> 1. Do you know any relaible products & cost of owning this 3rd party solution.

Sorry, but I cannot give any recommendations or comments on partner products.

But I'm sure you'll get some feedback by other SDN members.

> 2. If my Portal systems are running on Win2003 servers will same SNC solution be apicable.

Well, you should choose a SNC product that is also available on this platform (which should be fairly easy). But please be aware that SNC can only be used for ABAP servers - not for Java servers (like EP). However, some (PKI-based) products provide support for both, SNC and X.509 client certificates. The X.509 client certificates can then be used for SSO at the EP (as well as at any other NWAS - ABAP and Java). That's, of course, not the only possible solution approach which provides SSO for both "worlds" (http and non-http communication). There are also SNC products available which are Kerberos-based; and those vendors also provide custom JAAS login modules which can be deployed on a NWAS Java / EP.

> 3. How can i convince my superiors ...

Well, I don't know.

Now, you got already one reply / offer from someone who represents a vendor providing a PKI-based solution.

I'm sure that <a href="https://forums.sdn.sap.com/profile.jspa?userID=120626">Tim Alsop</a> will soon also reply to this posting. He is representing a company which offers a Kerberos-based solution.

And of course, all others are also invited to present their offerings (in an appropriete way, complying with the <a href="https://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement">Rules of Engagement</a>).

> i got suggestion from Jansen that logon ticket won't work without a portal front end

Sorry to disagree. All I've stated was that you will not get any SAP Logon Tickets back if you use SAPGUI (for Windows) as frontend. However, I've pointed out that you can use SNC to obtain SSO functionality, in that case.

Thanks for clarification - no, I'm not feeling offended.

PS: my firstname is 'Wolfgang' (not: 'Janzen')

"SAP GUI for HTML" requires an ITS (as of NWAS 6.40 the ITS functionality is contained in the NWAS ABAP, so-called "internal ITS").

In case of the internal ITS it is just an ICF service (to be activated via transaction SICF) - with the URI /sap/bc/gui/sap/its/webgui

But please notice: "SAP GUI for Windows" and "SAP GUI for HTML" have different capabilities (especially regarding integration with MS Office products).

Regards, Wolfgang

Unfortenately, that authentication mechanism is not available for ABAP systems.

However: in many cases "LDAP authentication" is referring to the usage of MS ADS. In that case you can consider to use the SNC library descibed in [SAP Note 352295|https://service.sap.com/sap/support/notes/352295] (if your ABAP system is running on the Windows platform) when using SAPGUI.

Using WebGUI this is only possible if either using an external ITS (6.20, see [SAP Note 493107|https://service.sap.com/sap/support/notes/493107]) or when using an Enterprise Portal (or at least a NWAS Java) which supports SPNEGO authentication.

I advise to perform a search in this forum with the keyword 'SPNEGO' or 'Kerberos'.

You'll find many hits ...

Cheers, Wolfgang

Naveen,

Actually, when you access MS Exchange or any Windows application that recognises the user logged on at workstation you are using Kerberos protocol for authentication, NOT LDAP protocol.

I hope you don't mind me correcting you, but many people confuse LDAP with Kerberos because MS AD is a Kerberos authentication server and also provides a Directory that is accessible via the LDAP protocol. The LDAP protocol is used to access Directory objects, and you can even authenticate using Kerberos to obtain a secure LDAP session - via the SASL GSS-API mechanism. Generally though, when using MS AD the authenticating protocol is Kerberos, not LDAP since Kerberos is more secure and better suited to SSO due to the tickets issued being cached after initial authentication.

Thanks,

Tim

Naveen,

When you mention that you want SSO for your users when they logon to SAP Web AS, I assume you want/need what is known as Integrated Windows Authentication (IWA for short). With IWA when a user logs onto Windows workstation using a domain account they are authenticating themselves to the WIndows Active Directory domain. Then when the user opens a web browser and accesses a SAP applicaiton hosted on SAP WebAS they are not asked to auithenticate again ? If this is what you are looking for then you need to use IWA, which is implemented in Java engine using an SPNEGO login module. There is no SASL requirement, so I am sorry I mentioned it - the reference I made to SASL was to explain that SASL protocol combined with GSS-API can be used to authenticate and provide a secure session with an LDAP directory. In your case you are wanting to authenticate users and get SSO, not have secure access to your directory.

So, from above you will see that you need to configure a login module in Java engine. When you have done this you will need to consider web accessible applications which are on ABAP stack, and this is done using a redirect on intiial authentication. It is explained many times elsewhere in this forum so I suggest you search for appropriate keywords such as SPNEGO and Java and you will find links which will help you setup this redirection.

Just for completeness, the company I work for has a product which we sell which does what you are looking for. The product is called TrustBroker Adapter. You can also use the SPNEGO login module provided by SAP, but our product is different in many ways, including the support for various Keberos protocol extensions and encryption types - our product does not use the Kerberos included with Java JDK which is notorius for being old and bug ridden

Thanks,

Tim

Naveen,

I was not clear that you were looking for a solution with SAP GUI since the parts of your thread which I read didn't mention that. sorry for any confusion.

Anyway, with SAP GUI you are not going to use Java engine for this, and you can instead use SNC. The SNC library you need cannot be obtained from SAP since you have SAP on AIX, so you need a commerical SAP certified library instead. This is what our company sells, and [is explained here|http://www.cybersafe.com/links/snc.htm].

If you want to see a demo of how our product works with SAP Logon, please check [this link|http://www.cybersafe.com/d2] where we show the installation of our product on SAP server which is UNIX based and a demonstration is also shown so you can see a user logon to windows workstation and then opening SAP Logon and clicking on an entry to logon to SAP system.

You will notice that the only software requires is installed on each Windows workstation and on the SAP server which in your case is AIX.

Note: The SPNEGO references earlier in this thread are related only to Web access, and you are not looking for a Web based solution.

Thanks,

Tim

Naveen,

Short answer is "YES".

I think it is appropriate if you want to discuss our product more that we do that outside of SDN. If you are interested to discuss further and perhaps arrange an evaluation can you contact me using the email address in my SDN business card.

Thanks,

Tim

Just for completeness:

there is more than just one certified SNC solution which would be suitable for the described scnenario.

See: http://www.sap.com/ecosystem/customers/directories/SearchSolution.epx

Sunita,

The SAPCRYPTOLIB is an SNC library that uses x.509 certificates. In your other thread related to your requirements you said you didn't want to use x.509 certs.

Thanks,

Tim

> ... there are other options to address your requirements (user authentication via Kerberos or Windows logon info to enable secure SSO to SAP via SAPGUI or other SAP user interfaces). You can implement SNC without installing a 3rd-party library on the SAP server (AIX), using SAPCRYPTOLIB. ...

Well, SAPCRYPTOLIB can be used as SNC library, that part is true.

But (due to the OEM license) it must only be used to establish an SNC-protected server-to-server communication; it is not suitable to achieve a SSO solution (user authentication based on SNC) since SAPCRYPTOLIB must not be used with SAPGUI or RFC clients installed on the frontend PC.

Yes, SAPCRYPTOLIB offers certificate-based cryptographic services - but without providng the Public Key Infrastructure (PKI) itself. You can only create self-signed certificates but you cannot perform Certification Authority (CA) operations. For server-to-server communication that is not critical since you can mutually exchange the certificates. However, that approach does not scale - it will not be appropriete for hundreds or thousands of users.