
How to implement Single Sign On on local installation Server

Former Member
0 Kudos

Hi, we installed ERP 6.0 (ABAP + Oracle) on Windows 2003 by local installation.

But we need Active Directory integration for SSO with Microsoft Kerberos SSP.

Is it possible to implement SSO?

If it is possible, please tell me the steps.

Best Regards

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Dear friend,

See, single sign-on you can implement.

If you need to implement it, below I am giving you links.

1. You can find everything about SSO here:

http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm

2. Here is the link for the docs on Single Sign On:

http://help.sap.com/saphelp_47x200/helpdata/en/5c/ced9382c378319e10000000a114084/frameset.htm

3. /people/thomasalexander.ritter/blog/2005/03/07/bsp-stateless-modelbinding--proof-of-concept

/people/eddy.declercq/blog/2005/01/13/the-unfortunate-cookie

/people/mark.finnern/blog/2003/09/24/bsp-in-depth-confusion-between-stateless-stateful-and-authentication

Shailesh Tiwari

Former Member
0 Kudos

Hi, Shailesh.

Thank You for your response.

I read your recommended page, but it was not possible to solve my problem.

When I read the following page about Single Sign-On with Microsoft Kerberos SSP,

http://help.sap.com/saphelp_nw70/helpdata/en/59/e74eec7c394322869c752947412bb2/frameset.htm

it seems I have to set snc/identity/as = p:SAPService<SID>@<DOMAIN_NAME>.

But local installation created SAPService<SID> not as a domain user but as a local user.

So I need SAPService<SID> as a domain user, or some other way.

Do you have any good ideas?

Thanks & Regards

takehiro

markus_doehr2
Active Contributor
0 Kudos

So - if your server is not a member server of the domain, there's nothing you can "make single" then (in the first place).

You can, however, create that one user in the AD and make it authenticate against it.

--

Markus

Former Member
0 Kudos

Hi, Markus

Thank you for your response.

Our server is already a member server of the domain.

I created a new domain user named "SAPService<SID>" and set the parameter

snc/identity/as = p:SAPService<SID>@<DOMAIN_NAME>

and set the other SNC parameters related to single sign-on.

And I tried to restart the Central Instance, but the Central Instance cannot be restarted.

The log file "dev_w0" wrote this part about SNC:

N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll
N File "C:\WINDOWS\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPServiceSID@D_ERP
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): No Kerberos SSPI credentials available for requested name
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPServiceSID@D_ERP"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
M Tue Oct 16 20:13:21 2007
M LOCATION SAP-Server sv01_SID_30 on host sv01 (wp 0)
M ERROR GSS-API(maj): No valid credentials provided (or available)
M GSS-API(min): No Kerberos SSPI credentials available for requested nam
M name="p:SAPServiceSID@D_ERP"
M TIME Tue Oct 16 20:13:21 2007
M RELEASE 700
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -4
M MODULE sncxxall.c
M LINE 1432
M DETAIL SncPAcquireCred
M SYSTEM CALL gss_acquire_cred
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;
M ;;;;GSS-API(min): No Kerberos SSPI credentials available for requested nam;;;;
M ;;;;name="p:SAPServiceSID@D_ERP"
M DETAIL MSG N

It is thought that the "snc/identity/as" parameter is wrong.
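A small diagnostic check, added here as an example and not part of the thread or of any SAP tool, that parses the SNC portion of a dev_w0 trace like the one above, classifies the SncPAcquireCred failure and validates the snc/identity/as format; the trace excerpt is constructed from the lines quoted in the post.

```python
import re

# Constructed excerpt of a dev_w0 work-process trace, modelled on the lines
# quoted in the post above (not a file from the poster's system).
DEV_W0 = """\
N SncInit(): Initializing Secure Network Communication (SNC)
N SncInit(): found snc/gssapi_lib=C:\\WINDOWS\\system32\\gx64krb5.dll
N SncInit(): found snc/identity/as=p:SAPServiceSID@D_ERP
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): No Kerberos SSPI credentials available for requested name
N Could't acquire ACCEPTING credentials for
N name="p:SAPServiceSID@D_ERP"
"""

# For the Kerberos SSP the identity must have the form p:<account>@<REALM>.
IDENTITY_RE = re.compile(r"^p:(?P<account>[^@\s]+)@(?P<realm>\S+)$")


def identity_problems(identity):
    """Return a list of format problems found in an snc/identity/as value."""
    m = IDENTITY_RE.match(identity)
    if not m:
        return ["identity must look like p:<account>@<REALM>"]
    problems = []
    # Kerberos realm names are conventionally written in upper case.
    if m.group("realm") != m.group("realm").upper():
        problems.append("Kerberos realm is conventionally the upper-case AD domain name")
    return problems


def diagnose_snc(trace):
    """Parse an SNC start-up trace and classify a credential-acquisition failure."""
    identity = gss_min = None
    for line in trace.splitlines():
        if "snc/identity/as=" in line:
            identity = line.split("snc/identity/as=", 1)[1].strip()
        elif "GSS-API(min):" in line:
            gss_min = line.split("GSS-API(min):", 1)[1].strip()
    if identity is None:
        return {"status": "no-snc", "identity": None, "hints": []}
    hints = identity_problems(identity)
    if gss_min is None:
        return {"status": "ok", "identity": identity, "hints": hints}
    if "No Kerberos SSPI credentials" in gss_min:
        # SSPI only hands out credentials for the account the work process runs
        # as, so a computer-local SAPService<SID> cannot hold a domain principal.
        hints.append("work process must run as the domain account named in the identity")
        hints.append("that account needs the Kerberos principal mapped to it (ktpass.exe)")
    return {"status": "cred-failed", "identity": identity, "hints": hints}
```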

markus_doehr2
Active Contributor
0 Kudos

If your AD controller is on Windows 2003, you need to do some additional steps, check

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/471720173f5f86e10000000a1553f6/content.htm

--

Markus

Former Member
0 Kudos

Hi, Markus

Thank you for your response.

I am sorry, I forgot to write the OS versions.

AD: Windows 2000 SP4 (mixed mode)

SAP: Windows 2003 R2 x64 (ERP 6.0 ABAP + SQL Server).

Our AD controller is on Windows 2000.

Thanks & Regards

takehiro

Former Member
0 Kudos

Yes:

The installation defaults the location of the users it's going to create to that of the account installing the system.

In other words: if you start the installation using a computer-local account, the SAP accounts will default to computer-local ones. If you are installing the system using a domain user, they default to this domain.

You can overwrite the defaults when revising the installation parameters in the dialog phase of SAPinst, right before starting the installation phase.

This step was visible in former installations (< 700).

peter

markus_doehr2
Active Contributor
0 Kudos

The Kerberos implementations differ slightly between W2K and W2K3; you will need to find out by trying, since there's only little documentation available.

I've set up SSO with a Unix client (Linux, Solaris, HP-UX) but I'm not sure how W2K3 with SP1 will interact with a Windows 2000 AD.

--

Markus

Former Member
0 Kudos

Hi, Peter

Thank you for your response.

Do you mean it is impossible to implement SSO with Windows Kerberos when we installed SAP by local installation?

takehiro

Former Member
0 Kudos

Hi, Markus

Thank you for your good advice.

I'll try it in various ways.

Thank you.

takehiro

markus_doehr2
Active Contributor
0 Kudos

You may need to use "ktpass.exe" to map the Windows principals to the Kerberos principals before it will work (I had to do that on the *nix platforms too):

Check

http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/P3Intran_4.mspx?mfr=t...

--

Markus

Former Member
0 Kudos

The problem is that in a standard environment the local user SAPServiceSID is trying to access the domain for domain account validation.

This should not work without the tricks Markus is mentioning.

On standard Windows configurations you need a domain account to access domain-level objects (unless you remove all security and enable guest accounts on the domain level).

Regards

Peter