on 10-13-2007 4:52 AM
Hi, we installed ERP.60(ABAP + Oracle) on Windows2003 by local installation.
But we need Active Directory integration for SSO with Microsoft Kerberos SSP.
Is it possible to implement SSO?
If it is possible, please tell me the steps.
Best Regards
Dear friend
Yes, you can implement single sign-on.
If you need to implement it, I am giving you the links below.
1. You can find everything about SSO here:
http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
2. Here is the link for the docs on Single Sign-On:
http://help.sap.com/saphelp_47x200/helpdata/en/5c/ced9382c378319e10000000a114084/frameset.htm
3. /people/thomasalexander.ritter/blog/2005/03/07/bsp-stateless-modelbinding--proof-of-concept
/people/eddy.declercq/blog/2005/01/13/the-unfortunate-cookie
/people/mark.finnern/blog/2003/09/24/bsp-in-depth-confusion-between-stateless-stateful-and-authentication
Shailesh Tiwari
Hi, Shailesh.
Thank you for your response.
I read your recommended page, but I was not able to solve my problem.
When I read the following page about Single Sign-On with Microsoft Kerberos SSP,
http://help.sap.com/saphelp_nw70/helpdata/en/59/e74eec7c394322869c752947412bb2/frameset.htm
It seems I have to set snc/identity/as = p:SAPService<SID>@<DOMAIN_NAME>.
But the local installation created SAPService<SID> not as a domain user but as a local user.
So I need SAPService<SID> as a domain user,
or some other way.
Do you have any good ideas?
Thanks & Regards
takehiro
Hi, Markus
Thank you for your response.
Our server is already a member server of the domain.
I created a new domain user named "SAPService<SID>" and set the parameter
snc/identity/as = p:SAPService<SID>@<DOMAIN_NAME>,
and set the other SNC parameters related to single sign-on.
Then I tried to restart the Central Instance, but the Central Instance cannot be restarted.
The log file "dev_w0" wrote the following SNC part:
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll
N File "C:\WINDOWS\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPServiceSID@D_ERP
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): No Kerberos SSPI credentials available for requested name
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPServiceSID@D_ERP"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
M Tue Oct 16 20:13:21 2007
M LOCATION SAP-Server sv01_SID_30 on host sv01 (wp 0)
M ERROR GSS-API(maj): No valid credentials provided (or available)
M GSS-API(min): No Kerberos SSPI credentials available for requested nam
M name="p:SAPServiceSID@D_ERP"
M TIME Tue Oct 16 20:13:21 2007
M RELEASE 700
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -4
M MODULE sncxxall.c
M LINE 1432
M DETAIL SncPAcquireCred
M SYSTEM CALL gss_acquire_cred
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;
M ;;;;GSS-API(min): No Kerberos SSPI credentials available for requested nam;;;;
M ;;;;name="p:SAPServiceSID@D_ERP"
M DETAIL MSG N
It is thought that the "snc/identity/as" parameter is wrong.
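The trace quoted above can be triaged mechanically. The following is an added example, not part of the original post and not SAP code: it pulls the SNC parameters, the failing call and the GSS-API status out of dev_w0-style lines and flags the two conditions discussed in this thread. The function names and finding codes are hypothetical, and the sample lines are constructed from the shape of the quoted log.

```python
import re

# Constructed sample, shaped like the dev_w0 excerpt quoted in the thread.
SAMPLE_TRACE = r"""
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll
N SncInit(): found snc/identity/as=p:SAPServiceSID@D_ERP
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): No Kerberos SSPI credentials available for requested name
"""

PARAM_RE = re.compile(r"^N\s+SncInit\(\): found (snc/[\w/]+)=(\S+)")
ERROR_RE = re.compile(r"^N\s+\*\*\* ERROR => (\w+)\(\)==(\w+)")
GSS_RE = re.compile(r"^N\s+GSS-API\((maj|min)\): (.+)$")
SNC_NAME_RE = re.compile(r"^p:([^@\s]+)@(\S+)$")  # p:<user>@<DOMAIN>

def parse_snc_trace(text):
    """Collect SNC parameters, the failing call and GSS-API status."""
    out = {"params": {}, "failed_call": None, "snc_error": None, "gss": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := PARAM_RE.match(line):
            # Values such as "1, using 1 (...)" carry a trailing comma.
            out["params"][m.group(1)] = m.group(2).rstrip(",")
        elif m := ERROR_RE.match(line):
            out["failed_call"], out["snc_error"] = m.groups()
        elif m := GSS_RE.match(line):
            out["gss"].setdefault(m.group(1), m.group(2).strip())
    return out

def diagnose(parsed):
    """Return (code, message) findings for the conditions raised in the thread."""
    findings = []
    identity = parsed["params"].get("snc/identity/as", "")
    name = SNC_NAME_RE.match(identity)
    if not name:
        findings.append(("BAD_SNC_NAME",
                         f"snc/identity/as={identity!r} is not p:<user>@<DOMAIN>"))
    if parsed["failed_call"] == "SncPAcquireCred":
        user = name.group(1) if name else identity
        findings.append(("NO_ACCEPT_CRED",
                         f"no accepting credentials for {identity}: verify the "
                         f"instance runs as the domain account {user}, not a "
                         f"local account of the same name"))
    return findings

if __name__ == "__main__":
    for code, message in diagnose(parse_snc_trace(SAMPLE_TRACE)):
        print(code, "-", message)
```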
If your AD controller is on Windows 2003, you need to do some additional steps, check
http://help.sap.com/saphelp_nw2004s/helpdata/en/43/471720173f5f86e10000000a1553f6/content.htm
--
Markus
Yes:
The installation defaults the location of the users it is going to create to that of the account installing the system.
In other words: if you start the installation using a computer-local account, the SAP accounts will default to computer-local ones. If you are installing the system using a domain user, they default to this domain.
You can overwrite the defaults when revising the installation parameters from the dialog phase of SAPinst, right before starting the installation phase.
This step was visible in former installations (< 700).
peter
You may need to use "ktpass.exe" to map the Windows principals to the Kerberos principals before it will work (I had to do that on the *nix platforms too):
Check
--
Markus
The problem is that in a standard environment the local user SAPServiceSID is trying to access the domain for domain account validation.
This should not work without the tricks Markus is mentioning.
On standard Windows configurations you need a domain account to access domain-level objects (unless you remove all security and enable guest accounts on domain level).
Regards
Peter