sapgui kerberos saprouter (no vpn)

former_member782872
Discoverer
0 Kudos

Is there a way to do sso (kerberos) from sapgui from external customers using saprouter?

5 REPLIES 5

tim_alsop
Active Contributor
0 Kudos

Eduardo,

When using SAP GUI with SNC, the SNC library used is completely separate and independent of any SNC library used by a SAP router. Basically, SAP GUI SNC communicates with SAP ABAP SNC and SAP Router SNC communicates with SAP Router SNC. You can even use different SNC libraries and protocols for SAP router SNC compared to SAP GUI & SAP ABAP SNC.

If you need to secure a connection from SAP GUI to SAP ABAP system, then you need to use an SNC library on both ends which is SAP certified (assuming your SAP server is on UNIX or Linux). In this case there is no SAP router used/involved, but you might have SAP router installed anyway for other reasons. The SAP GUI SNC security is end-to-end.

Thanks,

Tim

0 Kudos

Hi Tim,

Thanks for fast reply.

The facts involved are:

a) SAP hosted on remote server (ISP, I don't know the specific reasons, but the customer is the customer...)

b) Dedicated private connection between hosted SAP and internal customer network (only AD access)

c) Internal network workstations already using SapGui/SNC/SSO/Kerberos/AD

How to allow external customers to use SapGui (Windows, no HTML) with similar configuration (but no VPN)?

Can I use the Kerberos lib for WinGui the same as in c) and saprouter cryptolib?

Workarounds or some product from a partner?

Regards

tim_alsop
Active Contributor
0 Kudos

Eduardo,

If Kerberos is installed on SAP ABAP system at customer and they are using an SNC library for internal use (you didn't mention which one) you can use the same SNC library used on internal network on the remote workstations running SAP GUI. These users would also need to authenticate to AD using cached credentials or using a separate Kerberos authentication before they logon to SAP GUI and connect to the customer's SAP ABAP system.

I don't see any need for SAP Router, or for SAP Cryptolib.

It is only possible for a SAP system to use one SNC library at a time, and it seems they already have an SNC library which they are using for internal users to logon.

In summary:

1) need to check correct ports are open on firewall

2) confirm if user can authenticate with AD on remote computer before they logon to SAP

It would be easier for me to help you if you had a detailed network diagram showing the connectivity involved. I want to make sure you understand how to solve this, and you would need to make sure the solution is secure.

Thanks,

Tim

0 Kudos

Tim,

We are using gsskrb5.dll

Ports for access to SAP or AD (Kerberos)???

Thanks a lot, Tim

A summary of facts:

A workaround is to open the Kerberos port as you said (or a routing table between SAP and AD), or to use a third-party product.

Edited by: Eduardo Goicovich on Nov 4, 2010 4:44 PM

Former Member
0 Kudos

Is encryption your main motive, or just SSO.......

For encryption, I will suggest IPsec on host.......

For SSO.. NTLM......(Kerberos will also include encryption, but looks like it's not required in your case)........

Hope I understood correctly

regards,

Surpreet