LDAP under SNC environment with Microsoft AD on NW 7.0

Former Member
0 Kudos

Hi Experts,

I have configured LDAP on the NW 7.0 WebAS ABAP stack to work with Microsoft 2008 Active Directory. After configuring LDAP I am able to sync users from AD to the SAP database, and of course all the users from AD have been created in the SAP database after executing the report. But the problem is that all the users are created without a password in the SAP database.

When I researched, I found that we cannot map passwords to users in WebAS ABAP from AD. For that to work I have to configure SNC in the same system for secure communication without a password. Using config docs and help.sap.com I have configured SNC on the same NetWeaver system where I have configured LDAP.

Now my questions are:

1. How do I confirm that the configured SNC is working fine and that I did the correct configuration?

2. How do I integrate LDAP to work in an SNC environment with Microsoft AD?

According to SAP note # 505296, when I entered the SNC data in the LDAP RFC, the connection fails with the error "Error Details SNC disabled for conversation 66505689, tp = LDAP_Host name / CPIC-CALL: 'ThSAPC"

and, as per the note, I can't find ldap_rfc.cfg in the kernel directory or in any other location to add the L= .. option.

Also, please suggest which SNC name I should enter in the SM59 SNC data for the LDAP RFC connection.

We are using NetWeaver 7.0 with ABAP+JAVA stacks on Windows 2003 Server with an MS-SQL Server database. Please suggest the next step to make LDAP work and how to solve the RFC error when SNC data is activated in SM59. Does this require any additional configuration?

Thanks,

Ajay

Accepted Solutions (1)

Former Member
0 Kudos

> But the problem is all the users created without password in SAP database.

Correct. Actually it's not "you cannot", it's "you don't need to" instead.

Working as trusted systems with logonticket, SAP doesn't verify the password as long as the user name is identical on both systems and they're trusted systems to each other. For instance, you have 2 instances: ECC ABAP and Portal ESS/MSS with SSO configured to use LDAP, with certificates imported on both sides as trusted systems. The user has a different password on ECC ABAP and LDAP, but the user ID is the same. So, with logonticket, ECC ABAP accepts requests of this user from the Portal without verifying its identity again.

> 1. How to confirm that configured SNC is working fine and did correct configuration?

> 2. How to Integrate LDAP to work in SNC environment with Microsoft AD.

I don't see how using LDAP to map user IDs is relevant to using SNC SSO in your case. If you want to enable NW 7.0 WebAS ABAP stack users to log in to SAP without providing credentials as long as they are already logged in to their PC with a qualified domain user, it's more likely that you want SNC SSO, and it doesn't require the user ID to be identical between SAP and LDAP. Please refer to this link:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0d/482bb8013243f1b6e2439091e3022f/content.htm

Former Member
0 Kudos

Hi Fan,

We are configuring entirely on the ABAP stack. As you said, for SNC SSO on the ABAP stack, don't we require LDAP to be configured?

Then how would the users be synced with Microsoft AD? And doesn't LDAP play any role in user authentication?

I have used exactly the same procedure as in the link below to configure SNC.

http://developers.sun.com/docs/javacaps/configuring/jcapscfgsnetsap.ggrqn.html

Is this procedure correct for SNC SSO on the ABAP stack?

I have also read the link you sent. It seems the procedure is almost the same, I think. This is my first SNC configuration.

Please also tell me how to confirm that SNC is working fine.

I have configured it and provided the canonical name in SU01; now how do I log in? It's asking for a password, and when I enter one it says there is no password for the users I synced from Microsoft AD.

Should I compulsorily suppress the login screen?

Thanks,

Ajay.

Former Member
0 Kudos

Simply put, to enable SNC SSO:

1. Activate the SNC parameter and the secu library

2. Now SAP trusts the specific domain you provided in the parameter; you need to map users in SU01 --> SNC tag

3. Enable the SNC option in the logon pad

Compared to SSO with logonticket, SNC is more like user mapping, since you need to do some work in SU01.

Regards,
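One way to check step 1 of the list above from the instance profile, as an added example that is not part of the original thread. The parameter names are the standard SNC profile parameters; the sample profile, its library path and its SNC name are constructed placeholders.

```python
# Constructed sample instance profile (placeholder values, not from the thread).
SAMPLE_PROFILE = """\
# constructed example
snc/enable = 1
snc/gssapi_lib = C:\\path\\to\\gsslib.dll
snc/identity/as = p:SAPServiceEXAMPLE@EXAMPLE.LOCAL
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def check_snc(params):
    """Return (severity, message) findings for the SNC-related parameters."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("error", "snc/enable is not 1: SNC is inactive"))
    if not params.get("snc/gssapi_lib"):
        findings.append(("error", "snc/gssapi_lib is not set: no library to load"))
    identity = params.get("snc/identity/as", "")
    if not (identity.startswith("p:") and len(identity) > 2):
        findings.append(("error", "snc/identity/as must be an SNC name 'p:...'"))
    # Fallbacks: when set to 1 the server still accepts connections without SNC,
    # so a password logon screen can appear even though SNC itself is active.
    for kind in ("gui", "rfc", "cpic"):
        if params.get("snc/accept_insecure_" + kind) == "1":
            findings.append(("warn", "snc/accept_insecure_%s = 1: %s connections "
                             "without SNC are still accepted" % (kind, kind.upper())))
    return findings

if __name__ == "__main__":
    for severity, message in check_snc(parse_profile(SAMPLE_PROFILE)):
        print("%-5s %s" % (severity, message))
```

An empty result means the profile side is consistent; the user mapping in SU01 and the SNC setting in the logon pad (steps 2 and 3) still have to be checked separately.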

Former Member
0 Kudos

I have used the cryptographic library to configure SNC. Does this work, or do we need to configure it with the Kerberos library?

I have set the SNC_LIB and SECUDIR environment variables on the front end where SAP GUI is installed, and when I try to log in I get an error like

"GSS-API(maj): No credentials were supplied

GSS-API(min): No credentials found for this name (not logged on) (User Couldn't acquire DEFAULT INITIATING Credentials"

Please suggest steps to perform to solve this problem.

Thanks,

Ajay

Former Member
0 Kudos

Configured with Kerberos SNC.

Answers (0)