11-04-2010 1:11 PM
Is there a way to do sso (kerberos) from sapgui from external customers using saprouter?
11-04-2010 1:22 PM
Eduardo,
When using SAP GUI with SNC, the SNC library used is completely separate and independent of any SNC library used by a SAP router. Basically, SAP GUI SNC communicates with SAP ABAP SNC and SAP Router SNC communicates with SAP Router SNC. You can even use different SNC libraries and protocols for SAP router SNC compared to SAP GUI & SAP ABAP SNC.
If you need to secure a connection from SAP GUI to SAP ABAP system, then you need to use an SNC library on both ends which is SAP certified (assuming your SAP server is on UNIX or Linux). In this case there is no SAP router used/involved, but you might have SAP router installed anyway for other reasons. The SAP GUI SNC security is end-to-end.
Thanks,
Tim
11-04-2010 1:48 PM
Hi Tim,
Thanks for fast reply.
The facts involved are:
a) SAP hosted on remote server (ISP, I don't know the specific reasons, but the customer is the customer...)
b) Dedicated private connection between hosted SAP and internal customer network (only AD access)
c) Internal network workstations already using SapGui/SNC/SSO/Kerberos/AD
How to allow external customers to use SapGui (Windows, no HTML) with a similar configuration (but no VPN)?
Can I use the Kerberos lib for WinGui the same as in c) and saprouter cryptolib?
Workarounds or some product from partner?
Regards
11-04-2010 1:56 PM
Eduardo,
If Kerberos is installed on the SAP ABAP system at the customer and they are using an SNC library for internal use (you didn't mention which one) you can use the same SNC library used on the internal network on the remote workstations running SAP GUI. These users would also need to authenticate to AD using cached credentials or using a separate Kerberos authentication before they log on to SAP GUI and connect to the customer's SAP ABAP system.
I don't see any need for SAP Router, or for SAP Cryptolib.
It is only possible for a SAP system to use one SNC library at a time, and it seems they already have an SNC library which they are using for internal users to log on.
In summary:
1) need to check correct ports are open on firewall
2) confirm if user can authenticate with AD on remote computer before they log on to SAP
It would be easier for me to help you if you had a detailed network diagram showing the connectivity involved. I want to make sure you understand how to solve this, and you would need to make sure the solution is secure.
Thanks,
Tim
11-04-2010 2:12 PM
Tim,
We are using gsskrb5.dll
Ports for access to SAP or AD (Kerberos)???
Thanks a lot, Tim
A summary of facts:
A workaround is to open the Kerberos port as you said (or a routing table between SAP and AD) or to use a third-party product
Edited by: Eduardo Goicovich on Nov 4, 2010 4:44 PM
11-08-2010 1:56 PM
Is encryption your main motive or just SSO...
For encryption, I will suggest IPsec on host...
For SSO... NTLM... (Kerberos will also include encryption, but it looks like it's not required in your case...)
Hope I understood correctly
regards,
Surpreet