Channel: SCN : Unanswered Discussions - SAP Single Sign-On

NW SSO 2.0 With Kerberos-only authentication fails sporadically

Hi,

We have configured Kerberos-only authentication (NW SSO) for all our SAP systems. The single sign-on works perfectly fine. But in our production systems there are 9 app servers. We have activated SNC as per the procedure and we use logon groups for signing in to SAP. The SSO works fine, but sporadically it does not work and it prompts for user name and password in the login screen. We have tested SSO for each individual app server including the CI and it works fine. Even with logon groups it works fine most of the time, but at times it prompts for the login screen. We use Secure Login Client 2.0 SP3.

Thanks

Thilip Kumar


Setting up SSL on Web Application Server ABAP

Hello

We are in the middle of configuring SSL in SAP ECC 6.0.

I have a couple of questions about the Common Name (CN) that needs to be defined while creating the SSL server PSE.

  a. Should we use the server name, the SID name or * in the CN field? SAP does not support *, but some non-SAP sites suggest using *.

  b. In our environment, we have a CI and more than one dialog instance. If we need to define the server name in the CN field, do we need to create an SSL server PSE for the CI and the DIs separately (meaning multiple SSL for one SID)?

Or is there another option instead of using multiple SSL for one SID?

Please suggest.

Thanks

Amar

SSO Client: Profile selection dialog

Hi guys,

After installing the SSO client for the first time, we have intermittently noticed a profile selection dialog popping up when a user tries to connect to an SNC-enabled SAP system using SAP GUI. The dialog asks the user to select a profile (in our case we have two SLS profiles). The selection is then remembered from that point going forward, the same as if the user had made the selection in the client directly (via right-click).

The question is what exactly triggers that dialog, since we have not been able to reproduce it - even if no profile is selected as "use for secure login".

Is there a registry key maybe that we're missing? We played around with allowFavorite, but that didn't help.

Thanks

Michael

Generate SAML 2.0 response

Hi,

We are configuring SSO with an external service provider and plan to use SAML 2.0 for this purpose.

We installed IDMFEDERATION on a NW Java 7.4 machine and configured the IdP there. We installed the certificate from the service provider into the keystore, created the URL iView and maintained the parameters.

The service provider is requesting a SAML 2.0 sample response file to configure the extraction part at his end. How do I create a SAML sample response file? Please let me know.

Thanks!!

BR,

Sanjeev

SAP Password Manager with Internet Explorer 11

Hello,

We have a problem with the SAP Password Manager and Internet Explorer 11.

After the upgrade from IE9 to IE11 the add-on wouldn't start in IE11. I can see that the add-on is active, but there is no active toolbar, and the Password Manager is without any function.

Does anyone else have the same problem?

Thanks for your assistance.

Is it possible to log in to the Java instance without entering a password, using only my Windows workstation authorization?

Dear Sirs,

I am trying to set up authorization to my NW 7.3 Java instance through my Windows domain authorization.

I have done the following:

1) Created a connection to the LDAP server and tested it.

2) Added the Windows domain certificate to the Trusted CAs.

3) Configured SPNego.

Now I can log in to my NW 7.3 Java instance with my Windows password, but I still have to enter the password when I open the NW 7.3 Java homepage.

Is it possible to log in to the Java instance without entering a password, using my Windows workstation login/password?

What do I have to do for that?

I use Windows XP on my workstation and IE 8.0.6 & Chrome 38.0.2125.

Best regards,

Alexey Lugovskoy

SAML2.0 Message Based Authentication - AS ABAP

Hello All,

We have recently (successfully) configured SAML2.0 on AS ABAP (ERP 6.05/NW7.02) for authenticating Web Applications (Web Dynpros, Fiori Apps, etc.) via a Web Browser intermediary, using ADFS as the Identity Provider.

We would now like to extend this configuration for Message Based Authentication for Web Services being consumed by other (non-web browser) intermediaries (such as SharePoint, Project Server, Software AG (ESB), etc.).

The configuration completed so far is detailed as follows:

  • SAP SSL
    • SAP Crypto Library (Version 8.4.25, SSF 1.840.40)
    • SAP PSEs and Certificates (all certs are self-signed and not verified by a CA)
      • System PSE
      • SSL Server Standard
      • SSL Client Standard (SSL Root Certificate of ADFS)
      • SSF SAML2 Service Provider - Encryption
      • SSF SAML2 Service Provider - Signing (ADFS Signing Certificate)
      • WS Security
    • Session Security Activation (Client Activated)
  • SAP SAML2 Configuration
    • Local Provider
    • Local Provider Metadata exported and imported into ADFS
    • Trusted Provider (ADFS Metadata and Signing Cert imported into SAP)
    • Endpoints default = HTTP Post, Binding = HTTP Artefact, Supported Name Format = Unspecified/Logon ID
  • SAP SAML2 Message Based Authentication Configuration:
    • Secure Token Service (ADFS Metadata and Signing Cert imported into SAP, Supported Name Format = Unspecified/Logon ID (no user mappings maintained))
      • Web Service Policy - SAML 1.1 (Asymmetric consumer key, STS as attester. Authentication Contexts Alias = unspecified)
      • Web Service Policy - SAML 2.0 (Asymmetric consumer key, STS as attester. Authentication Contexts Alias = unspecified)
      • Service User DELAY_L_<SID> (WSS_SETUP), SAML 1.1 Trust
    • Web Service (SOA Manager) Configuration:
      • Transport Guarantee/Communication Security = SSL (though we have also tried No Authentication and both Symmetric/Asymmetric Message Signature/Encryption)
      • Authentication = SSO using SAML
      • Secure Token Service = Web Service Policy - SAML 1.1 (Asymmetric consumer key, STS as attester. Authentication Contexts Alias = unspecified)

Test Results/Errors:

We have used SOAP UI to make the web service calls in our tests, with the following results:

  • When using username/password authentication at the message level, the service call works
  • When sending a signed message with SAML authentication with sender-vouches subject confirmation, it fails:
    • If we use a certificate added to the truststore, we get an encryption-related error
    • If we use an arbitrary, non-trusted certificate, we get a different error saying that the signature is not recognized

Questions:

1. Is it mandatory to have the certificates in the SAP Trust Store (STRUST) signed by a verified Certificate Authority (CA)?

2. If so, which certificates need to be signed by the CA?

3. Referring to the configuration detailed above, is there any configuration or specific setting that has been missed?

4. For the Web Service (SOA Manager) config, what is the recommended Transport Guarantee/Communication Security method?

Your time and guidance on this discussion is greatly appreciated.

Thank you and regards,

James Curran

SAP Technical Consultant

Using Kerberos for SNC with Users in Different Domains

Dear All,

In chapter "4.7.3.1.6 Using Kerberos for SNC with Users in Different Domains" of the SAP SSO Implementation guide it is mentioned that it might also be possible to set up SNC for users in different domains without having a trust relationship between the different domains.

"Since it is not so easy to configure trust relationship for different domains, the Secure Login Library also supports another option."

1. Does the CommonCryptoLib really support SNC for different domains without a trust?
2. Where can I get further information about this option?

BASIC PARAMETERS:

CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40

SAP GUI 7.30 PL 10 used on a Windows 7 client for testing

We are currently getting errors when trying to use SNC in another domain which has no trust to the main domain. That's the reason for this post.

I have attached the trace file of the Secure Login Client.

Thanks & Best Regards

Matthias


Third-party application forcing Java stack to restart when logged in through SSO

Hi

We have the APW third-party application installed on Enterprise Portal 7.4.

When we try to log in to the APW portal through SSO, it forces the Java stack services to restart. If we use APW directly without SSO, it works fine.

Can you help me to resolve the issue?

SSO (MSAD PKI) X.509 certificate attributes for user mapping in Secure Login Client

Hello Experts,

I need some help on how to force SAP Secure Login Client to use the X.509 user certificate's 'Subject Alternative Name' attribute as the mapping field for SSO instead of using the 'Subject Name' field as it does out of the box.

Problem description:

We have configured an NW SSO 2.0 SP04 test solution on our ERP 6.04/NW7.01 ABAP system using SAP CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe. We are using X.509 user certificates generated by our own MSAD PKI.

Secure Login Client takes the certificate's 'Subject Name' attribute field as the user's mapping field for establishing trust and allowing the user to log on to the SAP system using SSO, but the problem is that our 'Subject Name' contains a Common Name attribute which is NON-unique and contains special characters.

Having that in mind, the SNC user mapping is hard to define and maintain.

Question: Is it possible to use the X.509 'Subject Alternative Name' attribute within the Secure Login Client application? That field is unique for each user.

Regards,

Stanislaw Przytulski

SAML 2.0 and AD Security Group Membership

In ADFS 2.0, as a part of the token, I can pass the AD security groups the user is in. Does SAP SSO have the ability to send and receive SAML 2.0 tokens with AD security group membership?

SSO Between HTTP and HTTPS Protocol?

Hi all,

We are calling a third-party Java application inside the SAP Portal using an iView. Both the Portal and the Java application are in the same domain, but we are using the HTTPS protocol for the SAP Portal and the HTTP protocol for the third-party Java application. Is SSO possible between these two protocols?

Regards.

Narendar

    "GSS-API(maj): No credential were supplied"

Hi all,

We are making a proof of concept on SSO on ABAP (SAP GUI + web) via SAP Secure Login Client and SPNEGO for ABAP.

All YouTube video configurations have been performed. You know: Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube (and so on).

When I try to log on via SAP GUI I get: "GSS-API(maj): No credential were supplied Unable to establish the security context target="p:CN=SL-service-user@xyz.com"

The SNCAX_TEST program works fine with the above service user (defined in SPNEGO).

The service user is defined in SAP GUI (SNC).

The end user in SU01 has been updated on SNC with the token name from the SAP Secure Login Client.

Method: SncPEstablishContext

System call gss_init_sec_context

I have looked into SAP notes (error codes etc.) + googled this and other communities without luck.

All your input/help is very welcome.

Thanks in advance

Peter

Using SAML in Portal to Authenticate with 3rd party website

Dear SAP Community,

We are running a website where users need to be authenticated from the Portal.

Scenario:

The user logs in to the SAP Portal via SAML authentication. This user can view a link in the Portal; he can click the link and will be transferred to a website on another domain. This domain will receive a "ticket" and the user will be able to log in.

Information from a friend:

If you have a setup that uses SAML, there are mechanisms to transfer that session between domains that basically rely on passing a ticket through the URL to the client from the authentication server, and that ticket is then passed to the site you want to authenticate against, which can use that to establish the identity of the user with the authentication server and establish the session.

Question:

Is this possible in SAP, and if so can anyone provide me some documentation for this?

Kind regards,
Vincent

SAP GUI SSO with MSADS

Hi,

We have ECC 6.0 on NW 7.31 on the Linux platform. End users use Windows 7 and SAP GUI to log in to ECC. At present users log in to their desktops and then log in again to SAP through the GUI using their respective passwords.

I am looking for a solution to configure SSO on SAP GUI with MSADS, so that once the user logs on to the desktop, he does not have to re-authenticate in SAP GUI to connect to ECC. I want a solution where we don't have to install any tool/library on the user desktop and there is a minimum footprint on user machines.

I heard that with NW 7.31 SP-15, SAP GUI can have SSO with MSADS using SPNEGO etc.

Please suggest a solution.

Thanks

Vik


JCo connector connection test is failing in all Portal systems

Hi,

We are getting an error in the JCo connector connection test. The first and second connection tests, i.e. the SAP Web AS connection and the ITS connection, are working fine, but the third connection test (connection test for connector) is failing in all the EP systems.

In the test result it shows: Connection failed. Make sure SSO is configured correctly.

We tried all the possible solutions: modifying object details, checking in the portal, re-configuring SSO, but nothing works.

We also tried checking the error in the DIAG tool as per the SAP Note, but the DIAG tool doesn't give any specific logs for this particular error.

The error that we get in dev_jrfc.trc when we do the connection test is:

Error> occured  >Fri Nov 21 20:17:31,982<    >RfcGetException rc (7) message: Name or password is incorrect (repeat logon)

<RfcGetException

Important point to note:

The logon method that we use in the object is "SAPLOGONTICKET". When we change this to "UIDPW" and maintain the user details in user administration for this connection, the connection test seems to work fine, but we cannot proceed with the UIDPW option.

Now the issue stands here: we cannot find out which user is maintained and where it is maintained when we use the logon method SAPLOGONTICKET in the object details.

Please advise and help us on this, as due to this our production EP migration is getting delayed; it is a big show stopper and the issue needs to be fixed immediately.

Thanks & Regards,

Rajdeep

SSO 2.0 SP04 Assistance

Dear Guru,

We have been trying to configure Secure Login Client (SSO 2.0 SP04).

Upon installation of the Secure Login Client, we were able to acquire Kerberos tokens, but none for SPNEGO (X.509 certificates). We have been getting errors like "Supplied credentials not accepted by server".

Installation Reference: scn.sap.com/docs/DOC-40179

The issue was encountered during phase 3 of the reference. We followed the instructions to a tee, and got lost due to some SP differences. We did, however, manage to extract the Root CA and Registry Entries.

Any thoughts or advice on where to check? Thank you.

Regards,

Tom

Unable to Start Up ABAP Instance due to snc/enable=1

Hi All,

I'm having an issue starting my ABAP instance due to my tryout of SSO.

The error is as follows:

ERROR SSO.JPG

How do I configure this credential SAPKerberosABC in my ABAP instance?

My environment is ECC6 EHP7; the steps that I have done are as follows:

1. Copied gx64krb5.dll to the system32 folder (note 353395)

2. Created a user name in my AD that accepts Kerberos, e.g. SAPKerberosABC

3. Set the profile:

snc/enable = 1

snc/gssapi_lib = c:\Windows\System32\gx64krb5.dll

Now I need to manually disable snc/enable in the work directory in order to start up the ABAP instance.

Any clue on how to configure SSO?

Thank you,

Regards,

Ura

SSO2.0 SP4 Kerberos token - different domain setup issue

Hello,

We are trying to set up SAPGUI SSO using SAP NetWeaver SSO2.0 SP4 based on Kerberos tokens. Our SAP system is hosted in a cloud and we have created a service user SL-ABAP-ED1 in the domain "abc.xyz.domainA.com". The SPN has also been registered and can be viewed as SAP/SL-ABAP-ED1. Our users are trying to log in to SAPGUI installed on a Win 2012R2 terminal server. We have installed Secure Login Client 2.0 SP4 on the terminal server. For the end user, we can see the Kerberos token in the Secure Login Client profiles as firstname.lastname@domainB.org. There is no domain trust between domain.com and domainB.org, as we have been told that when using SSO2, trust is not required between different domains.

On the server, the keytab has been created:

    Version  Time stamp                 KeyType   Kerberos name

          1  Wed Nov 26 17:14:47 2014   DES       SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES128    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES256    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   RC4       SL-ABAP-ED1@abc.xyz.domainA.com

T:\usr\sap\ED1\DVEBMGS00\SLL>sapgenpse seclogin -l -O domainA\SAPServiceED1
running seclogin with USER="ed1adm"
listing credentials for user "domain\SAPServiceED1" ...

0 (LPS:OFF):
         (LPS:OFF): T:\usr\sap\ED1\DVEBMGS00\Sec\SAPSNCSKERB.pse

1 readable SSO-Credentials available

In the profiles, we have the parameter snc/identity/as = p:CN=SL-ABAP-ED1

In SAPGUI, we have enabled the SNC option and the SNC name is p:CN=SL-ABAP-ED1@abc.xyz.domainA.com. Here, we have tried all different combinations - p:CN=SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1; p:CN=SAP/SL-ABAP-ED1@abc.xyz.domainA.com. None of them work.

Every time we get the same error message:

"GSS-API(mai): No credentials were supplied. Unable to establish the security context target= "p:CN=SL-ABAP-ED1" Error in SNC

In the Secure Login Client trace files, we see the following errors:

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error

[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)

[2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005

In another trace file, we have the following messages:

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0

[2014.11.26 20:16:07.379000][INFO ][saplogon.exe        ][GSS         ][  4164] Cli-40000000: No own key found

[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket

[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Cli-40000000: --> Msg ClientHello         create  failed : errval=70000, minor_status=0

Can someone provide any information as to what is missing?

Thanks & regards,

Sid
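The Secure Login Client trace quoted in the post above has a regular bracketed-field layout that can be parsed to triage the failure without reading every line. As an added example (not the poster's material and not SAP tooling), the following Python parser extracts the service principal, the encryption types tried, the NTSTATUS code and the client user from a constructed copy of those lines and flags that the user and the service principal sit in different realms; the symbolic NTSTATUS name is taken from the public Windows reference.

```python
import re

# Constructed sample: a shortened re-typing of the Secure Login Client trace
# lines quoted in the post above, embedded so the parser runs offline.
SAMPLE_TRACE = """\
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket
"""

# One trace line: [timestamp][level][process][component][thread id] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<proc>[^\]]+)\]"
    r"\[(?P<comp>[^\]]+)\]\[\s*(?P<tid>\d+)\]\s*(?P<msg>.*)$")
TICKET_RE = re.compile(r"Getting kerberos ticket for '(?P<spn>[^']+)' "
                       r"with algorithm\s+(?P<enctype>\d+) returned error")
STATUS_RE = re.compile(r"^\d+/(?P<code>[0-9A-Fa-f]{8})\s+(?P<text>.+)$")
FAILED_RE = re.compile(r"Getting kerberos ticket for '(?P<spn>[^']+)' failed "
                       r"\(user name is (?P<user>[^)]+)\)")
# Symbolic name of the NTSTATUS value seen in the post (public NTSTATUS reference).
NTSTATUS_NAMES = {"C000018B": "STATUS_NO_TRUST_SAM_ACCOUNT"}

def parse_trace_line(line):
    """Split one SLC trace line into its fields; None if the line is not a trace line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    rec["tid"] = int(rec["tid"])
    return rec

def summarize_kerberos_failures(text):
    """Collect SPN, encryption types tried, NTSTATUS codes and the client user
    from the Kerberos/GSS lines of a trace; other components are ignored."""
    summary = {"spn": None, "algorithms": [], "status_codes": {},
               "user": None, "no_ticket": False}
    for line in text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["comp"] == "Kerberos":
            if m := TICKET_RE.search(msg):
                summary["spn"] = m["spn"]
                summary["algorithms"].append(int(m["enctype"]))
            elif m := STATUS_RE.match(msg):
                code = m["code"].upper()
                summary["status_codes"][code] = summary["status_codes"].get(code, 0) + 1
            elif m := FAILED_RE.search(msg):
                summary["spn"], summary["user"] = m["spn"], m["user"]
        elif rec["comp"] == "GSS" and "got no kerberos ticket" in msg:
            summary["no_ticket"] = True
    return summary

def realm_mismatch(summary):
    """True when the client user and the service principal are in different realms."""
    realms = [p.rsplit("@", 1)[-1].lower()
              for p in (summary["user"], summary["spn"]) if p and "@" in p]
    return len(realms) == 2 and realms[0] != realms[1]

def triage(summary):
    """Short findings a defender would check first, derived only from the trace."""
    findings = [f"status {c} ({NTSTATUS_NAMES.get(c, 'unknown')}) seen {n}x"
                for c, n in summary["status_codes"].items()]
    if realm_mismatch(summary):
        findings.append("client and service principals are in different realms")
    if summary["no_ticket"]:
        findings.append("GSS had neither a certificate nor a ticket, so ClientHello failed")
    return findings
```

Run `triage(summarize_kerberos_failures(open("trace.log").read()))` against a real trace file to get the same findings for your own case.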

Is it possible to use SSO between web browser and ABAP without SSO 1 and SSO 2 installed

Hello, is it possible to use any of the SSO methods between a web browser on a desktop or Android mobile device and ABAP without the products SSO 1 and SSO 2 installed?
