cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Kerberos SSP for Windows vs NW SSO 2.0

Go to solution
former_member184682
Participant

on ‎10-26-2014 11:35 AM

0 Kudos

All

Assuming a customer has Windows / Oracle environment for his SAP applications

I understand that SAP provides the wrapper libraries for Kerberos SSP

If the objective is to get simple SSO into the sap application using SNC (SAPGUI), in what way is NW SSO 2.0 superior?

Or in other words , what are the shortcomings of a Kerberos SSP solution which is for free that a customer has to buy the license for NW SSO ?

Details would be much appreciated

Note : Its clear that SSO to browser based icm applications iwth spnego is only possiblke with NW SSO but this is not required for the time being and SSO to the SNC interface with SAPGUI is the sole criteria

Thx

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Kaempfer
Advisor
Advisor
‎10-27-2014 9:28 AM
0 Kudos 


If the objective is to get simple SSO into the sap application using SNC (SAPGUI), in what way is NW SSO 2.0 superior?

It is about security. So in case of the open source solution SAP is not the owner of the crypto lib. Many large customers expect that SAP is able to support the full securtiy scenario. In case of the open source solution, this is not the case. So SAP cannot test+correct the open source solution end2end.

SAP also hires external security consultants to "test" SAP SSO for security flaws.

So the question is, if the customer want to have a completely supported and tested product or not. Of course, there are also other functionality beside SSO/SNC (SPNEGO for ABAP, 2 factor autherntication, central access management).

Regards

Matthias

Show replies
Show replies
former_member184682
Participant
‎10-27-2014 9:34 AM
0 Kudos

Thanks Matthias

but as per the sap notes, SAP fully supports this dll wrapper for SAP on Windows customers. Or am i  wrong ?

Former Member
‎10-27-2014 9:43 AM
0 Kudos

Hi Chandrakanth,

the wrapper coding itself is supported, however not the coding used by microsoft or any other underlying technology provider the wrapper is configured to be used with. For this the regulations in note 150380 apply.

See also note 352295 for more details on this.

Regards, Patrick

former_member184682
Participant
‎10-27-2014 9:53 AM
0 Kudos

Thanks Patrick

the notes- I have read them many times over but the confusion remains

What is clear is that these wrappers are provided by SAP. Also there are lines in the notes which say interoperability with kerberos implementation from other vendors (eg *Unix" )  is 'possible' but not supported.

But for a pure Windows based SAP environment, what is SAP's statement about this.

My understanding is that being free, this is very popular (is it?)  amongst SAP /Windows customers and works without problems for a simple SSO to SAPGUI requirement (Yes agree that features like 2 factor authentication etc are not available with this free solution)

What i understand is that in case SSO to SAPGUI stops working some day,  an SAP message would be responded to without 'consulting' ?

Former Member
‎10-27-2014 10:05 AM
0 Kudos

There is some limited support for this library in a windows only environment (both client and server must be windows!). However there have been a lots of changes to the MS Kerberos implementation in the past, which you will notice when reading the notes. Support therefor is on a best effort basis only. This is not the same as the support for our SSO product.

Hope this clarifies the situation a bit.

Regards, Patrick

former_member184682
Participant
‎10-27-2014 10:16 AM
0 Kudos

Thx a lot

just to wind up - would you know how popular is this windows wrapper based solution amongst SAP/Windows (pure) customers ? Is it a very widely used thing ?

Former Member
‎10-27-2014 11:02 AM
0 Kudos

Sorry, we do not have numbers on how widely this is used.
As this is a free solution, we can not track the number of installations.

Answers (2)

Answers (2)

Former Member
‎03-19-2015 2:31 PM
0 Kudos

Hi Chandrakanth,

Did you end up using this (Kerberos SSP) free solution? I'm considering this approach and wondering how it's gone for you. Would you be able to shed some insight into this?

Joe

Show replies
Show replies
vijay_kumar49
Active Contributor
‎10-26-2014 12:04 PM
0 Kudos

Please refer the below document

Hope this is helpful

Single Sign-On with Microsoft Kerberos SSP - User Authentication and Single Sign-On - SAP Library

Show replies
Show replies
former_member184682
Participant
‎10-26-2014 12:24 PM
0 Kudos

Thanks Vijay

I know already how to configure Kerberos SSP

What i need to know is for windows based SAP customers, if a simple SSO to SAPGUI is required (and not much more than that) , in what way would they is NW SSO useful?

vijay_kumar49
Active Contributor
‎10-27-2014 3:37 AM
0 Kudos

Please look at this

Single Sign-On for the SAP GUI - User Authentication and Single Sign-On - SAP Library

Regards

Vijay Kalluri

former_member184682
Participant
‎10-27-2014 7:44 AM
0 Kudos

?????

Please read my comment above

I dont need the documentation on how to configure

tim_alsop
Active Contributor
‎10-27-2014 8:58 AM
0 Kudos

It is clear to me that you are wondering why somebody would want to buy an SSO product when they just need SAP GUI SSO. As you know, there is a free Kerberos SNC library available if your SAP system is on Windows. If you are happy with this and you don't have any product support concerns then you can continue to use this SNC library and no need to purchase a product to replace it. There are additional features included in commercial SAP SSO products, and you can find some of them if you look a the list of features mentioned on the products described in the SAP Store (http://store.sap.com).

tim_alsop
Active Contributor
‎10-27-2014 9:02 AM
0 Kudos

One feature/difference that I just thought of, which you might be already aware of, is the inclusion of electronic signature user authentication. The free SNC library doesn't offer this functionality.

Ask a Question