Channel: SCN: Message List - SAP Single Sign-On

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

You need to use Kerberos credentials of the user that are delegated to the .NET server. Then the RFC connection string needs to include appropriate SNC parameters. You need an SNC library installed on your .NET server that supports Kerberos. Do you have a Kerberos SNC library on the SAP ABAP system?


Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

Hi Tim,

Yes we have Kerberos as Kerberos library = @"C:\Windows\SysWOW64\gsskrb5.dll"

 

How can we configure the RFC connection string to include these parameters? Do we need to add them as parameters in RfcConfigParameters, as shown in the question?

Any code example would be a real help.

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

Is the gsskrb5.dll being used on both the ABAP system and the .NET server?

Secure Login Client - Kerberos Token disappeared

Dear Colleagues,

We are using Secure Login Kerberos Token for our SSO in the SAP GUI. SAP GUI Version is 7.30 Patch 5 and Secure Login is Version 2, Support Package 3, Patch level 2.

In rare cases end users are not able to log in via SSO. When we check the PC and open SAP Secure Login Client, we find that there is no Kerberos Token to select. At the moment our solution is to reinstall the whole SAP Secure Login Client with the SAP GUI for the user.

We are not sure why a Kerberos token would suddenly not be available in the SAP Secure Login Client. Any idea in which area to look?

Regards,

Alexander

Re: Secure Login Client - Kerberos Token disappeared

Hello Alexander

One reason can be that the lifetime of the Kerberos token has elapsed and it has been removed from the SLC.

Thanks.

Tapan

Re: SSO via Apache Reverse Proxy

Hello Yuksel

The domain of the user and FQDN of the server can be different.

Thanks.

Tapan

Re: SSO via Apache Reverse Proxy

Thank you Goyal.

We passed that part and are stuck on the Apache Reverse Proxy now.

Since there is an Apache Reverse Proxy Server between clients and the Java or ABAP server, the certificate is not transferred to the backend system.

Does anybody know how to configure Apache Reverse Proxy to transfer the SL Server certificate to backend systems?

Thanks and Regards,

Yuksel AKCINAR

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

Hi Tim,

SNC_MYNAME is optional. In many SNC implementations there exists only a single identity per PSE, and then you can only use the one that exists anyway.

Best regards,

Markus


Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

There is no PSE involved here - PSE is a proprietary file format used on NetWeaver servers, and not applicable to this discussion. Instead, we are talking about a .NET application that has Kerberos credentials delegated from a workstation, and these delegated credentials will be stored by IIS in the Windows LSA cache. So, the GSS library being used on the .NET server needs to know the Kerberos principal name of the user before it performs the init_context, or it needs to be told the principal name using the SNC_MYNAME param. So, it entirely depends on how the GSS library has been coded and whether it is able to know the principal name, or if it needs to be told.

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

Hi Tim,

I should have been more precise that I was referring to the PSE as an example. Well, anyway, if there is a default for an SNC implementation, it will be used when SNC_MYNAME is not specified. And if the GSS library depends on it, no one prevents you from specifying a value.

Best regards,

Markus

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

The SNC library being discussed here is called gsskrb5.dll and this library doesn't use the correct default principal name in a .net environment, so code needs to be developed that gets the principal name of the delegated principal/user and passes this as SNC_MYNAME (with p: prefix).

 

Many of our customers are using a similar approach, but using our sncgss32.dll or sncgss64.dll library instead of gsskrb5.dll, and we have developed code to determine the correct SNC parameters to specify in the RFC call (including SNC_MYNAME). The same code would be required when using the gsskrb5.dll
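
As an added illustration of the question about RfcConfigParameters and of the SNC_MYNAME point above (this is not code from any poster or from SAP): a C# sketch that maps the impersonated Windows identity to an SNC name with the p: prefix and sets the SNC parameters on an SAP .NET Connector 3.0 destination. The host, system number, client, realm and partner name are placeholders, and deriving the principal as account@REALM is an assumption that must match your Active Directory.

```csharp
using System;
using System.Security.Principal;
using SAP.Middleware.Connector;   // SAP .NET Connector 3.0 (sapnco.dll)

static class SncDestination
{
    // Assumption: the Kerberos realm is the upper-case AD DNS domain (placeholder).
    const string Realm = "DOMAIN.ORG";
    // Assumption: SNC name of the ABAP system, as set in snc/identity/as (placeholder).
    const string PartnerName = "p:SAPServiceSID@DOMAIN.ORG";

    // "DOMAIN\user" (impersonated Windows identity) -> "p:user@REALM"
    public static string ToSncName(string windowsName, string realm)
    {
        int slash = windowsName.IndexOf('\\');
        string account = slash >= 0 ? windowsName.Substring(slash + 1) : windowsName;
        if (account.Length == 0 || account.Contains("@"))
            throw new ArgumentException("Expected DOMAIN\\user", "windowsName");
        return "p:" + account + "@" + realm.ToUpperInvariant();
    }

    public static RfcDestination ForCurrentUser()
    {
        // Must run while IIS impersonates the caller; otherwise this is the
        // application pool account and not the delegated user.
        string caller = WindowsIdentity.GetCurrent().Name;
        string sncMyName = ToSncName(caller, Realm);

        var p = new RfcConfigParameters();
        p.Add(RfcConfigParameters.Name, "SSO_" + sncMyName);    // one destination per user
        p.Add(RfcConfigParameters.AppServerHost, "sap.example.com");  // placeholder
        p.Add(RfcConfigParameters.SystemNumber, "00");                // placeholder
        p.Add(RfcConfigParameters.Client, "100");                     // placeholder

        // No USER/PASSWD: the ABAP user is resolved from the SNC name.
        p.Add(RfcConfigParameters.SncMode, "1");
        // Library path quoted in this thread. SysWOW64 holds 32-bit DLLs,
        // so the worker process has to run as 32-bit to load it.
        p.Add(RfcConfigParameters.SncLibraryPath, @"C:\Windows\SysWOW64\gsskrb5.dll");
        p.Add(RfcConfigParameters.SncMyName, sncMyName);
        p.Add(RfcConfigParameters.SncPartnerName, PartnerName);
        p.Add(RfcConfigParameters.SncQOP, "3");   // privacy protection (assumed setting)

        return RfcDestinationManager.GetDestination(p);
    }
}
```

Calling `SncDestination.ForCurrentUser().Ping()` from the impersonated request is a quick way to confirm that the SNC handshake succeeds before invoking any function module.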

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

So, using the sncgss##.dll libraries would for sure be simpler for Atul ...

 

Best regards,

Markus

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

Yes, I agree. For that he would have to purchase our product. He wants to get gsskrb5.dll instead, since this library is free.

Re: Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0

Well, then I can understand that he tries with a free one.

 

Best regards,

Markus

Secure Login Server and SSL Certificates

Dear All,

 

I am trying to use an SSL certificate created in Secure Login Server (SSO 2.0) for an ABAP system.

I have exported the certificate as a PSE file and imported the certificate into the Server SSL node.

 

I noticed that the issuer will be removed as soon as I save the certificate into the SSL node.

I have done the same in an AS Java system and here all worked fine.

 

I know I need a third party PKI but can this not be achieved by the SSO 2.0 product?

 

Regards,

Ridouan


Re: Secure Login Server and SSL Certificates

Hello Ridouan,

Please explain what you mean by "the issuer will be removed as soon as I save the certificate into the SSL node" and, if possible, provide some screenshots.

Best regards,

Donka Dimitrova

Re: Secure Login Server and SSL Certificates

Hello Donka,

 

Thanks very much for your response.

 

The certificate was created in and issued by the Root CA (Secure Login Server).

I have exported the PSE file and imported the file into ABAP using transaction STRUST.

 

I looked before saving the file and the file was still correct (e.g. Issuer is still Root CA), then I have saved the file into the Server SSL-node.

After saving this file, the certificate was Self-Signed and the issuer was not part of the certificate path.

 

This issue only occurs in ABAP (ICM) and not in AS Java.

I am using an SSL certificate in AS Java and all works fine, no certificate warnings.

 

SSO is working; it's just the warnings we get when trying to open the URL.

 

I am sorry I can't send any screenshots right now.

 

Regards,

Ridouan

Re: (Kerberos Authentication) Windows AD id and SAP GUI id's are different

Hi Ch,

 

So we try not to discuss license questions in SCN. This has to be done with the corresponding sales team. We would like to keep SCN a platform for technical questions and solutions.

 

From a SAP perspective:

- SAP Single Sign-On always requires a license.

- Any old SSO techniques like SAP Logon Tickets are still part of the NW platform.

 

Any details on SAP pricing --> please contact sales.

 

Regards

Matthias

SAP Netweaver SSO 2.0 - keytab lifetime

Hi,

 

just a short question.

 

Do we need to update the keytab file (SAPSNCSKERB.pse) with (crontab)

 

../SLL/sapgenpse keytab -p SAPSNCSKERB.pse -a USER@DOMAIN.ORG -nopsegen -y " "

 

like we have to do it in the old SNC connection method (kinit -k planned in the crontab)? Or is it enough to build the PSE one time?

Are there tickets that will expire?

 

 

 

sapgenpse keytab -p SAPSNCSKERB.pse -nopsegen

#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################

keytab: Found keyTab entries in PSE.
keytab: KeyTab content stored:

    Version  Time stamp                 KeyType   Kerberos name

          1  Fri Dec 12 09:43:16 2014   DES       USER@DOMAIN.ORG
          1  Fri Dec 12 09:43:16 2014   AES128    USER@DOMAIN.ORG
          1  Fri Dec 12 09:43:16 2014   AES256    USER@DOMAIN.ORG
          1  Fri Dec 12 09:43:16 2014   RC4       USER@DOMAIN.ORG


greetings

 

Oliver

Re: SSO based on Kerberos Token

Hi,

 

please check that the SECUDIR is set in the sidadm environment.

 

greetings

oliver
