Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP GUI SSO in multiple domain

former_member267987
Explorer

‎02-14-2014 10:16 AM

0 Kudos

Hello,

We have requirement to implement the SSO for ECC system using AD, We have domain installation for both the system but issue is that we are using different domain for Servers user (<SID>adm and SAPService<SID>) and End users exist on different domain, So my question is can we configure SSO using kerberos ??

  1. SAP systems are on Windows 2008 server.
  2. SAP Systems has version NW 7.31 and kernel 720_EXT.
  3. SAP system are in different domain ABC.
  4. Active Directory users are in domain DEF.
  5. Domain DEF has ABC and other subsidary domains.

I was checking over the net and found that we can achieve it by setting the trust between the servers but unable to find How to guide to achieve the same.

Also let me know if it include additional cost of any license and what is difference between various type of Kerberos,SPNEGO,NTLM, X.509 and what we can achieve with SAP Netweaver Single Sign On 2.0 server, Does it include extra license cost ?

5 REPLIES 5

Former Member

‎02-14-2014 6:22 PM

0 Kudos

Ask your Windows admins to establish the trust, they can do it on a server (machine) level or domain level. NWSSO is a separately installed product. Since you are on heterogeneous Windows architecture you can use the library provided in SAP note 352295 although the library might not work with recent Active Directory landscapes, encryption keys, etc. In case it doesn't, you will have to require NWSSO or a SSO product from a certified SAP partner.

former_member267987
Explorer
In response to Former Member

‎02-15-2014 2:33 PM

0 Kudos


Thanks Samuli,

Could you please direct me the detailed SAP documents and which way trust (one way ) will work,

Also if we can establish it using Kerberos then why we require Netweaver SSO product ?

Pawan

Former Member
In response to Former Member

‎02-16-2014 4:13 AM

0 Kudos

I don't think SAP has documented the procedure since it's not SAP specific, it's generic to Windows. You might want to search MSDN or Microsoft KBAs to get help. Regarding what kind of trust needs to be setup, see this discussion thread. It's not a question of whether you can use Kerberos or not. The library provided in SAP note 352295 supports Kerberos, it is more a question if that library is compatible with your AD infrastructure/setup. NWSSO or a 3rd party product is required if the provided library doesn't work, for whatever reason.

MichaelShea
Product and Topic Expert
Product and Topic Expert
In response to Former Member

‎02-17-2014 7:41 AM

0 Kudos

To add some perspective as someone who writes documentation, if SAP officially documents a procedure of another company's software, depending on the legal framework, SAP can be held accountable for that documentation. You can see how that can be a problem. Microsoft can change how their software works without notifying SAP.

Former Member

‎02-17-2014 8:05 AM

0 Kudos

Hi Pawan,

With respect to setting trust relationship between domains you must contact your Windows Admin and check the requirements and explain the purpose.

See if you can simulate your idea before going in any other direction, this always is a good way to handle requirements and also good for knowledge base.

Cheers,

Nagarajan Viswanathan