SSO Configuration between R/3 and ITS

Former Member
0 Kudos

Hi Gurus,

We configured the SSO using NTLM, and it is working fine. Now I have to configure SSO over ITS. I am following the cookbook: configuration SNC the A gate / SAP System Connection ...

I have done the W-gate configuration ... I was trying to configure the application server, and I got a problem. I configured

snc/gssapi_lib gssntlm.dll... but in the document it is snc/gssapi_lib sapcrypto.dll. If I change this parameter, will NTLM work?

I need some help ASAP. Could you please give an overview of the steps I need to follow?

Regards

Radha

Accepted Solutions (1)

Former Member
0 Kudos

Hello Radha

Not sure if I understand your question.

There are different ways to use NTLM. One is as a means to log on the user and use his NT user/password to get into the backend (e.g. R/3). That would be NTLM for SSO.

This setup is mainly done on the web server and by using the PAS modules on ITS (e.g. sapntauth.srvc).

The second way to use NTLM is to provide a trusted relationship between two systems - in your case between AGate and the backend SAP System. That would be NTLM for SNC. If you want to use NTLM for this you would use gssntlm.dll.

But in order to use the Pluggable Authentication Service with NTLM you can still use the sapcrypto.dll as a means to create the trusted relationship between AGate and the backend.

(btw. sapcrypto.dll provides higher security.)

Let me know if that answers your question.

best regards, Gerd

Former Member
0 Kudos

Hi Guru,

Thanks for your reply.

We configured NTLM:

log on the user and use his NT user/password to get into the backend (e.g. R/3).

Now we have to implement the same thing for ITS. I mean to say, the user will type the URL in the browser..

http://host/scripts/wgate/webgui/!

Is it possible to use the NT user and password, or do we need to pass parameters?

Could you please help me with the steps I need to follow?

All our servers, ITS and R/3, are in the same domain.

Regards

Radha

Former Member
0 Kudos

Hello Radha

That means you have to check out the Pluggable Authentication Service (PAS). That is an additional service on the ITS side that would forward the authentication to the backend and allow the user to log in.

In short:

1) The IIS web server configuration has to be changed from anonymous or basic authentication to NTLM. This way the web server is verifying the NT user/password.

2) The URL to call would be .../scripts/wgate/sapntauth/!, which is the service of the PAS module.

3) sapntauth would receive a ticket from the backend R/3 and forward it to the user.

4) This ticket can now be used to log on to .../scripts/wgate/webgui/!?language=XX&client=XXX

To allow this you also have to set up SNC between ITS and R/3. And this SNC can be set up with sapcrypto.dll according to the documentation you mentioned.

A good source to start with the PAS modules is

http://help.sap.com/saphelp_erp2004/helpdata/en/fc/5a273aeaa07123e10000000a114084/frameset.htm

best regards

Gerd

Former Member
0 Kudos

hi Guru,

We have a problem here: if we configure SNC (Cryptographic Library) between ITS and the application server, we can't use GUI SSO. We want to configure SSO on both ITS and GUI (using gssntlm.dll). We are trying to configure SSO on ITS. If you have any document, please help me.

Thanks in Advance

Regards

Radha

Former Member
0 Kudos

If you don't want to use or cannot use sapcryptolib you can choose gssapi32.dll.

But then your NT Domain (or rather Active Directory) setup has to be checked and probably changed:

so your SncNameAGate would change to

e.g.: SncNameAGate=p:DOMAIN\itsadm

Of course in this case the AGate has to be started with user DOMAIN\itsadm.

An example that might help can be found at

http://help.sap.com/saphelp_erp2004/helpdata/en/79/56113ad44fa931e10000000a114084/frameset.htm

Former Member
0 Kudos

Hi Guru,

Our application server is already configured for SSO using gssntlm.dll, so we have to configure SSO on ITS using gssntlm.dll.

Could you please help me?

I configured SSO using gssntlm.dll. We are getting the following error.

The Internet Transaction Server (AGate) was not able to authenticate the WGate when connecting.

Regards

Radha

Former Member
0 Kudos

That sounds like your SNC setup between WGate and AGate is still wrong. Maybe your sncnamewgate on the WGate and the AGate side are different?

Former Member
0 Kudos

Hi Guru,

I am still getting confused. Could you please send a step-by-step SSO configuration between R/3 and ITS using NTLM?

I am getting the same error,

Authentication Failure

The Internet Transaction Server (AGate) was not able to authenticate the WGate when connecting.

A security alert has been created in the access log.

The AGate.trc trace file may contain further information about this problem.

Regards

Radha

Former Member
0 Kudos

...

The problem seems to be:

you specified SNCNameWGate, but you have not set up NTLM between WGate and AGate.

If you want to set up SNC between AGate and R/3 you only have to specify SNCNameAGate.

If you want to set up NTLM between WGate and AGate, then you have to set it up correctly, so AGate would recognize the WGate.

Former Member
0 Kudos

hi Guru,

Thanks for your information. I am getting the following error ..

Cannot Complete Connection To R/3 System

The Internet Transaction Server was able to establish a connection to the R/3 System, but the connection could not be completed because of the following error Cannot get Dynpro information.

We specify the AGate's SNC information in the system access control list for SNC (table SNCSYSACL, view VSNCSYSACL, TYPE=E)

We create a generic entry for the AGate in the extended user access control list (table USRACLEXT)

Regards

Radha

Former Member
0 Kudos

Hi Guru,

I find the errors for above problem...

I find some errors:

agate0_sapbasis.trc

[Thr 8024] SncInit(): Initializing Secure Network Communication (SNC)

[Thr 8024] PC with Windows NT (mt,ascii,SAP UC/sizet/void* = 8/32/32)

[Thr 8024] SncInit(): Trying environment variable SNC_LIB as a gssapi library name: "D:\Program Files\SAP\ITS\6.20\programs\gssntlm.dll".

[Thr 8024] File "D:\Program Files\SAP\ITS\6.20\programs\gssntlm.dll" dynamically loaded as GSS-API v2 library.

[Thr 8024] The internal Adapter for the loaded GSS-API mechanism identifies as:

Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter

[Thr 2756] Tue Aug 23 10:10:34 2005

[Thr 2756] ***LOG Q0I=> NiPRead: recv (10054: WSAECONNRESET: Connection reset by peer) [ninti.c 1098]

Agate trace :

2005-08-23T11:53:52.457 p002372 t4820 s020E39D8 [w3xxwork.c, 1318]: E WorkDoWork: WorkDoEstablishSession() failed, rc=0xfffffffe

Thanks in Advance.

Regards

Radha

Answers (1)

Former Member
0 Kudos

Hi Guru,

I was trying to enable SNC on the application server, and I am getting the following error. We are using Windows 2003.

File "E:\usr\sap\RK1\SYS\exe\run\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N *** ERROR => SncPSetNewName()==SNCERR_BAD_NT_PREFIX [sncxxall.c 2271]

N SncPImportPrName() parsing error

N name="CN=RK1,OU=Test,O=MyCompany,C=DE"

N <<- SncInit()==SNCERR_BAD_NT_PREFIX

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000035) [thxxsnc.c 223]

M *** ERROR => ThSncInit: SncInitU (SNCERR_BAD_NT_PREFIX) [thxxsnc.c 225]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9413]

Regards

Radha

Former Member
0 Kudos

If I understand the error SNCERR_BAD_NT_PREFIX correctly, I would say you are using the wrong name:

name="CN=RK1,OU=Test,O=MyCompany,C=DE"

My guess is it should be

name="p:CN=RK1,OU=Test,O=MyCompany,C=DE"

but better check again with your documentation.

regards, Gerd
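
The diagnosis in the reply above, as an added example that is not part of the original thread: a Python triage of the SNC trace lines posted here, which extracts the loaded GSS-API library, the SNC error and the rejected name, and flags a name that lacks the p: prefix. The function names are hypothetical, and only the p: prefix shown in this thread is recognised (an assumption).

```python
import re

# Trace lines as posted in this thread (sapcrypto.dll on the application server).
TRACE = r'''File "E:\usr\sap\RK1\SYS\exe\run\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N *** ERROR => SncPSetNewName()==SNCERR_BAD_NT_PREFIX [sncxxall.c 2271]
N SncPImportPrName() parsing error
N name="CN=RK1,OU=Test,O=MyCompany,C=DE"
N <<- SncInit()==SNCERR_BAD_NT_PREFIX
N sec_avail = "false"'''

LIB_RE = re.compile(r'File "([^"]+)" dynamically loaded as GSS-API v2 library')
ERR_RE = re.compile(r'\*\*\* ERROR => (\w+)\(\)==(SNCERR_\w+) \[(\S+) (\d+)\]')
NAME_RE = re.compile(r'\bname="([^"]*)"')
# Assumption: only the "p:" name-type prefix that appears in this thread is accepted.
KNOWN_PREFIXES = ("p:",)


def has_name_type_prefix(snc_name):
    """True if the SNC name starts with a recognised name-type prefix."""
    return snc_name.startswith(KNOWN_PREFIXES)


def triage(trace):
    """Extract GSS-API library, SNC errors and rejected names from a trace."""
    report = {"library": None, "errors": [], "names": [], "findings": []}
    for line in trace.splitlines():
        if m := LIB_RE.search(line):
            report["library"] = m.group(1)
        if m := ERR_RE.search(line):
            report["errors"].append(
                {"func": m.group(1), "code": m.group(2),
                 "source": m.group(3), "line": int(m.group(4))})
        if m := NAME_RE.search(line):
            report["names"].append(m.group(1))
    # A prefix error plus an unprefixed name points at the configured SNC name.
    if any(e["code"] == "SNCERR_BAD_NT_PREFIX" for e in report["errors"]):
        for name in report["names"]:
            if not has_name_type_prefix(name):
                report["findings"].append(
                    f'SNC name "{name}" has no name-type prefix; '
                    f'candidate per the reply: "p:{name}"')
    return report


if __name__ == "__main__":
    for finding in triage(TRACE)["findings"]:
        print(finding)
```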