08-12-2011 4:06 AM
Hi Experts,
I configured SPNEGO and works fine with my EP. Now I want to configure SSO for SAPGUI as the same way using the domain users.
I found this link
Single Sign-On with Microsoft Kerberos SSP
http://help.sap.com/saphelp_nwpi71/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
My SAP OS is AIX, ADS (windows 2003 Server), clients (windows 7).
I am a bit confused with this:
In the instance profile of the primary application server instance, set the profile parameters:
○ snc/enable = 1
○ snc/gssapi_lib = <DRIVE>:\%windir%\system32\<library>
○ snc/identity/as = p:SAPService<SID>@<KERBEROS_REALM_NAME>
If my OS is AIX how I can put <DRIVE>:\%windir%\system32\<library>
Also SAPService<SID> does not exists, so can I use SAPJSF user as I did for my SPNEGO configuration?
On the other hand I know windows7 is not using DES encryption anymore so there could be a problem with this configuration?
Any clue?
Regards
08-12-2011 8:12 AM
Jorge,
The library you have found is ONLY for when SAP NetWeaver is on Windows Servers. If you have SAP on AIX or any other Unix or Linux, then you need to use a product from a SAP partner. I recommend this one - http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient
Thanks,
Tim
08-12-2011 8:12 AM
Jorge,
The library you have found is ONLY for when SAP NetWeaver is on Windows Servers. If you have SAP on AIX or any other Unix or Linux, then you need to use a product from a SAP partner. I recommend this one - http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient
Thanks,
Tim
08-12-2011 12:00 PM
Tim,
I sell this one
I rephrased for you...
Jorge has to know why you recommend this specific one.
Regards,
Olivier
08-12-2011 12:05 PM
That's easy to answer.
it is the leading product in this space and this is backed up by the many 5-star reviews on EcoHub, from existing, very happy customers. Compare with the number of reviews from customers for the other products and you will see a big difference. The other SAP partners who offer similar solutions, also do not focus on SAP application authentication and security, but the vendor of this product does. Hopefully you can see now, why I recommended it.
Thanks,
Tim
08-12-2011 12:32 PM
Hi Tim,
Correct disclosure is still appropriate, even if SAP does not have a Kerberos based SNC SSO for SAPGUI for Windows and external products are needed.
Cheers and nice (relaxing) weekend to all,
Julius
08-12-2011 2:03 PM
Hi, Tim,
The company does not want to buy this software, if I want to configure SSO for SAPGUI for windows having AIX as my SAP OS it's not possible?
Regards.
08-12-2011 2:07 PM
Jorge,
It is possible, but only if you use open source Kerberos and build and support it yourself. If users cannot logon for some reason then you will not get help from SAP.
Thanks,
Tim
08-12-2011 2:15 PM
You may or may not be able to read more about this in [SAP note 150380|https://service.sap.com/sap/support/notes/150380]...
Cheers,
Julius
08-12-2011 2:33 PM
Hi Julius,
Thank you and the other experts for the valuable information.
Now I understand that SAP does not support Kerberos, but if I want to do it anyway. Do you know where a I can find the library for AIX?
Also the user SAPService<SID> does not exists so, can I use SAPJSF as I did in SPNEGOAddon? This one is created in ADS as my communication user.
Regards.
08-16-2011 12:53 PM
Hi Tim,
I am sure that your product is excellent but I do think that you have to tell people openly that you work for this vendor.
Most people here help for free with no financial interest.
Regards,
Olivier
08-16-2011 1:02 PM
Olivier,
I used to (a long time ago) mention my company, but then I was told by SDN moderators that I should not do that and instead, I should update my SDN business card, which I have done. I have also been told many times that it is good to reference SAP EcoHub on SDN forums. it seems I cannot keep everybody happy, but I do my best to be honest and open in most posts I make.
Lets not clutter this thread with chat about issues unrelated to the question asked.
Thanks,
Tim