Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server
Your company is using Secure Login Server (SAP Single Sign-On) to issue short-lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape.
Your company is also using Microsoft Active Directory, and now you want to reuse the Kerberos tokens issued by the MS Domain Controller (KDC) for Single Sign-On with Secure Login Server X.509 client certificates.
After implementing this scenario, your domain users will have to authenticate only once, using their Microsoft Active Directory credentials. They will then be authenticated automatically to any SAP or non-SAP system that requires short-lived X.509 client certificates and where they have been granted authorizations.
In my new guide, "SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates", you will find step-by-step instructions on how to implement this scenario:
Hi,
We have implemented the exact configuration steps that are published in your document to enable SSO. SSO for the ABAP system works fine, but SSO for webgui does not work even after maintaining the RootCA certificate in STRUST and mapping the user in transaction EXTIN_DN. Could you please advise what I am missing, or can you share documentation for enabling SSO for webgui using "SPNEGO based single sign-on using secure login server X.509 client certificate"?
Thank you in advance.
Syes Rasheed.
Hello Syes,
Please create a CSS message and provide the ICM traces. The information you provide is not enough to find what you are missing.
Regards,
Donka Dimitrova
Good Morning Donka
I have ERP 6.0 SR3 using only ABAP System install with all latest support stack, but T-Code SPNEGO is not working. We do not install JAVA Stack.
Please review Screen shot
Thanks
Tejas
Hello Tejas,
As mentioned by my colleague in the other post, you have to check the SAP Note: https://service.sap.com/sap/support/notes/1798979.
Seems you have to update your Kernel if you want to use the T-Code SPNEGO.
See the supported SAP_BASIS Component Supported Packages:
Support Packages & Patches

Software Component   Release   Support Package
SAP_BASIS            702       SAPKB70214
SAP_BASIS            730       SAPKB73010
SAP_BASIS            731       SAPKB73107
SAP_BASIS            731       SAPKB73109
SAP_BASIS            740       SAPKB74002
SAP_BASIS            740       SAPKB74004

Software Component                 Support Package   Patch Level
SAP KERNEL 7.21 32-BIT             SP041             000041
SAP KERNEL 7.21 32-BIT UNICODE     SP041             000041
SAP KERNEL 7.21 64-BIT             SP041             000041
SAP KERNEL 7.21 64-BIT UNICODE     SP041             000041
SAP KERNEL 7.21 EXT 32-BIT         SP041             000041
SAP KERNEL 7.21 EXT 32-BIT UC      SP041             000041
SAP KERNEL 7.21 EXT 64-BIT         SP041             000041
SAP KERNEL 7.21 EXT 64-BIT UC      SP041             000041

For more details, see the note.
Regards,
Donka Dimitrova
Hello Donka,
Thank you for this documentation. It works fine, but now I have to find a way to do user mapping between SAP NW SSO 3.0 and some SAP AS JAVA without homogeneous users. Can you recommend documentation describing the necessary configuration?
Best Regards
Andreas