AD Authentication in SAP BOX1 3.1

Hi All,
We have SAP Business Objects X1 3.1 in our environment. We have a requirement to enable AD Authentication in SAP.
I have gone through the "SAP Administrator Guide". We have many domains in our AD based on the region (like EU, LA).
I have created a service account "abc" with the same name in all the domains.
While setting the SPN, am I supposed to create an SPN separately for each of the domains (like EU, LA) with the same service class?
SETSPN.exe -A <ServiceClass>/<DomainName> <Serviceaccount>
Ex :  SETSPN.exe -A BOBJ/EU abc
      SETSPN.exe -A BOBJ/LA abc
Please help me in this regard.
Regards,
Pavithra P

Hi All
I have set the SPN with the domain name of the service account. All the domains in AD are in the same forest and there is a 2-way trust between the domains.
SETSPN.exe -A BOBJ/eu.xyz.net abc
In the CMC I mentioned the
Default Domain : EU.XYZ.NET
SPN - BOBJ/eu.xyz.net
My Krb5.ini file is as below
[libdefaults]
default_realm = EU.XYZ.NET
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
EU.XYZ.NET = {
default_domain = EU.XYZ.NET
kdc = HostnameDC1.EU.XYZ.NET
AP.XYZ.NET {
default_domain = AP.XYZ.NET
kdc = HostnameDC2.AP.XYZ.NET
The users from EU (default domain) are able to log in to InfoView. But when the users from the AP domain log in, they face the below error in InfoView:
Code:
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
I enabled the debug function in C:\WINNT\bscLogin.conf. And here is the error message:
Code:
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      [Krb5LoginModule] user entered username: [email protected]  Acquire TGT using AS Exchange
      [Krb5LoginModule] authentication failed
Cannot get kdc for realm AP.XYZ.NET
Please let me know where I am going wrong.
Regards,
Pavithra
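
An added example, not part of the original post and not SAP or MIT Kerberos code: a structural check of the `[realms]` section exactly as posted above, next to a constructed well-formed version with the same values. The linter takes the strict view that a stanza header without `=` defines no realm, so its `kdc` lines are not counted; that is an assumption of this sketch, not a statement about how the Java Kerberos parser reads the file.

```python
import re

# The [realms] section as posted in the thread (hostnames are the poster's placeholders).
POSTED_REALMS = """\
[realms]
EU.XYZ.NET = {
default_domain = EU.XYZ.NET
kdc = HostnameDC1.EU.XYZ.NET
AP.XYZ.NET {
default_domain = AP.XYZ.NET
kdc = HostnameDC2.AP.XYZ.NET
"""

# Constructed for comparison: same values, each realm a closed "REALM = { ... }" stanza.
WELL_FORMED = """\
[realms]
EU.XYZ.NET = {
default_domain = EU.XYZ.NET
kdc = HostnameDC1.EU.XYZ.NET
}
AP.XYZ.NET = {
default_domain = AP.XYZ.NET
kdc = HostnameDC2.AP.XYZ.NET
}
"""

HEADER = re.compile(r"^([^\s={]+)\s*(=?)\s*\{$")  # "REALM = {" or, malformed, "REALM {"
KDC = re.compile(r"^kdc\s*=\s*(\S+)$", re.IGNORECASE)


def lint_realms(text):
    """Return (realms, findings): realm -> counted kdc list, plus structural problems."""
    realms, findings = {}, []
    section = current = None   # current: realm whose stanza is still open
    counted = False            # True only when that stanza's header was well formed
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "realms":
            continue
        header = HEADER.match(line)
        if header:
            if current:
                findings.append(f"line {lineno}: {current} stanza not closed before {header.group(1)}")
            current, counted = header.group(1), header.group(2) == "="
            realms.setdefault(current, [])
            if not counted:
                findings.append(f"line {lineno}: {current} header is missing '='")
        elif line == "}":
            current = None
        elif current and counted and (kdc := KDC.match(line)):
            realms[current].append(kdc.group(1))
    if current:
        findings.append(f"end of file: {current} stanza not closed")
    return realms, findings


def realms_without_kdc(text):
    """Realms named in [realms] that end up with no counted kdc entry."""
    realms, _ = lint_realms(text)
    return sorted(name for name, kdcs in realms.items() if not kdcs)


if __name__ == "__main__":
    print(lint_realms(POSTED_REALMS)[1], realms_without_kdc(POSTED_REALMS))
```
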

Similar Messages

  • Windows NTLM Authentication on SAP 4.6c (Platform AIX)

    I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
    My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
    I need to implement single sign on for SAP integrated application.
    As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory  id as external id in connection string. All transaction should run with external user id context.
    Can someone help me with following question.
    1. Does NTLM trust relationship / authentication work on SAP running on AIX, or do I have to set up Kerberos authentication?
    2. What SNC library is needed for SAP (AIX instance)?
    3. How can I configure NTLM authentication on SAP (AIX instance)? The NCo 2.0 documents only explain the SAP (MS instance) configuration.
    What option do I have to get Single Sign On working?
    Any help is highly appreciated.
    Regards and Thank you in advance.

    > Hi Reiner,
    > Thank you very much for response, this is helpful
    > information.
    If you consider an answer helpful, please mark it with the button on the left side :-).
    > My options are pretty much limited,
    > I can't use NTLM since, AIX will not accept trust
    > -- NTLM Auth will not work with AIX
    > -- Kerberos auth have to have third party tool like
    > CyberSafe for SNC trust relationship.
    As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
    > I planning to try using SSO as mentioned in "Enabling
    > Single Sign-On for ASP.NET Applications in Enterprise
    > Portal 6"
    > Does this approach work with EP 5.0?
    This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely differently. E.g. you don't need a trusted connection for SSO with MYSAPSSO2 ticket.
    > If any one has "sapsecu.dll" please send me at
    > [email protected] with same size as stated in
    > this document.
    This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsidiary.
    > My SSO ticket did not get created after following
    > steps in document, I am suspecting either sapsecu.dll
    > or veryfy.pse is wrong?
    Did you find a MYSAPSSO2 cookie in the request?

  • Windows Integrated Authentication to SAP R/3

    Hi,
    I don't know whether this issue has to be posted here or in WAS or GUI.
    Is there any way to do Integrated Windows Authentication to SAP R/3? Once the user logs in to the network domain and then to SAP GUI, the user should not be prompted for a user ID and should be taken directly into the Role Menu.
    I know for Portal it is possible, but i am not sure for R/3. Please let me know if there is any documentation for the same.
    Thanks & Regards
    Sumanth

    Sumanth,
    there are various variants to do so:
    If your R/3 is running on Windows (and in the same / trusted domain), you can use SNC with either NTLM or Kerberos authentication.
    Otherwise you can log on with SAP Logon Tickets. You mentioned already that you know NTLM/Kerberos is feasible with EP. Now, if you simply integrate your R/3 systems in EP by means of SAP logon tickets you have essentially a smooth SSO for your users.
    Finally, you can use ITS up to 6.20 on Windows to SSO to R/3 (the latter not necessarily on Windows, too). Simply set up webgui, activate SAP logon tickets and configure the PAS service to use Windows authentication.
    Whatever you decide on, all alternatives are a piece of cake to set up.
    Regards,
    Dominik

  • Authentication tab SAP - BOxi Ent 3.1 and Int kit on AIX

    Hello
    Installation of BO-XI Enterprise 3.1 and SAP integration kit 3.1 on AIX. 
    Both products installed successfully. But on CM Console in authentication tab SAP
    is not appearing. Also when we try to  create new connection using universe designer
    from clients (Windows) we get following error
    “DBD: A runtime exception has occurred. (Licensed key checked failed.
    Check that you are licensed to access SAP data source)”
    Regards
    Upendra

    Dear Stratos
    version libsapjco3 is 64 bit for aix
    eb components automatically deployed.
    At present we are using temporary license key.
    Following description may clear scenario.
    BO-XI Enterprise 3.1 and SAP integration kit 3.1 on AIX installed successfully.
    We are trying to create new connection to SAP BW system as data source using universe
    designer from clients (Windows) we get error from one client
    "DBD: An error occurred while trying to load the provider for transport sap.
    Failed to load library MDA_SAP. System error message “the specified module could not be found”
    From another client (PC) error come as
    “DBD: A runtime exception has occurred. (Licensed key checked failed. Check that you are licensed to access SAP data source)”
    when we checked on CM Console in authentication tab SAP is not appearing.
    In short our BO system is not able to communicate with BW system.

  • Authentication Option "SAP" is seen in CMC but........

    Hi All,
    I have a problem in entitling the SAP BI system in BO CMC. After installing SAP IKIT, I could see the Authentication Option "SAP" under Authentication in CMC. But when I double click on the option SAP, I don't see any response. Could anyone please help me out in solving this?
    Thanks,
    Madan Koka

    In the CmcApp folder under tomcat -- there is a web.xml file . Can you search for and check if these entries exist?
    <context-param>       
    <param-name>config.logon.service.context</param-name>
    <param-value>/PartnerPlatformService</param-value>
    </context-param>   
    <context-param>  
    <param-name>config.logon.service.url</param-name>
    <param-value>/service/app/logon.do</param-value>
    </context-param>

  • Single Sign On Authentication on SAP EP 6.0 SP15+ base on Novell

    Hi all,
    I saw that starting from NW SP15, the kerberos authentication for SSO on the Enterprise Portal is suggested instead of NTLM authentication with IISproxy using Windows AD as user repository.
    Now I have to investigate the possibility to achieve Enterprise Portal authentication in SSO against a Novell infrastructure.
    On my network users authenticate themselves using UserID/password stored in Novell eDirectory repository. I wonder if SAP certifies the SSO kerberos authentication also on the Novell environment and what are the requirements in terms of needed software pieces on Novell side (ex NMAS) and network infrastructure (Windows, Netware, other).
    Briefly I'd like to know:
    - Is there the possibility to achieve SSO authentication for EP if using Novell eDirectory? Is it a SAP certified solution? Is it supported for production sites? Are there available papers on configuration activities to be done?
    - Is the kerberos authentication the right way to achieve this?
    I'd like to add another piece of complexity. In reality I have a complicated network where a group of users (belonging to a company division) authenticates on a Novell realm using eDirectory, and a second group of users (belonging to another company division) authenticates on a standard Windows AD. The new interesting question is:
    - Can the EP SSO be configured with kerberos authentication using multiple realms configured in a priority list? I'd like to have the possibility to configure a list of KDCs to be contacted in cascade, one after the other, to authenticate login requests. I had a look at the WAS J2EE krb5.conf file and it seems that nothing prevents configuring the J2EE engine with multiple kerberos realms. I just wonder if it is supported.
    If some SAP EP gurus could give an answer I would really appreciate VERY much.
    Thank you,
    Giampietro.

    Hi Giampietro
    We are about to have a look on the same issue: Providing Kerberos-based (SPNego) SSO to the SAP NW portal using eDirectory.
    Reading the online help it seems that SAP has only tested this on Active Directory, and I cannot see it as a certified solution nor find any configuration documents on this.
    However in 3 or 4 weeks we will try to use the "standard configuration" (from the online help) against eDirectory and basically the directory (AD, eDirectory etc) just has to provide a keytab file, userstore and a service user - this must be possible for Novell eDirectory as well as for MS AD. Of course we expect some challenges, but it should be possible!
    If you gain any information or gain some experience trying - please inform us.
    I will update this when we get any new information.
    BR
    Tom Bo

  • How to remove user authentication for SAP Web Service?

    Hi there,
    I am using SAP Web Services in my flex application. Every time wsdl url is called, the username\password window pops up. I want to remove this.
    I searched in the forum and based on the discussions, I tried giving the user name password under Web Service Administration using SOAMANAGER, by selecting No Authentication option. But this did not work. I still get that pop up.
    I also tried giving the credentials in SICF, under Logon Data tab of the service. This too failed. I kept getting the pop up.
    Can someone pls let me know how I can remove this? If a username and password are mandatory, I can create a temporary username which will be used to access all of my webservices and use it. But I want to remove this authentication part when I am using the flex application and calling the web service url from within it.
    Appreciate your help.....
    -Deepak

    Hi,
    It is a little bit tricky, because the interface has changed several times in different releases. I know that it is possible without authentication.
    I remember that i defined somewhere the default client, the username and password in the ERP system to use by this web service.
    Maybe it helps if you try the old transactions WSADMIN, WSCONFIG or WSADMIN2 ?
    Sorry that I cannot help you more. I hope it helps.
    Best regards,
    Joern

  • How to disable web service authentication by sap-user string in url

    Hi Experts,
    I am publishing some RFC functions as web services on my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing the user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=myPassword
    I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.
    Best regards,
    Peter

    Well, it's not a backdoor - but (extremely) bad style: an URL should never contain any authentication data (like UID & PWD) nor should it ever contain any (security) session ID (which, if valid, would allow to skip authentication).
    So, I agree with you / your customer: it should be (made) possible to configure the system to discard / ignore any authentication data which is contained in the URL.
    I recommend to submit a customer message to SAP (using message component BC-MID-ICF). You might refer to this SDN posting (by providing the URL) in the support ticket.
    PS: Basic Authentication is not much better but at least the information (UID & PWD) is not sent in the clear (although simply Base64-encoded) and not in the URL (but in the http header). Sending cleartext data in the URL is really the worst. The best is: use stronger authentication mechanisms (e.g. X.509 client certificates, Kerberos, Biometric authentication mechanisms, etc.).
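
An added illustration, not part of the original thread and not SAP code: request URLs are commonly written to web server and proxy access logs, so credentials passed as `sap-user` / `sap-password` end up stored there. The sketch scans constructed common-log-format lines for those two parameters and redacts their values; the log lines, the log format and the lower-casing of parameter names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names taken from the URL quoted in the post above.
CREDENTIAL_PARAMS = {"sap-user", "sap-password"}

# Constructed sample lines (common log format); addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sap/bc/soap/wsdl11'
    '?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=myPassword'
    ' HTTP/1.1" 200 5120',
    '10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /sap/bc/soap/wsdl11'
    '?services=BAPI_PO_CHANGE&sap-client=100 HTTP/1.1" 401 312',
]

# client address, then the request target inside the quoted request line
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def redact_url(url):
    """Return (url with credential values replaced, sorted credential parameters found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Names are compared lower-cased as a conservative choice (assumption).
    found = sorted({k.lower() for k, _ in pairs if k.lower() in CREDENTIAL_PARAMS})
    cleaned = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found


def scan_log(lines):
    """Return one (client, redacted_url, found_params) tuple per line carrying credentials."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        redacted, found = redact_url(match.group(2))
        if found:
            findings.append((match.group(1), redacted, found))
    return findings


if __name__ == "__main__":
    for client, url, params in scan_log(SAMPLE_LOG):
        print(f"{client} sent {', '.join(params)} in the URL: {url}")
```
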

  • Oracle 10g Rel 2  - Proxy connection authentication with SAP User ID

    Dear Experts,
    We are currently doing some research and planning to upgrade SAP R/3 4.6C to ECC 6 and upgrading Oracle from version 9.2 to 10.2
    In upgrading to Oracle vers. 10g Rel 2, we got advised that Oracle has apparently introduced a new proxy connection authentication, in which the SAP user ID is given limited privileges (create session only) ??
    If you have any information on this or known any impact about this issue, please advise us.
    Thanks in advance.

    Thanks for your help, Kaushal.
    I also found SAP Note 834917 (Oracle Database 10g: New database role SAPCONN) and it seems to be in the right direction to cope with that problem.
    - For Oracle releases earlier than 10gR2, the CONNECT role includes extensive database authorizations and the more restrictive CONNECT as of 10gR2.
    - To overcome this restriction, SAP need to find a way to compensate this, so does it come SAPCONN.
    - SAPCONN is the new SAP-specific database role, which is defined to support the normal SAP applications operations (CONNECT, RESOURCE and SELECT_CATALOG_ROLE).
    Once again, thanks.

  • What is windows authentication for SAP?

    Hi All,
        Could you please explain to me what Windows authentication is and why SAP needs it?
    I have got a message from a BASIS consultant saying that SAP/PM accounts need Windows authentication and we need to mail him for that... what did he mean and what happens if we don't?
    Thank you,
    Regards.

    read in the net..

  • Authorisation (not authentication) on SAP-Systems (R/3 & WAS)

    Dear ladies and gentlemen,
    is there a possibility to separate authentication from authorisation in communications from SAP XI to SAP-Systems (R/3 or WAS)?
    Concretely: can we authenticate via RFC-Adapter with userid / pw from communication channel (directory) and authorise use of business functionality (like booking invoices) on SAP-Business-System with another userid sent with the business data?
    Thanks,
    Daniel

    Hi,
    >>>can we authenticate via RFC-Adapter with userid / pw from communication channel (directory) and authorise use of business functionality (like booking invoices) on SAP-Business-System with another userid sended with the business data?
    you could do it by sending a userid in your message and
    then use it in R3 to check authorizations
    Regards,
    michal

  • Authentication Query- SAP Authoring Environment connectivity to Portal KM

    Hi,
    We have to use SAP Authoring Environment tool to upload the LSO training content into Portal.
    We installed, configured and connected to the Portal KM using AE successfully.
    We noticed one thing after connecting to the Repository Explorer in AE, system prompts to enter the user id and password for ECC system. After supplying right ECC user details system directly showing the Portal KM Master Repository content without asking to enter the Portal user id and password.
    Can anyone share how can we see the Portal KM Master Repository content without supplying the Portal user details?
    Thanks
    Phani

    Thanks for your response.
    No, it is not anonymous portal.
    If you try to open the same portal url outside the AE, system prompts the user to enter user id and pwd.
    But if it is inside AE, as I mentioned earlier after giving ECC user details and click on OK button system directly showing the Portal KM Master Repository without asking Portal user id and pwd.
    Thanks
    Phani

  • Problem in CMC login with SAP authentication type

    Hi,
    We have installed the SAP Integration kit successfully for BO XI R2 & when I log on to CMC I am able to enable the SAP authentication and import the roles from the SAP BW system as well. But when I try to log in to CMC using the 'Authentication type' as SAP it doesn't display the textboxes for entering System ID and Client details. Can you please tell me how to fix this?
    Also I see that the CMC & Infoview authentication type drop down lists are not the same. The CMC has the authentication types available as 'SAP, LDAP & Enterprise' whereas Infoview has 'Enterprise, LDAP & AD'.
    Is this an issue with the Plugins? Do I need to do some settings on the Tomcat?
    Please help me out in this..
    Thanks in advance!
    Phani.

    Thanks for your update Jac... yes that's correct. Also I had to include the authPlugExt.properties file in tomcat/shared/classes, which I did not include previously. The SAP infoview is working fine now.
    Just one more question: in CMC login, doesn't the SAP authentication require SAP system & client ID as its inputs? (in XI R2). I noticed that I was able to log in with SAP user IDs (without mentioning system details) that were added when I imported the SAP roles to BO.

  • SAP Authentication doesn't come on CMC and Infoview page

    Hello Guru,
    I am new to BOE installation. I have installed BOEnterprise 3.1, FP 3.5 & SAP IK 3.1, FP 3.5. I am not getting Authentication as "SAP" on CMC and Infoview.
    I don't have PartnerPlatformService in my installation directory or on the drive where I installed BO Enterprise.
    1. C:\Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps
    2. C:\Program Files (x86)\Business Objects\Tomcat55\webapps
    I am not able to find war files and PartnerPlatformService on the above two paths. Is it the main reason behind the SAP Authentication? What changes do I have to do to get SAP as Authentication? If I don't have PartnerPlatformService anywhere then where do I find it and how do I deploy it?
    Regards,
    Komik Shah

    Hi Ingo,
    Thanks!!! I checked SAP JCO file deployment before and it is available on server.
    I also read the document prepared by you for installation of SAP IK. I followed all the steps but still not getting SAP as Authentication.
    What i see as difference is "I don't have PartnerPlatformService" in my BO Enterprise installation directory and that is why it is not seen on the C drive where i installed Business Objects. I have other customers where i have installed BO Edge series and i can see SAP as Authentication and there i could also find PartnerPlatformService in Installation Directory as well as C drive.
    If i don't have "PartnerPlatformService" in my BO Enterprise directory then how should i get it ?
    Thanks again for your help
    Regards,
    Komik Shah

  • SAP Authentication Method Missing

    Dear Experts, I have been having this problem for sometime. I have redone the whole work again just to make sure I'm not missing anything. Any help is appreciated.
    I'm on BO XI R2, with Tomcat 5.0,27, Windows 2003 environment, Java connector 2.1.8,
    I'm missing SAP authentication method in the Java InfoView. I have Enterprise, LDAP and WinAD in the list but not SAP authentication. While my Java Infoview for SAP works just fine.
    Also with IIS, the .NET InfoView does have SAP authentication and it works fine as well.
    Kindly assist me in fixing this.
    BTW, which configuration file in tomcat hold this info about authentication methods?

    8 --> Configured the Kerberos Windows AD Authentication in BOE System (these includes the steps to apply it on IIS and Java Application Servers (Tomcat)) by following the
             instructions in BusinessObjects Enterprise™ XI Release 2 Deployment and Configuration Guide, Chapter 13
    9 --> Installed Live Office Client 11.5.8.826 (server and client component on the same machine)
           a) Enabled Live Office client components (by running the enable_addin.exe utility)
           b) Running side-by-side Live Office installations (enable the Live Office Add-In)
    10 --> Install Xcelsius 2008, Version 12.1.0.247
    11 --> Install BusinessObjects XI Release 2 Integration Kit for SAP SP1
    12 --> Install BusinessObjects XI R2 Service Pack 2 for Integration Kits
    13 --> Make sure that BOE Sample Reports is imported to the installed BOE system
    14 --> Configured and Tested IIS for SAP Authentication with SSO for SAP InfoView in BI system and
               SAP Enterprise System to point to the installed BOE system
    15 --> Configure Tomcat (Web.config files) to use BOE Cluster Name & SAP Authentication with SSO
              enabled for SAP InfoView site when it is used from the SAP Enterprise Portal
    16 -->Tested to logon to Live Office with SAP Authentication. SAP Authentication is missing in the Live
             Office like Java InfoView
    Kindly point out to me where I'm going wrong?
