Quantcast
Channel: SCN : Discussion List - SAP Single Sign-On
Viewing all 862 articles
Browse latest View live

Password Manager - can you create an "ignored list" prior to pushing out the software?

July 23, 2015, 7:52 am
$
0
0

SCN pals,

 

BACKGROUND


We have SAP Password Manager 2.0 SP 5.
We are on Windows7 enterprise SP1 on both 32bit and 64bit OS.
We have IE10 as our primary browser.

I have read the SAP Password manager guide here:
http://scn.sap.com/docs/DOC-40109
http://help.sap.com/download/sapsso/pwdmngr_impl_guide_en.pdf


ISSUE

When I push the Password Manager to the users, I'd like for the "Ignored List" to contain some internal URLs.

By default right now, the list is blank of course and the users have to add them manually.

 

The Password Manager guide does give an example of a similar scenario.  So if you wanted to edit the default security questions, you can do that!
I've done that and it does work.  But within all those XML files, I can't find any that give reference to the Ignored List.

 

So does anyone know how (or if it is even possible) to include some URLs in the "Ignored List" when you push out the Password Manager?

 

Thanks

 

NICK

Search

SAPGUI login without SSO

July 21, 2015, 6:52 pm
$
0
0

Hi,

 

We have setup SSO for our ABAP systems and when users try to login when the SLS becomes unavailable , they dont get a login screen , they just get an error, is there someway when SLS becomes unavailable the users can get a login page where theyt can login with their userid/passwd .

 

Thank you

Jonu Joy 

How can I define a logon mask language for users with several clients?

July 21, 2015, 6:39 am
$
0
0

Hello community,

 

do you know how I can define the logon language of a user who has several clients (user in several clients) in a SSO system?

Our standard is DE, in the client su01 configs he always has EN as a defined standard language.

Is it possible to configure languages per user or only for one global config file?

Kerberos token verify error

July 27, 2015, 12:37 am
$
0
0

Hi All,

 

I have configured SSO based on Kerberos with SAP Single-Sign On 2.0, the solution used to work before with both web browsers and SAP Logon (Windows). However, recently when I recheck, the SSO does not work anymore for browser authentication. I can log into SAP GUI (for Desktop) with SSO, but when I checked SPNego configuration, the Token Check has error with the following message.

 

 

I tried to check the system lock of our KDC, SAP Application Server, as well as my workstation and synchronize the system clocks. However, this does not solve the problem. As you can see from the above screenshot, Kerberos token expires after 5 minutes, so I tried to extend the Maximum tolerance for computer clock synchronization in to 10 minutes, but the situation is still the same, the token still expires after 5 minutes. Could you please provides some hints to troubleshoot the error.

 

I'm not sure if it's the root cause for SSO on web browser but SSO for SAP GUI does work. I checked the note 1732610, but I guess I need to solve the token verification error first.

 

I would be very grateful for any contribution.

 

Best regards,

Duy

get userid script

August 5, 2015, 10:18 pm
$
0
0

Hi,

 

I'm having trouble with getting user ID form .NET Infoview session because I've never done vbscript to extract this kind of information before.  Can someone give me some guidance on this matter.  I see plenty of information about create logon token but my setting does not need this.  I only need to get the user id from the .NET Infoview session so it can be passed into my java Infoview.  I also tried the java connector but I cannot get it to work as described in these documents.

 

Thank you,

Phan

Lincense for sap single sign on

August 5, 2015, 9:36 pm
$
0
0

Hi Experts,

 

We have license for sap business suite, do we still require to get license for sap nw single sign on, as we are not able to see single sign on at sap market place??

SAP SSO integration with SAP Hybris

August 6, 2015, 8:58 am
$
0
0

Wanted to know if any of us have implemented SAP SSO for Hybris application. Is it possible to do so? Any thoughts will help.

Valid passcode provided by client without valid cookie?

August 6, 2015, 6:54 pm
$
0
0

Hi

 

I am testing the SAP Authenticator to logon to a SAP JAVA system. The clock on both the mobile device and the server are synchronized. But about one out of two or three times, I've got this authentication error message.

 

Valid passcode provided by client without valid cookie

 

What could be the reason for this issue?


Thanks

Chenyang Xiong

Search

Error after doing SSL and SSO configuration

August 6, 2015, 5:31 am
$
0
0

Hi All,

 

We have done the SSL and SSO configuration for our Sandbox system.

 

 

Everything works fine with internet explorer but when we try to open the link: https://<hostname URL>/irj/portal with Google Chrome and firefox we get error saying:

 

"The certificate chain for this website contains at least one certificate that was signed using a deprecated signature using SHA-1"

 

As per SAP Note: 2094598 mentioned in SAP Note: 2088755, we deployed patch 14 for the component SAP-JEECOR after which we were able to see the two new properties in visual admin:

SSL_VERSION_MIN TLS10

SSL_VERSION_MAX TLS11

 

But after doing these changes also we are getting the same error. Our portal system is on Netweaver 701 patch 15.


Can someone please let me know what changes needs to be made in order to resolve the issue which is occuring in Google Chrome and Firefox.


Regards,

Nitin

Successfactors SSO login without SAP portal

August 10, 2015, 6:18 am
$
0
0

Hello All,

 

Currently, we are using Success factor in our production environment and we are planning to perform SSO integration with our Active directory.

 

Kindly help me with pre requisite and procedure document to implement the same.

 

Regards,

Malar.

SSO for successfactors

August 4, 2015, 4:39 am
$
0
0

Dear All,

 

We have implemented SSO for enterprise portal with Windows Active directory in our landscape. The flow will be like, user will login to his laptop with Active directory user. With sharepoint concept, URL to access PI JAVA will be assigned to a link - when the user clicks the link, it will automatically login to PI system without prompting for any user name/password.

 

Wondering, if we could do the SSO configuration to access our Successfactors instance with windows active directory user. Kindly help me with the procedure and details.

 

Regards,

Malar.

SAP Single Sign-On 2.0 Kerberos SNC-Error: The verifikation of the Kerbeos ticket failed

June 18, 2014, 11:45 am
$
0
0

Hallo,

 

I have implemented an SNC Kerberos enviroment on an SAP NetWeaver 7.3 Solutionmanager Double-Stack System.

 

I have Implemented the Secure Login Library for Kerberos with the Imlementation Guide for SAP NWSSO 2.0

Link: Password Manager Implementation Guide

 

After The Installation of the Secure Login Client, the Unser Mapping in the SU01 and the Changes in the SAP Logon Pad, i always get the following error massage.

 

 

It would be nice if someone could help me?

 

Thanks and Greatings

disable SPNEGO for pure Java AS 7.4 SP8 with redwood CPS

July 30, 2015, 11:40 am
$
0
0

SSO experts,

 

We have SPNEGO setup for one of our AS JAVA 7.4 SP8 systems  (NOT a portal!).  SSO works great!

 

SSO works great for things like:

 

NWA

http://hostnameFQDN:port/nwa

 

UME

http://hostnameFQDN:port/useradmin

 

RedwoodCPS  (v8.33.112) --> we have ETPRJSCHEDULER deployed and we pay for the full version.

http://hostnameFQDN:port/scheduler

 

 

My issue is that SOME users don't want to use their AD userID to SSO to the redwood URL above.  They want to put in a different username and a password.  I thought to myself, OK, no big deal, just add the ?spnego=disabled at the end of the URL right?

 

Well, that doesn't work on the redwood CPS URL above.  it just gets ignored and goes right into SSO!

 

Now, for the NWA, the ?spnego=disabled DOES work like it is supposed to!  Forcing the username/pass login.

http://hostnameFQDN:port/nwa?spnego=disabled

 

For the UME, http://hostnameFQDN:port/useradmin?spnego=disabled doesn't work either but it can see the URL gets extended to /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/UmeAdminApp and if you stick ?spnego=disabled at the end of that, it will force username / password.

 

But at any rate, the point is I want RedwoodCPS to force a userID/pass screen using the http://hostnameFQDN:port/scheduler?spnego=disabled

but this does not work.

 

I also tried http://hostnameFQDN:port/scheduler/ui?spnego=disabled but still no good.

 

Any ideas?

 

thanks

NICK

Service Market Place Certificate alongwith SSO certificate

August 11, 2015, 6:30 am
$
0
0

Hello All,

 

I have two certificates in my Secure login client; one is for SAP Logon and the other one is for SAP Marketplace. If I remove SMP certificate, SAP certificate works properly. With this additional SMP certificate SAP logon is not working. The validity of SMP Certificate is okay.

 

This scenario was working earlier. I installed a new SMP certificate, since the old one was expired.

 

SPNego with X.509 Certificate

 

Untitled.png

 

The main points in the trace file:

 

ERROR(0xA2500208) in URL module. Function url_do_get_connected_socket failed: URL: Socket error

-Parameter 1: connect() failed

Connect failed with

 

Kind Regards

Manna Das

Using Kerberos and X.509 for SSO

August 13, 2015, 4:05 am
$
0
0

Hello,

 

I have set up our systems to use X.509 certificates for SSO. The certificates are issued by our enterprise PKI. There is no SLS installed. I came across the Kerberos authentication setup videos and tried that on one system and it worked.

 

If I create the SNC pse with the same name as the SPN, would I be able to logon via x.509 certificate and Kerberos at the same time, depending on the SNC Name in SU01? Or do I have to decide for one or the other authentication process?

 

Regarding Web Access: I would have to maintain SPNEGO for Kerberos authentification and EXTID_DN for certificate based logon. Am I right?

 

Regards

Andreas

Search

best way to configure SSO within SAP and third party portal

August 14, 2015, 4:47 am
$
0
0

Hi All,

 

We are using third party portal for invoicing which is linked with EP .could you please guide me the best way to configure SSO so that I can access third party portal from SAP system.

SSO Not working 4.1

July 29, 2015, 12:33 am
$
0
0

Hi,

I have spent quite a while now looking for a resolution so I decided to post finally.  I am trying SSO and am getting an error.  This is the error I am getting when going to BI Launchpad

 

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 18, KVNO 2, Principal "HTTP/biwebdev1.corp.domain.com@CORP.DOMAIN.COM" using key: Principal: [1] BOSSO/SVC_BOE_DEV.corp.domain.com@CORP.DOMAIN.COM TimeStamp: Wed Jul 29 02:16:16 CDT 2015 KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [4f 2 e1 98 79 dd 53 1 92 45 6e 61 29 eb a8 fb] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

 

This is the end of the stderr.log file

 

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: GSS: Acceptor supports: KRB5

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Ticket service name is: HTTP/biwebdev1.corp.Domain.com@CORP.DOMAIN.COM

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: GSS name is: BOSSO/SVC_BOE_DEV.corp.Domain.com@CORP.DOMAIN.COM

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Using keytab entry for: BOSSO/SVC_BOE_DEV.corp.Domain.com@CORP.DOMAIN.COM

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: ** decrypting ticket .. **

  with key

 

  Principal: BOSSO/SVC_BOE_DEV.corp.domain.com@CORP.DOMAIN.COM

  Type: 1

  TimeStamp: Wed Jul 29 02:16:16 CDT 2015

  KVNO: -1

  Key: [18,  75 67 53 b4 8 b0 df 1b 4d 2f a0 8a 13 bc aa f a e7 ff bd 47 f7 6c 3c 38 2d 9e 4a ca 43 b2 70 ]

 

 

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 2, Principal "HTTP/biwebdev1.corp.domain.com@CORP.DOMAIN.COM" using key:

Principal: [1] BOSSO/SVC_BOE_DEV.corp.domain.com@CORP.DOMAIN.COM

  TimeStamp: Wed Jul 29 02:16:16 CDT 2015

  KVNO: -1

  EncType: 18

  Key: 32 bytes, fingerprint = [4f 2 e1 98 79 dd 53 1 92 45 6e 61 29 eb a8 fb]

Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]

[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]

 

 

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Caused by: com.dstc.security.kerberos.CryptoException, Integrity check failure

 

This is my global.properties file

 

sso.enabled=true

siteminder.enabled=false

vintela.enabled=true

idm.realm=CORP.DOMAIN.COM

idm.princ=BOSSO/SVC_BOE_DEV.corp.domain.com

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=E:/WINNT/DEV-TESTSSO.KEYTAB

 

BILaunchpad.properties file

 

authentication.visible=true

authentication.default=secWinAD

cms.default=BIAPPDEV1:6400

 

 

 

These are my tomcat java options

 

-Djava.library.path=C:\Windows\SysWOW64\;E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\

-Dcatalina.base=E:\Program Files (x86)\SAP BusinessObjects\tomcat\

-Dcatalina.home=E:\Program Files (x86)\SAP BusinessObjects\tomcat\

-Djava.endorsed.dirs=E:\Program Files (x86)\SAP BusinessObjects\tomcat\common\endorsed\

-Dbobj.enterprise.home=E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\

-Xrs

-XX:MaxPermSize=384M

-Djava.awt.headless=true

-XX:+HeapDumpOnOutOfMemoryError

-Xloggc:E:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\tomcat.gc.log

-XX:+PrintGCDetails

-XX:+UseParallelOldGC

-Djava.security.auth.login.config=E:\WINNT\bscLogin.conf

-Djava.security.krb5.conf=E:\WINNT\krb5.ini

-Djcsi.kerberos.debug=true

 

AD manual login is working great.  Someone please help!

SNC SSO configuration in Linux

August 18, 2015, 3:00 am
$
0
0

Dear All,

 

We want to achieve SNC with SSO from SUSE Linux servers.

 

Our Environment:

DB : HANA DB in Suselinux

APP Server : NW 7.4 SP06 in SuseLinux

SAPGUI : 740 Version

AD Domain : Windows 2008/2012 Servers

 

I have searched and got below link where it is speaks about SNC without SSO.

http://scn.sap.com/docs/DOC-45138

 

We want to configure SNC with SSO. Please share document if anyone have.

 

Thanks,

Kanne

SSO for MS outlook, OWA and Sharepoint using SSO 2.0

April 9, 2014, 4:51 am
$
0
0

  Hi,

 

 

We have installed the secure login server 2.0. And configured SSO for SAP (ABAP, JAVA) systems using X.509 certificate. it is working fine.

 

We want to configure SSO for some non SAP applications like MS outlook, Outlook Web Access, Sharepoint.

 

I dont see any documentation in the implememntation guide of NW SSO 2.0 for how to configure these non sap applications to accept X.509 certificates.

 

Anyone please share the details of how to configure SSO for MS outlook, OWA and Sharepoint

 

Regards,

Yogesh Kumar D

Error after doing SSL and SSO configuration

August 6, 2015, 5:31 am
$
0
0

Hi All,

 

We have done the SSL and SSO configuration for our Sandbox system.

 

 

Everything works fine with internet explorer but when we try to open the link: https://<hostname URL>/irj/portal with Google Chrome and firefox we get error saying:

 

"The certificate chain for this website contains at least one certificate that was signed using a deprecated signature using SHA-1"

 

As per SAP Note: 2094598 mentioned in SAP Note: 2088755, we deployed patch 14 for the component SAP-JEECOR after which we were able to see the two new properties in visual admin:

SSL_VERSION_MIN TLS10

SSL_VERSION_MAX TLS11

 

But after doing these changes also we are getting the same error. Our portal system is on Netweaver 701 patch 15.


Can someone please let me know what changes needs to be made in order to resolve the issue which is occuring in Google Chrome and Firefox.


Regards,

Nitin

Viewing all 862 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>