on 07-12-2012 9:17 PM
Hi all,
I'm trying to implement SSO between SAP GUI and an ABAP system. Eventually, the SSO will include AS Java and ABAP WebGUI as well.
So far I have deployed the SSO Server on an AS Java 7.3 system. The SSO Server has the root certificate and the user CA certificate configured. The Login Module is SecureLoginModuleLDAP. The Login Module in the NetWeaver Administrator is configured for my MS AD.
On the ABAP system, I have configured the ABAP instance profile as described in http://scn.sap.com/docs/DOC-29687. I have created the PSE for SNC manually and modified the SNC name for my test user in SU01.
On the client side, I have the SSO Client and SAP GUI installed. When I login with my MS AD user, I can see the Kerberos Token activated. I can also authenticate myself on the MS AD using the SSO Client and obtain a certificate. SNC_LIB points to <Library path>\secgss.dll. SSF_LIBRARY_PATH points to <Library path>\secssf.dll.
The problem is that when I try to log on to the ABAP system using SNC with the SAP GUI, I get an error message saying "SAP System Message: S". There are also a few entries in SM21: "Delete session 001 after error 044".
This does not seem like a popular error on SCN as I did not find much past cases.
Any help will be much appreciated.
Cheers
I suggest you check in the work process log (e.g. dev_w0) for the error reason. Look for the error message at the time of the attempted logon.
Thanks,
Tim
Hi Tim,
I went through the trace in the dev_w* log. SNC was initialized successfully.
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
G GetWritePermissionForShm( pLocation = 281, pEnforce = 0 )
G RelWritePermissionForShm( pLocation = 277, pEnforce = 0 )
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=E:\usr\sap\EBG\DVEBMGS00\SLL\secgss.dll
N
N Fri Jul 20 11:27:39 2012
N File "E:\usr\sap\EBG\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-AP
N
N Fri Jul 20 11:27:40 2012
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N SncInit(): found snc/identity/as=p:CN=EBG, OU=LAB, O=CLOCKWORK, C=CA
N
N Fri Jul 20 11:27:41 2012
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> p:CN=EBG, OU=LAB, O=CLOCKWORK, C=CA [thxxsnc.c 266]
M SNC (Secure Network Communication) enabled
Anyway, I think I have resolved the "SAP System Message: S" issue.
When I installed the SSO Client on my computer, it created the system variable SNC_LIB automatically and pointed it to "C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll".
When I went through the documentation in http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b4/a040e5f0fe4ceeb7a4d6144f4d0f28/content.htm, it suggests another secgss.dll in a different location.
I compared the version of these two *.dll files and their versions are different. The one that comes with the SSO Client is a newer release.
After I have changed the path for the SNC_LIB, the "SAP System Message: S" error disappears. Now I get a different error but that's a different issue.
Cheers
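As an added illustration (not code from this thread or from SAP), a small Python checker that parses the SncInit() lines of a dev_w* trace like the one quoted above and flags the kinds of problems discussed in this thread: a missing "SNC enabled" line, an unexpected snc/identity/as, inconsistent data-protection levels, a GSS-API library that is not secgss.dll, and any GSS-API error lines. The sample trace is constructed from the lines quoted here plus the GSS-API error reported in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: SncInit() lines quoted in the thread plus one
# GSS-API error line of the kind reported later in the same thread.
SAMPLE_TRACE = r"""
N SncInit(): Initializing Secure Network Communication (SNC)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=E:\usr\sap\EBG\DVEBMGS00\SLL\secgss.dll
N SncInit(): found snc/identity/as=p:CN=EBG, OU=LAB, O=CLOCKWORK, C=CA
N SncInit(): Accepting Credentials available, lifetime=Indefinite
M SNC (Secure Network Communication) enabled
N GSS-API(min): A2210223:Server does not trust my certificate path target
"""

# "found <param>=<value>" with an optional ", using ..." tail
FOUND_RE = re.compile(r"SncInit\(\): found (snc/[\w/]+)=(.*?)(?:, using|$)")
ERR_RE = re.compile(r"GSS-API\((?:maj|min)\):")


def parse_snc_trace(text: str) -> Dict[str, object]:
    """Collect snc/* parameters, GSS-API errors and the 'enabled' marker."""
    params: Dict[str, str] = {}
    errors: List[str] = []
    enabled = False
    for line in text.splitlines():
        # strip the one-letter component prefix ("N ", "M ", "G ")
        body = line[2:] if len(line) > 2 and line[1] == " " else line
        m = FOUND_RE.search(body)
        if m:
            params[m.group(1)] = m.group(2).strip()
        elif ERR_RE.search(body):
            errors.append(body.strip())
        elif "SNC (Secure Network Communication) enabled" in body:
            enabled = True
    return {"params": params, "errors": errors, "enabled": enabled}


def check_snc(report: Dict[str, object], expected_identity: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    p: Dict[str, str] = report["params"]  # type: ignore[assignment]
    if not report["enabled"]:
        findings.append("SNC not reported as enabled")
    if p.get("snc/identity/as") != expected_identity:
        findings.append(f"snc/identity/as is {p.get('snc/identity/as')!r}")
    try:
        lo, use, hi = (int(p[f"snc/data_protection/{k}"]) for k in ("min", "use", "max"))
        if not lo <= use <= hi:
            findings.append(f"data protection use={use} outside min={lo}..max={hi}")
    except (KeyError, ValueError):
        findings.append("snc/data_protection/* levels missing or non-numeric")
    if not p.get("snc/gssapi_lib", "").lower().endswith("secgss.dll"):
        findings.append(f"unexpected snc/gssapi_lib: {p.get('snc/gssapi_lib')!r}")
    findings.extend(report["errors"])  # type: ignore[arg-type]
    return findings
```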
Hi Verono,
Please send me a screenshot of the Secure Login Client UI (like the screenshot from Matthias).
--> I want to see the entries available.
What exactly is the use case you want to achieve?
If you have configured Secure Login Server to provide X.509 user certificates, are you able to get a certificate on the client side (Secure Login Client)?
Thanx,
Frane
Hi Frane,
Please refer to the screenshots below.
The use case that I want to achieve is to use a Microsoft Active Directory for authentication. After users are authenticated, they can single sign on to the AS ABAP system and AS Java.
I think the certificate that I see in the SSO Client is obtained from the SSO Server, so I believe the SSO Server was configured properly to provide X.509 user certificate to the SSO Client.
Thanks,
Verono
Hi all,
I have resolved my problem.
First of all, when the SSO Client was installed, the Kerberos option was chosen by default. I noticed that in the example provided by Matthias in http://scn.sap.com/docs/DOC-29687, there was only an X.509 certificate present in the SSO Client, whereas in my screenshots above there were both the Kerberos and the X.509 certificate. I uninstalled the SSO Client and re-installed it using the custom install option and unchecked the Kerberos option.
Now, when I log in using the SSO Client I can only see my X.509 certificate verified against my Microsoft Active Directory. When I log on to my ABAP system with SNC enabled, I encountered another error: "GSS-API(min): A2210223:Server does not trust my certificate path target".
I had misunderstood the PKI requirement of this exercise. I generated the SNC PSE using the ABAP system instead of using the SSO Server. I then generated an SAP server certificate in the SSO Server under Server Configuration > Certificate Management with my SNC name defined in the profile parameter snc/identity/as. This certificate was then imported to my ABAP system using STRUST.
After the system was restarted, I was able to single sign-on to the ABAP system using SNC.
Cheers
Hi Manna,
Have you reviewed the dev_w0 as suggested by Tim above?
What I had done was change the path of SNC_LIB in the system variable to point to the correct version of secgss.dll. This was the root cause of my issue, but you should probably review the dev_w* trace to see exactly what is causing the error.