Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets
Interoperability of Web services is key for the integration of 3rd-party software products with SAP NetWeaver. Products that are based on Microsoft technology are widely used, and therefore their integration is of great interest.
One special topic is Single Sign-On. Though SAP and Microsoft are working on support for advanced Web services standards such as SAML in the next major releases, Single Sign-On is also an issue for the technology platforms that currently exist and are in use.
Because of this we provide a series of whitepapers that outlines the basic concept of how Single Sign-On can be achieved using existing technologies and describes sample applications based on .NET, Win32 and Java that consume SAP Web services based either on the SAP NetWeaver Application Server or on the SAP Exchange Infrastructure.
The basic concept is that Single Sign-On of Windows-based Web service clients to SAP NetWeaver Web services can be achieved using Windows Integrated Authentication and SAP Logon Tickets. Windows-based Web service clients can acquire an SAP Logon Ticket from an SAP NetWeaver Portal that supports Windows Integrated Authentication using SAP's SPNego Login Module. The SAP Logon Ticket can then be used by the Web service client for SSO to SAP NetWeaver-based Web services. This concept is outlined in detail in the following whitepaper:
Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets
Developers of 3rd-party applications can benefit from sample applications based on
.NET: Sample Application: SSO with a .NET-based Web Service Client using SAP Logon Tickets
Java (in preparation)
We run the following code:
Imports System
Imports System.Net

Module SapLogonTicketClient
    Sub Main()
        ' Portal URL; the portal must have Windows Integrated Authentication (SPNego) enabled.
        Dim url As String = "http://hkbw3.pidpant.local:56100/irj/portal"

        ' Create a 'HttpWebRequest' object with the specified url.
        Dim myHttpWebRequest As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
        ' Answer a Negotiate/NTLM challenge with the credentials of the current Windows logon.
        myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials
        ' Without a CookieContainer the Set-Cookie headers (including the SAP logon ticket) are discarded.
        myHttpWebRequest.CookieContainer = New CookieContainer()

        Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)
        response.Cookies = myHttpWebRequest.CookieContainer.GetCookies(myHttpWebRequest.RequestUri)

        ' Print the properties of each cookie.
        For Each cook As Cookie In response.Cookies
            Console.WriteLine("Cookie:")
            Console.WriteLine("{0} = {1}", cook.Name, cook.Value)
            Console.WriteLine("Domain: {0}", cook.Domain)
            Console.WriteLine("Path: {0}", cook.Path)
            Console.WriteLine("Port: {0}", cook.Port)
            Console.WriteLine("Secure: {0}", cook.Secure)
            Console.WriteLine("When issued: {0}", cook.TimeStamp)
            Console.WriteLine("Expires: {0} (expired? {1})", cook.Expires, cook.Expired)
            Console.WriteLine("Don't save: {0}", cook.Discard)
            Console.WriteLine("Comment: {0}", cook.Comment)
            Console.WriteLine("Uri for comments: {0}", cook.CommentUri)
            Console.WriteLine("Version: RFC {0}", IIf(cook.Version = 1, "2109", "2965"))
            ' Show the string representation of the cookie.
            Console.WriteLine("String: {0}", cook.ToString())
        Next cook
        response.Close()
    End Sub
End Module
At the line "Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)" the code fails with an error '400'.
Browsing to the portal, however, works fine; SSO works well, and the user is logged on with Kerberos authentication.
Looking into the log viewer, however, we see 2 entries.
The second is successful; the first fails.
Second entry >
Date : 06/22/2009
Time : 15:24:05:874
Message : LOGIN.OK
User: ldebock
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok true true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false
Central Checks true
Severity : Info
Category : /System/Security/Authentication
Location : com.sap.engine.services.security.authentication.logincontext
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_23
Datasource : 1245658549199:E:\usr\sap\DP1\JC52\j2ee\cluster\server0\log\system\security.log
Message ID : 00505689433600780000001E00000FA400046CEFC9D2828D
Source Name : /System/Security/Authentication
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : f5bf25205f2f11deb9ef005056894336
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.engine.services.security.authentication.logincontext
Resource Bundlename :
Session : 589
Source : /System/Security/Authentication
ThreadObject : SAPEngine_Application_Thread[impl:3]_23
Transaction :
User : ldebock
First entry >
Date : 06/22/2009
Time : 15:24:05:327
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
Severity : Info
Category : /System/Security/Authentication
Location : com.sap.engine.services.security.authentication.logincontext
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_27
Datasource : 1245658549199:E:\usr\sap\DP1\JC52\j2ee\cluster\server0\log\system\security.log
Message ID : 00505689433600620000002A00000FA400046CEFC9CA4715
Source Name : /System/Security/Authentication
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : f56badf05f2f11de9745005056894336
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.engine.services.security.authentication.logincontext
Resource Bundlename :
Session : 0
Source : /System/Security/Authentication
ThreadObject : SAPEngine_Application_Thread[impl:3]_27
Transaction :
User : Guest
When trying to acquire a ticket through the VB code, only one entry appears: the faulty one.
What needs to be done in the coding?
Any advice?
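The two security.log entries quoted in the post can be triaged mechanically. The following Python script is an added example, not code from the post, from the whitepaper, or from SAP: it parses the login-module rows of each LOGIN.OK / LOGIN.FAILED entry (the two entries from the post are embedded as a constructed sample), reports which module actually authenticated the user, and explains every module that raised, using only what its Details column says. It assumes one thing the log does not state explicitly: because blank columns are not printed, only the first two result tokens of a row (Initialize, Login) can be mapped to fixed columns, so the script reads the Login result from the second token and treats the rest as positional.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two security.log entries quoted in the post, reduced to the lines this parser reads.
SAMPLE_LOG = """\
Date : 06/22/2009
Time : 15:24:05:327
Message : LOGIN.FAILED
User: N/A
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception true java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok exception true Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok false true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false true
Date : 06/22/2009
Time : 15:24:05:874
Message : LOGIN.OK
User: ldebock
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok exception false java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule OPTIONAL ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT ok true true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true
5. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUISITE ok false
"""
HEADER_RE = re.compile(r"^(Date|Time|Message|User)\s*:\s*(.*)$")
MODULE_RE = re.compile(r"^(\d+)\.\s+(\S+)\s+(SUFFICIENT|REQUISITE|REQUIRED|OPTIONAL)\s*(.*)$")
PHASE_TOKENS = {"ok", "true", "false", "exception"}
# Substring of the Details column -> what it means for the request, worded from the message itself.
EXPLANATIONS = [
    ("SignatureException", "a ticket was presented, but this server does not hold the certificate that signed it"),
    ("No authorization header", "the request carried no Authorization header, so no SPNego token was offered"),
]

@dataclass
class ModuleResult:
    name: str     # fully qualified login module class
    flag: str     # JAAS control flag
    phases: list  # result tokens in row order; blank columns are not printed, so only tokens 0/1 (Initialize, Login) are assumed fixed
    details: str  # exception or message text from the Details column, if any

    @property
    def short_name(self):
        return self.name.rsplit(".", 1)[-1]

    @property
    def login_result(self):
        return self.phases[1] if len(self.phases) > 1 else None

@dataclass
class LoginEvent:
    time: str = ""
    outcome: str = ""  # LOGIN.OK or LOGIN.FAILED
    user: str = ""     # first User field of the entry; a later 'User :' line in a full entry is ignored
    modules: list = field(default_factory=list)

def parse_events(text):
    """Split a security.log excerpt into LoginEvents; a 'Date :' line opens a new entry."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Date":
                current = LoginEvent()
                events.append(current)
            elif current is not None and key == "User":
                current.user = current.user or value
            elif current is not None:
                setattr(current, {"Time": "time", "Message": "outcome"}[key], value)
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            _, name, flag, rest = m.groups()
            tokens, phases = rest.split(), []
            while tokens and tokens[0] in PHASE_TOKENS:
                phases.append(tokens.pop(0))
            current.modules.append(ModuleResult(name, flag, phases, " ".join(tokens)))
    return events

def authenticated_by(event):
    """Short name of the first module whose Login phase returned true, or None."""
    return next((m.short_name for m in event.modules if m.login_result == "true"), None)

def findings(event):
    """One line per module that raised during Login, explained from its Details column."""
    out = []
    for mod in event.modules:
        if mod.login_result == "exception":
            why = next((w for key, w in EXPLANATIONS if key in mod.details), mod.details)
            out.append(f"{mod.short_name}: {why} [{mod.details}]")
    return out

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev.time, ev.outcome, ev.user, "authenticated_by: %s" % authenticated_by(ev), *findings(ev), sep="\n  ")
```

Run against the post's entries, the failed attempt shows no module with a successful Login phase and two raised modules, while the successful one shows SPNegoLoginModule as the authenticating module with only the stale-ticket exception left over; the same parser can be pointed at a longer excerpt of security.log to compare what the browser and the VB client each trigger.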
Could you please try a URL other than http://hkbw3.pidpant.local:56100/irj/portal?
I would suggest a URL that points to a specific iView.
Best regards,
André