SSO using spnego set up but not working for an Enterprise Web Service

Former Member
0 Kudos

Hello, I am looking for some guidance. I have a function module that is exposed as a web service. I am trying to be able to access the web service with SSO so the user does not need to log on. Systems has set up SSO using SPNego to issue SAP logon tickets on our dual stack, and SSO is working if I try to access a NetWeaver link such as http://mycompany:8001/nwa, but it is not working when I try to access my service http://mycompany.com:8001/sap/bc/srt/rfc/sap/myservice/500/myservice/myservice. I am wondering why this would not work and if it is possible to use SSO with enterprise services?

Thanks for any help...we have been stuck for a while now.

Edited by: Katie Doody on Jul 13, 2011 3:48 PM

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

SPNego works only on Java AS. So web service can't use SPNego for authentication. What you can try to do is to point client to Java stack for authentication and then redirect it to ABAP AS. At that moment the client should have SSO cookie which should be accepted by ABAP AS. You can check it by going to NWA app and then just pasting your url to web browser. You shouldn't get an authentication error.

Cheers

21 REPLIES 21

0 Kudos

Excellent, thank you. I think I was looking at something similar to what you are explaining. Is this sort of what you are suggesting or do you have a reference you could point me to? Thanks.

http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00007511-5c0e-2d10-26bd-f30b7f433b9a

0 Kudos

Yep, that's roughly what I meant.

Cheers

0 Kudos

I have set up this redirect, the first time I used this note https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1250795. I have also set up the redirect creating my own app like the one suggested in the link above. I have then changed my service to do the redirect on error pages but no matter what I do I am still getting 401 unauthorized. I am looking for any more direction in what could be going wrong. I also noticed that I can go to NWA from my client and it shows my name which tells me I am successfully logged in, but if I then enter the URL for my web service it does not authenticate.

Thanks so much.

Edited by: Katie Doody on Jul 18, 2011 5:24 PM

0 Kudos

Hi,

It's really hard to tell. Which stack is giving you that error? So I would try to figure out if the problem is with SPNego or with accepting the SSO cookie. You can activate full logging in transaction SMICM for any ABAP service to see what's going on.

Cheers

0 Kudos

Hello, thanks again for your response. I have set the highest level of logging on and I can tell my redirect is working because if I use a different URL that does not need the SAP ticket, the redirect works fine. If I redirect to the enterprise service it fails and I don't get the WSDL page. I checked the logs and I do get this error:

• Error NiIRead:SiRecv failed for hdl 44 / sock 5840

It almost seems like something is timing out after too many invalid attempts. I am still not sure whether this is on the J2EE side issuing the ticket or the ABAP side not accepting the cookie? Do you have any ideas based on this error?

Thanks.

0 Kudos

Hello, I am waiting to get access to those tools suggested, but I am now able to see MYSAPSSO being passed. When I get to the ABAP side it seems that either the credentials are not passed or maybe my user ID does not have access. I get the error:

Passing MYSAPSSO:

285550; MYSAPSSO2=AjExMDCIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIRTEwMTQxODcCAAMwMDADAA

Trying to access my app after redirect:

ECD..sap-client: 500..server: SAP NetWeaver Application Server / ABAP 701..
Logon Error
....
Logon failed. What has happened? Call of URL http://myserver:8001/sap/bc/srt/rfc/sap/zsd_hr_cats_ename/500/zsd_hr_cats_ename/zsd_hr_cats_ename terminated due to error in logon data. Note: Logon performed in system ECD. No logon data provided. What can I do? If you do not yet have a user ID, contact your system administrator. Error Code: ICF-LE-http-c:500-l:E-T:23-C:5-U:-P:-:7 HTTP 401 - Unauthorized
Your SAP Internet Communication Framework Team

Any suggestions of what might be happening are welcome. Thank you, Katie.

Edited by: Katie Doody on Jul 26, 2011 5:04 PM

Edited by: Katie Doody on Jul 27, 2011 10:15 AM
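As an added illustration, not code from the thread, here is a small Python parser for the MYSAPSSO2 fragment pasted above; the info-unit IDs are assumed from public descriptions of the version-2 SAP Logon Ticket format, and issuer_trusted is a simplified model of the STRUSTSSO2 trust-list check, not SAP's implementation.

```python
import base64
import struct

# Info-unit IDs of a version-2 SAP Logon Ticket (the MYSAPSSO2 cookie value), taken
# from public descriptions of the format; 0x88 is confirmed by the fragment above.
UNIT_NAMES = {
    0x01: "user", 0x02: "issuing_client", 0x03: "issuing_system",
    0x04: "created_at", 0x05: "valid_hours", 0x07: "valid_minutes",
    0x88: "auth_scheme", 0xFF: "signature",
}

# The cookie fragment pasted in the post above, with its line breaks removed.
SAMPLE = "AjExMDCIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIRTEwMTQxODcCAAMwMDADAA"

def parse_ticket(cookie_value):
    """Decode a MYSAPSSO2 value into its info units; tolerates a truncated copy."""
    raw = cookie_value.strip()
    raw += "=" * (-len(raw) % 4)  # a pasted fragment usually lacks base64 padding
    data = base64.b64decode(raw)
    if len(data) < 5 or data[0] != 0x02:
        raise ValueError("not a version-2 logon ticket")
    ticket = {"codepage": data[1:5].decode("ascii"), "units": {}, "truncated": False}
    pos = 5
    while pos < len(data):
        if pos + 3 > len(data):  # unit header (1-byte ID, 2-byte length) cut off
            ticket["truncated"] = True
            break
        uid = data[pos]
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])
        body = data[pos + 3:pos + 3 + length]
        if len(body) < length:  # unit body cut off
            ticket["truncated"] = True
            break
        name = UNIT_NAMES.get(uid, "unit_0x%02x" % uid)
        ticket["units"][name] = body if uid == 0xFF else body.decode("ascii", "replace")
        pos += 3 + length
    return ticket


def issuer_trusted(ticket, acl):
    """Model of the STRUSTSSO2 check: accept only a complete, signed ticket whose
    (issuing system, client) pair is in the trust list; signature not verified (assumption)."""
    units = ticket["units"]
    if ticket["truncated"] or "signature" not in units or "issuing_system" not in units:
        return False
    return (units["issuing_system"], units["issuing_client"]) in acl


def encode_ticket(codepage, units):
    """Constructed helper: build a ticket from (id, bytes) pairs for offline checks."""
    out = bytes([0x02]) + codepage.encode("ascii")
    for uid, body in units:
        out += bytes([uid]) + struct.pack(">H", len(body)) + body
    return base64.b64encode(out).decode("ascii")
```

On the fragment above this yields codepage 1100, authentication scheme basicauthentication, user E1014187 and issuing client 000 before the copy runs out; a complete ticket continues with the issuing system ID and a signature unit, which is what the certificate imported in STRUSTSSO2 is used to validate.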

0 Kudos

Hi,

Did you import the Java stack certificate in the Abap stack (strustsso2) ?

Test the MYSAPSSO2 cookie by calling a test BSP application (it00 by exemple).

Regards,

Olivier

0 Kudos

Yes, the certificate was imported to the abap side. I think I am further along, at least in using SMICM. I am still waiting for approval to get the tools you suggested installed. I changed the java app to use a main.jsp like this blog below.

/people/holger.bruchelt/blog/2010/01/11/single-sign-on-to-bsp-pages

In following that blog to see if I am getting the response codes at the end of it, I can see that I am getting the 307 and then it is redirecting, so I think I can make the assumption that I am getting the 401 from the Java side and it is doing the redirect and getting to the ABAP side (SAP NetWeaver Application Server /ABAP 701) but without the cookie? I guess that would mean I am not getting my cookie from the Java side or it is not passing it to the ABAP side. Please see the error below.

HTTP/1.1 307 Temporary Redirect..Content-Type: text/html; charset=utf-8..Content-Length: 18..location: http://myserver:50100/redirectApp/main.jsp?PROT=HTTP&BACK2HOST=myserver:8001&TO=/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&sap-ffield=..server: SAP NetWeaver Application Server /ABAP 701....Temporary Redirect

I also just tried a test bsp out on sicf using:

http://myserver:50100/redirectApp/main.jsp?PROT=HTTP&BACK2HOST=myserver:8001&TO=/sap/bc/bsp/kyk/test

It is prompting me to log onto WAS and then I get an error in German "Die URL enthält keine vollständige Domainangabe" which I translated to "The URL contains no complete one domain".

Thank you for your help.

Edited by: Katie Doody on Jul 27, 2011 3:43 PM

Edited by: Katie Doody on Jul 27, 2011 4:15 PM

0 Kudos

Hello, I tried calling http://myserver:8001/sap/bc/bsp/sap/it00?sap-client=500. It is prompting me for a logon. Can I therefore make the assumption that SSO is not working properly?

I even tried what was suggested early on by accessing a url where I know i am getting authenticated:

http://myserver:8001/nwa which greets me by name.

I then pasted http://myserver:8001/sap/bc/bsp/sap/it00?sap-client=500 in the browser and I am being asked for authentication.

Thanks,

Katie.

0 Kudos

Thank you gentlemen, I realized from what you suggested that maybe NWA and Web AS are on different clients. I added the Web AS client to the trusted relationships using the same cert as that for NWA and it is now working. Now I just need to figure out how to get the Adobe forms to work with it.

Thanks so much for all the help.

0 Kudos

Hi Katie,

Nice to hear that SSO is now working. That was indeed the trust relationship...

For your BSP you need to use the FQDN for the server. Otherwise you will get an HTTP 500 internal server error.

Regards,

Olivier
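The FQDN requirement above comes from the logon ticket being a domain cookie: MYSAPSSO2 is scoped to the issuing server's DNS domain, so a host addressed without its domain never receives it. As an added example (not from the thread), this Python snippet uses the standard-library cookie jar to show which target URLs the ticket would be attached to; the domain ".mycompany.com" and the ticket value are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def logon_ticket_cookie(domain, value):
    """Build a MYSAPSSO2 cookie scoped the way the issuing server scopes it:
    a domain cookie for the server's DNS domain (e.g. ".mycompany.com"), path "/"."""
    return Cookie(0, "MYSAPSSO2", value, None, False, domain, True,
                  domain.startswith("."), "/", True, False, None, True,
                  None, None, {})


def build_jar(domain, value):
    """Jar holding one logon ticket, as a browser would after the Java-stack redirect."""
    jar = CookieJar()
    jar.set_cookie(logon_ticket_cookie(domain, value))
    return jar


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar attaches to a request for url, or None when
    no cookie is in scope for that host (e.g. host given without its domain)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    jar = build_jar(".mycompany.com", "constructed-ticket-value")
    for url in ("http://myserver.mycompany.com:8001/sap/bc/bsp/sap/it00?sap-client=500",
                "http://myserver:8001/sap/bc/bsp/sap/it00?sap-client=500"):
        print(url, "->", cookie_sent_to(jar, url))
```

The short host name gets no Cookie header at all, which is the situation the BSP test reports as an incomplete domain specification.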

Former Member
0 Kudos

Hi,

I don't understand what you try to do. SPNego/Kerberos SSO with redirect is used to authenticate a user from a browser to run a web application (BSP or ABAP Web Dynpro).

You cannot call a web service directly from a web browser; you need a web service client for that.

Even with OK authentication you will get an HTTP 500 internal Server Error.

Am I missing something ?

Regards,

Olivier

0 Kudos

Hi, well ultimately what I am trying to do is call an ABAP function exposed as a web service from an offline Adobe form. I can normally directly call the URL and see the WSDL just to validate that the service is up and running (in SICF). I want to be able to do this without having the user log in to use the web service anymore. In my security settings for one of my services in SOAMANAGER I have the authentication method set to "SAP Logon ticket". In SICF in the logon data tab I have the procedure set to "alternative logon procedure", security requirement to "standard", authentication set to "standard sap user" and the login procedure set to "sso authentication".

Originally the web services were set up with a generic service user in sicf so logon was not needed. My goal is to have the user access the adobe form and pass their unique credentials using spnego and the redirect so we know which user is creating/modifying the information.

Thanks for the help.

Edited by: Katie Doody on Jul 21, 2011 4:09 PM

Edited by: Katie Doody on Jul 21, 2011 4:24 PM

Edited by: Katie Doody on Jul 21, 2011 4:43 PM

0 Kudos

Hi Katie,

I think you should try to call a dummy BSP application thru a redirect Portal URL just to be able to do the spnego/kerberos authentication and get a valid SAP Logon Ticket. This ticket would then be sent with the web service call.

This is just an idea...

Regards,

Olivier

0 Kudos

Hi, I have created the redirect app with a jsp page in it. So, would you be suggesting that I add another call within there? In the error pages section of my web service in SICF I have the redirect going to my redirect jsp which is then sent to my web service.

http://myserver:50100/redirectApp/redirect.jsp?to=http://myserver:8001/sap/bc/srt/rfc/sap/zsd_hr_cat...

Here is part of the log from SMICM. It looks like I am making a connection but I am not sure what to look for to determine if the ticket is being sent and received.

[Thr 4824] HttpSubHandlerClose: Call Handler: HttpSAPR3Handler (00000001404EABA0), task=TASK_CLOSE(3)
[Thr 4824] HttpSubHandlerClose: Call Handler: HttpJ2EEHandler (00000001404EAA70), task=TASK_CLOSE(3)
[Thr 4824] HttpJ2EEHandler called: task=3
[Thr 4824] Handler 3: HttpAuthHandler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_ins
[Thr 4824] Handler 4: HttpCacheHandler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_in
[Thr 4824] Handler 2: HttpSAPR3Handler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_in
[Thr 4824] Handler 0: HttpJ2EEHandler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_ins
[Thr 4824] HttpSubHandlerCall: Call Handler: HttpAuthHandler, task=1, header_len=647
[Thr 4824] >> start >> CsiGetInstance(0000000000E79950)
[Thr 4824] << end << CsiGetInstance(0000000000E79950) returned inst=00000000005A5030
[Thr 4824] >> start >> CsiExecute(00000000005A5030,000000000CB19CE0,85,1,000000000CB19CD0,000000000CB1BE10,0)
[Thr 4824] >> VsaScan(00000000005A72F0,000000000055D750,000000000055D790,00000000005B94F0,NULL) >>
[Thr 4824] << VsaScan(00000000005A72F0,000000000055D750,000000000055D790,00000000005B94F0,NULL) = 0 <<
[Thr 4824] << end << CsiExecute(CSI_RC==VSI_OK)
[Thr 4824] >> start >> CsiFreeInstance(00000000005A5030)
[Thr 4824] << end << CsiFreeInstance(CSI_RC==VSI_OK)
[Thr 4824] HttpSubHandlerItDeactivate: handler 0: HttpAuthHandler
[Thr 4824] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=1, header_len=647
[Thr 4824] HttpCacheHandler: 1 647 00000001404EACD0 0000000000000000
[Thr 4824] ISC: Cache Lookup. 1. try: browser independent.
[Thr 4824] ISC: hashed querystr = 7e8c2651 'null&*&'
[Thr 4824] HttpCacheMakeObjectKey() -> '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&
[Thr 4824] MTX_LOCK 1635 0000000000E77AA0
[Thr 4824] MTX_UNLOCK 1766 0000000000E77AA0
[Thr 4824] IctCmOpen#3977 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&1562C8E7&'.
[Thr 4824] MTX_LOCK 1635 0000000000E77950
[Thr 4824] MTX_UNLOCK 1766 0000000000E77950
[Thr 4824] IctCmOpen#11089 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&1562C8E7&'
[Thr 4824] ISC: Cache Lookup. 2. try: browser specific key.
[Thr 4824] ISC: hashed querystr = 83bd39d4 'null&Mozilla/4.0 (compatible; MSIE 8.0;&'
[Thr 4824] HttpCacheMakeObjectKey() -> '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&
[Thr 4824] MTX_LOCK 1635 0000000000E77AA0
[Thr 4824] MTX_UNLOCK 1766 0000000000E77AA0
[Thr 4824] IctCmOpen#3978 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&4D93DB38&'.
[Thr 4824] MTX_LOCK 1635 0000000000E77950
[Thr 4824] MTX_UNLOCK 1766 0000000000E77950
[Thr 4824] IctCmOpen#11090 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&4D93DB38&'
[Thr 4824] HttpCacheHandler: cache miss.
[Thr 4824] HttpSubHandlerItDeactivate: handler 1: HttpCacheHandler
[Thr 4824] HttpSubHandlerCall: Call Handler: HttpSAPR3Handler, task=1, header_len=647
[Thr 4824] HttpSAPR3Handler: url_tab_init: 1, force_dest: 0
[Thr 4824] ICT: IctLookupPathTable() -> 0

Thank you,

Katie

Edited by: Katie Doody on Jul 22, 2011 3:25 PM

0 Kudos

Hi,

have you tried to test it with web browser? I know that it will be a web service call but it might help you to check how it works. Modern browsers have tools for tracing HTTP requests. For example if you hit F12 in IE then you can click on tab Network and start profiling. For example if you enter sdn.sap.com you get HTTP code 301 which is redirect to http://www.sdn.sap.com/irj/sdn.

Cheers

0 Kudos

Hi Martin, I am testing it that way and I get the generic error message that "IE cannot display the webpage". I can click on a button that offers possible issues:

• Internet connectivity has been lost.
• The website is temporarily unavailable.
• The Domain Name Server (DNS) is not reachable.
• The Domain Name Server (DNS) does not have a listing for the website's domain.
• There might be a typing error in the address.
• If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

I have tried using F12 and I am able to turn the profiler on, and it just tells me that ieframe.dll is getting a dnserror. I also noticed I am able to look at the cookies in the session. Do you know what the cookie name would be for the SAP logon ticket? Maybe I can see if it exists so I can determine if it is being created but not accepted. I am not sure how else to figure out what is happening.

Thank you.

0 Kudos

Hi Katie,

You should use kerbtray (free Microsoft utility) to see if you get a Kerberos ticket from the KDC (AD) and HTTPWATCH to see if you receive the MYSAPSSO2 cookie from the portal and if you send it to the abap system.

Regards,

Olivier

0 Kudos

Hi Olivier, thanks I will look into those tools. I do have to say that we are not using portal. We have a dual stack and I am trying to use the redirect to authenticate to the java side and then pass the cookie to the abap side. I am just hoping I am not trying to do the impossible.

Thanks.

0 Kudos

Hello Katie, have you had any luck on this? We are having the same issue.
We are attempting to set up a .Net app with Windows Authentication and consume a SAP web service.

We have set up the SPNego Redirect.jsp and it works fine to NWA, the Web Service WSDL, or the SICF URL and it uses Windows Auth. No prompts for password.

If I go straight to the WSDL URL it prompts for SAP credentials:
http://<ABAPHost>:8000/sap/bc/srt/wsdl/bndg_E2460ECDDC7BE4F190750050568C2814/wsdl11/allinone/ws_poli...

And if I use the Redirect in front of it, it does Not prompt for username/password
http://<JavaHost>:55500/SSORedirect/redirect.jsp?to=http://<ABAPHost>:8000/sap/bc/srt/wsdl/bndg_E246...

So it is using the Java Redirect to authenticate me against the ABAP usermaster. I can then open another Browser Tab and navigate straight to SOAManager without asking for credentials.

We have two .Net pages setup for testing, one with a hard coded SAP User, and one without.
We’re trying to get the “one without” to use the Redirect to authenticate for us. But no luck.

I can see in the “HTTP Log” in SMICM on the ABAP host, a 200 Success, and a 401 Unauthorized.
Http Log:
Hard Coded SAP User:
POST /sap/bc/srt/rfc/sap/zwap_vendor_maint/160/zwap_vendor_maint/zwap_vendor_maint HTTP/1.1" 200 689

Using the Redirect:
POST /sap/bc/srt/rfc/sap/zwap_vendor_maint/160/zwap_vendor_maint/zwap_vendor_maint HTTP/1.1" 401 2033

We’re trying to figure out how to tell when and if the cookie is being passed. Cuz it doesn’t seem to be..

Thanks for any input.