
SSO

Former Member
0 Kudos

Hi,

I want to implement SSO with AD on my new SAP server (not installed yet). I have a parent domain 123, and abc and xyz as its child domains. I want to install SAP on xyz and route the SSO to abc; is that possible? I read a few docs regarding SSO with AD but could not connect the terms properly, like LDAP server: do we really need it? I just want to know the concept behind SSO with AD and the major steps (prerequisites also) so that I can implement SSO. Can someone help me with some good document or weblink on it?

Regards,

Mridul

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi Mridul!

I guess that the difficult point here is that you are working with several different areas.

From the security configuration, you will find a lot of information in the link: . You can also check the following notes:

121178 - NT: Installation note for SSO Single Sign On

352295 - Microsoft Windows Single Sign-On options

550742 - FAQ: General questions about Single Sign-On

From the operating system point of view, first of all take into account that AD is Microsoft's implementation of LDAP, so I guess that you do not need to have another LDAP as you already have one (anyway, it depends on your design). I also recommend that you check the "trust relationship" between domains; there is a short description in note 117395 ("Authorization problems for file I/O on Windows NT").

Cheers!!

-Jesú

Former Member
0 Kudos

Hi,

Can anyone just help me or tell me the steps for implementing SSO with Active Directory? As previously asked, I am not using cross-domain but the simple parent-child architecture, i.e. I want that when I log in to my domain, it should allow login to the SAP servers of that domain without the need for a password.

Regards,

Mridul Gupta

cris_hansen
Advisor
0 Kudos

Hi Mridul,

It is not possible to have users from an ABAP system being authenticated via AD. As already mentioned here, you can only synchronize user master data (not passwords!) through LDAP and a specific report.

Best regards,

Cristiano

Former Member
0 Kudos

Hi,

I am trying to implement Single Sign-On with Microsoft Kerberos SSP as per the installation guide and changed the parameters as per the guide:

snc/enable = 1

snc/gssapi_lib =<DRIVE>:\%windir%\system32\<kerberos_file>.dll

snc/identity/as =p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME>

The domain name of my system as mentioned in the Properties of My Computer is WSE.wsmain.local and when I am mentioning

snc/identity/as =p:SAPService<SAPSID>@WSE.wsmain.local the dispatcher is not coming up, and I think the root cause is this snc parameter only. I even tried snc/identity/as =p:SAPService<SAPSID>@WSE.WSMAIN.LOCAL, p:SAPService<SAPSID>@WSE, as well as the same with three more cases with <sid>adm, like snc/identity/as =p:<sid>adm@WSE.WSMAIN.LOCAL and so on, but the dispatcher is not coming up.

I am also pasting the log for dev_w0 for your reference:

-


trc file: "dev_w0", trc level: 1, release: "700"

-


N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll

N File "C:\WINDOWS\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:SAPServiceW6R@WSE.WSMAIN.LOCAL

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): SSPI u2u-problem: please add Service principal for own account

N Could't acquire ACCEPTING credentials for

N

N name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"

M *** ERROR => ErrISetSys: error info too large [err.c 944]

M Tue Jun 29 19:11:31 2010

M LOCATION SAP-Server wss-cha-w6r_W6R_14 on host wss-cha-w6r (wp 0)

M ERROR GSS-API(maj): No valid credentials provided (or available)

M GSS-API(min): SSPI u2u-problem: please add Service principal for own a

M name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"

M TIME Tue Jun 29 19:11:31 2010

M RELEASE 700

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

M RC -4

M MODULE sncxxall.c

M LINE 1432

M DETAIL SncPAcquireCred

M SYSTEM CALL gss_acquire_cred

M ERRNO

M ERRNO TEXT

M DESCR MSG NO

M DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;

M ;;;;GSS-API(min): SSPI u2u-problem: please add Service principal for own a;;;;

M ;;;;name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 1

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- ERROR: SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10468]

M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP

M *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c 724]

M *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c 261]

M Entering ThSetStatError

M ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)

M Entering ThReadDetachMode

M call ThrShutDown (1)...

M ***LOG Q02=> wp_halt, WPStop (Workproc 0 4088) [dpnttool.c 327]

Please suggest.

Regards,

Mridul
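A way to pull the SNC start-up facts out of a dev_w0 trace like the one in the post above, as an added example that is not part of the original thread or of SAP's tooling. The helper name `triage_snc_trace` and the report keys are hypothetical; the sample lines are adapted from the posted trace, with the principal written with "@".

```python
import re

# Sample lines adapted from the dev_w0 trace in the post (principal written with "@").
SAMPLE_TRACE = """\
N SncInit(): found snc/gssapi_lib=C:\\WINDOWS\\system32\\gx64krb5.dll
N SncInit(): found snc/identity/as=p:SAPServiceW6R@WSE.WSMAIN.LOCAL
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- ERROR: SncInit()==SNCERR_GSSAPI
"""

FOUND = re.compile(r"SncInit\(\): found (snc/[\w/]+)=(\S+)")
GSS = re.compile(r"GSS-API\((maj|min)\):\s*(.+)")
IDENTITY = re.compile(r"^p:([^@\s]+)@([^@\s]+)$")

def triage_snc_trace(text):
    """Summarise SNC initialisation from a work process trace (hypothetical helper)."""
    report = {"params": {}, "maj": None, "min": None, "fatal": False, "notes": []}
    for line in text.splitlines():
        if m := FOUND.search(line):
            report["params"][m.group(1)] = m.group(2)
        elif (m := GSS.search(line)) and report[m.group(1)] is None:
            # The trace repeats the messages (often truncated); keep the first copy.
            report[m.group(1)] = m.group(2).strip()
        elif "SncInit(): Fatal" in line:
            report["fatal"] = True
    ident = report["params"].get("snc/identity/as", "")
    m = IDENTITY.match(ident)
    if not m:
        report["notes"].append("snc/identity/as is not of the form p:<account>@<REALM>")
    else:
        report["account"], report["realm"] = m.groups()
        if report["realm"] != report["realm"].upper():
            report["notes"].append("realm is not upper case, guide asks for upper case")
    if report["fatal"] and report["min"]:
        # Surface the GSS-API library's own hint rather than guessing a cause.
        report["notes"].append("credential acquisition failed: " + report["min"])
    return report

if __name__ == "__main__":
    for key, value in triage_snc_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```
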

Former Member
0 Kudos

Hi,

I am able to SSO login through my machine and some other machines where Windows XP SP2 is installed, but it's giving an error in SP3 stating: Unable to load the GSS-API DLL named gssapi32.dll.

Please help.

Regards,

Mridul Gupta

cris_hansen
Advisor
0 Kudos

Hi Mridul,

You have to check SAP note 352295.

You may also refer to SAP note 1257108 for tips & tricks about SSO issues.

Best regards,

Cristiano

Former Member
0 Kudos

Hi Mridul,

Your question dates from the end of March? Is it still unsolved for you? (My AD looks the same as yours and we have been using SSO for 4 years.)

regards

Michael

Edited by: Michael Krüger on May 25, 2010 12:32 PM

Former Member
0 Kudos

Yes, it's still not solved... can you help me with this?

Former Member
0 Kudos

Hi,

As you said, you wanted to implement SSO and wanted to use AD as your data source.

LDAP integration with your ABAP is possible using the LDAP transaction.

I have some questions:

1. What is the length of the user IDs in your Active Directory? If this is more than 13 characters, then you will have to use the mapping option in LDAP with some unique ID, i.e. employee number.

2. For SSO, are you planning to use any 3rd-party software like PSE, or do you plan to use the Windows Kerberos utility for creating tickets?

Let me know and also let me know what kind of info you need while doing the setup.

Regds,