on 03-22-2010 1:22 PM
Hello
We have configured the SAP BW server with the sapcrypto library, and configured as suggested in the installation manual.
But following this we are not able to use SNC logon from the SAP GUI.
Any suggestions for troubleshooting next step?
Best regards
Thomas
Hi,
Solution is to install kerberos libraries all over.
This means changing NTLM to kerberos on SAP GUI clients.
/Thomas
Hi Ingo
- Which libraries are configured on the SAP Server backend?
Can't quite remember (will check), but it is for sure a 64 bit library.
- what are the workflow scenarios that you are looking for ?
The user shall logon to his laptop using his AD credentials. SSO shall be setup for BOE so that no further logon is required (done). It shall be possible to create and refresh reports using universes connecting to BW. The AD credentials shall be mapped to SAP BW users, so that the BW user credentials are passed to BW when executing the reports, thus ensuring proper row level security.
- are you trying to get a server side trust going ?
If this is required to do above, then yes.
- are you trying to combine windows AD with SAP authentication for InfoView ?
Yes
- are you trying to combine windows AD with SAP authentication for Universe Designer ?
No
/Thomas
Hello Ingo
I guess we're then back where we started.
In the manual the suggestion is to install the sapcrypto library.
But when this is done on the SAP instance, then SAP GUI SSO no longer works (this has been in place at the customer site for a long time).
So the question is: Can I (and how) combine server side trust with classical SAP GUI sso?
/Thomas
Hi Thomas,
we are going back and forth on the same topic.
SAP Crypto is clearly mentioned in the installation guide for Server Side trust and not for the SAP GUI. I asked previously in this thread what the goal is and it was about InfoView and not about SAP GUI.
so let me ask this question again - what is the goal here ?
(1) SSO with Windows AD and SAP authentication in InfoView ?
or
(2) SSO via SAP Logon / SAP GUI
(1) is a web based authentication
(2) is a thick / rich client authentication
ingo
Hello Ingo
Sorry for the confusion.
Please observe that the customer wishes to be able to use infoview (with AD SSO and SAP user mapping) along side use of SAP GUI (for other tasks such as BW administration, HR and what have you).
And this SAP GUI still needs to run with SSO the same way as always.
But when I follow the instructions of the installation guide and install sapcrypto, the client side GUI SSO stops working. This was the original reason for the thread and this was reported in the first post.
So how do I implement server side trust while retaining the original SAP GUI sso installation.
/Thomas
Hi,
Please observe that the customer wishes to be able to use infoview (with AD SSO and SAP user mapping) along side use of SAP GUI (for other tasks such as BW administration, HR and what have you).
>>> that requires two different SNC libraries as SAP Cryptographic can not be used for SAP GUI logon.
You need to configure 2 different SNC Libs on the backend.
ingo
Hello Ingo
We are trying to implement what you have described in the blog.
We are using gsskrb5.dll (32 bit version) which we found in note 352295. This was the only library that we could load without getting a load library error.
But looking into the documentation I am wondering whether the library is really useful.
The sapcrypto.dll library we can not load.
/Thomas
Hi Thomas,
looks like we are going back and forth a little bit.
The library is 32bit - which most likely wouldn't work with the 64bit SAP Backend.
- Which libraries are configured on the SAP Server backend?
- what are the workflow scenarios that you are looking for ?
- are you trying to get a server side trust going ?
- are you trying to combine windows AD with SAP authentication for InfoView ?
- are you trying to combine windows AD with SAP authentication for Universe Designer ?
Server Side Trust means SAP Cryptographic Library on the server side.
Windows AD / SAP User with InfoView means SAP Cryptographic Library on the server side.
Windows AD / SAP User with Universe Designer >> not supported.
ingo
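The 32-bit versus 64-bit question raised in the reply above can be settled by reading the library's PE header before configuring it. This is an added example, not code from the thread or from SAP; the function names and the constructed header are assumptions made for illustration.

```python
import struct

# COFF "Machine" values for the two architectures discussed in the thread.
MACHINES = {0x014C: 32, 0x8664: 64}


def pe_bits(data):
    """Return 32 or 64 for a PE image (DLL/EXE), read from its COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if len(data) < pe_off + 6 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    if machine not in MACHINES:
        raise ValueError(f"unsupported machine type 0x{machine:04x}")
    return MACHINES[machine]


def check_snc_lib(data, process_bits):
    """Explain whether a process of the given bitness can load this library."""
    bits = pe_bits(data)
    if bits == process_bits:
        return f"ok: {bits}-bit library for {process_bits}-bit process"
    return f"mismatch: {bits}-bit library cannot load into {process_bits}-bit process"


def constructed_pe(machine):
    """Constructed sample: the smallest header pe_bits() needs, not a real DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # usage: script.py <dll> <32|64>
        with open(sys.argv[1], "rb") as fh:
            print(check_snc_lib(fh.read(4096), int(sys.argv[2])))
    else:
        print(check_snc_lib(constructed_pe(0x014C), 64))
```

A mismatch reported here is one possible cause of a load library error; the check says nothing about whether the SNC names are configured correctly.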
Hi,
The screenshot on page 8 says p:tomsgroupsso-botest. (Our first try was without p:)
This is what provides the error.
Anyway, what we want to do is exactly what you describe in:
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
Namely: "Most customers use SNC to combine the user authentication of for example Windows AD with the SAP credentials"
You write the following:
"
To configure BusinessObjects Enterprise to use SNC the following tasks are needed:
- Configuring BusinessObjects Enterprise servers to start and run under an appropriate user account
- Configure the SAP system to trust your BusinessObjects Enterprise system
- Configure the SNC settings in the Central Management Console of BusinessObjects Enterprise
- Map SAP users as aliases to Windows AD users.
"
So we are trying our best to do as described, but after having enabled SNC as described in the blog we are no longer able to import roles and therefore we can't complete the last point on above list.
/Thomas
Hello Ingo
We do logon to universe designer using SAP credentials (When I say sso I simply mean that we select the sso option when defining the connection to a BW query). This works fine as long as we don't enable SNC.
But when we enable SNC as per your description, the CMC is no longer able to connect to the BW system to import roles.
This is what is illustrated in the screenshots in the document.
So yes, we are attempting server side trust.
And we are trying to follow your blog instructions.
/Thomas
Hi,
configuring the CMC to do SNC in the entitlement screen is not Server Side Trust. Server Side Trust does actually not include configuring the CMC on the entitlement system tab with SNC. If that's what you are looking for, that is client side SNC.
In addition, look at the previous comments where several screenshots were missing the "p:" in the configuration.
Ingo
Hello Ingo
Essentially we want to enable AD authentication and sso so that infoview logon is authenticated using AD and sso. Then we wish to create universes with sso to BW so that BW authorization is leveraged for row level security. For this to happen I believe we need to map the AD user credential to SAP credentials within CMC.
May be we got it all wrong here, but we have tried to apply the instructions from the 2 links you provided earlier in this thread, but are stuck with SNC names.
/Thomas
Hi,
Essentially we want to enable AD authentication and sso so that infoview logon is authenticated using AD and sso.
>>> That is called "Server Side Trust" and is in the documentation.
Then we wish to create universes with sso to BW so that BW authorization is leveraged for row level security. For this to happen I believe we need to map the AD user credential to SAP credentials within CMC.
>> The Universe Designer does not support client side SNC - I think we talked about that already. For the Universe Designer you will always have to logon with the SAP credentials.
Ingo
Hello Ingo
This was the first we tried (ie. p:tomsgroup\sso-botest), but then we got the error message that can be seen in the screenshot of page 8.
Seems as if p:tomsgroup\sso-botest is translated into "tomsgroupsso-botest "add" TOMSGROUP.DOM"
Best regards
Thomas
Hi,
first of all the account has to be the same in all the configurations and it needs to be entered with a "p:" in front of it - see also Page 6.
Page 7 and 8 are showing that you are trying to configure the CMC with SNC.
So let's first of all clarify what you are actually trying to establish here. Are we talking about SERVER SIDE TRUST or CLIENT SIDE AUTHENTICATION WITH SNC?
Ingo
Hi Ingo
Tried with trace and got some log files.
/Thomas
hi,
see here:
[Wed Jun 09 14:59:02 2010] 912 3144 secSAPR3: The following credentials are not valid and the system is therefore disabled: CLIENT=100 LANG=da ASHOST=bwtest SYSNR=00 SNC_MODE=1 SNC_QOP=1 SNC_LIB="E:\usr\NTAMD64\gsskrb5.dll" SNC_PARTNERNAME="p:tomsgroup/sso-botest" SNC_MYNAME="p:sso-botest" USER=sso-botest
the user is once shown with the domain and once without - that needs to be both times a domain account.
Ingo
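The two checks made by eye in this thread (a "p:" prefix on every SNC name, and the same domain qualification on both names) can be run over the trace line mechanically. This is an added example, not part of the original posts or of any SAP tool; the function names are hypothetical, and treating `\`, `/` or `@` as the sign of a domain-qualified name is an assumption.

```python
import re

# KEY=value or KEY="quoted value" pairs as they appear in the secSAPR3 trace line.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DOMAIN_MARKERS = ("\\", "/", "@")   # assumption: any of these marks a domain part


def parse_credentials(line):
    """Return the KEY=value pairs of one trace line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in PAIR.findall(line)}


def check_snc_names(params):
    """List the SNC name problems discussed in the thread; empty list means none."""
    findings, qualified = [], {}
    for key in ("SNC_MYNAME", "SNC_PARTNERNAME"):
        name = params.get(key)
        if not name:
            findings.append(f"{key}: missing")
            continue
        if not name.startswith("p:"):
            findings.append(f"{key}: no 'p:' prefix ({name!r})")
        qualified[key] = any(marker in name for marker in DOMAIN_MARKERS)
    if len(set(qualified.values())) > 1:
        bare = [key for key, has_domain in qualified.items() if not has_domain]
        findings.append(f"{', '.join(bare)}: no domain part, but the other name has one")
    return findings


# The line quoted in the post above, timestamp and process ids dropped.
THREAD_LINE = (r'secSAPR3: CLIENT=100 LANG=da ASHOST=bwtest SYSNR=00 SNC_MODE=1 '
               r'SNC_QOP=1 SNC_LIB="E:\usr\NTAMD64\gsskrb5.dll" '
               r'SNC_PARTNERNAME="p:tomsgroup/sso-botest" '
               r'SNC_MYNAME="p:sso-botest" USER=sso-botest')
# Constructed variant: bare name, as in the earlier SNCERR_BAD_NT_PREFIX error.
CONSTRUCTED_LINE = THREAD_LINE.replace('"p:sso-botest"', '"sso-botest"')

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_LINE):
        for finding in check_snc_names(parse_credentials(line)) or ["no findings"]:
            print(finding)
```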
Hello Ingo
Tried regedit, but couldn't find the setting. Could you elaborate?
/Thomas
Hi Ingo
Yes, we changed the setting to p:sso-botest.
After having done this we changed the pane of the authentication setup to "role import".
It was when we did this that we earlier got the errors described in this thread.
Now there is no error. Instead we simply get a message: no data received.
So the SAP plugin of BOE does not receive the list of roles from SAP.
/Thomas
Thanks
Now we don't get a connection error.
But in the role import pane the message is "no data retrieved", hence we are not able to load any SAP roles.
And as a result we can't map AD accounts to SAP accounts.
/Thomas
Note, by the way, that the three dll configurations in the first image in the doc all point to the same library (even if the names are different).
Sorry for the confusion.
/Thomas
Hello Again
Having had other things to attend to for a while, we have now returned to this issue.
We have tried to implement as described in the blogs. See also below link.
But we get the same error. Our main doubt reg. the various settings is the "SNC name".
Best regards
Thomas
Hi All
The message appears after having inserted SNC name in the entitlements pane of the SAP authentication part of CMC.
We have replaced the gssapi32.dll with a 32 bit version of gsskrb5.dll. Now the software is able to load the dll, but the message now reads:
Connect to SAP gateway failed Connect_PM GWHOST=bwtest, GWSERV=sapgw00, ASHOST=bwtest, SYSNR=00 LOCATION CPIC (TCP/IP) on local host ERROR SNCERR_BAD_NT_PREFIX SncPImportPrName() parsing error name="sso-botest" TIME Fri Mar 26 09:52:58 2010 RELEASE 640 COMPONENT SNC (Secure Network Communication) VERSION 5 RC -35 MODULE sncxxall.c LINE 2200 DETAIL SncPSetNewName COUNTER 1
br
Thomas
Hi,
as you can recognize you only have a simple name as the SNC Name and you are using the Kerberos implementation, which means you need a domain account as SNC Name.
Take a look here:
SNC Part 1
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
SNC Part 2
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2
Ingo
Yes environment variable (SNC_LIB) was configured, but system was not restarted.
But the problem remains, even after restart.
/Thomas
OK
Coming back to the server side trust.
We have copied the gssapi32.dll library that was in use in the SAP system to the BOE server.
But when we configure SNC we get a load library error.
What could be the cause of this?
Best regards
Thomas
OK, just saw that there are some check boxes in live-office and widgets for SSO. Not sure about universe designer, but it's not all that important.
Found a thread with a nice walk-through:
Will try this tomorrow. My confusion was the SNC name.
But how can I verify that SNC is working properly? Is there some sort of "ping" that can be executed and a log file to be inspected?
Best regards
Thomas
And even further to this:
How do I ensure that universe designer, live-office and BI widgets have SSO and SNC BW access as well?
Best regards
Thomas
It's all about SSO (not SNC) because the SNC is in the background - remember we are not talking about THICK CLIENT SNC here.
XC, CR and LO Part 1 of 4
/people/ingo.hilgefort/blog/2008/10/03/businessobjects-and-sap-part-1-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi
XC, CR and LO Part 2 of 4
/people/ingo.hilgefort/blog/2008/10/07/businessobjects-and-sap-part-2-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi
XC, CR and LO Part 3 of 4
/people/ingo.hilgefort/blog/2008/10/07/businessobjects-and-sap-part-3-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi
XC, CR and LO Part 4 of 4
/people/ingo.hilgefort/blog/2008/10/10/businessobjects-and-sap-part-4-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi
ingo
Hi Ingo
One question: The distinguished name of the BW server that I have to insert under SNC settings in the CMC is unclear to me.
I have not used a DN formatted name anywhere in my settings. Where can I investigate what to enter here?
Best regards
Thomas
Hi Ingo
Got it, thanks
Will try tomorrow morning and update the thread.
Best regards
Thomas
Hi Ingo
OK, I am slowly getting the picture.
I can disregard everything in the installation guide pertaining to sapcrypto. (sapgenpse, STRUST transaction etc.)
All I need to do is to configure my SIA (or an additional SIA) to use an existing SNC account (It could be an existing BW user).
Then move on to use SNC0 and configure my system ID, SU01 to configure a followed by the CMC stuff.
In the blog you attached you mention that this is only client side trust.
So if publications are needed I am still not home free, or?
/Thomas
Hi Ingo
OK, May be I have not understood a thing here, but how can I make these libraries co-exist?
I have tried installing the sapcrypto library on the BW server (Which works OK), but this implies changing the
"snc/gssapi_lib" parameter, and hence the old SNC library is no longer in use. Thereby I can't logon using SAP GUI.
/Thomas
Hi Ingo
Thanks for replying.
I am not currently worrying about Crystal and Xcelsius. I just want to ensure that we can have server side trust allowing AD credentials to be mapped to BW users for use in connections towards BW. At the same time we want the legacy SAP GUI to work with SNC setup as always.
I understand then that I need to leverage kerberos SNC for both these tasks. Ie. not install the sapcrypto library.
Where do I get this kerberos SNC library?
/Thomas
Hi Thomas,
assuming you are ok with the THICK clients like Crystal Reports, Xcelsius and Universe Designer NOT to use an actual SNC based client logon you can use the SAP Cryptographic Lib for Server side trust and combine Windows AD with SAP credentials and then for example logon with Windows AD credentials to InfoView.
For the SAP GUI you need to use a different SNC Library as the SAP Cryptographic Lib is not licensed for a THICK client logon process.
Ingo
Hi Thomas,
which makes perfect sense because SAP Cryptographic Library is used for a SERVER to SERVER communication and even licensing wise you can not use SAP Cryptographic Lib for a CLIENT to SERVER communication.
In case you would like to establish an actual CLIENT to SERVER workflow with SNC you need to leverage the NTLM / Kerberos implementation or buy software from a 3rd party SNC vendor like Secude.
Keep in mind that only Crystal Reports and Xcelsius do support a CLIENT to Server (THICK client) workflow today for SNC.
ingo
Hi
SNC was working already (Not sure if SNC is the right word though). A system PSE was setup on the server, and SNC was enabled in the SAP logon pad for each SAP server in the environment.
We followed the instructions to install the sapcrypto library on the BW server. Initially we had problems because snc was already enabled and hence the server could not startup as the loading of the sapcrypto library requires the cred file. After disabling snc we could startup and then proceed to create an SNC pse.
But after enabling of snc the SNC configuration in the SAP logon config no longer works. We have tried entering the DN formatted name (DN=BW, OU= ...) but it does not work.
Best regards
Thomas
How did you configure SNC to work with the SAP GUI before the BOBJ SNC setup?
Regards
Stratos