Channel: SCN: Message List - SAP Single Sign-On

Re: SSO 2.0 SP04 Assistance


Hi.

 

Did you set your environment variable SECUDIR to $(DIR_INSTANCE)/sec?

Also, could you confirm that the password you set as the keytab password during the creation of the PSE file is the same as the password set for your service user?

 

Regards,

Florence


Re: Unable to Start Up ABAP Instance due to snc/enable=1


Hi Ura,

 

You have a double CN and also I don't see the step setting up Keytab (sapgenpse.exe) and Kerberos in the ABAP system (Transaction spnego).

 

 

Regards,

Ridouan

SSO based on Kerberos Token


Hi All,

 

I have configured an ABAP system to re-use my Windows authentication.

My system is starting fine but SAPGUI is giving me the following issue:

 

Screen Shot 2014-11-30 at 23.02.24.png

Any clues?

 

Thanks very much.

 

Regards,

Ridouan

SSO for Personas embedded in Oracle WebCenter Portal


Hello All,

 

We have a requirement to implement SSO (single sign-on) for Personas 2 for NW 7.4 AS-ABAP ECC 6 EhP 7 (ABAP stack only).

The Personas will be embedded as a link in the Portal [Oracle WebCenter Portal].

The end user first logs in to the Oracle WebCenter Portal with user credentials which are maintained by Oracle IDAM (Oracle Identity and Access Manager), which provides user authentication. User IDs will be the same across Oracle Portal, Oracle IDAM, and SAP ECC ABAP.

 

I have gone through several threads in the SCN forums, but was not able to get a sense of the approach discussed anywhere.

Personas 2.0 by default tries to authenticate using X.509 certificates if present in the system.

Also we can set up web SSO using SAML.

 

What would be the ideal approach for my problem statement above? Please let me know.

Do we have any setup guide in SMP for this?

 

BR,

shyam

Re: SSO 2.0 SP04 Assistance


Hi Alexander,

 

I have now modified my user mapping option to Principal@Realm and Virtual User.

 

I did bind my UME to AD and it was successful, but now that you mentioned, I checked on Identity Management and it seems that users are not being pulled out from LDAP. I think that this is the root of the issue.

 

Regards,


Tom

Re: SSO based on Kerberos Token


Hi All,

 

I have removed the 'CN=' from the SNC-name and now I am getting another error message:

The encryption type requested is not target 'p:SL-JAVA-DP7@SAIC.COM'

 

Regards,

Ridouan

Re: SSO for Personas embedded in Oracle WebCenter Portal


You need a cryptographic token to be generated after the user has been authenticated, which can be accepted by SAP NetWeaver so it knows who the user is. Since you are authenticating the user using Oracle, it won't be possible to get Oracle to generate an SSO2 logon ticket (the token), so maybe you can use SAML if Oracle supports SAML? If Oracle doesn't support SAML, then I recommend you consider using the credentials of the user issued by Active Directory during the workstation logon to authenticate the user to NetWeaver. It should be possible to do the same with Oracle, so the user is being authenticated using their Active Directory credentials when they log on to Oracle and SAP NetWeaver.

 

Thanks

Tim

Re: SSO based on Kerberos Token


Hi Ridouan,

 

Are you using Secure Login Library or the CommonCryptoLib on your backend as the GSS library (sapcrypto library)? This backend library is not compatible with the Kerberos client you have.

 

KR

Valerie


SSL enabling for Portal system.


Hi Gurus,

 

The SAP AS Java server has to be configured for SSL, so what steps do I need to execute?


The method I am using for configuring SSL is "By using the SSL configuration tool in the SAP NetWeaver Administrator."


Using the above method I am trying to configure the step "Adding New SSL Access Points".


The first step in adding the SSL access point is to select the instance in which we need SSL to be configured (i.e. the AS Java system in this case).


When I try to configure the SSL connection I get SSN errors; please find the attachment for the error screenshot.


Please help me out in solving the errors and configuring SSL for Portal System.


error.png

Re: SSO based on Kerberos Token


Thanks Valerie. I was probably using the Secure Login Library.

 

 

I have created a keytab and a credential file but I am getting the following error message:

 

CDwsGui::vMsgBox: Message box for thread 4440

 

CDwsGui::vMsgBox: message box: GSS-API(maj): No credentials were supplied

 

Unable to establish the security context

 

target="p:CN=SL-JAVA-DP7@SAIC.COM"

 

 

I have enabled the trace for SAPGUI but I can't find any clue why this is happening.

 

sapgenpse seclogin -l shows my service user has access to the credentials file.

 

Any ideas?

 

Regards,

Ridouan

Re: SSL enabling for Portal system.


Hello

 

In versions above 7.1, ICM is responsible for starting the SSL port. In this case, the dev_icm log needs to be checked; it is located in the following folder:

 

\usr\sap\<SID>\<Instance>\work\


When you open the log, there is an error like the following:


[Thr 288] *** ERROR => Parameter "icm/ssl_config_4" not configured, but used in parameter"icm/server_port_4" [icxxpara.c   1408]


The resolution is as follows:

 

1. Open instance profile <SID>_<Instance>_<Hostname> in the following folder:
\usr\sap\<SID>\SYS\profile


2. The parameter icm/server_port_4 is configured:

icm/server_port_4 = PROT=HTTPS, PORT=50001, SSLCONFIG=ssl_config_4

 

However, there is no parameter icm/ssl_config_4 configured in the profile.


3. Please add a parameter like the following to the instance profile <SID>_<Instance>_<Hostname>:
icm/ssl_config_4 = CRED=SAPSSLS.pse

 

Which exact parameters need to be configured in icm/ssl_config_* can be determined from the following document:

 

http://help.sap.com/saphelp_nwce10/helpdata/en/48/49c9363a79350ce10000000a42189d/frameset.htm

 

 

 

Regards,
Tapan
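
A check for the condition behind the dev_icm error in the reply above, as an added example that is not part of the original post: it scans instance profile text for icm/server_port_* entries whose SSLCONFIG value has no matching icm/<name> parameter. The sample profile is constructed, and the function names and the "#" comment handling are assumptions of this sketch.

```python
import re

# Constructed sample profile excerpt (not taken from a real system).
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
icm/server_port_0 = PROT=HTTP, PORT=50000
icm/server_port_4 = PROT=HTTPS, PORT=50001, SSLCONFIG=ssl_config_4
icm/server_port_5 = PROT=HTTPS, PORT=50002, SSLCONFIG=ssl_config_5
icm/ssl_config_5 = CRED=SAPSSLS.pse
"""

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def port_options(value):
    """Split 'PROT=HTTPS, PORT=50001, ...' into a dict with upper-cased keys."""
    opts = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            opts[key.strip().upper()] = val.strip()
    return opts

def missing_ssl_configs(text):
    """List (port_parameter, missing_parameter) pairs for dangling SSLCONFIG references."""
    params = parse_profile(text)
    findings = []
    for name, value in sorted(params.items()):
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        ref = port_options(value).get("SSLCONFIG")
        # The log message on this page pairs SSLCONFIG=ssl_config_4 with icm/ssl_config_4.
        if ref and f"icm/{ref}" not in params:
            findings.append((name, f"icm/{ref}"))
    return findings

if __name__ == "__main__":
    for port_param, missing in missing_ssl_configs(SAMPLE_PROFILE):
        print(f'{port_param} references "{missing}", which is not configured')
```
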

SAP GUI to Authenticate with LDAP without SSO License?


Hi All,

 

I would like to ask whether there is an alternative way to configure SAP GUI to authenticate with our LDAP (MS AD) via SNC without an NW SSO license.

I have done some reading on notes 793191 and 603208; it seems this is not possible.

 

Is there any free Kerberos SNC library for SAP systems on Windows, just to achieve SAP GUI SSO?

 

 

Thank you,

 

Regards,

Ura

Re: SAP GUI to Authenticate with LDAP without SSO License?


Hello Ura,

 

This community is about the product SAP Single Sign-On. If you are looking for alternatives like SAP portal or other technologies, please check the related SCN communities.

 

Regards

Matthias

Secure Login Client does not bring SL Server Certificate


Hello,

 

We want to implement NW Single Sign-On for our SAP systems. We have done the implementation as follows (with the help of the Implementation Guide and http://scn.sap.com/docs/DOC-40179 Implementing Single Sign-On with X.509 Certificates):

 

Secure Login Server

  • We installed NW 7.4 and Secure Login Server 2.0 SP4
  • Configured UME for MS AD
  • Initialized the Secure Login Server
  • Activated SSL
  • Activated SPNEGO
  • Configured Apache Reverse Proxy

 

Secure Login Client

  • Imported Root CA to client
  • Applied Policy Registry files (ProfileDownloadPolicy_xxx.reg)
  • Installed SL Client
  • Inserted “ShowUserPoliciesPage” with the value 1 in the registry path

 

System info is as follows:

SL Server FQDN: mycmnwsso.mycmp.com.tr

SPNEGO User: SL-JAVA-SSO (SPNs: HTTP/mycmnwsso.mycmp.com.tr, HTTP/sso.mycmp.com)

SLA Console URL: https://sso.mycmp.com/slac

Enroll URL: https://sso.mycmp.com:443/SecureLoginServer/slc/getProfiles?grouppolicy...

 

I log in to one of the clients with a domain user. I do not see the SL Server Root Certificate on the SL Client. I opened the trace. There is a “[2014.12.03 17:08:50.754000][WARN ][sbus.exe            ][LOADER      ][ 6300] ERROR(0xA0800200) in sec_get_SEC_DLL: Failed to load library sbusslogin” error.

 

Why can I not get the SL Certificate on the SL Client?

Although I entered the ShowUserPoliciesPage registry entry, I cannot see the Profile tab page in the SL Client tool.

 

Any recommendation about the issue?

 

Can you help, please?

 

Thanks and Regards,

Yuksel AKCINAR

Re: Secure Login Client does not bring SL Server Certificate


Hello,

 

It seems that you did not install the Secure Login Server support for Secure Login Client.

It is not checked in the default feature selection of SAPSetupSLC.exe.

 

-- Stephan


Re: Secure Login Client does not bring SL Server Certificate


Thank you Stephan,

 

I reinstalled with the feature selected. Now the Policy Groups tab has appeared.

And I see some more logs.

 

Trying to solve the other problems now.

Re: SAP Portal 7.3 SPNego and NWBC SSO with ECC


Dheerendra/All,

 

Have you or anyone else implemented, or are you aware of, a working solution with "SAP SSO, SAP GUI and Okta IDP"?

 

As per our understanding, SLS 2 and SL Web Client do not support SAML-based authentication with 3rd-party IDPs.

 

An indirect approach would be to use a customized application to perform the authentication and a redirect to the SL Web Client. We are testing this option and facing an error after authentication by Okta (Error – Template SAML 2.0 App is misconfigured etc).

 

Another option would be to set up a separate AD which would be synced from Okta, and we could use SSO for SAP GUI with Kerberos.

 

In addition, we will be using NWBC, which should work with the solution we choose for SAP GUI (and eventually Fiori).


Any thoughts and input are appreciated.

 

Thanks

 

 

Hari

Re: Secure Login Client 2.0 SP04 Silent Installation


Hi Frank,

 

Thank you for the tips. Unfortunately, I would also require the secure login server support as part of the installation. The extracting part helped a lot. I'll read through the PDF, as suggested.

 

Thank you.

 

Regards,

 

Tom

SSO via Apache Reverse Proxy


Hello,

 

We are trying to implement NW Single Sign-On for our SAP systems.

We are also using Apache Reverse Proxy for our systems.

 

Some info for the implementation:

All Users' Domain : mycomp.com.tr

SL Server FQDN   : nwsso.mycomp.com.tr

Apache Proxy DNS for SLServer : sso.mycomp.com

SPNEGO User : SL-JAVA-SSO (SPNs: HTTP/nwsso.mycomp.com.tr, HTTP/sso.mycomp.com)

SLA Console URL : https://sso.mycomp.com/slac

 

We are using the portal.mycomp.com, bo.mycomp.com and erp.mycomp.com DNSs to reach the SAP systems through Apache.

All systems are members of the "mycomp.com.tr" domain and all users are members of the same domain.

 

My question is:

 

Is it possible to implement SSO when we are using "*.mycomp.com" for URLs although our domain is "mycomp.com.tr"?

And if yes how?

 

Can you help, please?


Thanks and Regards,

Yuksel AKCINAR

Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0


We are trying to use SAP.NET NCo 3.0 to implement single sign-on from a .NET application to an SAP system. In the configuration setup method we are fetching the user name and password along with other configuration information from the configuration file, e.g.:

 

RfcConfigParameters rfcConfig = new RfcConfigParameters();
rfcConfig.Add(RfcConfigParameters.User, ConfigurationSettings.AppSettings["SAP_USRNAME"]);
rfcConfig.Add(RfcConfigParameters.Password, ConfigurationSettings.AppSettings["SAP_PWD"]);
rfcConfig.Add(RfcConfigParameters.Client, ConfigurationSettings.AppSettings["SAP_CLIENT"]);

......and so on for other parameters

 

We are looking for a way to implement SSO with Windows authentication where there will be NO need to pass user ID and password explicitly. We also have the SNC configuration and other required files available with us.

Any relevant code snippet or pointer addressing this will be of great help.

 

Thanks in advance
