Former Member

SAP NWSSO2.0 SP03 SPNEGO not working (no WebGUI/NWBC or Portal)

Login testing the service WebGUI

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui – test the service

Getting a prompt first for the AD user ID and password and then for the SAP user ID and password.

2. The same thing happens with NWBC and BW-Portal login: it prompts for the AD ID and then the SAP ID and password.

Whereas ABAP SSO works perfectly.

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

NWSSO Configuration Steps.

1.  Service User in the MSAD for AS-ABAP or AS-JAVA/Portal with the following information

  • User ID: SAPService<SID> (existing individual <SID> service user ID)

  • Set "User cannot change the password"

  • Set "Password never expires"

2.  Created SPN for this Service User

  • For ABAP -SAP/SAPService<SID>

  • Web (HTTP/ Hostname for ABAP apps server)

3.  Installed Secure Login Library on SAP Server

  •  Created a folder named SLL in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

   • Verified SLLibrary: (Version - 8.4.18.0)

(Starting with NW7.4 the sapcrypto library is included; check that the version is the same in the SLL directory and in the kernel directory.)

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com

   snc/enable  = 1

   snc/accept_insecure_cpic = 1

   snc/accept_insecure_rfc = 1

   snc/accept_insecure_gui = 1

   snc/data_protection/min = 3

   snc/data_protection/max = 3

   snc/data_protection/use = 3

   snc/permit_insecure_start = 1

   snc/r3int_rfc_qop = 8

   snc/r3int_rfc_secure = 0

   snc/force_login_screen = 0

   spnego/enable = 1

   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

5.  Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified 

        #sapgenpse seclogin -l -v

6.  Configured Credential file and verified

7.  Install Secure Login Client and defined SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configure User Mapping in SAP AS ABAP – SNC name – p:CN= @ MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10.     SPNEGO Configuration:

     a.  Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO

     b.  Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.

For WebGUI all the required services are activated and published via SICF and also per http://scn.sap.com/docs/DOC-29485

Created an SAP message, and SAP also confirmed all the settings look OK and that Kerberos is case sensitive, but since my ABAP SSO is working, that possibility is also ruled out.

Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get the WebGUI or NWBC resolved, which uses the SPNEGO configuration.
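
An added example, not part of the original post and not SAP code: an offline checker that parses the profile values quoted in step 4 and reports inconsistencies between the SNC identity, the SPNEGO keytab UPN from step 10b, and the library paths, plus any snc/accept_insecure_* switches set to 1. The helper names (`parse_profile`, `realm`, `check`) are hypothetical, and the profile text is sample input copied from the post.

```python
# Profile values copied from step 4 of the post (sample input, embedded inline).
PROFILE = r"""
snc/identity/as = p:CN=SAPServiceSB1@mycompany.com
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
"""
KEYTAB_UPN = "SAPServiceSB1@MYCOMPANY.COM"  # UPN from step 10b of the post


def parse_profile(text):
    """Hypothetical helper: {parameter: value} from 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" in line:
            key, value = line.split("=", 1)   # only the first '=' separates
            params[key.strip()] = value.strip()
    return params


def realm(name):
    """Part after the last '@', or '' when the name has no realm."""
    return name.rsplit("@", 1)[1] if "@" in name else ""


def check(params, keytab_upn):
    """Hypothetical checker: list of findings, empty when nothing is flagged."""
    findings = []
    if params.get("spnego/enable") != "1":
        findings.append("spnego/enable is not 1")
    # Windows paths compare case-insensitively.
    if params.get("spnego/krbspnego_lib", "").lower() != params.get("snc/gssapi_lib", "").lower():
        findings.append("SPNEGO and SNC load different library paths")
    snc_realm, kt_realm = realm(params.get("snc/identity/as", "")), realm(keytab_upn)
    if snc_realm != kt_realm:  # Kerberos realm names are case sensitive
        kind = "case only" if snc_realm.lower() == kt_realm.lower() else "different realm"
        findings.append(f"realm mismatch ({kind}): {snc_realm!r} vs {kt_realm!r}")
    for key in sorted(params):
        if key.startswith("snc/accept_insecure_") and params[key] == "1":
            findings.append(f"{key} = 1 accepts connections without SNC")
    return findings


if __name__ == "__main__":
    print("\n".join(check(parse_profile(PROFILE), KEYTAB_UPN)))
```
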


1 Answer

  • Best Answer
    Former Member
    Oct 16, 2014 at 05:45 AM

    Hi,

    Please check the general troubleshooting note: https://service.sap.com/sap/support/notes/1732610

    and https://service.sap.com/sap/support/notes/1819808

    Did you test the connection using IE or Firefox? You need some configuration to allow SPNego in the browser.

    Check that you have the right ABAP patch to support SPNego.

    If this did not help, please enable SPNego traces as described in SAP SSO implementation guide chapter 4.7.5.5 and the traces in Secure Login Library in chapter 4.8.1.

    The Implementation guide can be found in help.sap.com/sapsso

    KR

    Valerie


    • Yes I do have SLL client installed for SNC to work.  I actually just got it working and it was a combination of the items you and Matthias mentioned, as well as clearing all tokens with klist and then also the SAP user was locked (stupid I know).

      Thanks for everyone's responses and help on this one.  It doesn't seem like this SDN post is marked as a question, so I'm not able to award points, but if someone can advise I will gladly award points for the excellent help.

      Thanks again to a community that collaborates and helps in such a manner!

      Johan