Former Member

Is principal propagation possible for .net->SOAP->PI->XI(ABAP Proxy)->ECC ?

Hello Experts,

I have a sync scenario as :

.Net client -> SOAP -> PI -> XI(ABAP Proxy) -> ECC where functionalities from ECC are exposed as Webservices via PI and consumed by .net client.

For this solution we expect to have SSO enabled along with Principal propagation (PP) end to end.

1. How can we achieve PP for this scenario?

For SSO from .net client to PI we have configured SPNego which uses Kerberos Authentication. This part is working fine when we use a static USER on the RFC destination of type H for the XI adapter to call the proxy. But when I am trying to configure PP on this part (PI to ECC) it fails with error UnAuthorised 401?

2. Has anyone tried this kind of scenario and got it working? Or if anyone knows how this can be implemented successfully?

3. Or is there any way using which I can use an RFC destination of Type T for calling a proxy, as type T RFC destinations have a direct option to use SAP logon tickets which I am getting from SPNego?

I could find many blogs/threads on SDN regarding Principal propagation, but most of them are quite old (around 2005 - 2007) or they refer to threads which contradict each other. I believe that SAP has improvised over time and it should be possible to achieve this in one way or other?

Any inputs in answer to above questions/concerns will be very helpful.

Kind Regards,

Abhijeet.


2 Answers

  • Former Member
    Nov 26, 2011 at 09:49 AM

    Hi,

    I don't know about your detailed flow, but according to page 4 of this [document (2007)|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59], yes, PP is supported by the SOAP and XI adapters.

    I also had this: [PI71- Principal Propagation Using Logon Tickets -2009.03|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/50d07121-07a5-2c10-5280-a081de9b851c].

    Advice: check your PI version and the OSS notes, because there are some...

    regards

    Mickael


    • Former Member

      Hi Mickael,

      I have already gone through these docs. All documents are referring to SAP sender system & RFC adapters where one can use "T type" RFC destinations.

      I have configured the steps needed for PP, but the PI system logs in with PIAFUSER onto the backend SAP system (ECC) using ABAP proxy instead of the actual user.

      I have made one change to my scenario: I am using a type G destination now, which has the option to use SAP logon tickets. With this, logon to the backend SAP system is working with SAP logon tickets, but it uses "PIAFUSER" as the user to log on.

      Any hints - what could be the reason for this?

      Kind Regards,

      Abhijeet.

  • Former Member
    Jul 07, 2015 at 04:51 PM

    Hi,

    Were you able to flow your user through the entire process, not just PIAFUSER?

    Thanks!
