cancel
Showing results for 
Search instead for 
Did you mean: 

Single Sign on from CRM 2007 to BI 7.0 fails

Former Member
0 Kudos

Hello, everything works fine in our CRM Development Solaris/Oracle and Test servers using the same setup. CRM is disp+work release 700 version 159 and our BI system is 700 version 133.

For the setup I exported and imported the CRM certificate to the BI backend system using transaction STRUSTSSO2. The certificate has been added to the u2018Cerfiticate listu2019 and ACL for both clients 000 and our BI production client.

After logging in to CRM production web gui via http with the same userid in CRM/BI and clicking on Reports -> Opportunity Pipeline Analysis (which call the WAS on BI) I am getting a userid/password challenge. My userid has both SAP_ALL and SAP_NEW Profiles in both CRM and BI.

Transaction SM59 in our CRM systems for our rfc connection to our BI client is using a userid/password that has both SAP_ALL and SAP_NEW Profiles and is a User Type u201Ccommunicationsu201D. Clicking on Remote Login does not challenge us. The test connection is successful.

Turning on tracing in SM50 -> Security -> Trace level 3 on the BI Production system, it appears SSO is working after clicking on the report. I see messages of u201Cacceptedu201D in the dev_rfc trace file on the BI system. But itu2019s not. I get a userid/password challenge. I checked in my browser and I have the MYSAPSSO2 cookie set for our domain. Our servers are in the same domain behind the DMZ.

The only difference between the CRM dev/tst servers is that I set up both http and https in production, but again I am using the http url for the CRM login/BI login.

Using https to our CRM system then clicking on Reports -> Opportunity Pipeline Analysis I get the message u201CBI system destination 'BWP_090' cannot be reachedu201D.

The details of the error state to check the SM59 connection. But it must be releated. The same url for the report is being called http://<production server>.domain:<port>/sap/bw/BEx

I am perplexed

Edited by: Stephen Faehn on Feb 24, 2009 2:06 PM

Interesting, comparing rfc trace files from our CRM Test system to our CRM Production system I see in production rfc trace file:

CRM_WEB_UTIL_CREATE_URL NOT FOUND

There are 5 notes when searching for CRM_WEB_UTIL_CREATE_URL at the service market place. Note 1148435 addresses this class and "cannot be called via RFC", fix is in SAP_ABA 700 SAPKA70016 . However we are already on this release and a remote compare via transaction SE80 shows no differences between the systems.

CRM_WEB_UTIL_C

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
0 Kudos

This has been resolved.

On the backend BI system I changed service /sap/bw/BEx -> Logon Data. I filled in the client, user and password for the background service user. Never had to do that in BI Development nor QA/Test instances. Thought this might have to do with the client settings, but I changed our BI QA instance and set it to Production but could not reproduce the problem.

Former Member
0 Kudos

> On the backend BI system I changed service /sap/bw/BEx -> Logon Data. I filled in the client, user and password for the background service user.

That is also a "chaining" of sorts, as you can configure the authentication method (and sequence) for the service, which can call RFC's on the inside. Defining the generic SERVICE type user in SICF instead of the COMMUNICATION (obsolete!) type user (in SM59?) probably did the trick.

Generally, I would recommend using SYSTEM type users in SM59 and SERVICE type users in SICF with authority only for their documented tasks ideally.

It is possible (and not uncommon) to discover that the DEV and QAS (and a multiple of other DEVs and QASs...) are not respecting the cardinality of the connections and the user contexts in the same way as production clients do... and the user becomes easily locked or cannot be "tuned" to have the correct authorizations or everything runs under the same user so there is no need to authenticate again.

> Never had to do that in BI Development nor QA/Test instances.

Compare the config in transaction SICF for the services for the user entered and the authentication method. Both of these also "cascade" through the hierarchies of the services, so check higher up as well...

> Thought this might have to do with the client settings, but I changed our BI QA instance and set it to Production but could not reproduce the problem.

Generally, the SCC4 client type "T" (=> Test) is used to simulate a productive system and productive client. I don't think it will make a difference, but try it.

Cheers,

Julius

Edited by: Julius Bussche on Mar 13, 2009 8:09 PM

User type comment added.

Former Member
0 Kudos

Dear Steve,

Now, in our project, it relates CRM 7.0 and BW 7.0. Planning to integrate BW BEx reports into CRM Web Interface via both TRANSACTION LAUNCH and DISPLAY BW Reports in CRM. So we need to configure the SSO between CRM and BW. This is my first case based on this requirements. Please kindly advise me how to do it. I tried this in following steps, the exception 'BI system destination ** cannot be reached' always casted.

1.Config the parameters login/accept_sso2_ticket and login/create_sso2_ticket = 0 in both systems

2. Export CRM certificate from client '000'

3. Import CRM certificate into BW via client '000'

4. Add CRM certificate into ACL of BW via client '200'(BW application client)

5. Export BW certificate from client '000'.

6.Import BW certificate into CRM via client '000'

7.Add BW certificate into ACL of CRM via client '300'(CRM application client)

Any suggestions are appreciated.

Best Regard.

Gerald

Former Member
0 Kudos

Hi,

Did you resolve this..Can you please help me with the steps if this is resolved.i am also facing the similar problem.

Satish kumar

Former Member
0 Kudos

did you check the parameters ?

login/accept_sso2_ticket

login/create_sso2_ticket

Former Member
0 Kudos

Hello, forgot to mention that. Yes they are set.

Also, our BI systems are dual stack. When running Connection Tests from the Java Stack to the abap stack all tests work just fine.

Thanks

Former Member
0 Kudos

Are you using any trusted RFC to "chain" the SSO anywhere?

Former Member
0 Kudos

please check transaction sso2 in BI and verify if you see any red/yellow lights there.

also logon to CRM via http and in the same browser window call a biw report (by typing in the complete URL) and see what happens. Also check the validity of the cetificate.

Former Member
0 Kudos

Hello Julius, I am unsure of what you mean by "Chain the RFC".

The RFC from CRM to BI as I can tell is only used in CRM for BI reporting.

Thanks

Former Member
0 Kudos

Hello SG, transaction SSO2 in the BI system using RFC Destination to itself is all green.

Thanks for the information.

When using the URL to the report http://<servername>.<domain>.<port>/sap/bw/BEx after logging into CRM , I get a userid/password challenge.

I am still seeing in the dev_rfc file CRM_WEB_UTIL_CREATE_URL FUNCTION_NOT_EXIST after clicking on the url in CRM.

Former Member
0 Kudos

> Hello Julius, I am unsure of what you mean by "Chain the RFC".

If you are not using trusted RFC or "chaining" systems in this way, then I assume that it is not the cause of your question....

Cheers,

Julius