11 Comments


  1. santhosh G

    Hi Donka,

    Thanks for sharing the Details on multi domain Configuration.

    I have an issue with SSO multi domain.

    We have 2 domains: one is Windows AD (A Company) and the other uses a Citrix domain (B Company).

    Changed the password of the service and updated in config tool and rested the system.

    Company A users don't have an issue logging in via SSO, and the Citrix domain users are unable to log in via SSO.

    Please let me know how I can fix the issue.

    Thanks in Advance.

    SNC: KERBEROS AUTHENTICATION


    Logs:


    #2.0 #2015 10 12 18:04:07:759#0-700#Error#com.sap.security.core.server.jaas.spnego.util.SPNEGOUserMappingUtil#
    #BC-JAS-SEC#security#C000AC140A3625810000000000000D4C#7640950000000004#sap.com/SecureLoginServer#com.sap.security.core.server.jaas.spnego.util.SPNEGOUserMappingUtil#Guest#0##4D77E728714611E5A6C6000000749776#4d77e728714611e5a6c6000000749776#4d77e728714611e5a6c6000000749776#0#Thread[HTTP Worker [@524425904],5,Dedicated_Application_Thread]#Plain##
    Could not search for user by logon id: saptest
    [EXCEPTION]
    com.sap.security.api.NoSuchUserException: USER_AUTH_FAILED: User account for logonid “xxxxxxxx” not found!


    Regards

    Santhosh

    (0) 
  2. Srinivasarao Polimera

    Hello,

    Thanks for sharing valuable information. I need some help in a similar case. I have a scenario: we have company A and an HR portal within company A. Now company B has been acquired by company A. We have to enable company B to access the HR portal of company A from the company B domain. I think we need LDAP/AD integration. Can anyone suggest and share the necessary documentation on how we can achieve this? The HR portal version is 7.0 and company B IPs can be pinged in the company A domain. This is very critical and urgent. Highly appreciated, please help.

    Thanks in Advance

    Srini

    (0) 
  3. Ming Feng

    Hello Donka,

    We have implemented SSO (SNC with Kerberos) on Windows Server, and we would like to migrate our ERP server to Linux Redhat6 from Windows 2012.

    I wonder if we need to do some prerequisites on the Linux server for SSO, or can SSO not be implemented on a Linux server?

    Thanks in advance

    Ming Feng

    (0) 
  4. Rahila Zahir

    Hi Donka,

    Thanks for this very helpful blog. I have a question regarding SSO in multiple domains. We are talking about two domains, abc.de and efg.com, which do not have a trust between them. The system XYZ in question resides in the domain abc.de. The users of Domain A are able to access it (both SAP GUI and Webgui) through SSO2.0. Until then everything seems good. The Service Principal User has two Service Principal Names:

    HTTP/xyz.abc.de
    SAP/KerberosXYZ

    Now comes the second domain, efg.com. The users in the second domain are required to access the system XYZ (just the Webgui) per SSO, which is otherwise accessible WITHOUT SSO since the firewall rules let it in the domain efg.com.

    We have created a service principal user in domain B with the same Service Principal Names as in the first one (HTTP/xyz.abc.de and SAP/KerberosXYZ). Only the name of the Service Principal user is different! We expected just to use the transaction spnego and get it done with, which means adding the second entry in the transaction for the Kerberos User Principal also. So the entries in the transaction now look like this:

    xyz.abc.de@ABC.DE
    xyz.abc.de@DEF.COM

    Unfortunately, SSO is still working for just the first one, with the same domain.

    The keytab was previously generated for the first case in the first domain ABC.DE using:

    Keytab 1 (set and working already)

    /usr/sap/xyz/DVEBMGS00/sec
    sapgenpse keytab -p SAPSNCSKERB.pse -x pass1 -a KerberosXYZ@ABC.DE
    sapgenpse seclogin -p /usr/sap/XYZ/DVEBMGS00/sec/SAPSNCSKERB.pse -x pass1 -O xyzadm

    Keytab 2 (not set yet)

    What do we do for the second one? Generate another keytab under /usr/sap/XYZ/DVEBMGS00/sec using…

    sapgenpse keytab -p SAPSNCSKERB.pse -x pass2 -a KerberosXYZ@EFG.COM
    sapgenpse seclogin -p /usr/sap/XYZ/DVEBMGS00/sec/SAPSNCSKERB.pse -x pass2 -O xyzadm

    Should we generate both the keytabs after setting the snc_enable to 0 afresh?

    I look forward to your valued input. Perhaps it could help those who are struggling with the same issue.

    Thanks and Best Regards,
    Rahila Zahir

    (0) 
    1. Donka Dimitrova Post author

      Hello Rahila,

      When there is no trust between the domains, you have to use Option 2 described in the blog. If you face any issues, please create a CSS ticket.

      Regards,

      Donka Dimitrova

      (0) 
  5. Drasko Budac

    Hi Donka,

    I'm facing some problems while implementing SSO Kerberos for SOLMAN. The AS ABAP (SOLMAN) is in one domain and the users are in a second domain.

    SSO via SAPGUI works, but not via web browser. In SPNEGO I've set up the key tab, but somehow I have the impression it is not complete: there are no tabs in the lower part of the screen (please compare the attached picture). Could you please advise?

    Furthermore, as you explained in your tab, do I have to set up one key tab for every Domain anyway?

    Regards

    Drasko

    [Attached image: TC SPNEGO.PNG]

    (0) 
  6. Harish Madhavadas

    Hello Donka

    Thank you for sharing the information. It was really helpful.

    I would like to seek your expert advice on the approach to be followed for SSO. Is it mandatory to go for the SAP Single Sign-On product to achieve the Kerberos scenario, or can we do AD integration with the SAP stack to achieve the same? Are there any disadvantages to going for AD integration with the SAP stack?

    Regards
    Harish

    (0) 
