SSO & SAPGUI

Former Member
0 Kudos

Hello,

I am studying how to set up SSO in our SAP landscape. We are currently on SAP NetWeaver 7.01 EhP4 but we do not have the SAP Portal. We have CUA set up for our project systems. All our users access SAP through the SAPgui interface.

We also have a Microsoft Active Directory, but it is not connected to SAP. (We do not wish to do it if possible, due to internal usage restrictions.)

Each time I find documentation on SSO, it is always describing a solution with a portal or a Web based access configuration.

I have heard of Kerberos (Microsoft?) + CUA & SAPgui access without a portal. Is it possible?

For SSO :

- Is it possible to do SSO without an LDAP connection and only CUA?

- Is CUA mandatory or not to set up SSO?

Please clarify that for me if you can, thanks!

13 REPLIES

tim_alsop
Active Contributor
0 Kudos

Hi,

As you know, SAP GUI for Windows or Java authentication normally uses a userid and password entered by the user and stored in the SAP user store on the ABAP system. The only way to use a different authentication method is to use the SNC support included in SAP GUI and SAP ABAP. The SNC library should support Kerberos if you want to use it with Active Directory. The user will then log on to the Windows domain, open SAP Logon, press the Logon button and will be authenticated to SAP using the credentials obtained during their initial Windows workstation logon.

You do not need CUA, but if you have a complex landscape, the CUA tool can be useful to manage users in SAP systems. This is not a prerequisite for using SNC with SAP GUI for Kerberos authentication.

If your SAP system is on Windows servers, you can use the SNC library provided by SAP and this will give you what you need. If, however, your SAP system is on UNIX or Linux, you need to buy a SAP certified product. There are a few listed in the SAP EcoHub. Just search in EcoHub for Kerberos Active Directory SNC.

Let me know if this is not clear, or if you have any further questions.

Thanks,

Tim

Former Member
0 Kudos

Hello Tim,

Thanks for your quick & helpful reply.

Please find additional questions, to be sure that I have really understood:

When you talk about Kerberos, is it mandatory to use it with Active Directory or not?

Is there any other technical solution than Kerberos to use the SNC library? Where can I find them?

Does it mean that using SNC requires something else to work, or does SAP provide its own protocol?

What is not clear:

Our SAP systems are on AIX systems. Does it mean that Kerberos is not the right solution?

Do I need to find the equivalent for AIX systems?

So it is totally independent from the OS of our laptops?

Thanks

tim_alsop
Active Contributor
0 Kudos

Hi again,

I am pleased it helped.

I was half expecting you to ask additional questions. It is best to be sure you understand, and easy to get confused.

The Active Directory product uses Kerberos protocol to authenticate users, so if you don't use Kerberos, you won't be able to work well with Active Directory domain authentication, and hence provide SSO to users. This is because the user has already authenticated themselves using Kerberos when they logon to their workstation. The solution I am describing just takes advantage of this fact and means the user doesn't need to re-authenticate using a different protocol.

You said 'any technical solution than Kerberos to use SNC'. I am not sure what you are asking for. Are you wanting to understand how Kerberos works with SNC?

SNC is an interface, not a protocol. The SNC interface is used by SAP ABAP to make it support external authentication methods, e.g. Kerberos. On SAP ABAP you just configure the instance profile to tell SAP ABAP where the SNC library is found (after you have installed it), and then on the workstation you just need to configure saplogon.ini so that SAP GUI uses SNC authentication. On the workstation you also need to install the SNC library first. I mentioned where you get these libraries from in my last message.

Why is Kerberos not the right solution for AIX? My company sells this exact solution you are looking for to many SAP customers who have SAP on AIX servers. It is supported on AIX 5, 6 or 7.

There is no dependency on the OS of the laptop/workstation.

Thanks,

Tim

Former Member
0 Kudos

Thanks a lot.

It's clear on the mechanism, but not on the alternative solution.

What happens if you use Kerberos authentication in the SNC library without Microsoft Active Directory?

Will the user be required to log in once to SAP with his password and after that just click on another SAP system without logging in?

You wrote that for an AIX SAP server a third party is mandatory. Should I understand that SNC library activated + Kerberos authentication + Microsoft Active Directory does not work?

tim_alsop
Active Contributor
0 Kudos

Philippe,

I am not 100% clear what you are asking. Are you saying that you understand how Kerberos can be used, but are not sure if there are any alternatives? If you are, then you need to understand that the SNC interface requires a GSS-API library, and this library will implement a protocol. Most GSS-API libraries implement Kerberos, but you can find GSS-API libraries that use X.509 certificates. If you were to use X.509 certificates for SAP GUI logon, then the user would have to have a certificate to use. This might work for you if you already have smart cards in use within your company. I think you will find, though, that most SAP customers who want to use Active Directory with SAP for SSO use Kerberos and not X.509, since this is easier and cheaper and also has other benefits compared to using X.509 certificates.

If Active Directory is not available, the use of Kerberos would require another Kerberos authentication server to use instead.

Or are you asking about Active Directory being available because you think there might be a problem with Active Directory? If this is the case, the user won't be able to log on to their computer and access other services in the Windows network. Companies that implement Active Directory typically deploy many domain controllers to ensure that there is no downtime. Products which use Kerberos often support multiple domain controllers by trying a different DC if the first one is not online, or broken for some reason.

I mentioned that if you have SAP on AIX, there is no SNC library from SAP company. Instead, you have to buy a SAP certified product that provides an SNC library. I work for a company that has such a product.

You said in your last post that SNC library activated + Kerberos + Active Directory does not work. I can assure you that this DOES work. It is very common and works very well. I can give you a demonstration if you are interested?

Thanks,

Tim

Former Member
0 Kudos

Hello Phil,

What I understood is that you only need SSO and not encryption of data sent from SAP GUI to the SAP server.

Now for SSO you use only NTLM. Kerberos DLL files are required in case you want to encrypt data.

regards,

Surpreet

0 Kudos

> Hello Phil,
>
> What I understood is that you only need SSO and not encryption of data sent from SAP GUI to the SAP server.
>
> Now for SSO you use only NTLM. Kerberos DLL files are required in case you want to encrypt data.
>
> regards,
> Surpreet

Actually, this is not true.

When you use SNC with any protocol (Kerberos, X.509, NTLM), authentication (mutual authentication) is the minimum quality of protection required. The use of integrity and encryption is optional, and will be used depending on how SAP GUI is configured and which SNC instance profile parameters you add to the SAP ABAP system.

Also, NTLM is the old NT domain authentication protocol, and you should not use it if you can use Kerberos instead. It is unlikely that in today's networks anybody would still need to use NTLM, unless they have Windows NT PDC/BDC and have not upgraded to Active Directory. Yes, Active Directory supports NTLM as well, but only for backwards compatibility.

I hope this is clear now?
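The ABAP-side part of what Tim describes (the instance profile that locates the SNC library, and the quality-of-protection parameters that make integrity and encryption optional on top of mandatory authentication), as an added example that is not from this thread, from Tim's company or from SAP: a small Python audit that parses a constructed profile fragment and flags a weak configuration beside a hardened one. The `snc/*` keys are SAP's documented ABAP profile parameters; the library path, the SNC name and the assumed default of `0` for `snc/accept_insecure_gui` are placeholders and assumptions.

```python
# Quality of protection levels as SAP ABAP counts them (1, 2, 3).
QOP = {1: "authentication only", 2: "authentication + integrity",
       3: "authentication + integrity + privacy"}

# Constructed sample profile (placeholder library path and SNC name).
# WEAK: SNC is on, but GUI logons without SNC are still accepted and the
# server only insists on authentication, so GUI traffic may be in clear.
WEAK_PROFILE = """
snc/enable = 1
snc/gssapi_lib = /usr/sap/XXX/SYS/exe/run/libsncgss.so
snc/identity/as = p:CN=sapserver@EXAMPLE.CORP
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
"""
# HARDENED: the same profile with privacy required and the bypass closed.
HARDENED_PROFILE = WEAK_PROFILE.replace("min = 1", "min = 3").replace(
    "use = 1", "use = 3").replace("accept_insecure_gui = 1", "accept_insecure_gui = 0")

def parse_profile(text):
    """Parse 'key = value' lines of a profile; '#' lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params

def audit_snc(params):
    """Return findings for a parsed profile; empty means SNC is enforced for GUI logons."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SAP GUI logons use password only"]
    findings = []
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib missing: no GSS-API (e.g. Kerberos) library to load")
    if not params.get("snc/identity/as"):
        findings.append("snc/identity/as missing: server has no SNC name")
    if params.get("snc/accept_insecure_gui", "0") != "0":  # assumed default 0
        findings.append("snc/accept_insecure_gui allows GUI logons without SNC, so SSO is optional")
    min_qop = int(params.get("snc/data_protection/min", "0") or 0)
    if min_qop < 3:
        findings.append(f"snc/data_protection/min={min_qop}: {QOP.get(min_qop, 'unset')}, "
                        "GUI traffic may be unencrypted")
    return findings

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_snc(parse_profile(prof)) or ["no findings"])
```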

0 Kudos

Hello,

When I wrote: "Should I understand that SNC library activated + Kerberos authentication + Microsoft Active Directory does not work?"

I asked that in the context of my company, with AIX as the OS of the SAP server.

From my point of view it should work correctly, independently of the OS of the SAP server.

As a first step, I would like to activate just the SNC customizing and install Kerberos authentication without Microsoft AD. Will it work or not?

0 Kudos

Hi,

You cannot enable SNC with a Kerberos-enabled SNC library unless you have a Kerberos server to use. So, if you do not want to use Active Directory, you must find another Kerberos authentication server to use instead. Then, each user would have to authenticate using this server before they log on to SAP.

Why do you not want to use MS AD?

Thanks,

Tim

0 Kudos

Thanks a lot. It is clear for me.

The AD is not plugged into SAP today. It is not the same project if I have to plug it into the SAP systems (i.e. the provisioning process).

Now I have to investigate on that. Thanks

0 Kudos

Philippe,

The AD authentication for SAP Logon can be implemented completely separately from any provisioning integration.

If you want to implement SNC for AD authentication now, you can work on IdM, provisioning and any other requirement at a later date without the authentication being affected. They are both complementary.

Thanks,

Tim

0 Kudos

Does it mean that AD is updated by CUA? I think that our AD can only be the master.

0 Kudos

Philippe,

As mentioned previously, CUA is not a prerequisite for SSO with SNC.

Also, CUA does not update AD. CUA updates SAP ABAP and is used for SAP user administration.

How can AD be a CUA master?

Are you saying you have set up AD so that it is the central repository for users in your company? If you are, then this is very common. However, it has nothing to do with CUA or SSO.

Thanks,

Tim