SAP released (RTC) the a new version of SAP NetWeaver Single Sign-On (version: 2.0). The screenshots in this blog are from version SAP NetWeaver Single Sign-On 1.0. So if you install the new version, some screens will be look different, since SAP improved the UI.
There is a complete new option available for Kerberos (SPNego for ABAP): http://scn.sap.com/docs/DOC-40178
Introduction
SAP NetWeaver Single Sign-On provides various possibilities to configure/implement a single sign-on scenario. At the moment (there are coming more), there are the following scenarios available
The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how to guide describes only how to configure the solution for SAP GUI for Windows with a Kerberos integration. If you are using SAP GUI and Web based applications, you should check the version with the certificates (out-of-the-box -> no external PKI required) especially for intranet use cases. Furthermore SAML (third option) provides Web single sign-On capabilities without the need to deploy anything on the client side.
If you are interested to implement the second option - please read this blog:
Detailed worklflow of the scenario
Prerequisites and information
You need to download the product SAP NetWeaver Single Sign-On from SAP marketplace (-> you need a valid license)
System name: TDI install an 😧
Operation system: Windows (but the solution works of course also if the system is running on Linux/Unix -> see PAM)
Guide
1. Install the Secure Login Library (ON THE SERVER)
Create the folder D:\usr\sap\TDI\SLL
Change to folder D:\usr\sap\TDI\DVEBMGS00\exe\
sapcar –xvf SECURELOGINLIB.SAR –R D:\usr\sap\TDI\SLL
Change to the folder D:\usr\sap\TDI\SLL and verify the Secure Login Library status using the command snc.exe.
Verify if the PSE directory is defined to D:\usr\sap\TDI\DVEBMGS00\sec(existing)
5.
2. 2. Check for Microsoft Environment Variable SNC_LIB and for the Kerberos Entry in MS Active Directory
5.
Check if SNC_LIB is set to C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll
If not, please add the entry (FOR SAP GUI for Windows)
With the next steps we take a look at the Kerberos Configuration in Microsoft Active Directory. Call Start -> Run. Enter adsiedit.msc to call the MS Support-Tool for Active Directory. Press the OK button.
Open the tree Domain -> DC=fair .. (change to your enviroment) and OU=SCI266 (change to your enviroment). Click on CN=Kerberos TDI (change to your enviroment) with the right mouse button and select Properties .
The value of the attribute servicePrincipalName is set to SAP/KerberosTDI. Close the application without any savings.
rte
3. Ceate and Configure the Secure Store Environment (pse.zip) --> on the server
Make sure that you are in the folder D:\usr\sap\TDI\SLL.
Create the security store (pse.zip) with the following command:
snc crtpse –x 1234567890 (use here a secure password instead!!!)
Verify if the secure security store is available using the command snc.exe. You will see that PSE does now exist […pse.zip (existing)]
Make sure that you are in the folder D:\usr\sap\TDI\SLL.Create Kerberos KeyTab with the following command:
snc crtkeytab –s SAP/KerberosTDI@fair.sap.corp -p abcd1234 (-> use the correct password in your enviroment).
Verify if Kerberos KeyTab entries are available using the command snc.exe. Everything is fine if 4 entries for Kerberos KeyTab are listed.
4. Configure SNC for SAP ABAP Server
Start transaction RZ10. Import the profiles of the active servers by selecting Utilities ->Import profiles -> Of active servers.
Select the Instance profile of the TDI system TDI_DVEBMGS00_MADR… and select Extended maintenance. Press the Change button.
Verify the listed snc parameters with the table of snc parameters on the next page.
You need to change the following snc parameters:
snc/enable 1
snc/gssapi_lib D:\usr\sap\TDI\SLL\secgss.dll
snc/identity/as p:CN=SAP/KerberosTDI@fair.sap.corp
(change this to your enviroment)
Information on related profile parameters:
Parameter | Description |
snc/enable | Set this parameter to activate SNC on the AS ABAP. 1: SNC is activated |
snc/gssapi_lib | Specify the path and file name of the GSS-API V2 shared library. D:\usr\sap\TDI\SLL\secgss.dll |
snc/identity/as | Specify the SNC name of the AS ABAP with this parameter. Format: <name type>:<external name> or <name type>/<product>:<external name> p:CN=SAP/KerberosTDI@fair.sap.corp |
snc/force_login_screen | Set this parameter to display the logon screen even if SNC is enabled. 0: the logon screen is only displayed when necessary 1: the logon screen is displayed for every logon |
snc/permit_insecure_start | Set this parameter to permit the starting of programs without using SNC-protected communications, even when SNC is enabled... 1: start program without SNC protected communication |
snc/accept_insecure_rfc | Set this parameter to accept unprotected incoming RFC-connections on an SNC-enabled AS ABAP. 1:accept all unprotected RFCs |
snc/accept_insecure_gui | Set this parameter to accept SAP GUI connections that are not protected with SNC on an SNC-enabled AS ABAP. 1: Except unprotected logons |
snc/accept_insecure_cpic | Set this parameter that unprotected incoming CPIC connections on an SNC-enabled AS ABAP are be accepted. 1: Accept unprotected connections |
snc/r3int_rfc_qop | Use this parameter to set the quality of protection for internal RFCs that use SNC protection. 8: Use the value from snc/data_protection/use |
snc/r3int_rfc_secure | Use this parameter to specify that SNC should be used for internal RFC communications initiated by the AS ABAP. 0: Internal RFCs are unprotected |
snc/data_protection/use | Use this parameter to set the default level of data protection for connections initiated by the AS ABAP. This parameter applies to CPIC and RFC connections only. 3: Data privacy protection |
snc/data_protection/min | Use this parameter to set the minimum data protection level required for SNC communications. 2: Data integrity protection |
snc/data_protection/max | Use this parameter to set the maximum data protection level for connections initiated by the AS ABAP. 3: Data privacy protection |
Now you restart the application server in order to activate the new SNC parameters.
5. Install the Secure Login Client
Please install the secure login client on the PC/laptop where the SAP GUI is available. Please use the wizard an choose the complete option.
Start the Secure Login Client with the application icon in the taskbar.
The entry in the Secure Login Client should look like this:
6.
6. Configure SNC for SAP GUI Application
Please create you entry in SAP GUI to connect to the system.
Set the flag for Activate Secure Network Communication. Enter the SNC Name to p:CN=SAP/KerberosTDI@fair.sap.corp.
7. Configure SNC User Mapping in SAP User Management
Start transaction SU01 and enter SCI264 (choose your user who will access the system via SAP GUI (end user on the microsoft client)) for the User.
Maintain the field SNC name. SNC name: p:CN=SCI264@FAIR.SAP.CORP
Now you can test your scenario. You should be able to use SSO from the SAP GUI for Windows to a SAP system.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
21 | |
16 | |
13 | |
12 | |
11 | |
10 | |
9 | |
9 | |
8 | |
7 |