Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User session SNC or not?

Go to solution
Former Member

‎04-09-2008 1:37 PM

0 Kudos

Hi All

I have activated SAPGui SNC logon via kerberos and I would like to know if user has logged on with SNC or by standard user/pass method. Is it possible to see this in the system?

I have tried audit and system trace but it is not helping.

Thanks in adv.

Sindri

1 ACCEPTED SOLUTION

Go to solution
WolfgangJanzen
Product and Topic Expert
Product and Topic Expert

‎04-09-2008 4:11 PM

> 

> I have activated SAPGui SNC logon via kerberos and I would like to know if user has logged on with SNC or by standard user/pass method. Is it possible to see this in the system?

The user him-/herself can see this in the system using the menu path "System" > "Status".

If SNC is used, the user's SNC name is displayed in the section "Usage Data" (right on top).

In newer ABAP systems you can (as admin) check on the sessions of other users using transaction SM04; there's a menu item "User" > "Technical Information" which displays a long list of technical data, one of them is "snc_count". If it's set to a non-zero value, then SNC is used. Unfortenately you cannot see the SNC name of the user.

Cheers, Wolfgang

PS: Tim made a good comment which you should take a closer look at - unless you want / have to leave both choices open (for the user to decide).

6 REPLIES 6

Go to solution
tim_alsop
Active Contributor

‎04-09-2008 1:54 PM

0 Kudos

Sindri,

I asked similar question last year. Check the post [here|;

I am interested to know why you want to know ? Surely if somebody can logon via SNC you don't want to allow them to logon using a less secure method ? Have you tried setting logon/password_change_for_sso to 3 so that when they logon for first time using SNC their SAP password is deactivated, thus stopping them from being able to logon using a less secure method from that point onwards.

Regards,

TIm

Go to solution
WolfgangJanzen
Product and Topic Expert
Product and Topic Expert

‎04-09-2008 4:11 PM

> 

> I have activated SAPGui SNC logon via kerberos and I would like to know if user has logged on with SNC or by standard user/pass method. Is it possible to see this in the system?

The user him-/herself can see this in the system using the menu path "System" > "Status".

If SNC is used, the user's SNC name is displayed in the section "Usage Data" (right on top).

In newer ABAP systems you can (as admin) check on the sessions of other users using transaction SM04; there's a menu item "User" > "Technical Information" which displays a long list of technical data, one of them is "snc_count". If it's set to a non-zero value, then SNC is used. Unfortenately you cannot see the SNC name of the user.

Cheers, Wolfgang

PS: Tim made a good comment which you should take a closer look at - unless you want / have to leave both choices open (for the user to decide).

Go to solution
Former Member
In response to WolfgangJanzen

‎04-11-2008 11:33 AM

0 Kudos

Many thanks Wolfgang, this is exactly what I needed.

I cannot disable user/pass logon while I am distributing all prereqs to all workstations. It will be done later.

Regards

Sindri

Edited by: Sindri Onundarson on Apr 11, 2008 12:34 PM

Go to solution
WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
In response to WolfgangJanzen

‎04-11-2008 1:05 PM

0 Kudos

> I cannot disable user/pass logon while I am distributing all prereqs to all workstations. It will be done later.

Well, but for exactly this reason the profile parameter login/password_change_for_SSO was introduced: by setting it to value 3 the password will automatically be "deactivated" (actually: deleted) if the user has managed to logon by other means (e.g. SNC) and if the system has detected the requirement to change the password (i.e. either because it is "initial" respectively has been reset by the admin, or because it needs to be changed regularily).

That's what Tim Alsop was stating, already.

Notice: this "password deletion" is performed on a per-user level (and only if the user has "proven" that he do not need passwords for authentication).

Cheers, Wolfgang

Go to solution
Former Member
In response to WolfgangJanzen

‎04-14-2008 10:40 AM

0 Kudos

The problem is that I am not only distributing SSO. I am also distributing other application together with SSO and unfortunately it invalidates the usage of the parameter as user must at some point log on both with SSO and standard UIDPW method. I can make use of this parameter later on.

Regards

Sindri

Go to solution
Former Member

‎04-09-2008 5:08 PM

0 Kudos

If I understand you correctly and your requirement is only to know which users have logged on using SNC and deactivated the password, and which have not, then I think report RSUSR200 (which is submitted by a transaction with the same name in higher releases) can tell you this at the current point in time.

It evaluates field CODVN to check for an 'X', which means "deactivated password".

Cheers,

Julius