
SSO - Windows AD - CRM WebUI

former_member183829
Participant
0 Kudos

Hi,

My client wants to have SSO between Windows AD account (used for login in Desktop) and CRM WebUI.

Client uses SAP CRM 7.0 EHP3 and does not have any AS JAVA system in landscape.

I have read old wiki pages and blogs which mention achieving SSO to CRM WebUI via the SAP GUI for Windows SNC feature.

However, client does not login in SAPgui.

Client directly opens CRM_UI with link of format

http://hostname:port/sap/bc/bsp/sap/crm_ui_start/default.htm

As we are having latest CRM version, is there a better way to configure SSO between Windows AD (LDAP) and CRM WebUI?

Any pointer would be useful.

Thanks.

Accepted Solutions (1)

Former Member
0 Kudos

Hello! One way to do this would be to use SPNego for ABAP.

Read this SCN video and these notes!

We are trying to do this now. It works most of the time, but there seem to be a few bugs but they may be AD related and not necessarily SAP. I'm still figuring it out.

But that being said... SPNego would fit your requirement.

You would need to buy the NW SSO 2.0 license so that you could download the Secure Login Client (for each PC) and the Secure Login Library (at the OS level where your SAP instance lives).

Follow the video below for detailed setup steps.

Basically follow the demo here:

http://scn.sap.com/docs/DOC-40178

http://scn.sap.com/community/sso/blog/2015/05/06/sp5-for-sap-single-sign-on-20-now-available

NEW SP05 info

Important Notes:

1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

1819808 - SPNego ABAP: Collective Corrections

1798979 - SPNego ABAP: Downport

1732610 - SPNego ABAP: Troubleshooting Note

1912175 - SAP Single Sign-On 2.0: Central Note

--> central note for SSO 2.0

Hope that gets you started.

NICK

former_member183829
Participant
0 Kudos

Hi Nick,


Thanks a lot for detailed reply. It certainly provides valuable input to begin with.

Can you please comment on below couple of doubts?

1) I saw those videos but was not sure once I implement all steps, do I have to go via SAPGUI to make SSO work. (E.g Windows login --> Sapgui --> CRM_UI)

Or I can directly access CRM_UI via URL once login in Windows desktop

http://hostname:port/sap/bc/bsp/sap/crm_ui_start/default.htm


Can you let me know if this works in your landscape?

2) I was under impression that NW SSO 2.0 license are only required if you plan to implement "Secure Login Server".

Is license required for Secure login Client and Secure login Library as well?

Thanks again !!

Cheers.

Former Member
0 Kudos

1) if you look close at the videos, they show you that webgui/nwbc works from a browser.  The same can be said for ICWEB.  For a modern CRM system, the shortest URL for ICWEB...CRM UI...is http://hostname:port/sap/crm_logon

And yes, it is supposed to work!  We are testing it and it works "most" of the time.  So we're in the very early stages of testing this, and trying to figure it out.

So no, you don't have to go from SAPGUI to URL. You can go direct to the URL if it's all set up correctly.

2)  No, you have to buy it.  Yes, it comes with a lot of stuff that you might not need but you have to buy it.  In the case of SPnego for ABAP, you would never need the secure login server, just the secure login client and secure login libraries for the SAP OS level.

This solution is VERY dependent on MS AD.  So you need your AD folks to build IDs...and do some SETSPN correctly and associate those with the correct SAP hostname(s).

Like I said, we're still very early in testing, but that's all I know.  But you have to watch the videos very closely and you will see the "major" step.  And read the notes.

former_member183829
Participant
0 Kudos

Thanks Nick. I guess I am getting mixed up with other videos which I saw of using SNC for sapgui and then workaround to call CRM_UI.

I will have to see all the videos again and read between the frames 🙂

I understand now that after ABAP- SPNEGO config I do not have to login to SAPGUI for enabling SSO in CRM_UI.

Couple of more clarifications required:

1) This solution requires installation of Secure login client on top of SAP GUI. (In video 3)

Does this mean that I need to have SAPGUI and Secure login client installed on all User machines for SSO (CRM URL) to work ?

(Basically, some of users only use URL to crm ui and do not ever login to SAPGUI and hence I do not want to install SAPGUI on all PCs and also I do not have any JAVA stack in landscape)

2) Does this mean that even if I do not want to use SPNEGO and want just plain SNC-SSO between SAPGUI and Windows AD, I need to buy NW SSO license?

(As this also requires Secure login client to enable SNC and am not sure in past whether there were licenses required for this)

Thanks again !!

Former Member
0 Kudos

1) No, you don't need SAPGUI at all in regard to giving users access to the CRM UI (ICWEB).  You just need the secure login client, and all the steps in AD to build the service user (SETSPN), RZ10 params, OS level commands to generate the keytab....maybe apply some notes...

For sure, no SAPGUI is required.

2) YES, you have to buy the license for anything SSO in regard to SNC SSO to SAPGUI, SPNEGO SSO for WEBGUI/NWBC/ICWEB since that is about an ABAP based system.

AS JAVA based SSO via SPNEGO can be accomplished at no cost at all. But CRM and ECC systems are ABAP, so yes, for those you have to pay. So for a modern AS JAVA system like portal, etc., you don't need to pay anything. You can find the documentation for that, it isn't too hard to do.

Former Member
0 Kudos

Was that OK and do you have any more questions? 

former_member183829
Participant
0 Kudos

Hi Nick,

I guess you have clarified all doubts I had.

As you had mentioned that SAPGUI is not required but Secure login client is MUST on all Desktops. How did you get around this ? Usual push of software via  Windows update package ?

I am in process of arranging license and then will start implementation soon.

I will update you either way: in case of any queries, or if I am able to configure all successfully.

Did you get around intermittent issue you had in SSO authentication ?

Cheers !!

Former Member
0 Kudos

Right now, we're just doing a proof of concept.  So rolled it out manually to about 12 desktops.

But you can easily make it part of a "SMS" push as a typical remote install.

Also, it bundles well with an existing SAPGUI package.  But yes, a "usual push of software via windows update package" will work.

Crazy thing... it just started working... and hasn't broken in a few days. But that being said, I'm ready when it does break. You can enable tracing (level 2 and security box) in SM50 for all work processes. AND there is tracing capability in the SPNEGO tcode that is pretty good.

Our problem... was that it would actually work, in terms of getting you past the login screen for CRM UI, and let you reach the point where you could select your biz role (assuming you had more than one assigned), but once you pick your biz role, we would get a pop up to login... hit cancel a few times and you would get to the UI... but on other occasions, it would work perfect. And it's been working perfect for a few days now...

But when it did break, there was no pattern. Could be any user, on any PC, at any time of day.

I opened a message about it, but like I said, by the time SAP responded, it was working. They want an HTTPwatch trace, but again, it's working, I have nothing to show them.

If I were you, I would close this thread, and then, if you need help, open it in the SSO space:

http://scn.sap.com/community/sso

You'll get a whole lot of eyes on it that way.

Also, you can "friend" me on SCN and feel free to send direct message.  If I can respond I will!

NICK
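An HTTP trace of the kind mentioned above can show whether the browser sent a Kerberos ticket or an NTLM message in its `Authorization` header. The following is an added example, not code from this thread or from SAP; the trace entries are constructed, and the thread does not establish that NTLM fallback caused the prompts described.

```python
import base64
import binascii

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft variant)
)

def classify_authorization(value):
    """Return which mechanism an Authorization header value carries."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return "none"
    scheme, token = parts[0].lower(), parts[1]
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # A Negotiate header may carry raw or SPNEGO-wrapped NTLM instead of Kerberos.
    if NTLMSSP_SIG in raw:
        return "ntlm"
    # GSS-API initial tokens start with 0x60 and name the Kerberos mechanism OID.
    if raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"

def fallback_requests(trace):
    """List (path, mechanism) for requests that did not carry Kerberos."""
    results = [(path, classify_authorization(hdr)) for path, hdr in trace]
    return [(path, mech) for path, mech in results if mech != "kerberos"]

# Constructed, truncated tokens for illustration only (not real tickets).
_krb = (b"\x60\x82\x01\x00" + bytes.fromhex("06062b0601050502") + b"\xa0\x30"
        + KRB5_OIDS[1] + KRB5_OIDS[0] + b"\x00" * 8)
_ntlm = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 8
SAMPLE_TRACE = [
    ("/sap/crm_logon", "Negotiate " + base64.b64encode(_krb).decode()),
    ("/sap/bc/bsp/sap/crm_ui_start/default.htm",
     "Negotiate " + base64.b64encode(_ntlm).decode()),
    ("/sap/crm_logon", "NTLM " + base64.b64encode(_ntlm).decode()),
]

if __name__ == "__main__":
    for path, mech in fallback_requests(SAMPLE_TRACE):
        print(f"{path}: {mech} (not Kerberos)")
```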

Answers (1)

0 Kudos

Why would the UI logon service not be able to read the SNC data from the Windows PC like the GUI does? I remember that years ago there was an HTTP logon service for SNC and one without SNC, but that was for R/3 HTTP.

But the SNC technology has not changed, it's still free with Windows and the CRM UI logon service should be able to read it.