NWBC (4.0) meets Single Sign-On: Simplify Secure Data Access (Part 1)
NWBC was originally designed to enable users to access data using multiple UI technologies from a single ABAP back end system.
To make data access secure, we now recommend combining NWBC with SAP NetWeaver Single Sign-On.
This solution is both simple and secure.
As of release 2.0, SAP NetWeaver Single Sign-On supports SPNEGO for ABAP.
Setting up SPNEGO for ABAP is a simple and straightforward process that involves only a few manual configuration steps:
- Install the Secure Login Library on the SAP NetWeaver ABAP back end.
- Set the system parameters spnego/enable and spnego/krbspnego in the SAP NetWeaver Application Server ABAP and configure the keytab generated by the Active Directory server in transaction SPNEGO.
- Map the user’s Kerberos principal name to the ABAP user name using transaction SU01.
Leveraging this Kerberos-based single sign-on technology, you can implement an SAP NetWeaver Single Sign-On solution for your NWBC quickly and easily, and without the need for a Java stack.
With SAP NetWeaver Single Sign-On 2.0 and NWBC you can simply reuse your Windows domain authentication for Single Sign-On, even across different domains.
This tutorial-like blog describes how to connect securely, in just three easy steps, to either a single ABAP back end system or to multiple ABAP back end systems.
NWBC 4.0, SSO 2.0, SAP NetWeaver 7.3
- After implementing SSO with Kerberos (see How-To-Videos), create your SAP GUI system connection, e.g. System 1, in SAP Logon.
- Activate Secure Network Communication (SNC) for your system.
- Open NWBC and create a system connection (System 1) referring to SAP GUI system connection (enter exactly the same string: System 1) to make use of the SNC settings activated in SAP GUI.
Connecting to More than One System
If you’d like to implement secure connections to more than one ABAP back end system, you have to repeat the steps described above for a second system (e.g. System 2).
Note: For the server configuration (transaction RZ11) you must set the profile parameter login/create_sso2_ticket. Enter the value 3 (the kernel default as of NetWeaver 7.40) so that the AS ABAP issues authentication assertion tickets but no logon tickets. We recommend this value.
(A value of 0 for login/create_sso2_ticket means that neither logon tickets nor assertion tickets are issued.)
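The two SPNEGO parameters from the setup steps above and the login/create_sso2_ticket recommendation in this note are the settings you want to verify on every back end you connect NWBC to. The following script is an added example (not SAP code and not part of the original blog): it parses instance profile text in the usual "parameter = value" form and reports deviations. The profile texts are constructed, and the expectation that spnego/enable and spnego/krbspnego carry the value 1 is an assumption taken from the SPNEGO for ABAP setup guide, not from this blog; the interpretation of login/create_sso2_ticket (3 = assertion tickets only, 0 = no tickets at all, anything else = logon tickets issued) follows the text above.

```python
"""Audit SAP AS ABAP instance profiles for the SPNEGO and SSO2 ticket settings
discussed in the blog. Added example; the profile texts below are constructed."""
import re
from typing import Dict, List, Optional

# SAP instance profiles consist of "parameter = value" lines; a line starting
# with '#' is a comment. Later definitions of the same parameter win.
_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return the parameters of an instance profile as a name -> value dict."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _PARAM_RE.match(raw)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def ticket_policy(value: Optional[str]) -> str:
    """Describe what login/create_sso2_ticket makes the AS ABAP issue."""
    if value is None:
        return "unset (kernel default applies; 3 as of NetWeaver 7.40)"
    v = value.strip()
    if v == "3":
        return "assertion tickets only (recommended)"
    if v == "0":
        return "no logon tickets and no assertion tickets"
    return "logon tickets issued"


def audit_profile(system: str, text: str) -> List[str]:
    """Return findings for one system; an empty list means it matches the blog's recommendation."""
    params = parse_profile(text)
    findings: List[str] = []
    for name in ("spnego/enable", "spnego/krbspnego"):
        val = params.get(name)
        if val is None:
            findings.append(f"{system}: {name} not set (SPNEGO for ABAP not activated)")
        elif val.strip() != "1":  # assumption: 1 = enabled, as in the SPNEGO for ABAP setup guide
            findings.append(f"{system}: {name} = {val} (expected 1)")
    ticket = params.get("login/create_sso2_ticket")
    if ticket is None:
        findings.append(f"{system}: login/create_sso2_ticket not set; verify the effective value in RZ11")
    elif ticket.strip() != "3":
        findings.append(
            f"{system}: login/create_sso2_ticket = {ticket} -> {ticket_policy(ticket)}; recommended value is 3"
        )
    return findings


def audit_all(profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit several systems at once (the blog's multi-system scenario)."""
    return {system: audit_profile(system, text) for system, text in profiles.items()}


# Constructed sample profiles: System 1 follows the blog, System 2 still issues
# logon tickets (value 2) and never activated the Kerberos SPNEGO parameter.
PROFILE_S01 = """# constructed instance profile, System 1
SAPSYSTEMNAME = S01
spnego/enable = 1
spnego/krbspnego = 1
login/create_sso2_ticket = 3
"""

PROFILE_S02 = """# constructed instance profile, System 2
SAPSYSTEMNAME = S02
spnego/enable = 1
login/create_sso2_ticket = 2
"""

if __name__ == "__main__":
    for system, findings in audit_all({"S01": PROFILE_S01, "S02": PROFILE_S02}).items():
        print(system, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run it against the profile of each system you add to NWBC; a system that still shows "logon tickets issued" is the situation the reply to the comment about login/create_sso2_ticket = 2 below refers to.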
Recommendation: Create a new service user on the Microsoft Active Directory server for each SAP system (see the first part of the second video, “Implementing Single Sign-On with Kerberos”).
Hint: Activate the NWBC system selector at start-up to switch easily between your systems, see the following screenshot.
To see how to access multiple systems, referencing from one system to the other via PFCG mapping, read part 2:
NWBC meets Single Sign-On: Simplify Secure Data Access in Remote Scenarios (Part 2)
More information on Authentication and Single Sign-On with NWBC
Find more information about Single Sign-On 2.0 in the Community for SAP NetWeaver Single-Sign On.
NWBC and SSO: Logon with/without SNC (Secure Network Communication)
NWBC and SSO: SAP NetWeaver Single Sign-On 2.0 with native support for SPNEGO for ABAP (SAPinsider article)
Thanks for sharing this useful information.
Thanks for sharing this. One question I have is w.r.t. the profile parameter login/create_sso2_ticket: if you set that to 0 then there will be no SAP Logon Ticket created for the system, and then each time you access a page I expect a new authentication might take place... could this be a performance issue?
Just a thought/query I had when I read this.
becoming a big fan of NWBC 🙂 ....
No performance issues as far as we've tested with Security Session Management active.
Thanks for sharing
We have a requirement to use Microsoft AD as a source for passwords from the NWBC, but not using SSO, using manual username/password input.
Will this work for our requirement? Please let me know...
thanks so much,
Entering un/pw manually will work. But that's exactly the thing we'd like to avoid using SSO.
Thanks for the reply.
Just for some clarity... does manual un/pw refer to the SAP user database or AD authentication?
I'd like to enter my un/pw manually using AD details, not SAP details (to access SAP).
We would not like to use SSO as many employees share clients. Our requirement is to basically use AD details to login to all SAP systems with manual un/pw input.
Same question here. Did you find a solution for your use case?
We now have SNC/Kerberos working for SAPgui.
We used the same sapgui entry in NWBC 4.0 SP12, however it does not appear to make any connection to sapgui at all.
What could I be missing?
Sorry, what do you mean by "any connection"?
After implementing Single Sign-On 2.0 with Kerberos (as shown in our video series: http://scn.sap.com/docs/DOC-40178) you don't have to log on separately to NWBC and you'll get secure data communication.
If not working after implementation you have to open a message.
thanks for sharing.
We use software from Quest as SSO for SAP GUI, and it should work like the SAP Single Sign-On software.
Parameter login/create_sso2_ticket = 2
Even though I have added the same name in the SAP GUI Logon Description as in SAP GUI, I cannot get it to work.
NWBC still prompts for password - sometimes it has my username filled out and sometimes it has not.
We have 5 different saplogon.ini files that we use. How can I see what ini file NWBC is using, so I can be 100% sure about the SAP GUI Logon Description?
We are on Windows 7.
Currently I am on vacation, so I cannot really reproduce the issue. Please check your libs. Press Ctrl (hold) and click the NWBC menu button: Choose Help -> Extended Supportability -> System information. See what you can find there...
And have a look at your NwbcOptions.xml.
You'll find it here: ProgramData\SAP\NWBC\NwbcOptions.xml
You can define a fixed set of possible connections for systems.
More information: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdad097817511e10000000a42189b/content.htm?frameset=/en/4c/5bd87b97817513e10000000a42189b/frameset.htm&current_toc=/en/66/48a793bc2f4ec5bdb8e7e93ea6cd9f/plain.htm&node_id=31
SAP NetWeaver Business Client 4.0 (Changed) - What's New in SAP NetWeaver 7.4 (Release Notes) - SAP Library
Hope you will find a workaround! And as already mentioned, we absolutely recommend SAP Single Sign-On with NWBC.
SAP Single Sign-On | SCN
We have successfully implemented SSO NW 2.0 with SPNEGO. Users can successfully connect to NWBC on the ERP system without being prompted for user and password. We have configured the access to a remote system through PFCG role catch in ERP from the HCM system and created a trusted RFC between both systems. It works if the user accesses without SSO at logon, but with SSO implemented, when the user tries to use the transaction of the roles (and then it is the Windows AD credentials that are accessed) it prompts for user and password.
The ERP system is an ERP 6.0 EHP6. The HCM is an ERP 6.0 EHP4 where SPNEGO cannot be implemented due to low patch level.
Any suggestion for my scenario to get it to work?
So the second system is using logon tickets. Please have a look at the following correction, SAP note 2044027.
Let me know if it works.
Thank you very much. It worked! Another question, if you can: is there a way not to use SSO? Can a different link be used so as not to log in automatically with SPNEGO active?
We now have NW SSO with SPNEGO set up and working for SAPgui 730, so now we are doing a POC with GUI 740 plus NWBC 5.0. We added one of the ABAP systems in SAP GUI 740, which works for SSO, but when the same system description is pulled in NWBC, it asks for login credentials.
Can you help us with whether there is any additional setting to be done for NWBC to work with SSO?
Thanks in advance,
There are no additional settings on the NWBC side. If you see the description, just choose it as you can see on my screenshot:
Please check your SPN entries. Different technologies (SNC and SPNEGO) need different Service Principal Names. I am afraid you have to open a message. Here on the Product Management side we cannot reproduce your problem.
I have opened a detailed discussion with more details and issue screenshots. Can you please check there and help me in this regard? Thanks.
This is very useful information indeed. Is this procedure limited to SPNEGO/Kerberos scenarios? We have a "full-blown" PKI infrastructure which we use with SAP NetWeaver SSO 2.0 Secure Login Client to achieve SSO. This works fine, but if I try to create a connection as outlined in step 3, the client still prompts for username and password. I even activated the "Use Secure Login Client" checkbox in the XML configuration file, but without success.
Great articles! I'm having a problem with NWBC 5.0 PL9 and SAPGUI 740 PL4. I'm using the SAPUILandscapeGlobal.xml file stored on a central file share which all the NWBC clients point to. It has worked well. We just enabled SSO, so I've added the SNC information to the xml file. When I open SAPGUI, everything works like a charm. When I open NWBC, it does not: I'm still getting prompted for a logon. Any thoughts?
Thanks in advance,
For those using the SSO scenario - Kerberos+SNC and already got it working on SAPGUI but struggling with NWBC SSO like me, please check your IE settings, under the security -> Any zone -> Custom Level -> Scroll to the bottom -> User Authentication -> Logon -> Select “Automatic logon with current user name and password”
The SLC is only working with SAPGUI, but NWBC (the business client) relies heavily on IE.