Single sign on - SAPGUI - RHEL 6 - ABAP AS

Former Member
0 Kudos

Hi,

We have a requirement to configure Single sign-on between SAPGUI / NWBC and SAP ERP 6 EHP 6 with Best practices system running on RHEL 6 OS using Windows active directory authentication.

Client is interested to use SAP products to achieve the same. I have gone through a lot of documents on SAP Netweaver single sign-on and I am confused about exactly which option of SAP Netweaver single sign-on is to be used.

Please share any configuration document for the same.

Regards,

Nalla

Accepted Solutions (1)

Kaempfer
Advisor
0 Kudos

Hi Nalla,

are you using SAP NWBC and SAPGUI or only SAP GUI for Windows on the client side? Is there only 1 SAP system or do you have a large system landscape?

Regards

Matthias

Former Member
0 Kudos

Dear Matthias,

We are in the plan of using NWBC and SAPGUI in client side. Currently we have SAP ERP 6 EHP6 (DEV,QA,PRD), SAP BW (DEV,QA,PRD) and Solution manager 7.1 system.

We want to connect all system using SSO. But currently user count is only 50 to 100 users.

Portal and other products will be added to the landscape later.

Can you please share any link or documentation and which feature of SAP NW Single sign-on product is required for our implementation.

As I said our SAP systems are on RHEL 6.

Regards,

Nalla

Kaempfer
Advisor
0 Kudos

Hi Nalla,

you find the official documentation of the product SAP NW SSO here: http://help.sap.com/nwsso10

If you use only SAP GUI for Windows you can start to implement the following components:

Secure Login Client -> on the PC

Secure Login Library-> on the SAP system

--> configure the integration with MS AD Kerberos

SAP NWBC is special. It includes Web UI and SAP UI technology. So SSO is more complex. I recommend to use the certificate out of the box version (so no external full blown PKI required)

Secure Login Client -> on the PC

Secure Login Library-> on the SAP system

Secure Login Server -> small additional Java component. This component automatically provides certificates to the client and you can integrate the MS AD authentication

--> configuration of MS AD Kerberos and Secure Login Server

--> configuration of the back end system to accept certificates for authentication

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4e/125e0a1e3d2287e10000000a15822b/content.htm

--> this deployment option offers you later to integrate many other components (SAP Portal, direct access to SAP NetWeaver Web Dynpro ABAP/Java, non-SAP systems)

With the next version of SAP NW SSO there will be a new option for SSO and NWBC. But this will not help you now.

SAP NW SSO is a separate product. There are also SSO capabilities in the SAP NW platform available (SAP Logon Tickets). But an integration with MS AD is only possible with SPNego for Java --> if a user wants to access an ABAP system directly, this is not working.

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/d0/dc33c460a243929b7ec120f55af101/content.htm

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm

General information on authentication SAP NW ABAP:

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/99/8814a32d89405484ba08b4ea033718/content.htm

Regards

Matthias

Former Member
0 Kudos

Dear Matthias,

Thanks for your detailed reply. I have one small query. Currently I have completed the below setup.

1. Installed Secure login library on SAP App server running on Linux OS.

2. Installed SNC Client encryption with SAP GUI on front end PC.

3. Configured the Secure login library - For windows Kerberos as mentioned in the Secure login library Installation guide in SAP App server running on Linux OS.

4. Also created Service principal name in Windows AD and integrated it.

5. If I enable SNC in SAPGUI, it is working and prompting user / password to login.

So now to enable SSO, if I just install Secure login client tool in my PC, will it work ? Or I need to do any additional steps. This is for SAP GUI.

Regards,

Nalla

Kaempfer
Advisor
0 Kudos

This scenario works only for SAP GUI for Windows (Kerberos Version). You did not install Secure Login Server for the certificates. So if you install now Secure Login Client, SSO will work for SAP GUI for Windows - not for NWBC!

Keep in mind:

Profile parameter for the SAP system -> docu secure login library (system restart)

User mapping -> docu secure login client

Configure SAP GUI -> add a new system entry and maintain SNC options -> docu secure login client

Regards

Matthias

Former Member
0 Kudos

Dear Matthias,

I have done all steps as per the document link provided by you. But I am getting the attached error.

I even followed the note 1635019. But no luck. Have you faced any issue like this.

Regards,

Nalla

Kaempfer
Advisor
0 Kudos

check secure login client documentation.

--> 3 Secure Login Client Console

Do you see your client kerberos token? Click on the blue hook on your Windows task bar.

If this is ok - I would guess that you didn't configure the principal service name in the right way (--> secure login library).

If you need more technical help, I have to point you to our service guys 😞 I am not an expert on troubleshooting. They will help you!

Component: BC-IAM-SL

Matthias

Former Member
0 Kudos

Dear Matthias,

Thanks for your reply. Can you share any document on how should I maintain the user mapping in the SAP system.

My user in SAP system is basis and windows domain name is

companyname-basis@<OURDOMAIN>.LOCAL.

Service principal created by us is SAP/KerberosBID and user name is KerberosBID in domain.

I have successfully created the Certificate in SAP system as per the secure login library Installation / Configuration guide.

In SU01, I have maintained the SNC name as p:CN=companyname-basis@<OURDOMAIN>.LOCAL for the user basis.

I logged on to windows system as companyname-basis@<OURDOMAIN>.LOCAL. I have configured the SNC name in SAPGUI as p:CN=SAP/KerberosBID@<OURDOMAIN>.LOCAL.

Can you confirm whether the SNC name maintained by us in SU01 and SAP GUI is correct.

Regards,

Nalla

Kaempfer
Advisor
0 Kudos

My user in SAP system is basis and windows domain name is

companyname-basis@<OURDOMAIN>.LOCAL

Your configuration is right for the Kerberos scenario without Secure Login Server.

Did you make this step -> docu secure login library (most customers forget this step for Kerberos)?

Create Kerberos Keytab

To create a Kerberos keytab in the PSE, enter the following command. The Service Principal Name and the password of the Microsoft Windows account are required.

snc crtkeytab -s SAP/Kerberos<SID>@<DOMAIN> -p <password>

You can check the SNC configuration on the server side with the command snc.exe

For the Kerberos installation scenario, it should look like this:

su01 should look for your scenario (without certificates) :

Regards

Matthias
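
A consistency check for the SNC names exchanged in the posts above, as an added example (not code from the thread or from SAP documentation). It assumes the Kerberos form p:CN=<principal>@<REALM> and the server principal SAP/Kerberos<SID> from the keytab command; the realm EXAMPLE.LOCAL and the user rows other than the first are constructed placeholders.

```python
import re

# Kerberos-style SNC name as quoted in this thread: p:CN=<principal>@<REALM>
SNC_RE = re.compile(r"p:CN=([^@\s]+)@([^@\s]+)")


def check_snc_name(snc_name, expected_principal, realm):
    """Return a list of problems found in one SNC name (empty list = consistent)."""
    # Assumption: names are compared exactly, including case (realm in upper case).
    problems = []
    if snc_name != snc_name.strip():
        problems.append("leading or trailing whitespace")
    m = SNC_RE.fullmatch(snc_name.strip())
    if m is None:
        return problems + ["not of the form p:CN=<principal>@<REALM>"]
    principal, found_realm = m.groups()
    if found_realm != realm:
        kind = "case differs" if found_realm.upper() == realm.upper() else "mismatch"
        problems.append(f"realm {kind}: {found_realm!r} vs {realm!r}")
    if principal != expected_principal:
        kind = "case differs" if principal.lower() == expected_principal.lower() else "mismatch"
        problems.append(f"principal {kind}: {principal!r} vs {expected_principal!r}")
    return problems


def audit(realm, sid, gui_partner_name, users):
    """Check the SAP GUI partner name and every (sap_user, windows_logon, su01_snc) row."""
    # The server principal follows the keytab command: SAP/Kerberos<SID>@<DOMAIN>
    checks = [("SAPGUI partner name", f"SAP/Kerberos{sid}", gui_partner_name), *users]
    report = {}
    for label, principal, snc in checks:
        issues = check_snc_name(snc, principal, realm)
        if issues:
            report[label] = issues
    return report


# Constructed sample rows: (SAP user, Windows logon name, SNC name maintained in SU01)
SAMPLE_USERS = [
    ("BASIS", "companyname-basis", "p:CN=companyname-basis@EXAMPLE.LOCAL"),
    ("JDOE", "jdoe", "p:CN=jdoe@example.local"),          # realm in lower case
    ("ASMITH", "asmith", "CN=asmith@EXAMPLE.LOCAL"),      # missing p: prefix
    ("MMEIER", "mmeier", "p:CN=m.meier@EXAMPLE.LOCAL "),  # trailing space, other account
]

if __name__ == "__main__":
    result = audit("EXAMPLE.LOCAL", "BID", "p:CN=SAP/KerberosBID@EXAMPLE.LOCAL", SAMPLE_USERS)
    for who, issues in result.items():
        print(f"{who}: {'; '.join(issues)}")
```
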

Former Member
0 Kudos

Dear Matthias,

It started working. SNC_LIB was pointing to some different dll in my front end pc. After I changed it to the location of the secure login folder (C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll) and, as mentioned in the sap note 1635019, executed the snc4 transaction, it started working.

Thanks a lot for your support.

Regards,

Nalla

Kaempfer
Advisor
0 Kudos

Hi Nalla,

good work! I guess this was the old library of the component SNC Client Encryption. This library does not support SSO - only SNC encryption!

Regards

Matthias

Former Member
0 Kudos

Dear Matthias,

We have purchased the NW SSO package and successfully configured SSO for SAPGUI using secure login library and secure login client documentation.

We have followed the Windows AD Kerberos option mentioned in the secure login library setup guide as per your suggestion. Thanks a lot for that.

Now we have to configure the SSO for NWBC for HTML and NWBC for Desktop to get authenticated with Windows AD user id. I am confused after reading the NW SSO Server configuration guide. I don't know exactly what step I have to follow in that document to achieve the SSO with Windows AD.

We are going to use NWBC for HTML and Desktop to access only ABAP backend system. No portal system is involved in our landscape.

As you suggested in previous reply I will deploy NW SSO Server either in Solman or I will install a separate Java stack system. But I need your guidance on what steps to be followed to achieve the SSO with Windows AD in the NW SSO Server guide after installing the server component.

I believe I am trying to achieve below scenario. Correct me if I am wrong.

Regards,

Nalla

Answers (1)

Kaempfer
Advisor
0 Kudos

Hi Nalla,

this is why I asked at the beginning, if you only would like to have SSO for SAP GUI for Windows or also for other UI's 🙂

So NWBC is combination of Web and SAP GUI (very simply spoken).

The scenario which you show in the picture above is the Web client. You use this scenario especially for users using SAP GUI for Java or users who need a certificate but don't want to install secure login client. I would not recommend this, if you have Windows PC on the client side and if this is an intranet scenario.

You need to check this deployment option (out of the Kerberos Ticket the solution provides automatically a certificate which can be used for NWBC and Web applications):

https://scn.sap.com/docs/DOC-29687

-> this deployment option works for SAP NWBC, SAP GUI and Web applications

Regards

Matthias

Former Member
0 Kudos

Dear Matthias,

Thanks for your quick reply. I understand from above explanation that my NWBC for HTML, web url will not need NW SSO client to be installed.

Please excuse me if I ask some silly questions till I complete my configuration for this setup. I am trying to understand the Basics so that it will help me to configure it properly.

But how my SAP ABAP Server URL will use the NW SSO server to get authenticate with Windows AD?

Step 1:

I need to login to NW SSO Server web client URL first and get authenticated, so that my browser will get a certificate.

Step 2:

Then I should go to my NWBC URL so that it will login without any password using the already available browser certificate.

Correct me if I am wrong.

Regards,

Nalla

Kaempfer
Advisor
0 Kudos

If you work with certificates, you have the following deployment options

a) Secure Login client + Secure Login Server -> my recommendation

--> this is a real SSO integration. There is no need for the user to type in user and password to get a certificate if you use the integration with MS AD --> https://scn.sap.com/docs/DOC-29687

b) Zero footprint version: Secure Login Server --> here the user needs to type in user and password to get a certificate -> no secure login client required --> I need to check if this option is working also for NWBC -> I only know customers using this for SAP GUI

Your description above is the option b.

YOU: But how my SAP ABAP Server URL will use the NW SSO server to get authenticate with Windows AD

--> Secure Login Client takes the existing Kerberos ticket on the client and sends it to the secure login server. Secure Login server validates the Kerberos ticket and sends back a certificate --> version a

My recommendation: Use Secure Login Client in combination with Secure Login server for internal scenarios and integrate this with the MS AD authentication.

Regards

Matthias