Clarifications regarding logon groups

Similar Messages

• Regarding Logon Groups

  hi friends,
                  can any one please solve this problem for me?,
  In my EP 6.0 system i configured the SLD and I created the Jco destination,when i tested it it's giving error like"ERROR:Logon Group PUBLIC not found"
  can u please where can i get the logon group?.

  Hi,
  *You can find that option by logging into SLD " Log on to SDL through portal i.e. http://<servername>:<portnumber>/sld"*
  Follow these steps below then.:-
  It might sometimes happen that Message Server and Logon Group is not configured to configure them, follow the process
  For Message Server:
            i.            Log on to SDL through portal i.e. http://<servername>:<portnumber>/sld
            ii.            Choose Technical System. Click it.
            iii.            You will observe New Technical System button, click it.
            iv.            System Type: Select Web AS ABAP , if you want to connect to R/3 System and incase you are using Java application use Web AS Java
            v.            General: Log on to R/3 System through SAP Log on pad. Go to System à Status, check for SID, Installation Number and Database Host Name.
            vi.           Central Servers: Give Host Name and Port Number and Instance Number.
  For Logon Group:
           a.            Click on Add New Logon Group, this will open a row in the table.
           b.            Log on to R/3 through Logon pad and get Logon Groups ids and the transaction code is "SMLG".
           vii.            Application Servers: Click on Add Application Server and then give Host Name and Instance Number of R/3 System.
           *viii.           *Clients: Give Client number (System id) and Logical Client Name (which we can get from SMLG code). And click finish.
  Hope this helps.
  Regards,
  Shailesh Nagar

• Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

  Hi!
  One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.
  Example: p:CN=SAP/[email protected]
  The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).
  Important: All users use group entries in the SAP Logon (saplogin.ini). Means, for SAP logon the SNC name can not be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested by the message server each time a SAP GUI connection is started. The SNC Name is greyed out in this case as dynamically obtained from the applications servers profile parameter snc/identity/as.
  Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.
  Replacing the SNC Library on the AS ABAP
  The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is =  p:CN=SAP/[email protected].
  After restarting the system with initialized Secure Login Library 2.0, still the SNC client encryption works fine for existing users.
  The problem
  We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguised Name Fomat: CN=SAP/[email protected] This is to avoid having to change the snc/identity/as to an "real" X.509 DN which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.
  As soon as we install the PSE via STRUST on the system the SNC Client Encryption solution stops working with error „Server refuses kerberos key exchange“.
  As part of an pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. Encryption) to the ABAP system.
  Seems the SAP System now only tries to do X.509 based authentication thus key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP see this post.  
  Any ideas how to solve this and have both solutions in parallel?
  Appreciate any help.
  Regards,
  Carsten

  Hi all,
  we was able to fix the issue. It was an issue with the customers cluster configuration and the  $SECUDIR variable. This tricky issue leads to non working or sporadic working SNC Client Encryption...
  This was how the configuration looks before:
  Environment variable $SECUDIR is defined:
  "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec“
  sapgenpse seclogin -l -v
  running seclogin with USER="<SID>adm"
  Credentials for username '<SID>adm':
  0 (LPS:OFF):
           (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
  1 (LPS:OFF):
           (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
  After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec“ and re-creating the credentials, it worked like a charm.
  As a result of this we can confirm, this configuration and SNC Client Encryption works with CommonCryptoLib in parallel to the SSO configuration.
  And Valerie was right with 2. SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC Name into an SPN, was my mistake. In addition SNC Client Encryption starting from Version 1 SP1 PL1 does this also.. just to make this clear
  Thread closed hope this helps someone
  Carsten

• How to create Logon groups for JAVA Systems

  Hi,
  I am implementing an BI JAVA Landscape. We do have 1 Central Instance(CI) and 2 Dialog Instances (DI) JAVA Standalone. Everything based on NW04s
  I have set up a Web Dispatcher to do a load balancing. The Web Dispatcher is connected to the Message Server (MS) of the JAVA CI to get all the information about the Engines.
  I am now looking to create Logon groups to distibute the load according the application used applications. I am not sure if there is a possibility to set up logon groups (server groups) directly somewhere in the J2EE engine, or if I have to set this up in the WebDispatcher konfiguration files?!
  Thanks in advance and best regards,
  Dominik

  We're trying to do something similar with NetWeaver CE 7.1.
  According to [this documentation|http://help.sap.com/saphelp_nwce10/helpdata/en/45/3dbe11a82b6bf1e10000000a1553f6/frameset.htm] there are 3 steps to doing this for NetWeaver CE 7.1:
  1. Logon Groups
  2. Web Dispatcher profile changes
  3. HTTP Provider property changes
  We've set up a Logon Group in the NetWeaver nwa and associated the two instances (one host) with it.
  "[Configuring Logon Groups Using Configuration Files|http://help.sap.com/saphelp_nwce10/helpdata/en/45/3c3f0cad9f4c2de10000000a1553f6/frameset.htm]" says: "...to create the files using HTTP Provider service."
  There it doesn't say exactly how to generate those 3 text files; it says: "1. Create the icrgroups.txt and urlinfo.txt files that define the logon groups. For more information, see the documentation of SAP Web Dispatcher." ; but, has no link to what it says to see.  So, I manually go to ["SAP Web Dispatcher", "Assigning Logon Groups"|http://help.sap.com/saphelp_nwce10/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm].  But, it all pretty much breaks down there because it's referring to apparently non-NetWeaver CE 7.1 stuff (as near as I can tell); for instance, how do the transactions SMLG and SICF relate to NetWeaver CE 7.1, or am I in the wrong place?
  I tried to press ahead with files similar to the examples here, but I hit this error in the Web Dispatcher:
  [Thr 5132] *** WARNING => ICT: path prefix /Curam/ not allowed in this context. Only prefix / allowed. [ictxxptab.c 764]
  [Thr 5132] *** WARNING => When a file is specified in wdisp/J2EE/url_map_location only URL prefix '/' is supported. See also SAP note 1033470. [icrxx.c 2925]
  The note reference looks hopeful, but I cannot read it; I get:
  Note 1033470  
  The requested SAP Note is either in reworking or is released internally only
  Does anyone have a copy of this Note or knows if it's helpful?
  Has anyone done this with NetWeaver CE 7.1?
  Tahnks,
  William

• How to create logon group in a JAVA only system?

  We have a JAVA-only CI and several JAVA-only application servers.
  They are all for a single EP7.
  How to make sure that no end EP7 user can use CI ?
  Thanks! Points!

  Hi Jeff,
  You might want to check the following documentation for setting up logon groups on your AS Java environment using NW Administrator tool: <a href="http://help.sap.com/saphelp_nw04s/helpdata/en/a9/775a421b5ec153e10000000a1550b0/frameset.htm">Logon Groups Configuration</a>
  You can also check this <a href="https://www.sdn.sap.com/irj/sdn/thread?threadID=384105">thread</a> which might apply to your environment.
  Hope this helps.
  Regards,
  Joseph

• Connection to ECC with SAP Logon Group failing

  I'm creating a new system connection to an ECC backend using a logon group (transaction SMLG in ABAP stack).  I have created the connection with the wizard as a SAP_R3_LoadBalancing connection and given it the appropriate Group, Logical System Name, Message Server, Remote Host Tppe and SAP Client.  Also I've given it an Alias.
  SSO is working correctly between the portal and ECC.
  The System Connection Tests > Connection Test for Connectors works, as can been seen::
  Test Connection with Connector
    Test Details:
  The test consists of the following steps:
  1. Retrieve the default alias of the system
  2. Check the connection to the backend application using the connector defined in this system object
    Results
  Retrieval of default alias successful
  Connection successful
  However, if I try to connection to this system with the Alias, it fails.  If I change the alias to a system with a standard R3 connection with a specified hostname, it works.  The /etc/services is correct and contains the appropriate entries.  Any ideas?
  Regards,
  Graham

  Hi Srikishan,
  Thanks for the response. When user from CRM logged in another language than EN for eg. FR, clicks on external link in CRM, takes to EN, only if that language FR is not installed in ECC, else it will take to the same language in which CRM user logged in. This cannot be controlled in SSO configuration. Is this correct?
  In case if FR is installed in both the systems, ie CRM and ECC, but user wants to log only to EN when clicked the external link(to ECC) from CRM, how we can configure this, Is any parameter can control or SSO setup configuration available? Please advice.
  Regards,
  Shahul Hameed

• Problem while creating logon group in sapgui

  Dear all,
     To create logon group in SAP GUi, I am trying with group options
  When we hit the generate list with proper entries, in some machines
  It is showing login groups. But in some machine it will show
  sapmsPRD message not reachable or unknown.
              We try with service file (in local machine), we enter
  The port  sapmsPRD 3600 or sapmsPRD 3200
  The above technique is success in some machine in some machine is not.
  Regards,
  satish

  You need to enter in the services file
  sapms<SID>      3600/tcp
  If you use DNS in an active Directory domain you may need to
  ipconfig /flushdns
  to make the local system re-read its service file.
  Markus

• Logon groups not visible/usable

  Hi,
  I'm experiencing problems with using logon groups for load-balancing connections to my NSP 7.01.
  Ultimately I want to create a JCo Connection from my CE 7.1.1 to the ABAP system and CE forces me to use a load-balancing connection using a message server and a logon group. But in order to test the proper configuration of my ABAP system, I'm simplifying the scenario but just attempting to log on to the system via Sapgui with load balancing.
  Here's my setup:
  It's a local scenario where both Sapgui and the AS ABAP reside on the same server.
  The system has SID NSP and SysNr 02.
  The proper services (sapmsNSP 3602/tcp plus sapdp02, sapgw02)  and hosts entries are present on the server.
  Everything else works fine
  The instance knows itself  as tron7661_NSP_02 (I had to correct some errors in the standard installation
  Profile file NSP_DVEBMGS02_TRON7661 contains: rdisp/enqname = tron7661_NSP_02, rdisp/myname = tron7661_NSP_02
  In transaction SMLG, I created a logon group HUGO, assigning instance tron7661_NSP_02 with attribute "Ext. RFC enabled" = true and everything else left blank.
  When I press the "Test" button, I get message "Internal error (SIMULATION:INACTIVE_SERVER)" (Message no. RZ783). I can confirm and save anyway. A green LED is displayed in the "Status" column for my logon group.
  After restarting the server, I would expect the new logon group to be usable when creating a new entry in Saplogon.
  In Saplogon, I choose "Create new entry", connection type "Group/Server Selection", and enter the host name of my message server TRON7661.
  As a result, a single entry "tron7661   (tron7661_NSP_02, DIA UPD ENQ BTC SPO ICM)" appears in the field "Group/Server".
  This entry represents not a logon group, but a single application server.
  (When I try this for other SAP systems and message servers in my landscape, I always get the logon groups configured for this systems plus an entry for the application server.)
  Do you have any idea what might be wrong here?
  Thank you and best regards,
  Thorsten
  P.S.: I have found and reviewed thread /message/208613#208613 [original link is broken] but found nothing helpful in it.

  Hi Raja,
  Thank you very much! -- Thomas' blog solved my problem. It was in fact just a matter of running the report that makes the configured logon group usable.
  Best regards,
  Thorsten

• Configuring Logon groups for JAVA instances using NWA method

  Hello,
  we have a BI dual System landscape ( CI ABAP+ JAVA plus 2 dialog instance ABAP+JAVA, based on NW04s. I have set up a Web Dispatcher to do a load balancing for JAVA instances. I configured the logon groups according this documentation using NWA (http://help.sap.com/saphelp_nw04/helpdata/en/45/3dbe11a82b6bf1e10000000a1553f6/content.htm).
  The following points are still quite unclear for me:
  1. according documentation I should specify the following profile parameters:
  [Define the special HTTP URLs, which SAP Web Dispatcher uses to send to the AS Java to retrieve the logon groups information]
  wdisp/J2EE/group_info_location = [?] /JavaEE/public/icf_info/icr_groups
  wdisp/J2EE/url_map_location = [?] /JavaEE/public/icf_info/icr_urlprefix
  Wich values should i take here actually? These one or /J2EE/icr_groups and /J2EE/icr_urlprefix ?
  2. Also I have to configure (in visual administrator) the GroupInfoRequest and UrlMapRequest properties of the HTTP Provider service running on server processes. They recommend to use /J2EE/icr_groups and /J2EE/icr_urlprefix. Should it be the same values as defined in those profile parameters?
  3. I have defined the instance IDs and exacte Alias in the groups definitions in nwa. Is it possible to proof somehow while using my URL http://<host>:<port>/TestApp~test/<application_resource> either im web dispatcher (traces?) or on a web site on which DI I actually land to be sure that my load balancing works properly and i don't land on my Central Instance?
  Thanks a lot in advance for your advices.
  best regards,
  Polina

  Understood, Install the web dispatcher and configre the ABAP Message Server Port and ms/http_port (T-CODE:SMMS). Test this link
  http://host:port/sap/public/icf_info/icr_groups
  and this would retrieve the list of ABAP (SMLG) cofigured groups.
  For java load balancing, icm of that host will send the incoming requests to JAVA Dispatcher. The load balancing happens on the basis of server nodes and can be found in the web dispatcher session dispatching table.
  There are no necessary parameters required for java load balancing except the number of server nodes you'll hookup to that dispatcher.
  There is an option called service based, where we configure the j2ee hosts to accept the connections for the services which are running but I haven't seen much customers using this option.
  Bottom line: No changes are required for java side and enable the "ext rfc" option for abap logon groups and rest will be taken care by Web Dispatcher.
  Use connection pooling and high timeouts to acheive the better througput and use the SSL termination on Web Disp.

• Logon groups configuration for JAVA instances using NWA method

  Hello guys,
  we have a BI dual System landscape (CI ABAP+ JAVA plus 2 dialog instance ABAP+JAVA, based on NW04s. I have set up a Web Dispatcher to do a load balancing for JAVA instances. I configured the logon groups according this documentation using NWA (http://help.sap.com/saphelp_nw04/helpdata/en/45/3dbe11a82b6bf1e10000000a1553f6/content.htm).
  The following point is still quite unclear for me:
  I have defined the instance IDs (of DIs installed on linux servers) and exacte Alias in the logon groups definitions in NWA. Is it possible to proof somehow (while accessing my URL http://<host>:<port>/TestApp~test/<application_resource> ) either in web dispatcher ->Web Administration Interface(Application Server Monitor ?) or somewhere else on which Dialog Instance I actually land to be sure that my load balancing works properly and i don't land on my Central Instance?
  Thanks a lot in advance.
  best regards,
  Polina

  ok, I have understood what you ment in the first passage Thanks!
  When I put javascript:document.cookie in my Internet Explorer Address Bar i got the following information: 
  PortalAlias=portal; saplb_STD_JAVA=(sapt20p_T20_20)207175450; JSESSIONID=(sapt20p_T20_20)ID1892984750DB11747115157906231437End; saplb_test=(lx003207_T20_20)206509050; saplb_*=(lx003207_T20_20)206509050
  what does here saplb_STD_JAVA mean?
  you can use following URLs to access any particular Java Server node of any server.
  https://<host name>:<https port>/irj/portal;saplb_*=<Java serer node number> https://<host name>:<https port>/irj/portal;sapj2ee_irj=<Java server node number>
  What is the difference between saplb_* and sapj2ee_irj?
  Thanks in advance.
  regards,
  Polina

• Logon Group in a Cluster

  Hi,
  I have CI - 02 on one host and dialog instance -03  on another host.
  I have created a logon group by name public and assigned these 2 instances.
  My question is if one instance got down how the user will automatically switch over.
  It's cluster environment already installed.
  Let me know if u need information.
  Regards,
  Saravanan.S

  Hi,
  If I undestand correctly, you have a CI on cluster (MSCS ?) and a SA on a third host.
  Your logon group includes both the CI and the SA.
  It means that your users are, eithe connected on the CI or the SA.
  With this architecture, you don't have High Availability.
  If you user is connected on the CI and there is a cluster fail over, the user will be disconnected if the CI node failed.
  If your user is conencted on the SA and there is a SA failure, the user is disconncted.
  For HA, it's better to have at least 2 SA on 2 different hosts and to include only the 2 SA in the logon group.
  Regards,
  Olivier

• Define Logon group in Webservice SOAMANAGER configuration

  Hi All,
  I've setup a webservice through an ABAP RFC. This webservice is called from a .NET application. A initial test is done and the webservice is working propperly. For loadbalancing reasons I would like to set the Logon Group when calling this webservice. I think this is done in the SOAMANAGER as it is visible in the SICF transactions. Only I can't edit the Logon group in SICF because the webservice is configured in SOAMANAGER.
  Simply, does anyone know how to set the logon group when configuring a webservice in SOAMANAGER?
  Hope anyone can help.
  Kind regards,
  Koen Schouten

  Hi Schouten,
  As per my assumption you need to configure the below path ?
  Please revert me if this is the requirement which you need.
  Thanks,
  Seshadri.

• About logon groups

  Hi all,
  We are using SAP GUI 710, Here no option(groups) to create logon group for user individually, so how can i create logon group for users? please help me in this regards,
  thanks,
  praveen

  Assuming you have already created the logon groups in SMLG...
  Add sapms<SID> 36xx/tcp to your local services file.
  ex..my system is BP0 00 so...sapmsBP0 3600/tcp
  Then go to Saplogon 7.10 > New Item > User Specified Systems...
  In Connection Type drop down - select Group/Server Selection
  Enter fields...
  Description - Verbage to be presented on the Saplogon Gui screen
  System ID - <your SID>
  Message Server - hostname, full hostname or IP of the SAP Server
  SAPRouter - skip it for now
  Group/Server - press the drop down menu and it should find your logon group(s)
  If not add a SAPRouter string....my format is..
  /M/<hostname, full or IP>/S/<port# - normally 3600>/<logon group name>
  then try the drop down menu from the Group/Server field again...
  Good Luck...
  Jim

• Set FQDN in Logon Group

  Hi Gurus,
  In SMLG - Maintain Logon Groups, is there possible to set fully qualified domain name (FQDN) instead of IP address to Logon Group?
  This is because if I only set the Public IP for this Logon Group, internal user in LAN is not able to use this Logon Group to access R3.
  Anyone has any idea? Please help.
  Thanks,
  HauChee

  Hi Hau,
  (Sorry if Hau is not your first name !)
  It is not possible to enter a FDQN as the help is :
  IP address
  (Numeric) IP address of the application server. This should be specified only if the application host belonging to the instance has to be addressed from the frontend side using a different IP address than that used for communication within the application host. This could be the case if, for example, the communication from application host to application host uses a different network than that used for the communication from the frontend to application host
  I think you need the 2 different saplogon groups AND you need to find a way from the portal to check if the laptop is connected internally or externally. The portal would then choose the right saplogon group :
  Also, I don't really understand the need : I think it would be much nicer for your users to use directly sapgui when connected internally than webgui.
  webgui, IMHO is just an acceptable way to work when not in house.
  Regards,
  Olivier

• URL logon groups are empty in SMMS

  hello,
  i'm trying to configure http load balancing with message server.
  i've created a logon group and assigned it to url webgui in SICF
  it seems to work but in sape note 751873 it is said that logon groups and corresponding urls could be loaded and checked in transaction SMMS using functions via Goto -> Expert functions -> HTTP
  the problem is that, here in SMMS, my url logon groups list is always empty...
  is it normal?
  regards

  Hi Olivier,
  In case you use Integrated ITS in a Portal environment you should have a closer look at notes 1029194 and 1040325.
  Thanks and regards,
  Dieter