SSO to SAP from .NET Web Service application

Former Member
0 Kudos

Hello,

I have created an ASP .NET Web Service application that employs the SAP .NET Connector to connect to the SAP R/3 4.6b. Presently this application uses a CPIC id to connect to SAP to expose the BAPIs and RFCs as the Web Methods of the Web Service.

Is it possible to have a Single Sign-On to SAP in this scenario?

If yes, what SSO technique would be most applicable?

The Web service is available in the intranet environment and it can be consumed by variety of the client applications running in the Microsoft environment.

Following are the examples of the applications that could consume the web service methods: (.NET web application, integration broker, SAP portal or another web service).

We have the Active Directory implemented throughout the company but I am not sure how that could be used to help me with the solution.

The ultimate goal is to have a web service that connects to SAP using the identity of the client. The proper authentication and authorization into SAP is very critical especially in the situations when the web services will write back into SAP. Another area of concern is the SAP client license management.

Any suggestions will be greatly appreciated.

Thanks,

Kris Zywicki

Accepted Solutions (0)

Answers (1)

reiner_hille-doering
Active Contributor
0 Kudos

Hello Kris,

the problem with such a scenario is that there is no standard for Web Service authentication. Therefore there is no standard to identify a user that you can later use for SSO.

As web services are HTML-based, you could use various approaches for authentication - each giving you a way for .NET connector SSO:

1. Use a X.509 client certificate

2. Use NTLM/Kerberos authentication

3. Use a special cookie.

Because there is no standard, it depends on your client app which method you use. In a .NET WebService client all of the three are possible (with some coding).

For 1. and 2. you could use the procedure that is described in

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/how to use windows nt logon for single sign-on in an sap web application.article

For 3. you could use the MYSAPSSO2 approach. There is an article coming up this week. However, your client needs the MYSAPSSO2 ticket from somewhere, e.g. a SAP portal.

Former Member
0 Kudos

Hello Kris,

I was able to successfully implement a SSO prototype following Reiner's document. We were able to use NT Authentication, x.509 certificates, and a third party security application. The SSO to SAP is very flexible once you choose an authentication method for your .NET application.

One piece of feedback. I would be careful in the ASP.NET application section. The document says to use <identity impersonate="false"/> in your web.config. I was never able to successfully run the application with impersonate=false. The ASP.NET process needed to run as the domain user mapped in step two. For example, my web.config file had an entry similar to <identity impersonate="true" userName="CONTOSO\ASPNetUsr" password="mypassword"/>.

In step two "Configure a trust relationship...", the account CONTOSO\ASPNetUsr (domain user?) is mapped to a systemID of MYASP. I would think the calling ASP.NET application would need to 'run as' or 'impersonate' this domain user. If the .NET application is running as LOCALMACHINE\ASPNET, how can SAP trust the .NET application?

Anyway, this was a point of confusion for me and could possibly be my Win2K IIS5 setup. Just thought I would pass along my findings.

Good luck.

dave

reiner_hille-doering
Active Contributor
0 Kudos

Hi Dave,

thanks for the feedback. Indeed it's important that your ASPNET_WP is running as a fixed user that is trusted by the SAP Application Servers. I'm currently not sure, but I think you are right that this account has to be a domain account. In the examples we always talk about "CONTOSO\ASPNetUsr", which is a domain user.

Don't ask me where exactly you best specify which account should be used for ASP.NET. A good place is definitely the machine.config, section "processModel". In IIS6 it would be configured somewhere in the IIS manager. Perhaps I should spend some time to update the section.

Your suggestion to put it into web.config with <identity impersonate="true" and a fixed account is also possible. We describe "impersonate="false"", because we assume that ASP is already configured to run as a valid domain account. We don't want ASP to impersonate the web client user, because this would definitely not work.

Makes sense?

Anyway, thanks again for the ideas,

Reiner.
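The two configuration variants discussed above (fixed process identity via machine.config, or fixed impersonation identity via web.config), side by side as an added example; this is not configuration from Reiner's article or from Dave's setup. The account name CONTOSO\ASPNetUsr comes from the thread; the password, the registry path and the application name are placeholders, and the registry form assumes the ASP.NET 1.1 aspnet_setreg tool has already written the encrypted values there.

```xml
<!-- Variant A: ASP.NET worker process itself runs as the trusted domain account.
     File: machine.config (ASP.NET 1.x on IIS 5). web.config then keeps
     impersonate="false", as Reiner's article describes, so every request runs
     as the process account that SAP trusts. -->
<system.web>
  <processModel enable="true"
                userName="CONTOSO\ASPNetUsr"
                password="PLACEHOLDER_PASSWORD" />
</system.web>

<!-- Variant B: worker process stays as the default local account and web.config
     impersonates the trusted domain account for this one application.
     File: web.config. Note the userName attribute: impersonate="true" WITHOUT a
     fixed userName would impersonate the authenticated web client instead, which
     is the case Reiner says will not work for the SAP trust relationship. -->
<system.web>
  <identity impersonate="true"
            userName="CONTOSO\ASPNetUsr"
            password="PLACEHOLDER_PASSWORD" />
</system.web>

<!-- Variant B without a clear-text password in web.config (the registry option
     Dave mentions). Placeholder key path; the values are written encrypted by
     aspnet_setreg and the ASP.NET process account needs read access to the key. -->
<system.web>
  <identity impersonate="true"
            userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
            password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
</system.web>
```

Whichever variant is used, the security-relevant point is the same one Dave and Reiner arrive at: the SNC trust on the SAP side is granted to one fixed domain account, so the thread of execution that opens the SAP .NET Connector connection must run under that account, and the end user's identity is passed to SAP through the trusted-connection mechanism rather than by impersonating the web client at the IIS level. Whoever can read that account's password (file system ACL on web.config or machine.config, or the registry key ACL) can act as the trusted system, so restrict those ACLs to the ASP.NET process identity and administrators.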

Former Member
0 Kudos

Thanks for confirming. There are a couple of different ways to impersonate a domain account, including storing the values in the registry. I am still pushing for IIS6, but not sure when that can happen.

Your response does make sense and from your message, it is clear the ASP.NET process needs to run as a trusted domain account. If you ever revise your document, you might want to emphasize this point in either section two or the "building ASP.NET application" section.

thanks,

dave

Former Member
0 Kudos

Reiner/Dave

Thanks so much for all the information.

My SAP R/3 system is running on Unix.

Can I still configure the SAP system for secure communications to use Kerberos from Windows clients?

If yes, what's required to enable SNC and use Kerberos on a Unix SAP R/3 server?

Thanks Kris.

reiner_hille-doering
Active Contributor
0 Kudos

Yes, SNC can be used cross NT/Unix, but you need an SNC provider that is available on both platforms. If you use gsskerb5.dll, you need a Kerberos implementation on UNIX. You can also use a different SNC provider DLL, e.g. from Secude. In this case my article does not fully fit - you need to make some adaptations.

BTW: For the MySAPSSO2 based approach you don't need a SNC connection.

Regards,

Reiner.

Former Member
0 Kudos

Thanks a lot.

I will do some more investigation in both areas.

Kris.