How to block the multiple logons with NWBC?

BlaiseF · ‎08-01-2011

Hello,

With Sapgui we have the possibility to prevent the multiple dialog logon by profile parameters (login/disable_multi_gui_login).

How to prevent the multiple dialog logon using NWBC to the same system?

Best regards

Frédéric Blaise

e-Kenz S.A.

Luxembourg

Former Member · ‎08-01-2011

Hi Frederic,

Due to technical reasons this is not possible. The portal has no control over the user session. In fact the server does never know whether the user is still working, if a user closes the session directly.

You may need to look at your own custom development mechanisms.

Regards,

Raghu

mvoros · ‎08-01-2011

Hi Raghu,

I agree that it's not technically possible but I don't agree with your explanation. You can connect directly to any ABAP AS, you don't have to have portal. This connection is done over HTTP (you need to activate some services in SICF to be able to connect directly using NWBC). HTTP protocol is stateless so it's really hard to figure out to which session a coming request belongs .

Cheers

BlaiseF · ‎08-02-2011

Hello,

Normally Sap does not accept the multiple connections on the production system for licence agreement.

How does it take place with NWBC if we cannot block the multiple connections?

Best regards

Frédéric Blaise

e-Kenz S.A.

Luxembourg

WolfgangJanzen · ‎01-13-2016

Times have changed - now it's possible.
See SAP Note 2105302 ("Multiple logon check based on security sessions for HTTP/HTTPS login into an ABAP system").

Corrections are available for ABAP systems with SAP_BASIS component 7.02, 7.30, 7.31 and 7.40.

Kind regards,

Wolfgang

Former Member · ‎12-11-2013

Hello,

Has SAP devised a way to disable multiple login via NWBC yet? I could only find this post with regards to this issue.

Best Regards,

Shilpa

BlaiseF · ‎12-11-2013

Hello,

I opened a ticket at Sap but unfortunately they do not have a solution even if the problem is known.

"Unfortunately, due the HTTP protocol nature, is not possible to force a single logon via web browser. The profile parameter login/disable_multi_gui_login is solely valid for SAPGUI logons."

"Since this case is known since the Web Application Server was created, I am pretty convinced that SAP knows about the fact that multiple logons cannot be blocked (you can only give a warning for the user)."

Since we monitor multiple connections with the SM04 transaction and notify customers that they may be controlled by Sap.

Best regards

Frédéric

Former Member · ‎12-11-2013

If multiple logins from different terminals is the problem, then you can deactivate the password based authentication and use SSO instead. That normally sorts it out and the "clones" come asking for their own IDs / AD accounts / PKI certs / etc.

Cheers,

Julius

Former Member · ‎12-12-2013

Thanks Frederic for the update. But isnt it a tedious task to monitor SM04 continuously and the users can login at any time which makes this very inconvenient.

Former Member · ‎12-12-2013

Hi Frederic,

for Protocol reasons it is not feasible to check for a single login (which is your intended behaviour I guess). Reason here is, that for SAP-GUI we have a permanet TCP connection. The Protocol itself gives us a clear statement, there is a new login coming (someone launching the SAP-GUI to connect to the backend instead of for instance just opening a new mode).

This features is not part of the HTTP protocol. There just opening a new window for an already existing session will lead to same execution flow as a direct acccess from a new window on the protocol layer. In fact even the IP can change in HTTP without the app loosing the connection (you may try it in bigger WLANs, moving from one section to an other if the IP changes the SAP-GUI wil break but the HTTP session will stay). So just checking the IP is not feasible either without breaking one of the main features of the HTTP protocol.

If you could provide more info on the use case, there may be some other option to avoid the issue you are facing.

regards,

Patrick