
Kerberos for SAP GUI Authentication -- Single Sign-On with Microsoft Kerberos SSP

Former Member
0 Kudos

Hi All,

I have a need to prototype SAP GUI SSO using Kerberos. Before I proceed, I would like to know if this can be achieved without buying any additional product or license. We don't own the license for the SAP NetWeaver SSO suite.

My requirement is:

1. Once the user is logged in to his/her Windows workstation, the user launches SAP Logon and selects the SAP system, and it should not prompt the user to supply the user ID and password.

The URL referenced below is an old IBM document; the 1st and 2nd sections talk about the SAP GUI and SAP R/3 system Kerberos integration. I am not sure if the implementation solution below is still valid.

Single sign-on for SAP with Tivoli Access Manager and Microsoft Windows

I did see the document below as well. It looks like it is possible to implement this without SAP NW SSO / Secure Login.

http://help.sap.com/saphelp_nwmobile711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm?fr...

The document talks about gsskrb5.dll. If my SAP ABAP system is running on AIX or z/OS, how do I get the correct version of gsskrb5 for these systems?

What will be the process for non-Windows servers for the step below?

2. Copy the library to the appropriate Windows system directory on the primary application server instance:

○  Drive:\%windir%\system32

○  Drive:\%windir%\SysWOW64


I would highly appreciate guidance in this regard.



1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Anjani,

This was discussed just a few days ago in the context of Linux servers. Please have a look at this thread for more info.

Regards, Patrick

0 Kudos

Patrick,

Thanks for the link, it will help a lot. I am going to test this integration soon.

Regards

Anjani

tim_alsop
Active Contributor
0 Kudos

Hi,

The gsskrb5 library you referred to, as mentioned on help.sap.com, is for Windows. If your SAP systems are on AIX or z/OS, then you have 2 options. You can either use the open source Kerberos libraries on the operating system (as discussed in the thread referenced by Patrick) or purchase an SSO product such as SAP NW SSO, or an SAP-certified product from an SAP partner. You can find all commercial products listed on http://store.sap.com and you will find they are available for prototype (try before buy) if required.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Thanks for the information. Currently we are heavily invested in IBM identity, federated identity and access management suites. Based on our current infrastructure, it supports all kinds of web-based SSO such as "HTTP header, certificate, SAML, OpenID, OAuth, SPNEGO/Kerberos" and password synchronization to SAP systems from Active Directory. Since we have password synchronization to the managed systems, the user can use the Windows password to log in to any SAP system. Now we would like to have true SSO for SAP GUI.

Since SAP NW SSO 2.0 provides more than Kerberos, in my understanding we will be paying too much for the other functions and features which we already have in the IBM tool set.

Is there a GSS API v2 SAP-certified third-party product, "just the Kerberos API", which we can buy? I guess this will reduce the cost?

Thanks

Anjani Jha

tim_alsop
Active Contributor
0 Kudos

Yes, there are companies that offer GSS API v2 SAP-certified third-party products 'just for Kerberos'. You can find details by searching on SAP Store (http://store.sap.com).

Also, I need to let you know that due to the rules of SCN, discussion about third-party products is not allowed on SCN, so posts might get deleted if details are discussed. I will discuss with you outside of SCN instead.

Thanks

Tim