07-06-2007 3:25 PM
Hello,
Is there a chance to tell the saplogon procedure the name of an already (via card reader) authorized user and carry it over into the login mask of the SAPGUI?
The intention is to make sure that the user who has logged on to the client OS must be the same one who is logging into the SAP system.
The OS (WinXP) is of course able to read the user information from the card reader (Cardman by OMNIKEY).
Thanks
Ronny Braun
07-06-2007 3:31 PM
Ronny,
Look into implementing Single Sign On.
https://www.sdn.sap.com/irj/sdn/itpractices?rid=/webcontent/uuid/01c62876-0a01-0010-f5a5-d39e7651b9f... [original link is broken]
Cheers,
Ben
07-06-2007 3:45 PM
Thanks Ben,
Perhaps I should have told you that we do NOT want an SSO solution for our system and that we have a mixed landscape (server Solaris 9 with a pure ABAP stack, client WinXP).
The only thing we want is that the username should appear in the logon mask of the SAPGUI. The user still has to authenticate himself in this logon mask.
Cheers
Ronny
07-06-2007 3:48 PM
Ronny,
An easy way to make the username appear automatically would be to create an sap shortcut (third button from the right once logged on). This only works if the users work on the same computer each time or there is a portable desktop that saves the shortcuts.
Cheers,
Ben
07-06-2007 3:52 PM
Ben,
That is indeed an easy way, but we have a logon group with a few app servers in it, and the user would always take the same server to log on to.
AND, more important, the user would be able to CHANGE the name in the logon mask.
thanx
ronny
07-06-2007 3:55 PM
Ronny,
You are really trying to make this difficult here aren't you? j/k
Cheers,
Ben
07-06-2007 3:55 PM
Ronny,
Since you have a mixed landscape, you can do this securely using SNC. In this case it would work as follows:
1. The user logs onto the Windows workstation and authenticates with an Active Directory account, using any Active Directory supported authentication method (userid+pwd, smart card, biometrics, two-factor etc.).
2. The user runs SAP GUI and attempts to log on.
3. The user is asked to authenticate, using Active Directory credentials (or, if you want SSO, you can configure the workstation software so that they are not asked to authenticate at this time, and credentials already available from workstation logon are used).
4. The credentials used to authenticate the user attempting to log on are used to establish a security context with the SAP server on Solaris.
5. The Solaris server uses a table called USRACL to map the external authenticated id of the user (known as the SNC name) onto a valid ABAP user, and then this ABAP user is used to log the user onto SAP via SAP GUI.
As you will hopefully understand now, you cannot do this with shortcuts, and it would certainly not be secure and flexible using this method, so I think your best solution would be to use SNC as described above.
To make SAP SNC work as described above, you need a third party product. I can demonstrate this product to you via a web meeting if you are interested to see it working. If not, please let me know if you have any questions about the functionality offered by this product.
Take care,
Tim
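Added example, not part of Tim's post or of any vendor's documentation: an application-server instance profile fragment using the standard SAP SNC profile parameters that sit behind the flow in the reply above. The library path and the server's SNC name are placeholders, since the thread does not name the third-party product.

```ini
# Constructed instance-profile fragment; values in <...> are placeholders.

# Switch SNC on for this application server.
snc/enable = 1

# GSS-API v2 library delivered by the SNC product (placeholder path).
snc/gssapi_lib = <path-to-snc-product-gssapi-library>

# SNC name under which the application server itself authenticates (placeholder).
snc/identity/as = p:<snc-name-of-application-server>

# Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy (encrypted).
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3

# SAP GUI connections that do NOT use SNC:
#   1 = accept  (weak: the password logon screen stays reachable, any user name can be typed)
#   U = accept only for users individually flagged for it
#   0 = reject  (every GUI logon must carry an authenticated SNC name)
snc/accept_insecure_gui = 0
```

With `snc/accept_insecure_gui = 0`, the ABAP user is resolved from the authenticated SNC name through the mapping described in step 5 rather than typed into the logon mask.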
07-06-2007 4:11 PM
Tim,
I've heard about SNC and thought that it's used to secure the client-server-connection.
But if SNC provides an interface to bring the client OS user just into the logon mask, wouldn't that be a little too much effort?
The thing is, that it absolutely doesn't matter if the winxp-user is a SAP-user.
The logon mask should be filled unconditionally with the winxp-username.
I hope I confused you at all ??!?
Thanx anyway
Ronny
07-06-2007 4:20 PM
Ronny,
No, you have not confused me.
What you need to consider is that SAP GUI allows you to authenticate to a SAP system using a logon screen, via SNC, or using a SAP logon ticket (if launched from web browser).
Regarding the SAP logon screen - this screen is displayed by SAP code and there is no way to fill in the userid field using the account name of the user logged onto the workstation (I understand this is what you are trying to do?).
Maybe you need to also consider the security issues involved. I am sure you are aware that SAP GUI does not use cryptography without SNC being used, so the user's password entered is passed across the network and checked by the target SAP system. If you use SNC in the way I suggested you can improve the security as no passwords will be transmitted. Also, the user only has to remember the password they logged onto Windows with, and the SAP password is not used anymore.
Thanks,
Tim
07-06-2007 4:39 PM
Ronny,
To me the best way to go is using one of the single sign on methods. However, if you decide not to use those, I have one other suggestion.
Look into GuiXT. It is basically a wrapper around the sapgui that allows different functions. I'm not an expert on it; however, one of the variables it has is the Windows user name. You could possibly use this to build an addon to the sapgui.
Variables in GuiXT script and history directories (variable / meaning / example):
&user / user's name / BAKER
&client / client / 001
&database / name of R/3 system / C11
&winuser / Windows user name (in GuiXT script directory and history directory)
Cheers,
Ben
07-06-2007 4:39 PM
Tim,
I did not know that it's not possible to fill in the userid field using the workstation's account - or I need to change the SAP source code :-)
So we HAVE to use SNC across the network to
a.) provide password encryption and
b.) sync usernames
I would like to take up your offer using netmeeting, but until now I have not worked with netmeeting, having internet access 'only' through a LINUX box.
thanx ronny
07-06-2007 4:45 PM
Ronny,
I don't think I mentioned netmeeting, did I?
I was suggesting we set up a web meeting, i.e. you just need internet access via a web browser.
Please use my business card on SDN to get my email address, and send me an email so we can coordinate this demonstration/discussion.
Thank you,
Tim
07-06-2007 4:47 PM
Ben,
That really sounds like the solution for our problem - I took a look at GuiXT and it should be able to manipulate our logon screen.
I'll give this hint to our programmers - they should make it that way.
Thanks very much!!
Ronny
07-06-2007 3:34 PM
What is authentication and Single Sign-On (SSO)?
Authentication describes processes and technology used to confirm that a system or person requesting to be associated with a user within a system is really the person or system they claim to be. Single Sign-On refers to technology (and sometimes processes) which allows systems to rely on authentication that has already taken place (even in another system) instead of compelling the user to authenticate again. For this reason, SSO is just a special form of authentication, where the user himself does not need to present his information again.
There are many different methods depending on your system landscape.
Cheers,
Ben
07-06-2007 3:42 PM
Ronny,
Can you advise what operating system your SAP system is running on? So far I understand that you have SAP GUI on Windows XP, but what platform is the SAP application server hosted on?
The reason for asking is that if your SAP app server is running on Windows Server 2000 or 2003, and you are logging onto Windows XP workstations using an Active Directory domain, then you can use software supported and supplied by SAP. If your SAP systems are hosted on UNIX or Linux, then you need third party SAP certified software to meet your needs.
Thanks,
Tim