on 08-08-2016 3:04 PM
What is the recommended procedure for the end user running SAP Secure Login Client 3.0, Kerberos authentication, to temporarily disable SSO?
The scenario I am trying to address is for the user to stay on a Windows session, but disable SSO logon in case a different person clicks on the SAPGUI SSO connection, consequently having access to the SAP system using the SSO credentials of the Windows user.
Thank you,
Daniel Leal
Hi Daniel,
Here are my recommendations; I hope this is helpful for you.
#1: Avoid disabling SNC in any case; the connection must be secured with SNC.
#2: It is possible to log on to a SAP GUI connection without SSO (but with SNC), which leads to a logon dialog (right click - context menu).
#3: One can open the Secure Login Client, log out of the Kerberos profile, and log in as a different Windows user by having valid AD credentials. Then he or she opens the SAP GUI and connects via SSO with his or her account. After the work is done, log out of the Kerberos profile to revert back to the original user (ideal scenario for a SAP Basis admin who needs to support a user via screen sharing, without requiring the user to log out or to change anything in the normal SSO setup).
Regards,
Carsten
Thank you for the reply, Carsten.
We are on the same page as far as SNC, i.e., we prefer not to disable the secure connection.
For #2, you are correct, but in our specific case, we would like to completely disable the "SNC Logon with Single Sign-On" option, so nobody could use the SSO credentials to access the SAP system.
For #3, your statement is also correct, but in this case, either the credentials of the new user logged in to the Secure Login Client would be used, or somebody else could simply log out the new user, which would revert the Secure Login Client Kerberos token to the user who originally authenticated on the Windows PC.
What I am ideally trying to find is a way to enable the end user to completely disable SSO, for example, to completely log out of SAP Secure Login Client and later log in again. When I test logging out of the Secure Login Client (File >> Logout), my user gets logged in again.
Best regards,
Daniel
Two more options you may consider, and we could detail on demand:
- use our new Encryption Only + emergency mode, which requires CCL 8.5 and some X.509 PKI on server side,
- or turn on SSO Mode = 2 or higher for Secure Login Client, which forces Windows authentication for any SNC connection.
-- Stephan
Hi Daniel,
Thanks. I may not fully understand your question.
What is it you are trying to achieve? To completely disable SSO but stay with SNC encryption - only temporarily? What is the use case behind this requirement and what type of authentication would you expect in such cases? As you said you want to disable #2 nevertheless, you would be fine with the AD credentials, or? In this case I would recommend the SSO Mode 2 mentioned by Stephan.
Cheers,
Carsten
Thank you for the reply, Stephan.
At this point we do not have the pre-reqs for the first option.
The SSOMode=2 registry setting appeared to be promising, but when testing, it looks like it works only for Business Client connections defined in the Local workspace. It did not appear to have any impact on connections that are centrally defined in other workspaces. Is this the expected behavior or am I missing something?
Thanks,
Daniel Leal
Thanks, Carsten. Paraphrasing my previous entry, I would like to give an end user the ability to disable SSO temporarily, so somebody else could work on the Windows session but would not be able to log on to a SAP system via SSO.
It looks like I am describing a "kiosk" type of scenario, which appears to require certificate authentication as previously mentioned by Stephan. The difference in our specific case is to provide the ability to flip between "kiosk" and regular settings on demand, as needed by the end user.
I was hoping to find a simple way to enable/disable the SAP Secure Login Client, but it looks like this option is not currently available.
Best regards,
Daniel Leal
I will take it back, Stephan. Setting the registry entries HKCU\Software\SAP\SecureLogin\Common\Kerberos\SSOMode=2 and HKLM\SOFTWARE\Policies\SAP\SecureLogin\Common\Kerberos\SSOMode=2 did not cause any change in behavior to either Local or Centrally configured Business Client connections.
Thanks,
Daniel Leal
Business Client - using SNC? Or HTTPS with SPNEGO? Only SNC is controlled by Secure Login Client.
You may have to kill and restart SLC after changing SSOMode. But then you should immediately see that the Kerberos profile is grey, and SLC's login UI appears once an SNC connection is launched.
NWBC then will prompt for Windows credentials for any new connection. This is what I'd call a kiosk mode.
-- Stephan