SAPGUI SNC logon and digital signature

Dear all,

I have set up, in a test environment, a SAP logon with SNC in order to use Active Directory authentication instead of the SAP R/3 user and password. It works well, so I can enter the system directly without specifying an R/3 user and R/3 password. My users no longer have to maintain an R/3 password.

Now I have a problem. For some transactions we have implemented the digital signature in order to have a further authentication when we want to perform some critical task. An example is releasing a DMS document in transaction CV02N.

Our customizing for digital signature is:

System signature with authorization by R/3 user ID/password

The other options are:

User signature with ext. security product with verification

User signature with ext. security product w/o verification

So the system still asks the users for their R/3 password for authentication when they try to "sign" a document.

Do you think there is a way to configure the system to ask for and check the Active Directory user password instead of the R/3 password? Where can I find documentation about it?

My system is SAP R/3 4.70 ext 2 on Windows 2003 R2 SP2 x64.

My Active Directory is based on Windows 2003 x32 SP2 in native mode.

Thank you in advance for your help.

Kind Regards

Mauro Fallavollita

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
Mauro,

I am familiar with this problem. I am trying to raise the profile within SAP company so that they add functionality to call an authentication module when authenticating for digital signature purposes. At the moment, the SAP software assumes that your user store has a password for the user who is logged on, but (as you know) when you use SSO the password in SAP system is not used and often deactivated.

Other customers who I know who have found this problem have changed the ABAP code to perform the authentication when digital signature is used. This is not the ideal solution, but it is the only solution available until SAP change their product to work better.

There is another option - you could use a digital signature product which would require smart cards on each workstation and require additional software to be installed on each workstation. For customers who have already installed additional software on workstations for SNC purposes, and are using Kerberos with Active Directory, this is not a very viable solution/option.

You might want to check out my thread which relates to this at

Thanks,

Tim

9 REPLIES 9

0 Kudos

Tim,

Thanks for your help.

I have read your thread. You went very deep into the problem. I still have a lot of doubts, mainly because of my lack of knowledge. We have implemented digital signature for FDA compliance. I think we have 2 or at most 3 processes (transactions) using digital signature. We are speaking about 30 users out of 350 users defined. I think if I ask my company to search for somebody to write Z code for trying to use the Active Directory password they will shoot me. At the same time, could Z code for checking the AD password be accepted by the regulator? What I have not understood is whether in the end you (or your company) have developed some Z code for your customer in order to use the AD password for digital signature.

At the same time, do you think it is possible to implement third-party software authentication only for the users who have to sign, and at the same time still use SNC for the other users? Is there a list of these certified software products? Could RSA and one-time passwords be one of these?

Regards

Mauro

tim_alsop
Active Contributor
> What I have not understood is whether in the end you (or your company) have developed some Z code for your customer in order to use the AD password for digital signature.

I/we didn't need to do anything other than research the possibilities and recommend this solution to them. They made the changes to the code to meet their needs.

The details provided below might help:

The SAP supplied function module called SSFT_PPPI_SIGN needs to be changed (or copied to a module with a new name and changed, in order to avoid any support issues). If a new function module is used, then any code which calls the SAP supplied module (e.g. t-code QA33) would have to be changed to call the new module instead.

There are some options for what changes need to be made to the SSFT_PPPI_SIGN function module:

1. It could be changed to call a SAP supplied function module called LDAP_SIMPLEBIND. This would mean that a user and password entered by user would then be checked with LDAP server (e.g. Active Directory) instead of the user and password entered being checked with SAP user store, which of course won't work when SNC is enabled because user SAP passwords are then deactivated.

With this option, the user name entered would need to be an AD user account name, as well as the name of the SAP user. So, if there is no direct link between AD user and SAP user, this method will not work, unless name mapping was built into the coding.

2. It could be changed to call an RFC which would run code on the user's workstation, which would authenticate the user using an Active Directory SignOn screen (our company provides this). Once authenticated, the SAP user would be determined using the existing mapping information in the USRACL table, and the function module would then be satisfied that a specific SAP user has authenticated and this can be used to create or verify their digital signature.

3. It could be changed to call some server side code to perform a Kerberos authentication with Active Directory (via the SNC library), and then use the USRACL table to determine the SAP user which is associated with the authenticated AD account name.

Options 2 and 3 would not require the AD account name to be same as SAP user name, but would be more complex to code, and therefore take longer to code and test. However, option 1 would/should be very easy to code, as long as the person doing it has the ABAP development skills required.

> At the same time, do you think it is possible to implement third-party software authentication only for the users who have to sign, and at the same time still use SNC for the other users? Is there a list of these certified software products? Could RSA and one-time passwords be one of these?

The problem you face is that the SAP software is expecting to use SAP userid+password to authenticate the user. Once you "externalise" this authentication, e.g. make it use LDAP or Kerberos to allow Active Directory to be used, then you can look at supporting two-factor authentication methods instead of just a user id and password.

> Regards

> Mauro

BTW. You need to contact a SAP user group to raise a development request.
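All three options above reduce to the same steps: authenticate against AD instead of the SAP user store, resolve the authenticated principal to an SAP user via the USRACL-style mapping, and tie the result to the session that is signing. The Python below is an added illustration written for this thread, not SAP code; the in-memory directory and mapping are constructed stand-ins and every name in them is hypothetical.

```python
"""Authorisation step for a digital signature when SNC SSO has deactivated
SAP passwords.  Added illustration, not SAP code: the directory and the
USRACL-style mapping are constructed in-memory stand-ins with hypothetical
names, in place of a real LDAP bind and the real USRACL table."""

from typing import Optional

# Constructed stand-in for the Active Directory bind: principal -> password.
_AD_DIRECTORY = {
    "mauro@CORP.EXAMPLE": "Winter-2009!",
    "anna@CORP.EXAMPLE": "s3cret-pw",
}

# Constructed USRACL-style mapping: external (SNC/AD) name -> SAP user.
_USRACL = {
    "mauro@CORP.EXAMPLE": "MAURO",
    "anna@CORP.EXAMPLE": "ANNA",
}


def ad_simple_bind(principal: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against Active Directory.

    RFC 4513: a bind with a name but an empty password is an *unauthenticated*
    bind, which many servers report as success.  LDAP_SIMPLEBIND-style code
    must therefore refuse an empty password before binding, so the stand-in
    models that refusal explicitly."""
    if not password:
        return False
    return _AD_DIRECTORY.get(principal) == password


def authorize_signature(logged_on_sap_user: str, entered_name: str,
                        entered_password: str) -> Optional[str]:
    """Return the SAP user the signature may be attributed to, or None.

    1. Authenticate the entered credentials against AD, not the SAP store.
    2. Resolve the authenticated principal to an SAP user via the mapping
       (the AD name and the SAP name need not be the same).
    3. Tie the result to the session: the signature must belong to the user
       who is logged on, otherwise valid AD credentials typed into another
       user's session would produce a signature attributed to that user."""
    if not ad_simple_bind(entered_name, entered_password):
        return None            # bad password, empty password or unknown principal
    sap_user = _USRACL.get(entered_name)
    if sap_user is None:
        return None            # authenticated in AD, but no SAP user mapped
    if sap_user != logged_on_sap_user:
        return None            # credentials belong to a different SAP user
    return sap_user
```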

Former Member
I am also one of those who have opened a development request with SAP to enhance the function to add a configurable or "lightly codable" method to sign a document in standard transactions which does not use the local or a remote ABAP password.

The customer ended up modifying the standard function - it was either that, or all the standard transactions... or running into problems with legal requirements.

I know of several companies who support this request, so feel welcome to raise the issue with SAP and point to this thread.

Cheers (and thanks!)

Julius

0 Kudos

Julius,

Thanks for your answer.

I am somewhat worried about writing Z code for this kind of task, mainly because I don't want to run into problems with legal requirements (as you stated). Reading what you write, it seems that some customers did that (how does it work?). I think I have no way to raise this issue to SAP (development). I just tried with SAP support and they told me that it is not part of the support.

Best Regards

Mauro

0 Kudos

> I am somewhat worried about writing Z code for this kind of task

What I was referring to is not writing Z-code. It is changing S-code... hot potato!

> I don't want to run into problems with legal requirements (as you stated).

Well, you might if you do use SNC SSO and don't change the code...

> I think I have no way to raise this issue to SAP (development). I just tried with SAP support and they told me that it is not part of the support.

Yep, I had the same problems at first as well. I will bounce this thread of yours to the "powers that be".

Cheers,

Julius

Former Member
Hi Mauro,

We are having the same issue and I would like to know what code we need to write in the function module LDAP_SIMPLEBIND to authenticate the user with the AD user ID and password.

Regards

Anandm

0 Kudos

Hello,

I know this is a pretty old thread, but this is exactly what I am looking for: a standard SAP out-of-the-box approach without NW SSO 2.0.

Please let me know if you have any suggestions on whether there is a way to achieve this without ABAP development. We are on SAP NW 7.02 SP10 AS ABAP.

Thanks

Dhee

0 Kudos

You will need to activate a BADI and some light ABAP development / config for the LDAP binding. See SAP note 1515711.

Cheers,

Julius