RfcCustomDestination for individual ASP.NET users

former_member197445
Contributor
0 Kudos

OK, I'm usually the one answering questions in this group, but today I need clarification. Our SAP systems at my company are not SSO. But we have recently developed quite a few ASP.NET web applications that use the .NET Connector to read and write data into and out of SAP. We would really like to have these transactions be executed by each user using their own SAP login. I know we need to use RfcCustomDestination, but we'd rather not force users to log in.

Is SSO the answer, given that we really don't want to make the users have to log in to SAP through the web app? Can we use the SNC RfcConfigParameters without SSO, or do they go hand in hand? Please enlighten me. @Markus Tolksdorf, you seem to have a handle on this. Can you give me some pointers, please? Thanks.

Accepted Solutions (1)

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Case,

Well, SSO is the answer if you don't want the users to log on again to the backend. For a convenient way, you could use assertion tickets that you issue in the NCo application using the SAPSSOEXT library (helpful info in https://scn.sap.com/thread/240846) and establish trust from the backend to the .NET app. Adding SNC on top for encrypting the line always makes sense. You would also prefer HTTPS to plain HTTP if possible ... When using SNC without SSO (meaning that the SNC identity is not used for logging on), you can use any SNC client identity for achieving this; if not, you'll need a system PSE. There are also other options for logging on using the EXTID mechanism (see programming guide appendix A), but all of them require that you have logged on to the .NET app with a certain mechanism (certificate, Windows NTLM, ...) and forward the token and establish trust via an SNC system PSE. What you really can use depends heavily on what you really can do in your environment.

Best regards,

Markus

former_member197445
Contributor
0 Kudos

Basis guys got SSO set up, so tomorrow I will be testing it out and report back.  Thanks for the guidance.

former_member197445
Contributor
0 Kudos

No luck on my first attempt.

Tried doing a unit test setting these parameters:

Dim newDest As RfcCustomDestination = ECCConnection.CreateCustomDestination()

newDest.SncMode = "1"

newDest.SncPartnerName = "p:CN=SAPServiceS71"

newDest.Client = "001"

newDest.SncMyName = "p:CN=USERXYZ@AD.COMPANY.COM"

Couldn’t find the sap crypto library since it was looking in Program Files (x86) instead of plain Program files.  So I added this:

newDest.SncLibraryPath = "C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll"

Now I hit a new roadblock.

STOP! -- initial call to gss_indicate_mechs()

This seems to be related to Kerberos not allowing the inquiry.  Any insights?

former_member197445
Contributor
0 Kudos

Also, I should mention that my ASP.NET application is Windows authenticated, so if there's a way to get the Kerberos ticket and use that for SSO, that's basically what I'm trying to do.  Thanks.

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Case,

I guess I need to delegate this to some of the security colleagues. I know that using Kerberos for that is sometimes tricky.

Best regards,

Markus

former_member200373
Participant
0 Kudos

Case,

could you open a ticket for component BC-IAM-SL? We need some trace files. We can put the solution to this thread.

Thanks,

Stephan

Answers (0)