on 04-12-2013 12:06 PM
Hi,
I am trying to find a clean way of setting up Kerberos with NWBC. I have seen a few discussions on SSO with NWBC and noticed different suggestions based on the current infrastructure which is already available at the client's place.
In my landscape, I have an NW Portal 7.3 and an SAP ERP system. Kerberos is already set up for the Portal and SSO is established between Portal and ERP. Hence, when a user logs into the PC, they can launch the Portal and access backend ERP applications without the need to re-authenticate.
Now, NWBC comes into the picture and the client wants to use it to access the ERP system. I am aware of the Kerberos setup on the SAPGUI which could allow access to the ERP system. Since the users would not be using the SAPGUI logon pad, where do I make the SNC settings? Do we need to make any changes to the logon procedure for the NWBC service in SICF?
I also came across an interesting blog by Andre Fischer where he mentions "The SAP NetWeaver Business Client supports Windows Integrated Authentication as the initial authentication if the SAP NetWeaver Portal services infrastructure used is configured to use the SPNego Login Module". I am not quite sure how to achieve this.
Can someone please share their experience?
Cheers,
Murali
As has been mentioned elsewhere in this thread, NetWeaver SSO 2.0 (now in ramp-up) supports SPNego Kerberos authentication from NWBC to the back-end ERP.
Hi everyone,
Nicholas is correct. See this blog for more details:
Also the NW SSO SCN Space:
NetWeaver SSO 2.0 at $52 a license is the equivalent of stealing in my opinion. SAP should be ashamed for charging for the ability to provide single sign on to its applications.
The client base needs to push back and make SAP give it away for free!
Great point. Just to share, there are 3rd party products, of course. One that is economical and that offers lots of additional benefits in the authentication space is from CyberSafe (https://products.cybersafe.com/). I'm in the process of implementing that now and it's been a great experience.
Hi Murali,
I came across these guides the other day, they may help you out:
http://scn.sap.com/docs/DOC-40178
I agree it is a bit confusing - that blog is from 2007, so may be a bit out of date. I think in it he refers to the scenario where the NWBC is connecting to a portal first and therefore uses the SPNEGO configuration on the portal (J2EE) to enable the SSO from the desktop. If you try to connect directly to your ABAP system first you can't do SSO unless you use the new feature in NW SSO 2.0 that enables SPNEGO on the ABAP stack (this is shown in the link above).
I admit I have been confused by this too!
Hth,
Simon
Hi,
Are we talking about NWBC for Desktop or NWBC for HTML?
I have read some literature about this and I think there is no SSO through Kerberos for NWBC for HTML for the moment.
Besides, the blog you are referring to applies to the NW SSO solution.
Check the comments of this blog:
Best regards,
Guillaume
Murali
I am about as confused on this subject. When I first started exploring NWBC SSO, I read the following paragraph and jumped to the conclusion that NWBC could support login to SAPGUI for Windows via SNC. I thought it was just a matter of tweaking the parameter (i.e. Logon description with SNC[LOGDESC][LOGDYN]). Regrettably, after many combinations of failures, I gave up on that subject. Hopefully somebody could help shed some light here.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/6f/5b450ec1564316b2d95558678a484d/content.htm
I will be testing another method using SAP Logon tickets (procedure below) and SAML2. But I think the outline procedure should be quite similar.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/dc33c460a243929b7ec120f55af101/frameset.htm
HTH
Murali
Just FYI ... Our NWBC Single Sign On using SAML2 is a success. We're in the process of rolling it out to our PRD system. After I get through with the rendering issues (Ref: OSSN# 1736212), the rest of the process is actually pretty straightforward. Of course, it all depends on which software provider is used in the backend.
Cheers
Damean