
Windows NTLM Authentication on SAP 4.6c (Platform AIX)

Former Member
0 Kudos

I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.

My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)

I need to implement single sign on for SAP integrated application.

As per the NCo documentation, I need to set up a trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send the Active Directory ID as the external ID in the connection string. All transactions should run in the external user ID context.

Can someone help me with the following questions?

1. Does NTLM trust relationship / authentication work on SAP running on AIX? Or do I have to set up Kerberos authentication?

2. What SNC library is needed for SAP (AIX instance)?

3. How can I configure NTLM authentication on SAP (AIX instance)? The NCo 2.0 documents only explain SAP (MS instance) configuration.

What option do I have to get Single Sign On working?

Any help is highly appreciated.

Regards and Thank you in advance.

Accepted Solutions (0)

Answers (1)

reiner_hille-doering
Active Contributor
0 Kudos

> 1. Does NTLM trust relationship / authentication work on SAP running on AIX? Or do I have to set up Kerberos authentication?

You can use any SNC provider to establish the trusted connection, e.g. Secude. You can also use Kerberos, which is the easiest way on the NT/IIS side (use gsskerb5.dll), but might complicate it on AIX. Using another SNC might make it complicated on NT/IIS, because you need to authenticate the IUSR_SAPPOOL user somehow automatically on your SNC provider.

> 2. What SNC library is needed for SAP (AIX instance)?

Depends on the SNC provider you choose.

> 3. How can I configure NTLM authentication on SAP (AIX instance)? The NCo 2.0 documents only explain SAP (MS instance) configuration.

AIX would not authenticate the user. The user is authenticated by IIS. Then the user ID is just transferred to AIX. The AIX server needs to believe that IIS did authenticate him correctly. Therefore this is called "trusted connection".

Former Member
0 Kudos

Hi Reiner,

Thank you very much for response, this is helpful information.

My options are pretty much limited,

I can't use NTLM since, AIX will not accept trust

-- NTLM Auth will not work with AIX

-- Kerberos auth has to have a third-party tool like CyberSafe for the SNC trust relationship.

I am planning to try using SSO as mentioned in "Enabling Single Sign-On for ASP.NET Applications in Enterprise Portal 6".

Does this approach work with EP 5.0?

If any one has "sapsecu.dll" please send me at prashantkurane@yahoo.com with same size as stated in this document.

My SSO ticket did not get created after following the steps in the document. I am suspecting either sapsecu.dll or verify.pse is wrong?

Any help will be really appreciated.

Thank you in advance.

Regards,

-Prashant

reiner_hille-doering
Active Contributor
0 Kudos

> Hi Reiner,
> Thank you very much for response, this is helpful information.

If you consider an answer as helpful, please mark it with the button on the left side :-).

> My options are pretty much limited,
> I can't use NTLM since, AIX will not accept trust
> -- NTLM Auth will not work with AIX
> -- Kerberos auth has to have a third-party tool like CyberSafe for the SNC trust relationship.

As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.

> I am planning to try using SSO as mentioned in "Enabling Single Sign-On for ASP.NET Applications in Enterprise Portal 6".
> Does this approach work with EP 5.0?

This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely differently. E.g. you don't need a trusted connection for SSO with MYSAPSSO2 ticket.

> If any one has "sapsecu.dll" please send me at prashantkurane@yahoo.com with same size as stated in this document.

This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsidiary.

> My SSO ticket did not get created after following the steps in the document. I am suspecting either sapsecu.dll or verify.pse is wrong?

Did you find a MYSAPSSO2 cookie in the request?

Former Member
0 Kudos

Hi Reiner,

It seems I am exhausting this option as well, and I need to get this working...

My Web Server reports that MYSAPSSO2 cookie is not found, that means it's not receiving any cookie from EP server.

1. Both my Enterprise Server and IIS Web server are in the same domain (I can log in or authenticate to both servers using my domain ID).

2. My verify.PSE file seems correct since I copied it from EP 5.0 server.(\SAP_J2EEngine6.20\alone\services\servlet_jsp\work\jspTemp\irj\root\WEB-INF\plugins\portal\services\usermanagement\data)

3. I used SAPSECU.DLL from same server (5.4.24.0) 1093632 bytes.

4. My Web settings and Config seem right: the web application lets me log in by domain ID, my authentication type is Windows and authentication is set to override, which means IIS should get the cookie from EP for the client browser.

I am suspecting that IIS is not requesting the client cookie from EP once it authenticates!! That may be because there is no PortalURL to go to or it is unable to read from verify.pse, I am not sure here...

anyway any pointer on this one will be really helpful, I am hoping that this SSO mechanism will work.

Thank you,

Regards,

-Prashant

reiner_hille-doering
Active Contributor
0 Kudos

If your ASP.NET app doesn't receive the MYSAPSSO2 ticket, it's usually caused by the fact that your portal and your IIS are not running in the same DNS domain, not NT domain. Cookies are assigned to a DNS domain, e.g. if your portal has DNS name myportal.it.mycompany.com, your IIS should have e.g. asp.it.mycompany.com. Note that it's even critical what the user enters as URL in the browser, e.g. if the portal can also be reached by different names and DNS domains. It's sometimes necessary to create an entry in the "hosts" file to ensure that both machines appear in the same DNS domain.

BTW: If you only want to connect with SAP .NET Connector, you don't have to care about SAPSECU, verify.pse and so on. Once you have the cookie, just assign it to the connection string:

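```csharp
SAP.Connector.Destination dest = new SAP.Connector.Destination();
// set other properties here
// The cookie is absent when the browser did not send it (e.g. wrong DNS domain)
HttpCookie ticket = this.Request.Cookies["MYSAPSSO2"];
if (ticket != null)
    dest.MySAP_SSO2 = HttpUtility.UrlDecode(ticket.Value);
```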
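The DNS-domain point in the answer above, as an added example that is not part of the original post: a small console program that applies the RFC 6265 domain-match rule to decide whether a browser would send the MYSAPSSO2 cookie to a given IIS host name. The cookie domain `.it.mycompany.com` and every host except the two named in the answer are constructed assumptions; the domain a real portal sets on the ticket cookie depends on its configuration.

```csharp
using System;
using System.Net;

// Added illustration (not SAP or NCo code): would the browser send the
// portal's ticket cookie to the host name the user typed for the IIS app?
static class SsoCookieScope
{
    // RFC 6265, section 5.1.3: a host matches a cookie domain if the two are
    // identical, or if the host ends with "." + domain and is not an IP address.
    public static bool DomainMatches(string requestHost, string cookieDomain)
    {
        string host = requestHost.Trim().TrimEnd('.').ToLowerInvariant();
        string domain = cookieDomain.Trim().Trim('.').ToLowerInvariant();
        if (host.Length == 0 || domain.Length == 0) return false;
        if (host == domain) return true;

        IPAddress ip;
        if (IPAddress.TryParse(host, out ip)) return false; // no suffix match for IPs

        return host.EndsWith("." + domain, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Assumption: the portal issues MYSAPSSO2 scoped to this DNS domain.
        string cookieDomain = ".it.mycompany.com";

        // Constructed host names as a user might type them for the IIS application.
        string[] iisHosts =
        {
            "asp.it.mycompany.com",     // same DNS domain as the portal
            "asp",                      // short NetBIOS-style name, no DNS suffix
            "asp.sales.mycompany.com",  // same NT domain perhaps, other DNS domain
            "10.0.0.5"                  // IP address typed in the URL
        };

        foreach (string host in iisHosts)
        {
            bool sent = DomainMatches(host, cookieDomain);
            Console.WriteLine("{0,-26} -> {1}", host,
                sent ? "browser sends MYSAPSSO2" : "cookie withheld, Request.Cookies has no ticket");
        }
    }
}
```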

Former Member
0 Kudos

Hi,

I was able to get a logon ticket from SAP Portal, which resides on a different server but in the same domain. The logon ticket allows me to connect to SAP using the .Net Connector proxy. This is just an intermediate solution, we do not want to have a dependency on SAP Portal for the logon ticket. I wish SAP had a logon ticket server just to serve logon tickets.

I will still continue to work on getting direct single sign on working between .Net Connector and SAP.

Thank you for your help to figure out way to single sign on, really appreciate your efforts.

-Prashant