
How to configure SSO on SAPgui for html (webgui, no portal).

Former Member
0 Kudos

Dear forum,

I know this has been asked before, but I have not found a clear solution and I cannot seem to get SSO for webgui to work.

THE SITUATION:

Our users use normal SNC logon to ECC6 Abap using SAPgui for Windows, which is all enabled and working.

Now we want to enable a few remote users to access 1 transaction (Cat2) via Sapgui for Html, using the integrated ITS. We do not want to set up EP, ESS etc for this which is over the top for what we require: just webgui via its. We have a dual-stack ECC6.0, on patch level EHP4+ SPS17, that should be enough I think to get something working.

THE PROBLEM:

After setting up the services in SICF and publishing services in SE80, we can reach the application ok using the webgui url:

http://<hostname>.<domain>:8000/sap/bc/gui/sap/its/webgui

At the moment this issues a normal logon prompt. We want to get rid of that so the user can log in without logon prompt.

login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 2. We also set the FQDN in the hosts file, but the prompt still appears.

SSO2 check gives green light.

QUESTION:

Can anyone help? I'm not even sure if I'm on the right track here! Thanks in advance.

Patrick (alias Go-the-Dockers)

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

Cristiano is correct. X.509 is the way to go unless you get a login ticket by other means.

Other means for example is EP or your <ECC6>:50000/nwa link.

If you open the HTML GUI via an Intranet web page, you could change the intranet page to load <ECC6>:50000/nwa automatically in the background (e.g. a hidden frame). The logon ticket then enables your users to login to SAP without a password.

Regards,

Thomas.

Answers (1)

Former Member
0 Kudos

Once I have logged in via webgui & logonid/password, then I can go in again without being prompted for logon, unless we close IE completely. Then we would need to enter uid/pw again to authenticate. We need to get rid of this initial logon prompt.

QUESTIONS

I do not understand how this is meant to work for initial authentication.

For example, Sapgui for Windows references a dll via the 'SNC_LIB' environment variable to help verify the logged on network user against the AD. What does Sapgui for html in an IE browser use??

Q1. Is it possible to configure initial authentication for integrated ITS webgui on ECC6 SP17 using NTLM?

If not, then maybe we have to use something else for initial authentication, like SPNego+Kerberos via the J2EE stack.

Q2. If we configured the j2ee stack of ECC6 to authenticate using SPNego/Kerberos (using port 50000), then how to give the user seamless access into the webgui transaction (ICM http port 8000) just by clicking a link?

Your advice/helpful tips are greatly appreciated.

cris_hansen
Advisor
0 Kudos

Hi Patrick,

If you want to have SSO from your local PC to your IE, then you need to use X.509 certificates.

You can review this documentation: http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/frameset.htm

You also can visit the following SCN blogs:

/people/andre.fischer/blog/2010/03/31/single-sign-on-technologies-supported-by-the-sap-netweaver-application-server-as-a-service-provider-in-microsoft-based-environments

and

/people/andre.fischer/blog/2010/05/27/single-sign-on-for-sap-netweaver-leveraging-x509-certificate-auto-enrollment-in-microsoft-active-directory

Last but not least, you can also play the preview from this SAP TechEd session:

http://www.sdn.sap.com/irj/scn/subscriptions/content?rid=/media/uuid/b0b64ecd-0362-2b10-5387-a8868f5...

Following this documentation you should be able to have the SSO working.

Now, about the fact that you are not prompted for the user/password after logoff (and not closing the web browser window), you can review the following SAP notes:

1058529 - Incomplete logoff for ITS applications

1039335 - Incomplete logoff from an ITS WebGUI application

735612 - Deleting the SAP logon ticket for ITS applications

I hope this helps.

Best regards,

Cristiano

Former Member
0 Kudos

Thank you Cristiano, for a helpful post. Some good articles there.

I have a question though: aren't X.509 certificates a big hammer to crack such a small nut?

We are a small company, and we already use SPNego+Kerberos authentication for BW Web Reporting.

CATS via Webgui gives us a much easier-to-implement solution for our little requirement than full ESS/MSS, so... here is where we're at.

Here, I can get in using webgui/Sapgui for Html, without a prompt for a user+password. So in principle it can work:

1. I open an IE browser & go to the ECC6 java stack nwa, authenticating using SPNego/Kerberos

http://<ECC6 hostname>.<domain>:50000/nwa

2. From the nwa screen, we invoke SAPgui for Html using this ECC6 webgui url (the Abap stack is configured to accept & create logon tickets)

http://<ECC6 hostname>.<domain>:8000/sap/bc/gui/sap/its/webgui/?

... and we get into SAP.

Now we just need to tie things up into a single url that we can roll out to end-users. It seems we may need some redirect function. But how to do this for webgui service? Has anyone done this?

With best regards,

Patrick.
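Added example (not part of the original thread, and not SAP code): the two-step flow above works because browser cookies are scoped by host/domain and path, not by port, so a logon ticket cookie (MYSAPSSO2) issued on port 50000 is also presented on port 8000 of the same FQDN. The sketch below applies the RFC 6265 matching rules to check whether a ticket cookie would be sent to a given webgui URL; the host names and cookie attributes are constructed sample values.

```javascript
// RFC 6265 domain-match: exact host, or suffix match on a label boundary.
// IP literals never suffix-match a cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// RFC 6265 path-match: cookie path must be a prefix ending on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for targetUrl?
// Note that the port of targetUrl plays no part in the decision.
function ticketSent(cookie, targetUrl) {
  const u = new URL(targetUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain.toLowerCase()
    : domainMatch(u.hostname, cookie.domain);
  return hostOk && pathMatch(u.pathname, cookie.path);
}

// Constructed sample: ticket set by the Java stack (port 50000) for the domain.
const sampleTicket = {
  name: "MYSAPSSO2",
  domain: "corp.example", // assumed Domain attribute
  path: "/",
  hostOnly: false,
  secure: false,
};

// Constructed webgui URLs on the ABAP ICM port.
const viaFqdn = "http://ecc6.corp.example:8000/sap/bc/gui/sap/its/webgui";
const viaShortName = "http://ecc6:8000/sap/bc/gui/sap/its/webgui";
const viaIp = "http://10.0.0.5:8000/sap/bc/gui/sap/its/webgui";
```

With these rules the ticket reaches the webgui only when the browser uses the fully qualified host name; a short host name or an IP address in the rolled-out link produces the logon prompt again. A ticket marked Secure is withheld from plain http URLs such as the ones in this thread.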

cris_hansen
Advisor
0 Kudos

Hi Patrick,

I have a question though: aren't X.509 certificates a big hammer to crack such a small nut?

Well, I don't think so... It might be a little bit complicated to implement, but it is the solution for this case.

You may also have a look at SAP note 1257108 - you can see the SSO possibilities.

Regards,

Cristiano