Login testing the service WebGUI
1. SICF->Default_Host->sap->bc->gui->sap->its->webgui – test the service
I get a prompt first for the AD user ID and password, and then for the SAP user ID and password.
2. The same thing happens with NWBC and BW-Portal login - it prompts for the AD ID and then the SAP ID and password.
Whereas ABAP SSO works perfectly.
Here are my configuration steps.
- Our OS: Windows Server 2012
- DB: MSSQL 2012
- AD: Microsoft Active Directory
- SAP NW7.4 with SPS5
- SAP Installation – Central System
- SSO product- SAP NW SSO2.0 SP03
- SID – SB1, SE1 ….
- DOMAIN: MYCOMPANYNAME.COM (just an example, not the real name)
NWSSO Configuration Steps.
1. Service user in the MS AD for AS-ABAP or AS-JAVA/Portal with the following information
• User ID: SAPService<SID> (existing individual <SID> service user ID)
• Set "User cannot change password"
• Set "Password never expires"
2. Created SPN for this Service User
• For ABAP -SAP/SAPService<SID>
• Web (HTTP/ Hostname for ABAP apps server)
3. Installed Secure Login Library on SAP Server
• Created a folder named (SLL) in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)
• Verified SLLibrary: (Version - 8.4.18.0)
(Starting with NW7.4 the sapcrypto library is delivered; check that the version is the same in the SLL directory and in the kernel directory.)
4. Define the following SNC parameters using RZ10
snc/identity/as = p:CN=SAPServiceSB1@mycompany.com
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/permit_insecure_start = 1
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/force_login_screen = 0
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
5. Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified
#sapgenpse seclogin -l -v
6. Configured Credential file and verified
7. Installed Secure Login Client and defined the SNC name as p:CN=SAPServiceSB1@mycompany.com
8. Configure User Mapping in SAP AS ABAP – SNC name – p:CN=<USERID>@MYCOMPANY.COM
9. Restarted the SAP server and my ABAP SSO is working perfectly.
10. SPNEGO Configuration:
a. Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO
b. Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.
For WebGUI, all the required services are activated and published via SICF, also per http://scn.sap.com/docs/DOC-29485
Created SAP Message and SAP also confirmed all your setting looks and Kerberos being case sensitive, but since my ABAP SSO is working, that possibility is also ruled out.
Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get the WebGUI or NWBC resolved, which use the SPNEGO configuration.
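
The post mentions Kerberos case sensitivity and spells the realm both as mycompany.com (step 4) and MYCOMPANY.COM (steps 8 and 10b). The following is an added example, not part of the original post or of any SAP tooling: it parses profile values in the form listed in step 4 and reports realm spelling differences, diverging SNC/SPNEGO library paths, and snc/accept_insecure_* switches set to 1. The function names and finding labels are hypothetical, and the sample input is constructed from the values shown in the post.

```python
# Constructed sample: profile values as listed in step 4 of the post.
PROFILE = r"""
snc/identity/as = p:CN=SAPServiceSB1@mycompany.com
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
"""
# Names taken from steps 8 and 10b of the post.
PRINCIPALS = ["SAPServiceSB1@MYCOMPANY.COM", "p:CN=<USERID>@MYCOMPANY.COM"]

def parse_profile(text):
    """Parse 'name = value' lines into a dict, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # split on the first '=' only
        params[name.strip()] = value.strip()
    return params

def realm_of(name):
    """Return the part after the last '@' of an SNC or Kerberos name, or None."""
    return name.rsplit("@", 1)[1] if "@" in name else None

def audit(params, principals):
    """Return a list of (label, detail) findings; labels are hypothetical."""
    findings = []
    # Realms that differ only in letter case across the configured names.
    realms = {realm_of(params.get("snc/identity/as", ""))}
    realms |= {realm_of(p) for p in principals}
    realms.discard(None)
    if len(realms) > 1 and len({r.lower() for r in realms}) == 1:
        findings.append(("realm-case", sorted(realms)))
    # SNC and SPNEGO pointing at different library files (the post uses one).
    libs = {params.get("snc/gssapi_lib"), params.get("spnego/krbspnego_lib")}
    if len(libs) > 1:
        findings.append(("lib-mismatch", sorted(map(str, libs))))
    # accept_insecure_* = 1 lets clients connect without SNC protection.
    insecure = sorted(k for k, v in params.items()
                      if k.startswith("snc/accept_insecure_") and v == "1")
    if insecure:
        findings.append(("insecure-accepted", insecure))
    return findings
```

The check compares spellings only; it does not query the keytab, the PSE or Active Directory.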