Skip to Content
Technical Articles
Author's profile photo Peter Langner

Using KeePass Instead of SAP Logon

Together with Renald Wittwer I am preparing SAP Inside Track 2012 in Hamburg. Instead of the usual InnoJam we decided to create something new, which we called “Solution Jam” (short: SolJam). The idea is to present within 8 minutes innovative solutions / ideas / tools with or on top of SAP technology. I decided to show the participants how I use KeePass instead of SAP Logon.

As soon as I had posted the title, Uli Burner came up with I am very interested in your #sithh soljam topic “keepass instead of sap login” – any information about this available yet? and also Gregor Wulf was interested. Both managed to find out themselves before I could answer – only knowing the title was already a benefit for them.

Since a good story can always be told twice, I decide to write this blog even before I am going to show it to you in May.

1. The Open Source Software KeePass

So how did I came across this? Well, being a busy consultant my SAP Logon is flooded with system entries and I somehow had to remember all these passwords. The most  people I know use either more or less the same password for all the systems or they use something like excel where they keep their passwords protected with a master password.

Both ways of doing it are not very secure. Since I have to remember not only the user an passwords of the SAP systems, but also of a lot of websites and other applications, I was very happy to find this excellent open source software KeePass, a light-weight and easy-to-use password manager.

You can create different databases, each of them protected with a master password. It also allows to create  (sub-) directories and the content is encrypted (see Figure 1 – KeePass – Main Screen).

image

Figure 1 – KeePass – Main Screen

If you enter an entry you have data fields for e.g. title, user name, password, quality of the password and URL of the application. If you enter the password, it is not shown. You have to repeat it, as if you would logon to a system (see Figure 2). But you can also switch to visible password (if nobody is looking over your shoulder).

Entry Screen

Figure 2 – KeePass Entry Screen

2. How to Logon to a SAP System via KeePass

As you can see in the screenshots I have used the URL field to connect to the SAP system. With command “cmd” you can call a program. The program I am calling is SAP Shortcut (sapshcut). It is in the same directory as saplogon. Maybe you have to extend the path, if the program is not found. SAP Shortcut has a lot of parameters, which are all described in sapnote 103019.

What I have entered is the following:

cmd://sapshcut -system=NSP -client=100 -user={USERNAME} -pw={PASSWORD} –maxgui

The parameters have the following meaning:

  • system – System name
  • client – The client you want to login to
  • user – Your username. The “{USERNAME}” is a feature of KeePass to refer to the user name you have entered in the KeePass entry.
  • pw – Your password. The “{PASSWORD}” is a feature of KeePass to refer to the password you have entered in the KeePass entry.
  • language – The language you want to logon with (I omitted that).
  • maxgui – Maximize SAPGUI after login

If you select the entry and click on the link shown in the lower area of  the main screen, you are immediately logged into the selected system.

Watch yourselve:

Assigned tags

      76 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf
      Hi Peter,

      I've used the variant described by Florian Keller at SAP-GUI Anmeldung automatisieren mit KeePass. Unfortunately this solution requires that the need entry is selected in KeePass. So your solution is very elegant as you can start the connection from within KeePass. But with SAP GUI 7.20 SP 10 Hotfix 1 I get the error message "Name or Password incorrect". That also happens when I run SAPSHCUT from the command line.

      Hope you have a tip.

      Best regards
      Gregor

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author
      Hello Gregor,

      I am pleased, that you find my blog helpful.

      Regarding your question: yes it runs with SAP GUI 7.20. I am currently using also using Patch 10 Hotfix 1 and everything runs fine. Also lower versions are not problem (I am using KeePass since two years in this way).

      The message you have mentioned normaly occurs, if the username or password is wrong. Please check, that they are correct in KeePass resp. in the commandline and that there is no whitespace somewhere.

      Please let me know, if you could solve your problem.

      Regards
      Peter

      Author's profile photo Roger Beach
      Roger Beach
      @Gregor

      I had the same issue and tried removing the -maxgui and it worked.  I then moved -maxgui closer to the beginning of the URL and it also worked.

      cmd://sapshcut -maxgui -system=HT1 -client=240 -user={USERNAME} -pw={PASSWORD}

      Author's profile photo Gregor Wolf
      Gregor Wolf
      Hi Roger,

      thank you for this tip. That made it work :-).

      Best regards
      Gregor

      Author's profile photo Bryan Cain
      Bryan Cain
      I had this same issue, and this corrected it.  Although I put the -maxgui after the client.

      Thanks!

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Peter,/sap/bc/bsp/sap/crm_ui_start/default.htm?sap-client=002&sap-sessioncmd=open&sap-user=&sap-password=&sap-language=DE<br/><br/>Best regards<br/>Gregor

      Author's profile photo Sergio Ferrari
      Sergio Ferrari
      Thank you very much I like the idea
      Author's profile photo Alessandro Spadoni
      Alessandro Spadoni
      I just installed keypass and it works good!i'm sharing this with my colleagues
      Author's profile photo Former Member
      Former Member

      Hi, I'm using KeePass since a while now, and now I found this....<nice>

      🙂

      And the best of it: It works also with the SAPGUI 7.30 (Patch 0)

      Thank you som much !!!

      Author's profile photo Xavier Hacking
      Xavier Hacking

      Great blog. To further optimize this I'm looking for a hotkey solution:

      Now I still have to go to Keepass, select the system I want to logon to and type the CTRL-U shortcut. It would be even better if I just could type CTRL-F1 (or any other keycombo) from any application, and it would log me on to the system I assigned to CTRL-F1.

      Cheers,

      Xavier

      HackingSAP.com

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Xavier,

      thank you for your interest in this subject. What you request would be an extension of KkeePass, because as of today such a feature is not available. The best way to implement it would be to program a KeePass plugin, with which you can define short cuts. But still you would have to login to KeePass once, before you can login to a SAP system...

      May be you are the right one to supply this plugin?

      Regards,

      Peter

      Author's profile photo Former Member
      Former Member

      The "magic sequence" with SAPGUI 7.30 (patch 0) is:

      cmd://sapshcut -maxgui  -user={USERNAME} -pw={PASSWORD} -language=E -system=SY1 -client=200

      Cheers!

      Antonio

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Antonio,

      thank you for sharing your experience! As I can see, you have moved -maxgui to the front. Others like Marc above, have it in another position also using SAPGUI 7.30. So I think it has nothing to do with the GUI version but with something else... I you (or somebody else) found out, what it is, I really would like to know...

      By the way, the parameter is optional.

      Regards,

      Peter

      Author's profile photo Former Member
      Former Member

      Nice Tip!

      Author's profile photo Former Member
      Former Member

      Hi Peter,

      i have a problem with this function. We use more than one SAPLogon.

      Have you an idea for this? Which is the right code

      Thanks

      Jan

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Dear Jan,

      please describe the problem you are having in more detail. Do you receive an error message? Just because I am curious: Why do you have more than one SAP Logon on your client? One should be enough...

      I am looking forward to help you,

      Peter

      Author's profile photo Former Member
      Former Member

      Hello Peter,

      we have many customers, so we need five SAPLogon with different names.

      It works only with customers from "SAP Logon" not for example "SAP Logon A-F".

      Thank you for your support.

      Jan

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Dear Jan,

      The problem might be, that SAP shortcut does not know how to resolve the systems name to the actual server. Please check the following:

      Are all the System-IDs and instance numbers unique?

      If not, try to identify the system via its system name, which of cause must be unique too, by using the option -sysname="<name of your system>" instead of -system=<system-id>.

      I hope, that this works for you. I am looking forward to your feedback.

      Cheers

      Peter

      Author's profile photo Michael Zier
      Michael Zier

      Works perfectly!

      Author's profile photo Rainer Schuler
      Rainer Schuler

      Great blog, I found it very helpful.

      I prefer the URL in the form:

      
      cmd://sapgui.exe /SHORTCUT="–maxgui -sid=XYZ -clt=123
      -u={USERNAME} -pw={PASSWORD}"
      
      

      but everything else is great!

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Rainer,

      thank you for your feedback. Please let us know, why you prefer your version of the URL. What are the advantages? Or is it just a matter of taste?

      Regards,

      Peter

      Author's profile photo Rainer Schuler
      Rainer Schuler

      Hi Peter,

      it's more or less a matter of taste. The only argument I have: I'd like to be indepentent from a wrapper applicatoin such as sapshcut.exe. One can never know if this wrapper still exists in the next release.

      For all command line parameters I prefer the short version i.e. clt instead of client. But this doesn't really matter.

      By the way, the URL:

      cmd://<path to SAPGUI for Java>/bin/guistart.bat"
      conn="/H/appserver.domain.local/S/3200&clnt=100&user={USERNAME}&pass={PASSWORD}"
      
      

      works for the SAPGUI for Java as well

      Regards,

      Rainer

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Rainer,

      thank you for your answer and for sharing your experience regarding Java.

      Regards,

      Peter

      Author's profile photo Modadugu Hemanth Kumar
      Modadugu Hemanth Kumar

      Nice Idea.

      Author's profile photo Former Member
      Former Member

      Hi Peter,

      everything is working fine with this solution. But I got a question:

      The IS-U password has to be changed regularly, how to manage the change? Is there a functionality for changing automatically?

      Because if I use the reference option in KeePass and change the password of the referencing entry because of the change via sapgui. The referenced entry will have a wrong password for the next open of a different system.

      Thanks!

      Best regards

      Roman

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Roman,

      first of all yes, there are functionalities you can use. As you already found out, that can not use the reference option regarding the password. You have to deactivate that.

      If you use the link to logon to the system it will show up with the "enter new password" windows as soon as the password is expired or if you have logged in with an initial password or if you have requested an new password manually.

      In such case you use the autotype functionality of keepass. Therefore you must enable additional information in the window title of SAPGUI (>7.30 needed). You do so in SAPGUI->options->visualization 2.

      In Keepass you edit the entry, go to the Auto-Type tab and enter e new user defines sequence. The target window is the window with the new password request and the user defined sequence is

      {NEWPASSWORD}{TAB}{NEWPASSWORD}{ENTER}.

      If you do a right click on the entry and choose auto-type keepass will identify the selected window and will generate a new password for you and enter it into the dialog.

      If you want to initiate an new password, the sequence could be

      {INSERT}{S:CLIENT}{TAB}{USERNAME}{TAB}{PASSWORD}+{TAB}+{TAB}+{TAB}{ENTER}

      if you are in the client field the insert button is pressed and the systems goes into overwrite mode. The client is taken from a user defined field, username and password are entered and than it goes back three fields and presses the "change password" button.

      You can't combine both. Be aware, that you might already be logged in. Then the "you naughty boy"-window pops up und will disrupt the process...

      Hope this quick answer helps,

      Peter

      Author's profile photo Former Member
      Former Member

      Hi Peter,

      thank you very much for your detailed explanation. "Unfortunately" in our company the SAP GUI 7.20 is still in use, so at the moment it won't help me.

      But i will remember when it will be updated.

      Thank you and have a nice day!

      Best regards

      Roman

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Roman,

      are you able to change the registry on your client? If yes, please proceed as described in SAP Note 757964.

      Regards,

      Peter

      Author's profile photo Former Member
      Former Member

      Hi Peter,

      thanks for your reply.

      I can not call the SAP Note, it tells me that I need a username and password for the https://websmp130.sap-ag.de  - but unfortunately I don't have one therefore. How can I access the note?

      Best regards

      Roman

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Roman,

      you can show the information by setting the registry entry 'ShowAdditionalTitleInFo' under [HKEY_CURRENT_USER\Software\SAP\SAPGUI Front\SAP Frontend Server\Administration] to 1 (REG_DWORD). Default is 0.

      Regards,

      Peter

      Author's profile photo Former Member
      Former Member

      Hello Peter,

      thanks for sharing this very interesting information.

      One question: is it possible to open SAP entries which also includes a router string?

      (e.g. /H/194.76.44.213/H/98.55.139.39/H/)

      Best regards,

      Torsten

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Tortsen,

      yes, it is possible. In the above mentioned note it says in section 2.2.:

      "...specifies a logon using system name and logon group.

                          -gui="[/H/<saprouter1[/S/saprouterservice1][...]

                                        /M/<messageserver>/S/<service>/G/<group>"

      "

      Hope that helps.

      Peter

      Author's profile photo Meinrad Funke
      Meinrad Funke

      Hi Peter,

      thank you so much. Good idea! Works for me. I had to use the fully qualified path. But it was not difficult to figure out the following

      cmd://"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\sapshcut.exe" -system=xyz -client=300 -user={USERNAME} -pw={PASSWORD}

      Thanks again

      Meinrad

      Author's profile photo Former Member
      Former Member

      Nice Blog Good Information for sharing HNY 2014 for all

      Author's profile photo Douglas Marcel de Moraes
      Douglas Marcel de Moraes

      Peter, thanks a lot for share this feature with the community, it very helpful! Congrats!

      Let me ask you something. I have in my SAP Logon Pad, at least two entries with the same system name (PRD, QAS, DEV...). This way, if I press CTRL + U to open a determined entry, SAP tries to access the fisrt entry found in the entries list whose system name is "PRD", for example.

      This is the parameter that I'm using:

      cmd://sapshcut –maxgui -system=BFP -client=500 -user={USERNAME} -pw={PASSWORD} -command=SE16N

      I tried to use the parameter -guiparm with the description of the intended entry, but SAP issues the message:

      "Cannot split connection string: %s"

      How should I do in this case?

      Thanks a lot,

      Douglas

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Douglas,

      I think instead of "system name" you mean the system ID, right? If two systems have the same ID you can use the the option -sysname="<name of your system>" instead of -system=<system-id> which make the entries unique again.


      I hope this helps.

      Cheers,


      Peter

      Author's profile photo Trond Stroemme
      Trond Stroemme

      Very useful info. But, I guess if you use SSO and don't know your SAP password, it doesn't really apply. At our company we have 400+ systems (yes, four hundred), and SSO is really the only viable solution. Entering (and regularly changing!) such a number of passwords would not be possible.

      So, I guess KeePass is only a solution for non-SSO sites, right?

      Regards,

      Trond

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Trond,

      yes, if you have SSO possibility, then you don't need Keepass.

      May be one exception is if you use ABAP in Eclipse (ADT) for development pusposes. Thomas Alexander Ritter will know, if ADT is SSO enabled.

      Cheers,

      Peter

      Author's profile photo Thomas Alexander Ritter
      Thomas Alexander Ritter

      Hi,

      yes, ADT is SSO enabled.

      cheers

      Thomas

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Thank you Thomas for the information.

      Thus if SSO is used, Keepass is not needed.

      Author's profile photo Former Member
      Former Member

      Hi all,

      Since I am using various SAP systems simultaneously, I make use of the saplogon icon in the Windows taskbar. I right click on saplogon icon and I can select an active session. SID and client nr and user-id are mentioned.

      I miss this option when I use KeePass .. or .. actually I miss this option when using sapshcut.

      Do you know a solution for this?

      Nice scn contribution!
      Kind regards

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Dear R,

      when I click the link in Keepass I am not only logged in to the system, but also my saplogon opens. Then, when I left click the saplogon icon, I can see the open modus.

      So from my point of view it works as you requested. I am using

         saplogon.exe

         SAP Logon for Windows

         730 Final Release

         7300.1.0.1074

      on Windows 7 professional.

      Cheers,

      Peter

      Author's profile photo Former Member
      Former Member

      Great tips !

      Just one remark : on production system, it is easy : one system id, one client, 1 keepass entry. Just for that it is very useful.

      For development and quality environments, I have the same password for both environments and all clients and only 1 keepass entry.

      I can create 2 lines in keepass for the 2 system id, but for each client it is too huge

      I wonder if I can choose the client as a parameter after typing the "open url" option ?

      The other solution is to put the default client in the URL and use the auto-type option for the others.

      Thank you

      Author's profile photo Rainer Schuler
      Rainer Schuler

      Dear Anthony,

      in your case I would put the client number into the notes field.

      in the auto-type section the notes field can be used as {notes}.

      Then _duplicate_ the entry (right-click and choose option duplicate).

      In the upcoming popup choose "Replace user/pwd by reference".

      Thus you get a new entry which references to the old one. Username and password have to be maintained in the original entry only. in the new entry you just change the client in the notes field.

      Hope it's comprehensive and helps.

      BR, Rainer

      Author's profile photo Former Member
      Former Member

      Hello,

      Sorry for my late answer. I found 2 useful tools :

      - The "duplicate" option as you mentionned to have only one password to maintain.

      Disadvantage : You have to create one entry for each environment / clients. I my case, I have access to 13 environments and the developpement environments have sometimes 2 or 3 clients ...

      - The "PICKCHARS" key words that allow to enter a parameter before opening the URL

      Disadvantage : the pop-up needs to be more customizable (name of the field), more user-friendly

      The URL used for all SAP entries

      cmd://sapshcut –maxgui -system={S:SYST} -client={S:CLIENT} -user={USERNAME} -pw={PASSWORD}

      The custom parameters changes for each keepass entry :

      CLIENT : fixed entry if only one exist or  {PICKCHARS::ID=Mandant, Hide=False, C=3} for a parameter of 3 characters

      SYST : fixed entry

      Author's profile photo Former Member
      Former Member

      3 of the systems are now SSO enabled. In this case, the URL in keepass must be :

      cmd://sapshcut -system={S:SYST}  -snc_name="p:{USERNAME}@<your_domain>" -snc_qop=9 -pw=dummy -l={S:LANG}

      And the password is useless

      Author's profile photo Former Member
      Former Member

      Hello

      I know about sapshcut -?

      your reply is showing arguments

      -snc_qop=9

      -snc_name="p:{USERNAME}@<your_domain>"

      Are these unsupported keywords for sapshcut?

      Are there any other keywords?

      We are using some wrappers which are 'designing' command lines like ...

      "c:\Program Files (x86)\SAP\FrontEnd\SAPgui\sapgui.exe" 'FQDN' 03 SNC_PARTNERNAME="p:L=WOB, SN=GID: 12345678, CN=AAA, OU=Prozesse, O=company"  SNC_QOP=9 SNC_LIB="C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll"

      ... to start different sap systems automatically with smartcard logon

      snc_qop  -snc_name

        are looking like the 'secrets' to force sapshcut.exe to try a smartcard based logon

      Cheers Claus-Dieter

      Author's profile photo Former Member
      Former Member

      found answer by myself ... see sapnote 103019 ... next time google rather than program -? 8. Folgende Parameter sind seit 46D GUI Compilation 3 verfügbar: (File version: sapshcut.exe >= 659 and sapsmlib.dll >= 642) (File version: sapgui.exe >= 8852, bitte Hinweis 396559 lesen) a) Zur Unterstützung von SNC-Anmelden:     -snc_name="p:CN=SID, O=SAP-AG, C=DE" (SNC Name)     -snc_qop=9  (schaltet SNC-Anmeldung an)

      Author's profile photo Former Member
      Former Member

      Hi community,

      Unfortunately the mentioned Keepass Solutions are not working in my case, maybe the reason is that I am using SAP Logon 740. Could somebody support me with a working script?

      Thanks a lot in advance.

      cheers

      Author's profile photo Rainer Schuler
      Rainer Schuler

      cmd://sapgui.exe /SHORTCUT="–maxgui -sid=T80 -clt=100 -u={USERNAME} -pw={PASSWORD}"

      This command works fine for me with SAPGUI 7,40

      Author's profile photo Former Member
      Former Member

      Hi Yaj, Rainer,

      unfortunately has SAP changed the rule for the use of parameters as of SAPGUI 7.4 (see note 146173 (yes, it realy THAT old note!).

      So, what SAP says, the <password> parameter doesn't work for new entries made with SAPGUI 7.4.

      DONT BLAME ME FOR LOST DATA !! STOP here, when you are not experienced with text editors and manuall changes to the saplogon.ini  🙂

      You act on your own risk...

      However, MY workaround (sucessfully tested with SAPGUI 7.4 all versions including PL3, is as follows:

      0) Be carefull, manuall changes via SAPGUI 7.4 are LOST !! So be carefull !

      1) close SAP GUI (all systems incl. SAPLOGON Pad)

      2) that I maintain new systems and changes of parameters (appServer/IP-adress, name etc.)  manually by editing the saplogon.ini with a text editor.

      3) Then I make a backup of the file C:\Users\[myname]\AppData\Roaming\SAP\Common\SAPUILandscape.xml

      4) delete the original file (see 3)

      With the next start of SAPGUI the SAPUILandscape.xml file is created based on the updated saplogon.ini. And voilá, works fine for me.

      Good luck, and again, don't blame me for lost system-information !

      Marc

      Author's profile photo Former Member
      Former Member

      Hi Marc,

      many thanks for your reply. Could you please explain me what I have exactly to configure within the saplogon.ini? By the way I do not have a SAPUILandscape.xml, instead of that my folder contains the SapLogonTree.xml.

      Thanks for your support.

      Cheers.

      Author's profile photo Former Member
      Former Member

      Hi Yaj,

      please check the path you find in SAPLogon, Options, Options for SAP Logon, Local Configuration, and at the first path (local configuration path). I think, the SapLogonTree.xml is not used anymore (you can check be changing something and save, then the last modification date should be changed.

      In saplogon.ini at the following parameters need to be set;

      [Description]

      ItemXY=my system name

      [Server]

      ItemXY=123.234.345.456 (ot mysap.system.de)

      [Database]

      ItemXY=00

      [System]

      ItemXY=3 (seems to be always 3, but I don't have a documentation 🙂 )

      [MSSysName]

      ItemXY=SL0 (your system ID)

      [MSSrvName]

      ItemXY=when.you.need.a.message.server (or IP Adress)

      [SessManKey]

      ItemXY=-1 (always -1)

      [SncName]

      ItemXY= (always empty, except you have an SNC connection - but the you don't need Keepass)

      [SncChoice]

      ItemXY=-1 (always -1 for no SNC)

      [Codepage]

      ItemXY=1100 (your preferred codepage (always 1100 for me)

      [CodepageIndex]

      ItemXY=-1 (always -1 for me)

      Origin]

      ItemXY=USEREDIT (when you manually update the Appserver or MS_SEL_GROUPS when you've the message server lockup (I haven't used that)

      [MSSrvPort]

      ItemXY=sapmsSL0 (replace the last three digits with your system ID (see MSSysName)

      [LowSpeedConnection]

      ItemXY=0 (I have always high speed networks)

      [Utf8Off]

      ItemXY=0 (not sure what this means)

      [EntryKey]

      ItemXY= (empty)

      [EncodingID]

      ItemXY=DEFAULT_NON_UC (not sure what this means)

      [ShortcutType]

      ItemXY=0 (always 0)

      [ShortcutString]

      ItemXY= (always empty)

      [ShortcutTo]

      ItemXY= (always empty)

      [ShortcutBy]

      ItemXY= (always empty)

      [SncNoSSO]

      ItemXY=0 (always 0)

      I added always all line, not sure, whether they are required or not - just to be sure. It's a pain in the neck, but i works fine 🙂

      Good luck.

      Marc

      Author's profile photo Former Member
      Former Member

      Hi Marc,

      thanks a lot for your support so far. Unfortunately I am still getting the SAP Logon error message "Name or password is incorrect" after the execution of Rainers script in Keepass. As I mentioned the script is working fine, it just seems that the script is not able to insert the stored password from Keepass into SAP Logon 7.40. Would be happy if somebody has a solution for my problem.

      Cheers.

      Author's profile photo Former Member
      Former Member

      Hi Yaj,

      I use this Script:

      cmd://sapshcut -system={S:SystemID} -client={S:Client} -language={S:Language} -user={USERNAME} -maxgui -pw={PASSWORD}

      That works fine for me. The parameter "SystemID", "Language" and "Client" under "advanced" and "string fields". When the response is Name or password is incorrect" then probably, the password or user is wrong. The reponse, when the password can not be saved is, that the SHortcut menu opens, and says, password will not be saved or something.

      So, propably, you have another problem 🙂

      Thanks,

      Marc

      Author's profile photo Marko Graf
      Marko Graf

      Hello,

      now there is a more convenient way available to logon to SAP systems.

      Simply use the KeePass plugin KeeSAPLogon. See...

      http://keepass.info/plugins.html#keesaplogon

      Regards,

      Marko

      Author's profile photo Former Member
      Former Member

      Hello Marko,

      Thank you for your plugin, I just tried it. Here are my 3 remarks :

      1) Seems to not work with system using SSO (I have all my systems in Keepass, even the ones where passwords are not required)
      2) The references doesn't work. If you duplicate one entry and decide to use references, you will get a message like "User name {REF....} has exceeded the maximum length 12"

      3) No error message when connexion failed (wrong password)

      Author's profile photo Marko Graf
      Marko Graf

      Hello Anthony,

      to 1)

      The plugin doesn't support SSO login, because of the way of handle SSO login is complete different. SSO logons provided by specific SSO clients which are use certificates, not passwords. This is not the purpose of the plugin.

      KeeSAPLogon uses the assistance of sapshcut.exe, which only supports password based logon.

      Note:

      You can run both in parallel (password based and SSO based logon), but this need to be ensured by SAP configuration.

      The RZ10 profile parameter snc/accept_insecure_gui need to be set to '1' or 'U'. In case of value 'U' make sure that your user got the permission to password based logon (insecure logon) via SU01 setting (see tab SNC).

      Also ensure you stored a valid password within KeePass.

      See also...

      https://help.sap.com/saphelp_erp60_sp/helpdata/en/f3/fc53af92c5421891a31b7d1d525c5e/content.htm

      to 2)

      Need to research...

      to 3)

      Might be a leak of sapshcut.exe. Will have a look...

      I hope it helps.

      Regards,

      Marko

      Author's profile photo Former Member
      Former Member

      Hi Marko, I confirm you can use SSO with sapshcut.

      I do it in Keepass using URL, of course if the configuration is done on both server and client sides.

      In that case, the password is useless, it is just to have all systems in a single tool.

      The syntax is (I now use your field names)

      cmd://sapshcut -system={S:SAP ID}  -snc_name="p:{USERNAME}@{S:Your domain}" -snc_qop=9 -pw=dummy -l={S:SAP Language} -client={S:SAP Client}

      Anthony

      Author's profile photo Marko Graf
      Marko Graf

      Hello Anthony,

      I think about to include the SSO logon style into the plugin.

      Do you think this would be valuable?

      Of course, at the end the plugin is only filling the sapshcut arguments with the right values. Same as you do with cmd, but I guess the plugin is doing so in a more convenient way.

      Regards,

      Marko

      Author's profile photo Former Member
      Former Member

      Your plugin is useful to not have to fill each time the URL, and for someone that don't know the syntax expected by sapshcut.

      So yes please continue in this way !

      Don't know if it is possible, but a popup to fill system, client and langage ... without entering manually the variable names would be convenient ! (A nice to have for next versions 🙂 )

      Now I'm searching if I can display the column "SAP logon" only in SAP folders.

      In other folders, this column is useless

      Author's profile photo Marko Graf
      Marko Graf

      Thanks, for the input you gave.

      Regarding the column display option, I will have a look, if the program API from KeePass supports this requirement.

      Regards,

      Marko

      By the way, it would be nice, if you can leave your ideas and concerns at the projects home page KeeSAPLogon download | SourceForge.net.

      Author's profile photo Former Member
      Former Member

      Hello altogether,

      does anybody know a magic sentence to open the sap NWBC with KeePass? I found the following Link, but I did not get it to run.

      Greetings, Martin

      Author's profile photo felix zhao
      felix zhao

      Hello Peter,

      Good works, I have a problem with keepass, now my system enable SSO by default, but I need logon with many users everytime for test purpose, when I click item in keepass that specific username and password, but every time, I logon with own user because of SSO, So I want to know whether is there a parameter to make SSO disable in keepass?

      thank you

      best regards,

      felix

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Felix,

      thank you very much for your interest in Keepath and SAP logon. To do what you want your system needs to be configured in a certain way. Please have a look at the Q&A above. SSO has already been discussed and there were several suggestion what to do.

      Have fun,

      Peter

       

      Author's profile photo felix zhao
      felix zhao

      Hello Peter,

      Thank you for your kindly reply, I took a look at previous comments, all are about how to logon with SSO but not without SSO.

       

       

       

      thank you

      best regards,

      felix

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Hi Felix,

      this answer from above might help you.

      Please let us know, if it worked in you case.

      Cheers,

      Peter

       

      Author's profile photo Christopher Krumscheid
      Christopher Krumscheid

      Hi,

      I know that meanwhile there are maybe more convenient plug-ins available, but with bare KeePass 2.* functionality I have a proposal which I think isn't mentioned here: The way to re-use information without referencing or creating additional fields. It took a while until I found it. The key words in KeePass's manual are "Placeholder" and "Text Transformation".

      I guess most people will add the SID and the client number to the title of an entry just to find the right credentials. How can you use the information in the title? By using {TITLE} and substitute text by regular expressions

      Let's say title is ABC.666, so SID is ABC and client is 666. If you stick to this or any naming convention you could use the following as URL:

      	cmd://sapshcut -system={T-REPLACE-RX:/{TITLE}/....$//} -client={T-REPLACE-RX:/{TITLE}/^....//} -user={USERNAME} -pw={PASSWORD}

      This means for "-system=": Take the title and substitute the last four arbitrary characters by nothing. The substitution for "-client=" is the four first arbitrary characters. People familiar with sed, awk, vi or regular expressions in general will immediately understand. You can do anything with the text!

      For this entry this would be solved to:

      	cmd://sapshcut -system=ABC -client=666 -user={USERNAME} -pw={PASSWORD}

      So you can copy this URL into every entry. No additional custom fields, no references, no redundant data.

      Cheers,

      Christopher

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Thank you, Christopher for letting us know!

       

      Author's profile photo Momchil Minchev
      Momchil Minchev

      I guess everybody made something similar on their own:

      Check also my solution: http://edp.bg/kpsapbutton-project/

      Author's profile photo Peter Langner
      Peter Langner
      Blog Post Author

      Thank you Momchil, for sharing your solution.

      Author's profile photo Laurent BOUHELIER
      Laurent BOUHELIER

      Hello,

      I began to use keepass and the command line to connect to SAP and it's working well except in one situation.

      When you put non latin characters (Greek, Cyrillic, Hebrew...) in password or in username, they are replaced by "?" by sapshcut.exe and of course connection fails.

      Did anyone face such an issue ? How did you solve it ?

      Regards.

      Laurent

      Author's profile photo Peter Michael von Schubert
      Peter Michael von Schubert

      Dear all,

      what would be the URL in KeePass when there are multiple entries for system-id but different group/server & instances in SAP logon?

      As KeePass uses the first hit of system-ID (e.g. ERP) but this one has group/server (e.g. abc.de, instance 01) and the other entry is ERP with group/server (e.g. efg.de, instance 02).

      How to use the right command string in KeePass to adress it correctly?

      Regards,

      Peter

       

      Author's profile photo Robert Weber
      Robert Weber

      You can use the the option -sysname=”<name of your system>” instead of -system=<system-id>, see above ....

      In the SAPLOGON you also must have two different sysname for the same SID but with different servers and instances.

      Hope this will help.

       

      Regards

      Robert

       

       

      Author's profile photo Sandro Engelbrecht
      Sandro Engelbrecht

      Hi,

      is there a way to login to SAP via KeePass without creating an entry in SAP Logon? I tried to figure that out but it still does not work. 🙁

      Here is my not working result:

      cmd://sapshcut -gui="<SERVER> <INSTANCE> <SAPROUTER>" -system={S:SAP ID} -client={S:SAP Client} -user={USERNAME} -pw={PASSWORD} –maxgui

      Regards

      Sandro

      Author's profile photo Jude Bradley
      Jude Bradley

      Since 7.40 gui, this option is no longer possible https://launchpad.support.sap.com/#/notes/146173