Logon Ticket Generator on EP6 for .Net Connector Application

Former Member
0 Kudos

Hi All,

We have a .Net Application which needs to retrieve an SAP Logon Ticket for Single Sign On to the back-end R/3 (IBM AIX platform) for executing RFC for the application. We have a solution that works for EP 5.0 on the Microsoft platform (SAP Portal EP5) which allows us to get the Logon Ticket from EP5 via a server-to-server call. This does not need to have your application on the SAP Portal (iView etc.).

We created a UME Proxy file which calls the CreateTicket(userName) function from the Portal directory Common\TicketCreator.asp. This function uses the /irj/servlet/prt/prtroot/InitialLogonSupport.default?IntegrityToken= link to generate the ticket.

In EP6 the platform changed from Microsoft to Unix, and SAP WAS is also the Web server. How can I implement the same feature on EP6?

What will be the location of the TicketCreator function or the JSP/Servlet code which will generate the Logon Ticket? E.g.: /irj/servlet/prt/prtroot/InitialLogonSupport.default? or something similar to this in EP6

The UME Proxy code page on the SAP Portal server accepts the user name passed from the .Net Application server in the query string, after the user is already authenticated on the .Net Server.

This proxy page is secured only to a service account so no one uses this page to generate a Logon ticket.

SAP: 4.7 AIX Platform

EP5: MS Windows 2000 Platform

EP6: AIX Unix Platform (Migration process)

Any help to resolve this is greatly appreciated.

Regards,

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi,

We have a dot net application and we need to connect this dot net application to ECC. What are the possible ways to do it? We have XI in but they are not planning to make use of it.

Between SAP .Net Connector and Web services, what could be the best possible option to follow?

And if we use Web services, is it better to create web services for RFC-enabled function modules or BAPIs?

reiner_hille-doering
Active Contributor
0 Kudos

If I understood you correctly, you have a UNIX-based portal that authenticated you and want to use the authentication for a SAP .NET Connector based solution.

In fact this is terribly simple: You just need to take the cookie named "MYSAPSSO2", UrlDecode it and pass it to the connection string.

You can do more with the ticket, e.g. verify it, take the user name and so on. For this I have written an article and some code. It also mentions the integration with SAP .NET Connector.

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/enabling single sign-on for asp.net applications in enterprise portal 6.article

An alternative is this article:

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/unkown/java and .net code samples for sap logon ticket verification.pdf

If you need even more control on the ticket information transferred, this article could help.

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/using ume 40 in asp.net

But note that it is a much more complicated solution.

The last alternative is to use the .NET PDK.
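
The step described in this answer (take the MYSAPSSO2 cookie, URL-decode it, pass it in the connection string), as an added C# example that is not part of the original thread or of any SAP sample code. Assumptions: the connection string uses the RFC-style `KEY=value` form with a `MYSAPSSO2` key, and the host, system number, client and ticket value are constructed placeholders.

```csharp
using System;

// Added example: pull MYSAPSSO2 out of a Cookie header, URL-decode it and
// append it to an RFC-style connection string. The MYSAPSSO2= key and all
// sample values below are assumptions, not taken from the thread.
static class LogonTicket
{
    const string CookieName = "MYSAPSSO2";

    // Returns the URL-decoded ticket, or null when the cookie is absent or empty.
    public static string FromCookieHeader(string cookieHeader)
    {
        if (string.IsNullOrEmpty(cookieHeader)) return null;
        foreach (string part in cookieHeader.Split(';'))
        {
            string pair = part.Trim();
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            // Exact name match, so a cookie such as "XMYSAPSSO2" is not picked up.
            if (!string.Equals(pair.Substring(0, eq), CookieName, StringComparison.Ordinal)) continue;
            // UnescapeDataString decodes %XX only; it leaves a literal '+' alone.
            string ticket = Uri.UnescapeDataString(pair.Substring(eq + 1));
            return ticket.Length == 0 ? null : ticket;
        }
        return null;
    }

    // Refuses values that could smuggle extra parameters into the connection string.
    public static string BuildConnectionString(string baseParams, string ticket)
    {
        if (ticket == null) throw new ArgumentNullException("ticket");
        foreach (char c in ticket)
            if (char.IsWhiteSpace(c) || c == '"' || c == ';')
                throw new FormatException("Unexpected character in logon ticket");
        return baseParams + " " + CookieName + "=" + ticket;
    }

    static void Main()
    {
        // Constructed header; the ticket value is a placeholder, not a real ticket.
        string header = "JSESSIONID=abc123; MYSAPSSO2=TICKET%2FPLACEHOLDER%21; lang=en";
        string ticket = FromCookieHeader(header);
        string conn = BuildConnectionString("ASHOST=r3host.example SYSNR=00 CLIENT=100", ticket);
        // The ticket is a bearer credential: never write it to logs in clear.
        Console.WriteLine(conn.Replace(ticket, "<ticket redacted>"));
    }
}
```

The resulting string is what would be handed to the connector's connection object; anyone holding the decoded ticket can log on as that user until it expires, so it should stay in memory and out of logs, query strings and error pages.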

Former Member
0 Kudos

Hi Reiner,

These articles were very useful and have provided a lot of information for us. We reviewed both articles for our solution.

1. The user is authenticated by the .Net Application Server

2. We need to read the Logon ticket from the SAP Portal (EP6), which resides on the same domain

3. This is a server-to-server mechanism (.Net Server and SAP Portal server) to get the logon ticket on behalf of the end user client (already authenticated by the .Net application server)

This solution currently works for us on EP5. We wrote a proxy in ASP which resides in a virtual directory on the SAP Portal. This is actually similar to the way the SAP Portal creates the Logon ticket.

We want a similar approach to work on EP6 (platform is UNIX).

The .Net application will NOT reside on the SAP Portal and will not have a link via iView from the SAP Portal. The SAP Portal server is used only to get the Logon ticket, and the .Net Application will then continue using the Logon ticket to log in to R/3 and execute RFC for the .Net application. The .Net application is integrated with SAP R/3.



                 <========== SAME DOMAIN =============>
 -----           ----------               --------
| SAP |         |  .Net    |             |        |
| R/3 |<------->|  App     |<----------->|  SAP   |
 -----          |  Server  |  Get Logon  | Portal |
                 ----------   Ticket      --------
                      ^
                      |
                      V
                 -----------
                |  Client   |
                |  Browser  |
                 -----------

Since the client browser is not being authenticated by the SAP Portal, the Logon ticket needs to be retrieved by a custom proxy running on the SAP Portal on behalf of the authenticated user (a service account is used to log in to the SAP Portal with appropriate rights).

Here is part of the code for the custom UME Proxy which needs to be ported to EP6.

I would like to know what the location of /irj/servlet/prt/prtroot/InitialLogonSupport.default?IntegrityToken= is in EP 6, or is it something different?


Function CreateTicket(userName)
	
	dim url, encoder, timeStamp, retVal, protocol, port, javaSecuredPortNumber
	
	on error resume next
			
	set encoder = Application("Locator").NamedComponent("HyRelEncoder")
	timeStamp = Server.URLEncode(encoder.TimeStamp(userName))
	set encoder = Nothing
	
	javaSecuredPortNumber = GetTagParser().ProjectVariables("JAVASecurePortNumber")
	if Request.ServerVariables("SERVER_PORT_SECURE") = "0" or javaSecuredPortNumber = "0" then
		protocol = "http://localhost:"
		port = GetTagParser().ProjectVariables("JAVAPortNumber")
	else
		protocol = "https://" & Request.ServerVariables("SERVER_NAME") & ":"
		port = javaSecuredPortNumber
	end if	
	
	url = protocol & port	
	if (UCase(Left(url,4)) <> "HTTP") then
		call PrintError("Failed to initialize parser. Error : " & url, false)
		Response.End
	end if
	
	url = url & "/irj/servlet/prt/prtroot/InitialLogonSupport.default?IntegrityToken=" & timeStamp & "&URL="

	set req = server.CreateObject(GetXMLProgID("serverXMLHTTP"))
	retVal = ReportError("Failed to create MSXML object.")
	if retVal <> "" then
		CreateTicket = retVal
		exit function
	end if
		
	req.open "GET", url, false
	retVal = ReportError("Failed to open the URL : " & url & ".")
	if retVal <> "" then
		CreateTicket = retVal
		exit function
	end if

	req.setRequestHeader "APPLICATIONUSER", userName
	retVal = ReportError("Failed to set request header (APPLICATION_USER).")
	if retVal <> "" then
		CreateTicket = retVal
		exit function
	end if
		
	if Request.ServerVariables("AUTH_TYPE") = "Basic" then
		
		req.setRequestHeader "Authorization", Request.ServerVariables("HTTP_Authorization")
		retVal = ReportError("Failed to set request header (Authorization).")
		if retVal <> "" then
			CreateTicket = retVal
			exit function
		end if
		
	end if
		

	req.send
	retVal = ReportError("Failed to send the URL : " & url & ".")
	if retVal <> "" then
		CreateTicket = retVal
		exit function
	end if

	if req.status = 200 then					
	
		dim cookie, attributes, startIndex, responseHeaders, temp, firstCookie
		
		firstCookie = req.getResponseHeader("Set-Cookie")
		if (Mid(firstCookie, 1, Len("MYSAPSSO2")) <> "MYSAPSSO2") then
		
			startIndex = 1
			temp = 1			
			responseHeaders = req.getAllResponseHeaders()
						
			while (temp <> 0 and temp >= startIndex)
				startIndex = temp
				temp = InStr(startIndex, responseHeaders, Chr(13) + Chr(10)) + 2
				if (Mid(responseHeaders, startIndex, Len("Set-Cookie")) = "Set-Cookie") then
					if (Mid(responseHeaders, startIndex + Len("Set-Cookie: "), Len("MYSAPSSO2")) = "MYSAPSSO2") then
						temp = 0
					end if
				end if
			wend
						
			endOfTicket = InStr(startIndex + Len("Set-Cookie: MYSAPSSO2="), responseHeaders, "Expire") - startIndex - Len("Set-Cookie: MYSAPSSO2=") -2 
			cookie = TCPDecode(Mid(responseHeaders, startIndex + Len("Set-Cookie: MYSAPSSO2="), endOfTicket))
		else
			cookie = TCPDecode(Mid(firstCookie, Len("MYSAPSSO2=")+1))
		end if
		
		if cookie = "" or (temp <= startIndex and temp <> 0) then
			CreateTicket = "Failed to create SSO cookie."
			exit function
		end if
						
		attributes = split(cookie, ";")
		Response.Cookies("MYSAPSSO2") = attributes(0)	
		serverName = Request.ServerVariables("SERVER_NAME")
		domain = Mid(serverName, InStr(serverName, ".") + 1)
		if ( serverName <> domain ) then
			dim useIPlanetGateway
			useIPlanetGateway = Application("UMRegHelper").GetRegEntry(Application("ProjectName"), "Use  iPlanet Gateway")
			if ( useIPlanetGateway="true") then				
				domain = "." & domain																			
			end if
		
			call Execute("Response.Cookies(""MYSAPSSO2"").domain="""&domain&"""")
		end if
					
		for i = 1 to UBound(attributes)
			attribValue = split(attributes(i), "=")
			if StrComp(Trim(attribValue(0)), "secure", vbTextCompare) = 0 then
				' Support for secure cookies
				call Execute("Response.Cookies(""MYSAPSSO2"").Secure=""true""")
			else
				if StrComp(Trim(attribValue(0)), "domain", vbTextCompare) <> 0 then
					if UBound(attribValue) > 0 then
						call Execute("Response.Cookies(""MYSAPSSO2"")."&attribValue(0)&"="""&attribValue(1)&"""")
					end if
				end if
			end if					
		next
		retVal = "Done!"
	else
		'TO DO: handle error
		retVal = "Failed to create SSO ticket. <BR>"				
		retVal = retVal + "HTTP Status : " & req.status & "<BR>"
		retVal = retVal + "HTTP Response : <BR>"
		retVal = retVal + req.responseText
	end if
	set req = nothing

	CreateTicket = retVal
end function

reiner_hille-doering
Active Contributor
0 Kudos

I think I got your points, even if I didn't fully understand the solution.

The main issues are as follows:

- You want to have a MYSAPSSO2 ticket.

- Anyone that could give it to you needs of course a proof of authentication.

- Usually the Portal is the "main instance". It can either authenticate by username/password or by an NT user (via IISProxy). In both cases the portal would create a MYSAPSSO2 ticket.

- If your user is authenticated by NT or you have his/her password, you can redirect to the portal to get the ticket.

- If you (from the .NET side) cannot prove the user's identity, the portal would never give you a MYSAPSSO2 ticket.

There are other ways of SSO for .NET Connector, e.g. trusted SNC with external User ID, but they are not easy to configure.

Former Member
0 Kudos

Thank you for your response.

- Yes, the .Net application would request the Logon ticket for an NT-authenticated user.

- The proxy in EP5 is currently running in IIS under a service account ID. How can I have the same proxy running in EP6, with this instance on a Unix platform with a J2EE Web server?

- What servlet/Java code can be called to generate the MYSAPSSO2 cookie in EP6? In EP5 it calls: /irj/servlet/prt/prtroot/InitialLogonSupport.default

I would like to write a function similar to the one I mentioned in my earlier post to generate the cookie.

Thank you,

reiner_hille-doering
Active Contributor
0 Kudos

If you just want to have an NT-authenticated user being authenticated as a portal user, you don't need to write code. Just use the IISProxy ISAPI module.