SSO with .NET applications

Former Member
0 Kudos

We have been able to get SSO working between the SAPPortal and JAVA applications but we are not having the same luck with .NET applications.

There is not much documentation available on this topic. I have found a couple of whitepapers and downloaded the examples available from SAP. However, we are still unable to get the SSO to work properly.

It looks like we may have an issue with the registration and use of sapssoext.dll and sapsecu.dll. But I am not entirely certain. I was also expecting to have to create the PSE on the .NET application server using sapgenpse, but I do not see this captured anywhere in the documentation either.

I have captured the current error we are seeing below. Any ideas?

Server Error in '/SAP_SSO' Application.

-


Ticket verifying failed. Return codes error=1 and ssf error=0

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: Ticket verifying failed. Return codes error=1 and ssf error=0

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[COMException (0x80040001): Ticket verifying failed. Return codes error=1 and ssf error=0]

[TargetInvocationException: Exception has been thrown by the target of an invocation.]

System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters) +0

System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams) +2501104

SSO_NSPC.SSO.evalLogonTicket(String ticket, String pab, String pab_password) +127

Default.PageLoad(Object sender, EventArgs e) +207

System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +15

System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +34

System.Web.UI.Control.OnLoad(EventArgs e) +99

System.Web.UI.Control.LoadRecursive() +47

System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061

-


Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

Thanks ahead of time for your help.

Michael

20 REPLIES 20

Former Member
0 Kudos

Bump.

Strehle
Advisor
0 Kudos

The error comes from sapssoext.dll. Here you can extend trace output via environment variables:

SAP_EXT_TRC = <full path to filename>

name of trace file

SAP_EXT_TRL = 1 | 2 | 3

trace level , default is 1 , highest is 3.

then you should see what problem occurs

Former Member
0 Kudos

Hi,

I am involved in the same situation as mentioned above (using the SSO cookie in .NET). I did do the trace as you mention and I get the following error ..

*** ERROR => Verify failed with rc = 7. [ssoxxsgn.c 142]

[Thr 2812] Priv.Addr.Book was not found.

Also I got the "verify.pse" from the portal which creates the SSO.

Any help will be appreciated.

Thanks,

Sarab

0 Kudos

Hi,

the PAB is the "verify pse file". The method signature for evaluation is the following:

evalLogonTicket(string ticket, string pab, string pab_password)

The "pab" parameter means the fully qualified path and name to a verify.pse file. Pab-Password is for an optional password of the PSE.

Both PAB and PAB-password should be globally defined parameters in your app; only the ticket is different.

example:

evalLogonTicket("KFKLA...", "c:\inetpub\pab\ssodir\verify.pse", "secret")

=> remark: the first param is only an example for a BASE64 encoded ticket.

regards,

-markus

Former Member
0 Kudos

Yes, I have defined it exactly like you mention. Here is the code that I am using

MyObj.CryptLib = "c:\ssodll\sapsecu.dll"

RetArray = MyObj.EvalLogonTicket (Cookie, "c:\sso\verify.pse", vbNull)

Let me know if this is okay.

Thanks,

Former Member
0 Kudos

Markus,

We added the two environment variables to the server where the application is running. No file was created. Is there some additional step that needs to be completed?

Thanks.

Michael

0 Kudos

Hi Michael,

these variables work for sure, so the reason is that they are not visible to the process.

The global environment variables are available to all processes. Therefore please set both environment variables as Windows system variables and "restart Windows". After that you should see the output file.

Please set a fully qualified name for the trace file, in a directory which is for public use, so that a write error is not the reason for the missing traces.

In case of further problems I recommend you open an OSS message to "BC-SEC-SSF".

regards,

-markus

Former Member
0 Kudos

Markus,

Here is the output...

-


trc file: "c:\temp\sapsso.txt", trc level: 3, release: "640"

-


[Thr 992] *** ERROR => Couldn't load library sapsecu.dll. [ssoxxext.c 243]

[Thr 992] MySapEvalLogonTicketEx was called.

[Thr 992] Unconverted Ticket is the following: System.Web.HttpCookie

.[Thr 992] Initialized variables...

[Thr 992] *** ERROR => Init must be called first. [ssoxxext.c 316]

We had an issue registering the sapsecu.dll. Perhaps this is the issue?

Michael

Strehle
Advisor
0 Kudos

Hi,

you can set the path + name of sapsecu with the property CryptLib, e.g.

MyObj.CryptLib = "sapsecu.dll"

In your case

SSO_NSPC.SSO.CryptLib = "c:\path\subpath\sapsecu.dll"

Another default would be the environment variable SSF_LIB. You should set this as a system environment variable as well. If you simply set "sapsecu.dll", Windows searches for DLLs in some paths like

c:\windows

c:\windows\system32 and so on, and in the PATH paths too.

After that you should see the loading in the traces - hope this helps you.

regards,

-markus

Strehle
Advisor
0 Kudos

I forgot:

I hope it is clear that you need either sapsecu.dll or sapcrypto.dll. You will get both in the Service Marketplace download area.

Former Member
0 Kudos

Markus,

Thanks for all of your help on this. It looks like we are making some progress. We have a new error. Take a look at the details below.

We have not configured the PSE for the .net application. I am guessing this needs to be completed as well. Do you think this is where the error is coming from?

Thanks.

Michael

-


trc file: "c:\temp\sapsso.txt", trc level: 3, release: "640"

-


[Thr 2928] Mon Jul 09 09:52:52 2007

[Thr 2928] MySapEvalLogonTicketEx was called.

[Thr 2928] Unconverted Ticket is the following: System.Web.HttpCookie

.[Thr 2928] Initialized variables...

[Thr 2928] Preparing InContext...

[Thr 2928] Ticket is the following: System.Web.HttpCookie

.[Thr 2928] Profile is the following: SAPdefault

.[Thr 2928] Password is the following: (NULL)

[Thr 2928] Just before Validation...

[Thr 2928] Dump of InContext [ssoxxapi.c 156]

[Thr 2928] 00000000 34 31 31 30 c0 ad 63 0e a0 05 90 0e 18 b0 63 0e 4110..c.......c.

[Thr 2928] 00000010 15 00 00 00 00 00 00 00 00 00 00 00 ............

[Thr 2928] Copies from InContext->Format: PKCS7 [ssoxxapi.c 163]

[Thr 2928] Copies from InContext->pzcsProName: SAPdefault [ssoxxapi.c 166]

[Thr 2928] DecodeB64Len returns 0. iDecLength=16

[Thr 2928] *** ERROR => Decodeb64 returns 3. iDecLength=16 [ssoxxapi.c 185]

[Thr 2928] *** ERROR => ValidateTicket failed with rc=1281. [ssoxxext.c 360]

[Thr 2928] *** ERROR => MySapEvalLogonTicketEx returns 1281. [ssoxxext.c 665]

[Thr 2928] End of function MySapEvalLogonTicketEx.

0 Kudos

Michael,

now your framework runs, but the configuration of it is incomplete. You need a verify.pse. You can create it either from

-> ABAP -> with transaction STRUST

-> JAVA -> Visual Admin -> keystore service

Instead of "SAPDefault" you have to define the full path to the verify.pse. The PSE is your database for the PSE and public certs.

Your main problem is:

You set "System.Web.HttpCookie" as ticket. You have to set the content of this variable. A SAP Logon ticket has at least 400 bytes up to 4 Kbytes, so the error here with B64Decode shows that your string is no ticket.

A SAP Logon Ticket starts with MYSAPSSO2=

I recommend you to open a customer ticket on BC-SEC-SSF.

regards,

-markus

0 Kudos

Hi Michael,

I'm having the same problem and still not able to get the sap logon information in my asp.net web application, can u please let me know whether you had a solution to this issue, thanks so much....

0 Kudos

Savi,

Give me some more details and I will see if I can help you out. We have been able to get SSO working using the SAPLogonTicket with both JAVA and .NET applications.

Michael

0 Kudos

Hi,

I am involved in the same situation as mentioned above (using the SSO cookie in .NET). I did do the trace as you mention and I get the following error ..

*** ERROR => Verify failed with rc = 7. [ssoxxsgn.c 142]

[Thr 2812] Priv.Addr.Book was not found.

Also I got the "verify.pse" from the portal which creates the SSO.

Any help will be appreciated.

Thanks,

Sarab

0 Kudos

Sorry, but why is my answer not helping? Again, your path+name is needed as PAB parameter. The error "not found" means a misspelling or something else; you should post your code here.

0 Kudos

Hi Markus,

I did put in a snippet of the code in my earlier post. Before I put the complete code in this post, here is what I am doing.

I want to use a .NET application to use the SSO. The IIS box and the portal reside on separate boxes and are under different domains (to work around the interdomain cookie issue I put an entry in the hosts file of the computer I test on).

I successfully registered the required DLL and this is also evident from the trace file (also attached).

The asp code is as follows ...

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

<OBJECT RUNAT=SERVER ID=MyObj PROGID="SAPSSOEXT.SSO2Ticket"></OBJECT>
<HTML>
<HEAD>
</HEAD>
<BODY>
<%@ language="VBScript" %>
<%
Dim Cookie 'The cookie we retrieve from the request context
Dim RetArray 'Return array from the validation function.

' constants for SAPSSOEXT certificate parser
Const ISSUER_CERT_SUBJECT = 0
Const ISSUER_CERT_ISSUER = 1
Const ISSUER_CERT_SERIALNO = 2

' Read the content of the MYSAPSSO2 cookie from the request
Cookie = Request.Cookies("MYSAPSSO2")
if Cookie="" then
%>
<h2>Error!</h2><br>
No MYSAPSSO2 cookie found
<%
else
On error resume next
' Full path to the crypto library, then evaluate the ticket against the verify PSE
MyObj.CryptLib = "c:\ssodll\sapsecu.dll"
RetArray = MyObj.EvalLogonTicket (Cookie, "c:\sso\verify.pse", vbNull)
%>
<%if err <> 0 then %>
The following error occurred:<br>
<%= err.Description %><br><br>
<% else %>
The authenticated user is <b><%=RetArray(0)%>.</b><br>
Additional data:
<% end if %>
<% end if 'closes the outer "if Cookie" block, which the posted code left open %>
</BODY>
</HTML>

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The above throws an error and the trace is as follows.

The trace file is as follows ..

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

[Thr 2812] *** ERROR => Verify failed with rc = 7. [ssoxxsgn.c 142]

[Thr 2812] Priv.Addr.Book was not found.

[Thr 2812] *** ERROR => MskiDefaultVerify failed with rc = 458772. [ssoxxsgn.c 216]

[Thr 2812] *** ERROR => ValidateTicket returns 458772. [ssoxxapi.c 220] [ssoxxapi.c 220]

[Thr 2812] *** ERROR => ValidateTicket failed with rc=458772. [ssoxxext.c 388]

[Thr 2812] *** ERROR => MySapEvalLogonTicketEx returns 458772. [ssoxxext.c 697]

[Thr 2812] End of function MySapEvalLogonTicketEx.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Now, I can see, from the trace file that it can read the SSO cookie and I also see my username it takes from the cookie, but all this in the trace file.

I hope the above is clear.

Thank you for your instant response.

Thanks,

Sarab

0 Kudos

c:\sso\verify.pse is not readable , that must be the reason, check your rights on the file for the user under which your service runs and the correct spelling
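
Added example, not part of the thread and not SAP's sample code: a C# pre-check for the two failures diagnosed above (the type name `System.Web.HttpCookie` passed as the ticket, and a `verify.pse` the service account cannot read) before the late-bound call into `SAPSSOEXT.SSO2Ticket`. The class `SsoPreflight`, its parameters and the length bounds applied to the cookie string are assumptions; `CryptLib` and `EvalLogonTicket` are the members named in the posts.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Web;

// Hypothetical helper for illustration; only the ProgID, CryptLib and
// EvalLogonTicket come from the thread.
public static class SsoPreflight
{
    // Bounds quoted in the thread ("at least 400 bytes up to 4 Kbytes"),
    // applied here to the cookie string length as an assumption.
    const int MinTicketLength = 400;
    const int MaxTicketLength = 4096;

    public static object Evaluate(HttpRequest request, string cryptLibPath,
                                  string pseFile, string psePassword)
    {
        HttpCookie cookie = request.Cookies["MYSAPSSO2"];
        if (cookie == null)
            throw new InvalidOperationException("No MYSAPSSO2 cookie in the request.");

        // Pass the cookie's content. Passing the HttpCookie object itself ends up as
        // the string "System.Web.HttpCookie", which is what the trace showed.
        string ticket = cookie.Value;
        int length = ticket == null ? 0 : ticket.Length;
        if (length < MinTicketLength || length > MaxTicketLength)
            throw new InvalidOperationException(
                "MYSAPSSO2 value is not a plausible ticket (length " + length + ").");

        RequireReadable(cryptLibPath, "crypto library");
        RequireReadable(pseFile, "verify PSE");

        // Late-bound COM call, matching the InvokeMember frames in the stack trace.
        Type ssoType = Type.GetTypeFromProgID("SAPSSOEXT.SSO2Ticket", true);
        object sso = Activator.CreateInstance(ssoType);
        ssoType.InvokeMember("CryptLib", BindingFlags.SetProperty, null, sso,
                             new object[] { cryptLibPath });
        return ssoType.InvokeMember("EvalLogonTicket", BindingFlags.InvokeMethod, null, sso,
                                    new object[] { ticket, pseFile, psePassword });
    }

    static void RequireReadable(string path, string what)
    {
        if (!Path.IsPathRooted(path))
            throw new ArgumentException(what + " must be given as a full path: " + path);
        // Opening the file under the worker-process identity surfaces a missing file
        // or an ACL problem here instead of as "Priv.Addr.Book was not found".
        using (FileStream fs = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read)) { }
    }
}
```

The error messages report only the ticket's length, never its value, so the logon ticket does not end up in application logs.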

Former Member
0 Kudos

Hi All,

I am facing the "Ticket verifying failed. Return codes error=1 and ssf error=0" issue

at evalLogonTicket(ssocookie, Verify_PSE_FILE_Path, null);

Can someone tell me what the issue can be?

Thanks

0 Kudos

This message was moderated.