Single Sign-On: Authenticating Linux WebAS ABAP in Windows AD
This web page describes how to authenticate an SAP WebAS ABAP on Linux via Kerberos v5 and the SAP SNC adapter against a Windows Active Directory, and how to map its users so that they can use Single Sign-On with the SAP GUI on Windows clients.
Thanks in advance
Manfred
For SSO to use load balancing, you have to create 3 different accounts on the AD domain and set up the certification on those servers.
Now from the SAP Logon pad, create an entry using the group tab and generate the list. Entries from SMLG will be populated from the message server. Choose one of them and click on Add and Logon and enable the SNC box from the advanced tab.
The SNC name is automatically populated from the profile parameter. Now edit the c:\windows\saplogon.ini using notepad and change the SNC name to use the message server.
If you log in, you will see 2 things happening:
1. SSO using AD domain authentication
2. Load balancing
Feel free to send me any questions you might have. I will be happy to help you.
Thanks
Ramesh
We want to implement SSO in our landscape. We have Solaris 10 64bit.
We have tried with /usr/lib/64/libgss.so. The library is loading fine but SSO is not working...
How can we compile our own Library??
Many thanks,
David.
Can you please send me a detailed document for implementing SSO on HPUX for SAP systems? We would like to implement it in our landscape.
And also I would like to have SNC Adapter file as well. Please send it to sudhakar.kasam@btc.com.bh
Thanks in advance
Sudhakar
sudhakar.kasam@btc.com.bh
Can you please help me with the detailed document for implementing SSO on HPUX for SAP systems? We would like to implement it in our landscape.
Also would like to have SNC Adapter file as well..
mrajan7@yahoo.com.
Thanks & Regards,
Raj
Thanks,
Chad
I used http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html as reference. Pretty old, it was kind of hard to find the correct sources for all the necessary tools ;).
We built our own Kerberos (MIT Kerberos 1.6.2, not Heimdal) and are using the tools (kinit etc.) from that self-compiled package because the vendor libraries and tools (in our case at that time SuSE SLES 9) didn't turn out to be working; the same was true for the Sun implementation.
Another advantage of that approach was, that we could use the same software and configuration for all the OS'es we run (Linux 32bit, Linux IA64, Solaris x64, HP-UX IA64, Solaris SPARC etc.) and we didn't need to fiddle with vendor specific implementations and their patches/problems.
The sources for gsskrb5.dll were modified to be able to be built with a newer Visual Studio compiler (VS 2005/7.1) and were distributed on the clients using an MSI package.
Some hundred users use that for BI (BEx) and various test systems (ABAP). The Java SSO did turn out to be problematic due to the bug in the Sun JDK and our need to use a version > 1.4.2_13 (on Sun x64). I haven't tried yet with the new Java version (*_18).
Markus
I am following this Realtech document to configure SSO on Linux and ADS.
I am on step 3.4 and get the following error
kinit(v5): Cannot contact any KDC for requested realm while getting initial cres
Any input from you will help.
Regards,
Hemanshu
I would check /etc/krb5.conf, especially the section
[realms]
    LINUXLAB.COM = {
        kdc = linuxlabpdc.linuxlab.com
        admin_server = linuxlabpdc.linuxlab.com
        kpasswd_server = linuxlabpdc.linuxlab.com
    }
and make sure that the user which executes the kinit has the permission to read this file.
If this doesn't help, post the detailed error from your krb log.
Regards,
Matthias
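The two checks suggested in the reply above (the [realms] stanza and read permission on the file), as an added example that is not part of the original thread or the white paper. The function names and the sample text are constructed for illustration; the permission check is an approximation that only looks at the "other" read bit.

```python
import os
import re
import stat

# Constructed sample, modelled on the [realms] stanza quoted in the reply above.
SAMPLE = """\
[realms]
    LINUXLAB.COM = {
        kdc = linuxlabpdc.linuxlab.com
        admin_server = linuxlabpdc.linuxlab.com
    }
"""

def parse_realms(text):
    """Return {realm: [kdc, ...]} from the [realms] section of krb5.conf text."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank lines and comments
            continue
        head = re.match(r"\[([^\]]+)\]", line)
        if head:                                # a new [section] starts
            section, current = head.group(1).lower(), None
        elif section == "realms":
            opener = re.match(r"(\S+)\s*=\s*\{", line)
            if opener:                          # REALM = {
                current = opener.group(1)
                realms[current] = []
            elif line.startswith("}"):
                current = None
            elif current and re.match(r"kdc\s*=", line):
                realms[current].append(line.split("=", 1)[1].strip())
    return realms

def diagnose(text, realm):
    """List configuration problems that can lead to 'Cannot contact any KDC'."""
    realms = parse_realms(text)
    if realm not in realms:
        near = [r for r in realms if r.lower() == realm.lower()]
        hint = f" (found '{near[0]}': realm names are case-sensitive)" if near else ""
        return [f"realm {realm} missing from [realms]{hint}"]
    if not realms[realm]:
        return [f"realm {realm} has no kdc entry"]
    return []

def world_readable(path):
    """True if the 'other' read bit is set (owner/group membership is not checked)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)
```

To check a live system, pass the contents of /etc/krb5.conf and the realm given to kinit to `diagnose`, and call `world_readable("/etc/krb5.conf")`.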
Firstly I just want to say thanks for this whitepaper, it is very informative and easy to follow.
I just have one question. For every application server used, do you have to create an additional service user, SPN and export key? I thought I'd try to use the same SPN but that didn't work, then I tried creating separate SPNs with the same service user and that also doesn't seem to work.
Thanks.
Regards,
Nelis
I want just to inform you that we implemented the SSO authentication between our SAP Systems (R/3 4.7 Ext 2.00, ECC 6.0, IDES ECC 6.0, and Solution Manager) and our AD Domain users (~ 400).
The O.S. used is SLES 10 SP2 for every SAP system, and we are in Production from the beginning of September.
Thanks for your help and for your useful document!
Regards,
Federico Biavati
Updated white paper with Windows 2008 AD and Windows 7 clients