Channel: SCN : Discussion List - SAP Single Sign-On

Webgui/SSO issue with SSL authentication with Browser


We are trying to achieve SSO for WEB GUI; we have a working "SPNEGO based single Sign-On using Secure Login Server X.509 Client Certificate" setup in our environment.


And to achieve WebGUI SSO we have executed all the required steps on the backend system.


Now for some reason WEBGUI/SSO is not working because my credentials are not being sent to the browser (the Secure Login Server certificate is not present there; only the Microsoft certificate store is present).


Additionally, the SAPGUI logon, which is working, is using the SAPSSOD SAP CA certificate, but that certificate is not getting reflected in the IE browser.



The solution might be to import the SAPSSOD SAP certificate into your SSL Server PSE in transaction STRUST, but I am not able to find where I can get the SAPSSOD SAP certificate from, and how will I get the certificate reflected in the IE browser certificate list?


Please help, I am stuck; I know the setup is correct but somehow I am not able to get the SSL certificate transferred to the IE browser.


Thanks in advance.

 

 




SAML2 & SLO



Hello,

We recently changed our authentication procedure for our SAP NetWeaver to authenticate users thanks to SAML2 + SAP ID provider.

So far so good, and all is working fine.

The minor issue we're facing is with the logout option.

When the user clicks the [Log Off] button (top right corner of the WebUI) he logs out of the system.

The problem is that if the user re-opens the browser and tries to open the WebUI again, then everything behaves as if the user never logged out.

I mean, unless the user clears his browser cache of all cookies, the IdP logon screen where he normally has to provide credentials is not displayed.

It behaves as if [Log Off] is not deleting the cookies that were created when he initially logged in.

 

Is our expectation wrong?

We would expect that [Log Off] would delete that cookie so the user would not be automatically reauthenticated but would be redirected to the IdP logon screen.

 

If our expectation is correct, then any idea why it's not behaving like this?

 

Please advise.

 

Thanks

RFC Destination SSL handshake failed


Hello,

 

I have an issue with an RFC destination since the certificate was changed (on the server side).

When I press "Connection Test" I get the following message:

 

SSL handshake with evatr.bff-online.de:443 failed

 

We have already uploaded the new certificate in transaction STRUST and still getting the same error.

 

[screenshot: 4.PNG]

 

I have noticed that the algorithm changed from SHA-1 to SHA-256.

Therefore I checked the SAPCRYPTOLIB version:

 

[screenshot: 5.PNG]

 

New enough...

 

Here is the RFC Destination in SM59:

[screenshot: 1.PNG]

SSL is active and the correct list is selected:

[screenshot: 2.PNG]

 

Also HTTPS is enabled in Services in transaction SMICM:

[screenshot: 3.PNG]

 

 

Also, I spoke to the guys from networking and they said that SSLv3 communication isn't blocked and the systems are allowed to connect to the internet. They are sure that the problem is not network related.

 

I have no clue what to do now.

In the attachments you can find an ICM trace from when I tried a "Connection Test".

 

Thanks in advance.

 

Best regards

Dennis

Gateway SSO2 logon ticket cannot be verified by HANA


Dear Expert,

 

I am trying a Single Sign-On configuration using SSO2 logon tickets between the gateway and the HANA DB. As the trust relationship is a one-directional trust from gateway to HANA (only HANA trusts the gateway; the gateway does not need to trust HANA), we have achieved that in our DEV system, but now it does not work in our AT system. We have checked that all necessary configuration is completed on both the gateway side and the HANA side, just as we did in the DEV system.

 

We used the SAPSSOEXT method to verify the logon ticket issued by the gateway, but it failed that way, which means the logon ticket issued by the gateway cannot be accepted by HANA. Here are the level 2 trace file details:

 

---------------------------------------------------

trc file: "tracefile", trc level: 2, release: "720"

---------------------------------------------------

[Thr 6628] Wed Mar 19 19:26:56 2014

[Thr 6628]    Initializing SAPSSOEXT Version 8

[Thr 6628]    Built at Jul 10 2013 00:18:47 using release 720, patch 436

[Thr 6628]    PC with Windows NT on multithread environment with (SAP_CHAR/size_t/void* = 8/64/64)

[Thr 6628] DlLoadLib success: LoadLibrary("sapsecu.dll"), hdl 0, addr 0000000010000000

[Thr 6628]    using "C:\Users\C5180597.GLOBAL\Desktop\Xian‘ an Su\07_SAML+WEB Dispatcher\SAML 2.0 config\PSE test tool\windows64\ssosample\C\sapsecu.dll"

[Thr 6628]    Initializing SSF Library Version

[Thr 6628]    SAPSECULIB Version 5.4.28M-6

[Thr 6628] Ticket key as new PSE loaded

[Thr 6628] *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c  144]

[Thr 6628]  SsfVerify returned 7 :: SSF_API_UNKNOWN_PAB :: Priv.Addr.Book (PSE file) not found.

[Thr 6628] MYSAPSSO2 ticket last error from SSF: ERROR in af_open: (4356) PSEFile

[Thr 6628] ERROR in secsw_open: (4356) PSEFile

[Thr 6628] ERROR in sec_parse_PSEInfo_cont: (4356) PSEFile

[Thr 6628] ERROR in d_PSEFile: (18) decoding error for : "PSEFile"

[Thr 6628]  .

[Thr 6628]  SsfVerify returned null for SignerList.

[Thr 6628] *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 7. [ssoxxapi.c  235]

[Thr 6628] *** ERROR => Validate ticket failed with rc=458772. [ssoxxext.c  542]

[Thr 6628] *** ERROR => MySapEvalLogonTicketEx returns 458772. [ssoxxext.c  969]

 

The verify PSE file and the logon ticket are both OK. Could you please help resolve this issue?

 

Best regards,

Xian' an

Can't get SSL Authentication to work


Our SAP server is supposed to call an external web service, which requires authentication via an SSL certificate. So in STRUST I have created a new client certificate, which has been imported on the external server. Also, we have received the server's certificate, which has been added to this new entry in STRUST.

 

In SOAMANAGER I have set this new STRUST entry to be used for authentication at the web service provider.

 

Now when our SAP machine calls the remote web service, authentication fails.

In the ICM logs the following error messages are given:

 

[Thr 140543812142848] SecuSSL_SessionStart: SSL_connnect() failed  (536875072/0x20001040)

[Thr 140543812142848]    => "SSL API error"

[Thr 140543812142848] >>            Begin of Secu-SSL Errorstack            >>

[Thr 140543812142848] 0x20001040   SAPCRYPTOLIB   SSL_connect

[Thr 140543812142848] SSL API error

[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140543812142848] 0xa0600266   SSL   ssl3_read_bytes

[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140543812142848] <<            End of Secu-SSL Errorstack

[Thr 140543812142848]   SSL_get_state()==0x21d0 "SSLv3 read finished A"

[Thr 140543812142848]   No certificate request received from Server

[Thr 140543812142848]   SSL NI-hdl 401: local=10.156.32.11:62224  peer=10.206.58.12:16101

[Thr 140543812142848] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd2d0099410)==SSSLERR_SSL_CONNECT

 

Any ideas what we might be missing here?

SSO from SP4 to SP5


Hi all,

 

We have SSO 2.0 configured for ABAP and Java systems, currently with SP4, and wanted to check what the steps / any config changes would be to go to SP5.

 

Regards

Jonu Joy 

sso with kerberos with ABAP


Dear Gurus

 

We are planning to use the Kerberos authentication SSO mechanism from Windows desktops where SAP GUI (740) is installed, to the SAP ERP servers (ECC EHP7) installed on HP-UX (PAS) with all app servers on Linux.

 

Could you please shed some light on it: whether this solution is still acceptable,

whether there is any documentation for it, and whether SSO 2.0 requires any license from SAP.

 

Thanks in advance

SAP SSO - High availability / DR


Hi.

 

I have read quite a lot of documentation regarding SAP SSO 2.0.

But I am unable to find anything regarding availability etc.

Should the NW Java running the Secure Login Server be HA?

What happens once we have integrated all our backend systems and the SLS goes down?

Will it only affect new users that have not logged on yet ?

 

BR Gerhard.


Applying SP05 secure login library UNIX for ECC/CRM



SSO friends,

 

We're currently in a TRIAL, testing NW SSO 2.0 SP04.

 

ECC 6.0 EHP6 ABAP AS w NW7.31 SP07

CRM 7.0 EHP2 ABAP AS w NW7.31 SP07

Pure JAVA AS w NW7.02 SP16

All 3 are AIX 6.1 with Kernel 7.21EXT #331

 

The 2 ABAP stacks have notes: 1832706 / 2010613 / 1819808

 

Following the GREAT Videos here: http://scn.sap.com/docs/DOC-40178

 

Our Windows7 PCs also have the corresponding SLC SP04, and a SAPGUI utilizing the changes needed for SNC.

 

SPNego for ABAP with SNC for SAPGUI is working. No MAJOR problems there (yet). We can reach and integrate the WEBGUI/NWBC/BSPs between the systems and not need a password once we log into AD.

 

But we want to go to SP05! Not a big deal in terms of pushing out a new SLC SP05 to the PCs, but what about the Secure Login Library at the UNIX OS level?

 

I mean, my real question is: if I "un-SAR" the newest library into my /usr/sap/SID/INSTANCE/SLL directory, MUST I restart the SAP instance entirely in order to get the SP05 functionality/patch?

 

I hope that makes sense. You guys are great, I have really enjoyed all the great information in the SSO space!

 

--NICK

SSO using ADS in Solman


Hi,

The client requirement is to configure SSO using Windows logon to access the Solution Manager system.

 

I have configured SSO with Kerberos and it's working fine with the SAP GUI logon pad using Windows login.

 

When I try to use tcode CRM_UI, it's asking for credentials again. Kindly suggest how to proceed or what information is missing from my side.

 

Regards

HM

SSO for SAP GUI on ECC 6.0 SPS 15


Dear All,

 

We have recently obtained a trial SAP SSO 2.0 license and would like to test SSO for SAP GUI in our ERP environment, which is based on ECC 6.0 SPS 15 (Basis Release 700, no EHP yet). According to SAP Note 1798979, the minimum level to obtain SPNEGO for ABAP is NW 7.02 SP9. Since we are much below this level, we do not have SPNEGO for ABAP. Can we still go ahead and implement SSO for SAP GUI?

 

Any advice would be greatly appreciated.

 

Kind regards,

 

Amer.

SAP Logon Ticket and System Failover


We have a Java AS with two Java instances.

It also uses logon tickets as the authentication method. The SSO server is IBM Tivoli, which does the user authentication.

 

My understanding is that the Java AS which receives the user ID in the HTTP header will generate a logon ticket / MYSAPSSO2 cookie for the browser, so that the next request can go through without further authentication.

 

My question is, what might happen if the Java instance that the user is connected to goes down? Will another Java instance be able to validate this cookie information, or will the user be forced to log on again?

SPnego ABAP for CRM ICWEB BSP problem after selecting business role


Gurus,

 

We have a trial license for NW SSO 2.0 SP05

 

We have these versions of SAP:

 

ECC 6.0 EHP6 ABAP AS w NW7.31 SP07

CRM 7.0 EHP2 ABAP AS w NW7.31 SP07

Pure JAVA AS w NW7.02 SP16

 

All 3 are AIX 6.1 with Kernel 7.21EXT #331

 

 

Our PCs are all Windows7 32-bit Enterprise SP1

 

We use IE10 browser

 

We use Microsoft AD to authenticate our PCs

 

Our AD login ID matches our SAP ID

 

I feel really good about having correctly set up SPNego for ABAP. I think we followed all the steps very closely and correctly:

 

Not to go into too much detail, but I followed the videos, applied the notes:

 

1. Install/config Secure Login Library for ABAP (at the AIX server/OS SAP level)

2. Created our AD service user with the setSPN per the video

3. Enabled all the SNC/SPNego stuff in RZ10

4. Followed all the steps to gen the keytab and PIN, credV2, just like in the video

5. Restarted the SAP instance

6. TCODE SPNEGO: added the entry to reflect our AD user / domain that matches our keytab command

7. Installed the Secure Login Client

8. Rebooted the PC

9. Edited SU01 for our users to add the SNC entry, matching the Kerberos ticket to their SU01; looks good

10. Edited SAPGUI logon pad to use SNC

 

 

So the logon pad is great; SNC always works.

 

SPNego for ABAP works awesome in terms of getting me to WEBGUI via the IE browser, as well as NWBC via the IE browser. No password. SWEET!

 

But ICWEB, aka Interaction Center webclient, is a whole other issue.

 

When I hit the URL:

 

I use our typical URL to get direct to our CRM QA instance of ICWEB:
http://ourSAPhostname:ourSAPICM-HTTPport/sap/crm_logon

 

And I get right to the part where I can select my business role.  And that is cool, because normally, before we did SSO, I would have been presented with a typical logon screen.

 

[screenshot: SSOissue1.jpg]

So I select my business role, just a custom role based off of a Utilities interaction center agent (since we are IS-U).

 

And then it hits me with a logon screen!

 

 

[screenshot: SSOissue2.jpg]

 

 

In case you can't read that, it says:

 

the server XXXX at SAP application server SID/CLIENT requires a username and password

 

 

 

 

 

Now, I can keep clicking "Cancel" and get to the main screen, where I can work, but that isn't correct. It should just let me in!

 

And I swear this was all working a few days ago!  But now I get this screen and so do all my other users who are testing.

 

This happens to all the folks, regardless of what PC they use, etc.

 

 

Sounds crazy, but this was working, and now I get this every time!

 

 

Help! What do you guys think?

 

 

Thanks! NICK

Logon Ticket MYSAPSSO2 Validation and session hijacking


My understanding is that the accepting SAP Java AS will retrieve the cookie information from MYSAPSSO2 and use the certificate from the issuing system to authenticate the session.

 

My question is: are JSESSIONID and other HTTP information used together with the MYSAPSSO2 information for session authentication?

 

What we've observed is that if we delete JSESSIONID from the client cookies, the session is invalid right away, although we don't touch any MYSAPSSO2 information. But we're not sure whether this is a behavior of SAP NW Java AS or of the IBM Tivoli SSO server which authenticates the access in the first place.

 

Also, if MYSAPSSO2 is the only information used for authentication, can the session be hijacked if this information is captured by another session?

SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting OpenSSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.


Spnego ABAP on NW7.31 SP07 intermittent issues


All,

 

We have all the settings needed for SPNego on ABAP. I don't want to go into them here, but as the discussion moves forward I can explain all that!

 

SOMETIMES, when trying to log in via NWBC / WEBGUI and CRM ICWEB, users are presented with login screens.

 

When NWBC/WEBGUI presents a login screen, it's the typical login screen you would see as if no SSO was set up.

And if I refresh the URL a few times, I will end up getting in without actually putting in any user/pass.

 

 

When they see the ICWEB login screen, it's really just a pop-up in the browser saying "Windows Security" (at the top); then, in the window, it says:

 

"The server myCRMhostname.MyDomain.com at SAP Netweaver Application server [SID/CLIENT] requires a username and password."

 

Then you see a box for the username/password.

 

Again, just hit "Cancel" a few times and you will get in.

 

 

Sooooo strange. SSO will work great for all users across all PCs for a few hours at a time. Then it will stop working and we'll get those errors I noted above.

 

I've done TONS of research on this. I highly suspect our Microsoft AD network / KDC has a problem, but I know nothing about that side of the house.

 

There are a few notes out in SAP, and threads from Google searches, that talk about the KDC sending something called an NTLM token instead of a Kerberos token. And when that happens, you can't log in. But it all comes down to why/how the Kerberos KDC is sending that.

 

How do you prove / disprove that the KDC is sending a Kerberos token (or an NTLM token) from an SAP ABAP perspective?

Or how else could I effectively troubleshoot this issue?

 

I really believe that NW SSO could be great for our environment, but because of all these moving parts it is proving very difficult to troubleshoot when it breaks.

 

Thanks

 

NICK

SPnego ABAP....what to do about app servers? params and keytab


All,

 

The details given in the setup of SPNego for ABAP from this video series assume one APP/CI server:

 

http://scn.sap.com/docs/DOC-40178

 

The videos only assume one APP/CI server, and put all the SNC/SPNego profile params in the INSTANCE profile. They also put the Secure Login Library files in the /usr/sap/{SID}/{INSTANCE}/SLL directory.

 

 

So what if you have one CI/app and one pure app server? Would it be OK to put them in /sapmnt/{SID}/SLL, which is shared across CI/APP? Of course the profile param would have to reflect that. Or does it even matter when app servers are involved?

 

Would it be OK to put all the SNC/SPNego profile params in DEFAULT.PFL? Then you would not have to enter them multiple times?

 

Also, when you execute the command to create the keytab:

{SLLDIR}/sapgenpse keytab -p SAPSNCSKERB.pse -a MYAD-ID@MYDOMAIN.COM

 

MUST you do the keytab stuff at the OS level twice? Once for the APP/CI OS/server and once again on each pure app server?

Our $SECUDIR is different for the CI and the APP server:

/usr/sap/{SID}/DVEBMGS00/sec

/usr/sap/{SID}/D00/sec

 

Or would doing it one time, for the CI/APP, do the trick?

 

Hope that makes sense.

 

NICK

SPnego on ABAP -- SICF services - Alternative Logon Procedure


Friends,

 

I'm still having fun with SPNego on ABAP, trying to get it working consistently. I came across an interesting note today:

 

2010596   SICF: "SPNEGO Authentication" disappears from "Alternative Logon Procedure"

 

Besides the note corrections and the recommendation to be at a certain kernel level, it mentions some errors that might happen if you mess with the logon procedures. That got me thinking.

 

If you want to implement SPNego for ABAP, and you have certain specific services such as:

/sap/crm_logon

/sap/bc/nwbc

/sap/bc/gui/sap/its/webgui

 

If you click on them in SICF --> Logon Data (tab) --> Procedure = "Standard".

 

But if you go into change mode, you can change it to "Alternative Logon Procedure". Then scroll to the bottom and there is an ordered list:

 

1 Logon Through HTTP Fields

2 Logon Through SSL Certificate

3 SAP Logon/Assertion Ticket

4 SAP Assertion Ticket

5 Basic Authentication

6 SAP RFC Logon

7 SPNego Logon

8 SAML Logon

9 Logon Through Service Data

 

So, my question is: if you want SPNego for ABAP, do we need to mess with this? Should we change to "Alternative Logon Procedure" and move SPNego up above "Basic Authentication"?

 

Or maybe just check the box that says "Use all Logon Procedures"?

 

Anyway, I could not find any notes / threads specifically on this and was wondering if you guys had any ideas?

 

Thanks,

 

NICK

Implementing Single Sign-On 2.0 based x.509 using SAP Netweaver 7.4


Hi Experts,

 

I need to implement SAP NetWeaver Single Sign-On 2.0 using X.509 certificates and NetWeaver 7.4 at a customer. Here in SCN there are five videos about this subject, but for SSO version 1.0 and an old NetWeaver (SAP ECC and HCM).

Can someone help me with documentation, comments or even videos?

 

 

Thanks a lot to everybody.

SSO issue in ticketing solution - Solution Manager


Hello ,

 

Recently I had raised a query related to an SSO issue and was able to solve it using the two notes below:

 

1467488 - Start WebClient UI with user credentials of SAP GUI

 

352295 - Microsoft Windows Single Sign-On options

 

Now, as an extension of this, when I create an incident ticket in Solman I receive an email notification which contains the incident number and status along with the ticket link.

When I click on the link, it should take me directly to the ticket without login credentials, but I get a pop-up for username and password.

 

Kindly let me know what I am missing in the configuration so that it takes me to the ticket directly.

 

Regards

HM
