
EBP SNC

Former Member
0 Kudos

Hi experts,

I have a question. Please, is it possible to set up login to the EBP 3.5 system using SNC on the fat client side? I already have SNC activated on this system, but at SAP LOGON I still have to enter the password and user name.

Do you have any idea?

Thank you

Regards

Jakub Vaněk

9 REPLIES 9

tim_alsop
Active Contributor
0 Kudos

Jakub,

Yes, this is possible. It is implemented in different ways, depending on whether your SAP ABAP AS is on Windows Server or on a UNIX or Linux system. If you are using Windows to host SAP ABAP AS, then you can use an SNC library provided by SAP that uses the Kerberos protocol. This library would be installed on each workstation and used by SAP GUI during authentication, and also used by the SAP ABAP system to determine the SNC name of the user who is logged onto the workstation. If your SAP ABAP AS is hosted on UNIX or Linux, then you need to use a product from a SAP partner. For this, you can search SDN, or look at SAP EcoHub (http://ecohub.sap.com).

Thanks,

Tim

Former Member
0 Kudos

My SAP is running on Windows. I already have SNC activated on the R3 system and it's running fine.

In t_code SU01 on the R3 system, on the SNC card, I have the status "SNC is active on this application server".

I set the same parameters on the EBP system as on R3, but in t_code SU01 on EBP, on the SNC card, the status is not active; there is only the status "Unsecure logon is allowed (snc/accept_insecure_gui)".

But there is one fact. On the EBP system, users log in to SAP over SSO thin client from a web browser.

Maybe that is the problem?

Thanks

Regards

JV

tim_alsop
Active Contributor
0 Kudos

JV,

There is more than one SNC library available from SAP, for use on Windows. You need to make sure you are using the correct library if you want SAP GUI SSO using Active Directory credentials, via SNC.

Also, you need to install the SNC library on the workstations where SAP GUI is running, and configure saplogon.ini to use this library when logging onto SAP.

If SNC is not active on your EBP system, I suggest you check the instance profile parameters such as snc/enable and snc/gssapi_lib. Make sure these are correct, and make sure there are no errors shown in work process logs when SAP is started.

Thanks,

Tim

Former Member
0 Kudos

Tim,

On the EBP system, the parameter snc/enable is set to 1 and snc/gssapi_lib to $(DIR_EXECUTABLE)\sapcrypto.dll.

On the R3 system snc/enable is the same, but snc/gssapi_lib has the value C:\.........\gssapi32.dll

Regards

JV

tim_alsop
Active Contributor
0 Kudos

JV,

If you want to use SAP GUI SSO, then you cannot do this using sapcrypto.dll. The gssapi32.dll is more suited to the kind of SSO you are looking to implement, so I suggest you change your EBP setup to use the same SSO library and then you can implement SAP GUI SSO with both EBP and R3 systems.

The workstations where SAP GUI is installed will also need the same or equivalent gssapi32.dll library, so that SAP GUI can authenticate the user to the SAP ABAP AS using the Kerberos protocol.

Thanks,

Tim
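
An added example, not part of the thread and not SAP code: a small Python check that compares the SNC parameters of two instance profiles, which is how the sapcrypto.dll versus gssapi32.dll difference between EBP and R3 shows up. The profile contents, the `C:\placeholder` path and the function names are constructed for illustration.

```python
import ntpath

# Constructed sample instance profiles (not from the thread); paths are placeholders.
EBP_PROFILE = r"""
# EBP instance profile (constructed sample)
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll
snc/accept_insecure_gui = 1
"""
R3_PROFILE = r"""
# R3 instance profile (constructed sample)
snc/enable = 1
snc/gssapi_lib = C:\placeholder\gssapi32.dll
snc/accept_insecure_gui = 1
"""

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments and blanks."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def snc_library(params):
    """Lower-cased file name of snc/gssapi_lib (Windows path rules), or None if unset."""
    lib = params.get("snc/gssapi_lib")
    return ntpath.basename(lib).lower() if lib else None

def compare_snc(reference, candidate):
    """List findings where the candidate's SNC setup differs from the working reference."""
    findings = []
    if candidate.get("snc/enable") != "1":
        findings.append("snc/enable is not 1")
    ref_lib, cand_lib = snc_library(reference), snc_library(candidate)
    if cand_lib is None:
        findings.append("snc/gssapi_lib is not set")
    elif cand_lib != ref_lib:
        findings.append(f"snc/gssapi_lib loads {cand_lib}, reference loads {ref_lib}")
    return findings

if __name__ == "__main__":
    # R3 is the system where SNC already works, so it serves as the reference.
    for finding in compare_snc(parse_profile(R3_PROFILE), parse_profile(EBP_PROFILE)):
        print("EBP:", finding)
```
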

Former Member
0 Kudos

Please can you describe to me what the Kerberos protocol is and how I can implement it on a user's Windows workstation?

Thanks

Regards

JV

tim_alsop
Active Contributor
0 Kudos

JV,

When a user logs onto Windows workstation, and logs onto a Microsoft domain (using Active Directory) they are authenticating using the Kerberos protocol. During this domain logon, Kerberos credentials are issued for user and cached in memory.

All you need to do is use the correct SNC library on workstation (and same/compatible library on server) so that the Kerberos credentials of user who is logged on are used to authenticate them to SAP system.

Thanks,

Tim

Former Member
0 Kudos

Oh, thank you, I'm clever now :).

So if on the server side the parameter snc/gssapi_lib has the value /usr/SAP......../gssapi32.dll, then on the workstation side the same library gssapi32.dll has to be used?

OK, and in what path in Windows should this library be placed? And should this path be set in the environment variables on the Windows workstation?

Regards

JV?

0 Kudos

Hi Jakub,

have a look at

SAP Note 595341 - Installation issues with Single Sign-On and SNC

There is an attachment which contains the library for Windows clients.

This comes as an msi package which (if I remember this correctly) also sets a system variable SNC_LIB=C:\WINNT\system32\gsskrb5.dll (or wherever the thing is placed).

In your SAPGUI you would then have to activate SNC, and enter the SNC Name (e.g. p:SAPService<SID>@<DOMAIN>)

For a step by step guide, see http://help.sap.com/erp2005_ehp_04/helpdata/EN/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm

Best regards,

Jochen