAP NW SSO 2.0 with X.509 certificates,

i.e., install SAP NW SSO 2.0 using AD as the communication method and let the NW SSO system issue X.509 certificates for authentication.

 

I was reading blogs and found links for SSO between SharePoint & Portal using SAML 2.0.

 

My question: with SAP NW SSO 2.0 (creating X.509 certificates), is it possible to integrate all these components? Am I missing something?

Also, the user IDs are different for different apps. So is mapping supported for different apps?

 

Could you please guide me in the right direction?

 

Thanks

RB


Configuration LDAP and SSO in NW 7.3 Portal


Hi Guys,

 

I have doubts about setting LDAP as the data source for NetWeaver Portal 7.3. With this configuration, can Windows users log on to the SAP Portal without typing their password again? Do I have to set up Kerberos, also?

If you have some guides, could you send them to me please?

My LDAP will be Windows Active Directory. Also, if I choose read-only, does that mean that the Portal will only read users from AD (including new users created after configuration)?

Regards,

Andy

SAML2 SSO to EP through web dispatcher


Hi all,

 

As far as I know, HTTPS is necessary for both the IdP and SP services for SAML interaction.

 

In my infrastructure, I have Web Dispatcher + Enterprise Portal (7.3). HTTPS will go to the Web Dispatcher and be terminated on it. The Web Dispatcher will call the backend EP via HTTP.

 

So is it possible to use EP as a SAML SP?

Kerberos/GSS API changed from RHEL to RHEL6?


Hello Experts,

 

For our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel; it works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works (I get a TGT, klist shows me the correct credentials, etc.), but the ABAP stack no longer authenticates via SSO. All I get is a funny error popup "SAP System Message: S".

 

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

 

The entry in dev_wx for the logon attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

 

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

 

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

 

Any info is much appreciated.

 

Andreas Niewerth
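
Both SNC threads on this page (the "SNC does not work on additional application servers" post and this RHEL6 one) come down to reading the same few dev_w trace lines: which Snc* function failed, with which SNCERR code, what the GSS-API major status says, and which parameters SncInit() reported. The script below is an added example, not SAP code, that pulls those out of a trace and labels the failure point; its two sample inputs are the trace lines copied from the posts above, nothing is executed against a system, and no fix is implied. The distinction it draws is the one the traces themselves make: SncPAcquireCred failing inside SncInit() means the work process could not acquire its own accepting credential for snc/identity/as at startup, under the OS user shown by GetUserName(), so SNC never came up; SncPEstablishContext failing inside SncProcessInput() means the server was up but could not establish the security context for a connecting client.

```python
"""Triage of SNC failures from an SAP work-process trace (dev_w*): find the
first Snc* function that failed, the SNCERR code, the GSS-API status text and
the parameters SncInit() reported, and label the failure point."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

ERROR_RE = re.compile(r"\*\*\* ERROR => (Snc\w+)\(\)==(SNCERR_\w+)")
GSS_RE = re.compile(r"GSS-API\((maj|min)\):\s*(.+?)\s*$")
PARAM_RE = re.compile(r"SncInit\(\):\s+found\s+(snc/[\w/]+)=([^\s,]+)")
USER_RE = re.compile(r'GetUserName\(\)="([^"]+)"')
NAME_RE = re.compile(r'\bname="([^"]+)"')

# Failure point, keyed by the SNC function named in the first *** ERROR line.
STAGE = {
    "SncPAcquireCred": "startup: the work process could not acquire its own "
                       "(accepting) credential for snc/identity/as, so SNC never came up",
    "SncPEstablishContext": "logon: the server was up but could not establish the "
                            "security context for a connecting client",
}


@dataclass
class SncFinding:
    function: Optional[str] = None
    error: Optional[str] = None
    gss_major: Optional[str] = None
    gss_minor: Optional[str] = None
    os_user: Optional[str] = None        # GetUserName(): the account that must read the credential
    acceptor_name: Optional[str] = None  # name="..." from the accepting-credentials message
    params: Dict[str, str] = field(default_factory=dict)

    @property
    def stage(self) -> str:
        return STAGE.get(self.function or "", "unknown SNC failure point")

    def report(self) -> str:
        lines = [f"failed in {self.function} ({self.error}): {self.stage}"]
        if self.gss_major:
            lines.append(f"GSS-API major status: {self.gss_major}")
        if self.gss_minor:
            lines.append(f"GSS-API minor status: {self.gss_minor}")
        if self.os_user:
            lines.append(f"running as OS user {self.os_user}")
        if self.acceptor_name:
            lines.append(f"accepting name {self.acceptor_name}")
        for key in ("snc/gssapi_lib", "snc/identity/as"):
            if key in self.params:
                lines.append(f"{key} = {self.params[key]}")
        return "\n".join(lines)


def triage_snc_trace(lines: Iterable[str]) -> SncFinding:
    f = SncFinding()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := ERROR_RE.search(line):
            if f.function is None:  # the first Snc* error is the root; later ones are consequences
                f.function, f.error = m.group(1), m.group(2)
        elif m := GSS_RE.search(line):
            if m.group(1) == "maj":
                f.gss_major = m.group(2)
            else:
                f.gss_minor = m.group(2)
        elif m := PARAM_RE.search(line):
            f.params[m.group(1)] = m.group(2)
        elif m := USER_RE.search(line):
            f.os_user = m.group(1)
        elif m := NAME_RE.search(line):
            f.acceptor_name = m.group(1)
    return f


# Sample input: trace lines copied from the two posts above (nothing constructed).
STARTUP_TRACE = r"""
N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"
N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll
N  SncInit():  found snc/identity/as=p:CN=<…>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=<….>"
N      FATAL SNCERROR -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]
""".splitlines()

LOGON_TRACE = r"""
N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]
N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("startup", STARTUP_TRACE), ("logon", LOGON_TRACE)):
        print(f"--- {name} ---")
        print(triage_snc_trace(trace).report())
```

For a real trace, feed it the whole dev_w file (open(path) is itself an iterable of lines); only the first Snc* error is kept because the ThSncInit/ThSncIn lines that follow merely repeat it.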
