on 08-04-2005 5:04 PM
Hi Gurus,
We configure the SSO using NTLM, It is working fine. Now I have to configure SSO over ITS.I am following cook book: configuration SNC the A gate / SAP System Connection ...
I done the W-gate configuration ... I was trying to configure Application server, I got problem.. I configure
snc/gssapi_lib gssntlm.dll... but in document snc/gssapi_lib sapcrypto.dll.. If I change this parameter NTLM will work ?.
I need some help ASAP. Could please give overview steps need to follow.
Regards
Radha
Hello Radha
not sure if I understand your question.
There different ways to use NTLM. One is as a mean to log on the user and use his NT user/password to get into the backend (e.g. R/3). That would be NTLM for SSO.
This setup is mainly done on the web server and by using the PAS modules on ITS (e.g. sapntauth.srvc).
The second way to use NTLM is to provide a trusted relationship between two systems - in your case between AGate and the backend SAP System. That would be NTLM for SNC. If you want to use NTLM for this you would use ssntlm.dll.
But in order to use the Plugable Authentication Service with NTLM you can still use the sapcrypto.dll as a mean to create the trusted relationship between AGate and the backend.
(btw. sapcrypto.dll provides higher security.)
Let me know if that answers your question.
best regards, Gerd
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Guru,
Thanks for your replay.
We configured NTLM:
log on the user and use his NT user/password to get into the backend (e.g. R/3).
now we have to implement same thing for ITS. I mean to say, user will type the URL in the browser..
http://host/scripts/wgate/webgui/!
is it possible to use the NT user and password? or do we need to pass parameters.
Could please help me steps need to follow
All our servers ITS and R/3 are in same domain
Regards
Radha
Hello Radha
That means you have to check out the Plugable Authentication Service (PAS). That is an additional service on the ITS side, that would forward the authentication to the backend and allow the user to log in.
in short:
1.) IIS web server configuration has to be changed from anynonimous or basic authentication to NTLM. This way web server is verifying NT user/password.
2) The URL to call would be .../scripts/wgate/sapntauth/!, which is the service of the PAS module.
3) sapntauth would receive a ticket from the backend R/3 and forwards it to the user
4) this ticket can now be used to log on to .../scripts/wgate/webgui/!?language=XX&client=XXX
To allow this you also have to setup SNC between ITS and R/3. And this SNC can be setup with sapcrypto.dll according to the documentation you mentioned.
A good source to start with the PAS modules is
http://help.sap.com/saphelp_erp2004/helpdata/en/fc/5a273aeaa07123e10000000a114084/frameset.htm
best regards
Gerd
hi Guru,
we have problem here, if we configure SNC (Cryptographic Library)between ITS and application server. We can't use GUI SSO. We want configure SSO on both ITS and GUI (using ggssntlm.dll). We are trying to configure SSO on ITS, If you have any document please help me.
Thanks in Advance
Regards
Radha
If you don't want to use or cannot use sapcryptolib you can choose gssapi32.dll.
But then your NT Domain (or rather Active Directory) setup has to be checked and probably changed:
so your SncNameAGate would change to
e.g.: SncNameAGate=p:DOMAIN\itsadm
Of course in this case the AGate has to be started with user DOMAIN\itsadm.
An example that might help can be found at
http://help.sap.com/saphelp_erp2004/helpdata/en/79/56113ad44fa931e10000000a114084/frameset.htm
Hi Guru,
Our application server is already configred SSO using gssntlm.dll, so we have to configure SSO on ITS using gssntlm.dll.
could you please help me.
I configure SSO using gssntlm.dll.we are getting the following error.
The Internet Transaction Server (AGate) was not able to authenticate the WGate when connecting.
Regards
Radha
Hi Guru,
Still I am getting confuse. Could you please send step by step SSO configuration between R/3 and ITS using NTLM.
I am getting the same error,
Authentication Failure
The Internet Transaction Server (AGate) was not able to authenticate the WGate when connecting.
A security alert has been created in the access log.
The AGate.trc trace file may contain further information about this problem.
Regards
Radha
...
the problem seems to be:
you specified SNCNameWGate, but you have not setup NTLM between WGate and AGate.
If you want to set up SNC between AGate and R/3 you only have to specify SNCNameAGate.
If you want to setup NTLM between WGate and AGate, then you have to set it up correctly, so AGate would recognize the WGate.
hi Guru,
Thanks for your information. I got getting the following error ..
Cannot Complete Connection To R/3 System
The Internet Transaction Server was able to establish a connection to
the R/3 System, but the connection could not be completed because of
thefollowing error Cannot get Dynpro information.
we Specify the AGate's SNC information in the system access control
listfor SNC (table SNCSYSACL, view VSNCSYSACL, TYPE=E)
we Create a generic entry for the AGate in the extended user access
controllist (table USRACLEXT)
Regards
Radha
Hi Guru,
I find the errors for above problem...
I find some errors:
agate0_sapbasis.trc
[Thr 8024] SncInit(): Initializing Secure Network Communication (SNC)
[Thr 8024] PC with Windows NT (mt,ascii,SAP UC/sizet/void* =
8/32/32)
[Thr 8024] SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "D:\Program Files\SAP\ITS\6.
20\programs\gssntlm.dll".
[Thr 8024] File "D:\Program Files\SAP\ITS\6.20\
programs\gssntlm.dll" dynamically loaded as GSS-API v2 library.
[Thr 8024] The internal Adapter for the loaded GSS-API
mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over
NTLM(SSPI) Adapter
[Thr 2756] Tue Aug 23 10:10:34 2005
[Thr 2756] ***LOG Q0I=> NiPRead: recv (10054: WSAECONNRESET:
Connection reset by peer) [ninti.c 1098]
Agate trace :
2005-08-23T11:53:52.457 p002372 t4820 s020E39D8 [w3xxwork.c,
1318]: E WorkDoWork: WorkDoEstablishSession()
failed, rc=0xfffffffe
Thanks in Advance.
Regards
Radha
Hi Guru,
I was trying to enable SNC on apllication server, I am getting the following error. We are using undows 2003.
File "E:\usr\sap\RK1\SYS\exe\run\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N *** ERROR => SncPSetNewName()==SNCERR_BAD_NT_PREFIX [sncxxall.c 2271]
N SncPImportPrName() parsing error
N name="CN=RK1,OU=Test,O=MyCompany,C=DE"
N <<- SncInit()==SNCERR_BAD_NT_PREFIX
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000035) [thxxsnc.c 223]
M *** ERROR => ThSncInit: SncInitU (SNCERR_BAD_NT_PREFIX) [thxxsnc.c 225]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9413]
Regards
Radha
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
83 | |
10 | |
10 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.