
SAP SSO (SNC) for ABAP - multi domain?

Former Member
0 Kudos

Hi everyone,

We are using SAP SSO (SNC) for ABAP to log on to an SAP system (B) via Kerberos (connected with Domain (A)), and in the internal LAN it's working fine. Now we want to configure Kerberos on the SAP system (B) to connect to a further Domain (C). We want to use both domains to log on to the SAP system via SSO (SNC). Is this possible, and how? I think the parameter (snc/identity/as) in RZ10 is a problem, or is it? If you have some ideas or a solution, it would be nice if you shared them with me.

Domain (A)        Domain (C)
    |                /
    |  < SAP SSO >  /
    |              /
    SAP System (B)

Thank you.

12 REPLIES 12

tim_alsop
Active Contributor
0 Kudos

Hi,

If you are using an SNC library which supports cross domain authentication, your SAP system can have identity in domain (B) and users are logging onto workstations in domain (A) and domain (C), then as long as domain B trusts domain A and C, the users will be able to logon. This is because of cross-domain Kerberos tickets which are issued by the domain controllers when resources are requested in a different domain.

Tim
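The cross-domain ticket chain described in this reply, as an added example that is not part of the original thread: a small model of which Kerberos tickets a client collects when its realm is trusted by the realm of the SAP system. The realm names and the service principal `SAP/B01` are constructed placeholders, and the model covers only the trust-based case.

```python
from collections import deque

# Constructed sample: directed trusts as (trusting_realm, trusted_realm).
# "B trusts A" means KDC A may hand A's users a cross-realm TGT krbtgt/B@A.
TRUSTS = {
    ("DOMAINB.EXAMPLE", "DOMAINA.EXAMPLE"),
    ("DOMAINB.EXAMPLE", "DOMAINC.EXAMPLE"),
}

def ticket_path(user_realm, service_principal, trusts):
    """Return the tickets a client obtains, in order, to reach the service,
    or None when no chain of trusts leads from the user's realm to the
    realm that holds the service principal."""
    service, _, service_realm = service_principal.rpartition("@")

    # A referral goes from the trusted realm towards the trusting realm.
    referrals = {}
    for trusting, trusted in trusts:
        referrals.setdefault(trusted, []).append(trusting)

    # Breadth-first search for the shortest referral chain.
    prev = {user_realm: None}
    queue = deque([user_realm])
    while queue:
        realm = queue.popleft()
        if realm == service_realm:
            break
        for nxt in sorted(referrals.get(realm, [])):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    if service_realm not in prev:
        return None

    # Rebuild the hop list, then name the ticket issued at each hop.
    hops, realm = [], service_realm
    while realm is not None:
        hops.append(realm)
        realm = prev[realm]
    hops.reverse()

    tickets = [f"krbtgt/{user_realm}@{user_realm}"]        # initial TGT
    for src, dst in zip(hops, hops[1:]):
        tickets.append(f"krbtgt/{dst}@{src}")              # cross-realm TGT
    tickets.append(f"{service}@{service_realm}")           # service ticket
    return tickets
```

The trust direction matters: with the sample data a user in DOMAINA.EXAMPLE or DOMAINC.EXAMPLE reaches the service in DOMAINB.EXAMPLE, while a user in DOMAINB.EXAMPLE gets no path to a service in DOMAINA.EXAMPLE.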

Former Member
0 Kudos

Hi,

> If you are using an SNC library which supports cross domain authentication, your SAP system can have identity in domain (B) and users are logging onto workstations in domain (A) and domain (C), then as long as domain B trusts domain A and C, the users will be able to logon. This is because of cross-domain Kerberos tickets which are issued by the domain controllers when resources are requested in a different domain.
>
> Tim

Hi,

Thank you for your reply.

How can I determine whether my SNC library supports cross-domain authentication? We use SLES 10 and the built-in Kerberos, and the other components are from the Marketplace. Or where can I find an SNC library that supports cross domains?

If I have the right SNC library, how must I change the parameters in RZ10 to support cross-domain authentication? Or do I not have to change anything there?

Tobias

tim_alsop
Active Contributor
0 Kudos

> How can I determine whether my SNC library supports cross-domain authentication? We use SLES 10 and the built-in Kerberos, and the other components are from the Marketplace. Or where can I find an SNC library that supports cross domains?

You can look at http://ecohub.sap.com/catalog/#!solution:trustbrokersecureclient

> If I have the right SNC library, how must I change the parameters in RZ10 to support cross-domain authentication? Or do I not have to change anything there?

The issue is a Kerberos protocol issue, not an SNC configuration issue. There is no way to configure SNC to support multiple domains, since SNC is just an interface in SAP software, used to call an SNC library. The SNC library knows about the low-level cryptographic protocol (e.g. Kerberos).

Former Member
0 Kudos

Hi Tobias and Tim,

Do we have a solution today for this case?

tim_alsop
Active Contributor
0 Kudos

Yes, the solution is described above. It is also possible to have users in Domain (A) and users in Domain (C) log on to the SAP system (B) if there is NO trust between domains.

Thanks

Tim

Former Member
0 Kudos

Thanks Tim for your prompt response, appreciated.
I read the post "Single Sign-On with Kerberos" related to the product NW SSO 2.0: http://scn.sap.com/docs/DOC-40178

But I have not yet clarified multi-domain support with the author. May I ask if you are mentioning a similar solution?

Kind Regards,

Jinlong

0 Kudos

Hello Jinlong,

As Tim already mentioned, the first step to have your scenario working is to ensure that both domains trust each other. This is a must.

In addition to that, if I understood correctly, you're using the SAP NetWeaver Single Sign-On 2.0 product as your SNC product to achieve this, correct? In that case, you can follow the SAP NWSSO2.0 guide, section 3.5.2.1.5 - Using Kerberos for SNC with Users in Different Domains. There are some minor particularities in your setup so your SAP can recognize both domains, explained in the guide.

Finally, the SAP NWSSO2.0 guide can be found under: http://help.sap.com/nwsso

I hope this helps.

Best Regards,
Guilherme de Oliveira

tim_alsop
Active Contributor
0 Kudos

I also said that it is possible without domain trust. The most common scenario is that the domain where the principal resides for the SAP system trusts the domain(s) where the users authenticate. However, it is also possible to set up Kerberos where the domain that the user authenticates against is NOT trusted by the domain used by the SAP system. This requires that the product being used supports this...

Former Member
0 Kudos

Thanks Tim, I got your idea. If needed, I will contact you.

Kind Regards,

Jinlong

Former Member
0 Kudos

Hi Guilherme,

Thanks for your detailed info, I got the SAP guide and found the relevant info you mentioned.

Kind Regards,

Jinlong

0 Kudos

Hi Tim,

Is it also possible to implement SSO over two AD domains, without the SAP NW SSO2 product and just using the "old" SNC lib (gx64krb5.dll) for single sign-on?

Users are stored in domainA.com, the SAP ABAP system is running in domainB.com?

Thanks, Christoph

tim_alsop
Active Contributor
0 Kudos

Hi

The gx64krb5.dll will not work without domain trust, as discussed above. It has various other technical limitations and is not supported by any company. I recommend you buy a commercial product from an SAP partner or from SAP themselves.

Thanks

Tim