03-10-2015 8:22 PM
Our SAP systems at my company are not SSO. But we have recently developed quite a few ASP.NET web applications that use the SAP .NET Connector to read and write data into and out of SAP. We would really like to have these transactions be executed by each user using their own SAP login. I know we need to use RfcCustomDestination, but we'd rather not force users to log in.
Tried doing a unit test setting these parameters:
Dim newDest As RfcCustomDestination = ECCConnection.CreateCustomDestination()
newDest.SncMode = "1"
newDest.SncPartnerName = "p:CN=SAPServiceS71"
newDest.Client = "001"
newDest.SncMyName = "p:CN=USERXYZ@AD.COMPANY.COM"
Couldn’t find the SAP crypto library since it was looking in Program Files (x86) instead of plain Program Files. So I added this:
newDest.SncLibraryPath = "C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll"
Now I hit a new roadblock. Error during SncPDInit. No specific error message is given other than --
STOP! -- initial call to gss_indicate_mechs()
Any insights? Is my 64-bit machine a problem? I'm only guessing that because the SncLibraryPath was pointed at the 32-bit library in my Environment Variables, but my web app is 64-bit using 64-bit connector.
03-10-2015 8:23 PM
Full error below:
LOCATION CPIC (TCP/IP) on local host with Unicode
ERROR GSS-API(maj):
STOP! -- initial call to gss_indicate_mechs() failed
TIME Tue Mar 10 10:41:22 2015
RELEASE 720
COMPONENT SNC (Secure Network Communication)
VERSION 6
RC -1
MODULE sncxxdl.c
LINE 578
DETAIL SncPDLInit
SYSTEM CALL gss_indicate_mechs
COUNTER 2
03-12-2015 2:37 PM
Hello,
Just to confirm, is your SAP system configured for SNC SSO or not?
Thanks
Shaik
03-13-2015 1:15 PM
I have a single instance in our non-production environment that has SSO set up. We are trying to develop a proof of concept before moving forward with SSO.
10-28-2015 7:08 PM
Hello,
I am trying to achieve the same thing and have the exact same error as you do. Could you please indicate if you solved your problem?
I am trying to log in with SSO to our SAP server. We already have a working SSO configuration using SAP GUI. I am using v3 of the .NET connector in 64-bit. My app is only made for x64 architecture (desktop app, not ASP). Logging in manually works fine. My parameters are correct (SncMode, SncPartnerName, Client, SncMyName and SncLibraryPath).
Hint: Architecture doesn't seem to be a problem. I am pointing to the same directory as you, and it is indeed the 64-bit version of sapcrypto.dll. If I change the path to the x86 Program Files dir, I get an error saying: Error 193 = "C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll is not a valid Win32 application".
One other thing, on the SAP server side, tech tells me that we are indeed using Kerberos for SSO.
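Added example, not part of any post in this thread: a way to rule the 32-bit/64-bit question in or out before looking at SNC itself, by reading the Machine field from the PE header of the file that SncLibraryPath points to and comparing it with the bitness of the process that loads it. The function names and the sample headers are constructed for illustration; Error 193 quoted above is Windows' ERROR_BAD_EXE_FORMAT, which is what this mismatch produces.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF format
MACHINES = {0x014C: ("x86", 32), 0x8664: ("x64", 64)}


def pe_machine(data: bytes):
    """Return (name, bits) for a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    # e_lfanew at offset 0x3C holds the file offset of the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine not in MACHINES:
        raise ValueError(f"unrecognised machine type 0x{machine:04x}")
    return MACHINES[machine]


def check_library(data: bytes, process_bits: int) -> str:
    """Compare the library's architecture with the loading process."""
    name, bits = pe_machine(data)
    if bits != process_bits:
        return f"MISMATCH: {name} library cannot load into a {process_bits}-bit process"
    return f"OK: {name} library matches a {process_bits}-bit process"


def sample_pe(machine: int) -> bytes:
    """Constructed minimal header: MZ, e_lfanew=0x80, PE signature, Machine."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: script.py <path to SNC library> [process bits, default 64]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(4096)
    else:
        data = sample_pe(0x014C)  # constructed 32-bit sample
    bits = int(sys.argv[2]) if len(sys.argv) > 2 else 64
    print(check_library(data, bits))
```

An OK result only shows that the library can be loaded; a failure in gss_indicate_mechs() happens after loading and has to be diagnosed separately.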
10-28-2015 7:15 PM
Please check my comment below, dated Mar 16, 2015 2:58 PM. I suspect this is the reason for your problem.
Thanks
Tim
10-28-2015 7:23 PM
Frederic Wojnarowski wrote:
One other thing, on the SAP server side, tech tells me that we are indeed using Kerberos for SSO.
The SAP Cryptolib which is free for use only supports x.509 certificates. The SAP Cryptolib that is included with the licensed SAP SSO product only supports using Kerberos for Client -> Server (e.g. SAP GUI --> SAP ABAP) and not for applications like .net Servers. This is why you are getting the error in gss_indicate_mechs()
10-29-2015 6:55 PM
Thanks for your help, but I am not trying to create a .net server app. I am coding a .net SAP client app...
10-29-2015 7:33 PM
ok. Anyway, I have used SNC with many .net applications on desktops and on servers, using Kerberos and not had any issues - works well.
11-04-2015 5:18 PM
Frederic,
SNC is designed to be independent of concrete credentials. Each SNC provider product comes with one or a set of supported credential types; in case of SAP Single Sign-On Secure Login Client (the frontend part) and SAP CommonCryptoLib (the backend part which is installed with the NetWeaver Kernel) you have the choice of using Kerberos and/or X.509 certificates.
The same SAP CommonCryptoLib instance on NetWeaver can handle both peer credential types, Kerberos and X.509, in parallel.
A server to server SNC connection with SAP CommonCryptoLib must use X.509 certificates. Unlike end user clients, the administrative effort to configure X.509 on both sides is quite low, and is completely independent of Microsoft domain services.
If your .NET client app uses SAP NCO for RFC and SNC, then you have the choice of using Kerberos or X.509 on end user side once you run SAP SSO SLC on such client. The backend component is already in place.
Any SNC product should work if configured properly. The question is what you need (not just today, but also in future), and what effort you like to invest in rollout, configuration and operation.
-- Stephan
03-16-2015 2:58 PM
It looks like you are trying to use the SAP Cryptolib as the SNC library, which only supports Kerberos protocol (with proprietary SNC name format) and x.509 certificates for incoming SNC connections, and x.509 certificates for outbound connections.
So, you need to use an SNC library on the .net server that supports Kerberos protocol for outbound connections, and an SNC library on the server running SAP NetWeaver that supports Kerberos for incoming connections.