
The most common way to access SAP applications is from Windows-based workstations. In the past, different approaches had to be taken to achieve SSO using Windows integrated authentication, depending on whether access was browser-based or SAPGUI-based.

The whitepaper Unleash the Power of Single Sign-On with Microsoft and SAP reviews the mainstream enabling technologies for authentication and Single Sign-On in the Microsoft/SAP context and outlines their usage in some typical enterprise-level scenarios.

In a Windows environment, where both SAP GUI and backend ABAP systems are running on Windows platform, SNC can use Integrated Windows Authentication for SSO with the backend systems as described in the SAP Online Help.

If the backend systems are based on UNIX, SAP’s support for SSO for SAPGUI is limited. Customers either have to use a 3rd party SNC solution or go for a Kerberos implementation on the UNIX side.

For browser-based access, SSO using the SPNego Login Module can be used on various underlying OS platforms for the J2EE Engine host.

Here the new SAP NetWeaver Business Client comes into play.

SAP NetWeaver Business Client

The SAP NetWeaver Business Client is SAP’s next-generation Windows desktop client, built on the latest smart client technology. It uses the Portal services infrastructure for role-based access to SAP systems and consistent navigation, and it can host existing SAP UIs (including SAP GUI and Web Dynpro) as well as any other web-based content in its “canvas” area.

The SAP NetWeaver Business Client supports Windows Integrated Authentication as the initial authentication if the SAP NetWeaver Portal services infrastructure used is configured to use the SPNego Login Module.

It must be mentioned, however, that the scenario described has one limitation: the SAPGUI (WinGUI) communication between the frontend and the SAP server is NOT encrypted by default. If the customer wants encrypted communication between the frontend and an SAP server that is running on a non-Windows platform, and at the same time wants to use the WinGUI, the customer must use one of the certified SNC solutions.

If encrypted communication for the WinGUI is not mandatory and only SSO is needed, customers can benefit from the scenario described above.

The same applies to customers that are using web-based access to their SAP systems (using the WebGUI or Web Dynpro). In this case the encryption between the frontend and the SAP server is established using SSL.

The SAP NetWeaver Business Client will be available with SAP ERP 6.0 Enhancement Package 2.

In order to implement this SSO scenario please make sure that you have a portal available that is configured with SPNego.
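One way to check that SPNego is actually in effect is to look at the `Authorization: Negotiate` header the client sends to the portal: a client that could not obtain a Kerberos service ticket typically sends an NTLM token instead. The following is an added example, not code from this blog or from SAP; the function names are hypothetical and the sample tokens are constructed, not captured.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KERBEROS_OIDS = {bytes.fromhex("2a864886f712010202"),   # 1.2.840.113554.1.2.2
                 bytes.fromhex("2a864882f712010202")}   # 1.2.840.48018.1.2.2 (Microsoft)
NTLM_OID = bytes.fromhex("2b06010401823702020a")       # 1.3.6.1.4.1.311.2.2.10

def tlv(buf, i):  # -> (tag, value, next_index) of the DER element at buf[i]
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n

def offered_mechs(token):  # mechanism OIDs offered in a GSS-API initial token
    _, body, _ = tlv(token, 0)                 # 0x60 InitialContextToken
    _, oid, i = tlv(body, 0)                   # thisMech OID
    if oid != SPNEGO_OID:
        return [oid]                           # bare mechanism token, no SPNEGO wrapper
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit -> SEQUENCE -> mechTypes -> SEQUENCE
        tag, body, _ = tlv(body, i)
        if tag != expected:
            raise ValueError("not a NegTokenInit")
        i = 0
    mechs, i = [], 0
    while i < len(body):
        _, oid, i = tlv(body, i)
        mechs.append(oid)
    return mechs

def classify(header_value):  # -> kerberos, ntlm, unknown, malformed or not-negotiate
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "ntlm"                       # raw NTLM carried under Negotiate
        mechs = offered_mechs(token) if token[:1] == b"\x60" else []
    except (ValueError, IndexError):
        return "malformed"
    if any(m in KERBEROS_OIDS for m in mechs):
        return "kerberos"
    return "ntlm" if NTLM_OID in mechs else "unknown"

def sample_header(mech_oids):  # constructed NegTokenInit, not a captured token
    der = lambda tag, v: bytes([tag, len(v)]) + v   # short-form lengths only
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    token = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, mech_list))))
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of `ntlm` for domain workstations usually points at a missing or duplicate service principal name or at browser intranet-zone settings rather than at the login module itself.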

For questions (FAQ) and information on how to download the NWBC, see SAP Note 900000 “Netweaver Business Client – FAQ”.

Best regards,

André


10 Comments


  1. Cleber Santz
    Hi Andre,

    I have searched for NWBC but can't find anything. On service.sap there is no link as described in note 900000.

    Is there any other place to download NWBC?

    tks,
    Cleber

    (0) 
  2. Tim Alsop
    Andre,

    I might be mistaken, but it seems to me that your blog is suggesting that SAP do not want customers to use SNC libraries with SAP GUI because the new business client means they do not need products such as the one our company (CyberSafe) sells to SAP customers ? I am sure this was not intentional, because you represent SAP and are therefore aware of the importance of the SAP Partner Ecosystem, and would not intentionally damage the ability for a partner to do business with SAP customers by misrepresenting the options available ?

    We provide supported security solutions to customers of SAP, and all products are designed and tested to work with Active Directory as the Kerberos Server, especially in an environment where the SAP servers are on UNIX or Linux, or on Windows. We include a GSS-API library for Windows and UNIX/Linux platforms, so that customers can use our solution for SNC based authentication with SAP GUI, RFC or JCO interfaces in a multi-platform environment.

    We often find that companies want an SSO experience for most of their business users, but they have some users who need to access the same systems, but do not have domain access (e.g. using a shared workstation, or a workstation in a partner company accessing the SAP systems). In these cases, our solution can be used because of features we have added specifically to meet these needs. We also provide support for HTTP access to SAP applications, but we do not use the old and broken implementation of Kerberos included in JAVA JDK (the SAP SPNEGO login module uses this Kerberos implementation). This means we can use RC4 or AES ciphers, and not the inferior DES cipher which is not very well supported in Active Directory or in Java version of Kerberos. Also, our solutions do not use the Microsoft ktpass utility, which opens an opportunity for a denial of service attack since it uses a user account in the domain instead of a computer account. These are just a few examples of differences, and from my perspective it therefore looks like you are suggesting to your customers to implement SSO without being aware of the security implications, or the partner solutions available which they might want to consider.

    I would like to offer you the opportunity to talk to us in more detail and find out how our products can be of benefit to your customers, and then perhaps you can write about SSO options available for SAP customers, and not affect our ability to sell our solutions to SAP customers. If you are interested to talk more about this, please contact me using my email address in my SDN business card.

    Thanks,
    Tim

    (0) 
    1. Andre Fischer Post author
      Hi Tim,
      Yes I think that you have misinterpreted my blog. Therefore I changed the wording to avoid any further misinterpretations.
      It is not that I do not want customers to use SNC products. If they are happy to use them and if they see a benefit in using them then I am fine with it.
      However I wouldn’t call our SPNego Login Module being based on “an old and broken implementation of Kerberos included in JAVA JDK”. I would rather call it being based on standards. If a 3rd party solution can add additional value to such a scenario this leaves room for certified partner solutions.
      A complete list of certified vendors that offer certified solutions can be found here: http://www.sap.com/partners/directories/SearchSolution.epx
      Best regards,
      André

      (0) 
      1. Tim Alsop
        Andre,

        Thank you for making the improvements to your blog, so it is less misleading. I also appreciate and fully understand that you are not suggesting that the customer should not use SNC, but I still feel that some of the wording could be further improved to make the positioning and the options available clearer to the reader. I hope you don’t mind, but I have suggested a few other changes below, and provided some useful feedback:

        1. I think the 3rd paragraph should say “In a Windows environment, where both SAP GUI and backend ABAP systems are running on Windows platform, the SNC library available from SAP can provide Integrated Windows Authentication for SSO with the backend systems, as described in the SAP Online Help.”

        2. The 4th paragraph should be added onto end of 3rd paragraph (since it is related), and should be changed to “However, if the backend systems are on UNIX or Linux, SAP do not support SNC libraries for SAP GUI, so customers either have to use a 3rd party SAP certified SNC solution, which will provide suitable Kerberos libraries, or use a SAP certified SNC solution which uses another type of cryptographic mechanism for SSO, e.g. using x.509 certificates. The list of SAP certified vendors who provide such products can be found [insert link here].”

        3. I appreciate that SAP do not specifically certify or support Kerberos implementations, but the SNC interface is available for certification, and at least 2 vendors (including ourselves) have SAP certified Kerberos libraries for use with SAP and SAP GUI.

        4. When I mentioned that the JAVA JDK was using “an old and broken implementation of Kerberos”, I was not suggesting that this is not standard. The fact is that Kerberos is a standard which was originally described in IETF RFC1510, and there are many implementations which were based on this RFC, but the RFC was considered to be “open to interpretation” which meant that Microsoft and other vendors (including SUN) implemented Kerberos in a way which sometimes breaks the interoperability, so although SUN JDK Kerberos is standards based, it is using an old RFC (1510 instead of 4120) and is also not using many/any of the additions which Microsoft have added to their implementation of Kerberos. Yes, of course, vendors such as ourselves can use this as an opportunity to add value to the SPNEGO login module provided by SAP, by avoiding the use of the outdated Kerberos implementation in JDK, and this is what we have already done. So, can you add a reference in your blog so it says that there are 3rd party vendors who provide alternatives to the SPNEGO login module, which offer some advantages?

        Many thanks,
        Tim

        (0) 
  3. David Branan
    Hello Andre,

    The link behind the words “Unleash the Power of Single Sign-On with Microsoft and SAP” is incorrect and throws an error when someone who is not a blog superadmin tries to use it. It is the edit link for the item. Please change it.

    Thanks,
    David

    (0) 
  4. Charles Gorzenski
    Hello Andre.

    Choosing the link after “For questions (FAQ) and information how to download the NWBC see the following” brings the following error message:

    403
    Die angeforderte Aktion ist für diese Ressource nicht erlaubt. Sie haben nicht die erforderlichen Berechtigungen, um auf diese Ressource zuzugreifen.

    Can you please update this link ?

    Thanks & regards

    Charles

    (0) 
    1. Andre Fischer Post author
      Hi Charles,

      OSS notes that are indexed on our site can only be accessed by those with Customer, Partner, or SAP Employee accounts. If the person is actually logged in at the time with an account that is at that level, and not reading the blog anonymously, they should be able to view the note.

      I added the number of the SAP Note in clear text in my blog so that you can ask somebody that has access to SAP Service Marketplace to retrieve this note.

      Best regards,
      Andre

      (0) 
  5. Anonymous
    I was really hoping to find some information on implementing single sign on for NWBC to an ERP system in a windows environment. This article is so high level it is worthless. Could you at least provide links to more information for implementing SAPNego?
    (0) 
