Technology Blogs by SAP
Kaempfer
Matthias comment on 15.04.2013

SAP released (RTC) a new version of SAP NetWeaver Single Sign-On (version 2.0). The screenshots in this blog are from SAP NetWeaver Single Sign-On 1.0, so if you install the new version, some screens will look different, since SAP improved the UI.
There is a completely new option available for Kerberos (SPNego for ABAP):
http://scn.sap.com/docs/DOC-40178

Introduction

SAP NetWeaver Single Sign-On provides various options for configuring and implementing a single sign-on scenario. At the moment (more are coming), the following scenarios are available:

The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how-to guide describes only how to configure the solution for SAP GUI for Windows with Kerberos integration. If you are using both SAP GUI and web-based applications, you should look at the variant with certificates (out of the box, no external PKI required), especially for intranet use cases. Furthermore, SAML (the third option) provides web single sign-on without the need to deploy anything on the client side.

If you are interested in implementing the second option, please read this blog:

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sig...

Detailed workflow of the scenario

Prerequisites and information

You need to download the product SAP NetWeaver Single Sign-On from the SAP Marketplace (you need a valid license).

System name: TDI, installed on D:

Operating system: Windows (the solution of course also works if the system is running on Linux/Unix; see PAM)


Guide

1. Install the Secure Login Library (ON THE SERVER)

Create the folder D:\usr\sap\TDI\SLL

Change to folder D:\usr\sap\TDI\DVEBMGS00\exe\

sapcar -xvf SECURELOGINLIB.SAR -R D:\usr\sap\TDI\SLL

Change to the folder D:\usr\sap\TDI\SLL and verify the Secure Login Library status using the command snc.exe.
Verify that the PSE directory is set to D:\usr\sap\TDI\DVEBMGS00\sec (existing).

2. Check for the Microsoft Environment Variable SNC_LIB and for the Kerberos Entry in MS Active Directory

Check whether SNC_LIB is set to C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll.

If not, add the entry (for SAP GUI for Windows).

With the next steps we take a look at the Kerberos configuration in Microsoft Active Directory. Choose Start -> Run, enter adsiedit.msc to start the MS support tool for Active Directory, and press OK.

Open the tree Domain -> DC=fair .. (change to your environment) and OU=SCI266 (change to your environment). Right-click CN=Kerberos TDI (change to your environment) and select Properties.

The value of the attribute servicePrincipalName is set to SAP/KerberosTDI. Close the application without saving.


3. Create and Configure the Secure Store Environment (pse.zip) --> on the server

Make sure that you are in the folder D:\usr\sap\TDI\SLL.
Create the security store (pse.zip) with the following command:

snc crtpse -x 1234567890 (use a strong password here instead!)

Verify that the secure store is available using the command snc.exe. You will see that the PSE now exists [...pse.zip (existing)].

Make sure that you are in the folder D:\usr\sap\TDI\SLL. Create the Kerberos keytab with the following command:

snc crtkeytab -s SAP/KerberosTDI@fair.sap.corp -p abcd1234 (use the correct password for your environment).

Verify that Kerberos keytab entries are available using the command snc.exe. Everything is fine if 4 entries for the Kerberos keytab are listed.

4. Configure SNC for SAP ABAP Server

Start transaction RZ10. Import the profiles of the active servers by selecting Utilities -> Import profiles -> Of active servers.

Select the instance profile of the TDI system TDI_DVEBMGS00_MADR… and select Extended maintenance. Press the Change button.

Verify the listed SNC parameters against the table of SNC parameters below.

You need to change the following SNC parameters:

snc/enable          1
snc/gssapi_lib      D:\usr\sap\TDI\SLL\secgss.dll
snc/identity/as     p:CN=SAP/KerberosTDI@fair.sap.corp

(change these to your environment)

Information on related profile parameters:

Parameter | Description | Value
snc/enable | Set this parameter to activate SNC on the AS ABAP. | 1: SNC is activated
snc/gssapi_lib | Specify the path and file name of the GSS-API V2 shared library. | D:\usr\sap\TDI\SLL\secgss.dll
snc/identity/as | Specify the SNC name of the AS ABAP with this parameter. Format: <name type>:<external name> or <name type>/<product>:<external name> | p:CN=SAP/KerberosTDI@fair.sap.corp
snc/force_login_screen | Set this parameter to display the logon screen even if SNC is enabled. | 0: the logon screen is only displayed when necessary; 1: the logon screen is displayed for every logon
snc/permit_insecure_start | Set this parameter to permit the starting of programs without SNC-protected communication, even when SNC is enabled. | 1: start programs without SNC-protected communication
snc/accept_insecure_rfc | Set this parameter to accept unprotected incoming RFC connections on an SNC-enabled AS ABAP. | 1: accept all unprotected RFCs
snc/accept_insecure_gui | Set this parameter to accept SAP GUI connections that are not protected with SNC on an SNC-enabled AS ABAP. | 1: accept unprotected logons
snc/accept_insecure_cpic | Set this parameter to accept unprotected incoming CPIC connections on an SNC-enabled AS ABAP. | 1: accept unprotected connections
snc/r3int_rfc_qop | Use this parameter to set the quality of protection for internal RFCs that use SNC protection. | 8: use the value from snc/data_protection/use
snc/r3int_rfc_secure | Use this parameter to specify that SNC should be used for internal RFC communications initiated by the AS ABAP. | 0: internal RFCs are unprotected
snc/data_protection/use | Use this parameter to set the default level of data protection for connections initiated by the AS ABAP. This parameter applies to CPIC and RFC connections only. | 3: data privacy protection
snc/data_protection/min | Use this parameter to set the minimum data protection level required for SNC communications. | 2: data integrity protection
snc/data_protection/max | Use this parameter to set the maximum data protection level for connections initiated by the AS ABAP. | 3: data privacy protection

Now restart the application server in order to activate the new SNC parameters.
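As an added example (not part of the original blog), a small Python checker that parses the snc/* lines of an instance profile and validates them against the parameter table above: snc/enable, the gssapi_lib path, the p:CN=...@REALM form of the SNC name, the min/use/max ordering of the data protection levels, and the snc/accept_insecure_* flags, which at 1 keep accepting SAP GUI, RFC and CPIC connections without SNC (handy during rollout, worth setting to 0 once every client uses SNC). The sample profile is constructed from the values in this guide.

```python
import re
# Constructed snc/* section of an instance profile, modelled on the values this
# guide sets in RZ10 (sample data, not a real TDI profile).
SAMPLE_PROFILE = r"""
snc/enable = 1
snc/gssapi_lib = D:\usr\sap\TDI\SLL\secgss.dll
snc/identity/as = p:CN=SAP/KerberosTDI@fair.sap.corp
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/data_protection/max = 3
"""
# SNC name format used throughout the guide: p:CN=<principal>@<REALM>
SNC_NAME_RE = re.compile(r"^p:CN=[^@\s]+@[A-Za-z0-9.\-]+$")
INSECURE_ACCEPT = ("snc/accept_insecure_gui", "snc/accept_insecure_rfc", "snc/accept_insecure_cpic")
PROTECTION = ("snc/data_protection/min", "snc/data_protection/use", "snc/data_protection/max")

def parse_profile(text):
    """Parse 'key = value' profile lines; blank lines and # comments are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def check_snc_profile(params):
    """Return a list of findings; an empty list means the SNC setup is consistent."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is not activated")
    if not params.get("snc/gssapi_lib", "").lower().endswith("secgss.dll"):
        findings.append("snc/gssapi_lib: does not point to secgss.dll")
    if not SNC_NAME_RE.match(params.get("snc/identity/as", "")):
        findings.append("snc/identity/as: expected p:CN=<SPN>@<REALM>")
    for p in INSECURE_ACCEPT:  # 1 means connections without SNC are still accepted
        if params.get(p) == "1":
            findings.append(f"{p}=1: logons without SNC are still accepted")
    try:  # levels: 1 authentication only, 2 integrity, 3 privacy
        lo, use, hi = (int(params.get(p, "0")) for p in PROTECTION)
        if not 1 <= lo <= use <= hi <= 3:
            findings.append("snc/data_protection: min <= use <= max not satisfied")
    except ValueError:
        findings.append("snc/data_protection: non-numeric value")
    return findings
```

Run against the sample, the only findings are the three accept_insecure flags; the same checker also accepts the user SNC names from step 7 (p:CN=SCI264@FAIR.SAP.CORP) via SNC_NAME_RE.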

5. Install the Secure Login Client

Install the Secure Login Client on the PC/laptop where SAP GUI is installed. Use the wizard and choose the Complete option.

Start the Secure Login Client with the application icon in the taskbar.

The entry in the Secure Login Client should look like this:

6. Configure SNC for SAP GUI Application

Create your entry in SAP GUI to connect to the system.

Set the flag Activate Secure Network Communication and enter the SNC name p:CN=SAP/KerberosTDI@fair.sap.corp.

7. Configure SNC User Mapping in SAP User Management

Start transaction SU01 and enter SCI264 as the user (choose the end user on the Microsoft client who will access the system via SAP GUI).

Maintain the field SNC name: p:CN=SCI264@FAIR.SAP.CORP

Now you can test your scenario. You should be able to use SSO from SAP GUI for Windows to the SAP system.
