Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets

Interoperability of Web Services is key for the integration of 3rd party software products with SAP NetWeaver. Products that are based on Microsoft technology are widely used and therefore their integration is of great interest.

One special topic is Single Sign-On. Though SAP and Microsoft work on the support of advanced Web services standards such as SAML for the next major releases Single Sign-On is also an issue for technology platforms that are currently existing and being used.

Because of this we provide a series of whitepapers that outlines the basic concept how Single Sign-On can be achieved using existing technologies and describe sample applications based on .NET, Win32 and Java that consume SAP Web services that are either based on the SAP NetWeaver Application Server and the SAP Exchange Infrastructure.

The basic concept is that Single Sign-On of Windows based Web services clients to SAP NetWeaver Web services can be achieved using Windows Integrated Authentication and SAP Logon Tickets. Windows based Web Services Clients can acquire a SAP Logon Ticket from a SAP NetWeaver Portal that supports Windows Integrated Authentication using SAP’s SPNego Login Module. The SAP Logon Ticket can than be used by the Web Service Client for allowing SSO to SAP NetWeaver based Web Services. This concept is outlined in detail in the following whitepaper:

Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets

Developers of 3rd party applications leverage from sample applications based on

.NET: Sample Application: SSO with a .NET-based Web Service Client using SAP Logon Tickets

Win32: Sample Application: Call a Web Service with Single Sign On from a Windows Client Using a SAP Logon Ticket

Java (in preparation)

Lieven De Bock June 22, 2009 at 4:54 am

Hi Herr Fischer,

we run the following code..:

Imports System.Net
Imports System

Dim url As String = “http://hkbw3.pidpant.local:56100/irj/portal“
‘ Create a ‘HttpWebRequest’ object with the specified url.

Dim myHttpWebRequest As HttpWebRequest = CType(WebRequest.Create(url), httpWebRequest)
myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials
myHttpWebRequest.CookieContainer = New CookieContainer()
Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)
response.Cookies = myHttpWebRequest.CookieContainer.GetCookies(myHttpWebRequest.RequestUri)

‘ Print the properties of each cookie.
Dim cook As Cookie
For Each cook In response.Cookies
            Console.WriteLine(“Cookie:”)
            Console.WriteLine(“{0} = {1}”, cook.Name, cook.Value)
            Console.WriteLine(“Domain: {0}”, cook.Domain)
            Console.WriteLine(“Path: {0}”, cook.Path)
            Console.WriteLine(“Port: {0}”, cook.Port)
            Console.WriteLine(“Secure: {0}”, cook.Secure)

            Console.WriteLine(“When issued: {0}”, cook.TimeStamp)
            Console.WriteLine(“Expires: {0} (expired? {1})”, cook.Expires, cook.Expired)
            Console.WriteLine(“Don’t save: {0}”, cook.Discard)
            Console.WriteLine(“Comment: {0}”, cook.Comment)
            Console.WriteLine(“Uri for comments: {0}”, cook.CommentUri)
            Console.WriteLine(“Version: RFC {0}”, IIf(cook.Version = 1, “2109”, “2965”))

            ‘ Show the string representation of the cookie.
            Console.WriteLine(“String: {0}”, cook.ToString())
Next cook

At the line “Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)” the code fails, with an error ‘400’..

Browsing to the portal, however works fine, SSO works well, and a user is loged on with the Kerberos authentication ..

Looking into the logviewer we however see 2 entries..

The Second is successful: The first fails

Second entry >
Date : 06/22/2009
Time : 15:24:05:874
Message : LOGIN.OK
User: ldebock
Authentication Stack: ticket

Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          exception false                 java.security.SignatureException: Certificate (Issuer=”CN=QP2″, S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          true       true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT ok          true       true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok                     false
Central Checks                                                                                                true
Severity : Info
Category : /System/Security/Authentication
Location : com.sap.engine.services.security.authentication.logincontext
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_23
Datasource : 1245658549199:E:usrsapDP1JC52j2eeclusterserver0logsystemsecurity.log
Message ID : 00505689433600780000001E00000FA400046CEFC9D2828D
Source Name : /System/Security/Authentication
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : f5bf25205f2f11deb9ef005056894336
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.engine.services.security.authentication.logincontext
Resource Bundlename :
Session : 589
Source : /System/Security/Authentication
ThreadObject : SAPEngine_Application_Thread[impl:3]_23
Transaction :
User : ldebock

First Entry >

Date : 06/22/2009
Time : 15:24:05:327
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket

Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          exception             true       java.security.SignatureException: Certificate (Issuer=”CN=QP2″, S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true       Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT ok          false                 true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true
Severity : Info
Category : /System/Security/Authentication
Location : com.sap.engine.services.security.authentication.logincontext
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_27
Datasource : 1245658549199:E:usrsapDP1JC52j2eeclusterserver0logsystemsecurity.log
Message ID : 00505689433600620000002A00000FA400046CEFC9CA4715
Source Name : /System/Security/Authentication
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : f56badf05f2f11de9745005056894336
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.engine.services.security.authentication.logincontext
Resource Bundlename :
Session : 0
Source : /System/Security/Authentication
ThreadObject : SAPEngine_Application_Thread[impl:3]_27
Transaction :
User : Guest

When trying to acquire a ticket through VB-code, only one entry appears .. The faulty one..

What needs to be done in the codeing ?
Any advice ?

like (0)

3 Comments

You must be Logged on to comment or reply to a post.

Former Member March 3, 2008 at 2:29 pm

We don’t have kebrberos but want to do SSO from .PDK component to ABAP web service. Any ideas?

like (0)
Lieven De Bock June 22, 2009 at 4:54 am

Hi Herr Fischer,

we run the following code..:

Imports System.Net
Imports System

Dim url As String = “http://hkbw3.pidpant.local:56100/irj/portal“
‘ Create a ‘HttpWebRequest’ object with the specified url.

Dim myHttpWebRequest As HttpWebRequest = CType(WebRequest.Create(url), httpWebRequest)
myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials
myHttpWebRequest.CookieContainer = New CookieContainer()
Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)
response.Cookies = myHttpWebRequest.CookieContainer.GetCookies(myHttpWebRequest.RequestUri)

‘ Print the properties of each cookie.
Dim cook As Cookie
For Each cook In response.Cookies
            Console.WriteLine(“Cookie:”)
            Console.WriteLine(“{0} = {1}”, cook.Name, cook.Value)
            Console.WriteLine(“Domain: {0}”, cook.Domain)
            Console.WriteLine(“Path: {0}”, cook.Path)
            Console.WriteLine(“Port: {0}”, cook.Port)
            Console.WriteLine(“Secure: {0}”, cook.Secure)

            Console.WriteLine(“When issued: {0}”, cook.TimeStamp)
            Console.WriteLine(“Expires: {0} (expired? {1})”, cook.Expires, cook.Expired)
            Console.WriteLine(“Don’t save: {0}”, cook.Discard)
            Console.WriteLine(“Comment: {0}”, cook.Comment)
            Console.WriteLine(“Uri for comments: {0}”, cook.CommentUri)
            Console.WriteLine(“Version: RFC {0}”, IIf(cook.Version = 1, “2109”, “2965”))

            ‘ Show the string representation of the cookie.
            Console.WriteLine(“String: {0}”, cook.ToString())
Next cook

At the line “Dim response As HttpWebResponse = CType(myHttpWebRequest.GetResponse(), HttpWebResponse)” the code fails, with an error ‘400’..

Browsing to the portal, however works fine, SSO works well, and a user is loged on with the Kerberos authentication ..

Looking into the logviewer we however see 2 entries..

The Second is successful: The first fails

Second entry >
Date : 06/22/2009
Time : 15:24:05:874
Message : LOGIN.OK
User: ldebock
Authentication Stack: ticket

Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          exception false                 java.security.SignatureException: Certificate (Issuer=”CN=QP2″, S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          true       true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT ok          true       true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok                     false
Central Checks                                                                                                true
Severity : Info
Category : /System/Security/Authentication
Location : com.sap.engine.services.security.authentication.logincontext
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_23
Datasource : 1245658549199:E:usrsapDP1JC52j2eeclusterserver0logsystemsecurity.log
Message ID : 00505689433600780000001E00000FA400046CEFC9D2828D
Source Name : /System/Security/Authentication
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : f5bf25205f2f11deb9ef005056894336
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.engine.services.security.authentication.logincontext
Resource Bundlename :
Session : 589
Source : /System/Security/Authentication
ThreadObject : SAPEngine_Application_Thread[impl:3]_23
Transaction :
User : ldebock

First Entry >

Date : 06/22/2009
Time : 15:24:05:327
Message : LOGIN.FAILED
User: N/A
Authentication Stack: ticket

Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          exception             true       java.security.SignatureException: Certificate (Issuer=”CN=QP2″, S/N=1393841314) not found.
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true       Access Denied. No authorization header received.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT ok          false                 true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true
Severity : Info
Category : /System/Security/Authentication
Location : com.sap.engine.services.security.authentication.logincontext
Application : sap.com/irj
Thread : SAPEngine_Application_Thread[impl:3]_27
Datasource : 1245658549199:E:usrsapDP1JC52j2eeclusterserver0logsystemsecurity.log
Message ID : 00505689433600620000002A00000FA400046CEFC9CA4715
Source Name : /System/Security/Authentication
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : f56badf05f2f11de9745005056894336
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.engine.services.security.authentication.logincontext
Resource Bundlename :
Session : 0
Source : /System/Security/Authentication
ThreadObject : SAPEngine_Application_Thread[impl:3]_27
Transaction :
User : Guest

When trying to acquire a ticket through VB-code, only one entry appears .. The faulty one..

What needs to be done in the codeing ?
Any advice ?

like (0)
1. Andre Fischer Post authorJune 22, 2009 at 5:17 am
  
  Hi Lieven,
  
  could you please try another URL than http://hkbw3.pidpant.local:56100/irj/portal ?
  
  I would suggest a URL that points to a specific iView.
  
  Best regards,
  André
  
  like (0)