
SSO using Windows Kerberos by configuring SAP Front Ends automatically Win03

Former Member
0 Kudos

Hi Everyone,

We are trying to configure SSO for our SAP environment using AD on a Windows 2003 DC.

We are running SAP ECC5 on Win2003 64bit with Oracle 10.2, and we have only ABAP and no Java.

I tried to follow the steps for configuring front ends individually and it worked fine.

Since we have many users, we tried to do it using the Domain Controller as a Group Policy, but we are getting SNC errors.

I followed the steps below, but even after the MSI file is installed on the users' machines it is still showing the SNC error. I verified that Kerberos is installed and the DLL files are created, but I am still getting the SNC error.

Can anyone please provide the exact steps which need to be followed on the domain to make it work successfully?

To define the Group Policy:

1. Log on to a front-end machine as domain administrator of the Windows 2000 domain.

2. Copy the program SAPSSO.MSI from the sapserv<x> directory general/R3Server/binaries/NT/W2K to a shared directory.

3. From the Windows 2000 menu choose Start → Programs → Administrative tools → Active Directory Users and Computers.

The dialog box Active Directory Users and Computers appears.

4. Select the domain for which you want to set up Single Sign-On. Right-click and choose Properties from the context menu.

The dialog box <Domain_Name> Properties appears.

5. On the Group Policy tab, choose New to access the dialog box for creating a new policy object.

6. Under Group Policy Object Links, enter a name for the new policy object, for example, SAPSSO. Choose Edit to define the contents of the policy.

7. In the Group Policy Editor choose User Configuration → Software Settings → Software Installation.

The Deploy Software dialog box opens.

8. Right-click and choose New → Package from the context menu.

The Open dialog box appears.

9. Select the file SAPMSSO.MSI from the shared location. Specify the path with the UNC name (\\<hostname>\<share>).

10. Select Assign and confirm with OK.

You have now created a new Group Policy. The next time any user logs on to the domain with the SAP front end, the wizard SAP Single Sign-On Support for Windows 2000 is started and automatically prepares the front end for Single Sign-On.

Regards

P

Edited by: Pradeep Gali on Jun 17, 2009 9:55 PM

5 REPLIES 5

SimonXu
Advisor
0 Kudos

Morning

Sorry, the problem is not very clear now.

1. In which phase does the error occur? After ADS successfully distributed the software to the client and the client installations finished successfully?

2. Were the Windows GUI settings for SNC done?

3. What is the exact error here?

4. We can definitely get the trace as per note 495911 to see exactly what is missing.

regards

Simon

Former Member
0 Kudos

Hi Simon,

I am getting the problem during domain phase.

1. After ADS successfully distributed the software to the client and the client installations finished successfully?

The error: "SAP System message: Secure Network Layer SNC error".

When I check under Control Panel - Add & Remove Programs, Kerberos SSO support is not fully installed. I mean I can see the description but not the size of the application.

We are trying to apply the SAPMSSO.MSI as a domain policy.

When I tried to do the install locally on the machines individually, it works fine.

Thanks & Regards

Pradeep

0 Kudos

Hi,

Can anyone please provide me some help regarding the SSO issue? We are stuck with this project and even SAP Support is not able to provide a convincing solution.

Regards

Pradeep.G

0 Kudos

Pradeep,

If I understand correctly, you are not having an SSO issue, but you are having a problem with deployment of the SAP-supplied .msi package using AD group policy. If I understand correctly, then if you install the .msi package manually at each workstation then the SAP SSO is working? Can you confirm? If so, perhaps you can contact Microsoft for help with group-policy-based package installation issues. In my experience this kind of software is deployed using a software distribution tool and not normally via group policy. Maybe this is because it is easier to deploy using this method?

Thanks,

Tim

Former Member
0 Kudos

Hi Pradeep,

Can you make sure that you have Mapped SAP System Users to Windows

Procedure :

1. Log on to the SAP system.

2. Choose Tools → Administration → User Maintenance → Users. Alternatively, enter transaction code SU01.

The User Maintenance window appears.

3. Enter the name of the SAP system user and choose User names → Change.

4. Choose the SNC tab. In the field SNC name, enter the name of the Windows user that is to be assigned to the SAP system user in uppercase:

p:<DOMAIN_NAME>\<NT_USERNAME>

<DOMAIN_NAME> is the Windows domain that the Windows user belongs to and <NT_USERNAME> the Logon ID of the Windows user.

p: is a prefix that all SNC names require.

For the Windows user Kissnerj, belonging to the domain SAP_ALL, enter

p:SAP_ALL\Kissnerj

5. Select Insecure communication permitted. This permits the user to still access the system without using the Single Sign-On feature, to work in a different domain.

6. Save the entries.

6. Save the entries.

Thanks,

Sridhar
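
An added example, not part of the original thread or of any SAP tool: a small audit of exported SAP-user-to-SNC-name mappings against the `p:<DOMAIN_NAME>\<NT_USERNAME>` format described in the reply above, which also flags one Windows account mapped to several SAP users for review. The function names and the sample mappings are constructed for illustration, and the uppercase rule is taken from that reply.

```python
import re
from collections import defaultdict

# Format from the reply above: p:<DOMAIN_NAME>\<NT_USERNAME>, entered in uppercase.
SNC_NAME = re.compile(r"^p:(?P<domain>[^\\\s]+)\\(?P<user>[^\\\s]+)$")

def check_snc_name(snc_name):
    """Return a list of problems with one SNC name (empty list = well-formed)."""
    if not snc_name.startswith("p:"):
        return ["missing 'p:' prefix"]
    problems = []
    if re.search(r"\s", snc_name):
        problems.append("contains whitespace")
    m = SNC_NAME.match(re.sub(r"\s", "", snc_name))
    if not m:
        problems.append(r"not in the form p:<DOMAIN_NAME>\<NT_USERNAME>")
    else:
        account = m.group("domain") + m.group("user")
        if account != account.upper():
            problems.append("domain or user name not in uppercase")
    return problems

def audit(mappings):
    """mappings: iterable of (sap_user, snc_name). Returns {sap_user: [problems]}."""
    findings = defaultdict(list)
    owners = defaultdict(list)   # normalised SNC name -> SAP users mapped to it
    for sap_user, snc_name in mappings:
        findings[sap_user].extend(check_snc_name(snc_name))
        owners[re.sub(r"\s", "", snc_name).upper()].append(sap_user)
    for users in owners.values():
        if len(users) > 1:       # one Windows identity can reach several SAP users
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("Windows account shared with: " + others)
    return {u: p for u, p in findings.items() if p}

# Constructed sample data (hypothetical users, not taken from the thread).
SAMPLE = [
    ("JKISSNER", r"p:SAP_ALL\KISSNERJ"),
    ("MMILLER", r"p:SAP_ALL\ MILLERM"),
    ("TBROWN", r"SAP_ALL\BROWNT"),
    ("ASMITH", r"p:SAP_ALL\smitha"),
    ("BATCH01", r"p:SAP_ALL\KISSNERJ"),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE).items():
        print(user, "->", "; ".join(problems))
```
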