04-25-2016 10:34 AM
Hi Team,
We have a .NET application which is connecting to SAP ABAP system using .NET Connectors and JAVA connectors.
Now we are trying to implement Secure communication between .NET application and SAP.
All our SAP systems are configured with SNC without SSO using SNC client encryption for SAP GUI -> SAP ABAP app servers.
Same way we are connecting to SAP application with the parameters SNC_MODE, SNC_QOP, SNC partner name, SNC library.
But we are unable to connect because the SNC client encryption library file is 32-bit and our .NET application is 64-bit.
Please advise how we can connect our .NET application --> SAP server using 32-bit library files. Or do we have any 64-bit library files which support the above scenario (we are not looking for SSO)?
Thanks,
Krishna
04-25-2016 11:46 AM
Hi Krishna,
What role does your client have? Do you want the .NET application to connect to the backend with a PC user's identity?
Or will your .NET application connect with a technical user?
If this is a typical machine to machine communication scenario with a technical user involved you could do X.509 based SNC by using Common Cryptolib both on client and on server side.
Regards,
Lutz
04-25-2016 12:30 PM
Hi Lutz,
My .NET application is installed on a Windows server with the local computer account "Administrator",
and we are passing the SAP backend server connection details as "User name, password, Host, Client, Sys no, SNC_MODE, SNC_QOP, SNC_PARTNERNAME, SNC_LIBRARY".
We are trying for SNC with the Kerberos authentication protocol (without SSO). Is it possible to connect with SNC using the Kerberos authentication protocol?
Thanks,
Krishna
04-25-2016 1:35 PM
For this you cannot use the SNC client encryption library (which is free) and you must use a licensed SNC library instead, either from SAP or from an SAP partner. The Kerberos protocol can then be used to authenticate and secure the connection between the .NET app and the SAP ABAP system on the back end, using a 64-bit SNC library since your .NET application is 64-bit. The free SCE library is only 32-bit.
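An added example, not part of the thread: the 32-bit/64-bit mismatch discussed above can be confirmed before pointing SNC_LIB at a library by reading the Machine field of its PE header. The function names and the constructed sample headers are assumptions made for illustration.

```python
import struct
import sys

# COFF Machine values from the PE format: i386, AMD64, ARM64.
MACHINE_BITS = {0x014C: 32, 0x8664: 64, 0xAA64: 64}


def pe_bitness(data: bytes) -> int:
    """Return 32 or 64 for a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_offset + 6 or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    if machine not in MACHINE_BITS:
        raise ValueError(f"unknown machine type 0x{machine:04x}")
    return MACHINE_BITS[machine]


def check_snc_lib(data: bytes, process_bits: int) -> str:
    """Compare the SNC library's bitness with the calling process's."""
    lib_bits = pe_bitness(data)
    if lib_bits != process_bits:
        return f"MISMATCH: {lib_bits}-bit library, {process_bits}-bit process"
    return f"OK: {lib_bits}-bit library matches process"


def constructed_pe(machine: int) -> bytes:
    """Build a minimal constructed header (not a loadable DLL) for testing."""
    buf = bytearray(0x86)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # path to the library named in SNC_LIB
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                          # constructed sample: a 32-bit library
        image = constructed_pe(0x014C)
    # 64 is assumed here because the thread's .NET application is 64-bit.
    print(check_snc_lib(image, 64))
```

Run it with the path of the SNC library as the only argument; without an argument it checks the constructed 32-bit sample.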
04-25-2016 1:47 PM
Hi Tim,
Yes, since SCE is 32-bit I am using the NW SSO 1.0 Secure Login Client library files.
I have installed Secure Login Client on my .NET application server and specified the library path as "C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll". But I am still getting the same issue: "Can not connect to target SNC partner name = "p:CN=SAP/KerberosSC2@DOMAIN.COM"".
Thanks,
Krishna
04-25-2016 1:56 PM
Hi Krishna, this sounds comparable to a typical ABAP-to-ABAP SNC scenario with a fixed technical user. So this could be solved like ABAP-to-ABAP SNC (or AS-JAVA-to-ABAP-RFC): with X.509 certificate and CCL.
Have a look at this thread. Nowadays one would replace the secude libraries with the Common Cryptolib.
Regards,
Lutz
04-25-2016 2:03 PM
Hi Lutz, would it be possible to encrypt the communication in the same scenario you mention there, but using the MIT Kerberos 5 library? (instead of Common Cryptolib).
04-25-2016 2:07 PM
Except that using certificates means you can't have end to end identity, e.g. if architecture is as follows:
Web browser/workstation --> .net app server --> AS ABAP
With above, if you use Kerberos end to end, then the AS ABAP system will know the identity of the user logged onto workstation. If you use certificates between .net app server and AS ABAP then this won't be possible.
When I help customers with this exact scenario I find they prefer the end to end identity since it gives better control over the access to data on the back end ABAP system.
04-25-2016 2:12 PM
Did you buy an NW SSO 1.0 license? If you didn't, you can't use this library.
04-25-2016 2:58 PM
Hi Tim,
Our scenario is exactly like you mentioned above. We are using a web browser to connect to the .NET app server and we provide SAP backend system details like username, password, client etc. to connect.
Web browser/workstation --> .net app server --> AS ABAP
From the SAP server end, SNC is configured similarly to SAP GUI -> AS ABAP.
Similar to above, we are configuring .NET app --> AS ABAP using NW SSO Secure Login Client on the client side. Instead of the 32-bit SCE file we are using the NW SSO Secure Login Client 64-bit SECGSS.dll file on the .NET application side (we had licensed the NW SSO 1.0 product and recently it expired, but we are using a dump file which was a licensed one).
When connecting we are getting the below dump.
**** Trace file opened at 2016-04-25 18:51:01 (UTC+05:30 India Standard Time)
SAP .NET Connector 3.0 with file version 3.0.5.0 running on 64-bit .NET Framework 4.0.30319.42000
Program: C:\Users\kginnela\Desktop\NCO test\NCO test\bin\Debug\NCO test.vshost.exe
Working dirctory: C:\Users\kginnela\Desktop\NCO test\NCO test\bin\Debug
Operating system: Windows 7 Enterprise 64-bit Service Pack 1
Processor: 4x AMD64 (or x64)
SAP release: 720, Kernel release: 720, Kernel patch level: 111
Hostname: INPUNKGINNELA1, IP address: 10.82.23.21, IP_v6 address:
Default trace level: None
>> Error entry 2016-04-25 18:51:01.936
Failure to create pool for destination 6be87c8c-4a9a-4450-ba85-00181306983d [NAME=6be87c8c-4a9a-4450-ba85-00181306983d USER=kginnela CLIENT=501 LANG= ABAP_DEBUG=NONE TRACE=NONE ASHOST=USALVWSSC703D SYSNR=00 SNC_MODE=1 SNC_QOP=8 SNC_LIB=C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll SNC_PARTNERNAME=p:CN=SAP/KerberosSC2@DOMAIN.COM]
SAP.Middleware.Connector.RfcCommunicationException:
LOCATION CPIC (TCP/IP) with Unicode
ERROR GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210223:A2210223
target="p:CN=SAP/KerberosSC2@DOMAIN.COM"
TIME Mon Apr 25 18:51:01 2016
RELEASE 720
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
MODULE sncxxall.c
LINE 3345
DETAIL SncPEstablishContext
SYSTEM CALL gss_init_sec_context
COUNTER 3
at SAP.Middleware.Connector.CpicConnection.CpicReceive(Int32 timeout)
at SAP.Middleware.Connector.CpicConnection.Read(Byte* buffer, Int32 offset, Int32 count)
at SAP.Middleware.Connector.RfcConnection.ReadBytes(Byte* buffer, Int32 count)
at SAP.Middleware.Connector.RfcConnection.ReadRfcIDBegin(Int32& length)
at SAP.Middleware.Connector.RfcConnection.ReadUpTo(RFCGET readState, RfcFunction function, RFCID toRid)
at SAP.Middleware.Connector.RfcConnection.RfcReceive(RfcFunction function)
at SAP.Middleware.Connector.RfcConnection.ConnectAsClient(RfcConfigParameters options)
at SAP.Middleware.Connector.RfcConnectionPool..ctor(RfcDestination destination, Boolean forRepositoryCalls)
>> Error entry 2016-04-25 18:51:02.128
NAME=6be87c8c-4a9a-4450-ba85-00181306983d USER=kginnela CLIENT=501 LANG= ABAP_DEBUG=NONE TRACE=NONE ASHOST=USALVWSSC703D SYSNR=00 SNC_MODE=1 SNC_QOP=8 SNC_LIB=C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll SNC_PARTNERNAME=p:CN=SAP/KerberosSC2@DOMAIN.COM
SAP.Middleware.Connector.RfcCommunicationException:
LOCATION CPIC (TCP/IP) with Unicode
ERROR GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210223:A2210223
target="p:CN=SAP/KerberosSC2@DOMAIN.COM"
TIME Mon Apr 25 18:51:01 2016
RELEASE 720
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
MODULE sncxxall.c
LINE 3345
DETAIL SncPEstablishContext
SYSTEM CALL gss_init_sec_context
COUNTER 3
at SAP.Middleware.Connector.CpicConnection.CpicReceive(Int32 timeout)
at SAP.Middleware.Connector.CpicConnection.Read(Byte* buffer, Int32 offset, Int32 count)
at SAP.Middleware.Connector.RfcConnection.ReadBytes(Byte* buffer, Int32 count)
at SAP.Middleware.Connector.RfcConnection.ReadRfcIDBegin(Int32& length)
at SAP.Middleware.Connector.RfcConnection.ReadUpTo(RFCGET readState, RfcFunction function, RFCID toRid)
at SAP.Middleware.Connector.RfcConnection.RfcReceive(RfcFunction function)
at SAP.Middleware.Connector.RfcConnection.ConnectAsClient(RfcConfigParameters options)
at SAP.Middleware.Connector.RfcConnectionPool..ctor(RfcDestination destination, Boolean forRepositoryCalls)
at SAP.Middleware.Connector.RfcConnectionPool.GetPool(RfcDestination destination, Boolean forRepository, Boolean create)
at SAP.Middleware.Connector.RfcDestination.GetClient(Boolean forRepository)
at SAP.Middleware.Connector.RfcDestination.Ping()
Please help: what is wrong with the connection and how can it be resolved?
Thanks,
Krishna
04-26-2016 12:57 PM
Hi Tim,
Please let me know if my above configuration is correct. Am I missing anything here? Do we need to establish a trust relationship between the .NET application and SAP by importing the PSE in each other's system?
What are the parameters required from the .NET application code?
Appreciate your help on this.
Thanks,
Krishna
04-26-2016 2:11 PM
Hi Lutz,
I am trying to configure SNC with Windows integrated authentication (Kerberos protocol) between the .NET application and the AS ABAP server.
Thanks,
Krishna
04-26-2016 2:18 PM
As I mentioned above, this is a common scenario that I have helped many customers with. It is easy if you use the correct protocol/libraries.
04-26-2016 2:32 PM
Tim Alsop wrote:
As I mentioned above, this is a common scenario that I have helped many customers with. It is easy if you use the correct protocol/libraries.
So here Secure Login Client doesn't support my scenario? .NET app --> AS ABAP
Thanks,
Krishna
04-27-2016 10:22 AM
Hi Tim, one question which comes out of my only theoretical knowledge of this scenario:
Doesn't this scenario need something like Kerberos Constrained Delegation on the .net server side? The .net server either needs to impersonate the user or the SAP server to allow end to end identity, doesn't it?
Regards,
Lutz
04-27-2016 10:44 AM
Yes, impersonation needs to be enabled on IIS so that the Kerberos TGT of the user at the workstation can be used by the SNC library on the .net server to authenticate to the ABAP backend system. The session between the .net server and the ABAP system will be authenticated using the user's credentials and encrypted if SNC is configured to encrypt the session.
05-05-2016 11:25 AM
Thanks Tim and Lutz for your valuable information and time. We are able to resolve the issue.
We have used the Secure Login Library files on the client side, i.e. on the .NET application server. We downloaded the Secure Login Library file, extracted it on the .NET application server, and in SNC_LIB pointed to the SECGSS.dll located in the SLL folder.
Thanks.
Krishna
04-25-2016 1:48 PM
Yes Tim, in that thread I found a solution: I can use the Secure Login Client 64-bit library file on the client side. But I am still getting the same error.