Sandra Thimme

NWBC (4.0) meets Single Sign-On: Simplify Secure Data Access (Part 1)

NWBC was originally designed to enable users to access data using multiple UI technologies from a single ABAP back end system.

To make data access secure, we now recommend combining NWBC with SAP NetWeaver Single Sign-On.

This solution is both simple and secure.

As of release SAP NetWeaver Single Sign-On 2.0, SAP NetWeaver Single Sign-On offers support for SPNEGO for ABAP.

Setting up SPNEGO for ABAP is a simple and straightforward process that involves only a few manual configuration steps:

  • Install the Secure Login Library on the SAP NetWeaver ABAP back end.
  • Set the system parameters spnego/enable and spnego/krbspnego in the SAP NetWeaver Application Server ABAP and configure the keytab generated by the Active Directory server in transaction SPNEGO.
  • Map the user’s Kerberos principal name to the ABAP user name using transaction SU01.

Leveraging this Kerberos-based single sign-on technology, you can implement an SAP NetWeaver Single Sign-On solution for your NWBC quickly and easily, and without the need for a Java stack.

With SAP NetWeaver Single Sign-On 2.0 and NWBC you can simply reuse your Windows domain authentication for Single Sign-On, even across different domains.

This tutorial-like blog describes how to connect securely and in just three easy steps to either a single ABAP back end system or to multiple ABAP back end systems.

Prerequisites

NWBC 4.0, SSO 2.0, SAP NetWeaver 7.3

Procedure

  1. After implementing SSO with Kerberos (see How-To-Videos), create your SAP GUI system connection, e.g. System 1, in SAP Logon.
  2. Activate Secure Network Communication (SNC) for your system.
  3. Open NWBC and create a system connection (System 1) that refers to the SAP GUI system connection. Enter exactly the same string (System 1) so that NWBC uses the SNC settings activated in SAP GUI.

3Steps.PNG

Result

Encrypted content.

lupi3.PNG

Connecting to More than One System

If you’d like to implement safe connections to more than one ABAP back end system, repeat the steps described above for a second system (e.g. System 2).

Note: For the server configuration (transaction RZ11), you must set the profile parameter login/create_sso2_ticket. Enter the value 3 (the default in the kernel as of NetWeaver 7.40) so that the AS ABAP issues authentication assertion tickets and no logon tickets. We recommend you use this value. (Setting login/create_sso2_ticket to 0 means no logon or assertion tickets are issued.)
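The following added example (not part of the original post and not SAP code) audits a profile for the SSO-related parameters this article names, spnego/enable and login/create_sso2_ticket, and shows a weak profile beside a corrected one. The profile text is constructed sample data, the function names are hypothetical, and the meanings given for ticket values 1 and 2 are not from the article.

```python
# Added example: audit an AS ABAP profile for the SSO parameters named in
# this article. Function names and sample profiles are constructed here.

# login/create_sso2_ticket values: 0 and 3 are described in the article;
# 1 and 2 are the logon-ticket modes (with / without certificate).
TICKET_MODES = {
    "0": "no logon or assertion tickets",
    "1": "logon tickets, certificate included",
    "2": "logon tickets, no certificate",
    "3": "assertion tickets only",
}

def parse_profile(text):
    """Read 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # a later assignment overrides
    return params

def audit_sso(params):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if params.get("spnego/enable") != "1":
        findings.append("spnego/enable: SPNEGO for ABAP is not switched on (expected 1)")
    ticket = params.get("login/create_sso2_ticket")
    if ticket is None:
        findings.append("login/create_sso2_ticket: not set in the profile, so the "
                        "kernel default applies (3 only as of NetWeaver 7.40)")
    elif ticket not in TICKET_MODES:
        findings.append(f"login/create_sso2_ticket: unknown value {ticket!r}")
    elif ticket != "3":
        findings.append(f"login/create_sso2_ticket: {ticket} = {TICKET_MODES[ticket]}; "
                        "the article recommends 3")
    return findings

# Constructed sample profiles: the weak setting beside the corrected one.
WEAK_PROFILE = "# constructed sample\nspnego/enable = 0\nlogin/create_sso2_ticket = 2\n"
HARDENED_PROFILE = "# constructed sample\nspnego/enable = 1\nlogin/create_sso2_ticket = 3\n"

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_sso(parse_profile(text)) or "OK")
```

Run it against an exported copy of the instance or default profile; values changed dynamically in RZ11 are not reflected in the profile file.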

Recommendation: Create a new service user on the Microsoft Active Directory server for each SAP system (see first part of the second video “Implementing Single Sign-On with Kerberos”)

Hint: Activate the NWBC system selector at start-up to switch easily between your systems, see the following screenshot.

System_Selector.PNG

To see how to access multiple systems by referencing from one system to the other via PFCG mapping, read Part 2:

NWBC meets Single Sign-On: Simplify Secure Data Access in Remote Scenarios (Part 2)

More information on Authentication and Single Sign-On with NWBC

Find more information about Single Sign-On 2.0 in the Community for SAP NetWeaver Single-Sign On.

See also:

NWBC and SSO: Logon with/without SNC (Secure Network Communication)

and

NWBC and SSO: SAP NetWeaver Single Sign-On 2.0 with native support for SPNEGO for ABAP (SAPinsider article)

      21 Comments
      Ravi Ekambaram

      Hi Sandra,

      Thanks for sharing this useful information.

      Regards,

      Ravi

      Simon Kemp

      Hi Sandra,

      Thanks for sharing this. One question I have is w.r.t the profile parameter login/create_sso2_ticket if you set that to 0 then there will be no SAP Logon Ticket created for the system and then each time you access a page I expect a new authentication might take place... could this be a performance issue?

      Just a thought/query I had when I read this.

      Cheers,
      Simon

      Sandra Thimme
      Blog Post Author

      Hi Simon,

      becoming a big fan of NWBC 🙂 ....

      No performance issues a.f.a. we've tested with Security Session Management active.

      Regards,

      Sandra

      Former Member

      Hi Sandra

      Thanks for sharing

      Cheers 😉

      Pradyp

      Clinton Premananthan

      Hi Sandra,

      We have a requirement to use Microsoft AD as a source for passwords, from the NWBC, but not using SSO, using manual username/password input.

      Will this work for our requirement? Please let me know...

      thanks so much,

      Clinton

      Sandra Thimme
      Blog Post Author

      Hi Clinton,

      entering un/pw manually will work. But that's exactly the thing we'd like to avoid using SSO.

      Regards,

      Sandra

      Clinton Premananthan

      Hi Sandra,

      Thanks for the reply.

      Just for some clarity... does manual un/pw refer to the SAP user database or AD authentication?

      I'd like to enter my un/pw manually using AD details, not SAP details (to access SAP).

      We would not like to use SSO as many employees share clients. Our requirement is to basically use AD details to login to all SAP systems with manual un/pw input.

      thanks,

      Clinton

      Former Member

      Same question here. Did you find a solution for your use case ?

      Former Member

      Hi Sandra,

      We now have SNC/Kerberos working for SAPgui.

      We used the same sapgui entry in NWBC 4.0 SP12; however, it does not appear to make any connection to sapgui at all.

      What could I be missing?

      Sandra Thimme
      Blog Post Author

      Hi Clinton,

      sorry, what do you mean by "any connection"?

      After implementing Single-Sign On 2.0 with Kerberos (as shown in our video series: http://scn.sap.com/docs/DOC-40178) you don't have to log on separately to NWBC and you'll get secure data communication.

      If it is not working after implementation, you have to open a message.

      Sandra

      Lars Hansen

      Hi Sandra,

      thanks for sharing.

      We use software from Quest as SSO for SAP GUI, and it should work like SAP single-Signon software.

      Parameter login/create_sso2_ticket = 2

      Even though I have added the same name in SAP GUI Logon Description as in SAP GUI, I cannot get it to work.

      NWBC still prompts for password - sometimes it has my username filled out and sometimes it has not.

      We have 5 different saplogon.ini files that we use. How can I see what ini file NWBC is using, so I can be 100% sure about the SAP GUI Logon Description?

      We are on Windows 7.  

      Thanks,

      Lars

      Sandra Thimme
      Blog Post Author

      Hi Lars,

      currently I am on vacation, cannot really reproduce the issue. Please check your libs. Press Ctrl (hold) and click the NWBC menu button: Choose Help -> Extended Supportability -> System information. See what you can find here...

      And have a look at your NwbcOptions.xml.

      You'll find it here: ProgramData\SAP\NWBC\NwbcOptions.xml

      You can define a fixed set of possible connections for systems.

      More information: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bdad097817511e10000000a42189b/content.htm?frameset=/en/4c/5bd87b97817513e10000000a42189b/frameset.htm&current_toc=/en/66/48a793bc2f4ec5bdb8e7e93ea6cd9f/plain.htm&node_id=31

      NWBC+SSO documentation:

      SAP NetWeaver Business Client 4.0 (Changed) - What's New in SAP NetWeaver 7.4 (Release Notes) - SAP Library

      Hope you will find a workaround! And as already mentioned, we absolutely recommend SAP Single Sign-On with NWBC.

      SAP Single Sign-On | SCN

      Regards,

      Sandra

      Former Member

      Hello Sandra,

      we have successfully implemented SSO NW 2.0 with SPNEGO. Users can successfully connect to NWBC on ERP system without prompting user and password. We have configured the access to a remote system thru PFCG role catch in ERP from HCM system and creating RFC trusted between both systems. It works if the user access without SSO at logon but with SSO implemented when the user tries to use the transaction of the roles (and then is the windows AD credentials that is accessed) it prompts for user and password.

      The ERP system is an ERP 6.0 EHP6. The HCM is an ERP 6.0 EHP4 where SPNEGO cannot be implemented due to low patch level.

      any suggestion for my scenario to get it work?

      bruno

      Sandra Thimme
      Blog Post Author

      Hi Bruno,

      so the second system is using logon tickets. Please have a look on the following correction SAP note 2044027.

      Let me know if it works.

      Regards,

      Sandra

      Former Member

      hello Sandra,

      thank you very much. It worked! Another info if you can. Does it exist a way not to use SSO? Can be used a different link not to login automatically in SSO with SPNEGO active?

      thank you.

      Shravan Adurukatla

      Hi Sandra,

      We now have NW SSO with SPNEGO  setup working for SAPgui 730, So now are doing a POC with GUI 740 plus NWBC 5.0. Added one of ABAP system in SAP GUI 740 which works for SSO but when the same system description pulled in NWBC , it asks for Log in credentials.

      Can you help us if there is any additional setting to be done for NWBC to work for SSO?

      Thanks in advance,

      Shravan

      Former Member

      Hi Shravan,

      there are no additional settings on NWBC side. If you see the description, just choose it as you can see it on my screenshot:

      SNC.PNG

      Please check your SPN-Entries. Different technologies (SCN and SPNEGO) need different Service Principal Names. I am afraid you have to open a message. Here on Product Management Side we cannot reproduce your problem.

      Good luck,

      Regards,

      Sandra

      Shravan Adurukatla

      Detailed Discussion open with more details and issue screen shots, Can you please check here and help me on this regard, thanks

      SSO For NWBC 5.0 not working

      Michael Sachs

      Hi Sandra,

      this is very useful information indeed. Is this procedure limited to SPNEGO/Kerberos scenarios? We have a "full-blown" PKI infrastructure which we use with SAP Netweaver SSO 2.0 Secure Login Client to achieve SSO. This works fine, but if I try to create a connection as outlined in step 3, the client still prompts for username and password. I even activated the "Use Secure Login Client" checkbox in the XML configuration file, but without success.

      Best regards,

      Michael

      Former Member

      Hi Sandra,

      Great articles!  I'm having a problem with NWBC 5.0 PL9 and SAPGUI 740 PL4.  I'm using the SAPUILandscapeGlobal.xml file stored on a central file share which all the NWBC clients point to.  It has worked well.  We just enabled SSO so I've added the SCN information to the xml file.  When I open SAPGUI, everything works like a charm.  When I open NWBC, it does not - I'm still getting prompted for a logon.  Any thoughts?

      Thanks in advance,

      -Wayne

      Former Member

      For those using the SSO scenario - Kerberos+SNC and already got it working on SAPGUI but struggling with NWBC SSO like me, please check your IE settings, under the security -> Any zone -> Custom Level -> Scroll to the bottom -> User Authentication -> Logon -> Select “Automatic logon with current user name and password”

      The SLC is only working with SAPGUI, but NWBC@business client relies heavily on IE.