on 02-12-2016 10:29 AM
Hi everyone,
We have an ECC 6.0 server with SAP_BASIS 700 and ABAP stack only, on Windows 2012 Server Standard.
We want to configure SSO with SAP GUI. We have an AD server on Windows 2012 Server Standard.
Please advise whether we can configure SSO 2.0 with this configuration. If possible, please share a document for configuring SSO 2.0.
Thanks & Regards
Thank you all for your valuable suggestions.
We are now able to log in through single sign-on.
But we are logging in to client 000.
Through RZ10 in the default profile we are not able to log in to a different client with single sign-on.
How do we change the default login client for single sign-on?
Thanks
Hello Ashu,
SPNEGO for AS ABAP requires SAP_BASIS as of 7.02.
See the details in the SAP Note: 1798979 - SPNego ABAP: Downport
About the wizard see SAP Note: 2015966 - Single Sign-On Wizard to Configure SNC and SPNego
Regards,
Donka Dimitrova
Hi Donka,
We are getting the error: SNCWIZARD T-code does not exist.
Still, we proceeded further. We installed the Secure Login Library, maintained the SECUDIR parameter, maintained the SNC parameters in RZ10 and restarted the server. SNC is started on the server. We generated the Kerberos keytab with the commands below:
sapgenpse keytab -p SAPSNCKERB.pse -a SPN@DOMAIN
sapgenpse seclogin -p SAPSNCKERB.pse -O SAPServiceSID
We had deleted the CRED_V2 file before generating the keytab file.
While importing this PSE in STRUST and saving it as SNC SAPCryptolib,
it shows the error below:
Cannot determine public key algorithm of PSE.
Before this we had created a user on the AD server and defined SAP/SPN for this user in ADSI Edit.
After logging in with the above user and with the SNC name defined as CN=SPN@DOMAIN, we get the error below:
Miscellaneous failure.
A221021E: Server refuses kerberos key exchange.
Please help as we have very short time to implement SSO.
Please help, thanks in advance.
Regards
Hi Ashu,
you did some strange things wherever. If you have time, try to proceed according to this checklist. Maybe it helps.
Service Account in Active Directory
☐Make sure the account is not locked and has a known and never changing password
☐Make sure „Use DES encryption“ is not checked
☐Make sure the Service Principal Name in AD has the following Syntax: SAP/<sAMAccountName>
☐Check with the CLI on a domain system: setspn -l SAPService<SID> to see whether your SPN is returned
☐Check with setspn -X -F to avoid duplicate SPNs
Example:
Your SAP System ID is SA1
Your User Account in AD is SAPServiceSA1
Output of setspn -l <account>
Registered ServicePrincipalNames for CN=SAPServiceSA1,<YOUR OU STRUCTURE>,DC=<..>,DC=<..>: SAP/SAPServiceSA1
SAP System
SNC Library
☐Ensure by executing „sapgenpse“ that you are using an up-to-date CommonCryptoLib 8.4.48+
☐Make sure the environment variable $SECUDIR is properly defined and points to /usr/sap/<SID>/DVEBMGS<..>/sec
Most important Profile parameters (according to the example above):
☐snc/identity/as = p:CN=SAPServiceSA1
☐snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
Clean up your SECUDIR
☐Delete credentials for SAPSNCSKERB.PSE: sapgenpse seclogin -p SAPSNCSKERB.pse -d
☐Delete SAPSNCKERB.PSE
Proceed according to the manuals (for Domain names always use UPPERCASE):
☐Re-Create SAPSNCSKERB.pse (in your post above I noticed you are missing the „S“ in the file name)
☐Re-Create Credentials for the new PSE and make sure your SAPServiceSID user and/or SIDadm is able to use those credentials
☐List the credentials for the SIDadm using: sapgenpse seclogin -l (optionally with -O <SAPServiceSID>)
☐List the keytab and make sure you have 4 entries: sapgenpse.exe get_my_name -p SAPSNCSKERB.pse
Clean up your STRUST
☐Do NOT import the SAPSNCSKERB.pse into STRUST. Go to STRUST, select SNC SAPCryptoLib and right click + delete
You do not need this in STRUST as it would only be required for X.509 based SNC. As the SAPSNCSKERB.pse does not contain any X.509 key pairs and certificates, you receive that error message (unable to determine public key algorithm).
Restart your ABAP System and check dev_w0 to ensure SNC was initialized correctly
SAP GUI Client
On the enable SNC. On the SNC Name enter: p:CN=SAP/SAPServiceSA1 which reflects your SPN syntax.
Regards,
Carsten
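An added example, not part of Carsten's reply and not an SAP tool: a small Python checker that applies the checklist's naming conventions to `setspn -l` output, the SNC profile parameters and the SECUDIR file list. The function names, the OU and domain, and the sample inputs are constructed for illustration; the mis-set `snc/identity/as` value mirrors the CN=SPN@DOMAIN name from the question.

```python
import re

def parse_setspn(output):
    """Return (account CN, [SPNs]) from `setspn -l <account>` output."""
    m = re.search(r"Registered ServicePrincipalNames for CN=([^,]+),[^:]*:(.*)",
                  output, re.DOTALL)
    if not m:
        raise ValueError("no 'Registered ServicePrincipalNames' header found")
    return m.group(1), m.group(2).split()

def parse_profile(text):
    """Parse 'name = value' profile lines, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def check(setspn_output, profile_text, pse_files):
    """Return (findings, SNC name to enter in SAP GUI) per the checklist."""
    account, spns = parse_setspn(setspn_output)
    params = parse_profile(profile_text)
    findings = []
    if f"SAP/{account}" not in spns:
        findings.append(f"SPN SAP/{account} not registered (found {spns})")
    want, got = f"p:CN={account}", params.get("snc/identity/as")
    if got != want:
        findings.append(f"snc/identity/as is {got!r}, checklist expects {want!r}")
    if "sapcrypto" not in params.get("snc/gssapi_lib", ""):
        findings.append("snc/gssapi_lib does not point at sapcrypto")
    names = {f.lower() for f in pse_files}
    if "sapsncskerb.pse" not in names:
        findings.append("SAPSNCSKERB.pse not found in SECUDIR")
    if "sapsnckerb.pse" in names:
        findings.append("stray SAPSNCKERB.pse (missing 'S') should be deleted")
    return findings, f"p:CN=SAP/{account}"

# Constructed sample inputs (OU and domain are placeholders, not from the thread).
SETSPN = ("Registered ServicePrincipalNames for "
          "CN=SAPServiceSA1,OU=Service,DC=EXAMPLE,DC=COM:\n\tSAP/SAPServiceSA1\n")
PROFILE = """snc/identity/as = p:CN=SPN@DOMAIN
snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
"""

if __name__ == "__main__":
    findings, gui_name = check(SETSPN, PROFILE, ["SAPSNCKERB.pse"])
    print("\n".join(findings) or "naming is consistent", gui_name, sep="\n")
```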