on 04-28-2010 8:58 AM
Hi,
I have configured LDAP on the NW 7.0 WebAS ABAP stack to work with Microsoft 2008 Active Directory. After configuring LDAP I am able to sync users from AD to the SAP database, and of course all the users from AD have been created in the SAP database after executing the report. But the problem is that all the users were created without a password in the SAP database.
When I researched, I found that we cannot map passwords to users in WebAS ABAP from AD. For that to work I have to configure SNC in the same system for secure communication without a password. Using config docs and help.sap.com, I have configured SNC on the same NetWeaver system where I have configured LDAP.
Now my questions are:
1. How can I confirm that the configured SNC is working fine and that I did the configuration correctly?
2. How do I integrate LDAP to work in an SNC environment with Microsoft AD?
According to SAP Note 505296, when I entered SNC data in the LDAP RFC, the connection fails with the error "Error Details SNC disabled for conversation 66505689, tp = LDAP_Host name / CPIC-CALL: 'ThSAPC"
and, as per the note, I can't find ldap_rfc.cfg in the kernel directory or in any other location to add the L= .. option.
Also, please suggest which SNC name I should enter in the SM59 SNC data for the LDAP RFC connection.
We are using NetWeaver 7.0 with ABAP+JAVA stacks on Windows 2003 Server with an MS-SQL Server database. Please suggest the next step to make LDAP work and how to solve the RFC error when SNC data is activated in SM59. Does this require any additional configuration?
I have used the cryptographic library to configure SNC. Some people suggest that we must use the Kerberos library for this to work. Is that correct? But I read that Cryptographic is also for initial authentication.
I have set the SNC_LIB and SECUDIR environment variables on the front end where SAP GUI exists, and when I try to log in I get an error like
"GSS-API(maj): No credentials were supplied
GSS-API(min): No credentials found for this name (not logged on) (User Couldn't acquire DEFAULT INITIATING Credentials"
Please suggest a solution; I have been trying for almost a week.
Thanks,
Ajay.
Dear Ajay,
The below Note might be useful for you.
https://service.sap.com/sap/support/notes/505296
Regards
Shailesh Mamidwar
Hi Shailesh,
Thanks for the reply. I have already read that note. But actually I have used the cryptographic library to configure SNC, and when I activated SNC in the LDAP RFC as per that note, the RFC connection test fails. I can't find the ldap_rfc.cfg profile in the entire system to add the L option as indicated in the SAP note. Some people are suggesting to use Kerberos, not the crypto library, to configure SNC, but I can't find the configuration steps for the Kerberos library. If you have any SSO configuration steps for the AS ABAP stack, please suggest them to me.
Thanks,
Ajay.
Hello Ajay,
Best to use SAPCRYPTOLIB; see note 597059.
However, SAPCRYPTOLIB is not licensed for use in client-server communication. If you want to encrypt all SAPGUI - SAP server communication, either use SNC with Kerberos or SNC with a third party product.
regards,
John Feely
Hi John,
I cannot see the note you have mentioned. It's giving a message like "The requested SAP Note is either in reworking or is released internally only".
I have already tried the Crypto library, but it was giving an error during logon, although the application server enabled SNC fine. I have a question. My SAP host name has a long DN like
CN=HOSTNAME,OU=SAP,OU=xxx,OU=xxx,OU=US-XXX,DC=COMP,DC=int. When I enter this DN for the parameter snc/identity/as=... and go to the STRUST transaction, it shows the SNC name only up to
CN=HOSTNAME,OU=SAP,OU=xxx,OU=xxx,OU=US-XXX. It is cutting off DC=COMP,DC=int. So what I did is I have just given
CN=HOSTNAME,DC=COMP,DC=int for the above parameter, excluding the middle OUs. Does this have any effect on authentication? If yes, what is the solution for this?
Can I use the full name even though it excludes DC=COMP,DC=int in the STRUST transaction?
Thanks,
Ajay.
Hi,
The NTLM configuration is in the note
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=352295
Download win32sso.ZIP or win64sso.ZIP, depending on the Windows version you have.
There is a PDF in the note; follow the configuration in the PDF.
It is just: copy the gx64ntlm.dll and configure some profile parameter, and then it should work.
Hi Royi,
Thanks for the note you have provided, but as I read in the configuration guide, they mention about the NTLM config that "It does not provide mutual authentication, and it does not offer data integrity or data privacy protection for the communication.", but Kerberos and crypto SNC do. So is it OK to configure NTLM?
I am trying to configure Kerberos SNC SSO but am facing a problem during configuration. Please check the link below and suggest.
Thanks,
Ajay.
Hi Ajay.
If you configure NTLM if you don't have the same user for ABAP and in the LDAP.
I can be user X in ABAP that is mapped to user Y in LDAP.
It doesn't synchronize any user data or roles.
Are you trying to configure SSL (sapcryptolib)? If so, did you create the certificate in the STRUSTSSO2 tcode?
Are you trying to synchronize LDAP users to SAP?
About the Kerberos SNC SSO, I don't know how to configure it because I haven't tried to.
NTLM is OK for you if your security men approve it.
Thanks
Roy
Hi Ahsan,
These are 2 different configurations and are simple. For SNC (ABAP stack), just follow the procedure mentioned in the guide attached to the same note where you downloaded the library. Just search for the SAP Note with the Kerberos lib; you will also find the guide.
For LDAP, create an RFC with "LDAP_SERVER NAME" and the reg server program with the same name as the RFC. The RFC test will fail until you activate the LDAP library. So just go to the LDAP transaction and you will see 3 tabs. Click on every tab and you will easily understand what to enter as inputs. That's it; activate the LDAP connector here and save everything (need to map and sync with LDAP). Run report "RSLDAPSYNC_USERS" in SE38.
Thanks,
Ajay.
Hello,
Please refer the SNC configuration guides for more details.
http://service.sap.com/security
-> Media Library
-> Literature
-> SNC User's Guide
The issue arises as the credentials for the user that is running SNC cannot be found. These are indicated by the USER and SECUDIR environment variables in the system. You can check whether these are set correctly as follows.
How to check the current setup of credentials:
- start SE38
- run report RSBDCOS0
- execute the commands
  'sapgenpse'
  'sapgenpse seclogin -l'
Then check the results and correct any issues that become visible, like:
- correct setting of profile parameters USER and SECUDIR
- invalid credentials exist and need to be removed
- valid credentials for the actual user must be provided
regards,
John Feely
Hi John,
Thanks for the reply.
I am not that familiar with SNC configuration. I have disabled SNC for now and I will let you know the result once I try the options you have suggested.
Meanwhile, do you suggest using the Cryptographic library for SNC, or Kerberos? Which one is suitable for me? Could you check section 4.8 in the SNC user guide? I have decided to configure using NTLM SSO. Do you think the Crypto library that I have already configured will work for me? One more thing is that we want to configure SSO to many systems from the GUI, not for a single system.
Please suggest.
Thanks,
Ajay.
Hello,
You don't have to install the cryptographic library for using SSO by SNC - the cryptographic library is for SSL communication.
Do you have to work with the cryptographic library?
If not, SNC is simpler.
Thanks
Roy
Hi Roy,
We have configured LDAP but cannot sync passwords for users from AD to SAP. For that we need to work with SNC to enable OS authentication. To achieve this, what do I need to configure?
SNC with the Cryptographic library, or with Kerberos, or any other method?
How do I configure SSO for this setup?
Thanks,
Ajay.