SAP SSO from Workgroup systems

Hi,

We are in the process of implementing SAP SSO for all our SAP ABAP systems using Secure Login Client with Kerberos authentication.

Most of our client systems (laptops & desktops) are in a work-group but have communication to the domain servers. Also, each user has a domain account.

As per our observations, only domain-joined laptops are able to log in to SAP systems using Secure Login Client.

The work-group system also has the Secure Login Client (SLC) installed and is in the same network as that of AD.

When we try to log on to SLC on a work-group machine with AD credentials, it fails with the error message "User name and password incorrect".

Whereas it works perfectly fine when we log in to SLC with domain credentials on a domain-connected system.

Please let us know how we can connect to SAP from a work-group machine using Secure Login Client through Kerberos authentication.

References:

https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+Kerberos

Regards,

Varadharajan M


2 Answers

  • Posted on Oct 04, 2018 at 02:37 PM

    Hi Varadharajan,


    The users in the Windows workgroup must exist on Active Directory (AD) and be authenticated on the same domain (or at least in a domain that is known by AD and the ABAP system via keytab).


    What is the output of the following command when executed on a workgroup user's workstation:

    1. Open cmd

    2. klist


    Cheers,

    Filipe Santos


  • Posted on Oct 21, 2018 at 02:59 PM

    Hi Varadharajan,

    There are some ways to solve this. Here is one.

    First, the SLC with Kerberos scenario is only possible using a domain-joined client. You won't get a TGT or ST on a workgroup client.

    In my scenario you have to use X.509 certificates instead of Kerberos tickets as the SSO token. You should set up the Secure Login Server (SLS) and configure it for LDAP authentication. Export the profile from SLS and import it on the workgroup client to set up SLC. Now, the user needs to perform a manual authentication using AD username and password. The credentials will be sent to the SLS together with a CSR. SLS validates the login credentials via the LDAP destination and creates the temporary X.509 login certificate for the user; it will automatically be installed on the SLC.

    Cheers, Carsten

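The two client-side conditions raised in the answers above (domain membership and a cached Kerberos TGT in the `klist` output) can be checked in one pass. This PowerShell snippet is an added example, not part of either answer or of SAP's tooling; the function name `Test-SlcKerberosReadiness` is hypothetical and the parsing assumes English `klist` output.

```powershell
# Added example. Test-SlcKerberosReadiness is a hypothetical helper name.
function Test-SlcKerberosReadiness {
    # Is this Windows machine joined to a domain, or is it in a workgroup?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # klist lists the Kerberos tickets cached for the current logon session.
    # Assumption: English output ("Cached Tickets: (N)", "Server: krbtgt/...").
    $klistText = (& klist.exe 2>&1 | Out-String)
    $ticketCount = 0
    if ($klistText -match 'Cached Tickets:\s*\((\d+)\)') {
        $ticketCount = [int]$Matches[1]
    }
    $hasTgt = [bool]($klistText -match 'Server:\s*krbtgt/')

    # USERDNSDOMAIN is only set when the user logged on with a domain account.
    $logonDomain = $env:USERDNSDOMAIN

    if ($domainJoined -and $hasTgt) {
        $advice = 'TGT present: client-side prerequisites for Kerberos SSO are met.'
    } elseif ($domainJoined) {
        $advice = 'Domain-joined but no TGT: log on with a domain account, then rerun.'
    } else {
        $advice = 'Workgroup client: no TGT expected; use an SLS X.509 profile instead.'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DomainJoined   = $domainJoined
        DomainOrGroup  = $cs.Domain        # workgroup name when not joined
        LogonDnsDomain = $logonDomain
        CachedTickets  = $ticketCount
        HasTgt         = $hasTgt
        Advice         = $advice
    }
}

Test-SlcKerberosReadiness | Format-List
```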
