
BI SSO Problem

Former Member
0 Kudos

Dear Expert!

We are using BI 7 with BW Release 700 Level 19.

I have configured BI Java through the web template, which was configured successfully, and we are able to run web queries in IE, but with no SSO.

Here the problem arose that it is not SSO; I have reviewed all the SSO settings and they seem okay; I will summarize below for your advice.

logon.ticket.client = 002 - SID = bidj ( non existing client )

BI Mandt Client = 600 - SID = bid.xx.net

The certificate has been exchanged between ABAP and Java by the template setup, so we are able to execute any report in the portal, but after submitting the username and password.

In the Service Provider service > Policy configuration > Ticket & Evaluate Assertion Ticket, they added the proposals like these:

trustediss1 =CN=bid.xx.net

trusteddn1 = CN=bid.xx.net

trustedsys1=BID,600

trustediss2 =CN=bid.xx.net

trusteddn2 = CN=bid.xx.net

trustedsys2=BID,000

trustediss3 =CN=bidj

trusteddn3 = CN=bidj

trustedsys3=BID,002


Also, in the BI Mandt client on the ABAP side, the ACL has been maintained in this order:

BID = 000 = bid.xx.net

BID = 600 = bid.xx.net

BID = 002 = bidj

Please advise what settings are missing and need to be done manually in order to execute queries in the portal with SSO.

I have downloaded many notes, such as SAP Note 701205, but all settings are correct as reviewed against that note.

I have executed the BI Diagnostic and Support Desk Tool, which is green, and did not find any red light to troubleshoot that area.

Regards

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

solved

Former Member
0 Kudos

Hi, Anwer Waseem!

I have the same problem. Can you tell me what the solution is, please?

Former Member
0 Kudos

Dear ALPE

It's an old thread, but I did the same steps as mentioned above.

I did the last steps the experts provided, which helped me to get out of the problem.

You can read the above steps carefully to solve your problem, or execute the template for a fresh installation.

Regards

Anwer Waseem

former_member227283
Active Contributor
0 Kudos

Hi Anwer,

but cannot SSO through the SAP-GUI if you called in web query in SAP-GUI.

Can we know what error you are getting while calling through SAP GUI?

Thanks

Anil

Former Member
0 Kudos

Hello Anil!

It logs on to the portal after entering the username and password!

Regards

former_member227283
Active Contributor
0 Kudos

Hi Anwer,

Some confusion : )

Can you explain to me how the user request flows up to the point where you get the error?

Thanks

Anil

Former Member
0 Kudos

Dear Anil

The SSO settings have been done in this flow:

This is one server with a dual stack (ABAP+Java); therefore, I have set logon.ticket_client = 002, which is actually a non-existing client. The BI mandatory client is 600 and our system IDs are bid.xx.net.

The rest of the settings were done by the web template, which imports/exports the certificate to the ABAP/Java side and sets the proposal in the security provider and in the ACL on the ABAP side.

We did not create any user in Java, but we set the data source as ABAP, "dataSourceConfiguration_abap.xml", and in the ABAP tab we defined the SAPJSF settings and pointed to the BI mandatory client; the connection has been tested successfully.

In the user mapping we defined the reference system as the ABAP system which has been maintained in the SAP_BW connection under the portal system landscape.

We are able to verify the test connection under SAP_BW --> connection test; we did not find any problem there when testing the 3 connections.

We have some queries which are running in the portal, but here we need to input the username and password to execute the query in the portal.

Also, we executed the BI Diagnostic and Support Desk Tool, which gave me a green signal light; it did not report any problem.

On the IE side, we set it to accept all cookies and defined bid.xx.net as a trusted site, but no luck.

Any idea of a missing step which causes the SSO problem?

Also, I have a doubt about the SAPSECULIB setting, which has not been done. I am reviewing it.

Please advise and share your experience.

former_member227283
Active Contributor
0 Kudos

Hi Anwer,

SSO through the SAP-GUI if you called in web query in SAP-GUI.

I am assuming that you are using SAP GUI for HTML.

Do the following process for SSO testing.

Login to portal --> to System Administration->Support->SAP Application-> Under Test and Config Tools select SAP Transaction.

Enter any TCODE and select SAP GUI for HTML and execute the same.

Check what output you get.

After that, select the option SAP GUI for Windows and execute.

Let us know the output of above 2 things.

Thanks

Anil

Former Member
0 Kudos

Hello Anil!

Sorry for the delayed reply. I am using the SAP GUI for Windows.

We are logging in to GUI for Windows; we made a favorites menu for the BI queries, which calls the portal like this:

<prt_protcl>://<prt_server>/<bi_launcher>?QUERY=ZAZCSSD_Q0005.

We have created two entries for each report: 1) for calling the BEx Analyzer and 2) to open in the portal.

The BEx Analyzer does not prompt the user to enter the username and password; it opens perfectly, but the portal prompts us to enter the username and password to execute the reports. It executes after entering the login credentials.

As you told us, we executed the following option in the portal. I am able to execute the SAP transaction through the portal in the Win GUI, but not in the HTML one, which gives an error because it is not configured.

-


For Juan

I have made login.ticket_client 000 instead of 002; the portal SID defined in SAPLoginTicketKeypair is bidj.

My situation is like this:

BI mandat client is 600 sid = bid.xx.net

login.ticket client is 000 sid = bidj

Also, I modified the entries in the service provider according to our proposal and set them in the ACL, but the BI Diagnostic and Support Desk Tool is proposing that we set entries for 000 bid.xx.net instead of bidj.

Any idea or advice?

-


But in both cases, I am prompted to enter the username and password to execute the BI query in the portal.

Regards

Anwer Waseem

Regards

JPReyes
Active Contributor
0 Kudos

Have you run RSPOR_SETUP on your BI system? (I can't remember if the procedure has changed.)

In any case check the BI certificate in the portal

http://help.sap.com/saphelp_nw04s/helpdata/en/fa/741a403233dd5fe10000000a155106/frameset.htm

Regards

Juan

p330068
Active Contributor
0 Kudos

Hi Anwer,

Are you using an FQDN (fully qualified domain name) for the portal? If not, update icm/host_name_full (go to RZ10 > Instance Profile -> Extended Maintenance with FQDN).

Verify your portal/BI backend certificates in http://<HOST>:<Port>/sso2

Also, check that the JCO (BI_MetaData and BI_ModelData) and SAP_BW system tests for the BI system are successful. Verify that the system SAP_BW is used in the SAP GUI system field.

Hope it helps

Regards

Arun

Former Member
0 Kudos

Hello Arun / Juan

Thanks for the continuous replies!

I have executed the SSO link; it is green there and I found two entries like this:

BID-600-bid.xx.netbid.xx.net--


OK

BID-000-bidj--


bidj--


OK

I have verified the certificate with the button below, "Check against issuing system" --> "By querying issuing system", then defined the settings for the verification; the message displayed was "SSO Certificate in trusted and accepting systems are identicial"

BID-600-bid.xx.netbid.xx.net--


OK

I can verify only on the ABAP side for the 000/600 clients but cannot verify on the Java side.

The error displayed for Java: "The system you entered does not match the selected trusted system; update is not possible"

BID-000-bidj--


bidj--


OK

Here, I can verify only the Java side, not the ABAP side.

The error displayed: "SSO Certificates on Trusted and Accepting System do not Match. To Update Certificate on Accepting System, Choose "Update""

Both parameters have the FQDN:

SAPLOCALHOSTFULL

icm/host_name_full

---Juan

Our PSE was created with CN=bid.xx.net, without the issuer and subject distinguished name; like CN=bid.xx.net, with key length 1024.

Please advise!

Regards

Anwer Waseem

Former Member
0 Kudos

Hello Arun and Juan

Please see the trace file, which was recorded for the security component at level 2 while executing the RFC connection to the portal; the connection was tested successfully, but the trace was generated with the strange message " create_AuthenticationAssertionTicket: "intended recipient" constraint missing ".

I am able to verify the ABAP connection of the portal; there is no prompt to enter a username and password to log in,

but from ABAP to the portal it prompts to enter a username and password.

N create_AuthenticationAssertionTicket was called.

N create_AuthenticationAssertionTicket: "intended recipient" constraint missing

N mySAPWrapTicket was called.

N Got Codepage 4103 for ticket creation.

N mySAP: Got the following SSF Params:

N DN =CN=bid.azcs.net, OU=I0020261506, OU=SAP Web AS, O=SAP Trust Community, C=DE

N EncrAlg =DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =K:\usr\sap\BID\DVEBMGS00\sec\SAPSYS.pse

N PAB =K:\usr\sap\BID\DVEBMGS00\sec\SAPSYS.pse

N login/create_sso2_ticket = 2 found. No certificates included in signature.

N Added client 600 and sysid BID to ticket contents.

N Added date 201005130902 to ticket contents.

N Got user ANWER for ticket creation.

N mySAPWrapTicket returns 0.

N dy_signi_ext: ticket created (612 chars)

N create_AuthenticationAssertionTicket was called.

N create_AuthenticationAssertionTicket: "intended recipient" constraint missing

N mySAPWrapTicket was called.

N Got Codepage 4103 for ticket creation.

N mySAP: Got the following SSF Params:

N DN =CN=bid.azcs.net, OU=I0020261506, OU=SAP Web AS, O=SAP Trust Community, C=DE

N EncrAlg =DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =K:\usr\sap\BID\DVEBMGS00\sec\SAPSYS.pse

N PAB =K:\usr\sap\BID\DVEBMGS00\sec\SAPSYS.pse

N login/create_sso2_ticket = 2 found. No certificates included in signature.

N Added client 600 and sysid BID to ticket contents.

N Added date 201005130902 to ticket contents.

N Got user ANWER for ticket creation.

N mySAPWrapTicket returns 0.

N dy_signi_ext: ticket created (608 chars)

N create_AuthenticationAssertionTicket was called.

N create_AuthenticationAssertionTicket: "intended recipient" constraint missing

Please advise!
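
As an added example (not part of the thread and not SAP code): a small Python check that reads the ticket-creation trace lines posted above and compares the issuing SID/client and signer DN with the trustedsys/trusteddn entries listed in the question. The DN normalization is an assumption, and hostnames are used as posted in the thread, where they are partly redacted.

```python
import re

# Constructed sample: trace lines copied from the post above ("N" line prefix).
TRACE = """\
N create_AuthenticationAssertionTicket: "intended recipient" constraint missing
N DN =CN=bid.azcs.net, OU=I0020261506, OU=SAP Web AS, O=SAP Trust Community, C=DE
N login/create_sso2_ticket = 2 found. No certificates included in signature.
N Added client 600 and sysid BID to ticket contents.
N dy_signi_ext: ticket created (612 chars)
"""

# Trust entries as posted in the question (trustedsys<n> / trusteddn<n>).
TRUSTED = {
    1: {"sys": "BID,600", "dn": "CN=bid.xx.net"},
    2: {"sys": "BID,000", "dn": "CN=bid.xx.net"},
    3: {"sys": "BID,002", "dn": "CN=bidj"},
}

def norm_dn(dn):
    # Assumption: compare DNs case-insensitively, ignoring spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_trace(text):
    """Extract signer DN, issuing SID/client, certificate flag and warning count."""
    info = {"dn": None, "sysid": None, "client": None,
            "cert_in_ticket": None, "warnings": 0}
    for line in text.splitlines():
        line = line[2:] if line.startswith("N ") else line
        if m := re.match(r"DN\s*=\s*(.+)", line):
            info["dn"] = m.group(1).strip()
        elif m := re.match(r"Added client (\d{3}) and sysid (\w{3}) to ticket", line):
            info["client"], info["sysid"] = m.group(1), m.group(2)
        elif m := re.match(r"login/create_sso2_ticket = (\d)", line):
            # Value 2 in the trace means the signer certificate is not embedded.
            info["cert_in_ticket"] = m.group(1) == "1"
        elif '"intended recipient" constraint missing' in line:
            info["warnings"] += 1
    return info

def check_trust(info, trusted):
    """Per trust index: does SID,client match, and does the signer DN match?"""
    issued = f'{info["sysid"]},{info["client"]}'
    return {idx: {"sys": e["sys"].replace(" ", "") == issued,
                  "dn": norm_dn(e["dn"]) == norm_dn(info["dn"] or "")}
            for idx, e in trusted.items()}

if __name__ == "__main__":
    ticket = parse_trace(TRACE)
    print(ticket)
    for idx, res in check_trust(ticket, TRUSTED).items():
        print(idx, res)
```

A `sys` match with a `dn` mismatch only says the two strings differ as written; it does not say which side needs to change.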

JPReyes
Active Contributor
0 Kudos

Try to reimport the portal certificate in the strustsso2 ACL.

Regards

Juan

p330068
Active Contributor
0 Kudos

Hi Anwer,

Please refer to this blog; it might help with creating assertion tickets:

/people/dennis.kleymeonov/blog/2005/09/15/connecting-sap-systems-to-enterprise-portal-with-sso

Hope it helps

Regards

Arun

manish_singh13
Active Contributor
0 Kudos

Hi Anwer,

Have you maintained profile parameter for creating/accepting SSO ticket?

Thanks,

Manish P Singh

Former Member
0 Kudos

Yes. It has been maintained!

manish_singh13
Active Contributor
0 Kudos

Hi Anwer,

Can you please check if the option Send SAP Logon Ticket is activated in the SM59 RFC which you have created for your BI Portal?

Thanks,

Manish P Singh

Former Member
0 Kudos

Hello

I have executed the Web Template installer for the configuration. The RFC has been tested and checked with SAP Logon Ticket.

All settings have been made by the template installer!

Regards

manish_singh13
Active Contributor
0 Kudos

Hi Anwer,

In the past I had also used the Template Installer, but saw that it's not perfect and had to complete many configurations manually.

Please also check the certificate validity using tcode SSO2.

Thanks,

Manish P Singh

Former Member
0 Kudos

The result has been green, even having the green status in the BI Diagnostic & Support Desk Tool result.

manish_singh13
Active Contributor
0 Kudos

Hi Anwer,

It is very strange that every config is fine and results are green but still SSO is not working.

Can you please open your Portal page and go to System Administration--->System Landscape-<SAP SYSTEM SID>

Here you can check all the config details for your ABAP Stack system. Kindly check those also please.

Thanks,

Manish P Singh

Former Member
0 Kudos

Hello Manish!

Thanks for sharing your knowledge!

I have logged on to our system portal and verified all the configuration; this configuration has been done by the template installer and I did not find any inconsistencies with the system. Also, I have verified the connection test; there are 3 types of connection, which executed successfully!

I did not find any strange problem!

Regards

manish_singh13
Active Contributor
0 Kudos

Hi Anwer,

It's really strange, because if everything is perfect then your SSO should also work.

Now, as it is not working, I still believe that there is something missing in the system; that's why I asked you to check those details.

One more check from my end, hope you won't mind doing that...

1. Check if the username which you are using for testing this exists in both the ABAP & Java stack. The username should be the same.

2. In UME -> Configuration -> Data Source: is it ABAP System or not?

3. In UME -> Configuration -> ABAP System: UserId (SAPJSF), Password, Client (Productive Client) should be maintained. You can also test the connection here.

Please check these and let us know.

Thanks,

Manish P Singh

Former Member
0 Kudos

Hello Manish

Thanks for the reply;

Datasource: UME Configuration has been set as ABAP Datasource "dataSourceConfiguration_abap.xml"

ABAP System: has been configured with the SAPJSF user ID pointed to the BI ABAP system and mandatory client. The test connection has been tested successfully.

User Mapping: has been set to the System Alias which has been configured in the System Landscape configuration; this is not the same as SAP_BW.

We are able to look at the details of users and role authorizations which are created on the ABAP side.

The SSO is perfectly working in the Bex Analyzer and WAD but cannot SSO through the SAP-GUI if you called in web query in SAP-GUI.

Regards

Anwer