
SNC Without SSO - Multiple Domains

Former Member
0 Kudos

Hi Everyone,

We are trying to enable SNC without SSO and have some queries around this. I have gone through different posts discussing views and solutions in this area, and I noticed that they mostly address the context where SSO is involved.

With SAP GUI 7.2 SP 7 we have this feature in GUI where we can configure logon with user ID & Password without SSO.

In the below thread it is discussed that if we are passing the user id & password then there is no trust required between the domains though multiple domains are involved as the system recognizes the user with the user id and password supplied and authenticates.

http://scn.sap.com/thread/3305817;IDSactivation=I1B65C448A0A958040CFF12666DE075DF2I1788AD3215A01CC0E...

In our context there are multiple domains involved.

SAP System - Domain A

User Group 1 - Domain B (Scenario 1)

User Group 2 - Domain C (Scenario 2)

User Group 3 - Work from home through VPN. (Scenario 3)

Domain A is used for hosting SAP Systems and the User ID/SPN of SAP Service is to be defined in Domain B. Without trust between the domains and with no requirement for SSO, can you please provide inputs on whether SNC can work in the three scenarios described above?

Please let me know if you require any further details here.

Thanks & Regards

Jay

8 REPLIES 8

tim_alsop
Active Contributor
0 Kudos

Yes, you can use SNC with an SNC library and without domain trust.

Do you want the user to enter their SAP user and password or AD user and password when SSO is not used?

Former Member
0 Kudos

Hi Tim,

Thanks for the prompt response. It would be SAP user & password.

Every user may not have an AD Account in Domain where user ID/SPN of SAP Service is defined.

Regards

Jay

tim_alsop
Active Contributor
0 Kudos

Jay,

I thought you might want the user to enter their credentials for their AD user in their local domain (e.g. the domain they logged onto their workstation with). If you allow users to logon using an SAP password then they will have multiple passwords to remember, which increases password management and helpdesk costs.

Thanks

Tim

Former Member
0 Kudos

Hi Tim,

We can consider that approach of using the AD user to authenticate as well. For that we need to check whether all users have AD accounts in the home domain or not, and we need to pick up the additional task of mapping the user accounts to AD accounts in SU01. I think this mapping is not required if we use the SAP User ID & Password approach. Correct me if I am wrong.

It would be helpful if you could throw some light on whether we have any technical limitations, other than password management overhead, in enabling it through SAP User ID & Password.

Thanks

Jay

tim_alsop
Active Contributor
0 Kudos

Jay,

There are two types of SNC library available. Firstly, there are SNC libraries that include support for mutual user authentication, data integrity and encryption. These libraries are often used for SSO. These libraries are most often sold with a license (e.g. they are NOT free), and can be made available from SAP partners or from SAP (the SAP NetWeaver Single Sign-On product). Secondly, there is at least one SNC library that I am aware of which is free, but it only offers encryption, and no user authentication. This library is called SNC Client Encryption and is available from SAP.

The first type of SNC library would require mapping (e.g. in SNC tab in su01), but would reduce the number of passwords that a user needs to remember. Depending on which SNC library you use, the capabilities to allow SSO to be turned off and whether domain trust is required will differ. You would need to ask the SNC library vendor to get more details of this, and compare.

When the second type of SNC library is used (as described above), there is no user mapping required (e.g. in SNC tab in su01) since the library is not performing any user authentication. This kind of library would require you to use a SAP password during the logon. I am not sure if the SAP Client Encryption library allows the user to log on and get an encrypted session without having domain trust. Maybe somebody from SAP can confirm if the client encryption library supports this, or if domain trust is required for this client encryption library.

Thanks

Tim

Former Member
0 Kudos

Thanks Tim for providing the details to have a clear picture of the possible options we have here.

The current plan is to utilize the SAP Client Encryption library that is available from SAP and to enable encryption as a quick win for the communication between GUI and SAP Server. While trying this we are looking for inputs on any technical difficulties w.r.t. the different domains from where users access the SAP System.

Any inputs here are highly appreciated.

Thanks

Jay



Former Member
0 Kudos

In the below blog this topic is discussed and, as per that, domains other than the domain in which the SAP System service-specific User ID/SPN is defined should trust this domain for this to work.

In the context explained above:

All other domains from where users log in should trust Domain B. I am about to test this and will post my findings back.

If anyone has already implemented this approach, please share your inputs.

regards

Jay

tim_alsop
Active Contributor
0 Kudos

Based on my detailed understanding of how the Client Encryption library has been coded, and how it uses the Kerberos protocol, I think you will find that the SAP Client Encryption library won't allow you to configure encryption without any domain trust. However, you are welcome to try... I think you will have to go with a licensed SNC library that supports the functionality you require. You can then benefit from users having fewer passwords as well as having an encrypted DIAG protocol.