Andre Fischer

Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets

Interoperability of Web Services is key for the integration of 3rd party software products with SAP NetWeaver. Products that are based on Microsoft technology are widely used and therefore their integration is of great interest.

One special topic is Single Sign-On. Although SAP and Microsoft are working on support for advanced Web services standards such as SAML for their next major releases, Single Sign-On is also an issue for the technology platforms that exist and are in use today.

For this reason we provide a series of whitepapers that outline the basic concept of how Single Sign-On can be achieved using existing technologies and describe sample applications based on .NET, Win32 and Java that consume SAP Web services based on either the SAP NetWeaver Application Server or the SAP Exchange Infrastructure.

The basic concept is that Single Sign-On of Windows-based Web service clients to SAP NetWeaver Web services can be achieved using Windows Integrated Authentication and SAP Logon Tickets. A Windows-based Web service client can acquire an SAP Logon Ticket from an SAP NetWeaver Portal that supports Windows Integrated Authentication through SAP's SPNego Login Module. The Web service client can then use the SAP Logon Ticket for SSO to SAP NetWeaver-based Web services. This concept is outlined in detail in the following whitepaper:

Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets

Developers of 3rd-party applications can make use of sample applications based on:

.NET: Sample Application: SSO with a .NET-based Web Service Client using SAP Logon Tickets

Win32: Sample Application: Call a Web Service with Single Sign On from a Windows Client Using a SAP Logon Ticket

Java (in preparation)


      3 Comments
      Former Member
      We don't have Kerberos but want to do SSO from .PDK component to ABAP web service. Any ideas?
      Lieven De Bock
      Hi Herr Fischer,

      we run the following code..:

      Imports System
      Imports System.Net

      Module Module1
          Sub Main()
              Dim url As String = "http://hkbw3.pidpant.local:56100/irj/portal"

              ' Create an HttpWebRequest object for the specified URL.
              Dim myHttpWebRequest As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
              ' Offer the current Windows logon credentials (Windows Integrated Authentication).
              myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials
              ' Collect the cookies returned by the portal.
              myHttpWebRequest.CookieContainer = New CookieContainer()
              Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)
              response.Cookies = myHttpWebRequest.CookieContainer.GetCookies(myHttpWebRequest.RequestUri)

              ' Print the properties of each cookie.
              For Each cook As Cookie In response.Cookies
                  Console.WriteLine("Cookie:")
                  Console.WriteLine("{0} = {1}", cook.Name, cook.Value)
                  Console.WriteLine("Domain: {0}", cook.Domain)
                  Console.WriteLine("Path: {0}", cook.Path)
                  Console.WriteLine("Port: {0}", cook.Port)
                  Console.WriteLine("Secure: {0}", cook.Secure)

                  Console.WriteLine("When issued: {0}", cook.TimeStamp)
                  Console.WriteLine("Expires: {0} (expired? {1})", cook.Expires, cook.Expired)
                  Console.WriteLine("Don't save: {0}", cook.Discard)
                  Console.WriteLine("Comment: {0}", cook.Comment)
                  Console.WriteLine("Uri for comments: {0}", cook.CommentUri)
                  Console.WriteLine("Version: RFC {0}", If(cook.Version = 1, "2109", "2965"))

                  ' Show the string representation of the cookie.
                  Console.WriteLine("String: {0}", cook.ToString())
              Next cook
          End Sub
      End Module

      At the line "Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)" the code fails, with an error '400'..

      Browsing to the portal, however, works fine, SSO works well, and a user is logged on with the Kerberos authentication ..

      Looking into the logviewer we however see 2 entries..

      The Second is successful: The first fails

      Second entry >
      Date : 06/22/2009
      Time : 15:24:05:874
      Message : LOGIN.OK
      User: ldebock
      Authentication Stack: ticket

      Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
      1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false                 java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.
      2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          true       true                 
      3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          true       true                 
      4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true                 
      5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok                     false                
      Central Checks                                                                                                true                 
      Severity : Info
      Category : /System/Security/Authentication
      Location : com.sap.engine.services.security.authentication.logincontext
      Application : sap.com/irj
      Thread : SAPEngine_Application_Thread[impl:3]_23
      Datasource : 1245658549199:E:usrsapDP1JC52j2eeclusterserver0logsystemsecurity.log
      Message ID : 00505689433600780000001E00000FA400046CEFC9D2828D
      Source Name : /System/Security/Authentication
      Argument Objs :
      Arguments :
      Dsr Component : n/a
      Dsr Transaction : f5bf25205f2f11deb9ef005056894336
      Dsr User :
      Indent : 0
      Level : 0
      Message Code :
      Message Type : 0
      Relatives : com.sap.engine.services.security.authentication.logincontext
      Resource Bundlename :
      Session : 589
      Source : /System/Security/Authentication
      ThreadObject : SAPEngine_Application_Thread[impl:3]_23
      Transaction :
      User : ldebock

      First Entry >

      Date : 06/22/2009
      Time : 15:24:05:327
      Message : LOGIN.FAILED
      User: N/A
      Authentication Stack: ticket

      Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
      1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception             true       java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.
      2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true       Access Denied. No authorization header received.
      3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      
      4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
      5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      
      Severity : Info
      Category : /System/Security/Authentication
      Location : com.sap.engine.services.security.authentication.logincontext
      Application : sap.com/irj
      Thread : SAPEngine_Application_Thread[impl:3]_27
      Datasource : 1245658549199:E:usrsapDP1JC52j2eeclusterserver0logsystemsecurity.log
      Message ID : 00505689433600620000002A00000FA400046CEFC9CA4715
      Source Name : /System/Security/Authentication
      Argument Objs :
      Arguments :
      Dsr Component : n/a
      Dsr Transaction : f56badf05f2f11de9745005056894336
      Dsr User :
      Indent : 0
      Level : 0
      Message Code :
      Message Type : 0
      Relatives : com.sap.engine.services.security.authentication.logincontext
      Resource Bundlename :
      Session : 0
      Source : /System/Security/Authentication
      ThreadObject : SAPEngine_Application_Thread[impl:3]_27
      Transaction :
      User : Guest

      When trying to acquire a ticket through VB-code, only one entry appears .. The faulty one..

      What needs to be done in the coding ?
      Any advice ?
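
Added example (not part of the comment above and not SAP code): a Python sketch that slices the login-module table of a security log entry at the header's column offsets, so that blank Commit and Abort cells are not confused, and lists the modules whose Login phase raised an exception. It assumes the space-aligned layout shown in the quoted entries; `parse_stack`, `login_exceptions` and `no_credentials_sent` are hypothetical names, and the sample is rebuilt from the quoted LOGIN.FAILED entry.

```python
COLS = ["Login Module", "Flag", "Initialize", "Login", "Commit", "Abort", "Details"]
FMT = "{:<75}{:<12}{:<12}{:<11}{:<11}{:<11}{}"
JAAS = "com.sap.security.core.server.jaas."

# Constructed sample: the module table of the LOGIN.FAILED entry quoted above,
# rebuilt with space-aligned columns (empty cells stay empty, as in the log).
SAMPLE = "\n".join(FMT.format(*row).rstrip() for row in [
    COLS,
    ("1. " + JAAS + "EvaluateTicketLoginModule", "SUFFICIENT", "ok", "exception", "", "true",
     'java.security.SignatureException: Certificate (Issuer="CN=QP2", S/N=1393841314) not found.'),
    ("2. " + JAAS + "SPNegoLoginModule", "OPTIONAL", "ok", "exception", "", "true",
     "Access Denied. No authorization header received."),
    ("3. " + JAAS + "CreateTicketLoginModule", "SUFFICIENT", "ok", "false", "", "true", ""),
    ("4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule",
     "REQUISITE", "ok", "false", "", "false", ""),
    ("5. " + JAAS + "CreateTicketLoginModule", "REQUISITE", "ok", "false", "", "true", ""),
])

def parse_stack(text):
    """Slice every module row at the column offsets taken from the header line."""
    header, *lines = text.splitlines()
    starts, pos = [], 0
    for name in COLS:
        pos = header.index(name, pos)  # search onward: "Login" also occurs in "Login Module"
        starts.append(pos)
        pos += len(name)
    ends = starts[1:] + [None]
    rows = []
    for line in lines:
        if line.lstrip()[:1].isdigit():  # numbered module rows only, skips "Central Checks"
            cells = [line[s:e].strip() for s, e in zip(starts, ends)]
            rows.append(dict(zip(COLS, cells)))
    return rows

def login_exceptions(rows):
    """(module, JAAS flag, detail) for each module whose Login phase raised."""
    return [(r["Login Module"].rsplit(".", 1)[-1], r["Flag"], r["Details"])
            for r in rows if r["Login"] == "exception"]

def no_credentials_sent(rows):
    """True when SPNego reports that the request carried no Authorization header."""
    return any(r["Login Module"].endswith("SPNegoLoginModule")
               and "No authorization header" in r["Details"] for r in rows)

if __name__ == "__main__":
    stack = parse_stack(SAMPLE)
    for module, flag, detail in login_exceptions(stack):
        print(f"{module} [{flag}]: {detail}")
    print("SPNego received no Authorization header:", no_credentials_sent(stack))
```
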

      Andre Fischer
      Blog Post Author
      Hi Lieven,

      could you please try another URL than http://hkbw3.pidpant.local:56100/irj/portal ?

      I would suggest a URL that points to a specific iView.

      Best regards,
      André