Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Can we find the auth method used after a user has authenticated ?

tim_alsop
Active Contributor
0 Kudos

When a user is authenticated to an SAP ABAP system, they can use a userid and password, SNC or an SSO2 ticket. Is there a report, or some other way to get a list of user authentications over a period of time (e.g. during the last 7 days) and indicate whether the user has authenticated using SNC, using an SSO2 ticket or via an SAP userid and password?

I hope the answer is yes, but so far I have been unable to find a way to do this.

Regards,

Tim

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

I didn't receive any answer to this thread. There are points waiting to be awarded to somebody who can help?

Thanks,

Tim

18 REPLIES 18

Former Member
0 Kudos

Hi Tim,

I am not too worried about the points, but to help you close the thread...

I assumed at the time that you were wanting to reconstruct some event, so you have already interrogated the available audit logs and server statistics? There are already reason codes and logon types available there. Did they not help you further?

That you have asked again, indicates that you are looking for a reporting / analysis possibility for when users have more than 1 way of authenticating, and you want a monitoring possibility to see which they are using. Is that correct?

I have an idea for how you could do that, but am not sure whether it would work or be supported. If you are interested, then I will contact you and if it works without any side effects, then we can share it here. If it doesn't, then just think of it as one of the not-so-good ideas which also did not get any points (correctly so)...

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

I have used sm19 to enable auditing on my SAP system, and when I logon using SNC or via HTTP I can see in the audit file (using sm20) that the SAP user and client is shown, but there is no mention of the SNC name or HTTP logon method used to authenticate the SAP user. e.g. I would like to know that an SSO2 ticket was used to authenticate the user, or if SNC was used, what the SNC name was.

Bernhard_SAP
Employee
0 Kudos

Hi Tim,

I only know the possibility of creating logon traces (as per note #495911). But this will not be a long-term solution, unless you have enormous disk space available, as the traces get pretty large if they are switched on for a longer time (level 2).

But for short-term monitoring (for instance for 1 hour) they can be quite useful...

rgds,

Bernhard

0 Kudos

Bernhard,

I would like to thank you for your information.

For my requirement, I was looking for an audit solution, so using tracing is not (as you said) appropriate. I hope that SAP eventually adds some functionality to improve auditing of authentication, but until then we will have to inform our customers to use what is available.

Thanks again,

Tim

ChristophFritz
Explorer
0 Kudos

Hi Tim,

I'm sure you meanwhile found the answer - but maybe this helps other users finding your posting to solve their problem (as I also spent some time to get the information).

I found a kernel function LOGIN_INFO in BAdI CL_SSFT_SYSTEM_SIGNATURE providing this information:

* Determine how user has logged on: P=Password, S=SNC, X=X.509, E=External
  CALL 'LOGIN_INFO' ID 'OPCODE'    FIELD co_session_info
                    ID 'AUTH_TYPE' FIELD rf_auth_type.  "#EC CI_CCALL
  IF sy-subrc <> 0.
    CLEAR rf_auth_type. "unknown how user has logged on
  ENDIF.

If the value of rf_auth_type is 'S' the logon is SNC + SSO ... If you log on with UserID/Password and SNC network encryption the value is 'P'.

Best Regards

Christoph

0 Kudos

Christoph,

Thank you. We found the same code in the SYSTEM_SIGNATURE function 🙂

Regards,

Tim

0 Kudos

What is the type for the rf_auth_type field?

Thanks,

Tom

Former Member
0 Kudos

Do you run these functions with SE37 or have you developed a custom report? Also these functions don't seem to exist in our ECC 6.0 system. Tim, it would be interesting to learn more details about your solution.

0 Kudos

Jason Schweitzer wrote:

Do you run these functions with SE37 or have you developed a custom report? Also these functions don't seem to exist in our ECC 6.0 system. Tim, it would be interesting to learn more details about your solution.

I cannot share details about our solution on public SCN forums. Sorry, but it is not allowed since I represent an SAP partner, so our solution details must be discussed outside of SCN public forums.

0 Kudos

These are kernel function "C calls". You cannot see them in SE37 or test them. They are not documented and have no object references nor export / import parameters. You should actually not call them and it is not supported (when there are problems). See the documentation on the ABAP keyword "call cfunc" for official explanation.

Slightly more stable are the ABAP functions behind the SM04 technical information menu option.

Correct solution is the SM19 security audit log.

Cheers,

Julius

0 Kudos

I don't think SM19 will work here. I assume we want to determine the authentication method for the current session. You could read the latest audit record for this user and use it for determination. But what will you do if there are two concurrent sessions? For example one Fiori app where SSO from portal was used and one GUI session where username/password was used. Now you have to map them to specific audit records. This can be tricky and unreliable.

The original request is to provide a report over a selected period. If SM19 does not have enough information then it's not any good. Using that internal C function is dirty but still I don't know where it could be used. You need to have a point which gets executed after every logon and store this information in some custom table. I am not aware of any point like this.

Cheers

0 Kudos

Hi There,

I know it's an old thread but still would like to know whether you got the solution you are looking for.

Because I am also looking for information about tables or the place where SAP stores the information about the authentication method which the user used to logon to the SAP system. For example, like below:

Logon successful (type=A, method=P ) - Means user logged on using SAP GUI using user name and password

Logon successful (type=A, method=H) - Means user logged on using SSO.


Please share me the information if you have answers.


Regards,

Krishna R

WolfgangJanzen
Product and Topic Expert
0 Kudos

Martin Voros wrote:

I assume we want to determine authentication method for current session.

What's the rationale behind that?
What is intended?

Normally a user should be able to perform any action for which (s)he has sufficient authorizations.

You can already configure web applications (by changing their ICF service configuration) to require distinct authentication methods, e.g. you can configure that a critical application requires X.509 client certificate / SAML authentication. Would that be sufficient?

WolfgangJanzen
Product and Topic Expert
0 Kudos

Why do you need this information?

What kind of access control would you like to implement?

If you want users to be restricted to distinct authentication methods, you should use the concept of Security Policies.

If you want to block unencrypted SAPGUI / RFC communication, have a look at SAP note 1690662.

0 Kudos

Hi Wolfgang, you should always keep in mind that system owners are in need of reporting (at least I am and I think this was Tim's original intention):

- How many users already heard the call to activate SNC in SAP Logon, especially if there is only encryption without SSO and there is no control over clients' saplogon.ini?

- How many users logged on without SNC because their SLC installation is broken, they forgot their smartcards or they are some other kind of exceptional use case (like SAP Support users) or they simply think they know better?

- How many users are still using deprecated SSO method xyz (e.g. SSO Ticket of some portal) that I would like to switch off?

We always need smooth transitions and no hard cut over and reporting helps us to decide if we need further communication to our users.

And then there are needs for risk based authorization / authentication solutions:

- An authentication via an internet-exposed-fiori-gateway-hub-with-trusted-RFC scenario might be considered less trusted than a direct certificate based access.

Note 1690662 is nice in theory, but we cannot activate this until we are sure that 99.9 percent of all users already use SNC. And currently we have no means to know if we have 1% or 99.9% (if we use encryption only). And as soon as we activate these parameters we lose support because SAP supporters are not able to connect anymore and users who forgot their smart card can go home - ha ha ha.

Do you know a production system that is snc/only_encrypted_gui enabled? I doubt this because SNC is so unreliable both for technical and organizational reasons.

So give us more reporting, reporting reporting!!!

Regards,

Lutz

0 Kudos

O.k. - the original inquiry was about an API. And the answer is: there is none (by intent).

Your inquiry is about reporting - and the answer is: the Security Audit Log is the right place.

Meanwhile the Security Audit Log (SAL) also contains the authentication method for SAL events of type "Successful logon".

In addition there are dedicated SAL events for the usage of non-encrypted SAPGUI / RFC connections (you seem to be aware of).

To answer your question about productive systems which are configured to use "SNC only".
Well, here at SAP there are many of such systems.
Even in most development systems (which we consider "productive") SNC is mandatory.
When I access a new system for the first time, I always use SNC - and then I choose to delete my password (in case there is one) when being prompted to either change that password or to delete it. Simply because I cannot memorize so many passwords (since I'm not "recycling" them). SNC is not unreliable at all - I'm using it daily and have been for years. My mail client is less reliable... (but I have no free choice).
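As an added example that is not part of this thread and not SAP's own code: the reply above points to the Security Audit Log (SAL) as the place where the authentication method of a successful logon is recorded, and Krishna's post quotes the message text in the form "Logon successful (type=A, method=P )". The script below turns exported SAL lines into the per-user, per-method report over a chosen number of days that the original question asked for. The pipe-separated column layout of the sample lines, the REPORT_DATE and the function names are assumptions; only the message text and the letters P (password) and H (SSO) follow the thread, and the sample lines are constructed.

```python
"""Per-user authentication-method report from exported Security Audit Log lines.

Assumption: each exported line is "<timestamp> | <client> | <user> | <message>".
That layout is invented for this example; only the message text follows the
wording quoted in the thread ("Logon successful (type=A, method=P )").
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Method letters as quoted in the thread: P = password, H = SSO logon.
METHOD_LABELS = {"P": "password", "H": "SSO"}

# Only successful logons carry the method we want to count; failed logons and
# any other SAL message are skipped by the pattern.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<client>\d{3})\s*\|\s*(?P<user>\S+)\s*\|\s*"
    r"Logon successful \(type=(?P<type>[A-Z]), method=(?P<method>[A-Z])\s*\)"
)

# Constructed sample export (not real SAL output).
SAMPLE_LOG = """\
2019-01-07 08:15:22 | 100 | TIM | Logon successful (type=A, method=P )
2019-01-07 09:02:10 | 100 | TIM | Logon successful (type=A, method=H)
2019-01-08 07:55:01 | 100 | JULIUS | Logon successful (type=A, method=P )
2019-01-01 12:00:00 | 100 | JULIUS | Logon successful (type=A, method=P )
2019-01-09 10:30:45 | 100 | KRISHNA | Logon successful (type=A, method=H)
2019-01-09 10:31:00 | 100 | KRISHNA | Logon failed (type=A, method=P )
"""

# Assumed reporting date; the 7-day window ends here.
REPORT_DATE = datetime(2019, 1, 10)


def parse_logon_events(text):
    """Return one dict per successful-logon line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "client": m["client"],
                "user": m["user"],
                "type": m["type"],
                "method": m["method"],
            })
    return events


def summarise(events, now, days=7):
    """Count successful logons per user and method within the last `days` days."""
    since = now - timedelta(days=days)
    per_user = defaultdict(Counter)
    for ev in events:
        if since <= ev["ts"] <= now:
            per_user[ev["user"]][ev["method"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def password_only_users(summary):
    """Users whose every logon in the window used method P (password)."""
    return sorted(user for user, counts in summary.items() if set(counts) == {"P"})


def format_report(summary):
    """Render the summary as one line per user, e.g. 'TIM: SSO=1, password=1'."""
    lines = []
    for user in sorted(summary):
        parts = ", ".join(
            f"{METHOD_LABELS.get(method, method)}={n}"
            for method, n in sorted(summary[user].items())
        )
        lines.append(f"{user}: {parts}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = summarise(parse_logon_events(SAMPLE_LOG), REPORT_DATE)
    print(format_report(report))
    print("password-only users:", password_only_users(report))
```

On the sample data the window from 2019-01-03 to 2019-01-10 excludes JULIUS's logon on 2019-01-01 and the failed KRISHNA logon, so JULIUS is the only user reported as still password-only. Adapting the script to a real export means changing LOGON_RE to the column layout of the SM20 export in use; the method letter is the only field the report depends on.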

0 Kudos

Hi Wolfgang,

I thought you were answering to Tim's original message (second sentence): [...]"Is there a report, or some other way to get a list of user authentications over a period of time (e.g. during last 7 days) and indicate whether the user has authenticated using SNC, using an SSO2 ticket or via a SAP userid and password ?"[...]. So this was about reporting. Sorry.


At SAP you are in quite a fairy-tale world concerning SNC. One domain, central client management, SAP system owners trusting AD security so you can do Kerberos based SNC including SSO, external personnel that has access via virtual desktops. Quite idyllic. As soon as you leave this environment roads get very winding and full of potholes. E.g. SAP's GUI people implemented note 2138335 and the confirmed reason is that SNC is unreliable (e.g. people forget or break their smart cards in an X.509-token scenario).

And as soon as you use an SAP fat client other than GUI with SNC but without SSO then you will find out that you are the first one who ever tested this (well the second, because I was the first one).

On these bumpy roads we are in need of every tool we can get. The reporting you mention has reached only a small fraction of systems of the real world. So we are in need of an API to write our own reporting in older systems.

SAP people unfortunately regularly underestimate SNC complexity in large real world environments because they have such a dreamlike IT infrastructure "at home".

I would be glad to invite you to a deeper dive into the real world using PM, email or a phone call if you like.

SAP is the only company in the world that can set the parameters of 1690662 because they have their supporters inhouse so they can use Kerberos based SNC.

The most probable solution for reliable DIAG and RFC encryption would be if SAP fully implemented RFC 2743 including chapter 1.2.5: Anonymity Support.

Regards,

Lutz