cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO not working in webdynpro ABAP

Former Member

on ‎11-24-2009 8:18 AM

0 Kudos

Hi Experts,

I am facing problem when i am trying to create a WebdynproABAP component view in SE80 tcode.

It gives a pop up for password entry.

As we have SSO implemented in the SAP system we dont have any password.

I think the issue is with SSO as it works for other things except webdynpro view.

Please help me on this.

Regards,

Nik

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎11-24-2009 8:46 AM
0 Kudos

Hi,

>As we have SSO implemented in the SAP system we dont have any password.

If you use snc based SSO for sapgui access, it does not give you SSO for HTTP access (webdynpro).

We had the same problem for BSP applications and had to recreate a password and disable sapgui SSO for users neeeding both sapgui and BSP access.

We have now a project to implement SPNEGO SSO through the portal for HTTP access.

Regards,

Olivier

Show replies
Show replies
Former Member
‎11-24-2009 12:58 PM
0 Kudos

Hi Olivier, hi Nik,

here is my quick guide to implementing SPNego SSO. Maybe it could be helpful...

SSO with JAVA AddIn on SAP WebAS NS2004s Configuring SPNego with ABAP

datasource

Written by Gerd Schuster

References: SAP note 994791

Create a user like j2ee-SID in the ADS and make sure that the settings

  • Password never expired and

  • Use DES encryption types for the account

are set. In the following screenshot I will use j2ee-q2b, j2ee-p2b as the service-user.

Then run the setspn command to assign trhe ServicePrincipalName to the user. This

was the URL that you use to access the J2EE engine.

setspn -A HTTP/hostname.domain.de domain_dej2ee-SID

Registering ServicePrincipalNames for CN=j2ee-q2b,OU=System-Accounts,...

HTTP/hostname

Updated object

A short ldifde revals some important parameters that we are going to use later:

SAMAccountName: j2ee-SID

userPrincipalName: j2ee-SID @domain.de

servicePrincipalName: HTTP/hostname

now start the configtool and add the krb5principalname as an additional UME attribute.

cd /usr/sap/SID/DVEBMGSxx/j2ee/configtool

./configtool.sh

go to "cluster-data", "instance_IDxxxxx", "server_IDxxxxxxx", "services",

"com.sap.security.core.ume.service" mark ume.admin.addattrs and set the custom

value krb5principalname

Restart ABAP and Java instance.

Create a user like j2ee-SID in the UME

Assign the Roles SAP_BC_JSF_COMMUNICATION and

SAP_BC_JSF_COMMUNICATION_RO to the user j2ee-SID

Now we can start the SPNego wizard. hostname.domain.de:port/spnego

Kerberos Realm: DOMAIN.DE

KDC-Host: domaincontroller.somain.de:88

Make sure that the KPN Prefix is set to uniquename wich is defined in the ABAP

dataSourceConfiguration file.

Auflösungsmodus: Präfix-basiert

KPN-Präfix: uniquename

KPN-Suffix: dn

Testauflösungsmodus, enter the J2EE user name e.g. j2ee-Q2B.

Kerberos Principal Name j2ee-Q2B @DOMAIN.DE will be resolved in

user j2ee-Q2B in UME

After the testing the resolution mode continue with the next step. I prefer to create

a new template and assign this template later on to my ticket component.

*password Fallback aktivieren

*SSO mit SAP-Anmeldetickets aktivieren

That's it.

Assign the spnego template we created to the ticket component via Visual Administrator.

cd /usr/sap//DVEBMGSxx/j2ee/admin

./go

Logon with user j2ee_admin, go to SID, Server, Services, Security Provider. On the

right side clickticket. Switch to edit mode. Authentication template: spnego

Regards

Gerd

Ask a Question