Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO with Windows ADS authentication against web based reports in BW 3.5

Former Member

‎04-30-2008 10:41 PM

0 Kudos

Hi experts,

I have the following scenario:

- Users logs on to Windows/Domain. (Users provide credencials)

- Users calls an URL referred to a Web Template in BW 3.5. (User provide credencials)

There is a solution in which the user only provide credencials once? SSO since Windows log on.

The idea is when users logs on to Windows/Domain, users can see reports without provide credencials again. Active Directory and BW 3.5.

Thnks a lot!

Gerardo.

10 REPLIES 10

tim_alsop
Active Contributor

‎04-30-2008 10:48 PM

0 Kudos

Gerardo,

If I understand correctly then BW runs in ABAP stack, so the web template will be configured in ICF framework in NetWeaver ? is this correct ? If so, you need to configure the service in ICF using SICF transaction so that it redirects to the J2EE engine, and on J2EE engine you need to install a login module to authenticate the user using credentials already at workstation available to browser. This login module needs to support the browser negotiate protocol, which is often referred to as SPNEGO. You can either use the SPNEGO login module provided by SAP or use a login module included in a 3rd party product (often more secure and having extra features than the login module provided by SAP).

Thanks,

Tim

Former Member
In response to tim_alsop

‎05-01-2008 5:26 PM

0 Kudos

Tim,

Yes is correct, I need to configure the ICF framework in the transaction SICF.

Now I begin to read notes and says that the SPNego login module works with windows 2000 and higher.

http://help.sap.com/saphelp_nw04s/helpdata/en/43/49a2aefd975f89e10000000a1553f6/frameset.htm (In prerequisites)

And now my problem is that the server is working on a windows NT.

It is that right? or I'm wrong?

You know a solution similar SPNego for windows NT?

Thanks a lot Tim,

Gerardo.

tim_alsop
Active Contributor
In response to tim_alsop

‎05-01-2008 5:30 PM

0 Kudos

Can you confirm which server is Windows NT ? Are you referring to the server where your SAP NetWeaver is installed ? If so, as long as NetWeaver 2004 or 2004s (now called 7.0) is installed you can use the SPNEGO login module provided by SAP. The reference to Windwos 2000 you referred to is the server where Active Directory is running, e.g. your domain controller needs to be Windows 2000 or 2003. If you are running your domain controller on NT then you need to use NTLM and the SAP login module only supports Kerberos. If you need NTLM please contact me offline since my company has a login module which you might find useful.

Thanks,

Tim

Former Member
In response to tim_alsop

‎05-01-2008 5:49 PM

0 Kudos

Ok Tim,

The Domain Controller is a Windows 2003.

SAP BW 3.5 is installed on a Windows NT 5.0.

And thanks for the offering, I think that I will need it too because there is other requirement where the active directory is in a Windows NT so I will contact you soon.

tim_alsop
Active Contributor
In response to tim_alsop

‎05-01-2008 5:52 PM

0 Kudos

Actually Windows NT 5 is same as Windows 2000.

I look forward to hearing from you soon.

Good luck,

Tim

Former Member
In response to tim_alsop

‎05-01-2008 5:55 PM

0 Kudos

Excellent, thanks a lot!

I will proceed with SPNego login module and inform you later.

Gerardo.

Former Member
In response to tim_alsop

‎05-02-2008 5:45 AM

0 Kudos

Hi Tim,

I have done a list of processes to solve my problem:

- Install the SAP J2EE Engine.

      - Add a new user for J2EE service in the Active Directory.

- Install the SPNego Login Module.

- UME Configuration.

      - Change UME DataSource (config tool in SAP J2EE Engine).

- Run the SPNego Configuration Wizard.

- Configure ABAP and Java communication.

      - Define RFC destination to J2EE.

Questions:

- I'm missing something? or I'm wrong in any step?

- The step you mentioned (using SICF transaction so that it redirects to the J2EE engine), is that necessary? and what url I need enter? this http://<server>:<port>/spnego ? I can't see that step clearly, can you explain me please.

Thanks a lot!

Gerardo.

tim_alsop
Active Contributor
In response to tim_alsop

‎05-02-2008 8:07 AM

0 Kudos

Gerardo,

I am sorry, but I am unable to help you with these specific questions. The reason is that the company I work for has a product which uses the Negotiate protocol to do what you are asking, and so I am familiar with how our product is configured, but not familiar with how it can be done with the SAP supplied login module. So, I hope somebody else on SDN can help you with your specific questions.

Thanks,

Tim

Former Member

‎05-05-2008 8:55 AM

0 Kudos

Hello Gerado,

please be aware that there are many solutions to the scenario you describe at the beginning - some based on technology provided for free by SAP, some based on certified solution by 3rd-party vendors. For example, you can also use client certificates to address your requirements.

To make the right choice, you'd have to look at your entire set of requirements for such an SSO solution. Most importantly, you need to decide whether you look for a SSO solution for this specific scenario or for a SSO solution to your entire SAP landscape.

Peter

Former Member

‎05-27-2008 11:56 PM

0 Kudos

Done!

I installed a Java Add-In to my system, I got the SAP J2EE Engine and I configured it.

Chears!