on 04-15-2021 11:30 AM
Hello
we are already using SNC/SSO 2.0 successfully for our ABAP systems. Now we want to let our users log in via a stand-alone SAP Web Dispatcher. Let's assume this Web Dispatcher has the hostname "ServerA". We have set up the SAP Web Dispatcher so that the connections to our SAP system (e.g. C11) work fine, but we have no SSO yet. To get this done we have added this new SPN to the existing SSO service user:
setspn -S HTTP/ServerA /sap_srv_sso_c11
This was also OK, and we were able to log in to C11 via the SAP Web Dispatcher on ServerA.
Now we decided to route another SAP system (e.g. S11) via the same SAP Web Dispatcher on ServerA. The integration was done successfully, but again a password pop-up occurs. Now we tried to add the same SPN HTTP/ServerA to the other service user sap_srv_sso_s11:
setspn -S HTTP/ServerA /sap_srv_sso_s11
But this has failed. The error message was:
The operation failed because SPN value provided for addition/modification is not unique forest-wide.
I've tried to set an alias for ServerA (e.g. ServerB). Then I was able to execute the command
setspn -S HTTP/ServerB /sap_srv_sso_s11
but that didn't help to get SSO enabled on S11.
What can I do to get multiple backend systems connected via one SAP Web Dispatcher, all with SSO enabled?
Rgds
Ulrich Sander
Hi Ulrich,
this issue is mostly non-existent in environments that use an embedded hub approach, but it often pops up when a central SAP Web Dispatcher is in place.
As a common best practice for SAP SSO, it is recommended to have a dedicated AD service account for each SAP system (SID), which normally has SPNs for SAP Logon like SAP/<SID> and HTTP/<FQDN> for browser-based access using SPNEGO.
This way you have a Kerberos keytab on each backend server that is able to decrypt service tickets or SPNEGO tokens for both DIAG/RFC and HTTP connections.
Registering your SAP Web Dispatcher's FQDN as an SPN can be done only once, as you have learned; that's because SPNs are unique in an AD forest 🙂 And as the client resolves the alias (CNAME) back to the A record via DNS, this approach doesn't help.
As a possible solution, you could introduce a proper DNS concept and thus make use of an additional DNS domain to expose your SAP applications through the central SAP Web Dispatcher.
This could be one possible way and surely there are other ways to solve those requirements.
And BTW: you should really upgrade to SAP SSO 3.0 🙂
Hope that helps a bit.
Cheers Colt
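The following PowerShell script is an added example, not code from Colt's reply or from SAP. It puts the two points of the answer into a repeatable check: before calling setspn -S it resolves the name a browser will actually put into the HTTP/<host> SPN (a CNAME is canonicalised to its A record, so an SPN on the alias is never requested), and it queries the whole forest for an existing owner of that SPN, which is the scope in which the DC enforces uniqueness. The SIDs, account names and the DNS zone wdp.de.kostal.int are placeholders modelled on the names in the thread; the zone is assumed to contain one A record per SID, all pointing at the Web Dispatcher's IP address, so that each SID gets its own HTTP/<FQDN> on its own service account.

```powershell
# Added example (not from the thread). Assumed layout, following Colt's recommendation:
# one dedicated AD service account per SID, carrying SAP/<SID> for SAP GUI and
# HTTP/<per-SID FQDN> for SPNEGO through the central Web Dispatcher.
$Systems = @(
    @{ Sid = 'C11'; Account = 'KOSTALROOT\svc_sap_sso_c11'; Fqdn = 'c11.wdp.de.kostal.int' },
    @{ Sid = 'S11'; Account = 'KOSTALROOT\svc_sap_sso_s11'; Fqdn = 's11.wdp.de.kostal.int' }
)

function Get-KerberosTargetHost {
    # Returns the name a canonicalising client ends up with: if the URL host is a
    # CNAME, the alias is followed to the A record and HTTP/<A-record name> is requested.
    param([Parameter(Mandatory)][string]$HostName)
    $records = Resolve-DnsName -Name $HostName -DnsOnly -ErrorAction Stop
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) { return $cname.NameHost }
    return $HostName
}

function Test-SpnRegistered {
    # setspn -F -Q searches the entire forest; it prints "No such SPN found." when free
    # and "Existing SPN found!" plus the owning object when the SPN is already taken.
    param([Parameter(Mandatory)][string]$Spn)
    $output = & setspn.exe -F -Q $Spn 2>&1 | Out-String
    return -not ($output -match 'No such SPN found')
}

function Register-SapHttpSpn {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $target = Get-KerberosTargetHost -HostName $Fqdn
    if ($target -ne $Fqdn) {
        # This is the failure mode from the thread: an alias for the dispatcher host
        # collapses back to HTTP/<dispatcher A record>, which is already owned by C11.
        throw "$Fqdn is a CNAME for $target; clients will request HTTP/$target, not HTTP/$Fqdn. Publish an A record for $Fqdn instead."
    }
    $spn = "HTTP/$target"
    if (Test-SpnRegistered -Spn $spn) {
        throw "$spn already exists in the forest; an SPN can belong to exactly one account. Run 'setspn -F -Q $spn' to see the owner."
    }
    & setspn.exe -S $spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S $spn $Account failed with exit code $LASTEXITCODE"
    }
    Write-Host "Registered $spn on $Account"
}

foreach ($s in $Systems) {
    Register-SapHttpSpn -Account $s.Account -Fqdn $s.Fqdn
}
```

Run it from an elevated session on a domain-joined host with rights to write servicePrincipalName on the service accounts. If a name in the new zone was created as a CNAME to the dispatcher host, the script stops before touching AD and tells you why the SPN on that name would never be used; after switching the name to an A record the check passes and each SID ends up with its own HTTP SPN, so the Web Dispatcher can present a different SPN per URL host without any forest-wide collision.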
OK - this was not successful. So will try your suggestion.
I've created a wdp.de.kostal.int as a subdomain of de.kostal.int.
In this domain is a host s11.wdp.kostal.int that is pointing to csapqd1wdp48.de.kostal.int.
After that the command
setspn -S HTTP/s11.wdp.de.kostal.int KOSTALROOT\svc_sap_sso_s11
should be executed successfully.
But how do I change my webdispatcher config?
I have two relevant lines:
wdisp/system_6 = SID=S11, EXTSRV=https://csaps11aas03.de.kostal.int:8103, CLIENT=001, SSL_ENCRYPT=1, SRCSRV=s11001:8903
icm/HTTP/redirect_7 = PREFIX=/, FROM=*, FOR=s11001, HOST=s11001, PORT=8903
Which "s11001" must be changed to "s11.wdp.de.kostal.int"? The FOR part or the HOST part? I guess the HOST part, because you told me to add the new name to the SAN of the certificate.
Rgds
Ulrich