Channel: SCN : Discussion List - SAP Single Sign-On

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException

Hi,

 

We are in the process of configuring SSO on the BO server with "Windows AD authentication".

Manually we are able to log in, but with SSO we are unable to log in. The Windows authentication window pops up, but when I provide the user ID and password manually, it gives the error mentioned below:

 

 

ERROR

 

Type Status report

 

HTTP Status 500- 

 

message com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException:
Successfully matched service principal "sapbotservicesso@ROOT.LOCAL"
but not key type (18) + KVNO (3) in this entry: Principal: [1]
SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu Jan 01 01:00:00 CET 1970 KVNO: -1 EncType:
23 Key: 16 bytes, fingerprint = [af a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0
74] )

 

 

description The
server encountered an internal error (com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level:
com.dstc.security.kerberos.KerberosException: Successfully matched service
principal "sapbotservicesso@ROOT.LOCAL" but not key type (18) + KVNO
(3) in this entry: Principal: [1] SAPBOTServiceSSO@ROOT.LOCAL TimeStamp: Thu
Jan 01 01:00:00 CET 1970 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [af
a2 4a 14 6a d7 b8 10 ea 16 ab 1c 48 52 d0 74] )) that prevented it from
fulfilling this

 

 

Apache Tomcat 6.0.35

 

If anyone has faced the same problem, please share the solution.

 

Regards

Arpan Saini


SAP EP 7.4 integrated with SAML2 with ADFS


Hello Experts,

 

We would like to connect our SAP EP7.4 to our ADFS IdP.

Could you please give me information on how to do this?

 

regards

Password for the service account created for Windows AD Configuration in BO server


Hi all,

 

We are about to implement Single sign-on feature in our BO Production server (4.0).

I have found the Service account created for Windows AD Configuration in the BO server.

But I am not able to find the password for this Service account. It is not visible in the SIA properties. Is there any way to find out the password for this service account? (This has to be embedded in the Java tab of Tomcat Properties)

I checked with our Client network team, but they don't know about it.

They suggest resetting the password. But I am not sure if it will affect the ongoing Windows AD authentication.

Can anyone please let me know if resetting the password of the Service account will affect any service?

 

Thanks,

Manju

Single Sign On to SAP from 3rd party IdP


Hello Everyone,

I'm looking for some good documentation on how to integrate NetWeaver with 3rd party SAML 2.0 and configure mutual trust.

The idea is to make NetWeaver accept SAML artifacts from a 3rd party solution.

Can anyone point me to some good lecture?

Generate CSR in SAP SSO 2.0


Hi,

 

We are working on a POC for SAP SSO 2.0

I need to know whether the Secure Login Server can generate a Certificate Signing Request (.CSR).

 

I am aware of its capability to sign certificates.

I am looking at options for SAP SSO 2.0 to generate Certificate Signing Request (.CSRs)

 

Please note: I am aware that the Secure Login Client is capable of connecting to the Secure Login Server and generating an X.509 Certificate.

I am looking at options where I am not going to install the Client.

Consider it somewhat similar to SAP Passports used at https://service.sap.com

 

 

Regards,

Ashish .A. Poojary

No user exists with SNC name


Hi,

We have configured SSO with Kerberos. While trying to log in, we are getting the error below:

 

snc.png

 

Please advise.

 

 

Regards,

Sam

SNC Encryption using X.509 certificates without Single Sign-On


Hi Experts,

 

Got a question today for you to keep you busy.

 

Is it possible to have X.509 based SNC but without Single Sign-On? This scenario is currently requested by one of my customers who has some external users accessing their SAP system, but this needs to be encrypted. The SAP system is already configured with NW SSO 2.0 for SNC (only Certificate based) and the other side also has client authentication certificates available. The appropriate bi-directional trust to the Root certificates is also done.

 

We would like to avoid an SNC-Name user mapping for those external users but want to have SNC encryption. We also don't want to install SNC Client Encryption.

 

Is there a way to provide the normal SAP Logon user experience (login with SAP userID and password) but have only the Encryption? I don't mean the "SNC without Single Sign-On" context menu which a user has to explicitly choose.

 

Please let me know, thanks a lot.

 

Regards,

Carsten

Minimum supported NW/ECC release (SNC)


Hi SAP PM,

 

I have a customer who would like to set up SAP SSO for his older SAP landscape. Can you please let me know if the following ECC versions are supported by the SAP CommonCryptoLib/SecureLoginLibrary:

  • ECC 6.00 (ERP)
  • ECC 6.03 (ERP)
  • ECC 6.06 (HCM)
  • ECC 6.17 (ERP)

 

The SAP SSO PAM says 4.6c, 6.20, 6.40 and 7.x+. Just want to make sure, if this was ever tested or is anyhow supported by SAP.

 

Thanks for your answer.

 

Regards,

Carsten


SSO for success factor using SAML2.0 error


Hi,

I am trying to configure SSO for SuccessFactors using SAML 2.0.

 

Our Portal version is 7.3 and I have done all the required settings for SAML2.0 .

 

I have created a URL iView as required in the portal, but when I launch it, it gives me the error shown in the screenshot below:

error.PNG

Also the HTTP Trace is attached for the same

HTTP trace.png

 

Please share the solution if anyone has come across this and resolved it.

Thanks in advance !!!

 

Regards,

Benita

Single sign on using windows user id to SAP Enterprise portal (with different user id)


We would like to do single sign-on between a Windows user ID and SAP Enterprise Portal (with a different user ID). Is that possible using standard SAP, or do we have to use third party tools to achieve the same? If the above is not possible, we could potentially use the same user IDs on portal / Windows (but our backend SAP systems will have different user IDs).

 

We are on enterprise portal version 7.01 SP11.

Connection with SNC not working (SSO 2.0)


Dear Community,

 

We've been working for many years with SSO on ABAP working fine using library gx64krb5.dll.

Since we upgraded to EHP7 for SAP ERP 6.0 (Stack 04), we would like to take the opportunity to also connect with SSO on ABAP web and JAVA.

I have followed the implementation for SPNEGO on the ABAP side on our sandbox as described in the videos at http://scn.sap.com/docs/DOC-40178, but with only half success.

The good news is that the ABAP stack starts well, no shouting.

So we went from

snc/gssapi_lib = $(DIR_EXECUTABLE)\gx64krb5.dll

snc/identity/as = p:SAPServiceSBX@MYCOMPANY.NET

to

snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

snc/identity/as = p:SAPServiceSBX

(I replaced my company name with MYCOMPANY.NET)

 

The SAP GUI can connect without SNC

The bad news is that the SAP GUI does connect in SNC. The SNC filled up my previous connections automatically with p:CN=SAPServiceSBX.

But I am getting the following error message attached.

Can somebody help, please?

SSO between SAP NWBC and Successfactors


Hi All,

 

The customer wants to configure SSO between SAP HCM and SuccessFactors. The client doesn't have NetWeaver Portal; ESS is in the NWBC HTML client. Can anyone help me with the process to configure SSO between HCM NWBC and SuccessFactors?

I have gone through the documents on SCN, but all are referring to NetWeaver Portal and SuccessFactors. I was not able to find info on NWBC and SF integration. It would be a great help if you can provide the process.

 

Regards,

Chandra

configure SAP Screen Personas for SSO


Hi All,

 

Problems:

We have SAP Screen Personas, a UI product based on WebGui (ITS), installed on our internal box.

Presently, we have to enter a username and password every time we open SAP Screen Personas, and since there will be another logon at the backend, the username and password have to be entered again.

Requirements:

We hope that, instead of entering a username and password, we could log on using the SAP security logon client and use SSO for later logons.

 

 

The present landscape:

We have a NetWeaver ABAP server 7.41 installed (no Java),

no HTTPS connections activated,

no other security settings made till now.

 

 

Could you please tell me a configuration path to meet our requirements?

 

thanks,

Torren

Assistance with SingleSignOn for BusinessObjects BI Platform 4.0



I am working on setting up SSO for BO4.0 in the following environment:

Windows 2008 Server

Apache Tomcat 7.0

BusinessObjects BI Platform 4.0

 

The instructions from http://scn.sap.com/docs-DOC-26314 have been followed along with the instructions at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4 AND Steve Fredell's document referenced at http://alteksolutions.com/sp/index.php/2012/02/active-directory-andsso-bi4/.

 

I receive an error when testing the manual logon to the BI Launchpad (step 8 on the first two documents, section 6 of the S. Fredell document).  When trying to navigate to the BI Launchpad, the logon page displays but it automatically displays the error:

 

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again.  If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006).

 

And, I do not get a 'commit succeeded' entry in the tomcat7-stdout log.  Instead, I get:

 

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username:  @ABC.ABC
[Krb5LoginModule] authentication failed Generic error (description in e-text) (60)

 

(NOTE:  ABC.ABC is in place of the actual domain info.)

 

However, it will allow me to manually type in my AD credentials.  Once I do this, even though I got the FWM 0006 error, then I get the 'commit succeeded' entry in the tomcat7-stdout log file.

 

I have also tried continuing on with the instruction with step 9, however, I continue to get the FWM 00006 error on the BI Launchpad logon screen and I do not get the 'credentials obtained' in the stdout log file.  At this point after implementing the items in step 9, since the Tomcat (java tab) now knows the service account password, it should log me on automatically and it does not.  I can't help but think it is related back to the FWM 00006 error.

 

I, along with coworkers, have checked the syntax of the krb5.ini, bscLogin.conf, and global.properties files and all are good.  The SPNs on the AD service account also appear to be good.

Any suggestions or recommendations?  I'm under a time crunch, so if I can't get this working, I may be looking at a SiteMinder solution for SSO in BO.

 

Thanks!

How to default a trusted SAML 2.0 identity provider


Is there a way to default a trusted SAML 2.0 identity provider so that users are not presented with the initial screen where they are forced to choose a (the only) provider and click continue?


Steps required to change password of SPN account supporting NW SSO Client solution?



Hello Experts,

We are using SAP NetWeaver Single Sign-On to enable SAP GUI SSO.  Our configuration uses Kerberos integration (SAP GUI for Window, Secure network communications - SNC).

 

I've been asked to change the password of the Kerberos service account as part of a yearly security task, but it is not clear what steps are needed to ensure Kerberos authentication is not interrupted.

 

Certainly I can change the pwd for the SPN account in Windows but I am not clear on what steps need to be taken on the SAP side to maintain the Kerberos authentication.  From what I have read, a new keytab needs to be created but how exactly is this done?  I also read there is a command line utility SAPGENPSE that is used to generate PSE file and Kerberos keytab when initially configuring the setup.  Would this be used again to generate a new keytab file?  Is there any other method that can be accessed from SAPGUI instead of a command line utility program?

 

Would very much appreciate your help to get a clear picture of the steps required to successfully update the SPN account password.

 

Regards,

Stephen Brewer

HANA to ECC SSO Configuration


Hi Experts,

 

We have a SAP HANA XS Application which has a drill down link to an ECC Web Application. When this link is clicked the User is prompted for the Login Screen by the ECC System.

 

The requirement is to have SSO configured for this ECC System such that if the user is coming from HANA XS Application, then the user should be automatically logged in with the required user into the ECC system.

 

Is there a way that this can be achieved?

 

--

Thanks and Regards,

Shreepad Patil

Single Sign-On Not Working


Today I updated my GUI installation from GUI730 to GUI740 with NWBC5.0, and afterwards SSO is not working anymore.

Is there another update that I need to make in order for this functionality to work?

 

Thanks in advance.

How to replace X509 by SAML2



Hello,

As of today we are connecting to a CRM 7.0 system using an X509 certificate and, assuming all is done properly, the user can log in without having to enter any credentials.

In the near future we want to basically replace X509 with a SAML2 authentication process.

In order to achieve this we have configured a trusted provider (type Identity provider) in SAML2 tcode.

 

 

 

It seems to work fine for the SAML2 process (a colleague traced the process) BUT the user is still getting a prompt to confirm usage of the X509 certificate.

 

In addition, if the user doesn't want to use the certificate (= clicks "Cancel"), then a long chain of Windows security popups starts:

the server ... at SAP NetWeaver Application Server [...] requires a username and password

At the end of that long chain of Windows security popups, the SAP CRM NetWeaver Web AS logon page opens.

 

I tried to play with CRM_LOGON Service config but no effect.

 

What is missing between SAML2, which seems to return the token, and CRM NetWeaver, which is not able to get it (and thus is prompting for credentials)?

 

thanks for your help

 

SAP SSO does not work for Remote systems accessing with Windows AD


Dear All,

I have a problem with SSO accessing the remote systems defined following the instructions of those blogs

http://scn.sap.com/community/netweaver-business-client/blog/2014/02/24/simplify-secure-data-access-nwbc-meets-single-sign-on

http://scn.sap.com/docs/DOC-52929.

 

 

The SSO works perfectly with SPNEGO and the user can connect to NWBC without user and password. But once he is in the role containing the transaction of the remote system, it prompts for username and password.

The same scenario tested logging normally at the beginning in NWBC with username and password works perfectly.

Just to give you a complete overview of the scenario

ERP issuing the ticket and with SPNEGO active is ERP 6.0 EHP6

The ERP receiving the ticket is an ERP 6.0 EHP4 where SPNEGO cannot be activated due to the low release. We tried to implement SNC in order to have the same canonical name in SU01 for both users, but with no success.

Both systems are trusted with SMT1 / SMT2. The RFCs created are one for normal GUI and one with the same name but with the suffix _HTTP.

Any suggestions?

Has anyone had the same symptom?
