01-11-2012 9:04 AM
Hello,
I am just configuring SSO between NW Portal 7.3 and a system with an ABAP stack. With the new Portal it seems that you just call the "trusted systems" configuration in the NWA and connect there with the other system. This works and the ticket is visible in the other system. The instance profile of the other ABAP stack was already changed for another SSO scenario.
When I call ESS the following error message occurs: "Es wurde ein nicht interpretierbares SSO-Ticket empfangen"
Has anyone had the same problem with the NW Portal 7.3?
Is it necessary to restart the ABAP system afterwards?
Greetings, Vanessa
01-11-2012 10:41 AM
01-12-2012 10:30 AM
Hello Olivier,
Thanks for your reply. I restarted the ICM stack but the problem stays the same. We thought that the problem occurs because the servers are in two different domains, and so we moved the portal to the same domain. But also here... the problem is still the same.
Greetings, Vanessa
01-12-2012 12:00 PM
Hi Vanessa,
Please check your SSO tickets. The receiver is not able to interpret the sent ticket. Make sure the encryption is the same for both sending and receiving systems.
You can switch the trace on and check the trace for additional information on the error: T-Code SMICM -> Goto -> Trace Level -> Set.
After the work is done, reset the trace level and display the trace from: T-Code SMICM -> Goto -> Trace File -> Display.
Regards,
Srihari
Edited by: Srihari Rao on Jan 12, 2012 5:30 PM
01-12-2012 5:20 PM
Hi Vanessa,
Domain is not a problem for ESS because it uses JCO RFC to connect to the ECC system. Therefore the MYSAPSSO2 is not sent as an HTTP cookie and does not depend on the DNS domain.
It would be a problem with SSO for BSP or AWD applications...
Srihari Rao is right: you should check the encryption used on both systems.
Regards,
Olivier
01-13-2012 8:39 AM
Thanks a lot for your really valuable information.
I can see in the portal 7.3 that "Trusted System SSO Certificate Information" is
[Subject DN]: CN=ABC
[Issuer DN]: CN=ABC
[Not valid before]: 1. Oktober 1997 00:00:00 GMT
[Not valid after:]: 1. Januar 2038 00:00:00 GMT
[Sign Algorithm]: SHA-1/DSA
[Public-Key Algorithm]: DSA
[Public-Key Format]: X.509
[Serial Number]: 0
[Version]: 1
[Fingerprint]: 61:E4:93:05:57:EA:F1:14:55:34:A9:70:20:15:C4:EE
and in SSO Certificate Information the Sign Algorithm is SHA/DSA,
Sign Algorithm SHA/DSA(1.2.840.10040.4.3)
Public-Key Algorithm DSA
Public-Key Format X.509
Serial Number 0
Version 1
Should this be correct (I don't know if there is a difference between SHA-1 and SHA) or how can I change one of the values?
Thanks a lot,
Vanessa
01-13-2012 9:27 AM
Hi Vanessa,
SHA-1 is the next version of SHA, but corrects an error in the original SHA hash specification. Please get a SHA-1 certificate for your server. The receiving system (trusted system) is looking for SHA-1 while the sender (your server) is sending SHA.
Regards,
Srihari
01-13-2012 1:41 PM
01-11-2012 10:45 AM
09-11-2015 10:56 AM
Hello Vanessa,
I have the same problem with the SSO error. Can you tell me how you solved this problem and how you set the SSH-1 certificate at the sender (NetWeaver)?
Best regards,
Dejan