
SSO Issue between R/3 & Portal

lokesh_kamana
Active Contributor
0 Kudos

Hi All,

I am trying to configure SSO between R/3 & Portal server. Portal server is the issuing system & R/3 server is the accepting system.

J2E is the SID of my portal server.

and the client is 000 which is even there in config tool.

When I turn on the trace in SM50, I am getting the following error.

N RSEC: The entry with identifier /RFC/KW_SERVER

N was encrypted by a system

N with different SID and cannot be decrypted here.

M *** ERROR => LgIGroupX: NiServToNo(sapmsAIO) failed, (rc=NIESERV_UNKNOWN) [lgxx.c 4157]

N *** ERROR => HMskiCheckValidity failed. [ssoxxkrn.c 856]

I am not able to understand the trace. Please let me know how to resolve the issue. But I am not able to understand why it is showing the SID wrong in the logon ticket.

Is there any way to find the SID in the encrypted logon ticket?

Thanks & Regards,

Lokesh Kamana

Accepted Solutions (0)

Answers (3)


lokesh_kamana
Active Contributor
0 Kudos

Hi all,

I have restarted the R/3 & portal server and am still facing the issue.

I am attaching the trace in SM50 after the restart.

trc file: "dev_w0", trc level: 1, release: "700"

* ACTIVE TRACE LEVEL 1

* ACTIVE TRACE COMPONENTS all, MJ

N SsfSapSecin: putenv(SECUDIR=D:\usr\sap\ECC\DVEBMGS04\sec): ok

N

N =================================================

N === SSF INITIALIZATION:

N ===...SSF Security Toolkit name SAPSECULIB .

N ===...SSF trace level is 0 .

N ===...SSF library is D:\usr\sap\ECC\DVEBMGS04\exe\sapsecu.dll .

N ===...SSF hash algorithm is SHA1 .

N ===...SSF symmetric encryption algorithm is DES-CBC .

N

N Thu Jan 21 14:02:21 2010

N ===...sucessfully completed.

N =================================================

N

N Thu Jan 21 14:02:22 2010

N MskiInitLogonTicketCacheHandle: Logon Ticket cache pointer retrieved from shared memory.

N MskiInitLogonTicketCacheHandle: Workprocess runs with Logon Ticket cache.

N

N Thu Jan 21 14:04:21 2010

N RSEC: The entry with identifier /RFC/DTZ_800

N was encrypted by a system

N with different SID and cannot be decrypted here.

M * ERROR partner 'wc40-alt.medialogik.com:sapgw04' not reached

M * ERROR timeout during allocate

M * ERROR timeout during allocate

N

N Thu Jan 21 14:15:50 2010

N *** ERROR => HMskiCheckValidity failed. [ssoxxkrn.c 856]

Thanks & Regards,

Lokesh Kamana
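The trace posted above interleaves messages from different components, so it helps to group the lines by timestamp and pull out each error with its source location. The parser below is an added example, not part of the original post or of any SAP tool; `parse_trace` is a hypothetical helper, the sample is an excerpt of the posted trace, and treating a line that starts in lowercase as a continuation of the previous message is an assumption.

```python
import re
from datetime import datetime

STAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}")
ERROR = re.compile(r"\*+ ERROR(?: =>)? (.*?)(?: \[(\S+) (\d+)\])?$")

def parse_trace(text):
    """Return one dict per message: time, component letter, text, error flag, source."""
    events, stamp = [], None
    for raw in text.splitlines():
        comp, _, body = raw.strip().partition(" ")
        body = body.strip()
        if len(comp) != 1 or not comp.isupper() or not body or set(body) <= {"="}:
            continue                      # blank, ruler or non-trace line
        if STAMP.fullmatch(body):         # a timestamp applies to the lines after it
            stamp = datetime.strptime(body, "%a %b %d %H:%M:%S %Y")
            continue
        err = ERROR.match(body)
        prev = events[-1] if events else None
        if (not err and body[0].islower() and prev and not prev["error"]
                and prev["comp"] == comp and prev["time"] == stamp):
            prev["text"] += " " + body    # assumed continuation of a wrapped message
            continue
        events.append({
            "time": stamp, "comp": comp, "error": bool(err),
            "text": err.group(1) if err else body,
            "source": (err.group(2), int(err.group(3))) if err and err.group(2) else None,
        })
    return events

# Excerpt of the dev_w0 trace from the post above.
SAMPLE = """\
N Thu Jan 21 14:04:21 2010
N RSEC: The entry with identifier /RFC/DTZ_800
N was encrypted by a system
N with different SID and cannot be decrypted here.
M * ERROR timeout during allocate
N
N Thu Jan 21 14:15:50 2010
N *** ERROR => HMskiCheckValidity failed. [ssoxxkrn.c 856]
"""

if __name__ == "__main__":
    for e in parse_trace(SAMPLE):
        print(e["time"], e["comp"], "ERROR" if e["error"] else "info ", e["text"], e["source"] or "")
```

On the excerpt, the RSEC message (identifier /RFC/DTZ_800, 14:04:21) and the HMskiCheckValidity error (ssoxxkrn.c 856, 14:15:50) come out as separate events 689 seconds apart.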

Former Member
0 Kudos

For SSO configuration from portal to R/3, these are the following steps.

Go to portal System Admin -> System Config -> Keystore Admin and press the button "Download verify .der file".

Now go to Tcode: STRUSTSSO2 again

Import Certificate (downloaded from portal)

Add to certificate list

Add to ACL

Check Tcode : RZ10

Select Profile: Instance Profile and radio box: Extended Maintenance

Check whether these 3 parameters exist with the proper value; if not, then you need to create them with the corresponding value.

a) login/accept_sso2_ticket = 1

b) login/create_sso2_ticket = 2

c) icm/host_name_full = <Backend_Host>.<domain>

Hi, please follow these steps. If you follow them you can configure SSO correctly.

If you are changing an RZ10 parameter entry, then you need to restart the R/3 server for the change to take effect.

And in the Portal, if you want to create the backend system:

Go to System Admin --> System Configuration --> in System Landscape --> in portal Content create folder (system name) --> right click on folder and create system from Template --> select SAP system with load balancing --> system name and system id enter the details.

Now your System is created.

Now open the System object --> in display --> select System Aliases. The naming convention for aliases is like SIDCLNT100 (EC6CLNT100; 100 is my client). Save it.

Now Select again Object in Display.

Now in Property Category ---> select Connector -->

Give the following details

Application Host = Hostname of r/3

Logical System Name = System Aliases Created in System Aliases

Remote Host Type = 3

SAP Client = 100 or 800, the client in which you log in to R/3

System ID = SID of R/3 (Ex: EC6)

System Number = System Number of R/3 (ex : 00)

Server Port = Port Number of Message server of R/3 (ex : 3200)

System Type = R/3

Now Save the Changes.

Again in Property Category --> select Internet Transaction Server (ITS)

ITS Host Name = <Hostname>.<Domain.ext>:<Port> (Ex : hostname.domain.com:8000)

ITS Path = /sap/bc/gui/sap/its/webgui/!

ITS Protocol = HTTP or HTTPS

Now save the Changes.

Now in Property Category --> select User Management

Authenticated Ticket Type = Sap Logon ticket

Logon Method = SAPLOGONTICKET

User Mapping Type = admin,user

Save the Changes.

Now in Property Category --> select Web Application Server (Web AS)

WebAS Host Name = <Hostname>.<Domain.ext>:<Port> (Ex : hostname.domain.com:8000)

Web AS Path = /sap/bc/bsp/sap

Web AS Protocol = HTTP or HTTPS

now save the Changes.

Once the R/3 configurations are done and the R/3 server is restarted, in display go to Connection Tests,

select the three check boxes and select Test.

If the connections are configured then the tests will be successful.

thanks
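The three RZ10 parameters listed in this answer can be checked against a profile file's text before the restart. This is an added example, not code from the answer or from SAP; `check_sso_profile` and the sample profile are constructed, and it assumes the usual `name = value` profile layout with `#` comments and inspects only the text it is given.

```python
import re

# Expected values are the ones given in the answer above; icm/host_name_full
# only has to be a fully qualified host name, so it is checked by shape.
REQUIRED = {
    "login/accept_sso2_ticket": lambda v: v == "1",
    "login/create_sso2_ticket": lambda v: v == "2",
    "icm/host_name_full": lambda v: re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", v) is not None,
}

def parse_profile(text):
    """Return {parameter: [values in file order]} for 'name = value' lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params.setdefault(name.strip(), []).append(value.strip())
    return params

def check_sso_profile(text):
    """Return (parameter, status, detail) for each parameter the answer lists."""
    params = parse_profile(text)
    findings = []
    for name, is_ok in REQUIRED.items():
        values = params.get(name, [])
        if not values:
            findings.append((name, "MISSING", ""))
        elif len(set(values)) > 1:        # same parameter set twice, differently
            findings.append((name, "CONFLICT", ", ".join(values)))
        else:
            findings.append((name, "OK" if is_ok(values[0]) else "WRONG", values[0]))
    return findings

# Constructed sample profile; the host name is a placeholder.
SAMPLE = """\
# instance profile excerpt (constructed)
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
icm/host_name_full = backend
"""

if __name__ == "__main__":
    for finding in check_sso_profile(SAMPLE):
        print(*finding)
```

A `MISSING` result means only that the parameter is not set in this text; it may still be set in another profile.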

Former Member
0 Kudos

Hi Lokesh,

To trace the contents of the SAP Logon ticket, deploy the SSOSupport par file attached to SAP Note 701205 on the portal.

The note describes how to use this component. This gives you all the details about what is sent in the Logon Ticket.

As such, if you intend to troubleshoot, raise the log level of SM50 for security components to 2 and reproduce the issue. The trace should tell you what is happening with the ticket.

Cheers!!

Former Member
0 Kudos

Hi,

Just check transaction strustsso2 in your ABAP system and make sure that the portal certificate file is imported correctly to both the certificate list (top) and ACL (bottom). You should also be able to see the client and SID when you do that.

Hope this helps,

Simon