on 06-24-2009 11:04 PM
Our Configuration:
BOE XI 3.1 Fix Pack 1.6
CMS is on one server, Tomcat on another.
Established WinAD authentication using Kerberos
Installed and configured SAP Integration and server side trust.
Established that SAP authentication is working.
Imported roles to BOE, aliased SAP Accounts to WinAD accounts in BOE.
Set BW universe connections to use SSO.
Only works for one user, the other users get an error message "Unable to connect to SAP BW server Incomplete logon data"
All users on SAP side are present in the same roles.
As this is a development environment all users for BOE in SAP have full rights.
So, my problem is why does it work for only one user? (this suggests that the tickets are being exchanged correctly by the SAP BW server and the BOE server).
Any ideas and/or suggestions would be appreciated.
JW
Hi Ingo
I've checked the SAP Int Kit pdf and setting up client SNC does not appear to be documented. I know you have provided some documentation but I cannot find it. Could you point to a URL where I could download this documentation?
Thanks
Jon
Hi Jon,
let me know if this helps:
http://ingohilgefort.blogspot.com/2009/07/businessobjects-and-snc-for-client.html
Ingo
Hi Ingo
OK. So the instructions in the SAP Integration kit PDF are somewhat light on this. Do you have something a little more helpful? Also do I need to involve a basis person to do something on the SAP/BW side?
Please provide details on the bulk aliasing, thankfully the SAP guid and WinAD guids are the same
Jon
Hi Ingo
- Do you want to use your SAP Credentials for achieving SSO for the BusinessObjects reports ?
Yes. By this I mean that the user's SAP credentials will be transparent; it is a security layer to BW that we need.
- Do you want to use your Windows AD credentials to achieve SSO for the BusinessObjects reports ?
Yes
- What is the entry point for the initial user authentication ?
WinAD. The user opens the InfoView URL and SSO via Kerberos opens the InfoView portal. The user can then browse to a report that is using a BW universe with SSO to a BW cube. The user should be able to refresh the report data using their SAP credentials that have been aliased to their WinAD account in BOE.
BTW do you know of a utility that can do bulk aliasing? We will have about 300 users that will need to be aliased.
Jon
Hi Jon,
So when you want to use Windows AD as the entry point, then you need to configure CLIENT SIDE SNC - which is not SAP Crypto Lib.
On the mapping of aliases, I thought I did mention the registry entry earlier. The SAP Authentication has a registry entry that you can use to set the simplified usernames, and assuming the usernames are identical you would then get the mapping automatically.
Ingo
>
> Hi Jon,
>
> So when you want to use Windows AD as the entry point, then you need to configure CLIENT SIDE SNC - which is not SAP Crypto Lib.
>
> On the mapping of aliases, I thought I did mention the registry entry earlier. The SAP Authentication has a registry entry that you can use to set the simplified usernames, and assuming the usernames are identical you would then get the mapping automatically.
>
> Ingo
Can you clarify the statement: "when you want to use Windows AD as the entry point, then you need to configure CLIENT SIDE SNC - which is not SAP Crypto Lib"?
This is confusing because the blog you mention below says "SAP server needs to be setup for SNC and SNC library needs to be deployed on your BOE system" though you do not cover deploying the SNC library steps.
Where do we get the SNC library path from? Also, we do not see the SNC profile parameters in the Instance profile.
Hi Michael,
SNC can be implemented with several different software vendors. The SAP Cryptographic Lib that was mentioned in this entry previously is made for server side trust - not for client side SNC.
You could use, for example, the Kerberos / NT version that is delivered, but you can also use software from other companies. The deployment of the library depends on which one you are selecting.
Ingo
>
> Hi Jon,
>
> So when you want to use Windows AD as the entry point, then you need to configure CLIENT SIDE SNC - which is not SAP Crypto Lib.
>
> On the mapping of aliases, I thought I did mention the registry entry earlier. The SAP Authentication has a registry entry that you can use to set the simplified usernames, and assuming the usernames are identical you would then get the mapping automatically.
>
> Ingo
Can you clarify the statement: "when you want to use Windows AD as the entry point, then you need to configure CLIENT SIDE SNC - which is not SAP Crypto Lib"?
This is confusing because the blog (http://ingohilgefort.blogspot.com/2009/07/businessobjects-and-snc-for-client.html) you mention below says "SAP server needs to be setup for SNC and SNC library needs to be deployed on your BOE system" though you do not cover deploying the SNC library steps. When checking SAP Help, it alludes to sapcrypto.lib as being a prerequisite to using SNC.
Where do we get the SNC library path from? Also, we do not see the SNC profile parameters in the Instance profile.
Hi,
when you want to integrate with Windows AD and use Windows AD as the first entry point for the user authentication and achieve SSO with your SAP system and BusinessObjects system you need to leverage client side SNC.
In the blog part 1
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
I am showing the profile parameters for the SAP Server and I also included a link to the MSFT Kerberos implementation that you could leverage.
In part 2
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2
you see the steps that are required to configure the SNC options in the Central Management Console.
These two blogs don't reference the SAP Cryptographic Library. You might have seen references in the installation guide for the Integration Kit for SAP Solutions - but that is in the chapter of server side trust - which is server side SNC and not client side SNC.
Ingo
Thanks Ingo
Could you point me to the relevant documentation on what is required? We have Kerberos working for WinAD SSO but I did not realise that it is required for SAP database SSO.
Jon
Hi Jon,
before I do that let's clarify the actual requirement:
- Do you want to use your SAP Credentials for achieving SSO for the BusinessObjects reports ?
- Do you want to use your Windows AD credentials to achieve SSO for the BusinessObjects reports ?
- What is the entry point for the initial user authentication ?
thanks
Ingo
Hi Ingo
Sorry for the confusion.
We need SSO to a BW database working for webi reports running off BW universes with SSO enabled. We have set up the crypto libs and server trust with SNC.
Only one SAP aliased to WinAD account works, the rest return the incomplete login data error. If I set up an enterprise BOE account and then alias this account to the SAP account that works for SSO, this works also. But if for the same BOE account I alias to a different SAP account then SSO does not work.
As far as I can tell the SAP profiles on the BW system are exactly the same for all accounts in this instance.
Jon
Hi Jon,
Server Side trust with the SAP crypto lib does not give you SNC client authentication - which you require when you want to use your Windows AD credentials for SSO.
Server Side trust is very different from the client authentication part. When you want to leverage your Windows AD credentials for achieving SSO to your SAP reports, then you need to setup SNC for client authentication with software like Secude or the Kerberos implementation.
Ingo
Hi
quick question: in the previous entries the error messages are referring to SAP Crypto lib for the SNC part. SAP Crypto Lib is used for SERVER SIDE TRUST - not for client authentication.
Yes, I'm aware of this. We are trying to get SSO to BW to work. This is to ensure that end users get the data that they are entitled to see. We have used SAP authentication as part of the fault finding process. This ensures that users can get authenticated to SAP.
I included the dump (in a previous post) from using the SAPJCO demo suite to highlight where I think the problem is.
Thanks
Jon
Hi Jon,
on the one hand you mentioned you are trying to get SSO to work, then you mentioned SNC, but you also mentioned that you are aware that SAP Crypto Lib is not SNC CLIENT AUTHENTICATION.
Perhaps you can clarify what exactly you mean by SSO because all the logfile copies in the previous entries indicate that you are using the SAP Crypto Lib - which is NOT CLIENT AUTHENTICATION.
Ingo
Hi Ingo,
We are having a very similar problem setting up client Side SNC to SAP as described in your blogs.
We tried using the SNC name as p:DOMAIN\user as well as p:CN=...,OU=.... format but to no avail.
We think we have done the steps outlined in your post.
However we still get the dreaded error, "Unable to load the GSS-API DLL named ..."
I understand that sapcrypto.dll is NOT for client side SNC. So I downloaded the gssntlm.dll from SAP. However I can't get rid of that error. No matter what file I use, 64-bit, 32-bit, gssntlm, I still get the unable to load error.
My question is: I am trying to determine whether,
Am I using the right library? Am I getting problems loading the library?
Or is this error a generic error for some configuration error in my SNC settings either on SAP server or BOBJ side?
I did set SNC_LIB env variable; however the job of loading this library is done by Tomcat, right? Is there something else we need to do?
Thanks a lot
ac
Hi Ingo,
-What are the steps that you completed ?
For a User in SAP, in the SNC tab, I activated the SNC settings by adding the SNC Name.
Also in SAP, I defined the bobj system.
In Business Objects CMC, I enabled SNC and in mutual auth, defined the name of the SAP system in the DN format.
I defined the SNC_LIB env variable on windows to point to the file name/path of gssntlm.dll library.
I defined the profile parameters including the library location on SAP.
- which software are you using ?
I am using XIR3.1 to go against SAP BW system.
I am using the gssntlm.dll library from SAP for 32-bit.
Trying to do client side SNC from bobj XIR31 to SAP bw 7.10
- when do you see the error message ?
I get the unable to load gss-api DLL error when trying to click on the "Role Import" tab.
thx
Hi Scott,
I assume you are looking to combine Windows AD and SAP Credentials:
For a User in SAP, in the SNC tab, I activated the SNC settings by adding the SNC Name.
Also in SAP, I defined the bobj system.
>> I assume transaction SNCO
In Business Objects CMC, I enabled SNC and in mutual auth, defined the name of the SAP system in the DN format.
I defined the SNC_LIB env variable on windows to point to the file name/path of gssntlm.dll library.
I defined the profile parameters including the library location on SAP.
- which software are you using ?
I am using XIR3.1 to go against SAP BW system.
I am using the gssntlm.dll library from SAP for 32-bit.
Trying to do client side SNC from bobj XIR31 to SAP bw 7.10
- when do you see the error message ?
I get the unable to load gss-api DLL error when trying to click on the "Role Import" tab.
- Did you configure Windows AD ?
- Did you map user aliases ?
see here:
SNC Part 1
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
SNC Part 2
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2
Ingo
Hi Ingo,
thanks for the links; I have been using them to start my process.
- Did you configure Windows AD ?
Yes, AD SSO with kerberos is working fine.
- Did you map user aliases ?
Yes, I mapped SAP to AD aliases and also changed the Windows registry to use SimpleUserName as your blog suggested.
No matter what changes I make, I do not get a different error message from "unable to load gssapi DLL".
Does the SAP server side library have to match the BOE side library?
I am using sapcrypto.dll on SAP side and gssntlm.dll on the BOE side, would that work?
thx
Ingo,
I'd appreciate if you could confirm a few things from your blogs,
1. in Blog 2, you suggest to go to SAP SU0 and edit the user used for the purpose of setting up the entitlement system.
This is the user account entered in BOE CMS -> Authentication-> SAP page, correct?
2. you said to go to SNC tab for this user in SAP and write the SNC name in p: format.
If I enter the domain name of the user running the SIA , tomcat processes
p: DOMAIN\user , it gives an error, "Canonical name cannot be determined". It saves the name though.
Only if I enter an entry in the Distinguished Name (DN) format, does it give me the green check mark.
Is this right? Should I be proceeding with the p: DOMAIN\user format in spite of the error?
3. SNC name in the BOE CMS Authentication-> SAP-> Entitlement tab. Should this also be in p:DOMAIN\name format?
4. I am using the 32-bit library gssntlm.dll from SAP on BOE side. This is part of winsso.zip package. is that ok?
These points, I felt, had some ambiguity and would help me troubleshoot better.
thx a lot.
Hi,
1. in Blog 2, you suggest to go to SAP SU0 and edit the user used for the purpose of setting up the entitlement system.
This is the user account entered in BOE CMS -> Authentication-> SAP page, correct?
yes
2. you said to go to SNC tab for this user in SAP and write the SNC name in p: format.
If I enter the domain name of the user running the SIA , tomcat processes
p: DOMAIN\user , it gives an error, "Canonical name cannot be determined". It saves the name though.
Only if I enter an entry in the Distinguished Name (DN) format, does it give me the green check mark.
Is this right? Should I be proceeding with the p: DOMAIN\user format in spite of the error?
This depends on which SNC software you are using.
3. SNC name in the BOE CMS Authentication-> SAP-> Entitlement tab. Should this also be in p:DOMAIN\name format?
see above
4. I am using the 32-bit library gssntlm.dll from SAP on BOE side. This is part of winsso.zip package. is that ok?
yes
Ingo
Scott,
I'd suggest to talk to your Basis team to find out if they have SNC enabled on SAP server. What I found from my analysis is if you are using SAP on windows environment you would get library files for Client side SNC that can be downloaded from marketplace else you would have to go through 3rd party SNC providers like Secude, Quest etc to get the library files to achieve SNC (which is an investment).
The canonical name error is generally caused if SNC is not enabled on SAP server.
Ingo: Correct me if my understanding is wrong.
Regards,
Vijay
Hi Ingo
what happens when you use the other SAP credentials and try to logon to InfoView with their AD credentials ?
Get the incomplete logon data error message when other users try to refresh a webi report using a BW universe with SSO defined in the BW data connection.
Can you logon with those users using the SAP authentication ?
Yes
Jon
All SAP users have been aliased to the appropriate Windows AD users ?
Yes
So what's the error message you received ?
IDBD Unable to connect to SAP BW server Incomplete Login data
Can the users logon to InfoView with their AD credentials ?
Yes
Note: Only one user can successfully pass SAP login credentials to the SAP BW server.
Jon
SAP user accounts have been aliased to WinAD accounts
Hi Ingo
As I pointed out in my original post, SSO works for one user, but not for any others that have been aliased. This suggests that BOE and SAP are exchanging certificates and that server side trust is working. I know this as the user that SSO works for has the same WinAD and SAP login but different passwords. To eliminate WinAD as a cause we set up a BOE enterprise user and aliased that user to a SAP user. This failed with the incomplete login information error.
I have had this working at another site, but the SAP side was configured by their SAP service provider and these people have a different skill level to the SAP service provider I'm working with at the moment.
In answer to your question Ingo, yes SNC has been configured on the BOE and SAP sides.
Jon
Jon,
You need to log on to InfoView with your SAP logins.
Regards,
Roman
Hi Jon,
are you logging on to InfoView with your SAP Credentials and trying to create the report ?
what's the initial step of user authentication towards the BOE server ?
Ingo
Hi Ingo
are you logging on to InfoView with your SAP Credentials and trying to create the report ?
No we log into Infoview via WinAD SSO
what's the initial step of user authentication towards the BOE server ?
As above WinAD.
The users WinAD credentials are aliased to their SAP credentials in BOE.
We ran the JCO test tool. The output:
Java Runtime:
Operating System: Windows 2003 5.2 for x86
Java VM: 1.5.0_12 Sun Microsystems Inc.
Java Codepage: Cp1252
Versions:
JCo API: 2.1.8 (2006-12-11)
JCo middleware: 2.1.8 (2006-12-11)
JCo library: 2.1.8 (2006-12-11)
RFC library: 710.0.135
Paths:
JCo classes: D:\Program%20Files%20(x86)\Business%20Objects\sapjco\sapjco.jar
JCo library: D:\Program Files (x86)\Business Objects\sapjco\sapjcorfc.dll
RFC library: System-defined path
jco.client.x509cert:
jco.client.snc_partnername: p:CN=!sysBusinessObjectsD, OU=Service Accounts, DC=zeus, DC=ghsewn, DC=com
jco.client.ashost: 10.116.6.40
jco.client.snc_mode: 1
jco.client.snc_myname: p:CN=!sysBusinessObjectsD, OU=Service Accounts, DC=zeus, DC=ghsewn, DC=com
jco.client.snc_lib: /usr/sap/BD2/SYS/exe/run/libsapcrypto.so
jco.client.sysnr: 40
jco.client.client: 800
jco.client.snc_qop: 3
JCO.createClient()..........................................ok
client.connect()............................................[Thr 1768] Thu Jun 25 15:31:59 2009
[Thr 1768] *** ERROR => SncPDLInit(): DlLoadLib("/usr/sap/BD2/SYS/exe/run/libsapcrypto.so")=DLENOACCESS
[Thr 1768] [sncxxdl.0340][Thr 1768] *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) /usr/sap/BD2/SYS/exe/run/libsapcrypto.so not loaded
[Thr 1768] [sncxxdl.0604]failed
com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM GWHOST=10.116.6.40, GWSERV=sapgw40, SYSNR=40
LOCATION CPIC (TCP/IP) on local host
ERROR Unable to load the GSS-API DLL
named "/usr/sap/BD2/SYS/exe/run/libsapcrypto.so"
TIME Thu Jun 25 15:31:59 200
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -1
MODULE sncxxdl.c
LINE 342
DETAIL SncPDLInit
SYSTEM CALL LoadLibrary
COUNTER 1
So this seems to indicate that SAP is unable to load the libsapcrypto.so
Jon
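The JCo diagnostic output in the post above can be checked mechanically for the conditions the thread keeps returning to: which GSS-API library the client is told to load, whether that path fits the client's operating system, and whether the load failed. The following Python sketch is an added example, not part of the original thread and not an SAP tool; the function names and finding codes are assumptions of this example, and the sample trace is abridged from the output quoted in the post.

```python
import re

# Constructed sample: abridged from the JCo diagnostic output quoted in the post above.
SAMPLE_TRACE = """\
Operating System: Windows 2003 5.2 for x86
jco.client.snc_mode: 1
jco.client.snc_lib: /usr/sap/BD2/SYS/exe/run/libsapcrypto.so
jco.client.snc_qop: 3
[Thr 1768] *** ERROR => SncPDLInit(): DlLoadLib("/usr/sap/BD2/SYS/exe/run/libsapcrypto.so")=DLENOACCESS
ERROR Unable to load the GSS-API DLL
SYSTEM CALL LoadLibrary
"""

PROP_RE = re.compile(r"^(jco\.client\.\w+):\s*(.*)$")
LOAD_RE = re.compile(r'DlLoadLib\("([^"]+)"\)=(\w+)')

def parse_trace(text):
    """Return (os_name, jco.client.* properties, [(library, return code), ...])."""
    os_name, props, failures = None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Operating System:"):
            os_name = line.split(":", 1)[1].strip()
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        m = LOAD_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return os_name, props, failures

def triage(text):
    """Return finding codes (hypothetical names) for the SNC client settings in a trace."""
    os_name, props, failures = parse_trace(text)
    findings = []
    lib = props.get("jco.client.snc_lib", "")
    if props.get("jco.client.snc_mode") == "1" and not lib:
        findings.append("SNC_LIB_MISSING")
    is_windows = bool(os_name) and os_name.lower().startswith("windows")
    if lib and is_windows:
        # The JCo client loads the GSS-API library in its own process,
        # so on Windows it needs a local path to a .dll.
        if lib.startswith("/") or not lib.lower().endswith(".dll"):
            findings.append("SNC_LIB_NOT_A_WINDOWS_DLL")
    if lib and os_name and not is_windows and lib.lower().endswith(".dll"):
        findings.append("SNC_LIB_NOT_A_SHARED_OBJECT")
    if "sapcrypto" in lib.lower():
        # Per the replies in this thread: SAP Crypto Lib is for server side
        # trust, not for client side SNC.
        findings.append("SAPCRYPTO_USED_FOR_CLIENT_SNC")
    for path, rc in failures:
        findings.append(f"LOAD_FAILED:{rc}:{path}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```
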
Hi,
>>.InfoView with your SAP Credentials and trying to create the report ? No we log into Infoview via WinAD SSO whats the initial step of user authentication towards the BOE server ? As above WinAD. The users WinAD credentials are aliased to their SAP credentials in BOE. We ran the JCO test tool.
So you are logging on with Windows AD but want to use the SAP credentials for SSO. Have you configured SNC for client authentication ?
Ingo