NWBC and SSO: Logon with/without SNC (Secure Network Communication)
If SNC is activated in SAP GUI and in NWBC, the logon popup never appears again.
This is exactly what you would expect from a
Single Sign-On technology, but sometimes you might still want to have a logon popup (for testing purposes for example).
If you have previously used the SAP Logon Pad, you might know the options SNC Logon with Single Sign-On (Enter) and SNC Logon without Single
Sign-On (Shift+Enter).
Unfortunately we do not have this kind of “switch” in NWBC.
Fortunately however there is a workaround:
You can use the existing external service (delivered with 7.40) /nwbc-no-sso.
This alias calls the NWBC service without support of certificates and always forces a logon screen.
Alternatively, you can create your own external alias in transaction SICF.
See: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/78/9852bdc06b11d4ad310000e83539c3/frameset.htm
Hi Sandra,
thanks for the workaround.
unfortunately this works only as long as you stay in the web world. as soon as you enter the first abap transaction in nwbc which starts sapgui implicit, you get again the logon screen. and if you have a certificate you just have the option to choose one of your mapped user (snc), hence no chance to enter again the same user/password as in nwbc...
it would only work if you remove the <SaplogonDescr> Parameter in the nwbcoptions.xml file... but then snc is deactivated
do you have a solution that snc can still be activated?
Regards Marc
Hi Marc,
if you'd like to activate SNC for your NWBC connections you have to enter your SNC SAP GUI connections to the NWBC Log on description:
http://scn.sap.com/community/netweaver-business-client/blog/2014/02/24/simplify-secure-data-access-nwbc-meets-single-sign-on
Regards,
Sandra
Hello Sandra,
I have tried your description but it doesn`t work. NWBC still uses SSO. I should have a possibility to log in with another SAP User for tests.
I have created a new external Alias named /nwbc-no-sso and deleted the Logon through SSL Certificate.
I used this URL: https://servername.domain:port/nwbc-no-sso/ for testing.
Should I do some more things or does this workaround not work anymore?
KR
Carmen
Hi Carmen,
Quick and dirty solution (not officially supported): IE Explorer => Internet Options => security =>Trusted sites, choose Custom Level and select “Don’t prompt for client certificate selection when no certificates or only one certificate exists”. Select “Disable”. If you start Business Client again you can see which certificate will be used and you have the possibility to cancel the request => logon popup will appear.
The supported solution is to create a new external alias (/nwbc-no-sso, Trg Element: /default_host/sap/bc/nwbc, description “this alias calls NWBC service without support of certificates and forces a logon screen) in transaction SICF. An alias where you delete option 2 (Logon Through SSL certificate) inside Logon Data/Logon Procedure as described in the blog.
Regards,
Sandra
Hi Sandra,
I just followed the supported solution:
Now I can log on with an other user/pwd (means: no sson), but when I click on UI5 apps i(embedded Edge/Chrome) the system user is still used.
I can see it in the log.
The nwbc shows me the logged on user.
Is there a solution in BC for that testing szenario?
Thank you
Hans-Dieter
Hallo Hans-Dieter,
könntest du mir sagen, was genau du machst? Also ohne SSO anmelden - o.k. Und dann? Klickst du auf eine Kachel im Fiori Launchpad (UI5 App) ? Du nutzt die FLP Verbindung im Business Client? Und welcher Browser? Chromium (CEF)? Oder tatsächlich Edge? Du schreibst: "i(embedded Edge/Chrome)"
Chromium based on the Chromium Embedded Framework (CEF) which embeds Chromium core as web browser engine
Edge based on Microsoft’s WebView2 control which also embeds Chromium core
Erkläre es mir bitte noch ein bisschen genauer und verrate vielleicht auch, was genau du vorhast :-).
Das wäre hilfreich.
Es kann sein, dass wir am Ende doch noch ein Ticket brauchen......
Would it be fine for you to create a ticket? Component BC-FES-BUS-DSK. Including version info and traces. That would be great!
Regards,
Sandra
Hi,
I am on 7.40 but cannot find this existing no-sso service, or am I looking in a bad way (SICF?)..
M.
Hi Michal,
you are looking the right way. If the service is not available in your system please create your own service. Choose alternative logon procedure, delete logon with SSL and select SAP Assertion tickets as logon procedure.
Regards,
Sandra
Hi Sandra,
we have the problem only in Business Client 6.5.
When we are using BC 6.0 and are starting a link to a Fiori App (SSO) there will appear a SSO PopUp only one time. That's OK.
After closing the created tab in BC6.0 an starting the Link to the Fiori App again, no PopUp will appear again. Great !!
In BC 6.5 every time starting the link a PopIp for the SSO is shown. That's a problem using the BC 6.5.
What can be done to solve the problem because we want to use BC 6.5 (Belize theme).
Thanks and regards,
Thomas
Hi Thomas,
it is not that easy to just compare 6.0 with 6.5. It really depends on Patch-Levels, tentative new systems with different settings, Back-end-Changes. Only updating BC without touching anything else the behavior you describe is not reproducible in my environment. We'd need the traces. So you have to open a ticket to reproduce that issue.
Regards,
Sandra
Hi Sandra,
yes I agree with you. But nevertheless if you want to use BC6.5 with a (business client connection) and there you have some links to Fiori apps (SSO) the shown SSO-PopUp should only be prompted once and not every time you click on the link.
What would you do to solve this problem ?
Regards,
Thomas
SAP Business Client 6.5
Hi Thomas,
I could use Chrome with our new beta version.
As a workaround without Chrome you could switch to the browser engine internetExplorer (Loosing the advantages of the multi-process-design). The logon popups should disappear. Try it.
NwbcOptions.xml: <PreferredBrowserType>Type</PreferredBrowserType>
Meanwhile you have to check your requests/certificates. For the Fiori Apps you have to check the logs on the fronted server. FLP standalone in Chrome=>F12 key =>jQuery.sap.log.setLevel(5).
And I guess then it's time to open a message on the FLP component.
Regards,
Sandra
Hello Sandra,
is this workaround still the prefered solution to prevent automatically login by SSO?
In the SAP UI Landscape Configuration Guide i found the attribute "Ssoparameter" which can be configured to "spnego=disabled" but unfortunately I couldn't get this to work. This sound to me like it should be the prefered option?
When i don't use the Business Client and instead access the System by browser with the option "?spnego=disabled" it is working like a charm.
Regards
Boris