Confused About BOBJ Client SNC

Former Member
0 Kudos

All,

I have been doing a lot of reading on SDN and Ingo's blog on setting up client SNC for LiveOffice on Crystal Reports based on SAP BEx queries as well as for Advanced Analysis for Excel. We do not have SAP Gui Client SNC/SSO using gssapi currently set up.

I need to understand how users can refresh the Crystal Reports via Live Office without logging in twice, one for BOE and one for SAP, and the same for Advanced Analysis. From my research, if I am correct, the first logon to BOE via WinAD can be avoided if we set up Kerberos SSO and set principal names on the service account running the SIA.

My understanding is also that if we require to avoid the second logon for SAP BW we need to implement client SNC. For that I have done the RZ10 profile parameter changes as well as the transfer of certificates from BOBJ and SAP system.

However, it's not working. In SAP authentication in CMC using the service account and its password (which is also running SIA since we need it for WinAD SSO) we can run Webi reports using SSO in Universe. However, when we turn on SNC it's showing an error.

I have my doubts on all the places where the SNC name needs to be provided and in which format. I have used:

SIA Account = DOMAIN/service_account

SAP SNC0 tcode = p:DOMAIN/service_account

library path = C:\Program Files\SAP\Crypto\sapcrypto.dll

SNC name of SAP system = p: CN= SSL client SSL Client (Standard), OU=I0020254816, OU=SAP Web AS, O=SAP Trust Community, C=DE (taken from STRUST of SAP)

SNC Name of Enterprise System: : CN=, OU<domain>, OU=<domain>, OU=COM, O=BOBJ

su01 for service account, snc name = p:DOMAIN/service_account

RZ10 parameters:

snc/gssapi_lib = gssapi32.dll

snc/identity/as = sidadm@ domain.com (help.sap.com says to use krb.dll with SAPService<sid>@ domain.com)

snc/accept_insecure_rfc = 1

snc/accept_insecure_r3int_rfc = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_cpic = 1

snc/permit_insecure_start = 1

snc/data_protection/min = 1

snc/data_protection/max = 3

There is no end-to-end documentation for a complete password-less logon scenario BOBJ 4.0 + SAP in the admin guide, so I am trying to connect the dots.

Any help is appreciated.
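
An added example, not part of the original post and not SAP's own tooling: a small audit of the RZ10 values quoted above, reporting which of them let the application server accept connections without SNC protection and what quality-of-protection floor applies. The sample profile is constructed from the values in the post; the function names are illustrative.

```python
import re

# Constructed sample: the SNC profile parameters quoted in the post above.
PROFILE = """\
snc/gssapi_lib = gssapi32.dll
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
"""

# SNC quality-of-protection levels used by snc/data_protection/*.
QOP = {"1": "authentication only", "2": "integrity", "3": "privacy (encryption)"}
INSECURE = re.compile(r"snc/(accept_insecure_\w+|permit_insecure_start)$")

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^([\w/]+)\s*=\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_snc(params):
    """List (parameter, reason) pairs for settings that weaken SNC enforcement."""
    findings = []
    for name, value in sorted(params.items()):
        if INSECURE.match(name):
            if value == "1":
                findings.append((name, "allows communication without SNC protection"))
            elif value.upper() == "U":
                findings.append((name, "non-SNC logon decided per user"))
    floor = params.get("snc/data_protection/min")
    if floor in ("1", "2"):
        findings.append(("snc/data_protection/min",
                         f"minimum protection is {QOP[floor]}, not encryption"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_snc(parse_profile(PROFILE)):
        print(f"{name}: {reason}")
```

Permissive values like these are common while SNC is being rolled out; the audit shows what remains to be tightened once every client can log on with SNC.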

Accepted Solutions (1)

IngoH
Active Contributor
0 Kudos

Hi,

First of all, for which version is this? XI 3.1 or BI 4?

other comments

-


I need to understand how users can refresh the Crystal Reports via Live Office without logging in twice, one for BOE and one for SAP, and the same for Advanced Analysis. From my research, if I am correct, the first logon to BOE via WinAD can be avoided if we set up Kerberos SSO and set principal names on the service account running the SIA.

-


Ingo: in case you want to combine Windows AD with SAP, then you need to configure both authentications and you will have to set up either SNC Server Side trust using the proper libraries or, in BI 4, you will have to configure the SSO Token Service.

-


My understanding is also that if we require to avoid the second logon for SAP BW we need to implement client SNC. For that I have done the RZ10 profile parameter changes as well as the transfer of certificates from BOBJ and SAP system.

-


Ingo : That depends on the actual workflow.

-


However, it's not working. In SAP authentication in CMC using the service account and its password (which is also running SIA since we need it for WinAD SSO) we can run Webi reports using SSO in Universe. However, when we turn on SNC it's showing an error.

-


Ingo : which is most likely based on a wrong configuration.

I would suggest you first of all outline what workflows you are trying to realize and we can then look into the details.

Ingo

Former Member
0 Kudos

Thank you Ingo and Roberto. I wasn't tracking the thread, so sorry for the late reply.

A few updates since my last post. We have changed the dll on SAP BW to gx64krb5.dll and defined the snc/identity/as RZ10 parameter to SAPService<sid>. As well, we have mapped the user running the SAP BW app server to the snc name using setspn. This has enabled us to use SSO from SAPGui to SAP BW as well as in Advanced Analysis and the Crystal Reports Designer toolbar.

Now we are on BI 4.0 SP02 level 7. The requirement is simple, i.e. complete password-less logon for all tools. That is:

1) Crystal Report refresh in Launch Pad without logon pop-up to backend SAP BW system

Question: I think this requires Server Side SNC, but can it be achieved using gx64krb5.dll that we are using for passwordless logon to SAP BW via SAPGui, or do we need to use sapcrypto.dll? Can both be achieved using sapcrypto.dll?

2) Advanced Analysis SSO to BOE Platform as well as Single Sign On to SAP BW platform. Actually, the second part of it is already achieved using the GSS-API library, i.e. gx64krb5.dll, with SAP BW servers as explained above.

Question: Is this what you were referring to as SAP SSO Token? The question still remains how we SSO to BOE Platform.

3) Live Office SSO to BOE Platform as well as Single Sign On to SAP BW Platform (For both Webi and Crystal Reports).

I tried to put the Web Service URL, System and Authentication (Win AD) in the Application Options, Enterprise tab, but when I turn on the "Enable Windows Active Directory Single Sign On" I get error LO 02040 Active Directory failed to log you in, please make sure that you are member of default domain.

Question:

I am not sure why it doesn't work, since SSO to BI Launch Pad using Windows AD using Kerberos is working.

The second part is of course the SSO for Crystal and Webi Document on SAP BW.

Question:

Do we need to use the Client SNC scenario or the Server SNC scenario for Crystal Live Office? The Webi SSO to SAP, I think we can figure out, since I know we don't need SNC for that.

4) Lastly is the SSO to BI Launch pad using Win AD. This is working.

So far I raised an OSS message with SAP since I am getting error "incomplete logon details" in the Role Import tab if I provide the snc name for the entitlement SAP user.

Thanks

Raj

Former Member
0 Kudos

I wanted to provide an update. It turns out that the reason the Client SNC was not working is because in SNC0 tcode in our SAP BW system I had checked the option "Entry for RFC Activated". Apparently we should not set that setting for Client SNC but must set it for Server SNC. Which means we need to have two different service accounts, one running Adaptive Processing and Webi Processing Servers and another running the Tomcat and CMS, according to OSS note/KB 1342435, and then set the SNC0 options separately for the service accounts.

To make matters worse, SAP Support doesn't provide support for any other crypto library other than sapcrypto.dll, which by the way doesn't support Client SNC.

I am sure others have tried to implement Client and Server SNC to SAP BW without having to create multiple SIA running on multiple service accounts but using the Kerberos GSS API dll library file. We are using gx64krb5.dll and are on BI 4.0 SP02. Please help....

IngoH
Active Contributor
0 Kudos

Hi Raj,

sorry to disagree here but you have a couple of facts wrong.

- in XI 3.1 there is a way to have client side SNC and server side SNC configured.

- SAP - as part of an SAP backend - is shipping SAP Crypto Lib which is designed and licensed for Server Side SNC (not client side SNC)

- in case you would like to do server side SNC and client side SNC there are lots of partners out there offering the necessary software as SNC is a "certification"

- in BI 4 you can use server side SNC for the "legacy" scenarios like running a XI 3.1 OLAP Universe in a BI 4 environment

- in BI 4 you can use the SSO Token Service to achieve client and server side SNC workflows

... and all the items related to BI 4 are in the product installation documentation

regards

Ingo Hilgefort

Answers (1)

Former Member
0 Kudos

Hi Raj,

it looks to me like you're trying to implement Client SNC through SAP Crypto Library. But SAP Crypto Library only supports Server Side Trust, not Client Side.

Kind regards.

Roberto.

Edited by: Roberto G. on Nov 11, 2011 6:06 PM