Channel: SCN: Message List - SAP Single Sign-On

Re: BPC SSO using Client Certificates


Thank you. I now have your PDF for EPM add-in. This is what we are discussing, since there are no doubts about BEx using SNC for SSO. I have therefore ignored your PDF for BEx.

 

In your PDF you show the Connection being created and no Sign-On screen. This is not the same as when I try... Maybe you can help me find out why.

Here's what I tried:

  1. I open Excel
  2. I select EPM tab
  3. I press Log On button
  4. Screen opens allowing me to select a connection. I haven't created a connection yet, so I press ...
  5. On Connection Manager screen I press Create button
  6. I give the connection a name and put the URL into the Server URL field.
  7. I am unable to press OK on the Create Connection screen since OK button is greyed out. I therefore press the Connect button.
  8. When I press Connect button on Create Connection screen I am shown a Sign-On screen asking me for User Name and Password.

How does the above differ from what you are doing?

 

Thanks for your help.

Regards,

Tim


Re: BPC SSO using Client Certificates


Okay, I understand your issue better now.

 

Yes, you first need to connect before you can click Okay.

 

But for me, when I click connect, I do not get a popup.

 

 

 

 

Could you confirm that the web GUI is working correctly for your BPC ABAP backend?

 

You can do this by opening a browser and going to this URL:

 

e.g. : http://<hostname>:<port>/sap/bpc/

 

When I do this I get this in my browser:

 

But the important thing is there is no additional log on screen or prompt

 

e.g. a logon screen with a system that is not configured with ABAP HTML SPNEGO:

 

 

 

I hope this helps...

 

Kind Regards,

chris

Re: BPC SSO using Client Certificates


Yes, when I access http://<hostname>:<port>/sap/bpc/ I am logged in. I configured SPNEGO in the SICF service at default_host/sap/EPM_BPC.

 

The info you have provided has given me a few ideas. I will do some more tests and get back to you soon. Thank you so far for your help.

 

@Dennis - sorry to take over your thread. Hopefully the info Chris has provided has given you what you needed?

Re: Dual domain SPNEGO SSO - single domain UME


Hi

 

This issue is now resolved. UME is set up towards the one AD and SPNEGO is set up with two realms, one for each domain, with usermapping set to principal only. Each realm needs a service account and an SPN for this account and the portal URL in the corresponding domain.

Of course the browser settings also need to be in place. The specific settings are described in the SPNego Configuration Guide (attached to note 1488409).

 

/Jacob

Re: SAP Portal 7.3 SPNego and NWBC SSO with ECC


You should configure the NWBC connection to point to your AS ABAP and define the ICF service (or alias in this case) to use SAML authentication. If NWBC still gives the security warning, you should be able to suppress it with AllowTemporaryConnections. Make sure you set the setting in the admin template NwbcOptions.xml.template.

Re: BPC SSO using Client Certificates


Chris,

 

I have made some progress, but I am still having some difficulty with the EPM add-in. I wondered if you could send me a Fiddler trace showing the logon working so I can compare with my trace and check for differences?

 

Thanks

Tim

Re: SAP Portal 7.3 SPNego and NWBC SSO with ECC


When I meant sapserver in the URL in my previous post, it is the AS ABAP connection. Sorry for the confusion.

 

Additionally, I still get the same blank screen when I set the AllowTemporaryConnections to True in the NwbcOptions.xml.template.

 

I am not sure what you mean by (alias in this case)?

 

https://<AS ABAP hostname fqdn>:44301/nwbc

https://<AS ABAP hostname fqdn>:44301/sap/bc/nwbc

 

None of these URLs work.

Also, on a different note, I configured NWBC-SSO on another AS ABAP system via the SAP portal's redirect application suggested by you in your previous posts. It's the exact same behaviour in this case too. It just stops at a blank screen. However, if I close the pop-up window and click on the connection again, it does SSO in the AS ABAP via the redirect portal app and works as expected.

 

But this is not the case for the SAML SSO. Am I missing something?

 

Thanks for your support in this issue. You have been a great help so far.

Re: SAP Portal 7.3 SPNego and NWBC SSO with ECC


In this case the ICF external alias is /nwbc, I assume you have configured it to use SAML? Can you use Fiddler to see what URLs are being accessed and in what order? Do you get the blank screen before redirecting to the IdP or after returning from it? I think you should create a new discussion thread regarding your problem since it's off topic for this discussion thread. On a related note this discussion thread was originally created in the wrong space, this space is for topics regarding the NWSSO product. Create a new discussion thread in the SAP NetWeaver Application Server space and name it accordingly (e.g. "SAML based SSO in context of NWBC for Desktop").


Re: Parallel operation of SNC Client Encryption and SSO


Hello Carsten,

 

There is the possibility to configure X.509 and Kerberos authentication in parallel on the server side.

It would be ok that one client will be the SNC client Encryption SAP GUI instead of a full SSO Secure Login Client. It makes no difference for SNC on server side.

This scenario will work.

 

best regards

 

Alex

Re: Parallel operation of SNC Client Encryption and SSO


Thanks Alex, for this official statement

Re: BPC SSO using Client Certificates


Hi Tim,

 

Yes I can confirm the SSO is working as soon as the SPNEGO is configured on server side.

In fact, when the logon screen switches to SSO mode (without prompting for a user/pwd), it only depends on the server configuration.

Each time the user selects a specific connection, the EPM Add-In sends a first request (without any authentication info) to the server in order to know which authentication methods it is compatible with.

And in the case the server returns the header "WWW-Authenticate: Negotiate", then it means the SPNEGO is active and the EPM Add-In won't prompt the user to enter credentials...

 

This is a valid scenario for EPM Add-In with BPC MS and NW.

 

To answer Dennis, I just would like to confirm it is also possible to use HTTP Client Certificate authentication from EPM Add-In.

I guess you will find all the information you need in the documentation Donka has provided, but to summarize, when creating your BPC connection in the EPM Add-In, you just have to click on the check box "Client Certificate" and to click on the Button "Choose Certificate" in order to pick up a certificate.

When connecting to the server, you won't be prompted for entering credentials...

 

Hope it helps...

 

Best Regards,

David.

Re: BPC SSO using Client Certificates


David,

I have noticed that when using SPNEGO for EPM add-in authentication, there is no MYSAPSSO2 cookie issued, but instead a SAP_SESSIONID cookie is issued. Is this SESSIONID cookie being used instead of the SSO2 cookie? I noticed that when using Basic Authentication instead of SPNEGO there is a MYSAPSSO2 cookie used.

Thanks

Tim
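
Added example, not part of the original posts: a small parser for saved HTTP responses (for instance exported from a Fiddler trace) that reports which schemes the server offers in `WWW-Authenticate` on the unauthenticated probe David describes, and which cookie names it sets, so two traces can be compared. The sample responses are constructed, and the "prompt-expected" label for a 401 without Negotiate is an assumption.

```python
import re

# Constructed sample responses for illustration; not captured from a real system.
SPNEGO_PROBE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="constructed realm, with comma"\r\n'
    "\r\n"
)
BASIC_ONLY_PROBE = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="constructed"\r\n\r\n'
AFTER_SPNEGO_LOGON = "HTTP/1.1 200 OK\r\nSet-Cookie: SAP_SESSIONID=constructed; path=/\r\n\r\n"

def parse_response(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def auth_schemes(headers):
    """Schemes offered, whether sent as separate headers or comma-separated."""
    schemes = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        # Split only on commas that sit outside double quotes.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            words = part.split(None, 1)
            # "realm=..." is a parameter of the previous challenge, not a scheme.
            if words and "=" not in words[0]:
                schemes.append(words[0].lower())
    return schemes

def cookie_names(headers):
    """Names of the cookies the response sets (values are dropped)."""
    return [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]

def classify_probe(raw):
    status, headers = parse_response(raw)
    if status != 401:
        return "no-challenge"
    # Assumption: without Negotiate the client falls back to asking for credentials.
    return "spnego-offered" if "negotiate" in auth_schemes(headers) else "prompt-expected"
```
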

Re: SAP Portal 7.3 SPNego and NWBC SSO with ECC

SNC Error


Hi,

 

We are implementing NW SSO 2.0 with X.509 based authentication. For now, I have successfully connected the Secure Login client to Secure login Server with my LDAP user account.

 

 

However I am not able to log in via SNC through my SAP system. I am getting the SNC error mentioned below. I exported the SNC certificate from ABAP system and imported my certificate store but it doesn't get populated in my Secure login client.

 

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=Unknown)

N      Could't acquire ACCEPTING credentials for

N

N      name="p:CN=DE1, OU=I0020095220, OU=SAP Web AS, O=SAP Trust Community, C=DE"

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11329]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

Thanks

 

Thilip Kumar

Re: SNC Error


Re: SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory


Hi Cathal,

 

thanks for the guide.

I was able to follow the guide until it came to the topic SPNego wizard.

 

We are on NW 7.0 SP 26.

 

In SPNego there is no Wizard.

 

When I try to activate SPNego, I am getting the information, the system is not finding the encryption keys ...


 

I checked back with my colleagues and I am the first one, that started SPNEGO.

I would expect to get the wizard displayed.

 

I was looking for help concerning this issue on SPNEGO and no wizard and the encryption keys are not to be found, but I have not found the solution yet ...

 

Best regards

 

 

 

Carlos

Re: SPNego for Incident Management


Hi Patrick.

 

We tried to use SPNego because we don't know what SPNego is licensed as a part of NWSSO.

Unfortunately now redirect via portal doesn't work, therefore I use the SSO to portal via SAP Shortcut.

 

--

regards,

Yessen


Re: SPNego for Incident Management


Yessen,

 

Why are you not using SPNEGO on Java stack for Portal SSO?

The SPNEGO on ABAP stack is part of NW SSO product, so is licensed. The SPNEGO on Java stack is not licensed.

If you don't want to pay for a licensed product, you can implement SPNEGO for ICF services such as the service desk application by redirecting to Java stack to authenticate the user, and set up the ABAP stack to trust the SSO2 ticket issued on Java stack.

 

Thanks

Tim

Re: SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory


Hi,

 

I got it running.

The WebDiag tool is worth gold.

There is a section where you can trace SPNego events.

 

It looks like the new SPNego that was shipped out with NW 7.0 SP26 doesn't need the krb5principalname in the J2EE configuration.

 

In my case, SPNego just needs the keys from AD (generated with Java 6.x, via ktab program) and the setting to be set to "Simple" in SPNego configuration, as username in AD and SAP are the same (Log-on ID).

 

Best regards

 

 

 

 

Carlos

Re: SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory


Hi Carlos,

 

Good to hear. I should have mentioned that for the SPNego module there is a good configuration guide attached to note 1488409 that explains the encryption (generation of keytabs) and the user mapping tab in more detail.

 

All the best,

Cathal
