
Can users without Secure Login Client still logon to AS ABAP via SAPGui with NW SSO

blair_towe2
Participant
0 Kudos

Good afternoon - I have a question regarding NW SSO. We are considering buying a number of licenses, but perhaps not enough for every user to be able to logon using single sign-on. So some users would have the Secure Login Client on their PCs and others would not. For the ones who don't have the client installed, they would still be able to login to a system with SAPGui by entering their username and password, right? The reason for my question is that I know that during the setup of NW SSO we will make changes in the saplogon.ini file to indicate the SNC name of the application server, and then also have to make entries in tcode SU01 for the user's SNC name. I see on the SNC tab in SU01 that there is an option to allow password logon for SAPGui, so for the users who we have not purchased a license for, could we just check that box so that they could still enter their ID and Password in SAPGui as usual?

I would appreciate any help with this!

Regards,

Blair Towe

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hey Blair,

If you make the change to the SAPGUI INI for everyone, then everyone would need the secure login client, but for those users without the license, just make sure the SU01 SNC tab does not reflect any reference to their AD account.

NICK

robert_wagener
Explorer
0 Kudos

Blair,

If you wish to use one standard SNC enabled saplogon.ini on all workstations you will also need the GSS-API dll on all workstations (i.e. secgss.dll or gsskrb5.dll). I don’t know if there are any license considerations if you purchase 800 NW SSO licenses then install the client dll on 1000 workstations. The NW SSO client dll may be the same dll that is distributed with the free SNC Client Encryption product - not sure.

If a user logs on with an SNC enabled sapgui but does not have the SNC name defined in SU01 they will get an error message “No user exists with SNC name p:xxx@xxx”. They will be prompted for username and password and the session will be encrypted.

Rob

donka_dimitrova
Contributor
0 Kudos

Dear Blair Towe,

Profile parameters on AS ABAP provide the framework necessary to operate the AS ABAP using SNC protection. For the individual communication settings, for example, between SAP GUI and the application server, you must decide what level of protection you need and set the corresponding parameters accordingly. More info about the levels of protection is available here: Secure Network Communications (SNC)

Here you will be able to find the documentation for the parameter settings: Profile Parameter Settings on AS ABAP 

One of these parameters is snc/accept_insecure_gui. The default value for this parameter is “0”. Once the SNC is activated and the default value for snc/accept_insecure_gui is not changed, the AS ABAP will reject all SAP GUI connection requests that are not protected with SNC. If you change the parameter value to allow unprotected connections, then the SAP GUI configuration determines whether or not the connection uses SNC protection. If you want the AS ABAP to accept SAP GUI connections that are not protected with SNC only for certain UserIDs, the value of this parameter has to be set to “U” (Accept unprotected logons for only those users who have the appropriate flag set in their user master record). Then you can use the SU01/SNC flag “Permit Password Logon for SAP GUI (User-Specific)” for the UserIDs who will use the UserID/Password authentication (no SSO). The SNC Name value in the User Profile for these users will be empty.

In SAP Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry you will be able to find the prerequisites for the SAP GUI in order to set up this scenario. You will be able to find details about the kernel requirements in SAP Note 1561161 - Enabling SAP GUI password logon despite using SNC.

Here you will be able to find the SNC Configuration for the SAP GUI: Configuring SNC: SAP GUI when Using SAP Logon

Kind regards,

Donka Dimitrova

Product Management

SAP NetWeaver Single Sign-On
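
Added example, not part of the original thread and not SAP code: a small Python audit of the snc/accept_insecure_gui behaviour described in the answer above, showing which users keep an unprotected password logon under each setting. The profile excerpt and the user export (including its column names) are constructed sample data, and the value "1" is assumed to mean "accept unprotected logons for all users", which the answer describes only as changing the value to allow unprotected connections.

```python
import csv
import io

# Constructed sample data (not from the thread): an instance profile excerpt
# and a user export with hypothetical column names.
SAMPLE_PROFILE = "snc/enable = 1\nsnc/accept_insecure_gui = U\n"
SAMPLE_USERS = (
    "user,snc_name,permit_password_logon\n"
    "ALICE,p:alice@EXAMPLE.COM,\n"
    "BOB,,X\n"
    "CAROL,,\n"
    "DAVE,p:dave@EXAMPLE.COM,X\n"
)

def parse_profile(text):
    """Parse 'name = value' profile lines, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(profile_text, users_csv):
    """Classify each user by the SAP GUI logon paths the settings leave open."""
    params = parse_profile(profile_text)
    snc_on = params.get("snc/enable", "0") == "1"
    mode = params.get("snc/accept_insecure_gui", "0").upper()
    report = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        # An SNC name only gives SSO when SNC is switched on at all.
        has_snc_name = snc_on and bool(row["snc_name"].strip())
        flagged = row["permit_password_logon"].strip().upper() == "X"
        # Unprotected (non-SNC) logon: everyone if SNC is off or mode is 1,
        # only flagged users if mode is U, nobody if mode is 0.
        unprotected = (not snc_on) or mode == "1" or (mode == "U" and flagged)
        if has_snc_name and unprotected:
            status = "sso_and_unprotected"   # review: exception on an SSO user
        elif has_snc_name:
            status = "sso_only"
        elif unprotected:
            status = "password_unprotected"  # the users without a licence
        else:
            status = "neither"               # no SNC name, no unprotected logon
        report[row["user"]] = status
    return report

if __name__ == "__main__":
    for user, status in audit(SAMPLE_PROFILE, SAMPLE_USERS).items():
        print(f"{user:8} {status}")
```

Users reported as "neither" are the ones to follow up on; the thread points to SAP Note 1561161 for password logon over an SNC connection.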

Former Member
0 Kudos

Sure they can, just uncheck the Activate Secure Network Communication for users wishing to logon with username and password.

blair_towe2
Participant
0 Kudos

Samuli - Thanks for the fast response. I believe the setting you are talking about is located in the saplogon.ini file. We try to distribute only one copy of this file so that all PCs have the same version. Is it possible to use the "Permit password Logon for SAP GUI (user-specific)" as another alternative around the issue? This would allow us to control this in the SAP system rather than at the desktop level.

Regards,

Blair Towe

Former Member
0 Kudos

That setting allows the user to logon without SNC but if SAP GUI is configured to use SNC, it will.

blair_towe2
Participant
0 Kudos

So if SAPGui is configured to use SNC via the saplogon.ini file, but the user does not have an SNC name entered in tcode SU01 on the SNC tab, would they be presented with the logon via username and password, or would they receive an error because their user master record contains no SNC name?

I believe we will have enough licenses, since we are looking at purchasing 800 licenses and in our ECC Production system the number of active, unlocked users is around 750, and this is the system with the largest number of users. I am just trying to understand how, if I do have an insufficient number of licenses, I can still accommodate those who we would not be able to grant the ability to use NW SSO without purchasing more licenses.

Regards,

Blair Towe

Former Member
0 Kudos

So if SAPGui is configured to use SNC via the saplogon.ini file, but the user does not have an SNC name entered in tcode SU01 on the SNC tab, would they be presented with the logon via username and password, or would they receive an error because their user master record contains no SNC name?

They would receive an error and they wouldn't be able to logon; the logon screen would be in status error with all buttons disabled.

Former Member
0 Kudos

Apparently this is no longer true, see SAP note 1561161. I do not currently have access to an SNC enabled SAP system to verify. However, for the proposed solution to work, the client setting "SNC logon without SSO" still needs to be set, which was something you didn't want to do.

https://service.sap.com/sap/support/notes/1561161