CUP 5.3 SP04 SNC Name

Similar Messages

• GRC CUP - How to change SNC Name to lower case during user creation.

  Hi All,
  We are using GRC 5.3. CUP automatically creates user in R3 but SNC p:username'@'DOMAIN.COM is in upper case.
  1. During automated user creation.
  2. How change default DOMAIN.COM to lower case "domain.com"
  Currently we have to manually change is via SU01 after user has been created.
  Thank you
  Regards,
  Jacky

  Sorry please ignore this thread. I got the wrong details. Post cancelled

• How to set the snc name to abap server with IDM?

  HI all:
       I want to set the snc name from IDM , but I didn't konw  which attribute that I would be set.
  I there anyone konw this?
  thanks!

  Hi Shi,
  I'm guessing you don't know which attribute in the MX_PERSON class contains it?
  If this is what you meant, then there isn't a default attribute for that, you can either create one manually or let the synch process create it by enabling "automatic attribute creation" setting for the Identity Store.
  Eric

• No user exists with SNC name

  Hi,
  We have configured the SSO with kerberos, while trying to login getting the below error
  Please advice.
  Regards,
  Sam

  Hello,
  sorry my first answer was wrong (I deleted it).
  Normaly you get no such SNC names with a correct installed Secure Login Client.
  Could you please dump the enviroment variable SNC_LIB and SNC_LIB_64 here?
  best regards
  Alexander Gimbel

• SU01 SNC name update isssue

  Hi Guys,
          I am unable to update SNC name using LSMW recording method by providing USERID and SNC name. No errors found but not updating field. Anybody's help is appreciated
  Thanks
  Kal

  Hello
  Did you manage to solve this problem? I have the same issue with SNC and CUA.

• No user exists with SNC name "p:AD\USERNAME_1"

  Howdy,
  We have a peculiar problem with a user accessing one of our R/3 systems via SNC.
  In AD the user account was copied from USERNAME_1 to USERNAME_2. This has also been reflected in SAP(including the SNC Name). Since the AD change was done the user intermittently sees the following error message when logged onto windows as USERNAME_2 :
  No user exists with SNC name "p:USERNAME_1"  (USERNAME_1 no longer exists in AD or SAP)
  The two questions I haven't been able to answer are :
  1. How can the SAPGui still be trying to use USERNAME_1 to authenticate the user when they are logged onto windows as USERNAME_2?
  2. How could this happen intermittently within the SAME windows session? (would not have believed this was happening if i did not see it with my own eyes!)
  Cheers,
  Kye

  Hi Kye,
  As far as I know you have to set the SNC name at:
  SAPGui: System -> properties -> Network --> something like, p.e:    p:SAPserviceSIDTEST.COM
  The name the user has used when logging into windows must be typed exactly as it is given in SU01, SNC tab. Which in your case seems to be correct.
  When you reproduce the issue, do you see any error in the dev_w* trace files?
  Regards,
  Désiré

• CUP. Requestor Last/First Name autofill

  Dear colleagues!
  My business asked me about possibility of  autofill "Requestor Last/First Name" fields. So if I try to create request, system must fill requestor's fields automaticaly, for example, basing on my login. For my business I answered "No, it's impossible", but I still I have some doubts. Does anybody have assurance in this feature? It is very inconvenient to deprive customer of possibility to choise between auto and handle fill.
  Regards,
  Artem

  Excuse me, Frank, but when I sad "we don't use ldap" I meant that LDAP is using for other aims and managed by my colleagues. That's why I created pseudo-ldap. There is very poor chance that they allow me to make some changes
  Frank Koehntopp wrote:
  You use LDAP mapping to tell CUP which field of an LDAP person entry corresponds to which field in CUP. You have to enter the LDAP attribute names for User ID, first name, last name etc. (example: in AD, User ID usually is samAccountName).
  Regarding to you reply I should ask you, how could I do this mapping?
  In CUP there is no field of Requestor (here is the [list|http://narod.ru/disk/27322767000/list_ACfields.jpg.html])
  Appreciate you for help!

• Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

  Hi!
  One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.
  Example: p:CN=SAP/[email protected]
  The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).
  Important: All users use group entries in the SAP Logon (saplogin.ini). Means, for SAP logon the SNC name can not be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested by the message server each time a SAP GUI connection is started. The SNC Name is greyed out in this case as dynamically obtained from the applications servers profile parameter snc/identity/as.
  Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.
  Replacing the SNC Library on the AS ABAP
  The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is =  p:CN=SAP/[email protected].
  After restarting the system with initialized Secure Login Library 2.0, still the SNC client encryption works fine for existing users.
  The problem
  We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguised Name Fomat: CN=SAP/[email protected] This is to avoid having to change the snc/identity/as to an "real" X.509 DN which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.
  As soon as we install the PSE via STRUST on the system the SNC Client Encryption solution stops working with error „Server refuses kerberos key exchange“.
  As part of an pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. Encryption) to the ABAP system.
  Seems the SAP System now only tries to do X.509 based authentication thus key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP see this post.  
  Any ideas how to solve this and have both solutions in parallel?
  Appreciate any help.
  Regards,
  Carsten

  Hi all,
  we was able to fix the issue. It was an issue with the customers cluster configuration and the  $SECUDIR variable. This tricky issue leads to non working or sporadic working SNC Client Encryption...
  This was how the configuration looks before:
  Environment variable $SECUDIR is defined:
  "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec“
  sapgenpse seclogin -l -v
  running seclogin with USER="<SID>adm"
  Credentials for username '<SID>adm':
  0 (LPS:OFF):
           (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
  1 (LPS:OFF):
           (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
  After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec“ and re-creating the credentials, it worked like a charm.
  As a result of this we can confirm, this configuration and SNC Client Encryption works with CommonCryptoLib in parallel to the SSO configuration.
  And Valerie was right with 2. SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC Name into an SPN, was my mistake. In addition SNC Client Encryption starting from Version 1 SP1 PL1 does this also.. just to make this clear
  Thread closed hope this helps someone
  Carsten

• Configure SSO for ITS to R/3 using SNC/Kerberos

  Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library.  I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name.  That seems to work fine.  From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate.  However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
  I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
  =====================================================
  [Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
  [Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
  [Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
        gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
  [Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
  [Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
  [Thr 2888] Sun Jan 15 22:44:59 2006
  [Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
  [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
  [Thr 2888] Sun Jan 15 22:45:29 2006
  [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
  =====================================================
  Does anyone know what am I missing?  Any help is greatly appreciated.
  Thank you!
  Diem

  Hi Markus,
  I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS).  Does that sound right to you?
  I tried both options for ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detail information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication? 
  I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem. 
  To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
  Thank you very much for all your help.
  Diem Tran
  Trace:
  =====================================================
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
  2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
  2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
  2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
  =======================================================

• User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

  I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
  I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
  Situation:
  We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
  and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
  Now if you want to integrate a JAVA (J2EE) Sytem and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
  1.) It is possible to assign manually the user public key to every user --> But to much effort
  2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
  3.) In the distinguished name of the user certificate there is no information about the SAP username itself
      --> you are not able to use any information of the DN to bind a user in the Login Module configuration.
  Now my question:
  Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
  As i know, it is possible to write an own Login Module. Does anybody has a customized Login module for this issue?
  At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

  We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user  to use, and can update shared state with this info so that CreateTicketLoginModule will created an SSO2 ticekt for the mapped SAP user id.
  This means that mapping of users externally authetnicated identity onto SAP user/client can be managed in one place, e.g in ABAP stack using USRACL table entires and su01 t-code etc.
  I know it is not exactly what you wanted, since you are looking to use x.509 certifiates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemeneted many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
  Thanks,
  Tim

• SAP SNC Server Side Trust Setup Problems

  Single Server BOE instalation of BOE 3.1 SP4 to Windows 2008 R2 machine
  Sap version 720 Patch level 7
  We have used kbase article 1500150 and 1396213 to run thorugh the configuration and testing and all has checked out.
  We are unable to have the "roles" returned when any "DN" value is entered in the SNC name entry in the entitlement systems tab.
  We have turned on RFC tracing and have run the JCO test  The RFC trace file is below followed by the JCO test information.  JCO test was run twice, once with each DN just to make sure.
  Please help
  =======================RFC TRACE===========================
  ERROR file opened at 20111116 174146 Eastern Standard Time, SAP-REL 720,0,93 RFC-VER 3  MT-SL
  T:3988 Error in program 'CMS': ======> SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
  Connect_PM  GWHOST=torsbid01.cpr.ca, GWSERV=sapgw00, SYSNR=00
  LOCATION    CPIC (TCP/IP) on local host with Unicode
  ERROR       GSS-API(maj): No credentials were supplied
              GSS-API(min): No credentials found for this name (not logged
              on) (USER
              name="p:CN=BOEDEV, OU=BOBJ, O=CPR, C=CA"
  TIME        Wed Nov 16 17:41:46 2011
  RELEASE     720
  COMPONENT   SNC (Secure Network Communication)
  VERSION     5
  RC          -4
  MODULE      sncxxall.c
  LINE        1439
  DETAIL      SncPAcquireCred
  SYSTEM CALL gss_acquire_cred
  COUNTER     55
  T:2800 Error in program 'CMS': ======> SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
  Connect_PM  GWHOST=torsbid01.cpr.ca, GWSERV=sapgw00, SYSNR=00
  LOCATION    CPIC (TCP/IP) on local host with Unicode
  ERROR       GSS-API(maj): No credentials were supplied
              GSS-API(min): No credentials found for this name (not logged
              on) (USER
              name="p:CN=BOEDEV, OU=BOBJ, O=CPR, C=CA"
  TIME        Wed Nov 16 17:41:46 2011
  RELEASE     720
  COMPONENT   SNC (Secure Network Communication)
  VERSION     5
  RC          -4
  MODULE      sncxxall.c
  LINE        1439
  DETAIL      SncPAcquireCred
  SYSTEM CALL gss_acquire_cred
  COUNTER     4
  T:4760 Error in program 'CMS': ======> SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
  Connect_PM  GWHOST=torsbid01.cpr.ca, GWSERV=sapgw00, SYSNR=00
  LOCATION    CPIC (TCP/IP) on local host with Unicode
  ERROR       GSS-API(maj): No credentials were supplied
              GSS-API(min): No credentials found for this name (not logged
              on) (USER
              name="p:CN=BOEDEV, OU=BOBJ, O=CPR, C=CA"
  TIME        Wed Nov 16 17:41:46 2011
  RELEASE     720
  COMPONENT   SNC (Secure Network Communication)
  VERSION     5
  RC          -4
  MODULE      sncxxall.c
  LINE        1439
  DETAIL      SncPAcquireCred
  SYSTEM CALL gss_acquire_cred
  COUNTER     3
  ========================JCO TEST=======================
  E:\BusinessObjects\javasdk\bin>java -classpath E:\BusinessObjects\Tomcat55\share
  d\lib\sapjco.jar com.sap.mw.jco.support.JRfcTest
             SAP JCo Client Test             *
                   Possible SAP JCo-Tests
                    1. RFC_SYSTEM_INFO
                    2. CONNECTION
                    3. PERFORMANCE
                    4. INHOMOGENEOUS STRUCTURE/TABLE
                   15. TRANSACTIONAL RFC
                   99. Exit
                 Your Choice....... :2
                        SAP JCo TEST - CONNECTION TEST
                        Send message and wait for ECHO/INFO
                 CONNECTION PARAMETERS:
                   Server is R/2, R/3 or External (2/3/F/E): 3
                   Use load balancing (Y/N)Y...............: Y
                   R/3 system name.........................: BIN
                   Message server..........................: binmain
                   Selected group..........................: PUBLIC
                   Working with SNC (Y/N)N.................: N
                 RFC-SPECIFIC PARAMETERS:
                   Working with ABAP debugger (Y/N)N.......: N
                   Use SAPGUI (Y/N)N.......................: N
                   RFC trace (Y/N)N........................: N
                   JCo trace level (0-10)..................: 0
                 SAP LOGON DATA:
                   Client..................................: 000
                   UserID..................................: SAPCPIC
                   Password................................: XXXXXX
                   Language (E)............................: E
                 #Calls of this JCo Test...................: 1
                 Do You Want To Test With These Parameters (Y/N).. :N
                 CONNECTION PARAMETERS:
                   Server is R/2, R/3 or External (2/3/F/E): [3] :3
                   Use load balancing (Y/N)Y...............: [Y] :N
                   Host name of an application server......: [binmain] :torsbid01.
  cpr.ca
                   System number...........................: [53] :00
                   Working with SNC (Y/N)N.................: [N] :Y
                   SNC Library Name........................: [C:\Program Files\SEC
  UDE\SECUDE for R3\secude.dll] :E:\SAP\Crypto\sapcrypto.dll
                   SNC name of partner program.............: [s:sample@hs0335] :p:
  CN=BOEDEV, OU=BOBJ, O=CPR, C=CA
                 RFC-SPECIFIC PARAMETERS:
                   Working with ABAP debugger (Y/N)N.......: [N] :N
                   Use SAPGUI (Y/N)N.......................: [N] :Y
                   Automatically invisible SAPGUI (Y/N)N...: [N] :Y
                   RFC trace (Y/N)N........................: [N] :Y
                   JCo trace level (0-10)..................: [0] :10
                 SAP LOGON DATA:
                   Client..................................: [000] :200
                   UserID..................................: [SAPCPIC] :Crystal
                   Password................................: [******] :Welcome1
                   Language (E)............................: [E] :
                 #Calls of this JCo Test...................: [1] :
                 Do You Want To Test With These Parameters (Y/N).. :y
  >>>>>>>>>>>>>>>> SAP JCo TEST - CONNECTION TEST >>>>>>>>>>>>>>>>
  main [18:02:41:758]: [JAV-LAYER] INFO: JCo version is 2.1.10 (2011-05-10)
  main [18:02:41:758]: [JAV-LAYER] JCO.setProperty("jco.trace_level", "10")
  main [18:02:41:758]: [JNI-LAYER] RFC.nativeSetTraceLevel()                with r
  c = RFC_OK   leave, [SUCCESS]
  main [18:02:41:758]: [JAV-LAYER] JCO.setProperty("jco.trace_path", ".")
  Stack trace of call to JCO.setProperty("jco.trace_path", ".")
          at com.sap.mw.jco.JCO.setProperty(JCO.java:554)
          at com.sap.mw.jco.JCO.setTracePath(JCO.java:791)
          at com.sap.mw.jco.support.JRfcTest.correctProperties(JRfcTest.java:1047)
          at com.sap.mw.jco.support.JRfcTest.initCall(JRfcTest.java:1074)
          at com.sap.mw.jco.support.JRfcTest.runConnectionTest(JRfcTest.java:737)
          at com.sap.mw.jco.support.JRfcTest.main(JRfcTest.java:203)
  E:\BusinessObjects\javasdk\bin>java -classpath E:\BusinessObjects\Tomcat55\share
  d\lib\sapjco.jar com.sap.mw.jco.support.JRfcTest
             SAP JCo Client Test             *
                   Possible SAP JCo-Tests
                    1. RFC_SYSTEM_INFO
                    2. CONNECTION
                    3. PERFORMANCE
                    4. INHOMOGENEOUS STRUCTURE/TABLE
                   15. TRANSACTIONAL RFC
                   99. Exit
                 Your Choice....... :2
                        SAP JCo TEST - CONNECTION TEST
                        Send message and wait for ECHO/INFO
                 CONNECTION PARAMETERS:
                   Server is R/2, R/3 or External (2/3/F/E): 3
                   Use load balancing (Y/N)Y...............: Y
                   R/3 system name.........................: BIN
                   Message server..........................: binmain
                   Selected group..........................: PUBLIC
                   Working with SNC (Y/N)N.................: N
                 RFC-SPECIFIC PARAMETERS:
                   Working with ABAP debugger (Y/N)N.......: N
                   Use SAPGUI (Y/N)N.......................: N
                   RFC trace (Y/N)N........................: N
                   JCo trace level (0-10)..................: 0
                 SAP LOGON DATA:
                   Client..................................: 000
                   UserID..................................: SAPCPIC
                   Password................................: XXXXXX
                   Language (E)............................: E
                 #Calls of this JCo Test...................: 1
                 Do You Want To Test With These Parameters (Y/N).. :n
                 CONNECTION PARAMETERS:
                   Server is R/2, R/3 or External (2/3/F/E): [3] :3
                   Use load balancing (Y/N)Y...............: [Y] :N
                   Host name of an application server......: [binmain] :torsbid01.
  cpr.ca
                   System number...........................: [53] :00
                   Working with SNC (Y/N)N.................: [N] :Y
                   SNC Library Name........................: [C:\Program Files\SEC
  UDE\SECUDE for R3\secude.dll] :E:\SAP\Crypto\sapcrypto.dll
                   SNC name of partner program.............: [s:sample@hs0335] :p:
  CN=BOEDEVSERVER, OU=BOBJ, O=CPR, C=CA
                 RFC-SPECIFIC PARAMETERS:
                   Working with ABAP debugger (Y/N)N.......: [N] :N
                   Use SAPGUI (Y/N)N.......................: [N] :Y
                   Automatically invisible SAPGUI (Y/N)N...: [N] :Y
                   RFC trace (Y/N)N........................: [N] :Y
                   JCo trace level (0-10)..................: [0] :10
                 SAP LOGON DATA:
                   Client..................................: [000] :200
                   UserID..................................: [SAPCPIC] :Crystal
                   Password................................: [******] :Welcome1
                   Language (E)............................: [E] :
                 #Calls of this JCo Test...................: [1] :
                 Do You Want To Test With These Parameters (Y/N).. :y
  >>>>>>>>>>>>>>>> SAP JCo TEST - CONNECTION TEST >>>>>>>>>>>>>>>>
  main [18:04:58:041]: [JAV-LAYER] INFO: JCo version is 2.1.10 (2011-05-10)
  main [18:04:58:041]: [JAV-LAYER] JCO.setProperty("jco.trace_level", "10")
  main [18:04:58:041]: [JNI-LAYER] RFC.nativeSetTraceLevel()                with r
  c = RFC_OK   leave, [SUCCESS]
  main [18:04:58:041]: [JAV-LAYER] JCO.setProperty("jco.trace_path", ".")
  Stack trace of call to JCO.setProperty("jco.trace_path", ".")
          at com.sap.mw.jco.JCO.setProperty(JCO.java:554)
          at com.sap.mw.jco.JCO.setTracePath(JCO.java:791)
          at com.sap.mw.jco.support.JRfcTest.correctProperties(JRfcTest.java:1047)
          at com.sap.mw.jco.support.JRfcTest.initCall(JRfcTest.java:1074)
          at com.sap.mw.jco.support.JRfcTest.runConnectionTest(JRfcTest.java:737)
          at com.sap.mw.jco.support.JRfcTest.main(JRfcTest.java:203)
  E:\BusinessObjects\javasdk\bin>
  Edited by: Joseph Borojevic on Nov 17, 2011 12:07 AM

  The error in the logs:  u201CNo credentials found for this name (not logged on)u201Du201D  usually is a  problem with case.
  We used the sapgenpse get_my_name command and found that the id being referenced was being pulled incorrectly with wrong case. 
  The problem was the ID we logged into the remote sesison into the windows server with. 
  That ID is the ID that the commands are run under.
  The sapgenpse seclogin u2013p BOESERVER.pse command takes the ID of the user you are logged into the session with. 
  We re-ran the command when logged in with the user with the correct case and it worked

• SNC BOBJ SAP

  Hi
  I've connected server-side trust for BOBJ and SAP BI from documentation and generated .crt and .pse files.
  Does anyone know how to verify that it works ok?
  Is it from web intelligent? Like Single sign on directly to SAP?
  regards Jacob

  Hi,
  configuring the SAP authentication in the CMC with SNC does not validate it as you are only configuring Server side trust.
  if you are able to schedule a Web Intelligence report with SSO configured in the Universe and it works - then it is correct.
  You can also trace the details and you should see something like this in the trace:
  ASHOST=<server> SYSNR=XX CLIENT=XXX LANG=EN SNC_MODE=1 SNC_QOP=9 SNC_LIB=<path> SNC_PARTNERNAME=<snc name> SNC_MYNAME=<SNC Name> EXTIDTYPE=UN EXTIDDATA=<user name>
  Ingo

• Share an Epson C86 with a PC using CUPS on Snow Leopard 10.6.3

  Hi,
  I used to do this a lot in previous version of OS X but I am stuck with X.6.3.
  I would create a printer in OS X. Share it in the pref panel. Then would co in CUPS and find the queue name.
  Then I would go on a PC. Add a PS printer (Apple laserwriter or similar) create a TCP port and point it to the mac IP and queue name found in CUPS.
  Would always work like a charm. Even on Mac OS 7.5 and up....
  Can't get to print. Windows can't print to the shared printer in X.6.3. I do not want to use Bonjour for this. LPR used to work.
  Questions :
  Does CUPS 1.4.3 still support LPd/LPR on OS X. The documentation of CUPS says so...but does SL let it in?
  If not, how to enable it?
  Now I get a forbidden message when I try to access the admin section of CUPS sine I upgraded to X.6.3.
  Any help would be appreciated....because this is a no go to upgrade to SL...
  Thanks!

  eteen wrote:
  I resolbed the acces to the admin page. On X.6.2 and less, Icould acce the CUPS interface with my IP address recived from my router ex: 192.168.0.100.
  On x.6.3 I need to use localhost to acces the admin page.
  I've always used localhost (127.0.0.1) to access the CUPS page. Using the assigned IP has always been an issue Tiger, Leopard and now Snow.
  The terminal did accept the command but no printing using lpd lpr.
  I finally used IPP pri ting with succes.
  Lpd was the only way I could use my inkjet printer on OS 9 and less.
  If anyone has a way to reenable it on X.6.3 that would be welcome.
  Good to read that you got it working with IPP.
  I'm not sure that anything additional needs to be re-enabled for LPD/LPR to work. For a standard install of 10.6.3, after adding LPD to the "Browse Local Protocols" command via Terminal, I was able to print to my shared Canon MP980 inkjet from XP SP3.
  Maybe someone else can offer some insight...

• Setting bwcepubsvc.exe for SNC

  I was having trouble running my BW Publisher in SNC mode and found when i enabled my trace=1 in the registry that the service was NOT running in SNC mode from the output of the trace.
  In part the trace showed:
  Trace file opened at , SAP-REL 640,0,117 RFC-VER 3 815402 MT-SL
  *> RfcAcceptExt: -aMY_PROG_ID -gaersnd02.mycomp.com -xsapgw06 
  *> RfcInstallUnicodeStructure
  So, I am trying to find out how I can set the service to feed in SNC params.
  I looked at the registry entry and it does not have any SNC entries there.
  I'm wondering if I can add them to the registry or feed them through the bwcepubsvc.exe service properties in the Central Config Manager.
  Anyone see this before?
  Mike

  Ingo,
  Thanks for that input. I can see in the trace file that the program is picking up my values and trying to apply them.
  In my trace rfcxxxxxx.trc I see:
  *> RfcAcceptExt: "C:\Program Files\Business Objects\Common\3.5\bin\bwcepub.exe"
  -aMY_PROG_ID
  -gaersnd02.mycomp.com
  -xsapgw06
  -Lc:\windows\system32\gsskrb5.dll
  -Sp:fcabc821/@xyz.us.mycomp.com
  *> RfcRegisterProgram ...
  Server Program ID     = MY_PROG_ID
  Host name of Gateway  = aersnd02.mycomp.com
  Service of Gateway    = 3306
  RFC-Trace             = OFF
  SNC Own Name          = p:fcabc821/@xyz.us.mycomp.com
  SNC Library Name      = c:\windows\system32\gsskrb5.dll
  RFC Handle            = 1
  In my dev_rfc.trc I see:
  ERROR file opened at , SAP-REL 640,0,117 RFC-VER 3 815402 MT-SL
  T:9528 Error in program 'Dummy': <* RfcWaitForRequest [1] : returns 1:RFC_FAILURE
  And of course the tests in SM59 and /crystal/rptadmin fail as well.
  Questions:
  1) the SNC users manual says that snc_lib and snc_mode are required entries. snc_name is optional. You didn't give me params for snc_mode. I'm wondering why and are there other params that can be specified as well?
  2) the -S<SNC name for publisher> I am using is p:fcabc821/@xyz.us.mycomp.com which is the domain account and is the user found on the properties of the service bwcepubsvc.exe. Is this the same name that should be on the SM59?
  Thanks for your help. I think we are getting closer. Please advise.
  Mike

• SNC setup for connection SAPGUI - ABAP (no SSO)

  Hello Experts,
  I am trying to set up SNC for our ABAP systems (Web AS 7.0). The goal of this setup for now is to be able to secure the connection between SAP GUI (generally running on Win XP clients) and the ABAP systems (HP-UX).
  When I was looking through all the documentation and threads I mostly found issues regarding the setup of SSO combined with SNC. But we don't want to setup SSO (at least no right now), we only want to secure the channel and have the user log in just like he always does (w/ Username & PW).
  I have performed the following steps so far:
  - Created the SNC PSE (in <i>STRUST</i>, I used "<SID>snc" for DN, self-signed)
  - Installation of SAP Cryptolib
  - Updated profile with SNC parameters (along with environment variable <i>SECUDIR</i>)
  The system started up correctly but when I tried to logon using SNC I first got the error message "<b>Unable to load sncgss32.dll</b>". For this case I renamed the sapcrypto.dll file on the client system (where the GUI is located) to sncgss32.dll and copied it into the SYSTEM32 folder. I have also set the environment variable “SNC_LIB” to “sncgss32.dll”. After this was done, a new error message started to pop, saying that <b>”No credentials are supplied”</b>.
  My questions are the following:
  - I have read something about not using the Cryptolib for the Win XP clients and use GSSKRB5.dll instead. Is this also required when I don't want to setup SSO? And if yes, where will I get that file?
  - Do I have to create the credentials for the SNC? (with the SAPGENPSE program)
  - Is the SNC PSE Password required for any of the steps?
  - Is there anything necessary to be setup in SU01 in the SNC-tab for my purpose? I have read a lot about the SNC-Name but I am not really sure if it only affects SSO-aspects…
  - Or are there any other steps I am missing?
  Thanks in advance,
  Best regards,
  Jan Kaps

  > I am trying to set up SNC for our ABAP systems (Web AS 7.0).
  > The goal of this setup for now is to be able to secure the connection between SAP GUI (generally running on Win XP clients)
  > and the ABAP systems (HP-UX).
  >
  > When I was looking through all the documentation and threads I mostly found issues regarding the setup of SSO
  > combined with SNC. But we don't want to setup SSO (at least no right now), we only want to secure the channel
  > and have the user log in just like he always does (w/ Username & PW).
  Well, then I have bad news for you: that's not possible.
  Reason: SNC is based on GSS-API and that defines the philosophy: you can choose between certain Quality-of-Protection (QoP) levels which are:
    1. authentication only
    2. authentication + data integrity
    3. authentication + data integrity + confidentiality
  As you can see: there is no way to have "data integrity + confidentiality" without having "authentication". That's different from SSL where you basically have two QoP levels:
     1. server authentication + data integrity + confidentiality
     2. mutual authentication (server + client) + data integrity + confidentiality
  You can also see: using SNC does <u>not</u> necessarily mean that the data is encrypted (confidentiality).
  Regards, Wolfgang