Former Member

Can users without Secure Login Client still log on to AS ABAP via SAPGui with NW SSO?

Good afternoon - I have a question regarding NW SSO. We are considering buying a number of licenses, but perhaps not enough for every user to be able to log on using single sign-on. So some users would have the Secure Login Client on their PCs and others would not. For the ones who don't have the client installed, they would still be able to log in to a system with SAPGui by entering their username and password, right? The reason for my question is that I know that during the setup of NW SSO we will make changes in the saplogon.ini file to indicate the SNC name of the application server, and then also have to make entries in tcode SU01 for the user's SNC name. I see on the SNC tab in SU01 that there is an option to allow password logon for SAPGui, so for the users who we have not purchased a license for, could we just check that box so that they could still enter their ID and Password in SAPGui as usual?

I would appreciate any help with this!

Regards,

Blair Towe


4 Answers

  • Mar 21, 2013 at 06:49 PM

    Sure they can, just uncheck the Activate Secure Network Communication for users wishing to log on with username and password.


  • May 29, 2013 at 11:52 AM

    Dear Blair Towe,

    Profile parameters on AS ABAP provide the framework necessary to operate the AS ABAP using SNC protection. For the individual communication settings, for example, between SAP GUI and the application server, you must decide what level of protection you need and set the corresponding parameters accordingly. More info about the levels of protection is available here: Secure Network Communications (SNC)

    Here you will be able to find the documentation for the parameter settings: Profile Parameter Settings on AS ABAP 

    One of these parameters is snc/accept_insecure_gui. The default value for this parameter is “0”. Once the SNC is activated and the default value for snc/accept_insecure_gui is not changed, the AS ABAP will reject all SAP GUI connection requests that are not protected with SNC. If you change the parameter value to allow unprotected connections, then the SAP GUI configuration determines whether or not the connection uses SNC protection. If you want the AS ABAP to accept SAP GUI connections that are not protected with SNC only for certain UserIDs, the value of this parameter has to be set to “U” (Accept unprotected logons for only those users who have the appropriate flag set in their user master record). Then you can use the SU01/SNC flag “Permit Password Logon for SAP GUI (User-Specific)” for the UserIDs who will use the UserID/Password authentication (no SSO). The SNC Name value in the User Profile for these users will be empty.

    In the SAP Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry you will be able to find the prerequisites for the SAP GUI in order to set this scenario. Details about the kernel requirements you will be able to find in the SAP Note 1561161 - Enabling SAP GUI password logon despite using SNC.

    Here you will be able to find the SNC Configuration for the SAP GUI: Configuring SNC: SAP GUI when Using SAP Logon

    Kind regards,

    Donka Dimitrova

    Product Management

    SAP NetWeaver Single Sign-On
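
The acceptance logic described in the answer above, as an added audit sketch that is not part of the thread or of any SAP tooling: it reads the two SNC profile parameters and reports users whose SU01 settings do not fit the intended SSO/password split. The user-record field names and all sample data are constructed assumptions; `snc/enable` and the value `1` come from SAP's profile parameter documentation rather than from this page.

```python
# Added example: constructed sample data, hypothetical field names.
SAMPLE_PROFILE = """\
# constructed sample instance profile
snc/enable = 1
snc/accept_insecure_gui = U
"""
SAMPLE_USERS = [  # stand-in for an SU01 export; field names are assumptions
    {"id": "SSO_USER", "snc_name": "p:CN=SSO_USER", "permit_password_logon": False},
    {"id": "PW_USER", "snc_name": "", "permit_password_logon": True},
    {"id": "BOTH", "snc_name": "p:CN=BOTH", "permit_password_logon": True},
    {"id": "NEITHER", "snc_name": "", "permit_password_logon": False},
]

def parse_profile(text):
    """Read 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def unprotected_gui_accepted(params, user):
    """True if the server would accept a SAP GUI logon without SNC for this user."""
    if params.get("snc/enable", "0") != "1":
        return True  # SNC not active, so nothing is enforced
    mode = params.get("snc/accept_insecure_gui", "0").upper()
    if mode == "1":
        return True  # unprotected connections accepted for everyone
    if mode == "U":
        return bool(user.get("permit_password_logon"))  # per-user SU01 flag
    return False  # "0" (default); unknown values are treated as reject

def audit(profile_text, users):
    """Flag users whose SU01 settings do not match the intended SSO/password split."""
    params = parse_profile(profile_text)
    findings = []
    for user in users:
        accepted = unprotected_gui_accepted(params, user)
        if accepted and user.get("snc_name"):
            findings.append((user["id"], "SNC name set, but unprotected logon is also accepted"))
        elif not accepted and not user.get("snc_name"):
            findings.append((user["id"], "unprotected logon rejected and no SNC name mapped"))
    return findings

if __name__ == "__main__":
    for user_id, issue in audit(SAMPLE_PROFILE, SAMPLE_USERS):
        print(f"{user_id}: {issue}")
```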


  • May 31, 2013 at 08:19 PM

    Blair,

    If you wish to use one standard SNC enabled saplogon.ini on all workstations you will also need the GSS-API dll on all workstations (i.e. secgss.dll or gsskrb5.dll). I don’t know if there are any license considerations if you purchase 800 NW SSO licenses then install the client dll on 1000 workstations. The NW SSO client dll may be the same dll that is distributed with the free SNC Client Encryption product - not sure.

    If a user logs on with an SNC enabled sapgui but does not have the SNC name defined in SU01 they will get an error message “No user exists with SNC name p:xxx@xxx”. They will be prompted for username and password and the session will be encrypted.

    Rob


  • Former Member
    Jun 26, 2015 at 02:56 PM

    Hey Blair,

    If you make the change to the SAPGUI INI for everyone, then everyone would need the secure login client, but for those users without the license, just make sure the SU01 SNC tab does not reflect any reference to their AD account.

    NICK
