
SSO Between EP6 and ITS

0 Kudos

Hi All,

Now I have implemented SSO from EP6 to other applications using the SAPLOGONTICKET method, and everything works except the ITS SSO. I have installed EP6 and ITS on the same server and created the system to connect to ITS.

If anybody has ever implemented this and got it to work, please advise me.

Thanks in advance,

Pongsak

Accepted Solutions (0)

Answers (7)

Former Member
0 Kudos

Hi

Try to change the path of the ITS to be the same as the host name!!

ITS Host Name - itsserver.company.com:81

ITS Path - itsserver.company.com:81

Thanx,

Demorgan

Former Member
0 Kudos

I'm sorry, I mistakenly said to set the parameter

~cookies=0

!!!!SET THE ~cookies = 1 !!!!

Thanks

Jeremy Baker

Former Member
0 Kudos

I had the same problem and it was caused by me not calling the portal with a fully-qualified domain name.

Example: http://myportal:50000/irj

instead of http://myportal.mycompanydomain.com:50000/irj

.....I won't forget that in a hurry, as I spent all day on the problem!

Former Member
0 Kudos

Team,

When you create a system in your portal (we are running EP 6.0 SP7 on WAS 6.20 SP8) there are three options for R/3 connectivity, as shown below:

a.Dedicated Application Server for R/3 System

b.R/3 System via Connection String

c.R/3 System with Load Balancing

Remove the entry called sapms<SID> 3600/tcp from your Windows services file if you select option a for the R/3 connection. If it's still not working, try to create your R/3 system using option c (you need to change your global.srvc file accordingly).

Good Luck,

John Vinh

Former Member
0 Kudos

Team,

I did make it work and here is my global.srvc

~appserver "full DNS name of your R/3 application"

~client 010

~clientcert 1

~cookies 1

~exiturl

~hostsecure "full DNS name of your ITS server"

~hostunsecure "full DNS name of your ITS server"

~language

~login

~logingroup

~messageserver

~multiinstanceservices 1

~mysapcomgetsso2cookie

~mysapcomusesso2cookie 1

~mysapcomssonoits 1

~password

~portsecure 443

~portunsecure 90

~routestring

~runtimemode pm

~systemname "SAP SID Name"

~systemnumber 00

~theme 99

~timeout 60

~urlarchive /scripts/sapawl.dll

~urlimage /sap/its/graphics

~urlmime /sap/its/mimes

~usertimeout 24

~xgateway sapdiag

~xgateways sapxgadm,sapdiag,sapxgwfc,sapxginet,sapextauth

- In your SAP Enterprise Portal, you need to enter port number application server 3200, system no, system R/3 SID, client No

- In the ITS configuration:

ITS Hostname: Full DNS name:90

ITS path /scripts/wgate

- User Management

Log Method: SAPLOGONTICKET

User mapping type: admin,user

Good Luck,

Former Member
0 Kudos

John,

Thanks for the reference. We did exactly what you have, but it still does not work for us. I still need to log on twice (once to the portal and once to ITS ESS).

Please help me to verify our setting. Thanks.

On the ITS side :

A) The global.srvc file is defined as :

~appserver appserver.company.com

~client 240

~clientcert 1

~cookies 1

~designs sap_streamline

~exiturl

~hostsecure itsserver.compamy.com

~hostunsecure itsserver.company.com

~language

~login

~logingroup

~menu2002 1

~messageserver

~multiinstanceservices 1

~mysapcomgetsso2cookie

~mysapcomusesso2cookie 1

~mysapcomssonoits 1

~password

~portsecure 443

~portunsecure 81

~routestring

~runtimemode pm

~systemname "SID"

~systemnumber 20

~theme 99

~timeout 15

~urlarchive /scripts/sapawl.dll

~urlimage /sap/its/graphics

~urlmime /sap/its/mimes

~usertimeout 24

~webgui_theme 2002

~xgateway sapdiag

~xgateways sapxgadm,sapdiag,sapxgwfc,sapxginet,sapxgbc,sapextauth

On the portal side :

A) We have created a system called SID_ITS and its defined properties are :

Connector :

Application Host - appserver.company.com

Remote Host Type - 3

SAP Client - 240

SAP System Name - SID

SAP System Number - 20

Server Port - 3220

System Type - SAP_R3

ITS :

ITS Description - ITS for SID

ITS Host Name - itsserver.company.com:81

ITS Path - /scripts/wgate

ITS Protocol - http

User Management :

Logon Method - SAPLOGONTICKET

R/3 Reference System - 0

User Mapping Type - admin, user

Others :

Session Cookie Name - JSESSIONID (default)

Session URL Name - jsessionid (default)

B) System Aliases - A few aliases are created for this system as per ESS installation instruction

C) UM Configuration -

Data Source - Database Only

On the SAP side :

The portal signature has been uploaded to the R/3 "SID" system using SSTRUSTO2 transactions and it is proven that we could use SSO to access "SID" from the portal directly.

Thanks for your help!!

Former Member
0 Kudos

I have tried this once and it worked. I was able to do SSO for BSP iviews, but not for IAC iviews.

I set the parameter ~cookies = 0

In the ITS

Let me know if this helps

Jeremy

palani_aravazhi
Participant
0 Kudos

I would like to check the following

- Appropriate WP-Plugin is imported in the R/3 system

- SAPLOGONTICKET as the logon method defined in your

SYSTEM definition

- User IDs are same in Portal and in R/3 (just checking)

Good luck.

- PK

Former Member
0 Kudos

These are the parameters to be set in the global.srvc file to let ITS work with SAPLOGONTICKETS

~login <space>

~password <space>

~mysapcomusesso2cookie 1

then it works.

Nagesh

Former Member
0 Kudos

I also tried to implement SSO from EP6 to other applications by using the SAPLOGONTICKET method. Everything works fine except the ITS SSO. The ITS still gives me a sign-on screen. The portal and ITS are on different servers (Windows 2000).

I also defined the parameters for global.srvc.

Should I do something specific with the ITS-URL inside the portal? Now I use http://<name of its-server>:83/scripts/wgate/webgui/!

Should I add something to this URL?

regards

Bertil Rebergen

Former Member
0 Kudos

Hi Bertil,

if you have already set the "~" parameters according to what my co-posters have written, please check the following:

1) are EP6 and ITS running in the same DNS domain? (say: portal.company.com and its.company.com) If not, the saplogonticket won't get forwarded to ITS

2) Are you using the fully qualified host name (i.e. host.domain.com) for the ITS? Neither an IP address nor an unqualified host name will work.

3) Has the R/3 system behind ITS been configured to accept a SAP Logon Ticket logon? (check with transaction SSO2)

4) Have you imported the EP's public key certificate on R/3 (again SSO2)?

5) Any error messages? You could for instance perform a system trace in SM50 on the R/3 connected to ITS. Switch on "security trace" and set trace level to "2".

Regards,

Dominik

Former Member
0 Kudos

Hi Dominik,

I checked the things you mentioned but still it doesn't work.

This is the output on the R/3 when using SSO2:

Own System Data

SAP System C34 Client 090

Profile Parameters login/accept_sso2_ticket = 1

Logon Tickets Are Accepted

Certificate List

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

E:\usr\sap\C34\DVEBMGS34\sec\SAPSYS.pse

Owner CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE

Issuer CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE

Serial Number 00

Systems for Which C34 Accepts Verified Logon Tickets

The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From

Table TWPSSO2ACL

SAP System PCD Client 000

Owner CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE

Issuer CN=PCD, OU=Merlijn, OU=PinkRoccade Civility, O=SAP Trust Community, C=DE

Serial Number 00

Application server PSE:

ID: CN=C99

Namespace:

Profiles: E:\usr\sap\C34\DVEBMGS34\sec\SAPSYS.pse

OK: file available, length: 1.908

OK: local PSE identical to original in database

OK: security toolkit available

Version

SSFLIBSO Version 1.555.10 ; SECUDE(tm) Version 5.4.27C (c) SECUDE GmbH 1990-2001#SAPSECULIB - digital signature / without encryption

OK: signature tested successfully

The trace doesn't give me any errors

Do I need to install something on the ITS server?

regards

Bertil

Former Member
0 Kudos

Hi Bertil,

if I may assume that "PCD" is your portal, then the SSO2 configuration in R/3 looks fine.

You said SM50 does not show up anything interesting. You should at least see "something" in there if you try to enter via ITS. If ITS sends the SSO2 ticket to R/3 for authenticating the user, you should see some lines that describe the ticket evaluation process.

Have you tried an ordinary (password based) logon over ITS? In this case, you should see your logon attempt in SM50. Maybe you simply caught the wrong work process? (every process listed in SM50 keeps its own trace file).

Additionally, you should check if your browser really sends the SAP Logon Ticket to ITS. You can use a network sniffer (like Ethereal or TCP DUMP) for this. As an alternative, try "HTTP Watch" (http://www.simtec.ltd.uk/), but this one is a commercial tool. You should see a line in the HTTP header sent from your client to ITS that contains cookie: MYSAPSSO2=AjE.......

Regards,

Dominik

Former Member
0 Kudos

Hi Dominik,

When I use the portal to start up the connection to the ITS (by using an R/3 transaction) I get the logon screen of the R/3 system.

When I use the command 'javascript:document.cookie' inside the browser before and after logging into the R/3 system I get the following text:

sapj2ee_*=1808186064; JSESSIONID=ID1808186064DB0.5967332475447783End

I would expect something like MYSAPSSO2 ... or not?

Bertil

Former Member
0 Kudos

Bertil,

yes, I would also suppose a mysapsso2 cookie to be present. If your browser doesn't possess this cookie, then SSO naturally won't work.

So, the question is: Why is the cookie not being forwarded to ITS? I still strongly suppose my idea no. 1 (same DNS domain). What are the exact URLs you use for calling EP resp. ITS?

Regards,

Dominik
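The cookie-scope reasoning behind the "same DNS domain" and "fully qualified host name" checks, as an added example that is not part of the original posts. It assumes (not stated in the thread) that the portal issues the MYSAPSSO2 cookie for its own host name with the first label removed, applies RFC 6265 domain matching, and uses the URLs and cookie string quoted in this thread; the function names are illustrative.

```javascript
// Added example. Assumption: the ticket cookie's Domain is the portal host
// name minus its first label (nebula.lt.nl -> lt.nl).
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Domain attribute the ticket cookie would carry, or null for a host-only cookie.
function ticketCookieDomain(portalHost) {
  const labels = portalHost.toLowerCase().split(".");
  // IP addresses, unqualified names and two-label names have no usable parent domain.
  if (isIp(portalHost) || labels.length < 3) return null;
  return labels.slice(1).join(".");
}

// RFC 6265 section 5.1.3 domain matching.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || (!isIp(host) && host.endsWith("." + cookieDomain));
}

// Would a ticket issued while browsing portalUrl be sent by the browser to itsUrl?
function ticketReachesIts(portalUrl, itsUrl) {
  const portalHost = new URL(portalUrl).hostname;
  const itsHost = new URL(itsUrl).hostname;
  const domain = ticketCookieDomain(portalHost);
  if (domain === null) {
    // Host-only cookie: returned only to the exact host that set it.
    return { sent: itsHost === portalHost, domain: null };
  }
  return { sent: domainMatches(itsHost, domain), domain };
}

// Does a captured cookie string carry the logon ticket?
// The cookie name is compared case-insensitively for convenience.
function hasLogonTicket(cookieHeader) {
  return cookieHeader.split(";")
    .map((pair) => pair.trim().split("=")[0].toUpperCase())
    .includes("MYSAPSSO2");
}

// Values quoted in the thread.
const ITS = "http://its-srv.lt.nl:81/scripts/wgate/webgui/!";
console.log(ticketReachesIts("http://nebula:50000/irj", ITS));       // unqualified portal host
console.log(ticketReachesIts("http://nebula.lt.nl:50000/irj", ITS)); // fully qualified portal host
console.log(hasLogonTicket("sapj2ee_*=1808186064; JSESSIONID=ID1808186064DB0.5967332475447783End"));
```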

Former Member
0 Kudos

Guys,

I have the same issue. I checked your previous posting and I did exactly what you describe, but it still does not work. Our DNS domain is the same as ITS.

Please help!! Any other idea that where I can check. Thanks in advance.

Former Member
0 Kudos

Hi Dominik,

This is the URL to the portal: http://nebula:50000/irj

The R/3 system is Galileo. Inside the portal I defined a system Galileo with the following specs:

Usermanagement:

Logon Method: SAPLOGONTICKET

R/3 reference system: - Select -

User mapping type - select -

Internet Transaction Server:

ITS Description : its server

ITS Host Name : its-srv.lt.nl

ITS PATH : :81/scripts/wgate/webgui/!

I have been to the TechED in Munich. There I described the problem and they told me to use the DNS domain also to address the portal itself. So I changed the URL for the portal to http://nebula.lt.nl:50000/irj

Guess what?

If I now logon to the portal I am not able to logon. If I put in correct login userdata the portal gives me just the same logon screen again with all the userdata deleted!!!

Does this have anything with the SSO problem? We have put this problem inside SDN (see /thread/17767 [original link is broken] )

Hope this information helps

would be great if you could help.

Bertil

Message was edited by: Bertil Rebergen

Former Member
0 Kudos

Hi Bertil,

I am facing the same issue during configuration of SSO ( Logon tickets ) between Portal - R3 via ITS. Were you able to make it work ? When I enter "javascript:document.cookie" on the Portal Browser window , I get "sapj2ee_*=1723218202; JSESSIONID=ID1723218202DB0.8816322719526332End", which means that the Logon cookie is not passing to the ITS . Any suggestions or clues would be greatly appreciated.

Thanks,

-Mayur

Former Member
0 Kudos

Hi Nagesh,

Even after setting these parameters in the Global.serv file, I am still getting the ITS Login screen. I have a feeling that the Logon ticket is not being passed from my browser to ITS. Any solution for that ?

I have verified the Domain Names and they are both on the same domain.

Any suggestions ?

-Mayur