Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Is there a way to enable SNC when using logon ticket SSO?

Go to solution
Former Member

‎06-01-2009 7:01 AM

0 Kudos

I knew that I can single sign on SAP R/3 from SAP GUI for windows with SNC enabled and I also knew that I can single sign on SAP R/3 from SAP Portal via logon ticket.

I guess logon ticket cannot guarantee the security of the network transport layer. My quesion is how I can enable SNC when I am using logon ticket for SSO?

Any information is highly appreciated!

Jack

1 ACCEPTED SOLUTION

Go to solution
tim_alsop
Active Contributor

‎06-01-2009 8:25 AM

0 Kudos

Logon tickets are typically used when a web browser is involved, and therefore network transport layer security is implemented using SSL. SNC is not used when browser is involved.

Thanks,

Tim

7 REPLIES 7

Go to solution
tim_alsop
Active Contributor

‎06-01-2009 8:25 AM

0 Kudos

Logon tickets are typically used when a web browser is involved, and therefore network transport layer security is implemented using SSL. SNC is not used when browser is involved.

Thanks,

Tim

Go to solution
Former Member
In response to tim_alsop

‎06-01-2009 8:40 AM

0 Kudos

Hello Tim,

Initially, I have the same feeling that SSL can protect the data communication between SAP GUI and SAP R/3 when SAP GUI is framed in a web browser. However, if you investigate further, you may doubt if this is really true.

SAP embeds the SAP GUI in IE by using an activeX control. After that all the communication are between SAP GUI and SAP Server. SSL doesn't involved in this conversation so that cannot protect the communication.

Besides, embeded SAP GUI only applies to Microsoft IE, not for firefox. If you open SAP GUI from firefox, you will launch SAP GUI directly without a web browser.

I think only in one situation your statement is true. That is "embed SAP GUI for HTML with SSL."

What do you think?

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎06-01-2009 8:45 AM

0 Kudos

Jack,

I didn't mean to imply that SSL was used to secure SAP GUI sessions - for SAP GUI the session is secured only with SNC. SSL is used when web browser is involved, so only used when Web GUI is used to logon to an ABAP system using a browser.

What do you mean by "SAP GUI is framed in a web browser" ? Are you referring to the webgui ? If you are then this is implemented as an ITS Service in SAP NetWeaver and is accessed using browser, so SSL is used to secure access to webgui.

The activex control that you refer to is only used to "launch" SAP GUI on Windows and then SAP GUI is responsible for the network security, so SNC is required for this security.

In summary - If you are looking to secure SAP GUI sessions you need to use SNC and if you are wanting to secure browser communications you need to use SSL.

Thanks,

Tim

Go to solution
Former Member
In response to tim_alsop

‎06-01-2009 8:59 AM

0 Kudos

Tim,

Thank you for the quick response.

The SAP GUI I refer is SAP GUI for windows because there is no ITS involved.

Let me make it clearer,

I want to SSO SAP R/3 from SAP Portal via logon ticket, at the same time, I want to secure the SAP GUI sessions with SNC. I read many documents but cannot find out how I can do it.

thanks

Jack

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎06-01-2009 9:04 AM

0 Kudos

Jack,

Thankyou. I now understand what you are trying to do, but I think you already have the answer... If a user logs onto windows and gets authenticated to portal, then launches SAP GUI (Windows SAP GUI) from portal, then SNC will handle the authentication, not a logon ticket. The logon ticket would only authenticate the SAP GUI user if SNC was not enabled/used for SAP GUI. Since SNC is requried for added security, the logon ticket is only used for browser authentication.

In my experience, most companies solve this problem by setting up authentication with portal and separately setting up SNC with authentication, integrity, confidentiality etc. If the user is recognised as same SAP user when they logon via portal and also when they logon via GUI, then the user experience will be as required, and the logon/session will be secured.

Thanks,

Tim

Go to solution
Former Member
In response to tim_alsop

‎06-01-2009 9:31 AM

0 Kudos

Tim,

I got your point too so I am giving your points as well.

I will solve this problem from the people management perspective, not from technical perspective.

There is one last question though.

For special users I will use SNC to protect the communication, so I need to disable the UID/PWD as well as the logon ticket access to SAP R/3. I knew how to disable UID/PWD access but I cannot figure out how to disable logon ticket for certain users. It seems Logon ticket has a higher priority than SNC logon.

Do you have any idea?

Jack

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎06-01-2009 9:35 AM

0 Kudos

> 

> For special users I will use SNC to protect the communication, so I need to disable the UID/PWD as well as the logon ticket access to SAP R/3. I knew how to disable UID/PWD access but I cannot figure out how to disable logon ticket for certain users. It seems Logon ticket has a higher priority than SNC logon.
> Jack

I am only aware of a way to disable external authentication for specific users, and since SSO2 ticket and SNC authentication are both external authentication you cannot disable one and not the other.

I am also not aware of any priority for different methods of logon - as far as I know, if user logs on with SNC then SNC is used, and if user logs on with logon ticket this is used instead.

I hope I have been helpful.

Thanks,

Tim