04-09-2008 1:37 PM
Hi All
I have activated SAPGui SNC logon via Kerberos and I would like to know if a user has logged on with SNC or by the standard user/pass method. Is it possible to see this in the system?
I have tried audit and system trace but it is not helping.
Thanks in adv.
Sindri
04-09-2008 4:11 PM
> I have activated SAPGui SNC logon via Kerberos and I would like to know if a user has logged on with SNC or by the standard user/pass method. Is it possible to see this in the system?
The user him-/herself can see this in the system using the menu path "System" > "Status".
If SNC is used, the user's SNC name is displayed in the section "Usage Data" (right on top).
In newer ABAP systems you can (as admin) check on the sessions of other users using transaction SM04; there's a menu item "User" > "Technical Information" which displays a long list of technical data, one of them is "snc_count". If it's set to a non-zero value, then SNC is used. Unfortunately you cannot see the SNC name of the user.
Cheers, Wolfgang
PS: Tim made a good comment which you should take a closer look at - unless you want / have to leave both choices open (for the user to decide).
04-09-2008 1:54 PM
Sindri,
I asked a similar question last year. Check the post [here|;
I am interested to know why you want to know? Surely if somebody can logon via SNC you don't want to allow them to logon using a less secure method? Have you tried setting logon/password_change_for_sso to 3 so that when they logon for the first time using SNC their SAP password is deactivated, thus stopping them from being able to logon using a less secure method from that point onwards?
Regards,
Tim
04-11-2008 11:33 AM
Many thanks Wolfgang, this is exactly what I needed.
I cannot disable user/pass logon while I am distributing all prereqs to all workstations. It will be done later.
Regards
Sindri
Edited by: Sindri Onundarson on Apr 11, 2008 12:34 PM
04-11-2008 1:05 PM
> I cannot disable user/pass logon while I am distributing all prereqs to all workstations. It will be done later.
Well, but for exactly this reason the profile parameter login/password_change_for_SSO was introduced: by setting it to value 3 the password will automatically be "deactivated" (actually: deleted) if the user has managed to logon by other means (e.g. SNC) and if the system has detected the requirement to change the password (i.e. either because it is "initial" respectively has been reset by the admin, or because it needs to be changed regularly).
That's what Tim Alsop was stating, already.
Notice: this "password deletion" is performed on a per-user level (and only if the user has "proven" that he does not need passwords for authentication).
Cheers, Wolfgang
04-14-2008 10:40 AM
The problem is that I am not only distributing SSO. I am also distributing another application together with SSO and unfortunately it invalidates the usage of the parameter, as the user must at some point log on both with SSO and the standard UIDPW method. I can make use of this parameter later on.
Regards
Sindri
04-09-2008 5:08 PM
If I understand you correctly and your requirement is only to know which users have logged on using SNC and deactivated the password, and which have not, then I think report RSUSR200 (which is submitted by a transaction with the same name in higher releases) can tell you this at the current point in time.
It evaluates field CODVN to check for an 'X', which means "deactivated password".
Cheers,
Julius