NWBC was originally designed to enable users to access data using multiple UI technologies from a single ABAP back end system.

To make data access secure, we now recommend combining NWBC with SAP NetWeaver Single Sign-On.

This solution is both simple and secure.


As of release SAP NetWeaver Single Sign-On 2.0, SAP NetWeaver Single Sign-On offers support for SPNEGO for ABAP.

Setting up SPNEGO for ABAP is a simple and straightforward process that involves only a few manual configuration steps:

  • Install the Secure Login Library on the SAP NetWeaver ABAP back end.
  • Set the system parameters spnego/enable and spnego/krbspnego in the SAP NetWeaver Application Server ABAP and configure the keytab generated by the Active Directory Server in transaction SPNEGO.
  • Map the user’s Kerberos principal name to the ABAP user name using transaction SU01.

Leveraging this Kerberos-based single sign-on technology, you can implement an SAP NetWeaver Single Sign-On solution for your NWBC quickly and easily, and without the need for a Java stack.

With SAP NetWeaver Single Sign-On 2.0 and NWBC you can simply reuse your Windows domain authentication for Single Sign-On, even across different domains.

This tutorial-like blog describes how to connect securely and in just three easy steps to either a single ABAP back end system or to multiple ABAP back end systems.

Prerequisites

NWBC 4.0, SSO 2.0, SAP NetWeaver 7.3

Procedure

  1. After implementing SSO with Kerberos (see How-To-Videos), create your SAP GUI system connection, e.g. System 1, in SAP Logon.
  2. Activate Secure Network Communication (SNC) for your system.
  3. Open NWBC and create a system connection (System 1) referring to the SAP GUI system connection (enter exactly the same string: System 1) to make use of the SNC settings activated in SAP GUI.
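
Step 3 only works when the NWBC connection name is exactly the SAP Logon description and that entry has SNC active. The following check is an added example, not part of the original post or any SAP tool. It assumes the classic saplogon.ini layout with [Description], [SncName] and [SncChoice] sections keyed by ItemN, and treats a non-empty SncName with a positive SncChoice as SNC active; the sample file content and principal names are constructed.

```python
import configparser

# Constructed sample in the assumed saplogon.ini layout: each entry is the
# same ItemN key spread across per-attribute sections.
SAMPLE_INI = """\
[Description]
Item1=System 1
Item2=System 2
Item3=system 3
[SncName]
Item1=p:CN=SAPServiceS1@EXAMPLE.LOCAL
Item2=
Item3=p:CN=SAPServiceS3@EXAMPLE.LOCAL
[SncChoice]
Item1=9
Item2=-1
Item3=9
"""

def load_entries(ini_text):
    """Return {description: (snc_name, snc_choice)} for every ItemN."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'Item1' as written instead of lowercasing
    cp.read_string(ini_text)
    entries = {}
    for item, desc in cp["Description"].items():
        snc_name = cp.get("SncName", item, fallback="").strip()
        snc_choice = cp.get("SncChoice", item, fallback="-1").strip()
        entries[desc] = (snc_name, snc_choice)
    return entries

def check_nwbc_connection(name, entries):
    """Classify an NWBC connection name against the SAP Logon entries."""
    if name not in entries:
        # Step 3 requires exactly the same string; report near misses.
        near = [d for d in entries if d.strip().casefold() == name.strip().casefold()]
        return f"NO_MATCH (near miss: {near[0]!r})" if near else "NO_MATCH"
    snc_name, snc_choice = entries[name]
    try:
        active = int(snc_choice) > 0  # assumption: positive value = SNC on
    except ValueError:
        active = False
    if not snc_name or not active:
        return "SNC_OFF"  # entry exists but SNC is not active for it
    return "OK"

if __name__ == "__main__":
    entries = load_entries(SAMPLE_INI)
    for name in ("System 1", "System 2", "System 3", "System 4"):
        print(f"{name!r}: {check_nwbc_connection(name, entries)}")
```

When several saplogon.ini files exist on a client, run the check against each one to see which file actually contains the name entered in NWBC.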


Result

Encrypted content.


Connecting to More than One System

If you’d like to implement safe connections to more than one ABAP back end system, you have to repeat the steps described above for a second system (e.g. System 2).

Note: For the server configuration (transaction RZ11), you must set the profile parameter login/create_sso2_ticket. Enter the value 3 (default parameter in the kernel as of NetWeaver 7.40) to enable the AS ABAP to issue authentication assertion tickets and no logon tickets. We recommend you use this value. (Setting login/create_sso2_ticket to 0 means no logon or assertion tickets are issued.)

Recommendation: Create a new service user on the Microsoft Active Directory server for each SAP system (see first part of the second video “Implementing Single Sign-On with Kerberos”)

Hint: Activate the NWBC system selector at start-up to switch easily between your systems, see the following screenshot.

System_Selector.PNG

To see how to access multiple systems by referencing from one system to the other via PFCG mapping, read part 2:

NWBC meets Single Sign-On: Simplify Secure Data Access in Remote Scenarios (Part 2)

More information on Authentication and Single Sign-On with NWBC

Find more information about Single Sign-On 2.0 in the SCN Space for SAP NetWeaver Single-Sign On.

See also:

NWBC and SSO: Logon with/without SNC (Secure Network Communication)

and

NWBC and SSO: SAP NetWeaver Single Sign-On 2.0 with native support for SPNEGO for ABAP (SAPinsider article)


20 Comments


  1. Simon Kemp

    Hi Sandra,

    Thanks for sharing this. One question I have is w.r.t the profile parameter login/create_sso2_ticket if you set that to 0 then there will be no SAP Logon Ticket created for the system and then each time you access a page I expect a new authentication might take place… could this be a performance issue?

    Just a thought/query I had when I read this.

    Cheers,
    Simon

    (0) 
    1. Sandra Thimme Post author

      Hi Simon,

      becoming a big fan of NWBC 🙂 ….

      No performance issues a.f.a. we’ve tested with Security Session Management active.

      Regards,

      Sandra

      (0) 
  2. Clinton Premananthan

    Hi Sandra,

    We have a requirement to use Microsoft AD as a source for passwords, from the NWBC, but not using SSO, using manual username/password input.

    Will this work for our requirement? Please let me know…

    thanks so much,

    Clinton

    (0) 
      1. Clinton Premananthan

        Hi Sandra,

        Thanks for the reply.

        Just for some clarity… does manual un/pw refer to the SAP user database or AD authentication?

        I’d like to enter my un/pw manually using AD details, not SAP details (to access SAP).

        We would not like to use SSO as many employees share clients. Our requirement is to basically use AD details to login to all SAP systems with manual un/pw input.

        thanks,

        Clinton

        (0) 
  3. A. Operations Team

    Hi Sandra,

    We now have SNC/Kerberos working for SAPgui.

    We used same sapgui entry in NWBC 4.0SP12 however it does not appear to make any connection to sapgui at all.

    What could I be missing?

    (0) 
    1. Sandra Thimme Post author

      Hi Clinton,

      sorry, what do you mean by “any connection”?

      After implementing Single-Sign On 2.0 with Kerberos (as shown in our video series: http://scn.sap.com/docs/DOC-40178) you don’t have to log on separately to NWBC and you’ll get secure data communication.

      If not working after implementation you have to open a message.

      Sandra

      (0) 
  4. Lars Hansen

    Hi Sandra,

    thanks for sharing.

    We use software from Quest as SSO for SAP GUI, and it should work like SAP single-Signon software.

    Parameter login/create_sso2_ticket = 2

    Even though I have added same name in SAP GUI Logon Description as in SAP GUI I cannot get it to work.

    NWBC still prompts for password – sometimes it has my username filled out and sometimes it has not.

    We have 5 different saplogon.ini files that we use. How can I see what ini file NWBC is using, so I can be 100% sure about the SAP GUI Logon Description?

    We are on Windows 7.  

    Thanks,

    Lars

    (0) 
    1. Sandra Thimme Post author

      Hi Lars,

      currently I am on vacation, cannot really reproduce the issue. Please check your libs. Press Ctrl (hold) and click the NWBC menu button: Choose Help -> Extended Supportability -> System information. See what you can find here…

      And have a look at your NwbcOptions.xml.

      You’ll find it here: ProgramData\SAP\NWBC\NwbcOptions.xml

      You can define a fixed set of possible connections for systems.

      More information: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdad097817511e10000000a42189b/content.htm?frameset=/en/4c/5bd87b97817513e10000000a42189b/frameset.htm&current_toc=/en/66/48a793bc2f4ec5bdb8e7e93ea6cd9f/plain.htm&node_id=31

      NWBC+SSO documentation:

      SAP NetWeaver Business Client 4.0 (Changed) – What’s New in SAP NetWeaver 7.4 (Release Notes) – SAP Library

      Hope you will find a workaround! And as already mentioned, we absolutely recommend SAP Single Sign-On with NWBC.

      SAP Single Sign-On | SCN

      Regards,

      Sandra

      (0) 
      1. Bruno Astorino

        Hello Sandra,

        we have successfully implemented SSO NW 2.0 with SPNEGO. Users can successfully connect to NWBC on ERP system without prompting user and password. We have configured the access to a remote system through PFCG role catch in ERP from HCM system and creating RFC trusted between both systems. It works if the user access without SSO at logon but with SSO implemented when the user tries to use the transaction of the roles (and then is the windows AD credentials that is accessed) it prompts for user and password.

        The ERP system is an ERP 6.0 EHP6. The HCM is an ERP 6.0 EHP4 where SPNEGO cannot be implemented due to low patch level.

        any suggestion for my scenario to get it work?

        bruno

        (0) 
        1. Sandra Thimme Post author

          Hi Bruno,

          so the second system is using logon tickets. Please have a look at the following correction SAP note 2044027.

          Let me know if it works.

          Regards,

          Sandra

          (0) 
          1. Bruno Astorino

            hello Sandra,

            thank you very much. It worked! Another info if you can. Is there a way not to use SSO? Can a different link be used not to log in automatically in SSO with SPNEGO active?

            thank you.

            (0) 
  5. Shravan Adurukatla

    Hi Sandra,

    We now have NW SSO with SPNEGO setup working for SAPgui 730, so now we are doing a POC with GUI 740 plus NWBC 5.0. Added one of ABAP system in SAP GUI 740 which works for SSO but when the same system description pulled in NWBC, it asks for login credentials.

    Can you help us if there is any additional setting to be done for NWBC to work for SSO.

    Thanks in advance,

    Shravan

    (0) 
    1. Anonymous

      Hi Shravan,

      there are no additional settings on NWBC side. If you see the description, just choose it as you can see it on my screenshot:

      SNC.PNG

      Please check your SPN-Entries. Different technologies (SCN and SPNEGO) need different Service Principal Names. I am afraid you have to open a message. Here on Product Management Side we cannot reproduce your problem.

      Good luck,

      Regards,

      Sandra

      (0) 
  6. Michael Sachs

    Hi Sandra,

    this is very useful information indeed. Is this procedure limited to SPNEGO/Kerberos scenarios? We have a “full-blown” PKI infrastructure which we use with SAP Netweaver SSO 2.0 Secure Login Client to achieve SSO. This works fine, but if I try to create a connection as outlined in step 3, the client still prompts for username and password. I even activated the “Use Secure Login Client” checkbox in the XML configuration file, but without success.

    Best regards,

    Michael

    (0) 
  7. Wayne Eaton

    Hi Sandra,

    Great articles!  I’m having a problem with NWBC 5.0 PL9 and SAPGUI 740 PL4.  I’m using the SAPUILandscapeGlobal.xml file stored on a central file share which all the NWBC clients point to.  It has worked well.  We just enabled SSO so I’ve added the SCN information to the xml file.  When I open SAPGUI, everything works like a charm.  When I open NWBC, it does not – I’m still getting prompted for a logon.  Any thoughts?

    Thanks in advance,

    -Wayne

    (0) 
