LDAP under SNC environment with Microsoft AD on NW 7.0

Former Member
0 Kudos

Hi,

I have configured LDAP on NW 7.0 WebAS ABAP stack to work with Microsoft 2008 Active Directory. After configuring LDAP I am able to sync users from AD to the SAP database, and of course all the users from AD have been created in the SAP database after executing the report. But the problem is that all the users are created without a password in the SAP database.

When I researched, I found that we cannot map passwords to users in WebAS ABAP from AD. For that to work I have to configure SNC in the same system for secure communication without a password. Using config docs and help.sap.com I have configured SNC on the same NetWeaver system where I have configured LDAP.

Now my questions are:

1. How do I confirm that the configured SNC is working fine and that I did the correct configuration?

2. How do I integrate LDAP to work in an SNC environment with Microsoft AD?

According to SAP Note 505296, when I gave SNC data in the LDAP RFC, the connection fails with the error "Error Details SNC disabled for conversation 66505689, tp = LDAP_Host name / CPIC-CALL: 'ThSAPC"

and, as per the note, I can't find ldap_rfc.cfg in the kernel directory or in any other location to add the L= .. option.

Also, please suggest which SNC name I should mention in the SM59 SNC data for the LDAP RFC connection.

We are using NetWeaver 7.0 with ABAP+JAVA stacks on Windows 2003 Server with an MS-SQL Server database. Please suggest the next step to make LDAP work and how to solve the RFC error when SNC data is activated in SM59. Does this require any additional configuration?

I have used the cryptographic library to configure SNC. Some people suggest that we must use the Kerberos library for this to work. Is that correct? But I read that the cryptographic library is also for initial authentication.

I have set the SNC_LIB and SECUDIR environment variables on the front end where SAP GUI exists, and when I try to log in I get an error like

"GSS-API(maj): No credentials were supplied

GSS-API(min): No credentials found for this name (not logged on) (User Couldn't acquire DEFAULT INITIATING Credentials"

Please suggest some solution; I have been trying for almost a week.

Thanks,

Ajay.

Accepted Solutions (1)

Former Member
0 Kudos

Dear Ajay,

The below Note might be useful for you.

https://service.sap.com/sap/support/notes/505296

Regards

Shailesh Mamidwar

Former Member
0 Kudos

Hi Shailesh,

Thanks for the reply. I have already read that note. But actually I have used the cryptographic library to configure SNC, and when I activated SNC in the LDAP RFC as per that note, the RFC connection test fails. I can't find the ldap_rfc.cfg profile in the entire system to add the L option as indicated in the SAP note. Some people are suggesting to use Kerberos, not the crypto library, to configure SNC, but I can't find the configuration steps for the Kerberos library. If you have any SSO configuration steps for the AS ABAP stack, please suggest them to me.

Thanks,

Ajay.

Answers (3)

former_member189546
Active Contributor
0 Kudos

Hello Ajay,

Best to use SAPCRYPTOLIB, see note 597059.

However, SAPCRYPTOLIB is not licensed for use in client-server communication. If you want to encrypt all SAPGUI - SAP server communication, either use SNC with Kerberos or SNC with a third party product.

Regards,

John Feely

Former Member
0 Kudos

Hi John,

I cannot see the note you have mentioned. It's giving a message like "The requested SAP Note is either in reworking or is released internally only".

I have already tried with the Crypto library, but it was giving an error during logon, although the application server enabled SNC fine. I have a question. My SAP host name has a long DN like

CN=HOSTNAME,OU=SAP,OU=xxx,OU=xxx,OU=US-XXX,DC=COMP,DC=int. This is long; when I mention this DN for the parameter snc/identity/as=... and go to the STRUST transaction, it gives the SNC name only up to

CN=HOSTNAME,OU=SAP,OU=xxx,OU=xxx,OU=US-XXX. It is cutting DC=COMP,DC=int. So what I did is I have just given

CN=HOSTNAME,DC=COMP,DC=int for the above parameter, excluding the middle OUs. Does this have any effect on authentication? If yes, what is the solution for this?

Can I use the full name even though it excludes DC=COMP,DC=int in STRUST transaction?

Thanks,

Ajay.

Former Member
0 Kudos

Hi,

NTLM configuration is in note

https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=352295

Download win32sso.ZIP or win64sso.ZIP, depending on the Windows version you have.

There is a PDF in the note; follow the configuration in the PDF.

It is just copying the gx64ntlm.dll and configuring some profile parameters, and then it should work.

Former Member
0 Kudos

Hi Royi,

Thanks for the note you have provided, but as I read in the configuration guide, they mention about the NTLM config that "It does not provide mutual authentication, and it does not offer data integrity or data privacy protection for the communication." but Kerberos and crypto SNC do. So is it OK to configure NTLM?

I am trying to configure Kerberos SNC SSO but am facing a problem during configuration. Please check the link below and suggest.

Thanks,

Ajay.
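An added example, not part of any post in this thread: a small Python check that reads SNC parameters from an instance profile and flags the settings that matter for the NTLM question above, namely protection levels held at authentication only and acceptance of connections without SNC. The sample profile is constructed, its library path and SNC name are placeholders, and the level meanings (1 authentication only, 2 integrity, 3 privacy) are taken from SAP's SNC parameter documentation rather than from this thread.

```python
# Added example: review SNC-related parameters in an SAP instance profile.
# SAMPLE_PROFILE is constructed; the library path and SNC name are placeholders.
SAMPLE_PROFILE = """snc/enable = 1
snc/gssapi_lib = <path to GSS-API library>
snc/identity/as = p:<SNC name of the application server>
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only, so a DN value such as CN=...,DC=... survives.
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def review_snc(params):
    """Return a list of (parameter, finding) tuples for weak or missing settings."""
    if params.get("snc/enable") != "1":
        return [("snc/enable", "SNC is not enabled")]
    findings = []
    for name in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(name):
            findings.append((name, "required for SNC but not set"))
    # Level 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
    for name in ("max", "min", "use"):
        key = "snc/data_protection/" + name
        if params.get(key) == "1":
            findings.append((key, "authentication only: no integrity or privacy protection"))
    # 1 = unprotected connections accepted, U = decided per user, 0 = rejected.
    for name in ("gui", "rfc", "cpic"):
        key = "snc/accept_insecure_" + name
        value = params.get(key, "").upper()
        if value in ("1", "U"):
            findings.append((key, "connections without SNC are accepted (value %s)" % value))
    return findings

if __name__ == "__main__":
    for parameter, finding in review_snc(parse_profile(SAMPLE_PROFILE)):
        print(parameter, "->", finding)
```

Run it against a copy of the instance profile; an empty result means none of the checked settings is weak, not that SNC logon works end to end.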

Former Member
0 Kudos

Hi Ajay.

If you configure NTLM if you don't have the same user for ABAP and in the LDAP.

I can be user X in ABAP that is mapped to user Y in LDAP.

It doesn't synchronize any user data or roles.

Are you trying to configure SSL (sapcryptolib)? If so, did you create the certificate in the STRUSTSSO2 tcode?

Are you trying to synchronize LDAP users to SAP?

About the Kerberos SNC SSO, I don't know how to configure it because I haven't tried to.

NTLM is OK for you if your security men approve it.

Thanks

Roy

Former Member
0 Kudos

Hi Royi,

I have configured SNC using Kerberos which is very simple now.

Thanks.

Former Member
0 Kudos

Hi Ajay,

I am also configuring SSO using Secure Login Libraries, i.e. SAPCRYPTOLIB. I am stuck at the RFC and LDAP connector.

I would highly appreciate it if you could provide me further steps to achieve this SSO between Windows ADS users and SAP users.

Thanks

Ahsan.

Former Member
0 Kudos

Hi Ahsan,

These are 2 different configurations and are simple. For SNC (ABAP stack) just follow the procedure mentioned in the guide attached to the same note where you have downloaded the library. Just search for the SAP Note with the Kerberos lib; you will also find the guide.

For LDAP, create an RFC with "LDAP_SERVER NAME" and register the server program with the same RFC name. The RFC test will fail until you activate the ldap library. So just go to the LDAP transaction and you will see 3 tabs. Click on every tab and you will easily understand what to enter as inputs. That's it; activate the ldap connector here and save everything (need to map and sync with ldap). Run report "RSLDAPSYNC_USERS" in SE38.

Thanks,

Ajay.

Former Member
0 Kudos

RFC connection fails until you activate LDAP Connector (not library) in Tx LDAP.

former_member189546
Active Contributor
0 Kudos

Hello,

Please refer the SNC configuration guides for more details.

http://service.sap.com/security

-> Media Library

-> Literature

-> SNC User's Guide

The issue arises as the credentials for the user that is running the SNC cannot be found. These are indicated by the USER and SECUDIR environmental variables in the system. You can check if these are set correctly by the following:

How to check the current setup of credentials:

- start SE38

- run report RSBDCOS0

- execute the commands

'sapgenpse'

'sapgenpse seclogin -l'

Then, check the results and correct the issues becoming visible, like:

- correct setting of profile parameters USER and SECUDIR

- invalid credentials exist and need to be removed

- valid credentials for the actual user must be provided

regards,

John Feely

Former Member
0 Kudos

Hi John,

Thanks for the reply.

I am not that familiar with SNC configuration. I have disabled SNC for now and I will let you know the result once I try the options you have suggested.

Meanwhile, do you suggest using the cryptographic library for SNC or Kerberos? Which one is suitable for me? Could you check section 4.8 in the SNC user guide? I have decided to configure using NTLM SSO. Do you think the Crypto library that I have already configured will work for me? One more thing is that we want to configure SSO to many systems from the GUI, not for a single system.

Please suggest.

Thanks,

Ajay.

Former Member
0 Kudos

Hello,

You don't have to install the cryptographic library for using SSO by SNC - the cryptographic library is for SSL communication.

Do you have to work with the cryptographic library?

If not, SNC is simpler.

Thanks

Roy

Former Member
0 Kudos

Hi Roy,

We have configured LDAP but cannot sync passwords for users from AD to SAP. For that we need to work with SNC to enable OS authentication. To achieve this, what do I need to configure?

SNC with the cryptographic library, with Kerberos, or any other method?

How do I configure SSO for this setup?

Thanks,

Ajay.