
Sync account in SAPGUI and Client-OS

ronny_braun
Explorer
0 Kudos

Hello,

Is there a chance to tell the saplogon procedure the name of an already (via card reader) authorized user and take it along into the login mask of the SAPGUI?

The intention is to make sure that the user who has logged on to the client-os must be the same who is logging into the SAP-System.

The OS (WinXP) is of course able to read the user-information from the card reader (Cardman by OMNIKEY).

Thanx

Ronny Braun

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Ronny,

Look into implementing Single Sign On.

https://www.sdn.sap.com/irj/sdn/itpractices?rid=/webcontent/uuid/01c62876-0a01-0010-f5a5-d39e7651b9f... [original link is broken]

Cheers,

Ben

14 REPLIES 14

0 Kudos

Thanks Ben,

Perhaps I should have told you that we do NOT want an SSO-Solution for our System and that we have a mixed landscape (Server Solaris 9 with a pure ABAP Stack, Client WinXP).

The only thing we want is that the username should appear in the logon mask of the SAPGUI. The User has to authenticate himself furthermore in this logon mask.

Cheers

Ronny

0 Kudos

Ronny,

An easy way to make the username appear automatically would be to create an sap shortcut (third button from the right once logged on). This only works if the users work on the same computer each time or there is a portable desktop that saves the shortcuts.

Cheers,

Ben

0 Kudos

Ben,

That is indeed an easy way, but we have a logon group with a few app servers in it, and the user would always take the same server to log on to.

AND, more important, the user would be able to CHANGE the name in the logon mask.

thanx

ronny

0 Kudos

Ronny,

You are really trying to make this difficult here aren't you? j/k

Cheers,

Ben

0 Kudos

Ronny,

Since you have a mixed landscape, you can do this securely using SNC. In this case it would work as follows :

1. user logs onto windows workstation, and authenticates with Active Directory account, using any Active Directory supported authentication method (userid+pwd, smart card, biometrics, two-factor etc.).

2. user runs SAP GUI and attempts to logon

3. user is asked to authenticate, using Active Directory credentials (or, if you want SSO you can configure workstation software so that they are not asked to authenticate at this time, and credentials already available from workstation logon are used).

4. the credentials used to authenticate the user attempting to logon are used to establish a security context with the SAP server on Solaris.

5. the Solaris server uses a table called USRACL, to map the external authenticated id of the user (known as the SNC name) onto a valid ABAP user, and then this ABAP user is used to log the user onto SAP via SAP GUI.

As you will hopefully understand now, you cannot do this with shortcuts, and it would certainly not be secure and flexible using this method, so I think your best solution would be to use SNC as described above.

To make SAP SNC work as described above, you need a third party product. I can demonstrate this product to you via a web meeting if you are interested to see it working. If not, please let me know if you have any questions about the functionality offered by this product.

Take care,

Tim
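
The flow in steps 1 to 5 above, as an added Python example that is not part of the original post or of any SAP or vendor product. An HMAC-signed token stands in for the GSS-API security context, and the key, principals and USRACL-style table are constructed for illustration; it shows the ABAP user being derived from the authenticated SNC name rather than from a name typed on the client.

```python
import hashlib
import hmac

# Constructed key shared by the directory and the SAP server. Real SNC uses a
# GSS-API mechanism (for example Kerberos); HMAC is only a stand-in here.
SERVICE_KEY = b"constructed-demo-key"

# Constructed USRACL-style mapping: SNC name -> (client, ABAP user).
USRACL = {
    "p:rbraun@EXAMPLE.LOCAL": ("001", "RBRAUN"),
    "p:baker@EXAMPLE.LOCAL": ("001", "BAKER"),
}

def _mac(principal: str) -> bytes:
    return hmac.new(SERVICE_KEY, principal.encode(), hashlib.sha256).hexdigest().encode()

def issue_token(principal: str) -> bytes:
    """Steps 1-3: credential issued after the workstation user authenticated."""
    return principal.encode() + b"|" + _mac(principal)

def accept_context(token: bytes):
    """Step 4: verify the token; return the SNC name or None if it is invalid."""
    try:
        principal, mac = token.decode("utf-8").rsplit("|", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    if not hmac.compare_digest(mac.encode(), _mac(principal)):
        return None
    return "p:" + principal

def snc_logon(token: bytes, client: str, requested_user: str = ""):
    """Step 5: derive the ABAP user from the SNC name, never from client input."""
    snc_name = accept_context(token)
    if snc_name is None:
        return (False, "no valid security context")
    entry = USRACL.get(snc_name)
    if entry is None or entry[0] != client:
        return (False, "SNC name not mapped in this client")
    if requested_user and requested_user.upper() != entry[1]:
        return (False, "requested user does not match SNC name")
    return (True, entry[1])

if __name__ == "__main__":
    token = issue_token("rbraun@EXAMPLE.LOCAL")
    print(snc_logon(token, "001"))           # mapped user from the SNC name
    print(snc_logon(token, "001", "BAKER"))  # typed name cannot override it
```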

0 Kudos

Tim,

I've heard about SNC and thought that it's used to secure the client-server-connection.

But if SNC provides an interface to bring the client-os user just into the logon mask, wouldn't that be a little too much effort?

The thing is, that it absolutely doesn't matter if the winxp-user is a SAP-user.

The logon mask should be filled unconditionally with the winxp-username.

I hope I confused you at all ??!?

Thanx anyway

Ronny

0 Kudos

Ronny,

No, you have not confused me.

What you need to consider is that SAP GUI allows you to authenticate to a SAP system using a logon screen, via SNC, or using a SAP logon ticket (if launched from web browser).

Regarding the SAP logon screen - this screen is displayed by SAP code and there is no way to fill-in the userid field using the account name of user logged onto workstation (I understand this is what you are trying to do ?)

Maybe you need to also consider the security issues involved. I am sure you are aware that SAP GUI does not use cryptography without SNC being used, so the user's password entered is passed across the network and checked by target SAP system. If you use SNC in the way I suggested you can improve the security as no passwords will be transmitted. Also, the user only has to remember the password they logged onto Windows with, and the SAP password is not used anymore.

Thanks,

Tim

0 Kudos

Ronny,

To me the best way to go is using one of the single sign on methods. However if you decide not to use those I have one other suggestion.

Look into GuiXT. It is basically a wrapper around the sapgui that allows different functions. I'm not an expert on it however one of the variables it has is windows user name. You could possibly use this to build an addon to the sapgui.

Variables in GuiXT script and history directories:

&user: user's name (e.g. BAKER)
&client: client (e.g. 001)
&database: name of R/3 system (e.g. C11)
&winuser: Windows user name (in GuiXT script directory and history directory)

Cheers,

Ben

0 Kudos

Tim,

I did not know that it's not possible to fill-in the userid field using the workstation's account - or I need to change the SAP source code -:)

So we HAVE to use SNC across the Network to

a.) provide password encryption and

b.) sync usernames

I would like to meet your offer using netmeeting, but until now I have not worked with netmeeting yet, having internet access 'only' through a LINUX box.

thanx ronny

0 Kudos

Ronny,

I don't think I mentioned netmeeting, did I ?

I was suggesting we setup a web meeting, e.g. you just need internet access via a web browser.

Please use my business card on SDN to get my email address, and send me an email so we can coordinate this demonstration/discussion.

Thank you,

Tim

0 Kudos

Ben,

That sounds really like the solution for our problem - I took a look at GuiXT and it should be able to manipulate our logon screen.

I'll give this hint to our programmers - they should make it that way.

Thanx very much !!

Ronny

Former Member
0 Kudos

What is authentication and Single Sign-On (SSO)?

Authentication describes processes and technology used to confirm that a system or person requesting to be associated with a user within a system is really the person or system they claim to be. Single Sign-On refers to technology (and sometimes processes) which allows systems to rely on authentication that has already taken place (even in another system) instead of compelling the user to authenticate again. For this reason, SSO is just a special form of authentication, where the user himself does not need to present his information again.

There are many different methods depending on your system landscape.

Cheers,

Ben

tim_alsop
Active Contributor
0 Kudos

Ronny,

Can you advise what operating system your SAP system is running on. So far I understand that you have SAP GUI on Windows XP, but what platform is SAP application server hosted on ?

The reason for asking, is that if your SAP app server is running on Windows Server 2000 or 2003, and you are logging onto Windows XP workstations using Active Directory domain, then you can use software supported and supplied by SAP. If your SAP systems are hosted on UNIX or Linux, then you need third party SAP certified software to meet your needs.

Thanks,

Tim