Channel: SCN: Message List - SAP Single Sign-On

Re: ADFS V3.0


Hello Jeremie,

 

This community is for the SAP Single Sign-On product and we can help only if you decide to use our product for secure authentication and SSO for SAP Cloud for Customer solution.

Please post your questions about ADFS integration with SAP C4C in the SCN community here: SAP Cloud for Customer

 

Regards,

Donka Dimitrova


Cannot set SECUDIR | Environmental Variable


Hi, I am trying to configure Single Sign-On based on Kerberos/SPNEGO. I have already successfully configured it on other servers; however, on this one I am not able to succeed.

 

The error I am getting in dev_w0 is the following:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

N        GetUserName()="SAPServiceSH1"  NetWkstaUser="SAPServiceSH1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll

N    File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib

N    Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.42 pl40 (Sep 24 2015) MT-safe

N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-SH1@<DOMAIN>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SL-ABAP-SH1@<DOMAIN>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    271]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    273]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c   2393]

 

Note: Where is <DOMAIN> I replaced with the correct domain.


Possible solution:

How can I permanently set the SECUDIR to F:\usr\sap\SH1\DVEBMGS01\sec instead of C:\Users\sapservicesh1.SNL\AppData\Local\sec?

 

I have executed the following commands:

1. set SECUDIR=F:\usr\sap\SH1\DVEBMGS01\sec

 

2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SH1@<DOMAIN>

 

3. sapgenpse seclogin -p SAPSNCSKERB.pse -O snl\SAPServiceSH1 -N


Profile Parameters:


snc/enable=1
snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
snc/identity/as= p:CN=SL-ABAP-SH1@<DOMAIN>
snc/data_protection/min=2
snc/data_protection/max=3
snc/data_protection/use=3
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/r3int_rfc_qop=8
snc/r3int_rfc_secure=0
snc/force_login_screen=0
spnego/enable=1
spnego/krbspnego_lib= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll

SAPCRYPTOLIB= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll

 

Information:

Command sapgenpse:

Untitled1.jpg

 

Command sapgenpse seclogin -l

Untitled2.jpg

 

Checked the RSBDCOS0 (t-code SE38) and executed the command sapgenpse seclogin -l 2>&1

Untitled3.jpg

 

Command setspn -L SL-ABAP-SH1

Untitled4.jpg

 

Command klist

Untitled5.jpg

SAP Gateway SAML 2.0 and ADFS TOTP


Hi,

 

We want to implement SAML 2.0 so that users can use their AD credentials to login to SAP Fiori.

We have the documentation:

 

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjVyseHnL3JAhVCPBoKHRtNAqMQFggd…

 

However, the AD team has concerns about this configuration as they want to introduce TOTP on the ADFS.

Is there documentation available which talks about this type of scenario?

Specifically without SAP Authenticator or custom app.

 

regards

Keo

Re: SAP Gateway SAML 2.0 and ADFS TOTP


Hello Keo,

This community is about content, questions and discussions regarding the SAP Single Sign-On product and the solutions that are offered with it, like SAP Authenticator. Please post your question in the SCN space for SAP Fiori.

Regards,

Donka Dimitrova

SAP Easy DMS Single signon failure


Dear All,

 

We are currently working on Single sign on for Easy DMS in our 32 Bit Windows machines and it works perfectly by getting the password via Kerberos token. The same is not working on 64 bit windows machines. Please suggest us how to proceed, below is the error message triggered in Easy DMS logon screen. Thanks in advance,

Re: SAP Easy DMS Single signon failure

SNC Error - GSS-API(min): A2200210:Peer certificate verification failed


Hi everyone,

 

I have configured an SAP NW SSO 2.0 SP06 server for a POC. I have further configured a couple of ABAP servers for SNC, and multiple users can log on fine to all the ABAP servers with SSO. Only on one of the ABAP servers, 3 users can successfully log on whereas one user gets the following error while trying to log on with SSO. I am troubleshooting with the user by having him log on from a different working machine and also by having a working user log on via the machine where the issue originally started. But while we get all the troubleshooting results, I wanted to ask if anyone has seen this? I already tried reloading the SSO client on the affected user's machine, but no luck.

 

L_127B.tmp.PNG

Re: SNC Error - GSS-API(min): A2200210:Peer certificate verification failed


Re: SAP Easy DMS Single signon failure


Hi Christian,

 

The Wiki page was very informative. Please find below the error message I am getting with the SNC LIB provided.

 

Logon failed (RFC_ERROR_COMMUNICATION)!

SAP_CMINIT3 : RC =20 > Connect to SAP gateway failed

Connect_PM GWHOST = IP ADDRESS, GWSERV = sapgw01s, SYSNR=01

 

Location     CPIC (TCP/IP) on local host with unicode

Error          GSS-API(maj):

                   STOP! -- initial call to gss_indicate_mechs() failed

Release 721

Component SNC (Secure network Communication)

Version 6

Module sncxxdl.c

line 572

detail SncPDLInit

Sysrem Call gss_indicate_mechs

counter 33

 

 

Regards
Paval

Using IDM 8 as identity provider


Hello Team,

 

I need some guidance over here.

 

Please refer to the scenario below.

 

1. I have NW SSO 2.0 server and IDM 8.

2. We DON'T have any other user source for authentication (e.g. AD, LDAP etc.)

3. Hence we are planning to use IDM 8 as user authentication source.

So, the system architecture will be that IDM will be treated as user source and connected to SSO 2.0.

 

Once the user is authenticated they will be allowed to use SAP ECC.

 

So based on this, we were planning to use SAML 2.0 method.

However, I would like to know if I can use this method; if not, which other configuration method is applicable here?

 

 

Regards,

Yatin Phad

Re: Using IDM 8 as identity provider

Re: Using IDM 8 as identity provider


Hello Donka,

 

Thank you for the quick response.

 

From the standard documentation, I found that to establish an assertion the user needs to be available both in IDM (identity provider) and SLS (service provider).

 

Please correct me on this understanding.

 

Regards,

Yatin Phad

Re: Using IDM 8 as identity provider


Hello Yatin,

 

These two providers are responsible for two different authentication types, but both could be configured to use the AS JAVA UME as user store. Both will be OK when you provision your SAP IDM users to AS JAVA UME. What you need to decide is which technology to choose: X.509 client certificates or SAML. The AS ABAP server could be configured for both, but if your company is still using SAP GUI, you have to go for X.509 client certificates.

If you are interested I can organize a remote session for you and your team and we can discuss the details and I will be able also to show you a demo. If you are interested just send me a message on donka.dimitrova at sap.com

 

Regards,

Donka Dimitrova

Re: SNC Error - GSS-API(min): A2200210:Peer certificate verification failed


Thanks Prithviraj for your time. I already looked at these notes yesterday. 1965519 is the only note I could find with some relevance to the error I get, but I don't have multiple PSEs in STRUST with the same name. If that was the case then all 4 users trying SSO to that ABAP server should have got the same error. In our case 3 out of 4 users are successfully able to connect to the ABAP server with SSO and only one gets this error.

 

Regards,

Pankaj

Re: SAP Easy DMS Single signon failure


Hi Paval,

 

which SNC product are you using on the frontend?

 

Best regards,

Christian


Re: Cannot set SECUDIR | Environmental Variable


Hi André

 

Does the ABAP system have the SETENV, SECUDIR parameter set within the instance profile?

 

i.e. SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec

 

Rgrds

Craig

Re: SAP Easy DMS Single signon failure


Hi Christian,

 

We are using SAP NetWeaver Single Sign-On

Version 2.0

Patch Level 1

32 bit version.

 

Regards,

Paval

Re: SAP Easy DMS Single signon failure


Hi Paval,

 

it should work from SAP SSO side. Please create an OSS message so that the developers can review the installation details, also for the Easy DMS client.

 

Best regards,

Christian 

Re: Cannot set SECUDIR | Environmental Variable


Hi Craig,

I have that parameter already set, but it doesn't work.

 

In the trace file dev_w0, is it normal that this appears?

N    File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)


Instead of "C:\Users\sapservicesh1.SNL\AppData\Local\sec", in my case should it not be "F:\usr\sap\SH1\DVEBMGS01\sec"?


Other question:

Which name should my SNC SAPCRYPTOLIB PSE generated in STRUST have when I create it?

Re: Cannot set SECUDIR | Environmental Variable


Hello Andre,

 

Have your other servers where you have done it also been Windows servers?

 

Anyway, open a command window as sh1adm and run the "set" command. This will confirm if SECUDIR is set properly/permanently.

 

For Windows you do have to set it permanently in the Windows user environment.

 

Hope that helps.

 

KR,

 

Amerjit
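
An added illustration of the check discussed in this thread (not code from any of the posters or from SAP): a small Python parser that pulls the resolved SECUDIR, where it was taken from, the SNC identity and the first GSS-API major error out of a dev_w0 SncInit() section, and compares SECUDIR with the directory the administrator expects. The function name `check_snc_trace` and the constant `SAMPLE_TRACE` are hypothetical; the trace lines are copied from the excerpt posted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Trace excerpt copied from the dev_w0 lines quoted in the thread
# (<DOMAIN> is left as the poster wrote it).
SAMPLE_TRACE = r'''
N  SncInit(): found  snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
N    SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)
N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-SH1@<DOMAIN>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]
N        GSS-API(maj): No credentials were supplied
'''

SECUDIR_RE = re.compile(r'SECUDIR="([^"]+)"\s+\(from\s+([^)]+)\)')
IDENTITY_RE = re.compile(r'found\s+snc/identity/as=(\S+)')
GSS_MAJ_RE = re.compile(r'GSS-API\(maj\):\s*(.+)')

def check_snc_trace(trace, expected_secudir):
    """Return (facts, findings) for one SncInit() section of a work process trace."""
    facts = {"secudir": None, "secudir_source": None,
             "identity": None, "gss_error": None}
    for line in trace.splitlines():
        if (m := SECUDIR_RE.search(line)):
            facts["secudir"] = m.group(1)
            facts["secudir_source"] = m.group(2).strip()
        elif (m := IDENTITY_RE.search(line)):
            facts["identity"] = m.group(1)
        elif (m := GSS_MAJ_RE.search(line)) and facts["gss_error"] is None:
            facts["gss_error"] = m.group(1).strip()  # keep the first major error only
    findings = []
    if facts["secudir"] is None:
        findings.append("no SECUDIR line found in trace")
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    elif PureWindowsPath(facts["secudir"]) != PureWindowsPath(expected_secudir):
        findings.append(
            f'SECUDIR resolved to {facts["secudir"]} '
            f'(from {facts["secudir_source"]}), expected {expected_secudir}')
    if facts["gss_error"]:
        findings.append(
            f'GSS-API major error for {facts["identity"]}: {facts["gss_error"]}')
    return facts, findings

if __name__ == "__main__":
    _, findings = check_snc_trace(SAMPLE_TRACE, r"F:\usr\sap\SH1\DVEBMGS01\sec")
    for finding in findings:
        print(finding)
```

The "(from ...)" suffix on the SECUDIR line is the part to watch: in the posted trace it reads APPDATA, so the work process was using the service user's profile directory rather than the instance directory where the PSE and credentials were created.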
