
Single Sign On of Windows terminal with SAP ECC 6.0 system

Former Member
0 Kudos

Hi All,

I have an ECC 6.0 server on Solaris 9.0, with DB 10.2g as the database.

Currently we are using a CITRIX server for SAP GUI logon.

Users want synchronization between their terminals and the SAP system, meaning Single Sign-On.

They want automatic sign-on to the SAP system when they start their terminals.

Users are working on Windows XP systems.

Is there any relevant document regarding this? It would be very helpful.

Thanks In Advance

Regards,

Ami_Eka

8 REPLIES

tim_alsop
Active Contributor
0 Kudos

Ami,

You need to use an interface included in SAP GUI and SAP ABAP AS called SNC. With SNC, and a cryptographic library that implements the Kerberos protocol, you will be able to log on to a workstation using an Active Directory domain account, or log on to a Citrix server using an AD account, and then, using SNC, the user will be able to authenticate to SAP without needing to re-authenticate. There are a few vendors who provide SNC libraries that support Solaris, and you can find them by visiting http://www.sap.com/sspcatalog and searching for "Kerberos SNC".

SAP provide SNC libraries, but only if your SAP system is on Windows Server. Since you are using Solaris you need a third-party SAP certified product instead.

Thanks,

Tim

Former Member
0 Kudos

Thanks for the reply Tim.

Could you please elaborate on the Single Sign-On process (SNC, Kerberos protocol, cryptographic library and all), as I have not worked on it before?

Regards,

Ami_Eka

tim_alsop
Active Contributor
0 Kudos

Of course.

1. The user logs onto the Citrix server, or a local workstation, using an AD account and password.

2. Since AD uses Kerberos to authenticate users, a Kerberos ticket is issued by AD during this logon and cached on the workstation.

3. The user starts SAP GUI, and attempts to log on to an SAP system that has been configured to use SNC based authentication.

4. SAP GUI calls the SNC library on the workstation to get credentials, and the credentials are returned, and sent to the SAP server.

5. The SAP server will accept the credentials, and decrypt the token received from SAP GUI using a key in a key table file, and from this it knows the name of the user who logged onto the workstation.

6. The SNC name of the user at the workstation is mapped onto an SAP user using information maintained in SU01 (and stored in the USRACL table).

7. It is also possible to configure SAP GUI and the SAP server to encrypt the communications, but for your needs I think you need just the authentication functionality offered by the SNC interface.

If you contact the vendors who supply products I am sure they will give you more details, and prices, or allow you to test their software on your own systems.

Thanks,

Tim
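
The server-side settings behind steps 3 and 7 above, as an added example that is not part of the original posts: a small Python check over an SAP instance profile that reports whether SNC is enabled, whether authentication-only connections are accepted, and whether password logons without SNC are still allowed. The profile text is constructed, and the library path, SID and realm in it are placeholders.

```python
# Added example: review the SNC-related parameters of an SAP instance profile.
# SAMPLE_PROFILE is constructed; the library path and identity are placeholders.
SAMPLE_PROFILE = """\
# constructed instance profile fragment
snc/enable = 1
snc/gssapi_lib = /path/to/vendor/snc-library.so
snc/identity/as = p:SAPServiceSID@EXAMPLE.COM
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
"""

# Meaning of the snc/data_protection/* quality-of-protection levels.
LEVELS = {"1": "authentication only", "2": "integrity", "3": "privacy (encryption)"}


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return review findings for the SNC settings in a parsed profile."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off, so no Kerberos-based SSO"]
    findings = []
    for required in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(required):
            findings.append(f"{required} is not set")
    identity = params.get("snc/identity/as", "")
    if identity and not identity.startswith("p:"):
        findings.append("snc/identity/as should be an SNC name starting with 'p:'")
    minimum = params.get("snc/data_protection/min")
    if minimum in ("1", "2"):
        findings.append(f"snc/data_protection/min = {minimum}: server accepts "
                        f"{LEVELS[minimum]} connections, traffic may be unencrypted")
    if params.get("snc/accept_insecure_gui") in ("1", "U"):
        findings.append("snc/accept_insecure_gui allows SAP GUI password logons without SNC")
    return findings


if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```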

Former Member
0 Kudos

Thanks for the detailed .....

In these steps, which are to be done by Basis and which are to be done by the system admin? Please specify. In addition to that, do you have some documents with the help of which I can go ahead, follow the steps and configure Single Sign-On?

tim_alsop
Active Contributor
0 Kudos

This message was moderated.

Former Member
0 Kudos

Thanks Tim for the last reply. The link that you have provided gave me an idea of the Single Sign-On config process.

It was a very helpful answer.

Now my last question to you is:

As you know, my server is on Solaris 9 and I need to implement Single Sign-On. Could you please suggest some of the 3rd party vendors who provide a solution for Solaris?

I am eagerly waiting for your reply.

Thanks in Advance

Regards,

Ami_Eka

tim_alsop
Active Contributor
0 Kudos

Ami,

The link I provided in first post, e.g. http://www.sap.com/eapcatalog will allow you to find the list of vendors who have SNC products which use Kerberos. Just use the search box to search for "SNC Kerberos". Alternatively, you can use google to find a company, who has SNC library for Kerberos on Solaris.

Thanks,

Tim

Former Member
0 Kudos

Hello Ami_Eka,

SDN is not intended for advertising nor vendor squabbles, but in some cases avoiding mentioning third party vendors is difficult, or even appropriate to do so to give you a picture or information about the "SAP eco-system" when the question specifically relates to it. Tim has already given you the official link.

To shorten your search efforts here at SDN (which is primarily a developer discussion and idea sharing forum), you might also want to take a look at some of the threads which Tim has contributed to.

Of course, advertising, along with interview questions and requests for offline documentation will be locked and removed as they are not what SDN is intended for.

Kind regards,

Julius