Introduction
To understand our requirements for user authentication, you have to understand where we were coming from. Before we began development on the WebAS, all of our applications were written for and ran on Microsoft IIS. Because of this we always used Integrated Windows Authentication. For anyone not familiar with this, it is a function of the combination of Microsoft IE and IIS. It allows you to reuse a Windows Domain authentication for your web based authentication. To the user everything is transparent. They never have to log in to a web page. It is just as if the website already knows who they are. In reality the browser is passing authentication information to the web server. The web server then verifies this information with the Windows domain.

This is a nice solution for intranet development when everything runs on the Microsoft platform. Naturally our users expected the same transparent type of authentication. To them, even having to log on to a web application once was unheard of. So to start off we knew that we wanted to use some form of Single Sign On. However the SAP Enterprise Portal was out of scope at the time. Even to this day (2 years later) we have yet to implement EP. It is still an ongoing project. Our goal was clear: find some way to provide seamless SSO without user interaction, which works with SAP WebAS BSP and preferably takes advantage of our Windows security environment. Oh, and we couldn’t spend any money either.

The ITS
These requirements led us to what is probably a fairly unusual solution. We started looking at the ITS. As a leftover from the old Workplace 2.11 days, ITS has some functionality called PAS (Pluggable Authentication Service). The install package, NTAUTH.SAR, can still be found in the Service Marketplace under the Patches Area->SAP NetWeaver->SAP NetWeaver components ( < SAP NW 04) -> SAP Workplace ->SAP Workplace 2.11 -> Workplace 2.11 ITS Package. Details about this solution can also be read in OSS notes 361064 and 493107.

The PAS module allowed us to set up the ITS to do authentication based upon NTLM (Windows integrated authentication). The package contains a simple service file called sapntauth that you can copy and adapt to set up a service for each of your BSP applications. In this service you set up which URL you want to redirect to after the ITS has generated your SAP SSO2 ticket.

This means users actually launch an ITS web page first. This is the ITS that is set up for our standalone WebAS. The ITS first uses the PAS to talk to the underlying IIS server and get the user’s Windows authentication. The ITS then connects to the WebAS via SNC (Secure Network Communications). The WebAS first verifies that it trusts the ITS that is calling it. It then uses a cross reference table to verify the user’s Windows authentication and to look up their corresponding SAP User ID (which doesn’t necessarily have to be the same). If everything checks out, the WebAS generates an SSO2 ticket and passes it back to the ITS. The ITS then sends this ticket back to the user’s browser along with a redirect to the BSP page that you actually want to load. To the end user, this process is all transparent and nearly instantaneous. All they see is that they are logged into a BSP page without any request for user name or password.

More Detail
Now there are several things that need to be set up for this to work. Naturally you have to have an ITS and you have to connect using SNC between the AGate and the backend WebAS. Of course if you want Windows Integrated Authentication your ITS has to run on top of IIS. In our system we actually run the ITS on the same physical server that our WebAS is running on. Just make sure that you use different HTTP ports for your WebAS and for your ITS virtual web server. There are several nice documents already available on the Service Marketplace that talk about setting up the ITS with a secure connection to the backend SAP system. In particular have a look at the marketplace alias SECURITY.

The next step is to set up your WebAS for SSO. You can also find some excellent documentation in the SECURITY alias as well as several articles within SDN. Even with all the good documentation that is out there, this is still a rather complicated process. I can offer you the following: these are all the profile parameters from our instance profile that we set to turn on SNC with the ITS and SSO2.

sec/libsapsecu f:\usr\sap\D15\sys\exe\run\sapcrypto.dll
ssf/name SAPSECULIB
ssf/ssfapi_lib f:\usr\sap\D15\sys\exe\run\sapcrypto.dll
snc/enable 1
snc/gssapi_lib c:\winnt\system32\gsskrb5.dll
snc/identity/as p:SAPServiceD15@kii.kimball.com
ssl/ssl_lib f:\usr\sap\D15\sys\exe\run\sapcrypto.dll
snc/accept_insecure_cpic 1
snc/accept_insecure_gui 1
snc/accept_insecure_rfc 1
snc/permit_insecure_start 1
snc/extid_login_rfc 1
snc/extid_login_diag 1
snc/accept_insecure_r3int_rfc 1
snc/data_protection/max 1
snc/data_protection/min 1
snc/data_protection/use 1
login/accept_sso2_ticket 1
login/create_sso2_ticket 2
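Several of the parameters above deliberately keep the system open while the ITS connection is being brought up (the snc/accept_insecure_* switches still accept connections without SNC, and a data protection level of 1 means SNC only authenticates the partner, without integrity or privacy protection). As an added example, not part of the original weblog and not an SAP tool, here is a small Python check that parses a profile parameter list in this form and reports those settings. The sample profile is a constructed copy of the list above; the meaning of the snc/data_protection levels (1 = authentication only, 2 = integrity, 3 = privacy) follows SAP's SNC documentation.

```python
"""Lint the SNC and SSO2 profile parameters of an SAP instance profile.

Added example, not SAP's code. It parses "name value" (or "name = value")
lines and reports settings that still allow unprotected connections.
"""
import re

# Constructed sample: the parameter list from the weblog, one per line.
SAMPLE_PROFILE = r"""
sec/libsapsecu f:\usr\sap\D15\sys\exe\run\sapcrypto.dll
ssf/name SAPSECULIB
ssf/ssfapi_lib f:\usr\sap\D15\sys\exe\run\sapcrypto.dll
snc/enable 1
snc/gssapi_lib c:\winnt\system32\gsskrb5.dll
snc/identity/as p:SAPServiceD15@kii.kimball.com
ssl/ssl_lib f:\usr\sap\D15\sys\exe\run\sapcrypto.dll
snc/accept_insecure_cpic 1
snc/accept_insecure_gui 1
snc/accept_insecure_rfc 1
snc/permit_insecure_start 1
snc/extid_login_rfc 1
snc/extid_login_diag 1
snc/accept_insecure_r3int_rfc 1
snc/data_protection/max 1
snc/data_protection/min 1
snc/data_protection/use 1
login/accept_sso2_ticket 1
login/create_sso2_ticket 2
"""

# SNC quality-of-protection levels as documented by SAP.
PROTECTION_LEVELS = {"1": "authentication only", "2": "integrity", "3": "privacy"}

# Switches that, at 1, let partners connect without SNC even though SNC is enabled.
INSECURE_SWITCHES = (
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_r3int_rfc",
    "snc/permit_insecure_start",
)

# "name value" or "name = value"; the name never contains whitespace or '='.
_PARAM_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_profile(text):
    """Return {parameter: value} for every non-comment line of a profile."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def check_snc(params):
    """Return a list of (parameter, finding) pairs for the SNC/SSO2 settings."""
    findings = []
    if params.get("snc/enable") != "1":
        return [("snc/enable", "SNC is not enabled; nothing else to check")]
    for name in INSECURE_SWITCHES:
        if params.get(name) == "1":
            findings.append((name, "set to 1: connections without SNC are still accepted"))
    levels = {}
    for bound in ("min", "use", "max"):
        name = f"snc/data_protection/{bound}"
        levels[bound] = params.get(name)
        if levels[bound] == "1":
            findings.append((name, f"level 1 ({PROTECTION_LEVELS['1']}): "
                                   "no integrity or privacy protection"))
    # The negotiated level must lie between the configured bounds.
    if all(levels.values()) and not (levels["min"] <= levels["use"] <= levels["max"]):
        findings.append(("snc/data_protection/use",
                         "must lie between snc/data_protection/min and /max"))
    if params.get("login/accept_sso2_ticket") != "1":
        findings.append(("login/accept_sso2_ticket",
                         "not 1: SSO2 tickets issued via the ITS will be rejected"))
    return findings


if __name__ == "__main__":
    for parameter, finding in check_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{parameter}: {finding}")
```

Run against the sample it reports eight findings: the five accept/permit switches and the three data protection levels. Once the ITS and all SAPGUI/RFC partners talk SNC, the switches can go to 0 and the protection levels up, and the same check then returns an empty list.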

Next it helps to know where to do the External Identification Mapping. This is where you can setup the trust relationship for SNC with the ITS and where you setup the user Mapping for authentication. This is a screen shot of the IMG path in our WebAS (I had to reduce it quite a bit to meet SDN file size limits. Hopefully it will still help you find your way):
[Screenshot: IMG path to External Identification Mapping in our WebAS]

Finally I thought I might include a look at what one of our ITS redirect service files looks like:

###############################################################################
# @Copyright SAP AG 2002
# Example Service File for the Pluggable Authentication Service (PAS)
#
# Remark:The PAS Modul sapextauth must be included in ~xgateways in global.srvc
# There are following types for PAS on ITS:
#
# X509       --> ITS 4.6D
# NTLM       --> ITS 4.6D
# NTPassword --> ITS 4.6D
# LDAP       --> ITS 6.10 (remark also note: 509237)
# HTTP       --> ITS 4.6D (see note: 493107 and 494984)
#
# The following settings are an example for NTLM :
# For detailed information see documentation (http://service.sap.com/security)
###############################################################################
~theme 99
###############################################################################
# Module
~xgateway sapextauth
# possible settings -> X509 , NTLM , NTPassword , LDAP , HTTP
~extauthtype NTLM
# For NTLM and NTPassword: NT , for LDAP: LD , for HTTP: define your
# own mapping in USREXTID
# Remark: extid_type UN (user name) can also be set. Then you dont have to
# map in USREXTID, but the authentication mechanism must provide the unique
# SAP System user ID. This might be useful for LDAP and/or HTTP mechanism.
~extid_type NT
#
###############################################################################
# predefine Domainname - only for type NTPassword
~ntdomain
#
###############################################################################
# for LDAP connect - only for type LDAP
#~ldaphost ldap.sap.com
~ldaphost
#~ldapport 389
~ldapport
#~ldapbasedn //Base DN
~ldapbasedn
#~ldapuid //User Attribute Name e.g. cn
~ldapuid
#~ldapsapuid //SAP User Attribute Name e.g. sapuid
~ldapsapuid
# Remark: ~ldapsapuid should be only set in combination with ~extid_type UN
#~maxtrials 3 //limits the ldap logon trails
~maxtrials
#
###############################################################################
# define which HTTP Header Variable contain the User - only for type HTTP
#~remote_user_alias - the most common and useful value is REMOTE_USER
# which will be set by webservers for authenticated users
# please remark here note 494984 for the WGate settings
~remote_user_alias
#
###############################################################################
# settings for PAS service self
~client 088
~language en
#get a SSO2 Ticket
~mysapcomgetsso2cookie 1
~timeout 10
#converts the login input to upper case. Might useful for LDAP and NTPassword
#if in doubt, set to 1 and maintain USREXTID mapping in caps.
~login_to_upcase 1
#
###############################################################################
# after external authentication
# Hostname which should redirected
~redirectHost kww-d15s.kimball.com
# path to another service
~redirectPath /sap/bc/bsp/sap/zeq_eqi_2003/default.htm
#~redirectQS (Query String): ITS specific service parameters can be set there
~redirectQS
~redirectHttps 0
~login_template login
# if 1, user get only a ticket, if there is no
~dont_recreate_ticket 1
#
###############################################################################
~sncNameR3 p:SAPServiceD15@kii.kimball.com
#~sncQoPR3 9
~mysapcomusesso2cookie 1
~mysapcomnosso1cookie 0
~mysapcomssonoits 1
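The comments in that template spell out a handful of rules (the ~extid_type that goes with each ~extauthtype, the parameters each type needs, ~login_to_upcase versus case-sensitive USREXTID entries) that are easy to get wrong when copying the file for each BSP application. As an added example, not part of the original weblog and not an SAP tool, the following Python parses the ITS service file format (~name value, with # comments) and checks a PAS redirect service against those rules; it also flags ~redirectHttps 0, since the SSO2 cookie then goes back to the browser over plain HTTP. The sample service is a constructed copy of the parameter lines above with the comments dropped.

```python
"""Parse an ITS service file and sanity-check a PAS redirect service.

Added example, not SAP's code. ITS service files are line oriented: '#'
starts a comment and '~name value' sets a parameter (a bare '~name' leaves
it empty, as the sapntauth template does for the unused LDAP settings).
"""

# Constructed sample modelled on the sapntauth-based service file above.
SAMPLE_SERVICE = """
~theme 99
~xgateway sapextauth
~extauthtype NTLM
~extid_type NT
~ntdomain
~client 088
~language en
~mysapcomgetsso2cookie 1
~timeout 10
~login_to_upcase 1
~redirectHost kww-d15s.kimball.com
~redirectPath /sap/bc/bsp/sap/zeq_eqi_2003/default.htm
~redirectQS
~redirectHttps 0
~login_template login
~dont_recreate_ticket 1
~sncNameR3 p:SAPServiceD15@kii.kimball.com
#~sncQoPR3 9
~mysapcomusesso2cookie 1
~mysapcomnosso1cookie 0
~mysapcomssonoits 1
"""

# ~extid_type that belongs to each ~extauthtype, per the template's comments.
# HTTP (and X509) leave the USREXTID mapping to the administrator.
EXPECTED_EXTID_TYPE = {"NTLM": "NT", "NTPassword": "NT", "LDAP": "LD"}
VALID_AUTH_TYPES = ("X509", "NTLM", "NTPassword", "LDAP", "HTTP")


def parse_service_file(text):
    """Return {name: value} for every '~name value' line; comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("~"):
            continue  # blank line, '#' comment, or anything else
        parts = line[1:].split(None, 1)
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def check_pas_service(params):
    """Return (problems, warnings): problems break the logon, warnings weaken it."""
    problems, warnings = [], []
    if params.get("xgateway") != "sapextauth":
        problems.append("~xgateway must be sapextauth to load the PAS module")
    auth = params.get("extauthtype", "")
    if auth not in VALID_AUTH_TYPES:
        problems.append(f"~extauthtype {auth!r} is not one of {', '.join(VALID_AUTH_TYPES)}")
    expected = EXPECTED_EXTID_TYPE.get(auth)
    extid_type = params.get("extid_type", "")
    if expected and extid_type not in (expected, "UN"):
        problems.append(f"~extid_type {extid_type!r} does not fit ~extauthtype {auth} "
                        f"(expected {expected} or UN)")
    if auth == "NTPassword" and not params.get("ntdomain"):
        problems.append("~ntdomain must be set for NTPassword")
    if auth == "LDAP":
        for name in ("ldaphost", "ldapport", "ldapbasedn", "ldapuid"):
            if not params.get(name):
                problems.append(f"~{name} must be set for LDAP")
    if auth == "HTTP" and not params.get("remote_user_alias"):
        problems.append("~remote_user_alias must name the header that carries the user for HTTP")
    if params.get("mysapcomgetsso2cookie") != "1":
        problems.append("~mysapcomgetsso2cookie must be 1 or no SSO2 ticket is requested")
    for name in ("client", "redirectHost", "redirectPath", "sncNameR3"):
        if not params.get(name):
            problems.append(f"~{name} is empty")
    if params.get("redirectHttps") != "1":
        warnings.append("~redirectHttps is not 1: the SSO2 cookie and redirect travel over plain HTTP")
    if not params.get("sncQoPR3"):
        warnings.append("~sncQoPR3 is not set: SNC quality of protection towards the WebAS is left at its default")
    if params.get("login_to_upcase") != "1":
        warnings.append("~login_to_upcase is not 1: USREXTID entries must match the login's case exactly")
    return problems, warnings


if __name__ == "__main__":
    found_problems, found_warnings = check_pas_service(parse_service_file(SAMPLE_SERVICE))
    for line in found_problems:
        print("PROBLEM:", line)
    for line in found_warnings:
        print("WARNING:", line)
```

For the sample above the checker finds no problems but two warnings (~redirectHttps 0 and the commented-out ~sncQoPR3). Switching the sample to ~extauthtype LDAP without touching ~extid_type or the ~ldap* lines turns those into problems, which is the kind of copy-and-edit mistake the rules in the template's comments are there to prevent.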

Closing
I realize that this weblog was a little different from my past ones. There wasn’t even a single line of ABAP code in it! It also was a little heavy on the system setup side. I hope that I haven’t scared anyone off. Next time we will step back into the ABAP world a little more as we talk about Trusted RFC. I will warn you though that this one is still heavy in system setup as well. If that isn’t your particular interest, then I promise I will get back to development with Part 10 – IGS Charting.

36 Comments

    1. Thomas Jung
      I swear that the image was there yesterday.  In fact it is missing from my Weblog Upload Image area as well.  It looks like this might be a problem with SND itself.  Thanks for the heads-up.
      (0) 
  1. Ed Delva
    We currently have a need for similar functionality in our environment.  Unfortunately, we’re not overly excited about ITS or PAS.  Although, it is still a viable option. 

    Our thought is to use WebAS Java’s UME to issue MYSAPSSO2 tickets.  Has anyone done this?

    Ed

    (0) 
      1. Gregor Wolf
        Hi Thomas,

        thanks for your answer. You are quicker than OSS. I will try tomorrow to get it running. I see that you are using the gsskrb5.dll. Have you tried also the GSSNTLM.DLL?

        Regards
        Gregor

        (0) 
        1. Thomas Jung
          GSSNTLM.dll is of course NTLM based authentication.  The GSSKRB5.dll is Kerberos based and compatible with other 3rd party Kerberos implementations.  We have tested the solution with HP’s Kerberos implementation for HP-UX 11 and have successfully been able to bridge the GSSKRB5.dll on the ITS in Windows to our R/3 system running on Unix.  That is our main reason for using the GSSKRB5.dll instead of GSSNTLM.dll.  Have a look at OSS Note 352295 for all the latest information on these two libraries.  This note is updated regularly. 
          (0) 
  4. John Ratliff
    Hello Thomas,

    Thank you for the great post.  It has helped me a lot.  I have setup our systems the same way your example shows.  Kerberos authentication works if I connect via a SAP GUI, but if I try and connect via ITS Web GUI the trace says it is trying to match my domain id (DOMAIN\USERID) and not the UPN/Kerberos ID (USERID@DOMAIN).  My question is which format do you have SNC set for each user in SU01?

    Thank you for your time.

    John Ratliff

    (0) 
    1. Thomas Jung
      The format for SNC in SU01 is correct.  This field is only used for SSO from the SAPGui.  For SSO from ITS we have to do the setup elsewhere.  That setup is done from the IMG and does need DOMAIN\USERID.  In my system I found it in the IMG at the following:
      SAP Web Application Server->System Administration->Management of External Security Systems->Maintain external identifications for users->External Identification for users (all types).

      The data is stored in table USREXTID.  I ended up writing my own program to populate IDs into this table rather than set everyone up manually.  

      (0) 
      1. John Ratliff
        Thomas,

        Thank you for the quick response.  This suggestion was the help I needed.  We now have this up and running.  We did find a program that was already in our system to generate the user ID’s in the USREXTID table.  The program is RSUSREXT.

        Again, thank you for your help.

        Sincerely
        John Ratliff
        The Schwan Food Company
        john.ratliff@schwans.com

        (0) 
  7. Anonymous
    Hi Thomas,

    Thank you for a great post. You’ve given me hope that what I’m trying to do will actually work!

    As per John Ratliff’s post, I am attempting to configure kerberos authentication between my SAP systems…  I have successfully configured kerberos from the SAPGUI, but I’m failing to successfully configure kerberos from the ITS.

    Looking at the log files it appears that the user is successfully authenticated and mapped to an SAP user, but the ITS server is being rejected.  The error in the dev_rfc.trc file is: “SNC name of the partner system not in ACL system”.

    I’ve added an entry in the SNCSYSACL table (using VSNCSYSACL -> E) for the kerberos identity used by the SAP ITS service (the value specified in the “SncNameAGate” parameter), but there seems to be more required as I still get the same error…

    Do you have any idea what I’m missing…?

    Thank you for your time.

    PT.

    (0) 
    1. Anonymous
      I’ve sorted the issue… I knew the SNC parameters were case sensitive but it appears I still got it wrong – the domain part of the SNC names is required to be in uppercase even though it is lowercase in Users and Computers.

      All appears to now be working.  Thanks mate.

      (0) 