Channel: SCN : Popular Discussions - SAP Single Sign-On

SNC name for sub domain users


Hi Experts,

 

We'd like to use SAPGUI SSO with Kerberos.

ERP is installed under AD root domain (ROOT.COM) in the forest.

Users belong to AD sub domain (SUBDOM.COM) in the same forest.

 

ERP is installed under ROOT.COM, service user is SAPService<SID>@ROOT.COM.

SNC name in user profile (SU01) is p:testuser@SUBDOM.COM

SAP Logon entry for SSO has SNC name, p:SAPService<SID>@ROOT.COM.

 

Then the user tries to log on via the entry for SSO and gets the error message "No user exists with SNC name "p:testuser@SUBDOM.COM"".

I guess user's SNC name should be changed but I couldn't find what should be changed.

 

Kindly advise what setting is missing in our environment.

 

best regards,

Megumi


SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas

Fully Qualified Domain Name for SSO


Dear Experts,

 

I had requested basis to configure Fully Qualified Domain Name (FQDN) for SSO Transaction iView.

 

The steps found to configure it:

 

3 SSO.PNG

 

However, in RZ10 default parameter we got error saying parameter name SAPFQDN is not known.

 

3 SSO-2.PNG

 

Any idea? I cannot find any other information regarding this SAPFQDN elsewhere.

 

Please assist. Thanks in advance.

Smart card sso using Netweaver SSO


Hello,

The NetWeaver SSO document says that we can use a smart card in order to sign on to SAP based systems. Unfortunately, I could not find any document about configuration. I wonder whether we can use a smart card or not?

Our users have their own smart card. They enter their PIN when they put the smart card into its slot.

What we want to do is ask for the user's PIN code; when the user enters his PIN code correctly, we let the user log in to the system (SSO).

Is it possible to use netweaver-sso ?

Thank you.

Secure Login Client X.509 causing Internet Explorer to crash


Hi Community

 

Have any SAP NW SSO members had this issue?:

 

We have installed SAP NW SSO Secure Login X.509 Based Solution according to the Best Practice Guide and it is working fine.

 

However we rolled out the Secure Login Client to +4000 client computers and as soon as we did, we had hundreds of users reporting that 80% of the time that they run Internet Explorer it crashed stating:

 

 

Internet Explorer has stopped working

 

Windows can check online for a solution to the problem

 

* Check online for a solution and close the program

 

* Close the program

 

 

Looking at the problem in detail:

 

Problem Event Name:      APPCRASH

Application name:           iexplore.exe

Fault Module Name:        ntdll.dll

 

 

If a user chooses to check online for a solution, Internet Explorer recovers the browser tab and continues ok, or the same error happens. This is not a situation we can continue with.

 

This is happening 80% of the time to our users when they run Internet Explorer, and we have analysed the Windows Event Viewer logs to verify this.

 

As soon as we remove the Secure Login Client from the client computers this error does not occur at all - again we can see straight away from analysing the Windows Event Viewer Logs.

 

Currently we have had to remove the Secure Login Client from our +4000 client computers so as to ensure this error does not occur - but this means SAP NW SSO does not work for us (we use SAP NWBC and IE to access SAP ABAP systems).

 

Have any other members experienced this issue?

 

Thanks for your help

 

Mark

SSO between ADFS 2.0 and SAP EP 7.3


Dear All,

 

I need to enable identity provider ADFS2.0  to create users in the service provider  SAP EP 7.3 which is integrated and using SAP R/3 UME.

 

The scenario is we should allow to auto generate users through SSO from ADFS 2.0 to SAP EP 7.3.

 

I configured SAP portal as SAML 2.0 service provider and ADFS 2.0 as Identity Provider.

 

Now SSO is working with same and different User IDs between IdP and SP.

 

Now how do I enable the IdP (ADFS 2.0) to automatically create users in the SP (SAP NW 7.3)?

 

In the SAML 2.0 Configuration Page on NWA, I selected the "Identity Federation" tab and in the "Supported Name ID Formats" table list I added Unspecified Name of Federation type "Persistent Users (Advanced)" and selected the Allow Automatic Creation of Accounts check box and maintained User ID Source as Assertion Subject NameID and User Id Mapping Mode as LogonID. Also I specified Assertion based attributes and Default Roles.

 

 

When I log in to the Service Provider, it redirects me to the Identity Provider. I logged in with the user in the identity provider. It then redirects me to the service provider's application but didn't create the user. It lands on the login page with the warning message, "Your account on identity provider [ADFS 2.0] is not federated with any local account". When I click on the link "New Here? Register Now and Federate Accounts", it creates the account and assigns the user the default roles and user attributes I maintained.

 

How to federate ADFS 2.0 user account with local account in SAP EP 7.3?

 

 

Regards,

Eben Joyson

Unable to launch NWA during EP AS Java 7.31 configuration as a SAML2 Service Provider


Hello SAP experts,

 

I am trying to configure SAP AS Java 7.31 (Enterprise Portal with system ID "SML") as a SAML 2.0 service provider with Ping Federator as an Identity Provider.

 

I have exchanged the metadata files between them.

 

I have made a backend SSO connection between SML and CRM system.

 

In my Assertion Consumer Service  (ACS)  configuration of SML I forgot to type Default Application Path.

 

Now whenever I try to access any portal page, including my NWA page for modifying the SAML2 configuration, it keeps redirecting me to the

 

http://hostname:port/sap/saml2/sp/acs    page not found

 

 

Any help will be appreciated as how to access the SAML2 configuration page.

 

Regards

Basit

NWBC - SSO to ABAP system


Dear Gurus,

 

We have decided to use NWBC 3.0, we would like to connect it to ABAP system.

In SAPGUI we are using SNC for SSO; how do we configure SSO with NWBC to the ABAP system?

What are the options?

 

Please advise,

Dimitry Haritonov


How to create SSO Login for SAP Webgui HTML based on Windows


Experts,

 

Please advise the best process to create SSO Login for SAP Webgui for operating system Windows 2008 R2. Currently using Windows Active Directory or LDAP.

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME)

 

But we have 4 domains in a forest. So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

...I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

 

SAP Netweaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

Question is, what is best way forward, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in we are able to see web page of /nwbc page instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf

Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

SAP Single Sign makes Internet explorer sluggish and slow


Hi Everyone,

 

We have been trying to roll out SAP Single Sign on 2.0 for non-SAP web sites, unfortunately when we tried a small pilot the user feedback was that they would rather not have the SSO functionality.

 

The poor user experience all came down to one problem: performance.

 

After adding SSO 2.0 this adds the IE plugins to handle entering the credentials, unfortunately the speed and responsiveness of IE 10 was unusable, it can add an extra 2-5 seconds depending on the web-sites visited.

 

I have tried this first hand and can replicate the issues, we are running very up to date software and hardware: Win 7 X64, IE10, i7, 8GB RAM, SSD HDD etc, as soon as you disable the SSO add on then web-sites start reacting normally again.

 

A support ticket is open at SAP and we have updated to SP2 however the problem is not going away.

 

Has anybody successfully deployed this aspect of SSO 2.0 and if so please can you share your experiences?

Is there anybody out there who has/is experiencing this slow down after enabling the SSO 2.0 IE add-on? What have/are you doing to address this?

 

many thanks

 

Rob

 


SAP SSO ticket verification problem in 3rd party application


Hi All,

We are a 3rd party vendor trying to implement single sign on with the client's SAP system. Our client has provided us with a SAPSSOEXT archive that contains the library files and a sample program to verify the ticket. The application environment is running on a 64-bit Linux OS. After installing the libraries and compiling the sample C program following the instructions, we are successfully able to decrypt/verify the sample ticket provided as part of the archive.

 

./ssosamp -i ticket.txt -p verify.pse

***********************************************

Output of program:

***********************************************

 

The ticket

 

AjExMDABAAdTQVBVU0VSAgADOTk5AwADRVhUBAAMMjAxMTA5MDcxMDQ2BQAEAAKsYAgAAQEgABFwb3J0YWw6UE9SVEFMVVNFUogAE2Jhc2ljYXV0aGVudGljYXRpb27/AT4wggE6BgkqhkiG9w0BBwKgggErMIIBJwIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYIBBjCCAQICAQEwVzBMMQswCQYDVQQGEwJERTEcMBoGA1UEChMTbXlTQVAuY29tIFdvcmtwbGFjZTERMA8GA1UECxMIU0FQIFRlc3QxDDAKBgNVBAMTA1NZUwIHIBEIJBVVSDAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwOTA3MTA0NjEzWjAjBgkqhkiG9w0BCQQxFgQU4lvc!J0ne0uWJDAlmYY2vGhfkq4wCQYHKoZIzjgEAwQvMC0CFCuCpBG10JDoxYQ/QgqlN!Zc7rxRAhUAiaj46GoR3Ayo2PgJFZlNwg2axL4=

 

was successfully validated.

User     : SAPUSER

Ident of ticket issuing system:

Sysid    : EXT

Client   : 999

External ident of user:

PortalUsr: PORTALUSER

Auth     : basicauthentication

Ticket validity in seconds:

Valid (s): 557661780

Certificate data of issuing system:

Subject  : CN=SYS, OU=SAP Test, O=mySAP.com Workplace, C=DE

Issuer   : CN=SYS, OU=SAP Test, O=mySAP.com Workplace, C=DE

 

 

However when we try a real ticket generated from client's SAP portal, I get the following error message: "The mySAP.com logon ticket couldn't be verified. The standard error code is 20. The SSF error code is 7."

 

I gather from the documentation that it means the private address book could not be loaded from the provided verify.pse file.   The client has confirmed it is the right key. 

 

Can you please help in troubleshooting this issue further?

 

Thanks,
Aravind.

ADFS as Identity Provider for SAP systems


We have a mixed setup of IIS webservers and SAP systems that our users need to access through a browser. We would like to give our desktop users a single sign on experience so that they do not have to log on to SAP systems when they access them through the browser, as they are already accustomed to this on the Microsoft side through the setup of Kerberos. We have found that the best way to implement this scenario is to use the SAP logon ticket as logon mechanism on the SAP side. Basically the users should click on a link which points to the redirect application from SAP note 1250795 which should allow them to log on, and once they are logged on once, should issue a SAP logon ticket.

 

The part mentioned above works flawlessly. We then thought we could give the users an even better experience by allowing them to get authenticated to the system that issues the SAP logon ticket by setting up SAML and using ADFS as an Identity Provider. This can be achieved in various ways but with a lot of help from Desislava Petkova's guide here we managed to set it up, so that it also works very well. End result is that the users click on a link, which points to the SAP logon ticket issuing server, that refers to ADFS for authentication and once authenticated, issues a SAP logon ticket and redirects to the actual link on the requested SAP server. A lot of redirecting takes place behind the scenes, but since the IIS on the ADFS server is set up to use integrated authentication, the Kerberos ticket that the users already have is automatically translated to a SAML assertion, which is accepted on the SAP logon ticket issuing system.

 

For desktop users this works fine. We do however also have a number of users that access SAP from a thin client where the desktop is started with an AD user that has no match in the SAP systems. We would like to have a setup that will make ADFS decide that these particular users will need to use forms login. This does not seem to be trivial to set up, so I would like to know if any of you have a similar use case?

 

Researching a bit with Google, it looks like ADFS may be customized to use an incoming parameter in the HTTP request to decide which type of authentication can be used. I found the following two articles that may support this idea on the ADFS side. The first is this one and the second is this one. Assuming some development could solve the problem on the ADFS side, the only question that remains is whether it is possible by configuration on the SAP side to send a parameter, an authentication context or something similar that could cause ADFS to behave differently for certain users. Would any of you have any suggestions?

 

Very best regards,

Anders

SSO using SAPNEGO with X.509 certificates not working for portal


I have implemented SSO using SPNego and X.509 certificates; it is working fine for the ABAP side (including the Web Dynpro apps on the ABAP side).

As per the videos and the guide for Secure Login Server I have followed all the steps, but still SSO is not working for Portal.

 

I have deployed the Secure Login Server on the same NW 7.3 Java system for which I am trying SSO using X.509 certificates,

 

I have already performed the below steps

 

Go to NWA --> Configuration --> SSL --> Trusted CA's --> imported SLS-ROOT-CA certificate (secure login server root CA) --> later restarted ICM

 

For User Mapping Configuration for WEB Gui and SAP NW Business Client to AS Java:

 

NWA --> Configuration --> Authentication and SSO --> Authentication --> ticket --> added Login module ClientCertLoginModule (FLAG Optional. Moved to 2nd position as well) --> Rule1.getUserForm=Subject Name and Rule1.attributeName=CN

 

 

also

 

As question no. 2: how can I perform the above steps in the NW 7.0 system through Visual Admin?

 

Any help will be appreciated. Let me know if I can provide more information on this,

 

Regards

Sid


CA SiteMinder, Portal and LDAP


Hi,

 

I would like portal users who are logged into the company network to access the portal with no sign-on.

 

To achieve my goal, I think I have a couple of ways of implementation:

 

1. Use CA SiteMinder for user authentication of the portal. Question 1: do I need to have a web server for the SiteMinder web agent in front of the portal? Can the web agent be installed directly on the NW WAS where the portal is installed?

2. Use Integrated Windows authentication on the portal. Question 2: I will definitely need a web server in this case, am I right?

 

Question 3: if I use CA SiteMinder for user authentication in the portal, then which UME (e.g. LDAP, Portal UME, or ABAP UME) is used does not matter, as SiteMinder will handle it via HTTP header, am I right?

 

Question 4: I read the earlier discussions, and it seems there is an issue for the portal admin to log in and do content admin, system admin and user admin if SiteMinder is used. What is the solution for it?

 

Thanks in advance.

snc/sso/smartcard


Hello Experts,

I'm trying to set up an SNC/SSO/SMARTCARD configuration;

At the end I get an error: Error in the Security Network Layer (SNC);

Could you please help me?

 

My environment:

OS = IBM/AIX 64

ORACLE = 9.0.2

SAP R3 = 4.7

 

Below what I did until now:

 

SERVER SIDE SETUP

 

Cryptolib is installed;

 

via STRUST tcode, Key is generated, file CRED_V2 exist;

 

Snc/enable is set to 1;

Snc/identity/as = p:CN=GS1, OU=SAP R3, O=TURBOCARE, C=IT

 

So, SNC seems to be ready, since the SNC tab appears in SU01;

I created a test user (SU01) and I put the address found on my smartcard in the SNC tab;

 

 

CLIENT SIDE SETUP

 

I changed the entry for my develop system GS1 in saplogon

Going in network tab

There I ticked the checkbox to activate snc connection

And assigned the address of SNC/IDENTITY/AS.

 

I installed the Secure Login Client x64.msi with these features and set the variable LIB_SNC:

-SECURITY LOGIN CLIENT COMPONENTS

-SMARTCARD SUPPORT

-LOGGING SERVICE

 

 

TEST LOGON

Now, trying to log on,

The SECURE-LOGIN pop-up appears to choose the credential,

I choose it,

Then it asks for the PIN

 

After that I get the error.

 

 

 

Thanks in advance

And Best regards

Ettore

 

Message was edited by: Ettore Brini

Hi Experts again, additionally I get the following error in the file DEV_W1 of the sap system:

N Mon Jun 18 11:11:25 2012

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): A token had an invalid signature

N        GSS-API(min): Certification path incomplete

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    973]

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    978]

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   9808]

Best regards

Ettore

Kerberos/GSS API changed from RHEL to RHEL6?


Hello Experts,

 

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack no longer authenticates via SSO. All I get is a funny error popup "SAP System Message: S".

 

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

 

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

 

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

 

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

 

Any info is much appreciated.

 

Andreas Niewerth

Multi Factor Authentication support for NW SSO?


Hi Experts,

Is Multi-Factor Authentication (MFA) supported by NW SSO?

  What I've read is that the Secure Login Server has a SecureLoginModule20RADIUS module which can be used to integrate with the RSA Server.

  My query is

  1. Does the RSA token replace the need for a user to enter any passwords while he/she logs on to SAP? or
  2. The user enters his/her user ID and password as usual, and there will be a pop-up for him/her to enter the code from the RSA token?

 

Thanks!

Issue with NW SSO 2.0 install


I am trying to install this product on a test system for the first time. I have installed the Secure Login Library on my app server without issue (my app server is LINUX RHEL 6). I am now trying to configure the app server for Kerberos authentication only and I am at step 3.5.2 of the installation instructions. They are telling me to execute STRUST on my SAP system and to

 

Choose the Change button  (It does not exist on my system)

 

Select the SNC SAPCRYPTOLIB PSE (I do not see this option listed)

 

Can anyone please advise on how to proceed?

 

dennis beausoleil
