Error in SPNego Configuration SAP NW 7.4 (JAVA)

Former Member
0 Kudos

Hi Guys,

We have installed a new SAP NetWeaver Java 7.4 system for our customer.

This Java system will be connected to the customer's ERP system via VIM Portal => Vendor Invoice Management.

In the guideline from OpenText (who delivers the VIM tool) we read that SPNego must be configured for the logon to VIM-Portal.

I've done all the steps for SPNego configuration according to a guideline written in 2011 by an SAP guy (Dimitar Dimkin), but when I want to log on to VIM Portal or SAP Portal, the username and password entries are still required.

(I'm sorry, but I can't attach the guide because PDF and DOC attachments are not allowed.)

Please let me know what to do to ensure successful SPNego configuration.

Thanks & Regards,
Manuel

Accepted Solutions (0)

Answers (2)

Matt_Fraser
Active Contributor
0 Kudos

Hi Manuel,

I can't speak to the VIM product, so I'm not sure, but basic achievement of SPNego-based SSO to an AS Java shouldn't be too hard. I wrote a blog about this (for NW 7.01, using Visual Admin instead of NetWeaver Administrator, but you should be able to translate it to NW 7.4), and perhaps it will help:  .

Cheers,

Matt

Former Member
0 Kudos

Hi Matt,

Thanks for your reply in that case!

Seems to look interesting - I will check your post.

I've done all the steps regarding Active Directory, browser settings, SAP NetWeaver Administrator SSO settings and so on, but I don't know how to check whether my settings really work or not.

How could I check this?

The thing is that the users log on to the VIM-Portal with their Windows accounts. Is it necessary to configure SPNego on the SAP Java side when users log on to VIM-Portal and not to SAP-Portal?

Regards,

Manuel

Former Member
0 Kudos

Hi Matt,

Thanks for your link. I've configured SPNego but it doesn't work yet. Now I want to ask you some further questions:

Our customer wants to use the OpenText VIM portal, which could be accessed by a Web-URL.

The users should be able to log on to this VIM-portal with their domain account. As written in the OpenText VIM Admin Guide, SPNego should be configured for that.

Therefore we have set up a newly installed AS Java Server 7.4, and during the installation we chose the option "Java UME as datasource".

Then I configured SPNego in NetWeaver Administrator following the steps in the link you shared.

Now I have two questions:

Is it right to choose Java UME as datasource or is this wrong? Because users must use their domain account to log on to VIM-portal...

Regards,
Manuel

Matt_Fraser
Active Contributor
0 Kudos

Hi Manuel,

In my organization we use the ECC system as an ABAP user store for the UME in our Portal. If I were doing it over today, I might choose LDAP datasource instead, but it works fine with the ABAP datasource, and I would fully expect it to work with the Java UME datasource as well.

In this case, SPNego is being used to authenticate your domain user to your Java engine. From there, you may need to ensure that you have SSO tickets correctly configured between the Java engine and other systems, such as your VIM portal. For instance, this is a standard part of setting up a Java Portal against an ABAP backend system, involving creating the SAPJSF user in the ABAP system and configuring that in the UME, and creating a SAPLogonTicketKeypair in the portal and importing that into STRUSTSSO2 in the ABAP system (plus a couple of ABAP profile parameters relating to accepting logon tickets). This establishes trust between the portal and the ABAP system, so that SSO can occur between the two.

So, my guess at this point is that you probably need to configure that SSO trust from your Java engine to your VIM portal.

Cheers,

Matt

Former Member
0 Kudos

Hi Matt,

Thanks for your quick response!

But we have our LDAP as user source and not the ABAP system.

So the error must be between LDAP -> Java System -> VIM Portal.

It is not necessary to connect an ABAP system to my Java system because it's a standalone Java system which should only be connected to VIM Portal...

Are there any steps to do for configuring LDAP <-> Java-System?

Regards,
Manuel

Matt_Fraser
Active Contributor
0 Kudos

Manuel,

Can you confirm for me, is the OpenText VIM Portal a separate instance, or is this a component installed into an SAP Enterprise Portal? I had been thinking this was a separate instance, a separate server, but after digging around I don't think this is the case.

If it's a software component installed into an SAP portal, then you don't actually configure SPNego for VIM; you just configure it for your Enterprise Portal, i.e. for the NetWeaver AS Java that contains your portal.

Whether you configure your user store to be the Java UME, the ABAP datasource, or the LDAP datasource is relatively immaterial for purposes of configuring SPNego; it will work with all three, as long as you correctly configure reference user mapping. If you choose LDAP as the datasource, and ensure that the user accounts have matching names between Active Directory and your ECC system, then you will probably have the easiest time of it. There is lots of documentation in SAP Help and all over SCN about configuring LDAP as a user store for AS Java, so it shouldn't be hard to find that with a quick search.

The SPNego configuration itself should be exactly as described in either Andy's or my own blog (Andy's is closer to your release version, however, so go with his).

If, after configuring SPNego, you find that SSO works fine when users first access the portal, but then they are asked to login again when they navigate to an iView that talks to the backend ECC system, that indicates that the SSO trust between the portal and ECC is not correctly configured, or the reference user mapping between the Java UME and ABAP datasource is not correct. Is this the symptom you're seeing? Or is the initial access of the portal still prompting for a login, right away?

--Matt

Former Member
0 Kudos

Hi Matt,

Another quick response - I really appreciate your information in this case - thanks for that.

Yes, I have the following constellation:

Active Directory -> SAP AS Java -> VIM Portal

And yes, the VIM component is installed in my standalone SAP AS Java system.

The following procedure is requested by our customer:

The user (domain user, AD) should be able to log on to the VIM-portal URL.

So I want to know how this should work. Is it OK just to have the users in our AD, or do we have to configure AS Java Identity Management to the AD server?

Regards,
Manuel

Matt_Fraser
Active Contributor
0 Kudos

The users can just be in AD, if you configure the AS Java to use LDAP as the user store, and set up the reference to your ECC users.

yakcinar
Active Contributor
0 Kudos

Hello Manuel,

Did you have a chance to check the links below?

SAP Single Sign-On: Kerberos-based single sign-on to Application Server Java - YouTube

Regards,

Yuksel AKCINAR

Former Member
0 Kudos

Hi Yüksel,

Thanks for your reply.

I've already seen the YouTube video and have tried to follow the steps for my configuration, but the only thing is: I don't know how to check whether SPNego/SSO etc. already works or not.

Regards,

Manuel
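
One way to answer the "how do I check it" question, added here as an example and not part of any poster's reply: capture the HTTP headers of the first portal request (browser developer tools or a proxy) and classify them. The function names and sample tokens are constructed for illustration; an NTLM token in the `Authorization` header means the browser did not obtain a Kerberos service ticket for the server.

```python
import base64

# DER-encoded mechanism OID for Kerberos V5 (1.2.840.113554.1.2.2)
OID_KRB5 = bytes.fromhex("06092a864886f712010202")
NTLM_SIGNATURE = b"NTLMSSP\x00"


def server_offers_negotiate(status, www_authenticate):
    """True if the response is a 401 challenge that offers the Negotiate scheme."""
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    return status == 401 and "negotiate" in schemes


def classify_authorization(header_value):
    """Classify the token a browser sent in its Authorization request header."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return "malformed"
    if NTLM_SIGNATURE in token:
        # Raw NTLM, or NTLM wrapped in SPNEGO: no Kerberos ticket was used.
        return "ntlm"
    if token[:1] == b"\x60" and OID_KRB5 in token:
        # GSS-API framing (0x60) carrying the Kerberos V5 mechanism OID.
        return "kerberos"
    return "unknown"


def diagnose(status, www_authenticate, authorization=None):
    """Turn one captured challenge/response pair into a short verdict."""
    if not server_offers_negotiate(status, www_authenticate):
        return "server never challenged with Negotiate"
    if authorization is None:
        return "browser did not answer the challenge"
    return "browser answered with " + classify_authorization(authorization)


def _negotiate(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample tokens (leading bytes only, not valid tickets).
SAMPLE_NTLM = _negotiate(NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2")
SAMPLE_KRB5 = _negotiate(b"\x60\x82\x05\x00" + OID_KRB5 + b"\x01\x00" + b"\x00" * 16)

if __name__ == "__main__":
    print(diagnose(200, []))
    print(diagnose(401, ["Negotiate"], SAMPLE_NTLM))
    print(diagnose(401, ["Negotiate", 'Basic realm="x"'], SAMPLE_KRB5))
```
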

yakcinar
Active Contributor
0 Kudos

Hello Manuel,

Andy Silvey says in his blog, HowTo: New Implementation of SPNego in Freshly Installed SAP NW EP7.3x – it’s as easy as abc, that SPNego is as easy as abc.

Check this blog also, in addition to Matt Fraser's.

Regards,

Yuksel AKCINAR

Matt_Fraser
Active Contributor
0 Kudos

Ah, I never found Andy's blog before when I was researching this. If I had, I might not have bothered writing my own, though mine does focus on 7.0x instead of 7.3+. The differences are relatively minor (generation of the keytab file, use of Visual Admin instead of NWA, and can't use AES encryption, only RC4).