Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

How to configure SNC for SAP GUI

Former Member
0 Kudos

Hi,

I have a few questions about configuration of SNC only for SAP GUI.

There are a lot of information in SDN, saphelp etc and I think I know the most import. But I still have some questions. Would be great to talk to some one who have allready implemented SNC for SAP GUI.

For one test server I have configured SSO with Kerberos (working fine). Now we want to use SNC for the SAP GUI without SSO and without Kerberos. How is this possible?

Can we use SNC for the GUI, but no SNC for RFC?

Thank you very much

Timm

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Timm,

I am not 100% clear what you are looking for. From your post I am not clear if you have SNC working, and with which library, and you also ask if you can use SNC without SSO... I will try to answer your questions, but if I have missunderstood anythng please let me know.

To configure SNC for SAP GUI you first need to make sure you have an SNC library installed on the workstation where SAP GUI is installed, and then you can configure an entry in saplogon.ini file. The configuration tells SAP GUI to negotiate SNC for this logon attempt. Other entries in saplogon.ini might be configured to not use SNC and both non-SNC and SNC enabled entries can work at same time.

if you are using RFC you can use this without SNC but must pass userid+password, and you can use it with SNC. The apps that use RFC normally use a configuration file called saprfc.ini. Depending on what you put in this file will determine if SNC is used or not.

it is possible to use SNC without SSO, but not when you are using the Kerberos/SNC/GSS-API libraries provided by SAP. If you want to disable SSO (e.g. authenticate the user when they logon to SAP) you need to use an SNC library from a SAP software partner.

Thanks,

Tim

11 REPLIES 11

tim_alsop
Active Contributor
0 Kudos

Timm,

I am not 100% clear what you are looking for. From your post I am not clear if you have SNC working, and with which library, and you also ask if you can use SNC without SSO... I will try to answer your questions, but if I have missunderstood anythng please let me know.

To configure SNC for SAP GUI you first need to make sure you have an SNC library installed on the workstation where SAP GUI is installed, and then you can configure an entry in saplogon.ini file. The configuration tells SAP GUI to negotiate SNC for this logon attempt. Other entries in saplogon.ini might be configured to not use SNC and both non-SNC and SNC enabled entries can work at same time.

if you are using RFC you can use this without SNC but must pass userid+password, and you can use it with SNC. The apps that use RFC normally use a configuration file called saprfc.ini. Depending on what you put in this file will determine if SNC is used or not.

it is possible to use SNC without SSO, but not when you are using the Kerberos/SNC/GSS-API libraries provided by SAP. If you want to disable SSO (e.g. authenticate the user when they logon to SAP) you need to use an SNC library from a SAP software partner.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

thank you for the quick answer.

Two important points:

1. I can enable SNC within the profile parameter, so the GUI must use SNC, but the RFC communication works as before?!

2. "If you want to disable SSO (e.g. authenticate the user when they logon to SAP) you need to use an SNC library from a SAP software partner." Where can I find more information about this? How to configure, which products etc.?

Thank you very much

Timm

tim_alsop
Active Contributor
0 Kudos

>

> Hi Tim,

> thank you for the quick answer.

>

> Two important points:

>

> 1. I can enable SNC within the profile parameter, so the GUI must use SNC, but the RFC communication works as before?!

For this you would need to have two entries for same system in your saplogon.ini file. One will be for SNC and the other will be for non-SNC connection.

> 2. "If you want to disable SSO (e.g. authenticate the user when they logon to SAP) you need to use an SNC library from a SAP software partner." Where can I find more information about this? How to configure, which products etc.?

it is against policy to mention specific vendors on these forums, so I suggest you check http://www.sap.com/eapcatalog and search for snc kerberos and then contact the vendors listed.

>

> Thank you very much

> Timm

Former Member
0 Kudos

Thanks again.

But what about RFC connections between systems?

GUI should always use SNC for authentication, but RFC connections should work without RFC in the first implementation.

Former Member
0 Kudos

but there are also only SNC with SSO solutions?!?

http://preview.sap.com/catalog/results.jsp?q=SNC&q_cat=&ss=1&x=2&y=10

tim_alsop
Active Contributor
0 Kudos

Timm,

RFC connections between systems are controlled by various snc/ instance profile params, and it is normal for these to be setup so that SNC secured and non-SNC secured RFC connections between systems are allowed at the same time. The answer I gave earlier was related to RFC being used by an application on Windows workstation, which runs a function module on an ABAP system somewhere on your network, in which case saplogon.ini needs to have two entries.

The solutions mention on SAP website may mention they are for SSO because this is what they are sold for, but the SAP documentation does not mention the full range of features supported by the products. For the full details you need to contact the vendor to find out what they provide in addition to providing SSO.

Thanks,

Tim

Former Member
0 Kudos

It is of course possible to use SNC without SSO. The solution uses X.509 certificates valid for a short time that are thrown away after the authentication. You'll have to contact me for more details as the moderators do not want commercial endorsements in the forums...

tim_alsop
Active Contributor
0 Kudos

Timm,

As you know, SNC uses a GSS-API library. The GSS-API standard requires that credentials are already available before it can be used to establish a security context. It is therfore easy to authenticate a user and obtain credentials before establishing a security context via GSS-API (e.g. using SAP SNC). using this any product can authenticate a user before or when SAP SNC authentication is attempted and the credentials issued at that time would be used by SAP SNC to authenticate the user to the SAP system.

From above you can see that this can be done with any SNC mechanism, not just x.509 as Peter suggested. My experience is with Kerberos where non-SSO is quite common requirement, but in same company other people might want SSO so you can implement both methods depending on the specific users/workstation involved.

Thanks,

Tim

Former Member
0 Kudos

Tim,

I believe you're mixing me with a colleague of mine called Peter Adams ;).

Irrespective of what the GSS API definition actually says it is of course possible to postpone the actual authentication to the moment it is needed. This has the added benefit of asking the user for credentials only if those credentials are really needed and not bothering him if he doesn't access critical servers.

Is is also possible for a client using SAPGUI to use more than one SNC library at the same time but I wouldn't bother with it unless it is really necessary.

Cheers!

Former Member
0 Kudos

Hi,

Per help.sap.com, we have to use a third party SNC library for SNC from SapGUI. Is this a requirement or we can use SAP's sncgss32.dll for SSO (using NT authentication) . Did you get this working?

Thanks,

Sundaram

0 Kudos

Sundaram,

I would like to suggest that if you want to benefit from SDN you open a new thread when you have a question, rather than using a thread which is already marked as answered. If you need to refer to an existing thread you can do so using the URL for the other thread.

Thanks,

Tim