
SSO problem with login screen

roman_bilek
Explorer
0 Kudos

Hello,

We have a landscape in which 3 systems are relevant: AC1, AB1 and HR1. AC1 is the portal, AB1 and HR1 are SAP systems. If I have logged into the portal, this is authentication between AC1 and AB1. Then the data are from HR1. This is a look into our architecture in short.

Now the problem:

======================

We are in a situation in which we are successfully logged in to our enterprise portal. But if I want to choose the application ESS (employee self services), I see the logon popup in which the portal wants authentication for the HR1(001) system. The crazy thing is that if I choose ESS again at this moment (without logging in), I see the correct data from ESS.

I think that the communication between AC1 and HR1 is correct, but I don't know why I see the logon popup at first.

I have tested the SSO2 in HR1 and AB1 -- everything is OK.

Please, is there some admin here who has had a similar experience and who wants to help me? Thank you in advance!

Accepted Solutions (1)


Former Member
0 Kudos

Hi Roman,

Please refer to the following SAP notes, which give relevant information regarding SSO.

1733442 - Approaches to set SSO using Active Directory in AC 10.0

1152343 - Configuring CUP for Single Sign On with Enterprise

1252589 - Compliant User Provisioning 5.3 - Redirection URL for SSO

I hope this helps.

Regards,

Yukti

Answers (3)


roman_bilek
Explorer
0 Kudos

The problem was solved by refreshing the certificates in the STRUSTSSO2 transaction. The other step was changing the settings for the specific Web Dynpro (Tcode SICF). It is necessary to set the alternative logon procedure and choose SAP logon as the first choice.

roman_bilek
Explorer
0 Kudos

Hi Yukti & Shreya,

Thank you very much for your help, but we have looked in these notes and everything is OK. We tried to start logging in transaction SM50 in the HR1 system. If I try the login procedure again, I see this relevant log in the dev_wX log:

...

N  dy_signi_ext: LOGON TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:AA72785E027C140E22D28FEF902820A5 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  ==> krn_Ssf_GetOwnCertificate()
N  ==> krn_SsfV2_para_GetProfile()
N  krn_SsfV2_para_GetProfile: SsfOpenProfile 'SAPSYS.pse' OK
N  <== krn_SsfV2_para_GetProfile()==0 (SSF_KRN_OK)
N  ==> krn_SsfV2_para_PutCert()
N  ==> krn_SsfV2_para_writecert()
N  krn_SsfV2_para_writecert: SsfCerttoASN1 OK, length=720
N  <== krn_SsfV2_para_writecert()==0 (SSF_KRN_OK)
N  <== krn_SsfV2_para_PutCert()==0 (SSF_KRN_OK)
N  <== krn_Ssf_GetOwnCertificate()==0 (SSF_KRN_OK)
N  ==> krn_Ssf_ParseCertificate()
N  ==> krn_SsfV2_para_GetCert()
N  krn_SsfV2_para_GetCert: SsfCertfromASN1 OK
N  <== krn_SsfV2_para_GetCert()==0 (SSF_KRN_OK) SsfCertfromASN1 == 0
N  <== krn_Ssf_ParseCertificate()==0 (SSF_KRN_OK)
N  mySAP: Got the following SSF Params:
N         DN      =CN=HR1, OU=I0220046613, OU=ABB, O=ABB, C=CZ

N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =SAPSYS.pse
N         PAB     =SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjExMDAgAAxwb3J0YWw6QklMRUuIABNiYXNpY2F1. Length = 520.
N  Convert ticket content from SAP_CODEPAGE >1100< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client = 000.
N  Got content sysid = AC1     .
N  Got date 201207250950 from ticket.
N  Cur time = 201207250950.
N  Computing validity in hours.
N  Computing validity in minutes.
N  CurTime_t = 1343296200, CreTime_t = 1343296200
N  validity: 28800, difference:      0.000.
N  Ticket is without recipient information.
N  Ticket contains no RFC Payload info.
N  Ticket contains no language info.
N  HmskiInsertTicketInCache: Trying to insert logon ticket in ticket cache.
N  HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache key: 001:AA72785E027C140E22D28FEF902820A5 .
N  HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache info: <USER>=BILEK       ,<CLIENT>=000,<LANGUAGE>=  .
N  mySAPUnwrapTicket returns 0.
N  DyISigni: client=001, user=BILEK       , lang=E, access=H, auth=T
N  usrexist: effective authentification method: SAP logon ticket
N  Get_RefUser(001,BILEK) =>
N  password logon is generally enabled (default)
N  productive password is still valid (expiration period=0 / days gone=0)
N  password change not required (expiration period=0 / days gone=373)
N  usrexist: update logon timestamp (M)
N  save user time zone = >      < into spa
N  system default timezone for client >001< is: >CET   <
N  DyISignR: return code=0 (see note 320991)
N  dy_signi_ext: LOGON TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:AA72785E027C140E22D28FEF902820A5 .
N  HmskiFindTicketInCache: Logon ticket found in ticket cache.
N  HmskiFindTicketInCache: Ticket information in ticket cache is: <USER>=BILEK       ,<CLIENT>=000,<LANGUAGE>=
N  HmskiFindTicketInCache: Ticket information in ticket cache read successfully.
N  DyISigni: client=001, user=BILEK       , lang=E, access=H, auth=T
N  usrexist: effective authentification method: SAP logon ticket
N  Get_RefUser(001,BILEK) =>
N  password logon is generally enabled (default)
N  productive password is still valid (expiration period=0 / days gone=0)
N  password change not required (expiration period=0 / days gone=373)
N  save user time zone = >      < into spa
N  system default timezone for client >001< is: >CET   <
N  DyISignR: return code=0 (see note 320991)

...

The problem is still here. If I remove the cookies from the browser and try to choose the ESS application, I see the logon page:

As you see, the parts for User and Password are grey, so I cannot set anything. If I choose the Log On button (or choose the ESS part again), I am in the ESS application and this works fine.

I think that the communication between HR1 and the AC1 portal works fine, but I haven't got any idea why I see this logon page at first.

Do you have some ideas? Thank you very much in advance.

Roman
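An added example, not part of the original post: a small parser that splits a dev_w trace like the one quoted above into individual logon-ticket attempts and reports, for each one, the ticket cache result, the issuing system and client, and the logon return code. The field names and the shortened sample trace are this example's own construction.

```python
import re

# Constructed excerpt, shortened from the trace quoted above; dict keys are this example's own.
SAMPLE_TRACE = """\
N  dy_signi_ext: LOGON TICKET logon (client 001)
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  MskiValidateTicket returns 0.
N  Got content client = 000.
N  Got content sysid = AC1     .
N  validity: 28800, difference:      0.000.
N  DyISigni: client=001, user=BILEK       , lang=E, access=H, auth=T
N  usrexist: effective authentification method: SAP logon ticket
N  DyISignR: return code=0 (see note 320991)
N  dy_signi_ext: LOGON TICKET logon (client 001)
N  HmskiFindTicketInCache: Logon ticket found in ticket cache.
N  DyISigni: client=001, user=BILEK       , lang=E, access=H, auth=T
N  usrexist: effective authentification method: SAP logon ticket
N  DyISignR: return code=0 (see note 320991)
"""

PATTERNS = {
    "target_client": r"LOGON TICKET logon \(client (\d+)\)",
    "cache": r"HmskiFindTicketInCache: (Couldn't find|Logon ticket found)",
    "validate_rc": r"MskiValidateTicket returns (-?\d+)",
    "issuer_client": r"Got content client = (\d+)",
    "issuer_sysid": r"Got content sysid = (\w+)",
    "user": r"DyISigni: .*user=(\w+)",
    "method": r"effective authentification method: (.+)",
    "logon_rc": r"DyISignR: return code=(-?\d+)",
}

def parse_attempts(trace):
    """Split a dev_w trace into ticket logon attempts, one dict per attempt."""
    attempts, cur = [], None
    for line in trace.splitlines():
        if "dy_signi_ext: LOGON TICKET logon" in line:
            cur = {}                      # a new attempt starts here
            attempts.append(cur)
        if cur is None:
            continue                      # skip lines before the first attempt
        for key, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m and key not in cur:      # keep the first value seen per attempt
                cur[key] = m.group(1).strip()
    for a in attempts:
        a["cache"] = {"Couldn't find": "miss", "Logon ticket found": "hit"}.get(a.get("cache"))
        a["accepted"] = a.get("logon_rc") == "0" and a.get("method") == "SAP logon ticket"
    return attempts
```

On the sample, both attempts come back accepted: the first validates the AC1-issued ticket after a cache miss, the second is served from the ticket cache.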

Former Member
0 Kudos

Hi Roman,

I think the problem is with your SSO configuration. I have a few questions. Hope that will help.

1. Have you chosen logon method as SAPLOGONTICKET while creating connection to backend system?

2. Have you set parameters

login/create_sso2_ticket value as 2

login/accept_sso2_ticket value as 1 at the backend system?

3. The simplest mistake is not using FQDN. So are you using fully qualified domain name (http://host.domain.com:port) while using portal?

4. Make sure the same user exists for both the portal and backend system.


Best Regards,

Prem
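An added example, not part of the original answer: a checker for points 2 and 3 of the list above, run against a profile excerpt and the URL used to open the portal. The expected parameter values are the ones the answer gives; the profile text, the function names and the assumption that the values are read from a profile file are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Expected values as listed in the answer above.
EXPECTED = {"login/create_sso2_ticket": "2", "login/accept_sso2_ticket": "1"}

# Constructed backend profile excerpt (not taken from the thread).
SAMPLE_PROFILE = """\
# constructed sample
SAPSYSTEMNAME = HR1
login/accept_sso2_ticket = 0
"""

def read_profile(text):
    """Parse 'name = value' profile lines, ignoring comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def is_fqdn_url(url):
    """True when the host is a dotted DNS name rather than a short name or an IP."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return False                      # literal IP address, not a domain name
    except ValueError:
        return "." in host.strip(".")

def check_sso(profile_text, portal_url):
    """Return a list of findings for checklist points 2 and 3."""
    params, findings = read_profile(profile_text), []
    for name, want in EXPECTED.items():
        got = params.get(name)
        if got != want:
            findings.append(f"{name} is {got or 'not set in profile'}, expected {want}")
    if not is_fqdn_url(portal_url):
        findings.append(f"portal URL {portal_url} does not use a fully qualified host name")
    return findings
```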

Former Member
0 Kudos

Hi Roman,

Please check these Notes:

1733439 : How to auto forward to GRC Application after login into Portal using SSO

1451616 : CUP - Password Self Service - requires password to be entered

817529 : Checking the SSO configuration

1083421 : SSO2 Wizard

Can you please confirm which GRC version and Support Pack level you are using?

Regards,

Shreya Gupta