SNC with and without SSO to Windows AD

nelis

Hi,

Firstly, are there any SNC solutions using the Windows SAPgui that permit Windows AD (or Novell eDirectory) authentication without SSO from an SAP ABAP Unix/Linux server-based environment? I've searched around and it appears all use Kerberos, which is SSO.

Secondly, I am having a hard time convincing people that SSO over SNC is secure, as there is always the worry about leaving desktops unlocked etc. How do you convince them otherwise? I thought maybe providing references from large SAP-based customers might help; can anyone provide any? I don't need contact information, just well-known SAP establishments that use it.

Many thanks.

Regards,

Nelis

1 ACCEPTED SOLUTION

Former Member

@ Nelis:

Firstly... you will not find customers publicly confessing to this approach, but will find some complaints down the line if you search on SDN for the term "poor man's SSO" or even "stupid"...

There are two "hacks" to either synchronize the password or to store it and feed it to the logon screen, but these are very insecure and not scalable. It will be faster and cheaper to go for a real solution.

Secondly... you can go to the EcoHub (see the tab above) and search for "SNC" to find vendors of these libraries and then check their reference customers.

Finally.... if the user does not lock their PC then the "attacker" can send mails to the helpdesk or look in the file system for one called "passwords.xls", etc, etc.

@ Franklin: You can use SNC with NWAS Java when it acts as client or server in application server communications, but not from the browser.

Cheers,

Julius

5 REPLIES

Former Member

Hi,

That's the same situation I am in:

I have convinced them by saying SNC works only for ABAP stacks; we will be having problems with Java stacks.

From your statement it looks like you have plans to use ABAP database integrated with active directory to have the single sign on.

I would think asking them to connect AD to the EP (Java only) UME will be a better option, so that you can get single sign-on services for both ABAP systems and Java-only systems by creating the trusts from the Enterprise Portal.

Please read this topic : SPNego for Kerberos Authentication (New)

at this link: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/43/65c078b39b0398e10000000a1553f6/frameset.htm

The above page has lot of information regarding Kerberos.


Hi Julius,

Can you please let me know if my approach is correct? The customer is insisting that they do not want to have a producer and consumer portal setup; they just want one EP (Java only, with all the content and business packages) with AD integrated to it, with the final goal of having single sign-on from the EP to the complete landscape.

From your reply I understood that if the application server is installed as a Java+ABAP stack, SNC is possible. Is that a correct statement?

Edited by: Franklin Jayasim on Jul 15, 2010 9:27 PM


SNC is possible for server to server communication where the AS Java can be the client or the server.

But the client cannot be the browser of the end user...

The ancient way of doing this is via RFC logon data in connections.

The antiquated way, which is easy to implement, is via SSO2 tickets.

State of the art is to centrally manage the users, provision them to the backend and authenticate them centrally.

There are many threads about this; "SAML" is your search term.

Cheers,

Julius

tim_alsop

> Hi,

> Firstly, are there any SNC solutions using the Windows SAPgui that permit Windows AD (or Novell eDirectory) authentication without SSO from an SAP ABAP Unix/Linux server-based environment? I've searched around and it appears all use Kerberos, which is SSO.

Yes, there are. The way they work (when SSO is not required) is as follows:

1. user logs onto windows workstation using Kerberos authentication (via eDirectory or MS AD)

2. user starts SAP GUI via SAP Logon and presses Logon button

3. user gets a new SignOn screen where they can enter an AD or eDirectory account/password. This authentication will cause Kerberos tickets to be issued

4. The SAP GUI software is configured to use SNC, so the SNC library will be able to use the credentials issued at step 3 to authenticate the user to SAP ABAP, and possibly encrypt the session or add integrity.

> Secondly, I am having a hard time convincing people that SSO over SNC is secure, as there is always the worry about leaving desktops unlocked etc. How do you convince them otherwise? I thought maybe providing references from large SAP-based customers might help; can anyone provide any? I don't need contact information, just well-known SAP establishments that use it.

If you use a solution such as described in answer 1 above, you can enable SSO later (for all users or some users) and then SNC will be possible with Kerberos for authenticating users without them needing to re-authenticate.

> Many thanks.

> Regards,

> Nelis
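Step 4 of the flow above ends with the ABAP application server accepting the Kerberos credential through its SNC library. As an added example (not from this thread and not taken from any vendor's product documentation), here are the ABAP instance profile parameters that control that server side, with the weak "authentication only, password fallback for everyone" setting shown commented out beside the hardened one. The library path, the server's SNC identity and the Kerberos realm are placeholders and assumptions; the parameter names themselves are the standard snc/* profile parameters.

```ini
# Added example: ABAP instance profile (DEFAULT.PFL or <SID>_<instance>_<host>).
# Library path, SNC name and realm below are placeholders (assumptions).

# Switch SNC on and point the kernel at the GSS-API v2 shared library
snc/enable = 1
# assumed path to the vendor's GSS-API library
snc/gssapi_lib = /usr/sap/SID/SYS/exe/run/libsncgss.so

# SNC name of the application server itself (its Kerberos service principal);
# the exact form depends on the SNC library, this one is an assumption
snc/identity/as = p:SAP/sapsvc@EXAMPLE.COM

# Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy
# Weak: clients may negotiate an authenticated but unencrypted session
# snc/data_protection/min = 1
# snc/data_protection/max = 3
# snc/data_protection/use = 3
# Hardened: every SNC connection gets integrity protection and encryption
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3

# Password logon without SNC:
# 1 = accept from everyone (SNC becomes optional), 0 = reject,
# U = accept only for users flagged "insecure communication permitted" in SU01.
# Weak: leaves plain-password logon open for every user and RFC client
# snc/accept_insecure_gui = 1
# snc/accept_insecure_rfc = 1
# snc/accept_insecure_cpic = 1
# Rollout setting for the "enable SSO later for some users" case in the answer
# above; move to 0 once every client is SNC-capable
snc/accept_insecure_gui = U
snc/accept_insecure_rfc = U
snc/accept_insecure_cpic = U

# Fail closed: do not start the instance if the SNC library cannot be initialised
snc/permit_insecure_start = 0
```

After a restart, each user still needs their Kerberos principal entered as an SNC name on the SNC tab in SU01 (the form of the name, for example `p:user@REALM`, again depends on the SNC library), and the SAP GUI connection entry must be set to the same SNC name for the server. With `snc/data_protection/min = 3` an SNC client that can only do authentication is refused rather than silently downgraded, which is the point to check when someone asks whether "SSO over SNC" also protects the session on the wire.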