SSO based on Kerberos Token
SSO for Personas embedded in Oracle WebCenter Portal
Hello All,
We have a requirement to implement SSO (single sign-on) for Personas 2 for NW 7.4 AS-ABAP ECC 6 EhP 7 (ABAP stack only).
The Personas will be embedded as a link in the Portal [Oracle WebCenter Portal].
The end user first logs in to the Oracle WebCenter Portal with user credentials which are maintained by Oracle IDAM (Oracle Identity and Access Manager), which provides user authentication. User IDs will be the same across Oracle Portal, Oracle IDAM, and SAP ECC ABAP.
I have gone through several threads in the SCN forums, but was not able to get a sense of the approach discussed anywhere.
Personas 2.0 by default tries to authenticate using X.509 certificates if present in the system.
Also we can set up web SSO using SAML.
What should be the ideal approach for my above problem statement? Please let me know.
Do we have any setup guide in SMP for this?
BR,
shyam
SSL enabling for Portal system.
Hi Gurus,
The SAP AS Java server has to be configured for SSL, so what steps do I need to execute?
The method I am using for configuration of SSL is "By using the SSL configuration tool in the SAP NetWeaver Administrator."
Using the above method, I am trying to configure the step "Adding New SSL Access Points".
The first step in adding the SSL Access Point is to select the instance in which we need SSL to be configured (i.e. the AS Java system in this case).
When I try to configure the SSL connection I get SSN errors; please find the attachment for the error screenshot.
Please help me out in solving the errors and configuring SSL for the Portal system.
SAP GUI to Authenticate with LDAP without SSO License?
Hi All,
I would like to ask whether there is an alternative way to configure SAP GUI to authenticate with our LDAP (MS AD) via SNC without an NW SSO license.
I have done some reading on notes 793191 and 603208, and it seems it is not possible.
Is there any free Kerberos SNC library for SAP systems on Windows, just to achieve SAP GUI SSO?
Thank you,
Regards,
Ura
Secure Login Client does not bring SL Server Certificate
Hello,
We want to implement NW Single Sign-On for our SAP systems. We have done the implementations as follows; (with the help of Implementation Guide and http://scn.sap.com/docs/DOC-40179 Implementing Single Sign-On with X.509 Certificates)
Secure Login Server
- We installed NW 7.4 and Secure Login Server 2.0 SP4
- Configured UME for MS AD
- Initialized the Secure Login Server
- Activated SSL
- Activated SPNEGO
- Configured Apache Reverse Proxy
Secure Login Client
- Imported Root CA to client
- Applied Policy Registry files (ProfileDownloadPolicy_xxx.reg)
- Installed SL Client
- Inserted “ShowUserPoliciesPage” with the value 1 in the registry path
System Info is as follows;
SL Server FQDN : mycmnwsso.mycmp.com.tr
SPNEGO User : SL-JAVA-SSO (SPNs: HTTP/mycmnwsso.mycmp.com.tr, HTTP/sso.mycmp.com)
SLA Console URL : https://sso.mycmp.com/slac
Enroll URL : https://sso.mycmp.com:443/SecureLoginServer/slc/getProfiles?grouppolicy...
I log in to one of the clients with a domain user. I do not see the SLServer Root Certificate on the SL Client. I opened the trace. There is a “[2014.12.03 17:08:50.754000][WARN ][sbus.exe ][LOADER ][ 6300] ERROR(0xA0800200) in sec_get_SEC_DLL: Failed to load library sbusslogin” error.
Why can I not get the SL Certificate on the SL Client?
Although I entered the ShowUserPoliciesPage registry entry, I cannot see the Profile tab page in the SL Client Tool.
Any recommendation about the issue?
Can you help, please?
Thanks and Regards,
Yuksel AKCINAR
Identity Provider could not process the authentication request received
Hello,
We are getting the following error when opening a weblink via SAP SSO.
I am not a SAML expert, hence I would appreciate your input in fixing this issue.
The following document was followed to set up SSO: Use SAML to enable SSO for your SAP HANA XS App
We are using a HANA XS system and JavaScript.
The 400 Bad Request error details are as below.
- Request URL:https://accounts400.sap.com/saml2/idp/sso/accounts.sap.com?SAMLRequest=MIICEzCCAXygAwIBAgIETOp//zANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJERTEPMA0GA1UEBxMGQmVybGluMQwwCgYDVQQKEwNTQVAxDjAMBgNVBAsTBVdlYkttMQ8wDQYDVQQDEwZDUFMgUUEwIBcNMTAxMTIyMTQzNjQ3WhgPMjExMDEwMjkxNDM2NDdaME0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQHEwZCZXJsaW4xDDAKBgNVBAoTA1NBUDEOMAwGA1UECxMFV2ViS20xDzANBgNVBAMTBkNQUyBRQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjGCTddfUltkmYCpiB37R5r5TL0wqdm/DsrXt8CAExtygVfoQQM8avG+duIWqWJHD8K5qpeYRI5GTSSqSMgZfdoqvbfH3EnUd2r2V3E4Eh26JTu0YXYG16xwN9NSXcKhfzCdYeQgsiYPA03sprnTEanQy8KF8B4eRihNK8RhYN4MCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAk7eIJdFxiYLTUk4c/pW63k1L6QOVKgimR9RXDSeZwbP4gMytw3Eb6apyzd+QUbp3UPD2MSLLKsLKO3VWEjAFbzJSRzSneilQDIMMyc8MT/PUdyXyoqGlmKFnH/mboaQiCd1oMlEy1MvnP6TWY5xh97Vsv3wmdLzV4W+nFgW0gTQ==&Signature=MsZ06a/kUn0J15easoR+WouHwAB8FP5kQ3yNLDKBWnlt/jANxSYMwsuI5/TixZWqwCQ4YpbYXNniMpZZp8SP0nwhBkn1rvnZf+K95r/DDp7tB3WRHhpleBntsSf00L4IF3lgs/11hmdEaplqlejSET5DfZCoxnST1bR9WHzq7Ck=
- Request Method: GET
- Status Code: 400 Bad Request
- Request Headers
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
- Query String Parameters
- Response Headers
Secure Login Client 2.0 SP04 Silent Installation
Hi Experts,
I would like to seek assistance with mass roll-out of the secure login client. Is it possible to perform silent installation of the secure login client?
Thank you.
Regards,
Tom
SSO via Apache Reverse Proxy
Hello,
We are trying to implement NW Single Sign-On for our SAP systems.
We are also using Apache Reverse Proxy for our systems.
Some info for implementation;
All Users' Domain : mycomp.com.tr
SL Server FQDN : nwsso.mycomp.com.tr
Apache Proxy DNS for SLServer : sso.mycomp.com
SPNEGO User : SL-JAVA-SSO (SPNs: HTTP/nwsso.mycomp.com.tr, HTTP/sso.mycomp.com)
SLA Console URL : https://sso.mycomp.com/slac
We are using the DNS names portal.mycomp.com, bo.mycomp.com and erp.mycomp.com to reach the SAP systems through Apache.
All systems are members of the "mycomp.com.tr" domain and all users are members of the same domain.
My question is:
Is it possible to implement SSO when we are using "*.mycomp.com" for URLs although our domain is "mycomp.com.tr"?
And if yes how?
Can you help, please?
Thanks and Regards,
Yuksel AKCINAR
Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0
We are trying to use SAP.NET NCo 3.0 to implement single sign on from .net application to SAP System. In the configuration set up method we are fetching user name and password along with other configuration information from configuration file. E.g. -
RfcConfigParameters rfcConfig = new RfcConfigParameters();
rfcConfig.Add(RfcConfigParameters.User, ConfigurationSettings.AppSettings["SAP_USRNAME"]);
rfcConfig.Add(RfcConfigParameters.Password, ConfigurationSettings.AppSettings["SAP_PWD"]);
rfcConfig.Add(RfcConfigParameters.Client, ConfigurationSettings.AppSettings["SAP_CLIENT"]);
......and so on for other parameters
We are looking for a way to implement SSO with Windows authentication where there will be NO need to pass user ID and password explicitly. We also have the SNC configuration and other required files available with us.
Any relevant code snippet or pointer addressing this will be of great help.
Thanks in advance
Secure Login Client - Kerberos Token disappeared
Dear Colleagues,
We are using Secure Login Kerberos Token for our SSO in the SAP GUI. SAP GUI Version is 7.30 Patch 5 and Secure Login is Version 2, Support Package 3, Patch level 2.
In rare cases end users are not able to log in via SSO. When we check the PC and open the SAP Secure Login Client, we find that there is no Kerberos Token to select. At the moment our solution is to reinstall the whole SAP Secure Login Client together with the SAP GUI for the user.
We are not sure why a Kerberos token would suddenly not be available in the SAP Secure Login Client. Any idea in which area to look?
Regards,
Alexander
Secure Login Server and SSL Certificates
Dear All,
I am trying to use an SSL certificate created in Secure Login Server (SSO 2.0) for an ABAP system.
I have exported the certificate as a PSE file and imported the certificate into the Server SSL node.
I noticed that the issuer will be removed as soon as I save the certificate into the SSL node.
I have done the same in an AS Java system and here all worked fine.
I know I need a third party PKI but can this not be achieved by the SSO 2.0 product?
Regards,
Ridouan
SAP SSO using Kerberos constrained delegation
We are getting SSO error Miscellaneous failure GSS-API(min) Kerbros SSPI not usable with this User-account Stop! initial call togs_indicate_mechs() failed Time.
We have mapped our SAP service user to the SPN, and when we select the option in AD to delegate authority to any application it works, but when we select delegation to a particular SPN it gives the above error.
Can anyone suggest?
(Kerberos Authentication) Windows AD IDs and SAP GUI IDs are different
Hi All,
We are planning to implement Kerberos authentication using our Windows AD. I have the below queries regarding the same.
1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31; will this support Kerberos authentication?
2. If it is supported: we have different user IDs in Windows AD and ECC for the same user. Will this be supported? (For example, in Windows AD we have SSOTEST, and the same user has TESTSSO in ERP.)
3. Does Kerberos authentication require a separate license?
If possible, please provide links for the same.
Regards,
Sree
SAP Netweaver SSO 2.0 - keytab lifetime
Hi,
just a short question.
Do we need to update the keytab file ( SAPSNCSKERB.pse ) with ( crontab )
../SLL/sapgenpse keytab -p SAPSNCSKERB.pse -a USER@DOMAIN.ORG -nopsegen -y " "
like we have to do it in the old SNC connection method ( kinit -k planned in the crontab ) ? or is it enough to build the pse one time.
Are there tickets that will expire ?
sapgenpse keytab -p SAPSNCSKERB.pse -nopsegen
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################
keytab: Found keyTab entries in PSE.
keytab: KeyTab content stored:
Version Time stamp KeyType Kerberos name
1 Fri Dec 12 09:43:16 2014 DES USER@DOMAIN.ORG
1 Fri Dec 12 09:43:16 2014 AES128 USER@DOMAIN.ORG
1 Fri Dec 12 09:43:16 2014 AES256 USER@DOMAIN.ORG
1 Fri Dec 12 09:43:16 2014 RC4 USER@DOMAIN.ORG
greetings
Oliver
SAP GUI authentication through MSAD (LDAP)
Hi,
How do I achieve user authentication in SAP GUI through MSAD (LDAP)? Please note, I do not want Single Sign-On (SSO). I want the following:
1. User logs in to the Windows 7/Mac desktop, authenticated with the Microsoft Active Directory account.
2. User opens the SAP GUI client and logs on to the ECC instance once again using the user/ID password of the corporate Active Directory.
I do not want SSO where the user clicks on the SAP GUI connection and it automatically connects to the instance without asking for user credentials.
Please let me know how I could achieve this.
Thanks
Vik
Getting error when connecting SAP from WCF service "Kerberos SSPI not usable with this User account"
Hi,
[This is in continuation to Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0]
After hosting WCF service on IIS and accessing from client, it is giving error "Kerberos SSPI not usable with this User account". This error puzzled us.
Any help or pointer will be highly appreciated.
Markus Tolksdorf and Tim Alsop, I need your expertise again on this.
Thanks in advance
Atul Sharma
PI Java only 7.4 SSO to Solman 7.1 for CTS browser
In PI 7.4 Java only - via ESR -> open CTS transport browser I receive the logon popup for our Solman system (for charm). I am trying to implement SSO.
I have exported the SAPLogonTicketKeypair-cert (from PI NWA Keystorage) and imported in Solman (7.1 SP11) client 000. I have exported the Solman x.509 crt and imported into PI Ticketkeystore.
I still get the popup to supply login details. My id exists in both systems.
Has anyone done this and can share details? Not sure what I missed. Thanks in advance.
Cross-domain authentication using SPNEGO
Hi Experts,
Consider this scenario.
Case 1:
There are 2 domains (forests), Domain A and Domain B.
SAP users are located in Domain A, while AS-JAVA server is located in Domain B.
There is a One Way Forest Trust (OWFT) between Domain A and Domain B, in which Domain A is the trusted domain, while Domain B is the trusting domain.
AS-JAVA is using Active Directory (Domain B) as the UME data source.
We run ‘setspn’ in Domain B for the AS-JAVA resource.
We create the Kerberos Realm in AS-JAVA for Domain B.
Would this SSO configuration work?
In this scenario, what would be the KPN (principal@REALM) of the user? Is it principal@DomainA or principal@DomainB?
Another side question I have:
when configuring SPNEGO authentication, is there a step where we need to connect from AS-JAVA to the LDAP (AD) server?
Can this connection be secured using LDAPS on port 636/tcp?
Thanks in advance.
Best Regards.
sso-saml logout issue
Hi Experts,
We have configured SSO-SAML between Oracle WebCenter Portal and SAP ABAP. The OWC portal (IdP) will initiate the SAML request to SAP (SP), and we used email ID as the identity federation.
Previously, when the OWC portal initiated the SAML request, we faced a relay state error while logging in to SAP. So in the Service Provider ACS we specified the webgui service as the default application path, and it started working; we are able to access the SAP system through SAP GUI for HTML (webgui) from OWC.
But when we log off from SAP, only SAP is logged off and the SAML session is not logged off. I mean the OWC portal is not logged off.
Please guide me on what we need to do in SLO to log off the entire SAML session. Is there any option to provide our own URL to redirect to a logout page, or what else do we need to do?
Thanks in Advance,
Regards,
Lakshmanan V