02-15-2010 7:07 PM
Hi.
I am working on SSO configuration between AD, ABAP and portal.
I did use SPNEGO for my portal SSO connection and it works; now I want to use SSO to enable SAPGUI to log on to R/3.
Is it possible and how?
Any ideas are most welcome.
Cheers
Reza
02-15-2010 8:14 PM
Reza,
Hello again!
If you search this forum you will find that this exact same question gets asked regularly. Basically it is implemented using SNC interfaces and a GSS-API library that uses Kerberos credentials from the workstation logon (just like the SPNEGO method uses the same credentials in the browser).
I suggest you search the forum first and if you have any doubts or questions, please update this thread or close this thread if you are satisfied with what you found elsewhere on SDN.
Thanks,
Tim
02-16-2010 1:12 PM
Hi Tim.
I did search for information and I did find a lot of info, and I think it is OK and good, but my question is:
My R/3 server is on a Linux server.
Is it possible to use "Single Sign-On with Microsoft Kerberos SSP" on Linux, or should I use "Single Sign-On with Client Certificates"?
Any help
Thanks Reza
02-16-2010 1:19 PM
Hi,
Yes, it is possible to use an SNC library that supports X.509 certificates, or you can use an SNC library which supports Kerberos tickets. Both are available from SAP partners. If you want to use X.509 certificates, then you need to issue these certificates to users, but Kerberos tickets are already being issued to users when they log on to their domain account, and you are already using Kerberos with your browser SSO (via SPNEGO login module).
An example product which supports Linux and uses Kerberos can be found on SAP EcoHub at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient
Thanks,
Tim
02-16-2010 1:22 PM
Reza,
If you visit http://forums.sdn.sap.com/search.jspa?objID=f208&q=snclinuxkerberos and click on the first link shown you will also find the answer you need.
Thanks,
Tim
02-16-2010 2:01 PM
Tim,
If I did understand you right, you are saying that I can use "Single Sign-On with Microsoft Kerberos SSP" on Linux but I need a 'third party product'?
Thanks again
Reza
02-16-2010 2:28 PM
Reza,
Yes, this is correct. However, if you are brave and have the required skills you can download an open source implementation of Kerberos, compile it on your Linux server, configure it to work with SAP and use this library. You will not get any support, and if SAP is not able to start due to some issue with the SNC library you will be stuck. The commercially available products have additional features and the vendors provide support to allow you to be confident that your users are always able to log on.
Regards,
Tim
02-16-2010 2:51 PM
Tim,
Thanks a lot for your fast reply. So there is not any way to configure SSO on Linux without changing any Kerberos code or using a 'third party product'?
Any other ideas? What about using "Single Sign-On with Client Certificates"?
Reza
02-16-2010 3:32 PM
Reza,
I thought I had explained this already.
If you want to use Kerberos, you have two options:
a) Use a third party, SAP certified product.
b) Develop your own library using an open source implementation of Kerberos.
If you want to use X.509 certificates, you have one option:
a) Use a product from the software vendor that provides an SNC library which supports X.509 certificates. I cannot mention the name of this company in this forum. For this option you would need to install client software that issues certificates for the user, but if you use Kerberos instead (see above) you would be able to use the Kerberos ticket already available after the user logs into the AD domain.
Thanks,
Tim
02-16-2010 4:51 PM
The SAP EcoHub will point you to vendors for certified SNC products (I think Tim knows one of them well).
http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=snc
Frank.