cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO CRM 2007 WebUI with Windows Domain

Go to solution
manuel_veysseyre
Explorer

on ‎09-02-2008 5:12 PM

0 Kudos

Hi community,

Is it possible to get SSO between our Windows Domain and our CRM Server.

The enduser should be able to log in to his Windows client with his domain credentials, open the internet explorer with the CRM WebUI URL and getting signed in without entering a password again. (like it is possible with SPnego for the portal)

Is this possible with the WebUI? And if it is: how can I configure this?

Best regards,

Manuel

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-30-2008 8:25 PM
0 Kudos

A wonderful response from SAP. You would think that they would manage to support this, but I guess not!

==================================================================

30.09.2008 - 20:35:17 CET - Reply by SAP

Hello,

yes I confirm that SPnego will not work here. SPnego will

only work using the Java stack of a Web Application Server but not

for the ABAP stack.

Many thanks,

Christopher Leonard

Senior Support Consultant II

SAP Active Global Support

30.09.2008 - 20:09:04 CET - Info for SAP by Customer

Please verify that SPNego will NOT work (this may well BE a program

error) and that the only way I can have SSO into the CRM WebGui in

CRM2007 is via x.509 certs or by going thru EP (authenication through

the portal and saplogontickets)!

Please verify that this is a program limitation and that my

understanding is correct.

Regards,

30.09.2008 - 18:37:02 CET - Reply by SAP

Hello,

there are a number of options here (actually the number is 2... why not just say 2)

- use logon tickets issued by a portal for example to the users

browser that are accepted by the CRM system

- install X.509 certifcates eg SAP Passport to all CRM users's

browsers

You can find further information at http://www.service.sap.com/security ->

security in detail .

The circumstances you have described relate to a consulting issue

rather than giving evidence of a possible error and/or bug with

standard delivered SAP products and/or documentation.

We regret to inform you that this falls outside of the scope of

SAP Active Global Support under the SAP maintenance agreement.

You can find further details in SAP note 83020.

Our mission is to help you, our customers, with any error and/or bug of

standard delivered software licensed from SAP. Our tasks do not include

providing suggestions about system operation, configuration, how-to

request, etc.

You might also have a look at "The SAP Eco-System in a Nutshell" at

http://service.sap.com/~sapdownload/011 ... 45642006E/ .

Many thanks,

Christopher Leonard

Senior Support Consultant II

SAP Active Global Support

Show replies
Show replies
Former Member
‎10-01-2008 3:29 PM
0 Kudos

Hi,

As I already said this is possible with SPNEGO.

You authenticate against the J2EE stack with SPNEGO, you get a sapsso2 authentication cookie that you use to authenticate on the ABAP stack.

The trick is that this is not standard : you need to program the small java page which redirects you to the ABAP URL.

We use this technique successfully for Windows authentication on SRM (Abap only).

We had to use the java stack from MDM-catalog. MDM-catalog nedds to be set as a trusted system from SRM.

It's tricky but it does work and, I think this is the only possibility outsoide from the portal.

Regards,

Olivier

Answers (5)

Answers (5)

Former Member
‎10-01-2008 4:37 PM
0 Kudos

the source for the java redirect page would be highly appreciative.

thanks

Show replies
Show replies
gregorw
Active Contributor
‎02-26-2010 9:34 AM
0 Kudos

Hi Eric,

please check out the Blog "[Single Sign On to BSP pages from Duet's Action Pane|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/11039] [original link is broken] [original link is broken] [original link is broken];" which describes how to build the little Java application that will redirect your users to the CRM WebUI.

Best regards

Gregor

Former Member
‎10-01-2008 4:36 PM
0 Kudos

Olivier,

can you provide detailed instructions how this can be done with SPNego?

SPNego will ONLY work for the java stack. The CRM WebGUI is an ABAP utility and does NOT use the java stack. It DOES use the integrated ITS... an ABAP utility.

Your assertion is completely contrary to what SAP has said. Please provide detailed instructions how this can be accomplished.

Show replies
Show replies
Former Member
‎10-02-2008 10:26 AM
0 Kudos

Hi,

No SAP is right : this is not possible to use SPNEGO as a standard SSO solution for ABAP.

What we did is a specific workaround which needs a specific java program to be written.

You authenticate on java stack with SPNEGO/Kerberos. The java stack gives you a saplogon ticket and you use this saplogon ticket to authenticate on the ABAP stack

Sorry, but I'm not authorised to share the java source code.

Regards,

Olivier

Former Member
‎09-29-2008 4:37 PM
0 Kudos

OK, i'm having the same issue... have you found a resolution to this yet??

this has NOTHING to do with SPNego. SPNego is specific to the java stack. I have SPNego setup for my abap based datasource and can log into the java stack with no issue (eg port 50xxx). I also have the SAP GUI using SNC/NTLM with no issues. HOWEVER, the integrated webgui (an abap based component) seems to not utilize either methodology in implementing WIA (Windows Integrated Authorization). Since this is an ABAP based web technology and since the ITS has been integrated in the kernel (eg. using port 80xx in my landscape), it would seem that we should be able to use SICF to modify SOMETHING to allow SSO utilizing the same technology as ABAP does.

In CRM2007, the login screen is located in the /default_host/sap/bc/bsp/sap/crm_ui_frame object. I have made SEVERAL changes but with no success.

Can anyone else add anything new to this?

Edited by: Eric Green on Sep 29, 2008 10:37 AM

Show replies
Show replies
Former Member
‎09-03-2008 9:33 AM
0 Kudos

Hi,

You need a java stack to use SPNEGO from it.

The best is to use the CRM java stack if you have it or you can use any other SAP java stack and configure trusted systems.

Regards,

Olivier

Show replies
Show replies
Former Member
‎09-03-2008 6:35 AM
0 Kudos

Hi,

I do not think SSO is possible here (although I could be wrong). The reason is that CRM does not use portal, it is standard alone application which can be start by entering URL in the internal explorer.

However most feasible option we have is having a login pop-up. You can enter once and have it marked for always. So evertime you open IE with CRM URL you will have to just have to action the login pop-up.

FYI - Once you are logged in CRM web IC, you could definitely use SSO feature for loging in other applications (ex: UCES, thrid party website) that are trigger from CRM web IC.

-ASB

Show replies
Show replies
Ask a Question