Channel: SCN : Discussion List - SAP Single Sign-On

SSO2.0 SP4 Kerberos token - different domain setup issue



Hello,

 

We are trying to set up SAPGUI SSO using SAP NetWeaver SSO2.0 SP4 based on Kerberos tokens. Our SAP system is hosted in a cloud and we have created a service user SL-ABAP-ED1 in the domain "abc.xyz.domainA.com". The SPN has also been registered and can be viewed as SAP/SL-ABAP-ED1. Our users are trying to log in to SAPGUI installed on a Win 2012R2 terminal server. We have installed Secure Login Client 2.0 SP4 on the terminal server. For the end user, we can see the Kerberos token in the Secure Login Client profiles as firstname.lastname@domainB.org. There is no domain trust between domain.com and domainB.org, as we have been told that when using SSO2, trust is not required between different domains.

 

On the server, the keytab has been created:

    Version  Time stamp                 KeyType   Kerberos name

          1  Wed Nov 26 17:14:47 2014   DES       SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES128    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES256    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   RC4       SL-ABAP-ED1@abc.xyz.domainA.com

 

 

T:\usr\sap\ED1\DVEBMGS00\SLL>sapgenpse seclogin -l -O domainA\SAPServiceED1
running seclogin with USER="ed1adm"
listing credentials for user "domain\SAPServiceED1" ...

0 (LPS:OFF):
         (LPS:OFF): T:\usr\sap\ED1\DVEBMGS00\Sec\SAPSNCSKERB.pse


1 readable SSO-Credentials available

 

 

In the profiles, we have the parameter snc/identity/as = p:CN=SL-ABAP-ED1

In the SAPGUI, we have enabled SNC option and SNC name is p:CN=SL-ABAP-ED1@abc.xyz.domainA.com. Here, we have tried all different combinations - p:CN=SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1; p:CN=SAP/SL-ABAP-ED1@abc.xyz.domainA.com. None of them work.

 

Every time we get the same error message

 

"GSS-API(mai): No credentials were supplied. Unable to establish the security context target= "p:CN=SL-ABAP-ED1" Error in SNC

 

In the Secure login client trace files, we see the following errors

 

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error

[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)

[2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005

 

 

In another trace file, we have following messages

 

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0

[2014.11.26 20:16:07.379000][INFO ][saplogon.exe        ][GSS         ][  4164] Cli-40000000: No own key found

[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket

[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Cli-40000000: --> Msg ClientHello         create  failed : errval=70000, minor_status=0

 

 

Can someone provide any information as to what is missing?

 

 

 

Thanks & regards,

Sid
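
Added example (not part of the original post): a small Python reader for the Secure Login Client trace format quoted above. It groups the per-algorithm Kerberos ticket failures and reports whether they vary by key type and whether the client and service principals sit in different realms. The function and field names are hypothetical, the line layout is assumed from the lines in the post, and the algorithm names are the standard Kerberos encryption type numbers.

```python
import re

# Standard Kerberos encryption type numbers, as printed after "algorithm".
ETYPES = {3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1",
          18: "AES256-CTS-HMAC-SHA1", 23: "RC4-HMAC"}
# Assumed layout: [timestamp][level][process][component][thread] message
PREFIX = re.compile(r"^\[[^\]]+\]\[[^\]]+\]\[[^\]]+\]\[(?P<comp>[^\]]+)\]\[\s*\d+\]\s?(?P<msg>.*)$")
ATTEMPT = re.compile(r"Getting kerberos ticket for '([^']+)' with algorithm\s+(\d+) returned error")
STATUS = re.compile(r"^\s*\d+/([0-9A-Fa-f]{8})\s+.+$")
FINAL = re.compile(r"Getting kerberos ticket for '([^']+)' failed \(user name is ([^)]+)\)")

# Sample input: trace lines taken from the post above (subset).
SAMPLE = """\
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
"""

def realm(principal):
    """Return the lower-cased realm part of user@REALM, or '' if absent."""
    return principal.rsplit("@", 1)[-1].lower() if "@" in principal else ""

def summarize(trace_text):
    attempts, pending, result = [], None, {}
    for line in trace_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m or m["comp"].strip() != "Kerberos":
            continue  # only the Kerberos component is of interest here
        msg = m["msg"]
        if a := ATTEMPT.search(msg):
            pending = {"etype": ETYPES.get(int(a[2]), a[2]), "status": None}
            attempts.append(pending)
        elif (s := STATUS.match(msg)) and pending:
            pending["status"] = s[1].upper()  # status code logged for that attempt
            pending = None
        elif f := FINAL.search(msg):
            result = {"target_realm": realm(f[1]), "user_realm": realm(f[2])}
    codes = {a["status"] for a in attempts}
    result["attempts"] = attempts
    # One identical status for every key type: the failure does not depend on the enctype.
    result["enctype_independent"] = len(attempts) > 1 and len(codes) == 1
    result["cross_realm"] = result.get("target_realm") != result.get("user_realm")
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
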


"GSS-API(maj): No credential were supplied"


Hi all,

 

 

We are making a proof of concept on SSO on ABAP (SAP-GUI + web) via SAP Secure Login Client and SPNEGO for ABAP.

All YouTube-video configurations have been performed. You know: Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube (and so on).

 

 

When I try to log on via SAP-GUI I get a: "GSS-API(maj): No credential were supplied Unable to establish the security context target="p:CN=SL-service-user@xyz.com"

 

 

The SNCAX_TEST program works fine on the above service-user (defined in SPNEGO).

Service-user defined in SAP-GUI (SNC)

The end user in SU01 has been updated on SNC with the token name from the SAP Secure Login Client

 

Method: SncPEstablishContext

System call gss_init_sec_context

 

I have looked into SAP notes (error codes etc.) + googling this and other communities without luck.

 

All your input/help is very welcome.

 

Thanks in advance

Peter

Unable to Start Up ABAP Instance due to snc/enable=1


Hi All,

 

I'm having an issue starting my ABAP instance due to a tryout of SSO.

The error is as such:

ERROR SSO.JPG

 

How do I configure this credential SAPKerberosABC in my ABAP instance?

My environment is ECC6 EHP7; the steps that I have done are as such:

1. Copied gx64krb5.dll to the system32 folder (note 353395)

2. Created a username in my AD and accept Kerberos, e.g. SAPKerberosABC

3. Set the profile

 

snc/enable = 1

snc/gssapi_lib = c:\Windows\System32\gx64krb5.dll

 

Now I need to manually disable snc/enable from the work directory in order for me to start up the ABAP instance.

Any clue on how to configure SSO?

Thank you,

Regards,

Ura

Is it possible to use SSO between web browser and ABAP without SSO 1 and sso 2 installed


Hello, is it possible to use any of the SSO methods between a web browser from a desktop or Android mobile device and ABAP without the products SSO 1 and SSO 2 installed?

SSO for Personas embedded in Oracle WebCenter Portal


Hello All,

 

We have a requirement to implement the SSO (single sign-on) for Personas 2 for NW 7.4 AS-ABAP ECC 6 EhP 7. (abap stack only)

The Personas will be embedded as a link in the Portal [oracle webcenter portal].

The end user firstly logs in to the oracle webcenter portal with user credentials which are maintained by Oracle IDAM (oracle identity and access manager) which provides user authentication. User ids will be same across Oracle Portal, Oracle IDAM, and SAP ECC ABAP.

 

I have gone through several threads in the SCN forums, but was not able to get a sense of the approach discussed anywhere.

Personas 2.0 by default tries to authenticate using X.509 certificates if present in the system.

Also we can set up web SSO using SAML.

What should be the ideal approach for my above problem statement? Please let me know.

Do we have any setup guide in SMP for this?

 

BR,

shyam

SSO based on Kerberos Token


Hi All,

 

I have configured an ABAP system to re-use my Windows authentication.

My system is starting fine but SAPGUI is giving me the following issue:

 

Screen Shot 2014-11-30 at 23.02.24.png

Any clues?

 

Thanks very much.

 

Regards,

Ridouan

SSL enabling for Portal system.


Hi Gurus,

The SAP AS Java server has to be configured for SSL, so what steps do I need to execute?

The method I am using for configuration of SSL is "By using the SSL configuration tool in the SAP NetWeaver Administrator."

Using the above method I am trying to configure the step "Adding New SSL Access Points".

The first step in adding the SSL Access Point is to select the instance in which we need SSL to be configured (i.e. the AS Java system in this case).

When I try to configure the SSL connection I get SSN errors; please find the attachment for the error screenshot.


Please help me out in solving the errors and configuring SSL for Portal System.


error.png

SAP GUI to Authenticate with LDAP without SSO License?


Hi All,

 

I would like to ask is there an alternative way to configure SAP GUI to authenticate with our LDAP (MS AD) via SNC without NW SSO license?

I have done some reading on note 793191 and 603208, it seems not possible for it.

 

Is there any free Kerberos SNC library for SAP systems on Windows just to achieve SAP GUI SSO?

 

 

Thank you,

 

Regards,

Ura


Secure Login Client does not bring SL Server Certificate


Hello,

 

We want to implement NW Single Sign-On for our SAP systems. We have done the implementations as follows; (with the help of Implementation Guide and http://scn.sap.com/docs/DOC-40179 Implementing Single Sign-On with X.509 Certificates)

 

Secure Login Server

  • We installed NW 7.4 and Secure Login Server 2.0 SP4
  • Configured UME for MS AD
  • Initialized the Secure Login Server
  • Activated SSL
  • Activated SPNEGO
  • Configured Apache Reverse Proxy

 

Secure Login Client

  • Imported Root CA to client
  • Applied Policy Registry files (ProfileDownloadPolicy_xxx.reg)
  • Installed SL Client
  • Inserted “ShowUserPoliciesPage” with the value 1 in the registry path

 

System Info is as follows;

SL Server FQDN          : mycmnwsso.mycmp.com.tr

SPNEGO User              : SL-JAVA-SSO (SPNs: HTTP/mycmnwsso.mycmp.com.tr, HTTP/sso.mycmp.com

SLA Console URL        : https://sso.mycmp.com/slac           

Enroll URL                    : https://sso.mycmp.com:443/SecureLoginServer/slc/getProfiles?grouppolicy...

 

I log in to one of the clients with a domain user. I do not see the SL Server Root Certificate on the SL Client. I opened the trace. There is a “[2014.12.03 17:08:50.754000][WARN ][sbus.exe            ][LOADER      ][ 6300] ERROR(0xA0800200) in sec_get_SEC_DLL: Failed to load library sbusslogin” error.

Why can I not get the SL Certificate on the SL Client?

Although I entered the ShowUserPoliciesPage registry entry, I cannot see the Profile tab page in the SL Client Tool?

 

Any recommendation about the issue?

 

Can you help, please?

 

Thanks and Regards,

Yuksel AKCINAR

SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

The question is what the best way forward is, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of the /nwbc page instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf

Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

SAP SSO using Kerberos constrained delegation


We are getting the SSO error: Miscellaneous failure GSS-API(min) Kerberos SSPI not usable with this User-account Stop! initial call to gss_indicate_mechs() failed Time.

 

We have mapped our sap service user to the spn and when we select the option in AD to delegate authority to any application it works but when we select delegation to particular spn it gives above error.

 

Anyone suggest?

Secure Login Server and SSL Certificates


Dear All,

 

I am trying to use an SSL certificate created in Secure Login Server (SSO 2.0) for an ABAP system.

I have exported the certificate as a PSE file and imported the certificate into the Server SSL node.

 

I noticed that the issuer will be removed as soon as I save the certificate into the SSL node.

I have done the same in an AS Java system and here all worked fine.

 

I know I need a third party PKI but can this not be achieved by the SSO 2.0 product?

 

Regards,

Ridouan

SAP GUI SSO with MSADS


Hi,

We have ECC 6.0 on NW 7.31 on a Linux platform. End users use Windows 7 and SAP Gui to log in to ECC. At present users log into their desktops and then again log in to SAP through the GUI using their respective passwords.

I am looking for some solution to configure SSO on SAP Gui with MSADS, so that once the user logs on to the desktop, he does not have to re-authenticate on SAP Gui to connect to ECC. I want a solution where we don't have to install any tool/library on the user desktop and there is a minimal footprint on user machines.

I heard that NW 7.31 SP-15, SAP Gui can have SSO with MSADS using SPNEGO etc.

Please suggest some solution.

 

Thanks

Vik

(Kerberos Authentication) Windows AD id and SAP GUI id's are different


Hi All,

 

We are planning to implement Kerberos authentication using our Windows AD. I have the below queries regarding the same.

1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31. Will this support Kerberos authentication?

2. If it is supported: we have different user IDs in Windows AD and ECC for the same user. Will this be supported? (For example, in Windows AD we have SSOTEST, and the same user has TESTSSO in ERP.)

3. Does Kerberos authentication require a separate license?

 

If possible provide links for the same.

 

Regards,

Sree

SAP GUI authentication through MSAD (LDAP)


Hi,

How do I achieve user authentication on SAP Gui through MSAD (LDAP)? Please note, I do not want Single Sign On (SSO). I want the following:

1. User logs in to the Windows 7/MAC desktop, authenticated from the Microsoft Active Directory account

2. User opens the SAP Gui client and logs on to the ECC instance once again using the user ID/password of the corporate Active Directory.

I do not want SSO where the user clicks on the SAP Gui connection and it automatically connects to the instance without asking for user credentials.

Please let me know how I could achieve this.

 

 

Thanks

Vik


Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0


We are trying to use SAP.NET NCo 3.0 to implement single sign on from .net application to SAP System. In the configuration set up method we are fetching user name and password along with other configuration information from configuration file. E.g. -

 

    RfcConfigParameters rfcConfig = new RfcConfigParameters();
    rfcConfig.Add(RfcConfigParameters.User, ConfigurationSettings.AppSettings["SAP_USRNAME"]);
    rfcConfig.Add(RfcConfigParameters.Password, ConfigurationSettings.AppSettings["SAP_PWD"]);
    rfcConfig.Add(RfcConfigParameters.Client, ConfigurationSettings.AppSettings["SAP_CLIENT"]);

......and so on for other parameters

 

We are looking for a way that we can implement SSO with Windows authentication where there will be NO need to pass user ID and password explicitly. We also have the SNC configuration and other required files available with us.

Any relevant code snippet or pointer addressing this will be of great help.

 

Thanks in advance

A221021F Server refuses certificate based key exchange.


Dear All,

 

We have implemented SSO, and almost every user is connected without problem. Only 3 users are getting the below error when logging in.

1.png2.png

 

Can you please let me know what the problem would be and how to solve the issue?

 

Regards,

Phani

SAP Netweaver SSO 2.0 - keytab lifetime


Hi,

 

just a short question.

 

Do we need to update the keytab file ( SAPSNCSKERB.pse ) with ( crontab )

 

../SLL/sapgenpse keytab -p SAPSNCSKERB.pse -a USER@DOMAIN.ORG -nopsegen -y " "

 

like we have to do it in the old SNC connection method ( kinit -k planned in the crontab ) ? or is it enough to build the pse one time.

 

 

Are there tickets that will expire ?

 

 

 

sapgenpse keytab -p SAPSNCSKERB.pse -nopsegen

 

#############################################################################

License Disclaimer SAP NetWeaver Single Sign-On

You are about to configure trust for single sign-on or SNC Client Encryption.

Please note that for single sign-on you require a license for

SAP NetWeaver Single Sign-On.

As exception, the usage of SNC Client Encryption only without SSO is free

as described in SAP Note 1643878.

#############################################################################

 

keytab: Found keyTab entries in PSE.

keytab: KeyTab content stored:

 

    Version  Time stamp                 KeyType   Kerberos name

 

          1  Fri Dec 12 09:43:16 2014   DES       USER@DOMAIN.ORG

          1  Fri Dec 12 09:43:16 2014   AES128    USER@DOMAIN.ORG

          1  Fri Dec 12 09:43:16 2014   AES256    USER@DOMAIN.ORG

          1  Fri Dec 12 09:43:16 2014   RC4       USER@DOMAIN.ORG

 

 

greetings

 

Oliver

Getting error when connecting SAP from WCF service "Kerberos SSPI not usable with this User account"

PI Java only 7.4 SSO to Solman 7.1 for CTS browser


In PI 7.4 Java only - via ESR -> open CTS transport browser I receive the logon popup for our Solman system (for charm). I am trying to implement SSO.

 

I have exported the SAPLogonTicketKeypair-cert (from PI NWA Keystorage) and imported in Solman (7.1 SP11) client 000. I have exported the Solman x.509 crt and imported into PI Ticketkeystore.

 

I still get the popup to supply login details. My id exists in both systems.

 

Has anyone done and can share details? Not sure what I missed. ..thanks in advance.
