Skip to Content

SPNego Authentication on ABAP ICM does not issue logon ticket for SSO to subsequent systems

Hi all!

At one of our customers we have a SAP ABAP system, let's call it System 1 running a web based CRM (BSP). After logging in on system 1 (basic authentication), you can jump via a link to a SAP Web Dynpro application (ICF) that runs on another SAP ABAP system, which is a SAP ERP, call it system 2.

The systems are configured correctly for issuing and accepting logon tickets using login/create_sso2_ticket = 2 and login/accept_sso2_ticket = 1. The system PSE from system 1 is stored in the ACL on system 2. Everything good —> When logging on to CRM (1) with user + password the subsequent link to System 2 is working via SSO. (in SM05 of System 2 you see AT as the authentication method)

Now we configured the ABAP system for using SPNEGO instead of Basic Authentication. SSO now works on system 1 but no longer the link from CRM to system 2.

Question: Where can I tell the system 1 that it still issues a logon ticket despite SPNEGO authentication? So far IMHO that always worked, so I'm a bit confused ... ��

I look forward to your suggestions ...

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Jan 29, 2018 at 02:15 PM

    Found it.

    Solution: 2044027 - No logon ticket created after SPNego logon (ABAP)

    Customer needs to install ABAP SP and kernel correction


    When users logon to an ABAP system using SPNego authentication (see note 1798979) no logon ticket (cookie MYSAPSSO2) is created, however when the same user is logging onto the same ABAP system by using a different authentication method (e.g. username and password, X.509 client certificate or SAML) a logon ticket is created.

    It was a design decision not to create logon tickets in this context. This decision has turned out to cause problems when using ABAP systems in contexts where the creation of logon tickets is required to enable cross-system Single Sign-On and when the other systems cannot be enabled for using SPNego, as well. Thus the decision was revised, enabling the creation of logon tickets now also for SPNego authentication.

    Cheers, Carsten

    Add comment
    10|10000 characters needed characters exceeded