on 11-19-2013 5:34 PM
Hello, I think this is in the right place. Does anyone know if there is a way to bypass the end-user having to select the cert/token the first time they use SSO? We have scripted the install of the SLC-2.x as well as moving over a new saplogon.ini that enables SSO. However, it's not fully unattended, as the first time they open it they get a prompt to pick a cert. We have about 30 on the list, and they have to scroll all the way down to click the Kerberos token with their user name.
Thanks!
Hi Scott,
If you are using the existing X.509 certificate directly, you can try this one:
[HKEY_CURRENT_USER\Software\SAP\SecureLogin]
"TokenType"="tokcapi"
"CertFingerprint"="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Here the CertFingerprint is the client user's certificate fingerprint.
So you need to create a user-specific registry entry and let it be executed when the user logs on.
Best Regards
Huiyang
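
One way to script the reply above as a per-user logon script (an added example, not part of the original post and not SAP's own code). It assumes `CertFingerprint` takes the SHA-1 thumbprint that Windows reports for the certificate; the issuer string is a placeholder for your own CA.

```powershell
# Added example: set the SLC token and certificate values from the reply above
# for the user who is logging on.
# Assumption: CertFingerprint expects the SHA-1 thumbprint exactly as Windows
# reports it (hex, no spaces). Check this against your SLC version.

$IssuerMatch   = 'CN=Example Issuing CA'   # placeholder: issuer DN fragment of your CA
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU
$KeyPath       = 'HKCU:\Software\SAP\SecureLogin'

$now = Get-Date

# Candidates: valid today, private key present, issued by the expected CA and
# usable for client authentication. Everything else in the store is ignored.
$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter  -gt $now -and
    $_.Issuer -like "*$IssuerMatch*" -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
})

if ($candidates.Count -eq 0) {
    # Nothing suitable: leave the registry untouched so the user still gets
    # the normal selection prompt instead of a stale or wrong fingerprint.
    Write-Warning 'No matching client certificate found; SecureLogin values not written.'
    return
}

# After a renewal the old and new certificates can both be valid for a while:
# take the one that expires last.
$cert = $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1

if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

New-ItemProperty -Path $KeyPath -Name 'TokenType' -Value 'tokcapi' `
    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'CertFingerprint' -Value $cert.Thumbprint `
    -PropertyType String -Force | Out-Null

Write-Verbose ("Selected certificate {0}, valid until {1:u}" -f $cert.Subject, $cert.NotAfter)
```

Because the values live under HKCU, the script has to run in the user's own session (logon script or user-context GPO), not from the elevated installer.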
Hi all,
You can use a CAPI filter (which is an HKLM setting) to filter out unwanted certs or match the correct one.
Example:
Windows Registry Editor Version 5.00
;; CAPI FILTER SETTINGS FOR SLC 2.0
;; FILTERS OUT ANY UNWANTED CERTIFICATES FROM SLC e. g. SAP SERVICE MARKETPLACE
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]
"CAPIFilterIssuerDN"="CN=DUMMY Name"
Does this help you, Scott? AFAIK you "just" want to use the Kerberos auth and not X.509?
Regards
Carsten
Hi Scott,
We have almost the same problem: we created an authentication profile for each Windows Active Directory domain in our landscape and used the Active Directory domain name in the name of the profile (for example "authentication profile - DOMAIN.CORP"). Then we distributed a reg key via logon script that created an entry in the HKCU Windows registry:
[HKEY_CURRENT_USER\SOFTWARE\SAP\SecureLogin\applications\DEFAULT]
"GssTargetName"="*"
"profile"="authentication profile - %USERDNSDOMAIN%"
"allowFavorite"=dword:00000001
The environment variable %USERDNSDOMAIN% was "translated / interpreted" by the logon script. A possible solution would be to use a REG_EXPAND_SZ reg type instead. The only drawback is that a Windows relogon / restart is needed.
Best regards
Kai
Hey, thanks for the input. I don't have those keys there as well. It stops at HKEY_CURRENT_USER\SOFTWARE\SAP\SecureLogin\
I put them in anyway, but no luck. I get an error when I try to launch SAP GUI from logon pad:
Error: service '?' unknown
Component NI, (Network Interface) Version 40
rc = -3, Detail NiErrSet
To add to this, I can find anything in the reg related to the selected token.