Channel: SCN : Discussion List - SAP Single Sign-On

SP initiated ADFS authentication with NW 7.02 Java


We have a NW Java 7.02 (SP17) system that, as I understand it, has limited SAML capabilities since it doesn't support SAML 2.0.

 

Our basic goal is to provide our users with authentication against an MS ADFS by going to the same portal URL they've always gone to.  But now, we want them to be granted access using SAML from the ADFS.  They would be challenged for their domain credentials before proceeding and being taken to their portal desktop.

 

One other hitch is that our Portal currently is using ABAP as the UME which can't be changed.  Otherwise, we could switch to MS AD for the UME datasource.

 

So, is there a good method to initiate the authentication to an NW 7.02 Java app at the SP level?

 

What capabilities would NW SSO offer in the above scenario?


SAP Gui Single Sign-On with Kerberos



Hi

 

I am working on SAP GUI SSO with Kerberos. We have decided to use the SAP NW-SSO Secure library to support Kerberos.
I am following the instructions from the SDN link - http://scn.sap.com/docs/DOC-40178

 

1. Create Service ID and SPN
2. Set up SAP parameters
3. Set up SAP SNC parameters
4. Set up keytab
5. Restarted. SNC is on with the Service ID and I can confirm it is working from the dev_wx trace.

 

We set up the SNC parameters in the user master record and the GUI properties. But when I click to log on, we get the error message "GSS-API(maj): No credentials were supplied. Unable to establish the security context."

 

I am doing this in my POC environment.  With that being said, my Windows machine is set up in the same domain but my SAP environment is in the productive domain. Do you see this as an issue?

 

I have attached the error message received.

 

Did I miss anything?

 

Thank you in advance.

 

Santosh Lad

issuing MYSAPSSO2 from ABAP stack


Could anyone share some knowledge about configuring logon tickets? I have attempted to configure logon tickets on the ABAP stack. After running transaction SSO2 to check the status of issuing logon tickets, it indicates everything is going perfectly with a green light. Unfortunately, when I look for the MYSAPSSO2 cookie in Fiddler, there is no MYSAPSSO2 showing up in the cookie header. Could anyone shed some light on this issue I encountered?

SSO for Java not working


Hi,

We have configured the Secure Login Server and enabled SPNEGO. We are getting the certificates and are able to fully use the X.509 and Kerberos functionality in ABAP.

 

However, in the case of the Java stack it is not taking the Windows authentication and logging in; instead it prompts to enter the user name and password.

 

Any help on this is appreciated.

 

Regards

Mukunthan

SSO data issue - User 1 is able to see data of User 2


Hi,

We have configured SSO between SAP portal and R/3 such that the users' Windows login credentials are used to log in to the SAP portal. It works fine for all users except for one. This user (user 1) is able to see another user's (user 2) data. For all other users it works absolutely fine. Any inputs on what might be the reason?

 

Regards,

Navya

SSO Configuration - Problem


Dear Experts,

 

I am trying to configure SAP SSO using this guide:

How to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration

 

I followed the guide and now I am stuck on point

3. Create and Configure the Secure Store Environment (pse.zip) --> on the server


I execute the command

snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN-IN-UPPER-CASE> -p <PASSWORD-OF-AD-USER>


This command is not working.....


 

I asked Google several times but it will not work. I tried different syntax versions and it will not work. I don't know why.

 

Any idea what can be wrong?

 

Best regards,

Klaus

SAP BO 4.1 - Windows AD SSO and Scheduled Reports


We are implementing SSO in an SAP BO BI4.1 SP5 environment with Windows AD integration using Kerberos. One of the customer requirements is to be able to run Scheduled Reports under the Admin ID, even if the user creating the report is any user. Does something like a Wallet concept need to be implemented in this environment to achieve this? BO BI4.1 is on Windows 2008; the CMS is on a separate Oracle 11g box.

SAP Password Manager with SAP BCM CDT (contact center client)


Hey all,

 

We're testing the SAP Password Manager 2.0 SP3 (latest version out there).

It works OK....but now it seems we have a conflict/problem if the SAP Password Manager is running BEFORE our users start the SAP BCM CDT (now known as SAP Contact Center) (that's the "softphone" software our reps use to connect to our IVR to answer calls / screen pops with SAP CRM).

 

So IF the SAP Password Manager is running first...and then the CSRs start the BCM CDT....SOMETIMES their BCM queues are greyed out (not selectable).  Sometimes it works fine.

 

But the funny thing is that if I stop the SAP Password Manager, then start the BCM CDT, things work fine.  So it's easy to prove this is related to the SAP Password Manager, since we never had this problem before I started demoing the NW SSO software.

 

I can toggle back and forth (for the most part) to prove it is something to do with the SAP Password Manager.

 

Anyway, I did notice that SAP hasn't released any updates to the SAP Password Manager for about a year now, and there just are not that many notes at all regarding this software.

 

I'm sure this will turn into a SAP message but I was wondering if there are any folks out there that have run into this.

 

The most interesting thing to me is that we're not even using the NW SSO 2.0 suite for SSO to BCM CDT.  It uses X.509 between our MS AD certs in the browser and a config setting in the CDT.

 

I am also concerned that SAP hasn't released any updates to the SAP Password Manager in a while, so I wonder if this is even a product they plan on keeping up.  I will say that it does work fairly well for NON-SAP stuff, like external URLs and other applications.  It's helped fill in the blanks for stuff I can't do via SNC / SPNEGO / X.509.

 

NICK


SPnego and SNC with AES-256 keys


SCN pals,

 

We have SPnego / SNC setup on both our NW7.31SP07 and NW7.40SP07 systems.

 

We used the basic steps outlined in the videos:

http://scn.sap.com/docs/DOC-40178

 

But one thing that I have noticed is that once I have established a connection into SAPGUI via SNC or WEBGUI via SPNEGO, my ticket in "klist" looks like this:

 

C:\Users\nwells>klist

Current LogonId is 0:0x5b639

Cached Tickets: (2)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#3>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/my-hostname.my-domain.com@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

 

Does anyone know why my SAP Kerberos tokens come over as RSADSI RC4-HMAC(NT) ?

 

When I created the keytab at the OS level, I got this as part of the output:

 

keytab: KeyTab content stored:
    Version  Time stamp                 KeyType   Kerberos name
          1  Thu May  7 15:42:25 2015   DES       SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES128    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES256    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   RC4       SA-AGC-ABAP-SID@MY-DOMAIN.COM

 

and in the SPNEGO transaction, I have these listed:

 

DES-CBC-CRC
DES-CBC-MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96
RC4-HMAC-MD5
RC4-HMAC-MD5-56

 

So I would think that I'm covered.

 

I read this note and applied it in my NW7.31 but it was N/A on 7.40.  I meet the kernel requirements too for both.

 

1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

 

If I get my AD administrator to click the button for my user SA-AGC-ABAP-SID@MY-DOMAIN.COM that says "This account supports Kerberos AES 256 bit encryption" in the account options....NOTHING works!  SPnego just goes back to username/pass, and SNC pops up a message when you try to log in that says "GSS-API(min): A2210217:the verification of the Kerberos ticket failed

target="p:CN=SA-AGC-ABAP-SID"

 

I also read this note:

 

1677641 - Kerberos authentication problem (SNG/GSS error a2210217)

 

but we already have the latest NWSSO2.0 SP05 login library and note 1832706.  I'm certain my user/pass for AD is correct.

 

Anyway..I know I said a lot....ANY thoughts?

 

 

 

thanks,

 

NICK
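Nick's question is why the SAP/ and HTTP/ service tickets come back as RC4-HMAC while the TGTs are AES-256. The script below is an added example for this thread, not code from the post or from SAP: it parses `klist` output and lists every service ticket issued on a legacy encryption type, which is the quick client-side check to run before and after the service account's AES option is changed. A service ticket's encryption type is chosen by the KDC from the encryption types the service account is marked as supporting in AD, not by the client and not by which keys happen to be in the keytab, so a keytab holding AES keys is not on its own enough to move the tickets off RC4. The `LEGACY_ENCTYPE_MARKERS` tuple and the function names are this example's own; the sample input is the post's klist output, shortened to three tickets.

```python
"""Flag Kerberos tickets on legacy encryption types in Windows `klist` output.

Added example for this SCN thread, not code from the post or from SAP. The
sample input is the klist output quoted in the post (shortened); the set of
"legacy" type markers is this example's own simplification.
"""
import re
from dataclasses import dataclass

# Substrings of klist's type names that mark a legacy cipher (RC4-HMAC, DES-*).
LEGACY_ENCTYPE_MARKERS = ("RC4", "DES")

# Sample input: klist output quoted in the post above, shortened to three tickets.
SAMPLE_KLIST = r"""
C:\Users\nwells>klist

Current LogonId is 0:0x5b639

Cached Tickets: (3)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable initial pre_authent
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Session Key Type: RSADSI RC4-HMAC(NT)

#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/my-hostname.my-domain.com@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Session Key Type: RSADSI RC4-HMAC(NT)
"""


@dataclass
class Ticket:
    index: int
    client: str
    server: str
    ticket_enctype: str
    session_key_type: str

    def is_tgt(self) -> bool:
        return self.server.startswith("krbtgt/")

    def uses_legacy_crypto(self) -> bool:
        types = (self.ticket_enctype + " " + self.session_key_type).upper()
        return any(marker in types for marker in LEGACY_ENCTYPE_MARKERS)


_FIELDS = {
    "client": re.compile(r"Client:\s*(.+)"),
    "server": re.compile(r"Server:\s*(.+)"),
    "ticket_enctype": re.compile(r"KerbTicket Encryption Type:\s*(.+)"),
    "session_key_type": re.compile(r"Session Key Type:\s*(.+)"),
}
_TICKET_START = re.compile(r"#(\d+)>\s*(.*)")


def parse_klist(text: str) -> list:
    """Split klist output into Ticket records, one per '#N>' block."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        start = _TICKET_START.match(line)
        if start:
            if current is not None:
                tickets.append(Ticket(**current))
            current = dict(index=int(start.group(1)), client="", server="",
                           ticket_enctype="", session_key_type="")
            line = start.group(2)  # 'Client:' shares the line with '#N>'
        if current is None:
            continue  # header lines before the first ticket
        for name, pattern in _FIELDS.items():
            found = pattern.match(line)
            if found:
                current[name] = found.group(1).strip()
    if current is not None:
        tickets.append(Ticket(**current))
    return tickets


def legacy_service_tickets(text: str) -> list:
    """(server, ticket enctype) for each non-TGT ticket issued on a legacy type."""
    return [(t.server, t.ticket_enctype)
            for t in parse_klist(text)
            if not t.is_tgt() and t.uses_legacy_crypto()]


if __name__ == "__main__":
    for server, enctype in legacy_service_tickets(SAMPLE_KLIST):
        print(f"legacy enctype {enctype} for service {server}")
```

Run against a saved `klist` capture from a test PC; an empty result means every service ticket is on AES. If the SAP/ ticket stays on RC4 after the account option is set, the next place to look is the server side (the keytab's AES keys and their key version must match what the KDC now issues), which is the A2210217 verification failure Nick describes.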

Spnego ABAP on NW7.31 SP07 intermittent issues


All,

 

We have all the settings needed for SPnego on ABAP.  I don't want to go into them here, but as the discussion moves forward I can explain all that!

 

SOMETIMES.....SOMETIMES when trying to log in via NWBC / WEBGUI and CRM ICWEB, users are presented with login screens.

 

When NWBC/WEBGUI presents a login screen, it's the typical login screen you would see as if no SSO was setup.

And if I refresh the URL a few times, I will end up getting in without actually putting in any user/pass.

 

 

When they see the ICWEB login screen, it's really just a pop up in the browser.  Saying "Windows Security" (at the top) then, in the window, it says:

 

"The server myCRMhostname.MyDomain.com at SAP Netweaver Application server [SID/CLIENT] requires a username and password."

 

Then you see a box for the username/password.

 

Again, just hit 'cancel' a few times and you will get in....

 

 

Sooooo strange.  SSO will work great for all users across all PCs for a few hours at a time.  Then it will stop working and we'll get those errors I noted above.

 

I've done TONS of research on this.  I highly suspect our Microsoft AD network...KDC has a problem, but I know nothing about that side of the house.

 

There are a few SAP notes, and threads from Google searches, that talk about the KDC sending something called an NTLM token instead of a Kerberos token.  And when that happens, you can't log in.  But it all comes down to why/how the Kerberos KDC is sending that.

 

How do you prove / disprove that the KDC is sending a Kerberos token (or a NTLM token) from an SAP ABAP perspective?

Or how else could I effectively troubleshoot this issue?

 

I really believe that NW SSO could be great for our environment, but because of all these moving parts it is proving very difficult to troubleshoot when it breaks.

 

Thanks

 

NICK

SAML SP initiated SSO for Biller Direct


Hi

We are running NW 731 and we have configured SAP as both IdP and SP in the SAML wizard.

 

But we are going to be using SAP only as a SP. Our IdP is a 3rd party provider (PingFed) and we have imported the IdP's metadata in the SAP portal system under the list of Trusted Identity providers.

 

We modified the authentication template (form) that is being used by the Biller Direct applications, so that SAML is the second option, as per the help.sap.com link:

Adjusting the Login Module Stacks for Using SAML - User Authentication and Single Sign-On - SAP Library

 

Now when we open the application URL using:

 

https://<hostname>/bd

 

 

We see the standard Biller Direct logon page and not the redirection to the IdP's website to authenticate. What are we missing? How do we force the redirection of the URL to go to the IdP's website/IdP logon page and then back to the Biller Direct application?

 

Any advice would be appreciated.

 

Thank you

Abhi

SPNEGO not working at JAVA and Web GUI


Dear colleagues, I ask for help, I'm exhausted!

I am setting up Kerberos SSO for the system Solman 7.1 (NW 702). For the ABAP part it succeeded. But for Java, Web GUI and NWBC a login and password window appears. What could be wrong? I believe that SPNEGO does not work correctly.

SNC questions


Hi,

    I'm new with SNC.

 

Is there a document out there that shows the difference between NW SSO SNC and ABAP platform SNC?

 

What benefit does NW SSO SNC provide? Both use the same CommonCryptoLib for the crypto algorithms, so does NW SSO SNC have more functions than the one in the ABAP platform?

 

 

Thanks in advance.

 

regards,

Laurence...

How to protect the Secure Login Server CA keys / HSM Support?


Hi all,

I would appreciate it if you could help me with this topic. Is there a way to support HSMs for SLS key generation? Are there best practice guides about how to protect the SLS-UserCA in the best way? Maybe there are existing guides dealing with these issues. Thanks a lot.

 

Carsten

SAP SSO Siteminder issue


Hi,

 

We have SiteMinder SSO configured for one of the customised Java applications deployed on SAP NW portal 7.4.

 

As part of the SiteMinder configuration we have configured the below:

 

  • Installed/configured SiteMinder web agent, session linker, SAP WEBAS Agent
  • Configured IIS 7.5 to act as front-end web server to SAP
  • Configured the policy server to protect the Java application URL
  • Configured the authentication template as per the CA document below

        CA SSO Agent for SAP Integrated Documents - r12.51

 

While trying to test the application we get the 401 Unauthorized error. Please find the captured security logs below:

 

09:35:00:702DebugHTTP Worker [@1717154925],5,......ication.vuser.VirtualUserDataSourcesearchPrincipalDatabags ***************************************************************************
* com.sap.security.core.persistence.imp.SearchCriteria
* looking for: "UACC" on all repositories.
* Using AND mode without size limit.
*
* com.sap.security.core.usermanagement|->PRINCIPAL_TYPE_ATTRIBUTE EQUALS UACC (case sensitive)
* com.sap.security.core.usermanagement|->j_user EQUALS xxxx (not case sensitive)
***************************************************************************
found nothing.
09:35:00:728DebugHTTP Worker [@1717154925],5,......ication.vuser.VirtualUserDataSourcePopulate principal databag failed as principal was not found.
09:35:00:729ErrorHTTP Worker [@1717154925],5,......nnectionHandler.isValidConnection()Return code from doManagement() is false
09:35:00:729ErrorHTTP Worker [@1717154925],5,......nnectionHandler.isValidConnection()Check Policy Server IP Address or FQDN
09:35:00:730ErrorHTTP Worker [@1717154925],5,......as.SiteMinderLoginModule.SSOlogin()Agent not connected
09:35:00:730DebugHTTP Worker [@1717154925],5,......ecurity.authentication.logincontextLogin failed!
[EXCEPTION]
java.security.PrivilegedActionException: javax.security.auth.login.LoginException: Login Failure - Check SiteMinder Configuration
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:282)
at com.sap.engine.services.servlets_jsp.server.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:441)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:278)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
Caused by: javax.security.auth.login.LoginException: Login Failure - Check SiteMinder Configuration
at com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule.login(DashoA8550)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:66)
... 41 more

 

 

 

We need your expert advice to resolve this issue.

 

Kindly advise.

 

Thanks & Regards,

Sowmya


Is there an API for SAP ID Service that lets us provision users, change passwords, etc.


Hi, I am using SAP ID Service in HANA cloud platform application.

Is there an API for SAP ID Service that lets us provision users, change passwords, etc.

 

Thanks in advance!

SNC does not work on additional application servers


Hi,

 

I have set up quite a few servers to connect with SSO to ABAP stacks. It is not a problem when it is a single-instance system, but I struggle with distributed systems. The central instance will start without a problem but the additional dialog instances (on different servers) do not start, and I have to disable SNC on those servers. The error is always:

 

SncInit(): Initializing Secure Network Communication (SNC)
N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"
N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll
N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7
N  SncInit():  found snc/identity/as=p:CN=<…>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=<….>"
N      FATAL SNCERROR -- Accepting Credentials not available!
N      (debug hint: default acceptor = "p:CN=DummyCredential")
N  <<- SncInit()==SNCERR_GSSAPI
N          sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas

Can users without Secure Login Client still logon to AS ABAP via SAPGui with NW SSO


Good afternoon - I have a question regarding NW SSO. We are considering buying a number of licenses, but perhaps not enough for every user to be able to log on using single sign-on. So some users would have the Secure Login Client on their PCs and others would not. For the ones who don't have the client installed, they would still be able to log in to a system with SAPGui by entering their username and password, right? The reason for my question is that I know that during the setup of NW SSO we will make changes in the saplogon.ini file to indicate the SNC name of the application server, and then also have to make entries in tcode SU01 for the user's SNC name. I see on the SNC tab in SU01 that there is an option to allow password logon for SAPGui, so for the users we have not purchased a license for, could we just check that box so that they could still enter their ID and password in SAPGui as usual?

 

I would appreciate any help with this!

 

 

Regards,

 

Blair Towe

Question about X.509 certificates and NetWeaver SSO

Good afternoon - Today, we currently can use X.509 certificates that exist in each user's internet browser to perform single sign-on to web-based SAP applications. Can NetWeaver Single Sign-On use the same certificates that have been generated using our internal Microsoft Certificate Server to perform single sign-on to AS ABAP via SAPGui? Or would we have to generate new certificates using Secure Login Server component of NW SSO and have these be the certificates that are used for both SAPGui logons and web-based SAP applications?

 

I'm trying to understand which way will be the easiest to manage the administrative tasks. The existing X.509 certificates are maintained automatically by our Windows server group, while the Secure Login Server will likely be maintained by the Basis team.

 

Any information would be appreciated!

 

Regards,

 

Blair Towe

SAP FIORI Launchpad SAML2 SSO with 3rd party IDP

Hi,

 

I have configured SP-initiated SSO with Siteminder IDP for SAP FIORI Launchpad. The setup works well. We have a 60 min idle timeout for SAML sessions and SAP HTTP sessions.

 

Everything works well, but the issue occurs if anyone keeps the Launchpad idle for more than 60 mins (a break for lunch is, as usual, the culprit).

 

How do we handle this timeout and request user to logon again?

 

Here are the Sec_diag logs.

 

SAML20 <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
SAML20
SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
SAML20 </ns2:SubjectConfirmation>
SAML20 </ns2:Subject>
SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"
SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>GWP-SP</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 </ns2:Conditions>
SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"
SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="
SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">

 

 

 

After 60 mins, when users try to use the same session, they get the error below:

 

SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)
SAML20 Caused by: CX_SAML20_ASSERTION: All 'SubjectConfirmation' elements are invalid. Long text: All 'SubjectConfirmation' elements are invalid.
SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 116)
SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)
SAML20 Caused by: CX_SAML20_ASSERTION: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid. Long text: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid.
SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 92)
SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

 

<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
SAML20
SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
SAML20 </ns2:SubjectConfirmation>
SAML20 </ns2:Subject>
SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"
SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>GWP-SP</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 </ns2:Conditions>
SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"
SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="
SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AuthnContext>
SAML20 <ns2:AuthnContextClassRef>
SAML20 urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
SAML20 </ns2:AuthnContext>
SAML20 </ns2:AuthnStatement>
SAML20 <ns2:AttributeStatement>
SAML20 <ns2:Attribute Name="uid"
SAML20 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
SAML20
SAML20 <ns2:AttributeValue>sAMAccountName</ns2:AttributeValue>
SAML20 </ns2:Attribute>
SAML20 </ns2:AttributeStatement>

 

 

Thanks in advance.

 

Santosh Lad
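The sec_diag trace in Santosh's post shows the SP rejecting a Response whose SubjectConfirmationData NotOnOrAfter (16:01:57Z, two minutes after NotBefore) is already in the past, and that check fires before the Conditions window is even looked at. The validator below is an added example for this thread, not code from the post or from SAP: it reads a bearer assertion and reports which time and audience checks fail at a given receive time, in the order the trace shows. Run at a time inside the two-minute window it passes; run at any later time, such as after a lunch break, it fails exactly as the trace does, which is why a stale Response cannot be re-submitted once the SP's own HTTP session has expired. The assertion is the post's own values wrapped in a minimal, constructed Assertion element (ID, Issuer and NameID are placeholders); the clock-skew parameter and the function names are this example's own.

```python
"""Validate the time window of a SAML 2.0 bearer assertion in the order the
ABAP SP checks it (SubjectConfirmationData, Conditions, SessionNotOnOrAfter).

Added example for this SCN thread, not code from the post or from SAP. The
sample wraps the attribute values quoted in the post in a minimal, constructed
Assertion element; ID, Issuer and NameID are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the post: the SP's ACS endpoint and its audience (entity ID).
SAMPLE_RECIPIENT = "https://mysap.avaya.com:443/sap/saml2/sp/acs/110"
SAMPLE_AUDIENCE = "GWP-SP"

# Constructed sample assertion built from the values in the sec_diag trace.
SAMPLE_ASSERTION = """<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2015-06-26T16:00:26Z">
  <ns2:Issuer>placeholder-idp</ns2:Issuer>
  <ns2:Subject>
    <ns2:NameID>placeholder-user</ns2:NameID>
    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
          Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
    </ns2:SubjectConfirmation>
  </ns2:Subject>
  <ns2:Conditions NotBefore="2015-06-26T15:59:57Z" NotOnOrAfter="2015-06-26T16:01:57Z">
    <ns2:AudienceRestriction><ns2:Audience>GWP-SP</ns2:Audience></ns2:AudienceRestriction>
  </ns2:Conditions>
  <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"
      SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="
      SessionNotOnOrAfter="2015-06-26T16:01:57Z">
    <ns2:AuthnContext>
      <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
    </ns2:AuthnContext>
  </ns2:AuthnStatement>
</ns2:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_time_window(assertion_xml, now, recipient, audience, skew=timedelta(0)):
    """Return the list of failed checks; an empty list means the assertion is usable.

    NotOnOrAfter bounds are exclusive (the instant itself is already invalid),
    NotBefore is inclusive; `skew` widens every bound to tolerate clock drift.
    """
    root = ET.fromstring(assertion_xml)
    failures = []

    # 1. A bearer SubjectConfirmation addressed to this ACS must still be valid.
    confirmations = root.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if not any(scd.get("Recipient") == recipient
               and now < parse_saml_time(scd.get("NotOnOrAfter")) + skew
               for scd in confirmations):
        failures.append("SubjectConfirmationData NotOnOrAfter")

    # 2. Conditions: validity window, then every AudienceRestriction must name us.
    cond = root.find("saml:Conditions", NS)
    if now + skew < parse_saml_time(cond.get("NotBefore")):
        failures.append("Conditions NotBefore")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
        failures.append("Conditions NotOnOrAfter")
    for restriction in cond.findall("saml:AudienceRestriction", NS):
        if audience not in [a.text for a in restriction.findall("saml:Audience", NS)]:
            failures.append("AudienceRestriction")
            break

    # 3. SessionNotOnOrAfter caps how long the SP may keep the resulting session.
    authn = root.find("saml:AuthnStatement", NS)
    session_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    if session_end and now >= parse_saml_time(session_end) + skew:
        failures.append("SessionNotOnOrAfter")
    return failures


def check_sample_at(utc_iso: str, skew_seconds: int = 0) -> list:
    """Validate the sample assertion as if it were received at the given UTC instant."""
    return validate_time_window(SAMPLE_ASSERTION, parse_saml_time(utc_iso),
                                SAMPLE_RECIPIENT, SAMPLE_AUDIENCE,
                                timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    print("inside window :", check_sample_at("2015-06-26T16:00:30Z") or "OK")
    print("after lunch   :", check_sample_at("2015-06-26T17:05:00Z"))
```

The audience check is deliberately strict: under the SAML 2.0 core rules every AudienceRestriction element must contain the SP's audience, so the sample carries only the GWP-SP restriction. The skew parameter is what an SP exposes as "clock skew tolerance"; it makes a marginally early assertion acceptable but does nothing for one that is an hour old, which is the situation in the post.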
