
allow unencrypted users to login for SNC client encryption enabled system

Former Member

Hi,

We have successfully configured SNC client encryption with password logon and it is working fine.

Below is the list of parameters we have defined in the instance profile.

snc/accept_insecure_gui =1

snc/only_encrypted_gui =1

With the above parameter all the connections which are trying to connect to the SAP system are encrypted.

Scenario 1 - If user logs in with SNC enable SAPGUI configuration it works perfectly fine

Scenario 2 - if user logs in without SNC enable SAPGUI configuration it gives a popup message "Unencrypted logons are not allowed"

Now, there is a requirement from the client: they want to provide an exception for a few users to log in "unencrypted".

Please let me know what options I have to allow unencrypted connections for a few users?

Regards

Junaid Alam


Answers (4)


Former Member

Are you sure the requirement is to permit a non-encrypted connection? Perhaps what you are referring to is the requirement to enable a password-based logon for some users, which can also be performed via SNC-protected logins and connections?

Or perhaps your problem is that the connections are established from clients which are outside of your infrastructure, where you cannot implement SNC. E.g. RFC connections from external connections via SAP routers? A known one is the SAP OSS connection, but do you really have other DIAG or RFC connections to outside of your infrastructure?

Cheers,

Julius

Former Member

Hi All,

Thanks for your recommendations and help on this issue

Based on the recommendation and further research I have come to the conclusion that for allowing secured and unsecured connections it is mandatory to set the parameter "snc/accept_insecure_gui" to value 1.

Since the scenario we are using is SNC client encryption without SSO (password logon), parameter "snc/accept_insecure_gui" = 0 behaves differently and rejects SNC connections.

As Lutz mentioned, the parameter documentation is misleading and behaves differently. For this to work we had to use additional parameter snc/only_encrypted_gui = 1.

Let me know if we have any other option?

Regards

Junaid

LutzR
Active Contributor

Hi Alam,

Everything is fine with your snc/accept_insecure_gui = 1. For the meaning of snc/accept_insecure_gui have a look at my response to Michael Shea above.

For the options I see with or without snc/only_encrypted_gui = 1 have a look at my new post even further up.

I would like to make you aware that you are quite alone using SNC client encryption. I was definitely the first one who ever tested BEx Analyzer and Analysis for Office with SNC without SSO, in spring 2014. This was obvious. Both were completely broken in multiple ways and it took SAP until early 2015 to fix it all, and only in combination with GUI 7.40. BW client developers and testers simply had never heard of this SNC option. But current versions of these three clients are quite reliable nowadays (concerning SNC).

So if you plan to use other clients than these three (GUI, BEx, AfO) be aware of risks, use current client versions, test early and immediately contact SAP in case of problems.

And: once in a while use wireshark, netmon or comparable to check if traffic is really encrypted because we found that kind of issue too.

Feel free to contact me using the "send direct message" function in the communications corner. It would be great if you would keep me up to date concerning your experiences.

Keep a stiff upper lip!

Regards,

Lutz

Former Member

Hi Lutz,

Thanks for the details and for sharing your experience with the BW tools with SNC without SSO.

We have SAP system regionally based such as LAR, ASIA, NAR & EMEA.

Right now our plan is to secure the BW system only for NAR, not for the other regions. The information you have provided is really helpful; keep in touch, and I will send you a direct message in case of any questions specific to this scenario.

Regards

Junaid

donka_dimitrova
Contributor

Hello Alam,

Parameter snc/accept_insecure_gui takes these values:

1 Accept insecure communication

Use this value if both insecure and secure communication are to be allowed for SAP GUI.

0 Disallow insecure communication

Use this value if only secure communication is to be allowed (no insecure communication) for SAP GUI.

U User-defined (User Management SU01)

Use this value if insecure or secure communication for SAP GUI application is to be configured in the user management tool (SU01).

We recommend that you set this value to 1. If you want to enforce higher security, change this value to 0 (for all) or U (user dependent).

For more details see: 6.4.1 SNC Parameters for the SAP Cryptographic Library in our implementation guide: http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf

I hope this is helpful!

Regards,

Donka Dimitrova

LutzR
Active Contributor

Hi Donka, the name and documentation of parameter snc/accept_insecure_gui are misleading. The documentation of this parameter was never adapted to SNC without SSO scenarios. This parameter is of no value in an SNC client encryption scenario. This was verified with product management and development. I will discuss this with as soon as his CEI starts.

Regards,

Lutz

MichaelShea
Advisor

I look forward to the discussion. I will read up on the topic.

LutzR
Active Contributor

Hi Michael,

Suggestion for a better explanation of snc/accept_insecure_gui:

This parameter is only relevant in case of parameter snc/enable = 1.

1 Allow password based authentication

Use this value if authentication to GUI using uid/pwd should be allowed. This value is obligatory if SNC client encryption or any other SNC without Single Sign On scenario is used.

0 Disallow uid/pwd authentication / enforce Single Sign On

Use this value if all users shall authenticate to GUI using Single Sign On without any exception

U User-defined (User Management SU01)

Use this value if the authentication method for the SAP GUI application is to be configured in the user management tool (SU01). U is somewhat deprecated, since user accounts have been maintainable without an assigned password for quite a while.

We recommend that you set this value to 1. If you want to enforce Single Sign On, change this value to 0 (for all) or U (user dependent) or alternatively deactivate the users' passwords.
Be aware that enforcing Single Sign On may be the only way to enforce encrypted data transfer.

What do you think?

Regards, Lutz
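The profile-side rules collected in this thread (Donka's value table, Lutz's reinterpretation of snc/accept_insecure_gui, and the "Unencrypted logons are not allowed" behaviour of snc/only_encrypted_gui), as an added example that is not part of the original answers and not SAP's own code: a small Python audit that reads an instance profile and states which SAP GUI logon kinds it accepts. The sample profile is constructed, the defaults assumed for absent parameters are this example's assumption, and the snc/data_protection/min check goes beyond what the thread discusses; the accept/reject rules themselves follow what the thread reports rather than SAP's parameter documentation.

```python
"""Added example (not code from the thread or from SAP): audit the SNC
parameters of an ABAP instance profile for the SAP GUI logon scenarios
discussed in this thread.

Assumptions: profile lines are 'name = value', '#' starts a comment,
missing parameters fall back to the defaults noted in gui_logon_decisions().
The decision rules are those reported in the thread, not SAP's parameter
documentation; the snc/data_protection/min check goes beyond the thread.
"""

# Constructed profile fragment, not a real system's profile.
SAMPLE_PROFILE = """\
# constructed instance profile fragment
SAPSYSTEMNAME = BWP
snc/enable = 1
snc/identity/as = p:CN=BWP, OU=SAP, O=Example
snc/accept_insecure_gui = 1
snc/only_encrypted_gui = 1
snc/data_protection/min = 1
snc/data_protection/use = 3
"""


def parse_profile(text: str) -> dict:
    """Parse 'name = value' profile lines into a dict; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def gui_logon_decisions(params: dict) -> dict:
    """Return accept/reject/per-user for three SAP GUI logon kinds.

    snc_sso      : SNC with single sign-on (Kerberos/X.509 authenticates the user)
    snc_password : SNC client encryption, user types a password inside the SNC session
    plain        : no SNC at all

    Rules as observed in the thread:
      snc/enable = 1              precondition for any SNC logon
      snc/only_encrypted_gui = 1  non-SNC GUI logons get 'Unencrypted logons are not allowed'
      snc/accept_insecure_gui     1 allows password logon over SNC, 0 enforces SSO
                                  (password logon over SNC is rejected), U defers to SU01
    Defaults for absent parameters (0) are an assumption of this example.
    """
    snc_enabled = params.get("snc/enable", "0") == "1"
    only_encrypted = snc_enabled and params.get("snc/only_encrypted_gui", "0") == "1"
    accept_insecure = params.get("snc/accept_insecure_gui", "0").upper()

    if not snc_enabled:
        password = "reject"
    elif accept_insecure == "1":
        password = "accept"
    elif accept_insecure == "U":
        password = "per-user"
    else:
        password = "reject"

    return {
        "snc_sso": "accept" if snc_enabled else "reject",
        "snc_password": password,
        "plain": "reject" if only_encrypted else "accept",
    }


def audit_profile(params: dict) -> list:
    """Human-readable findings a reviewer would raise for this profile."""
    findings = []
    decisions = gui_logon_decisions(params)
    if decisions["plain"] == "accept":
        findings.append("unencrypted SAP GUI logons are accepted "
                        "(snc/only_encrypted_gui is not 1)")
    else:
        findings.append("unencrypted SAP GUI logons are rejected; clients that "
                        "cannot do SNC (non-domain PCs, SAP support via SAProuter) "
                        "are locked out")
    if params.get("snc/enable") == "1" and decisions["snc_password"] == "reject":
        findings.append("snc/accept_insecure_gui = 0 rejects password logon over "
                        "SNC, so SNC client encryption without SSO will not work")
    # Assumption beyond the thread: snc/data_protection/min is the lowest
    # protection level the server accepts (1 auth, 2 integrity, 3 privacy).
    # Below 3 an SNC session can be negotiated without encryption.
    if params.get("snc/data_protection/min") != "3":
        findings.append("snc/data_protection/min is not 3: an SNC session may "
                        "be authenticated/integrity-protected only; confirm "
                        "encryption on the wire (e.g. with Wireshark)")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print("-", finding)
```

Run against the constructed profile it reports two findings: non-SNC logons are locked out (including support access, as Lutz notes further down), and the server would still accept an SNC session below privacy level. Flipping snc/accept_insecure_gui to 0 in the sample reproduces Junaid's observation that password logon over SNC is rejected.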

LutzR
Active Contributor

Dear Alam, you probably do not want those few clients to communicate unencrypted, but you probably want some non-AD-member clients to be able to connect at all, do you?

We are probably experiencing the same issue. We want to use encrypted access everywhere but not all users/PCs are AD members.

Currently there is no satisfying solution.

With  snc/only_encrypted_gui =1 not even SAP support can access your system currently. The only company that can set parameter snc/only_encrypted_gui =1 without losing support access is SAP itself.

So currently you will have to revert snc/only_encrypted_gui =1 to 0 with the consequence that you cannot enforce encryption where it is technically possible anymore.

The only solution I see is that SAP completes implementation of RFC 2743 by implementing chapter 1.2.5: Anonymity Support. But currently SAP is not willing to do this.

Regards,

Lutz

Message was edited by: Lutz Rottmann

Short addition: snc/accept_insecure_gui =1 has only effect in SNC with Single Sign On scenarios.

Former Member

Hi Lutz,

Thanks for the explanation.

That is exactly our requirement. There are a few machines on which there might be non-AD accounts that need to connect unsecured using SAPGUI. Also, there are JCo connections that use non-AD accounts.

I am planning to use 2 SAPGUI configuration files

1) SAPGUI configuration SNC enabled (This will be distributed to all users as they use citrix client to connect)

2) SAPGUI configuration without SNC enabled (For the users who are using non-ad accounts)

Our requirement is to make sure every connection, dialog, RFC, JCo or any other type, is secured. In some scenarios where it is not possible we are requesting a security variance from our compliance team.

Do you think we are on the right path?

Regards

Junaid Alam.

LutzR
Active Contributor

Hi Alam,

what you can do without changing snc/only_encrypted_gui =1 back to 0:

Give those non-AD users access to some kind of remote desktop / terminal server solution that resides inside the domain. Let them use GUI there and they can use SNC client encryption. Secure the remote desktop traffic with SSL. You could also do this for SAP support: give SAP support access to a remote desktop instead of direct GUI access.


What you have to do in case you change snc/only_encrypted_gui =1 back to 0:

Users must not be able to define system connections, so install SAP Logon Pad only. If you do not have full control over the clients there is little you can do. We were thinking about using the GUI logon user exit to do some SNC checks programmatically, but this would be too complex for our scenario. There might be options to monitor unencrypted access in the security audit log but I am not up to date on this.

For RFC and JCo there might be a solution with self-signed certificate based SNC if it is a kind of machine-to-machine RFC (e.g. Portal to ABAP). This will not work with RFC clients like BEx Analyzer, Analysis for Office or ABAP in Eclipse.

Regards,

Lutz
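For the machine-to-machine RFC/JCo case Lutz mentions, as an added example that is not part of the original answer and not SAP JCo or NW RFC SDK code: a Python check that reads a destination definition and says whether it merely turns SNC on or actually requests an encrypted session. The point it demonstrates is the one raised earlier in the thread about verifying that traffic is really encrypted: snc_mode=1 with a quality-of-protection of 1 or 2 gives an authenticated, possibly integrity-protected, but unencrypted SNC session. The destination file is constructed; the jco.client.snc_mode / snc_qop / snc_partnername / snc_myname / snc_lib keys are the documented JCo property names, and the same check is applied to sapnwrfc.ini-style names (SNC_MODE, SNC_QOP, ...) by normalising keys, which is this example's assumption.

```python
"""Added example (not code from the thread, SAP JCo or the NW RFC SDK): check
whether an RFC/JCo destination definition actually requests an encrypted SNC
session, for the machine-to-machine case (e.g. Portal -> ABAP).

Assumptions: the destination is a Java-properties style '.jcoDestination'
file using the documented jco.client.snc_* keys; sapnwrfc.ini names
(SNC_MODE, SNC_QOP, ...) are accepted by lower-casing keys.
QOP values follow SNC's levels: 1 authentication, 2 integrity, 3 privacy,
8 default, 9 maximum available.
"""

# Constructed destination file, not taken from any real system.
SAMPLE_DESTINATION = """\
# constructed: Portal -> BWP RFC destination secured with X.509-based SNC
jco.client.ashost=bwp.example.internal
jco.client.sysnr=00
jco.client.client=100
jco.client.user=PORTAL_RFC
jco.client.snc_mode=1
jco.client.snc_qop=3
jco.client.snc_partnername=p:CN=BWP, OU=SAP, O=Example
jco.client.snc_myname=p:CN=PORTAL, OU=SAP, O=Example
jco.client.snc_lib=/usr/sap/sec/libsapcrypto.so
"""

QOP_LEVELS = {
    "1": "authentication only",
    "2": "integrity",
    "3": "privacy (encryption)",
    "8": "server default",
    "9": "maximum available",
}


def parse_properties(text: str) -> dict:
    """Parse key=value lines; drop the jco.client. prefix and lower-case keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key.startswith("jco.client."):
            key = key[len("jco.client."):]
        props[key] = value.strip()
    return props


def snc_state(props: dict) -> dict:
    """Classify a destination: no SNC, SNC without encryption, or encrypted SNC."""
    issues = []
    if props.get("snc_mode") != "1":
        return {"snc": False, "encrypted": False,
                "issues": ["snc_mode is not 1: logon data and RFC payload travel in clear"]}
    for key in ("snc_partnername", "snc_lib"):
        if not props.get(key):
            issues.append(f"{key} missing: the client cannot establish/verify the SNC partner")
    qop = props.get("snc_qop")
    if qop is None:
        encrypted = False
        issues.append("snc_qop not set: protection level left to library/server default")
    elif qop in ("3", "9"):
        # 3 requests privacy outright; 9 negotiates the highest level both sides
        # support, which with the SAP Cryptographic Library includes privacy.
        encrypted = True
    else:
        encrypted = False
        issues.append(f"snc_qop={qop} ({QOP_LEVELS.get(qop, 'unknown')}): "
                      "SNC is on but encryption was not requested")
    return {"snc": True, "encrypted": encrypted, "issues": issues}


if __name__ == "__main__":
    print(snc_state(parse_properties(SAMPLE_DESTINATION)))
```

The constructed destination passes cleanly; changing snc_qop to 1 keeps SNC on but flags that encryption was never requested, which is exactly the configuration a packet capture would expose. Whether the server then accepts such a session is governed by its own snc/data_protection/min, so the client-side check complements, rather than replaces, the on-the-wire verification Lutz recommends.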

Former Member

Hi Lutz,

Apologies for the delayed response, and thanks for the explanation; it is a lot clearer now.

We are planning to proceed with parameter value snc/accept_insecure_gui = 1 so it allows both types of connections, secured and unsecured. We are going to perform the SAPLOGON configuration with SNC and push it to the user community.

For the few users who will be using non-SNC connections we will manually create the connection and allow them unencrypted until we find a solution. We have already signed a security variance with the internal security compliance team for these few users until we find the solution to secure them.

Again, Thanks for your help.

Regards

Junaid