How to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration
Comment by Matthias on 15.04.2013:
SAP has released (RTC) a new version of SAP NetWeaver Single Sign-On (version 2.0). The screenshots in this blog are from SAP NetWeaver Single Sign-On 1.0, so if you install the new version some screens will look different, since SAP improved the UI.
There is a completely new option available for Kerberos (SPNego for ABAP): http://scn.sap.com/docs/DOC-40178
Introduction
SAP NetWeaver Single Sign-On provides several possibilities to configure/implement a single sign-on scenario. At the moment (more are coming), the following scenarios are available:
The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how-to guide describes only how to configure the solution for SAP GUI for Windows with a Kerberos integration. If you are using SAP GUI and Web-based applications, you should check the version with the certificates (out-of-the-box -> no external PKI required), especially for intranet use cases. Furthermore SAML (third option) provides Web single sign-on capabilities without the need to deploy anything on the client side.
If you are interested in implementing the second option, please read this blog:
Detailed workflow of the scenario
Prerequisites and information
You need to download the product SAP NetWeaver Single Sign-On from SAP marketplace (-> you need a valid license)
System name: TDI, installed on D:
Operating system: Windows (the solution of course also works if the system is running on Linux/Unix -> see PAM)
Guide
1. Install the Secure Login Library (ON THE SERVER)
Create the folder D:\usr\sap\TDI\SLL
Change to folder D:\usr\sap\TDI\DVEBMGS00\exe\
sapcar -xvf SECURELOGINLIB.SAR -R D:\usr\sap\TDI\SLL
Change to the folder D:\usr\sap\TDI\SLL and verify the Secure Login Library status using the command snc.exe.
Verify that the PSE directory is set to D:\usr\sap\TDI\DVEBMGS00\sec (shown as "existing").
2. Check the Microsoft Environment Variable SNC_LIB and the Kerberos Entry in MS Active Directory
Check if SNC_LIB is set to C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll
If not, please add the entry (FOR SAP GUI for Windows)
With the next steps we take a look at the Kerberos configuration in Microsoft Active Directory. Call Start -> Run. Enter adsiedit.msc to call the MS support tool for Active Directory. Press the OK button.
Open the tree Domain -> DC=fair .. (change to your environment) and OU=SCI266 (change to your environment). Right-click CN=Kerberos TDI (change to your environment) and select Properties.
The value of the attribute servicePrincipalName is set to SAP/KerberosTDI. Close the application without saving anything.
3. Create and Configure the Secure Store Environment (pse.zip) -> on the server
Make sure that you are in the folder D:\usr\sap\TDI\SLL.
Create the security store (pse.zip) with the following command:
snc crtpse -x 1234567890 (use a secure password here instead!)
Verify if the secure security store is available using the command snc.exe. You will see that PSE does now exist […pse.zip (existing)]
Make sure that you are in the folder D:\usr\sap\TDI\SLL. Create the Kerberos KeyTab with the following command:
snc crtkeytab -s SAP/KerberosTDI@fair.sap.corp -p abcd1234 (-> use the correct password of your environment).
Verify if Kerberos KeyTab entries are available using the command snc.exe. Everything is fine if 4 entries for Kerberos KeyTab are listed.
4. Configure SNC for SAP ABAP Server
Start transaction RZ10. Import the profiles of the active servers by selecting Utilities ->Import profiles -> Of active servers.
Select the Instance profile of the TDI system TDI_DVEBMGS00_MADR… and select Extended maintenance. Press the Change button.
Compare the listed SNC parameters with the table of SNC parameters below.
You need to change the following SNC parameters (adapt the values to your environment):
snc/enable = 1
snc/gssapi_lib = D:\usr\sap\TDI\SLL\secgss.dll
snc/identity/as = p:CN=SAP/KerberosTDI@fair.sap.corp
Information on related profile parameters:
Parameter | Description
snc/enable | Set this parameter to activate SNC on the AS ABAP. 1: SNC is activated
snc/gssapi_lib | Specify the path and file name of the GSS-API V2 shared library. D:\usr\sap\TDI\SLL\secgss.dll
snc/identity/as | Specify the SNC name of the AS ABAP with this parameter. Format: <name type>:<external name> or <name type>/<product>:<external name>. p:CN=SAP/KerberosTDI@fair.sap.corp
snc/force_login_screen | Set this parameter to display the logon screen even if SNC is enabled. 0: the logon screen is only displayed when necessary. 1: the logon screen is displayed for every logon
snc/permit_insecure_start | Set this parameter to permit the starting of programs without using SNC-protected communications, even when SNC is enabled… 1: start programs without SNC-protected communication
snc/accept_insecure_rfc | Set this parameter to accept unprotected incoming RFC connections on an SNC-enabled AS ABAP. 1: accept all unprotected RFCs
snc/accept_insecure_gui | Set this parameter to accept SAP GUI connections that are not protected with SNC on an SNC-enabled AS ABAP. 1: accept unprotected logons
snc/accept_insecure_cpic | Set this parameter to accept unprotected incoming CPIC connections on an SNC-enabled AS ABAP. 1: accept unprotected connections
snc/r3int_rfc_qop | Use this parameter to set the quality of protection for internal RFCs that use SNC protection. 8: use the value from snc/data_protection/use
snc/r3int_rfc_secure | Use this parameter to specify that SNC should be used for internal RFC communications initiated by the AS ABAP. 0: internal RFCs are unprotected
snc/data_protection/use | Use this parameter to set the default level of data protection for connections initiated by the AS ABAP. This parameter applies to CPIC and RFC connections only. 3: data privacy protection
snc/data_protection/min | Use this parameter to set the minimum data protection level required for SNC communications. 2: data integrity protection
snc/data_protection/max | Use this parameter to set the maximum data protection level for connections initiated by the AS ABAP. 3: data privacy protection
Now restart the application server to activate the new SNC parameters.
5. Install the Secure Login Client
Please install the Secure Login Client on the PC/laptop where the SAP GUI is installed. Use the wizard and choose the complete option.
Start the Secure Login Client with the application icon in the taskbar.
The entry in the Secure Login Client should look like this:
6. Configure SNC for SAP GUI Application
Please create your entry in SAP GUI to connect to the system.
Set the flag Activate Secure Network Communication and enter p:CN=SAP/KerberosTDI@fair.sap.corp as the SNC Name.
7. Configure SNC User Mapping in SAP User Management
Start transaction SU01 and enter SCI264 (the user who will access the system via SAP GUI, i.e. the end user on the Microsoft client) in the User field.
Maintain the field SNC name. SNC name: p:CN=SCI264@FAIR.SAP.CORP
Now you can test your scenario. You should be able to use SSO from the SAP GUI for Windows to a SAP system.
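Before testing, it helps to check that the three places where the service identity appears (the servicePrincipalName in AD from step 2, the principal given to snc crtkeytab in step 3, and snc/identity/as in the instance profile from step 4) really agree, and to see which snc/accept_insecure_* settings still let unprotected connections in. The following script is an added example written for this blog and is not SAP or Secure Login Library code; the profile fragment, AD_SPN and KEYTAB_PRINCIPAL are constructed from the values used in the guide, and the assumption that an absent snc/accept_insecure_* parameter counts as 0 is marked in the code.

```python
import re
from typing import Dict, List

# Constructed instance-profile fragment (not a real system) with the guide's values:
# system TDI, SLL under D:\usr\sap\TDI\SLL, service principal SAP/KerberosTDI
# in the Kerberos realm fair.sap.corp.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = TDI
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = D:\\usr\\sap\\TDI\\SLL\\secgss.dll
snc/identity/as = p:CN=SAP/KerberosTDI@fair.sap.corp
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/data_protection/max = 3
"""

# Assumed facts taken from outside the profile: the servicePrincipalName attribute
# of the AD service account (seen in adsiedit) and the principal passed to
# "snc crtkeytab -s".
AD_SPN = "SAP/KerberosTDI"
KEYTAB_PRINCIPAL = "SAP/KerberosTDI@fair.sap.corp"

IDENTITY_RE = re.compile(r"^p:CN=(?P<spn>[^@]+)@(?P<realm>[^@]+)$")
INSECURE_PARAMS = ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                   "snc/accept_insecure_cpic")
LEVEL_PARAMS = ("snc/data_protection/min", "snc/data_protection/use",
                "snc/data_protection/max")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of an SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def audit_snc(params: Dict[str, str], ad_spn: str, keytab_principal: str) -> List[str]:
    """Return findings: ERROR (SSO cannot work), WARN (weak setting), INFO."""
    findings: List[str] = []

    if params.get("snc/enable") != "1":
        findings.append("ERROR: snc/enable must be 1 to activate SNC")

    if not params.get("snc/gssapi_lib", "").lower().endswith("secgss.dll"):
        findings.append("ERROR: snc/gssapi_lib does not point to the Secure Login Library secgss.dll")

    match = IDENTITY_RE.match(params.get("snc/identity/as", ""))
    if match is None:
        findings.append("ERROR: snc/identity/as must have the form p:CN=<SPN>@<realm>")
    else:
        spn, realm = match.group("spn"), match.group("realm")
        if spn != ad_spn:
            findings.append(f"ERROR: SPN '{spn}' in snc/identity/as differs from "
                            f"servicePrincipalName '{ad_spn}' registered in AD")
        if f"{spn}@{realm}".lower() != keytab_principal.lower():
            findings.append(f"ERROR: '{spn}@{realm}' has no matching keytab entry; "
                            "the server cannot acquire accepting credentials")

    for name in INSECURE_PARAMS:
        value = params.get(name, "0")  # assumption: an absent parameter behaves like 0
        if value != "0":  # "1" and list values such as "U,1" both admit unprotected connections
            findings.append(f"WARN: {name} = {value} accepts connections that are not SNC-protected")

    try:
        low, use, high = (int(params.get(k, "0")) for k in LEVEL_PARAMS)
    except ValueError:
        findings.append("ERROR: snc/data_protection/* values must be integers")
    else:
        if not 1 <= low <= use <= high <= 3:
            findings.append(f"WARN: data protection levels min={low} use={use} max={high} "
                            "are not ordered 1 <= min <= use <= max <= 3")
        elif low < 3:
            findings.append(f"INFO: snc/data_protection/min = {low} still allows sessions "
                            "without privacy (encryption) protection")
    return findings


if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE), AD_SPN, KEYTAB_PRINCIPAL):
        print(finding)
```

Run against the guide's values the script reports no errors, three warnings for the snc/accept_insecure_* parameters set to 1, and an informational line for min = 2. Replacing snc/identity/as with a name whose SPN was not registered for the service account (as in the comment thread below) produces the two ERROR lines, which is the configuration state behind the "Accepting Credentials not available" message in the dev_w trace.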
Hi Matthias very good blog which I'm trying to follow at the moment.
One basic question, is the Kerberos Configuration check screenshot that you perform in Active Directory against the User Account or Computer Account (in your example CN=Kerberos TDI) ?
Thanks
At point 2? The screenshot of AD? This is the service user not the user account.
Regards
Matthias
So just to clarify, this is not the SAPServiceSID account for the SAP server that we install the libraries onto? Is this a totally new account not created by any SAP install?
Thank again
Mark
Yes, it is a new account.
Remark:
Theoretically you can use this user for various SAP system, but we do not recommend this.
Regards
Matthias
Hello Matthias
I have 2 questions?
- Item 2 in the configuration made in AD, the SPN would be on the server or User?
- Where is the User Service "SAP" would be the name of the server?
Example: In my case the User Service is named SVC-SAPPRD.
The Server Name and SRV-ECCPER.
In this case the SPN is:
SRV-ECCPER/svc-sapprd @ XXXXX.corp
Thank you.
It is based on the user.
In my example (SAP/KerberosTDI) TDI is the name of the system. It is independent from the server (system can run an several instances).
So in my case the user is KerberosTDI with the SPN SAP/KerberosTDI.
Regards
Matthias
Look you can help me:
After changed the SPN -> SRV-ECCPER/SVC-SAPPRD@localiza.corp
Archive DEV_W
********************************************
.
.
SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=D:\usr\sap\EPE\SLL\secgss.dll
N File "D:\usr\sap\EPE\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N SncInit(): found snc/identity/as=p:CN=SRV-ECCPER/SVC-SAPPRD@Localiza.corp
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SRV-ECCPER/SVC-SAPPRD@Localiza.corp"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 239]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11329]
.
.
*********************************************************************************
Here the parameters RZ10 Profile.
**********************************************************************************
snc/force_login_screen = 1
login/create_sso2_ticket = 1
ssf/name = SAPSECULIB
ssf/ssfapi_lib = D:\usr\sap\EPE\DVEBMGS33\exe\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\EPE\DVEBMGS33\exe\sapcrypto.dll
snc/r3int_rfc_qop = 8
snc/identity/as = p:CN=SRV-ECCPER/SVC-SAPPRD@Localiza.corp
snc/permit_insecure_start = 1
snc/r3int_rfc_secure = 0
snc/accept_insecure_r3int_rfc = 1
snc/data_protection/use = 3
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/gssapi_lib = D:\usr\sap\EPE\SLL\secgss.dll
snc/enable = 1
snc/accept_insecure_gui = U,1
**************************************************************
Many thanks for the help
Regards
Ederson Meneses
Am I right assuming that this case does NOT require the secure login server?
Also, can you add multiple keytabs so that you can support multiple kerberos realms?
(i.e. Windows domains in my case).
i.e. usera@domain1.companyA.com and userb@domain2.companyB.com
can both sso to a single SAP system so long as the relevant SU01 entry is defined in the SAP system. USERA and USERB are separate SAP users defined in SU01
Andy.
Hi Andy
Yes we are not using the Secure Login Server at all, just the Secure Login Client and the Secure Login Library.
Yes you can also use multiple Domains, (see page 28 of the Secure Login Library guide). I am trying to configure this at the moment but having a few issues...
I have created 2 service accounts with SPNs - 1 in each Domain and generated a KeyTab for each, then added them both to the PSE. The 1 account works ok (snc test -n ....) but the other one fails. The 1 that passes is in the same Domain as the ABAP server whereas the failed one is in a different Domain to the server.
Maybe Matthias can shed some light?
Mark
Matthias, I've read through many of your blogs and solutions and what is quite frustrating is you fail to mention in most of your documentation what version of Netweaver to which the specific solution is applicable.
We sold and installed for our client an ECC 6.0 EHP5 Netweaver 7.02 solution - (ABAP ONLY) with our Best Practices solution. We also installed Netweaver Business Client for the majority of end users to use and SAP Gui for a few power users.
I installed SSO for the SAPGui using Kerberos certificates and authentication with the Domain controller and all is working well. Our client is also expecting, naturally, SSO to work for NWBC as well.
Please tell me what solution to use for NWBC SSO on an ABAP only system with Netweaver 7.02 - is this even possible without a large capital expenditure?
Possible options I've read about:
1. Netweaver SSO 1.0 SP4 (need NW 7.3?)
2. X.509 certificates using SAP TCS ( Need NW 7.3)
3. Install a Java instance (we have Netweaver 7.02) and use this for authentication.
Thank you.
Hi Dugan,
I can understand your frustration. SCN is not a replacement of SAP PAM (release info), it is not replacing help.sap.com and it is sharing knowledge by choice.
I analysed also different SSO options for NWBC but I am not ready yet and I plan to share again my knowledge when I am ready.
Based on my current knowledge, I would recommend to use:
-SAP NW SSO 1.0 with X.509 certificates (so this blog is another implementation option), only secure login server needs a NW 7.2/7.3
-SAP Logon Tickets (but there are perhaps some challenges with the encryption of SAP GUI communication). If you want to have a MS AD integration you need here again a SAP NW Java server -> SPNego
Both technologies are used already by many very large companies.
I don't know if SAP TCS is applicable for many end users.
Regards
Matthias
Hi Matthias
So are you saying that currently the configuration described in your blog here does not support NWBC and only supports SAPGui ?
Thanks
Mark
Hi,
This scenario will work only for SAP GUI for Windows. Not for NWBC for Windows. NWBC for Windows is a combination of SAP GUI for Windows and a Web Browser. This makes it so difficult. The first request is always a HTTP request, after that NWBC can call also a SAP GUI for Windows based application.
So for NWBC this will work:
http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-with-certificates-out-of-the-box
Please check also our new videos. Same scenario but a video.
http://scn.sap.com/docs/DOC-40179
Of course this scenario allows also an integration with MS AD or any other LDAP.
Have a nice weekend
Matthias
Hi Matthias,
Thanks for this blog. It guides a lot !!
We are configuring the SSO for our SAP BI system (we have BEx reporting (Excel based), Web Reporting, Precalculation and IGS services) based on PKI cards. But the first scenario (SAP GUI for Windows with a Kerberos integration) does not support Web based applications as you mentioned in the blog. The 2nd scenario does not require PKI card.
Can you provide some documentation on Combination of these 2 scenarios.
Also we are testing for our Development system and GUI is logging fine but for BEx its giving error.
Can you please provide some suggestions on my queries.
PS: I'm a BI consultant.
Best Regards,
Kiran
Hi Kiran,
an answer depends on your PKI cards provider. The following scenario is a common one:
Most PKI providers are integrated with the Microsoft Certificate store. So the card middleware puts the X.509 certificate into this store automatically. So you can configure Secure Login Client to use this certificate for SSO for SAP GUI. Furthermore you can use this certificate for Web SSO. If this is the case you have to configure your landscape in the similar way I described in my blog with the X.509 certificates but without using Secure Login Server, because in your special case the certificate is coming from your third party PKI/smart card.
So in this case you authenticate with the certificate on your smart card but you do not use the Kerberos integration of SAP NW SSO (as described in this blog).
Regards
Matthias
Hey Vicki -- we are also thinking of a very similar approach but we are in the piloting phase. Are you able to shed more insights on this? I'd love to connect with you to see the pros/cons in your deciding the SSO method as well as business feedback from users.
Joe
Hello Mathias
We are planning to setup Windows Kerberos setup for SSO to SAPGUI (without using SLS). We see that it is possible for the user to "Log In" in the Secure Logon Client (SLC) with a blank user and password field (that is user has the possibility to enter another user's credentials to get a kerberos ticket which would be a security risk that he could use that to login to any SAP system configured with SSO).
Could you help us understand how we can prevent this? Also if you could help us understand why such an option would have been provided in the first place? Would it be required for any "use case"?
Thanks
Chandrakanth
Hi,
this logon screen is for use cases like:
- authentication via LDAP in combination with secure login server
- authentication via RADIUS in combination with secure login server
- login/logoff manually
The standard Kerberos integration does not require to type in user or password.
So I would guess that you perhaps choose the wrong installation option of secure login client --> option: Kerberos Single Sign-On
Regards
Matthias
Hi Matthias,
I've implemented SNC via sapcryptolib a year ago on a sandbox environment:
• set principal name
• install sapcryptolib + environment variables (SECUDIR (sec path) + SNC_LIB (gx64krb5.dll))
• set instance parameters
• install Kerberos DLL (gsskrb5.dll) + environment variable (SNC_LIB (gsskrb5.dll))
• on 2k8 / 7 - re-enable local policies for kerberos
• map users on ABAP
For now, one customer want to implement SSO and buy NW-SSO-Licenses, but they don't have any Java in their environment. I've searched and found some information (including your how-to), but I'm a bit confused.
• What is the difference between the 'simple' way I've setup and the 'new' way via NW-SSO (SSO Client and SSO Library)?
• Why should I buy NW-SSO-Licenses, if I get it worked without any investigations?
• And what if, my company is hosting the SAP servers with an extra SAP domain and the customers just connect to the SAP servers through a SAPRouter? What's about the domain trust relationship between the SAP domain and the customer domain? Is it unnecessary with the 'new' NW-SSO implementation?
Thanks for any advice.
Best regards,
Tobias
Hi Tobias,
Not all scenarios of SAP NW SSO require a Java server. This blog is a scenario without a java server.
You are describing an implementation without SAP NW SSO and you are asking why you should use SAP NW SSO. The answer is very simple. You are describing a spot solution which works only in pure Windows environments and only for SAP GUI. But most customers expect more. They want to have a holistic SSO solution. They want support for non Windows OS systems on client or server, support of LDAP integration, Web SSO, NWBC support, non SAP support, integration into the cloud world, 2 factor authentication, partner integration, support of public authentication standards, support of other SAP native clients,....
The advantage of SAP NW SSO is, that you get a "SSO suite". The solution contains many modules and the customers choose the ones, which fits to his requirements and he can change it also later. We add also new innovations to the product.
Furthermore you are describing a solution where SAP is not the owner of the whole code. So we are not able to make changes and customers expect an end-to-end support. Furthermore there are some security related arguments, which I don't want to mention here.
SAP NW SSO supports also scenarios without a trusted domain relationship.
Regards
Matthias
Hi Matthias,
thanks for your quick reply, that brings some light in the darkness.
Ok, so switching to NW SSO implementation gives us and our customers the guarantee for the future to implement some other applications, like Java or Web SSO?
Found the part for non trusted domains in the Secure Login Guide, I will check NW SSO out, thanks for your how to.
Regards,
Tobias
We are supporting already now Web applications (ABAP, Java, non-SAP) via SAML or automatic created short living certificates (secure login server). Furthermore we plan new Web SSO options. But you decide which component you will implement depending on your business needs.
In secure login server you can maintain already today different independent domains. Same for SAML. For "Kerberos only" this question was answered by Frane Milicevic (SAP colleague) in this community. I need to find this information again 🙂
Regards
Matthias
Hi Matthias
We have a ASCS + 2 SAP app instances kind of setup. Which means load balancing.
I setup Kerberos config and keytab for each app instance separately.
Does ASCS also require something?
Also our GUI entries for these systems are setup for load balancing (message server + SMLG group based).
I noticed that unless you specify a hostname in the GUI entry, you are not allowed to choose the SNC encryption check box in the network tab. But we roll out our SAP GUI configuration with sapmsg.ini and hence the GUI entries by default don't show the hostname. How do we deal with this problem?
Also with SAP systems having multiple application servers, would it not be easy to have the configuration in the Default profile rather than each instance? Could we not put SLL in a shared location that each instance could access? The same question about how load balancing + SSO works for SAP systems with multiple instances.
Hi,
The Kerberos keytab contains Kerberos principals and encrypted keys that are derived from the Microsoft Windows user password. Therefore a Microsoft Windows account in Microsoft Active Directory is required.
--> so the service principal name depends on the SAP system not on the server. It is of course related to the server name of the MS AD.
The solution works of course also for systems with many application servers.
Regards
Matthias
hi Matthias,
Sorry my question might not have been clear
Yes we do understand that a AD user is required
scenario :
1 SAP system SID
2 application servers : hosta and hostb
1 ascs instance : hostc
AD user created , setspn with SAP/KerberosSID
Setup SLL on the 2 application servers and created ktabs on both servers with same spn
a) Do i need to do any configuration on the ASCS instance for SSO?
b) in the SAPGUI , for the sap system entry SID, if i put the message server details and the SNC name, will it perform load balancing like it used to without SNC configuration?
c) Instead of doing the SLL configuration on each host, would it not be easy that we put SLL in a shared location to which all sap instances of that system have access, which is like /sapmnt/SID/SLL ?. This way maintenance could be easier because the update can only be done at one place and also the parameters can be made in the default profile instead of the sap instance profiles?
Thanks
Chandrakanth
Hi Chandrakanth,
here my answers to your questions:
Answer to question a)
ASCS will receive the "correct" SNC name from the application servers. So you don't need to configure anything in ASCS.
Answer to question b)
Loadbalancing will work as before (with or without SNC). In this "group/server selection" mode you cannot change SNC name (only enable/disable SNC).
Answer to question c)
This is possible.
Best regards,
Frane
Hello Frane
About b) if you could please elaborate what you meant by "cannot change SNC name"
About c). By putting the SLL directory on a shared path which can be accessed by all application servers, say /sapmnt/SID/SLL , do you think there could be any NFS, etc problems? The libraries within will be in use by all application servers of the SAP system from an nfs rather than a local directory. Would you foresee any problems with it?
My idea was that putting SNC parameters into a default profile and the SLL folders in a common directory would help reduce efforts . The guide somehow is very explicit about snc parameters to be in "instance profiles" and also about SLL under the local instance directory. Appreciate if you could help understand why this is
Have a new question d). The guides mentions about two files to be maintained in $HOME/sec which are sec_log_file_filename.txt and sec_log_file_filelevel.txt. Typically for a SAP system with multiple application servers, the home directory of a sidadm user is shared . This means the two files mentioned would have the same content on all application servers.
Is it possible that i can make these files read from a different directory than $HOME/sec so that i can have different content for each application server?
If not, is there a way that i can put the content in the filename in such a way that it has "hostname" also in it? (it already has something for %.PID.%). This way i can be sure that the trace files on all four application servers will be differe
Hi Matthias, Frane
Please could you clarify my questions above when you get the chance. We are almost ready to start our program to setup SSO.
Also we already use kerberos/spnego for our portal applications. There we sometimes face the problems documented in SAP note 1283986. Could the same symptoms be experienced in SAP GUI SSO also?
Hi Chandrakanth,
Related to answer b)
I mean you cannot change the SNC name in SAP Logon (SAP GUI) application, if you are using the loadbalancing option (snc name is grayed).
Related to answer c)
This depends to you network access/right management.
If you want to be on the safe side, deploy to every application server a "local" folder (local access).
What about configure for the profile parameter snc/gssapi_lib the value $(DIR_INSTANCE)\SLL\secgss.dll ?
Answer to question d)
Typically this option will be enabled to analyze problems in Secure Login Library.
Again my suggestion, use local Secure Login Library installation with local
log file configuration.
If there are different application servers available in one hardware, you can adjust/distinguish the path in sec_log_file_filename.txt for every application server.
You can use $HOME/sec or /etc/sec
Answer to new question related to SPNEGO in AS JAVA
This is an issue related to the Kerberos implementation (checking time/date information in Kerberos ticket).
Yes, this has also an influence to the Kerberos implementation in AS ABAP.
Best regards,
Frane
Hello Frane
Many thanks.
c) Yes we could put this in the Default profile by using $(DIR_INSTANCE)\SLL\secgss.dll etc. However would you know why the guide explicitly mentions "Instance profile"? Maybe there were issues identified by putting this parameter in the Default?
d) Understood that we can give a path in the sec_log_file_filename.txt, but this path must be the same on all application servers as the file content is going to be the same. And we don't have any such path common to all application servers which is meant for SAP use. Would there be any format I could use to ensure that these log files always get created inside $(DIR_INSTANCE)/SLL/logs etc? Or maybe is it possible to put %hostname% (like we have %.PID.%) to make the logs distinguishable etc? I tried these two options but they won't work. Appreciate if you could suggest some ideas.
e) The Kerberos time question. Thanks for highlighting. In case of portal, a nice message is given to the user indicating that the time is out of sync for the issued Kerberos token. How or what kind of message would a GUI user get? Though we have a good Active Directory domain setup and all the domain controllers are synced to a common time source, our Unix servers (on which SAP is running) are synced to a different time source. Hence we could expect that this issue can happen. Would you know how the error message would look like? If not, can we reproduce this somehow?
Thanks
Chandrakanth
Hi Chandrakanth,
Answer to c)
The guide provides configuration options. Please feel free to adapt to your own requirements.
Answer to d)
In this case I would like to recommend to ask for consulting support.
This forum is maybe not the best place to provide customer specific solutions.
Answer to e)
You can test by yourself, if you change the time on the desired SAP AS ABAP (test) server.
Best regards,
Frane
Hello, Chandrakanth.
Did you manage to setup your SSO successfully for a system with logon groups? Can I know how?
I already setup SSO on our Sandbox and Dev systems which happened to have only 1 application server. Now I am about to setup SSO in our Test systems with the same as you have (ASCS and 2 apps server).
Appreciate if you could share the setups you did for this..
Have a great day!
Regards,
Florence
Hi,
when I try create Kerberos KeyTab, I get the following error.
sapr3-test:prdadm 53> snc crtkeytab -s hosts/kerberosPRD@ORION.LOCAL -p password
------------------------------------------------------------------------------
------------ crtkeytab -------------------------------------------------------
------------------------------------------------------------------------------
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################
PSE password >********
WARNING: Kerberos service user name contain a '/', this is unusual !
Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM
Kerberos principle name must contain a '@'!
Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM
problem solved.
the problem was the version of snc_lib.
The validated version for linux is SLLIBRARY02_4-20008874.SAR
Hello Matthias
This was a very helpful blog for setting up the SSO in our current project. Many thanks.
We have a scenario of SSO to solution-ise and we are looking for support. We successfully established SSO for desktop and html (NWBC) to SAP ABAP server directly.
The project has a requirement to login a blackberry user (only Managers - around 50) directly (SSO) to SAP to approve/reject leaves (There will be a direct link to NWBC from HCM).
Is there any way to use SPNs and achieve this single sign-on for blackberry user? Or how can the blackberry users receive the kerberos token which is normally installed via the secure logon client on desktops. Our blackberry users get an email in the Outlook with links to approve and reject leaves (using NWBC). When they open the links, the single sign on has to be achieved. We are struggling to pass on the Kerberos token to the blackberry client. ( Outlook on blackberry is already signed in and they try to open a link from the email which needs SSO to backend ABAP Server)
Request your suggestion, please.
Regards
Sai
Hi Sai,
I do not have much experience with Blackberry. The problem is that the devices themselves have to support SSO standards. Of course there are other techniques available like app wrapper ... to provide a solution.
I know that Apple start to support Kerberos and SPNEGO for Web based applications. In this case you can use SPNego for ABAP and SPNego for Java.
Mobile Single Sign On from iOS 7 to SAP NetWeaver
Similar to Samsung. They plan to provide something in Samsung Knox.
Of course SAML supports also Web based applications on mobile devices. But you want to pass a Kerberos Ticket on the mobile device and I am not an Blackberry expert.
Currently I would recommend to ask the question in the SAP mobile community: http://scn.sap.com/community/mobile
Regards
Matthias
Thank you for the reply Matthias. I have posted in the mobile community now.
Matthias,
We do have SNC enabled with external PKI cards on our SAP systems.
For our external business partners, since they don't have PKI cards, we are planning to use user ID and password, but we would still like to use SNC (so that the password is not sent in clear text). We are having issues when we try that, with the message
"Unable to establish security context".
Do you have any suggestions?
Regards,
Srini
Dear Srinivasta,
Please, provide more details:
1) Do you have a success with enabling the SNC with external PKI cards for your company users?
2) What is the application used by your external business partners for authentication and is this application inside or outside of the Firewall of your company?
3) If possible, provide more details about the landscape (systems you are trying to connect with SNC).
Best regards,
Donka Dimitrova
1) Yes, we have successfully implemented PKI card based authentication for our internal users
2) External users are outside our firewall and they will use SAPGUI to login but they do not have PKI cards.
Hi Srini,
you are currently using SAP NW SSO for SNC - right?
About which userid and passwords are you talking (related to partners) -> maintained in SAP, LDAP, Domain users, .... ?
Regards
Matthias
Hi Matthias,
This is a great blog, thanks. We are looking to deploy NetWeaver SSO 2.0 for SAP GUI for Windows to connect to ABAP systems, which looks like exactly your use case. Could you confirm if the above blog is still current for SSO 2.0 SP2? Your comment above seems to suggest it is, but I wondered if there was a more current view. If not, I'll try and create one as we deploy it.
Thanks,
Ian
Hi Daniel,
These videos are newer: http://scn.sap.com/docs/DOC-40178
Just skip the SPNEGO part if you only would like to have SNC.
Regards
Matthias
Thanks, I'll have a look.
All the best,
Ian
Hi All,
We are planning to configure SSO, as of now our landscape is ERP: DEV, QAS & PRD along side with SolMan.
The requirement is to configure SSO between PRD, QAS & SolMan but not Dev.
I would like to know the requirements & pre-requisite to configure SSO.
Thanks & Regards
Ahsan
hello,
Where I'm currently working (as an external), we use SAP Single Sign-On.
With a customer PC, I can use the single sign-on,
but as I have my own computer it doesn't work. I imagine that the reason is that the Windows account I'm using to log on to the laptop is different from the account provided by my customer.
Is there a way to make it work?
regards
Seb
Dear Sebastien,
Most probably you have been provided with a Domain UserID and password by your customer in order to be able to work with their systems, but you can use these credentials only from the "customer PC" because these PCs are recognized by the customer Domain. Your personal computer most probably is not registered in this customer domain and this is why you are not able to use the same credentials (UserID and Password) provided by your customer to log on to their Domain and systems with your laptop. Also if you are using different credentials (UserID and Password), they most probably authenticate you for log-in locally on your own laptop, outside of the customer Domain.
Kind regards,
Donka Dimitrova
Dear Experts,
The demo above is excellent and gives deep insight for setting up SSO for SAP applications. We recently bought licenses for SAP SSO and are currently in the pilot run phase. We are done with the SAP ABAP and Java system SSO setup, which is working fine with no issue; however, non-SAP web applications are a challenge, for example BMC Remedy and a couple of home-developed Java based applications. These applications support X.509 certificates. We tried to find docs but unfortunately had no success.
How do we take non-SAP application SSO enablement forward... any hint please....
Regards,
Uday.
Hi Udayveer,
Have you checked also this blog about SSO with certificates:
http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-with-certificates-out-of-the-box
Kind regards,
Donka Dimitrova
Hi All,
We are planning to configure SSO, as of now our landscape is ERP: DEV, QAS & PRD along side with SolMan.
The requirement is to configure SSO between PRD, QAS & SolMan but not Dev.
I would like to know the requirements & pre-requisite to configure SSO.
Thanks & Regards
Ahsan
Hello Ahsan,
Please, find the Product Availability Matrix (PAM) for the SAP NetWeaver Single Sign-On 2.0 product here: https://websmp107.sap-ag.de/~sapidb/011000358700000373232013E
Here is also an SAP Note: 1808526 - Release Note SAP NetWeaver Single Sign-On 2.0
where you will be able to find the information about the requirements and prerequisites.
Please, notice that you need a valid licence to use SAP NetWeaver SSO 2.0 product.
Best regards,
Donka Dimitrova
Dear Donka,
Thanks for the info.
In our requirements, we need to configure SSO between domain user IDs, SAP user IDs and users' email IDs.
Is it possible to configure SSO if user IDs are different in the domain, in SAP and in the email IDs?
Can this SSO be done even on email IDs?
Thanks & Regards
Ahsan
Hello Matthias,
We have configured the SSO with SecureLibrary 1.0 and Secure Client 1.0 for SAP GUI two years ago. Now we would like to configure NWBC SSO. I read that the Secure Client and the Secure Library 2.0 is a must. Is there any document which describes the upgrade procedure?
Regards,
Alexander Tuerk
Official documentation of SAP NetWeaver Single Sign-On:
3.3 Migrating Secure Login Library to SAP NetWeaver Single Sign-On 2.0 from 1.0
Secure Login for SAP Single Sign-On Implementation Guide
But it is more a simple update than an upgrade ....
Yes, you need for NWBC SPNEGO for ABAP which is only part of 2.0.
Regards
Matthias
Hi Matthias
We have configured SSO between SAP Portal 7.30 and SAP ECC 6.0 (ABAP only) servers. Both SAP ECC and SAP Portal servers are configured on an AIX environment. In SAP Portal, the user ID is created as firstname.lastname and in the SAP ECC server, the user ID is created as initial.lastname. The SAP Reference server method has been used for user mapping between SAP Portal and SAP ECC. No issue in this environment and SSO is working well between SAP Portal and SAP ECC.
Now, the new requirement is to configure SSO between SAP Portal 7.30 and LDAP (MS Active Directory). In SAP Portal and MS ADS (Microsoft Active Directory Server), the user ID is configured as Firstname.lastname.
Question:
user ID is created as initial.lastname). Here I'm assuming that user Mapping for SAP ECC server will be done in MS ADS server but not sure about it.Pls suggest.
another certificate (between ECC and MS ADS). Pls suggest.
or if you have any document to refer, pls send me the link.
Thanks
Amar
Hi Amar,
are you using SAP Logon Tickets or SAP NetWeaver Single Sign-On?
Regards
Matthias
Hi Matthias
We used SAP NetWeaver Single Sign-On.
We used following processing for SSO setting between SAP ECC and SAP Portal server:
1. http://servername:port/sso2 ->Trusted System (added the ECC server as trusted system)
2. http://servername:port/nwa --> Authentication and Single Sign-On (Here we can see the trusted system that is created in step 1)
3. http://servername:port/nwa --> Configuration -> Certificate and Keys (Created the 'SAPLogonTicketKeypair' and 'SAPLogonTicketKeypair-cert'). Download the certificate of the AS Java system and upload it on the AS ABAP system.
Thanks
Amarjit
Hi Amar,
so this blog is about SSO for SAP GUI for Windows. So this would not work for SAP Portal.
So this looks like you are using SAP Logon Tickets and not SAP NetWeaver Single Sign-On (a separate product which is not part of the SAP NetWeaver Standard Package).
--> check the SAP Portal community if you would like to continue with SAP Logon Tickets.
Regards
Matthias
Thanks for your reply, Matthias.
I'll open the new thread for SAP Portal for this requirement.
Regards
Amar
Hi Matthias. We have a CRM system Release 7.01 (ABAP) and need to configure SSO with Active Directory.
All users log on to the workstation with user and password in the domain, open Internet Explorer and log on to the CRM Web GUI.
Web GUI = https://server_CRM/sap/crm_logon
Which SSO method should we use?
Best Regards.
Hi,
if you would have ABAP 7.02 SP14 -> SPNEGO for ABAP.
In your case
a) Secure Login Server (automatically generated certificates --> see my blog) out of SAP NW SSO (a MS AD integration is available)
b) via SAML IDP on a SAP NW Java Server in combination with SPNEGO for Java
if you use option a you have automatically SSO for SAP native clients and other non-SAP applications. I would recommend this for internal scenarios. I would recommend option b for extranet scenarios.
You can of course also setup a SAP Portal with SAP Logon Tickets and SPNEGO for Java (but this is perhaps a little bit too complex for end users).
Regards
Matthias
Hi Matthias, could you please send the link for "automatically generated certificates".
Best Regards
EDRS
Regards
Matthias
How to configure SAP NetWeaver Single Sign-On with certificates out-of-the box!
Hi Matthias, thanks for your information.
The software SSO 2.0 requires an additional license, right?
Can I get a demo of the software SSO 2.0?
Best Regards.
EDRS
yes, this is not included in SAP NetWeaver. Yes, your SAP account manager can provide you a demo license so you can test it.
Regards
Matthias
Dear Matthias,
Sorry to go this way but ...
I am getting the error
**************************************************
Sapgui 730 [Build 9027] Thu Feb 05 08:01:16 2015
: 'GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=SL-ABAP-DVU"
Error in SNC
I have used the procedure described by http://scn.sap.com/docs/DOC-40178
The configuration is only to enable SSO for SAP GUI.
Regards,
Haroon.
Hi Matthias,
Thanks, this is good stuff.
Actually we are using the X.509 method. In that we are going with the Secure Login Web Client for the AS ABAP system.
I read the configuration document of the Secure Login Web Client.
In that they mention:
Several types of connections to SAP GUI are available. For more information, see the related links.
Simple redirect to URL
I have a question on the X.509 WebGUI (URL): once the user clicks on the web link, it will prompt the user to authenticate with AD. Once the user is authenticated, what happens next?
Does he get the SAP Logon and then double-click on XXX to get to SAP? Will he log in directly to SAP XXX then?
If you have any configuration documents or screenshots like the above document on the Secure Login Web Client, please provide them.
Thanks,
Srini
Thanks
Hello Srinivas,
When you want to implement Secure Login Web Client (SLWC) for Single Sign-On to the SAP GUI, you have to configure the connections to the SAP GUI as mentioned in the documentation, you copied in your message. When this is configured, after the authentication of the user the SAP GUI/SAP Logon Pad will start automatically as post authentication action.
If you use Microsoft infrastructure and if the user is already authenticated to the directory and a Kerberos/SPNEGO token is available for him, it could be reused for authentication to the SLWC. This way the user will have only to click on the link for the SLWC and SAP GUI/SAP Logon Pad will be automatically opened for him.
Best regards,
Donka Dimitrova
Hello Dimitrova,
I have so many questions here:
This way the user will have only to click on the link for the SLWC and SAP GUI/SAP Logon Pad will be automatically opened for him.
1. Using SLWC, will I get all the SIDs in this SAP GUI that we have in the SAP Logon Pad on the desktop?
2. If the first one is right, that means one URL for all the SAP instances.
3. After successful authentication in the URL, the SAP GUI Logon Pad will be displayed. In that we can choose any system (whichever I have access to).
4. I have heard about the Winshuttle application.
Some of the users still need SAP GUI access because they use the Winshuttle application (for loading data into SAP, this requires SAP GUI and GUI scripting).
Is this possible through SLWC?
Please provide the information on this, and thanks for the previous message.
Thanks,
Srini
Hello Srinivas,
When you implement Secure Login Web Client (SLWC) for Single Sign-On with configuration for SAP Logon Pad, after the successful authentication the SAP Logon Pad will be started as a post authentication action. The SAP Logon Pad will display all the system IDs and the user will have just to select the system that he wants to use and he will be logged in automatically.
As part of the implementation process you have to make sure that all SAP systems are configured to trust the same Secure Login Server Root CA.
Regarding the 3rd party solution Winshuttle, I am not able to confirm any integration. Please, get in contact with the vendor representatives for more information.
Best regards,
Donka Dimitrova
Hi Dimitrova,
Thank you so much for the information. This is so useful for me.
Regarding SSO for Business Explorer:
If we configure SLWC, is there any additional configuration required for Business Explorer, or is the same configuration enough?
Thanks,
Srinivas
Hello Srinivas,
It is possible to implement Single Sign-On to SAP Business Explorer, but you have to implement it using the Secure Login Client.
Best regards,
Donka Dimitrova
Hi Dimitrova,
Thank you so much for helping me.
While configuring SLWC (as per the installation guide):
1. Start the Secure Login Administration Console.
I opened the Secure Login URL: http://localhost:50000/securelogin
I got three options:
a. server configuration
b. instance management
c. console user
I chose server configuration, but in that I get so many options (please find the attachments).
2. Choose the relevant client authentication profile
3. Select the Secure Login Web Client Settings tab.
I am really confused which option I need to choose.
Please point me in the right direction and help on points 2 and 3.
Thanks so much again for helping.
Regards,
Srinivas S
Hello Srinivas,
It is strongly recommended to use the latest version of the SAP Single Sign-On 2.0 SP04 available since beginning November 2014. Please, download and install the latest version and then proceed with the SLWC setup based on the SAP Single Sign-On 2.0 SP04 implementation guide:
http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 5.5.
Best regards,
Donka Dimitrova
Hi Dimitrova,
We are integrating Microsoft Active Directory with SAP in the NW SSO configuration (X.509 method -> SLWC).
Create a Service User Account in Windows Active Directory
We created the service user account.
Define Service Principal Name for the newly created Windows user
Could you please help me with the format to create the service principal name?
Regards,
Srini
Donka, to clarify, this solution in the original blog at the top requires full purchase of the SAP SSO license? Does the Secure Login Server incur additional costs on top of this?
Hello Joe,
Secure Login Server is part of the SAP Single Sign-On product.
Regards,
Donka Dimitrova
I've configured this, and it worked ok, until I changed a user password. What is the correct procedure for password changing?
Here are the steps I've performed:
1. Configured everything according to your document, added system variable SECUREDIR, using D:\usr\sap\SID\DVEBMGS00\sec
2. Executed snc -s SAP/NEWUSER@MYDOMAIN.LOCAL -p PASSWORD (this is a user accessing from a client computer). This worked ok.
3. Changed AD password for NEWUSER, SNC stopped working. Received message error A2210217: The verification of the Kerberos ticket failed target "p:CN=NEWUSER@MYDOMAIN.LOCAL"
4. Changed password on ABAP.
5. Executed snc -s SAP/NEWUSER@MYDOMAIN.LOCAL -p NEWPASSWORD
Still get the error.
Regards,
Hi All,
SSO 2.0 Secure Login Web Client is configured and working fine for ABAP systems. Can anyone tell me the procedure for AS Java systems (Java only)?
Thanks,
Srini
Hello All
I have ERP 6.0 SR3 using only the ABAP system, installed with the latest support stack, but T-Code SPNEGO is not working. We did not install the Java stack.
Please review Screen shot
Thanks
Tejas
Hello Tejas,
You posed the same question here:
Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server
and I already answered. See my answer there.
Regards,
Donka Dimitrova
Good Morning Donka
As per your suggestion, using this T-Code SPNEGO requires a kernel upgrade to 7.21 with the latest support stack. After the upgrade, T-Code SPNEGO is still not available. Now I am trying to configure SNC with the SPNEGO T-Code.
Do you have any document for ERP 6 (SR3), my SAP_BASIS level 700, or do you have any document without the SPNEGO T-Code?
Thanks
Tejas
Hello Tejas,
If you want to use SPNego (browser-based Kerberos) authentication with an ABAP system, you require these 3 components:
Please, make sure you have the minimum SP/PL for these components.
Please, notice that this capability is not available for SAP_BASIS level 700
For more details, please, consider reading again the SAP Note http://service.sap.com/sap/support/notes/1798979
Best regards,
Donka Dimitrova
Hello All
Given error: GSS-API(maj): No credentials were supplied
Unable to establish the security context
I tried configuring SAP ERP SR3 with SSO 1. & SSO 2 for the ABAP stack only with Windows Server 2008 R2. My SNC configuration was done successfully; here are the attached screenshots.
While using SAP GUI, the following error is given:
Hi Experts,
With this type of SSO implementation, we don't need a password in NetWeaver Business Client?
Best Regards,
Eduardo Silva
Hello Eduardo,
Yes, the SAP Single Sign-On product offers SSO solution also for SAP NetWeaver Business Client and users will not need their passwords once the SSO is implemented.
Regards,
Donka Dimitrova
Hi Donka,
Thanks for the quick response. I am implementing the SSO with the integration with AD. Implementing it this way, when you open the NWBC will it do SSO, or do we have to implement something else?
Best Regards,
Eduardo Silva
Excellent documentation. Thanks for it.
Hello,
I want to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.
The SAP username is made from the first letter of the first name and the family name, "flastname", but the Kerberos token generated by the SAP Secure Login Client is "CN=FIRSTNAME.LASTNAME@COMPANY.COM".
My question is the following: is there a way to use variables in the transaction SNC1 so that the SAP user "flastname" will be mapped to "CN=FIRSTNAME.LASTNAME@COMPANY.COM"?
Regards,
Hassan
Hi Matthias,
I have a doubt, We are going to implement SSO with kerberos in SAP ECC and BW system.
For BW - Our SAP component version is SAP Netweaver 2004 - SAP BASIS-640- 12 patch
Kernel Version - 640_EX2- 414
For ECC - Our SAP component version is SAP R/3 Enterprise 4.7 with SAP_BASIS - 620- 36 patch
Kernel Version - 640_EX2- 414
Can we implement SSO with Kerberos for these versions?
Are there any prerequisites that need to be taken care of for the above versions?
Regards
Subbu
Hi Subbu,
with SAP Single Sign-On you can use Kerberos based single sign-on for SAP GUI and RFC clients also on those releases. However, you cannot use SPNEGO to enable single sign-on for web applications. SPNEGO requires version 7.02 or higher.
Best regards,
Christian
Hi All,
My case is somewhat particular. Some users can connect via SNC by single sign-on, but others can't do it; the patch level and configuration are the same. We have 3 app servers and 1 for the database. The 3 app servers are correctly configured. My account works properly at any app server. SAP GUI presents an error for some users in the message bar at the bottom of the screen like this:
No user exists with SNC name "p:CN=WRONGSNCNAME
Any clue?
Thanks in advance.
Regards
check in SU01 whether those users that cannot connect with SNC have a SNC entry!
Dear Matthias,
Dear SAP Gurus,
I have implemented SSO with Kerberos; both IDs, AD and SAP, are the same in that case. I need this prerequisite written in any SAP note or SAP document.
Or is SSO with Kerberos possible if the AD ID is sachin.shrivastavdesai@abc.com and the SAP ID is sachin?
Waiting for an urgent response. Please reply.
Regards
Dear Matthias/SAP Gurus,
How do we integrate SAML2 with SAP GUI using the web approach?
Is it possible to implement SSO for SAP GUI using Kerberos without Secure Login Server and only using secure login client?
I see that there are Authentication Methods without Secure Login Server in SSO Implementation Guide in below link but I can't find much information elsewhere.
https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/ed9de17f21374673ac8118928eb77c72.html
Regards,
Abhi
Hi Matthias very nice blog.
I have one query.
How do we map users when their Windows IDs and SAP IDs differ from each other?
Do we need to edit thousands of users manually in SU01 -> SNC tab?
Thank you.
Regards,
Mandar
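Hassan's question (mapping "flastname" SAP users to CN=FIRSTNAME.LASTNAME Kerberos names) and Mandar's question (mapping thousands of users without hand-editing SU01) describe the same task: deriving each user's SNC name from a directory export so the mapping can be loaded in bulk instead of being typed into the SNC tab. The script below is an added example written for this thread; it is not code from the blog author or from SAP. The CSV export, the realm COMPANY.COM and the "first letter of first name + surname" rule are constructed assumptions taken from the questions, and the output is a plain mapping table that a mass-maintenance tool of your choice could consume (which tool is used is outside this example). The important check it adds is collision detection: a derived-ID rule can map two directory users onto the same SAP user, and those rows must be resolved by hand before anything is loaded.

```python
"""Derive SAP user IDs and Kerberos SNC names from a directory export.

Added example for this comment thread (not code from the blog or SAP).
The sample export, the realm and the SAP-ID rule are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of the CSV an AD administrator would export.
SAMPLE_EXPORT = """\
sAMAccountName,givenName,sn,userPrincipalName
j.doe,Jane,Doe,jane.doe@company.com
h.lastname,Hassan,Lastname,hassan.lastname@company.com
m.smith,Mary,Smith,mary.smith@company.com
ma.smith,Mark,Smith,mark.smith@company.com
"""

SAP_USER_MAX_LEN = 12  # ABAP user IDs (BNAME) are limited to 12 characters


def sap_user_id(given: str, surname: str) -> str:
    """Assumed naming rule: first letter of the first name + surname, upper case,
    truncated to the ABAP user-ID length."""
    return (given[:1] + surname).upper()[:SAP_USER_MAX_LEN]


def snc_name(given: str, surname: str, realm: str) -> str:
    """SNC name in the form the Secure Login Client presents for a Kerberos user:
    p:CN=FIRSTNAME.LASTNAME@REALM (format taken from Hassan's question)."""
    return f"p:CN={given.upper()}.{surname.upper()}@{realm.upper()}"


def build_mapping(export_csv: str, realm: str):
    """Return (rows, collisions).

    rows       - one dict per directory user: sap_user, snc_name, ad_account
    collisions - SAP user IDs that more than one directory user maps to,
                 with the competing SNC names; these need manual resolution
                 because an SNC name must identify exactly one SAP user.
    """
    rows = []
    by_sap_id = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(export_csv)):
        sap_id = sap_user_id(rec["givenName"], rec["sn"])
        name = snc_name(rec["givenName"], rec["sn"], realm)
        rows.append({"sap_user": sap_id, "snc_name": name,
                     "ad_account": rec["sAMAccountName"]})
        by_sap_id[sap_id].append(name)
    collisions = {k: v for k, v in by_sap_id.items() if len(v) > 1}
    return rows, collisions


def to_csv(rows, collisions) -> str:
    """Serialise only the unambiguous rows as a mapping table for bulk loading."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["sap_user", "snc_name", "ad_account"])
    for r in rows:
        if r["sap_user"] not in collisions:
            writer.writerow([r["sap_user"], r["snc_name"], r["ad_account"]])
    return out.getvalue()


if __name__ == "__main__":
    rows, collisions = build_mapping(SAMPLE_EXPORT, "COMPANY.COM")
    print(to_csv(rows, collisions))
    for sap_id, names in collisions.items():
        print(f"COLLISION {sap_id}: {', '.join(names)}  -> resolve manually")
```

Running it on the constructed export emits three unambiguous mapping rows and reports that MSMITH is claimed by both Mary and Mark Smith, which is exactly the situation a naming rule alone cannot resolve; those users get an explicit SNC entry chosen by the administrator.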
Hi,
When a new user (user A) logs on to Windows 7, SAP GUI SSO works fine. But when a new user (user B) logs on to the same Windows 7 client, SAP GUI gets this error:
Unable to load GSS-API DLL named "sncgss32.dll". But when user A logs on to the same Windows 7, SAP GUI SSO still works fine.
Hello Matthias,
Thanks for your blog.
I have some concerns, could you please get back to me? I configured SSO and cannot log in.
Thanks and have a great weekend!
Penny
Hello Experts,
My need is to log in from SAP Enterprise Portal via SAML SSO. I have two set-ups:
Please guide me on which system is easier to proceed with to achieve my target, and how.
Thanks!!