
SNC configuration of BOE and SAP

thomas_madsen
Participant
0 Kudos

Hello

We have configured the SAP BW server with the sapcrypto library, and configured as suggested in the installation manual.

But following this we are not able to use SNC logon from the SAP GUI.

Any suggestions for troubleshooting next step?

Best regards

Thomas

Accepted Solutions (0)

Answers (26)


thomas_madsen
Participant
0 Kudos

Hi,

Solution is to install kerberos libraries all over.

This means changing NTLM to kerberos on SAP GUI clients.

/Thomas

IngoH
Active Contributor
0 Kudos

or use NTLM for server side trust or use NTLM and SAP Crypto

ingo

thomas_madsen
Participant
0 Kudos

Hi Ingo

- Which libraries are configured on the SAP Server backend ?

Can't quite remember (will check), but it is for sure a 64 bit library.

- what are the workflow scenarios that you are looking for ?

The user shall logon to his laptop using his AD credentials. SSO shall be setup for BOE so that no further logon is required (done). It shall be possible to create and refresh reports using universes connecting to BW. The AD credentials shall be mapped to SAP BW users, so that the BW user credentials are passed to BW when executing the reports, thus ensuring proper row level security.

- are you trying to get a server side trust going ?

If this is required to do above, then yes.

- are you trying to combine windows AD with SAP authentication for InfoView ?

Yes

- are you trying to combine windows AD with SAP authentication for Universe Designer ?

No

/Thomas

IngoH
Active Contributor
0 Kudos

Hi

that is server side trust and that is documented in the installation guide for the SAP Kit

ingo

thomas_madsen
Participant
0 Kudos

Hello Ingo

I guess we're then back where we started.

In the manual the suggestion is to install the sapcrypto library.

But when this is done on the SAP instance, then SAP GUI SSO no longer works (This has been in place at the customer site for a long time).

So the question is: Can I (and how) combine server side trust with classical SAP GUI sso?

/Thomas

IngoH
Active Contributor
0 Kudos

Hi Thomas,

we are going back and forth on the same topic.

SAP Crypto is clearly mentioned in the installation guide for Server Side trust and not for the SAP GUI. I asked previously in this thread what the goal is and it was about InfoView and not about SAP GUI.

so let me ask this question again - what is the goal here ?

(1) SSO with Windows AD and SAP authentication in InfoView ?

or

(2) SSO via SAP Logon / SAP GUI

(1) is a web based authentication

(2) is a thick / rich client authentication

ingo

thomas_madsen
Participant
0 Kudos

Hello Ingo

Sorry for the confusion.

Please observe that the customer wishes to be able to use infoview (with AD SSO and SAP user mapping) along side use of SAP GUI (for other tasks such as BW administration, HR and what have you).

And this SAP GUI still needs to run with SSO same way as always.

But when I follow the instructions of the installation guide and install sapcrypto, the client side GUI sso stops working. This was the original reason for the thread and this was reported in the first post.

So how do I implement server side trust while retaining the original SAP GUI sso installation.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

Please observe that the customer wishes to be able to use infoview (with AD SSO and SAP user mapping) along side use of SAP GUI (for other tasks such as BW administration, HR and what have you).

>>> that requires two different SNC libraries as SAP Cryptographic can not be used for SAP GUI logon.

You need to configure 2 different SNC Libs on the backend.

ingo

thomas_madsen
Participant
0 Kudos

Hi Ingo

OK. And how is this done.

The library is defined using snc\gssapi_lib parameter.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi Thomas,

I would suggest you look into the SNC documentation on help.sap.com

ingo

thomas_madsen
Participant
0 Kudos

Hello Ingo

We are trying to implement what you have described in the blog.

We are using gsskrb5.dll (32 bit version) which we found in note 352295. This was the only library that we could load without getting a load library error.

But looking into the documentation I am wondering whether the library is really useful.

The sapcrypto.dll library we can not load.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi Thomas,

looks like we are going back and forth a little bit.

The library is 32bit - which most likely wouldn't work with the 64bit SAP Backend.

- Which libraries are configured on the SAP Server backend ?

- what are the workflow scenarios that you are looking for ?

- are you trying to get a server side trust going ?

- are you trying to combine windows AD with SAP authentication for InfoView ?

- are you trying to combine windows AD with SAP authentication for Universe Designer ?

Server Side Trust means SAP Cryptographic Library on the server side.

Windows AD / SAP User with InfoView means SAP Cryptographic Library on the server side.

Windows AD / SAP User with Universe Designer >> not supported.

ingo

thomas_madsen
Participant
0 Kudos

Hi,

The screenshot on page 8 says p:tomsgroupsso-botest. (Our first try was without p:)

This is what provides the error.

Anyway, what we want to do is exactly what you describe in:

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2

Namely: "Most customers use SNC to combine the user authentication of for example Windows AD with the SAP credentials"

You write the following:

"

To configure BusinessObjects Enterprise to use SNC you the following tasks are needed:

- Configuring BusinessObjects Enterprise servers to start and run under an appropriate user account

- Configure the SAP system to trust your BusinessObjects Enterprise system

- Configure the SNC settings in the Central Management Console of BusinessObjects Enterprise

- Map SAP users as aliases to Windows AD users.

"

So we are trying our best to do as described, but after having enabled SNC as described in the blog we are no longer able to import roles and therefore we can't complete the last point on above list.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

so which SNC library are you using ? and I hope you noticed that the blog is not about server side trust but your screenshots look like server side trust

ingo

thomas_madsen
Participant
0 Kudos

Hello Ingo

We do logon to universe designer using SAP credentials (When I say sso I simply mean that we select the sso option when defining the connection to a BW query). This works fine as long as we don't enable SNC.

But when we enable SNC as per your description, the CMC is no longer able to connect to the BW system to import roles.

This is what is illustrated in the screenshots on the document.

So yes, we are attempting server side trust.

And we are trying to follow your blog instructions.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

configuring the CMC to do SNC in the entitlement screen is not Server Side Trust. Server Side Trust does actually not include to configure the CMC on the entitlement system tab with SNC. if that's what you are looking for, that is client side SNC.

in addition look at the previous comments where several screenshots were missing the "p:" in the configuration

Ingo

thomas_madsen
Participant
0 Kudos

Hello Ingo

Essentially we want to enable AD authentication and sso so that infoview logon is authenticated using AD and sso. Then we wish to create universes with sso to BW so that BW authorization is leveraged for row level security. For this to happen I believe we need to map the AD user credential to SAP credentials within CMC.

May be we got it all wrong here, but we have tried to apply the instructions from the 2 links you provided earlier in this thread, but are stuck with SNC names.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

Essentially we want to enable AD authentication and sso so that infoview logon is authenticated using AD and sso.

>>> That is called "Server Side Trust" and is in the documentation.

Then we wish to create universes with sso to BW so that BW authorization is leveraged for row level security. For this to happen I believe we need to map the AD user credential to SAP credentials within CMC.

>> The Universe Designer does not support client side SNC - I think we talked about that already. For the Universe Designer you will always have to logon with the SAP credentials.

Ingo

thomas_madsen
Participant
0 Kudos

Hello Ingo

This was the first we tried (ie. p:tomsgroup\sso-botest), but then we got the error message that can be seen in the screenshot of page 8.

Seems as if p:tomsgroup\sso-botest is translated into "tomsgroupsso-botest "add" TOMSGROUP.DOM"

Best regards

Thomas

IngoH
Active Contributor
0 Kudos

Hi,

first of all the account has to be the same in all the configurations and it needs to be entered with a "p:" in front of it - see also Page 6.

Page 7 and 8 are showing that you are trying to configure the CMC with SNC.

so lets first of all clarify what you are actually trying to establish here ? are we talking about SERVER SIDE TRUST or CLIENT SIDE AUTHENTICATION WITH SNC ?

Ingo

thomas_madsen
Participant
0 Kudos
IngoH
Active Contributor
0 Kudos

hi,

see here:

[Wed Jun 09 14:59:02 2010] 912 3144 secSAPR3: The following credentials are not valid and the system is therefore disabled: CLIENT=100 LANG=da ASHOST=bwtest SYSNR=00 SNC_MODE=1 SNC_QOP=1 SNC_LIB="E:\usr\NTAMD64\gsskrb5.dll" SNC_PARTNERNAME="p:tomsgroup/sso-botest" SNC_MYNAME="p:sso-botest" USER=sso-botest

the user is once shown with the domain and once without - that needs to be both times a domain account.

Ingo
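The check applied to the trace line in the post above, written out as an added example (not code from the thread or from SAP): it parses the connection parameters and flags SNC names that lack the "p:" prefix or a domain part, the two rules stated in the replies. The function names and the acceptance of an `account@REALM` form are assumptions of this example.

```python
import re

# Parameter string from the secSAPR3 trace line quoted in the thread.
TRACE = ('CLIENT=100 LANG=da ASHOST=bwtest SYSNR=00 SNC_MODE=1 SNC_QOP=1 '
         'SNC_LIB="E:\\usr\\NTAMD64\\gsskrb5.dll" '
         'SNC_PARTNERNAME="p:tomsgroup/sso-botest" '
         'SNC_MYNAME="p:sso-botest" USER=sso-botest')

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_params(line):
    """Split KEY=value and KEY="quoted value" pairs into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def split_snc_name(name):
    """Return (has_prefix, domain, account) for an SNC name."""
    has_prefix = name.startswith("p:")
    rest = name[2:] if has_prefix else name
    if "@" in rest:
        # account@REALM: assumed form, not shown verbatim in the thread
        account, domain = rest.split("@", 1)
    else:
        # domain\account and domain/account are the forms seen in the thread
        parts = re.split(r"[\\/]", rest, maxsplit=1)
        domain, account = parts if len(parts) == 2 else ("", rest)
    return has_prefix, domain, account


def lint_snc(params):
    """Return (parameter, problem) pairs for the rules given in the replies."""
    findings = []
    if params.get("SNC_MODE") == "1" and not params.get("SNC_LIB"):
        findings.append(("SNC_LIB", "missing"))
    for key in ("SNC_MYNAME", "SNC_PARTNERNAME"):
        name = params.get(key)
        if name is None:
            continue
        has_prefix, domain, _ = split_snc_name(name)
        if not has_prefix:
            findings.append((key, "missing-prefix"))   # cf. SNCERR_BAD_NT_PREFIX
        if not domain:
            findings.append((key, "no-domain"))
    return findings


if __name__ == "__main__":
    for key, problem in lint_snc(parse_params(TRACE)):
        print(f"{key}: {problem}")
```

On the quoted trace line this reports only SNC_MYNAME, which carries the prefix but no domain.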

thomas_madsen
Participant
0 Kudos

Hello Ingo

Tried regedit, but couldn't find the setting. Could you elaborate?

/Thomas

thomas_madsen
Participant
0 Kudos

Hi Ingo

Yes, we changed the setting to p:sso-botest.

After having done this we changed the pane of the authentication setup to "role import".

It was when we did this that we earlier got the errors described in this thread.

Now there is no error. Instead we simply get a message: no data received.

So the SAP plugin of BOE does not receive the list of roles from SAP.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi Thomas,

that sounds strange.

I assume when you use a standard SAP user with password this works fine ?

did you try to trace the SAP Security plug in (simple registry setting on windows) ?

currently in Australia - so there will be delay

ingo

IngoH
Active Contributor
0 Kudos

Hi,

on a windows box it would be the branch

HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\SAP\Authentication

and there is a key called Trace which uses Yes or No as values

ingo

thomas_madsen
Participant
0 Kudos

Thanks

Now we don't get a connection error.

But in the role import pane the message is "no data retrieved", hence we are not able to load any SAP roles.

And as a result we can't map AD accounts to SAP accounts.

/Thomas

IngoH
Active Contributor
0 Kudos

did you change the configuration to have the "p:" in front of the SNC Name ?

ingo

thomas_madsen
Participant
0 Kudos

Note, by the way, that the three dll configurations in the first image in the doc all point to the same library (even if the names are different).

Sorry for the confusion.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

any SNC name always has to have "p:" in front of it . compare screenshot on page 6 and 7.

Ingo

thomas_madsen
Participant
0 Kudos

Hello Again

Having had other things to attend to for a while, we have now returned to this issue.

We have tried to implement as described in the blogs. See also below link.

But we get the same error. Our main doubt reg. the various settings is the "SNC name".

https://sapmats-de.sap-ag.de/download/download.cgi?id=VQUDD1R9VLI6NXS7QH90CATWPMNKBXWWSLLNQQI77V7COU...

Best regards

Thomas

thomas_madsen
Participant
0 Kudos

Hi All

The message appears after having inserted SNC name in the entitlements pane of the SAP authentication part of CMC.

We have replaced the gssapi32.dll with a 32 bit version of gsskrb5.dll. Now the software is able to load the dll, but the message now reads:

Connect to SAP gateway failed Connect_PM GWHOST=bwtest, GWSERV=sapgw00, ASHOST=bwtest, SYSNR=00 LOCATION CPIC (TCP/IP) on local host ERROR SNCERR_BAD_NT_PREFIX SncPImportPrName() parsing error name="sso-botest" TIME Fri Mar 26 09:52:58 2010 RELEASE 640 COMPONENT SNC (Secure Network Communication) VERSION 5 RC -35 MODULE sncxxall.c LINE 2200 DETAIL SncPSetNewName COUNTER 1

br

Thomas

IngoH
Active Contributor
0 Kudos

Hi,

as you can recognize you only have a simple name as the SNC Name and you are using the Kerberos implementation, which means you need a domain account as SNC Name.

Take a look here:

SNC Part 1

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2

SNC Part 2

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2

Ingo

thomas_madsen
Participant
0 Kudos

Yes environment variable (SNC_LIB) was configured, but system was not restarted.

But the problem remains, even after restart.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

so at which point / which workflow does the error message come up ?

ingo

IngoH
Active Contributor
0 Kudos

Hi Thomas,

in which workflow do you receive the error message ?

thanks

Ingo

thomas_madsen
Participant
0 Kudos

OK

Coming back to the server side trust.

We have copied the gssapi32.dll library that was in use in the SAP system to the BOE server.

But when we configure SNC we get a load library error.

What could be the cause of this?

Best regards

Thomas

IngoH
Active Contributor
0 Kudos

Hi,

environment variables are configured ?

ingo

Former Member
0 Kudos

Hi Thomas,

Are you specifying the 32bit GSSAPI DLL, when you should be using the 64bit?

Thanks!

Kyle
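A Windows process can only load DLLs of its own architecture, so the 32-bit/64-bit question raised above can be answered from the DLL's PE header before touching any SNC setting. The following is an added example, not code from the thread; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# COFF Machine values for the two architectures discussed in the thread.
I386, AMD64 = 0x014C, 0x8664
MACHINES = {I386: "x86 (32-bit)", AMD64: "x64 (64-bit)"}


def pe_machine(data):
    """Return the COFF Machine field of a PE image, given its leading bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("PE signature not found")
    # Machine is the first 16-bit field after the signature.
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return machine


def dll_arch(path):
    """Describe the architecture of the DLL at `path` (e.g. the SNC_LIB value)."""
    with open(path, "rb") as fh:
        machine = pe_machine(fh.read(4096))
    return MACHINES.get(machine, hex(machine))


def loadable_by(data, process_is_64bit):
    """True if the image's architecture matches the loading process."""
    return pe_machine(data) == (AMD64 if process_is_64bit else I386)


def fake_pe(machine):
    """Constructed sample: just enough header bytes to carry a Machine field."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    sample = fake_pe(I386)
    print(MACHINES[pe_machine(sample)], "loadable by 64-bit process:",
          loadable_by(sample, process_is_64bit=True))
```

Run `dll_arch()` against the library configured on each side (the SAP backend and the BOE server) and compare the result with the architecture of the process that has to load it.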

0 Kudos

Hi,

could you please post the exact errormessage ?

Regards

-Seb.

thomas_madsen
Participant
0 Kudos

OK, just saw that there are some check boxes in live-office and widgets for SSO. Not sure about universe designer, but it's not all that important.

Found a thread with a nice walk-through:

Will try this tomorrow. My confusion was the SNC name.

But how can I verify that SNC is working properly? Is there some sort of "ping" that can be executed and a log file to be inspected?

Best regards

Thomas

thomas_madsen
Participant
0 Kudos

And even further to this:

How do I ensure that universe designer, live-office and BI widgets have SSO and SNC BW access as well.

Best regards

Thomas

IngoH
Active Contributor
0 Kudos

it's all about SSO (not SNC) because the SNC is in the background - remember we are not talking about THICK CLIENT SNC here.

XC, CR and LO Part 1 of 4

/people/ingo.hilgefort/blog/2008/10/03/businessobjects-and-sap-part-1-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi

XC, CR and LO Part 2 of 4

/people/ingo.hilgefort/blog/2008/10/07/businessobjects-and-sap-part-2-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi

XC, CR and LO Part 3 of 4

/people/ingo.hilgefort/blog/2008/10/07/businessobjects-and-sap-part-3-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi

XC, CR and LO Part 4 of 4

/people/ingo.hilgefort/blog/2008/10/10/businessobjects-and-sap-part-4-of-4--creating-a-xcelsius-dashboard-on-top-of-sap-bi

ingo

thomas_madsen
Participant
0 Kudos

Hi Ingo

One question: The distinguished name of the BW server that I have to insert under SNC settings in the CMC is unclear to me.

I have not used a DN formatted name anywhere in my settings. Where can I investigate what to enter here?

Best regards

Thomas

thomas_madsen
Participant
0 Kudos

Hi Ingo

Got it, thanks

Will try tomorrow morning and update the thread.

Best regards

Thomas

thomas_madsen
Participant
0 Kudos

Hi Ingo

OK, I am slowly getting the picture.

I can disregard everything in the installation guide pertaining to sapcrypto. (sapgenpse, STRUST transaction etc.)

All I need to do is to configure my SIA (or an additional SIA) to use an existing SNC account (It could be an existing BW user).

Then move on to use SNC0 and configure my system ID, SU01 to configure a followed by the CMC stuff.

In the blog you attached you mention that this is only client side trust.

So if publications are needed I am still not home free, or?

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

it is not only client side - because your SIA runs under the SNC account you also have the server side trust.

ingo

thomas_madsen
Participant
0 Kudos

Hi Ingo

OK, May be I have not understood a thing here, but how can I make these libraries co-exist?

I have tried installing the sapcrypto library on the BW server (Which works OK), but this implies changing the

"snc/gssapi_lib" parameter, and hence the old SNC library is no longer in use. Thereby I can't logon using SAP GUI.

/Thomas

IngoH
Active Contributor
0 Kudos

Hi,

then you would use the existing configuration for BOE as well:

SNC Part 1

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2

SNC Part 2

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2

Ingo

thomas_madsen
Participant
0 Kudos

Hi Ingo

Thanks for replying.

I am not currently worrying about Crystal and Xcelsius. I just want to ensure that we can have server side trust allowing AD credentials to be mapped to BW users for use in connections towards BW. At the same time we want the legacy SAP GUI to work with SNC setup as always.

I understand then that I need to leverage kerberos SNC for both these tasks. Ie. not install the sapcrypto library.

Where do I get this kerberos SNC library?

/Thomas

IngoH
Active Contributor
0 Kudos

Hi Thomas,

assuming you are ok with the THICK clients like Crystal Reports, Xcelsius and Universe Designer NOT to use an actual SNC based client logon you can use the SAP Cryptographic Lib for Server side trust and combine Windows Ad with SAP credentials and then for example logon with Windows AD credentials to InfoView.

for the SAP GUI you need to use a different SNC Library as the SAP Cryptographic Lib is not licensed for a THICK client logon process

Ingo

IngoH
Active Contributor
0 Kudos

Hi Thomas,

which makes perfect sense because SAP Cryptographic Library is used for a SERVER to SERVER communication and even licensing wise you can not use SAP Cryptographic Lib for a CLIENT to SERVER communication.

In case you would like to establish an actual CLIENT to SERVER workflow with SNC you need to leverage the NTLM / Kerberos implementation or buy software from a 3rd party SNC vendor like Secude.

Keep in mind that only Crystal Reports and Xcelsius do support a CLIENT to Server (THICK client) workflow today for SNC.

ingo

thomas_madsen
Participant
0 Kudos

Hi

SNC was working already (Not sure if SNC is the right word though). A system PSE was setup on the server, and SNC was enabled in the SAP logon pad for each SAP server in the environment.

We followed the instructions to install the sapcrypto library on the BW server. Initially we had problems because snc was already enabled and hence the server could not startup as the loading of the sapcrypto library requires the cred file. After disabling snc we could startup and then proceed to create an SNC pse.

But after enabling of snc the SNC configuration in the SAP logon config no longer works. We have tried entering the DN formatted name (DN=BW, OU= ...) but it does not work.

Best regards

Thomas

0 Kudos

How did you configure SNC to work with the SAP GUI before the BOBJ SNC setup?

Regards

Stratos