Kerberos to JDBC user mapping

Similar Messages

• Users mapping between EP and ABAP system

  Hello
  I'd like to ask for some guidance in my quest
  Current situation looks like this:
  I've configured UME in AS Java to work with LDAP as read only data source. Then I've configured SPNego to run SSO - It works, users from MS AD can log into portal.
  Now I have application in WD which authorizes via EP/AD - works fine.
  And next step is users mapping between AD and ABAP backend (serving some BAPI's for WD app)
  I've found a bunch of help pages starting from
  http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
  But somehow it's quite complicated to achieve this mapping. I've tried to set RFC destinations logon type to user mapping but without succes.
  Can anyone point me to some more clear example or give path to configure this scenario? Is there a way of configuring this with NWA or some XML file editing is required?
  Any help will be appreciated.
  BTW: whole environment is in version 7.11
  Best regards
  Maciej

  There is no equivalent to SPNEGO on the ABAP side.
  If your goal is to propagate the user, then possible options are:
  -> Wait for SAML 2.0 or invest now in a SAML 1.0 provider.
  -> Use the same kerberos ticket for the EP as what your ABAP system will accept: route = SNC and 3rd party libraries.
  -> Issue SAP logon tickets for the ABAP system from the EP, and use these in your WDA.
  Another option is to expose the service with saved logon data in the ICF. If the service is just a wrapper for the BAPI, then you can also consider using trusted RFC between the service and the backend, but this might not be acceptable for your service.
  I have only done experimental stuff with this and some of the above is not released yet. Also consider the consequences, even if it "does work"...
  Cheers,
  Julius

• Authorizations required in Communication Channel for JDBC Lookup mapping

  Is there of list of required authorizations and or patch needed to use a JDBC Lookup in a message mapping?  We are using PI 7.1, and trying to use the new JDBC Lookup feature.  We currently have a user that is not an ower of the DB tables, this does work in our current solution of using UDFs, but we would like to avoid switching it to a user that has full access on the tables, e.g. SAPXI*
  Current environment: PI 7.1 (not EhP1)
  Thanks,
  Matt

  Do you know what those authorizations should be when using a standard JDBC Lookup mapping function?  Currently we have a custom UDF that calls the table via a <schema>.<table name> and the current user in the Receiver Comm Channel works just fine.  It appears that when using the standard SAP JDBC Lookup function it calls the table directly and the user in the Comm Channel no longer has the correct permissions.
  I would expact that the JDBC Lookup function would allow for a standard "Read" on any table as long as the user has that level of access...but not in this case.  I am going to bring it up to our SAP XI software development team and see what they say, but wanted to get some views from our other experts as well.
  Thanks,
  Matt

• User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

  I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
  I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
  Situation:
  We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
  and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
  Now if you want to integrate a JAVA (J2EE) Sytem and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
  1.) It is possible to assign manually the user public key to every user --> But to much effort
  2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
  3.) In the distinguished name of the user certificate there is no information about the SAP username itself
      --> you are not able to use any information of the DN to bind a user in the Login Module configuration.
  Now my question:
  Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
  As i know, it is possible to write an own Login Module. Does anybody has a customized Login module for this issue?
  At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

  We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user  to use, and can update shared state with this info so that CreateTicketLoginModule will created an SSO2 ticekt for the mapped SAP user id.
  This means that mapping of users externally authetnicated identity onto SAP user/client can be managed in one place, e.g in ABAP stack using USRACL table entires and su01 t-code etc.
  I know it is not exactly what you wanted, since you are looking to use x.509 certifiates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemeneted many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
  Thanks,
  Tim

• SAML AS JAVA user mapping. Can table VUSREXTID On AS ABAP be leveraged?

  The documentation on the SAML AS java user mapping refers to Mapping SAML Principals to SAP J2EE Engine User IDs - User Authentication and Single Sign-On - SAP Library custom development. In my case the users are managed on the AS ABAP system. Can I leverage the ABAP mapping mechanism using VUSREXTID, similar to the user mapping on the ABAP AS Mapping SAML Principals to AS ABAP User IDs - User Authentication and Single Sign-On - SAP Library without building my own java program?

  We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user  to use, and can update shared state with this info so that CreateTicketLoginModule will created an SSO2 ticekt for the mapped SAP user id.
  This means that mapping of users externally authetnicated identity onto SAP user/client can be managed in one place, e.g in ABAP stack using USRACL table entires and su01 t-code etc.
  I know it is not exactly what you wanted, since you are looking to use x.509 certifiates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemeneted many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
  Thanks,
  Tim

• SSO to Exchange without user mapping

  I have Exchange configured for collabration groupware integration, and it works fine. I can get my calander entries without a problem when I have a user mapping set for the Exchange Transport. I have SSO enabled using the iis_proxy.dll authenticating via Active Directory also without a problem. I can also connect to OWA without any issue. The only thing I don't like is that I need a user mapping for the calander availabity.
  Does anyone know of a way to make this more automatic? I don't want the users to need to maintain their own mappings.

  We are in the exact same situation. I thought that the SSO22KerbMap ISAPI filter would do just that but the user mapping is required no matter what, unless I'm missing something in my config. The Exchange and Active Directory users are the same so a user mapping should not be required.

• How to set/get the values thru Wedbynpro coding for User mapping fields

  Hi All
  In system object we have the user mapping fields like District,city,plant,Salesmanager.
  now we want to set/get the values of these usermapping fields of system object thru webdynpro coding...
  if anybody have sample codes of the same then it would be great help to me
  Thanks in advance
  Thanks
  Trisha Rani

  Hi Kavitha
  Thanks for your reply
  My requirement is exactly as follows.
  1) i have created one portal system object in system administration and also i created usermapping fields in the system object from the usermanagement  in system object.
  i created the user mapping fields like Plant,SalesManager,District etc.
  i also created the system alias name for the same system object
  2)  Now i came to persoanlize link and mapped the system object to the portal user.
  while mapping to the system object we need to enter Mapping userId, Password , once we enter these values and we can also enter the values of usermapping fields which we defined while creating the system object ( for example District,Salesmanager,Plant etc)
  once we enter all the values and click on save then these usermapping  values to be mapped to the portal user.
  3) Now my requirement is , i  want to control the usermapping field values thru webdynpro coding for setting/getting the values.
  I need sample code of the same.
  Please let me know if u need more details on the same.
  Thanks
  Trisha Rani

• SSO and User Mapping at same time

  Hi,
  Can we use SSO and User mapping at same time between Portal and SAP Backend system?
  For some of the users the user id is different in both end.
  After implementing the SSO... Will it affect the existing user mapping? and the system alias created for that?
  If not, Can we use both SSO and user Mapping same time?
  Thanks,
  VB

  Hi VB,
  In this case I suggest you create 2 systems one you might have created for users who are having common user ids in portal & at the backend system.
  For the users whose ids are defeering you can create reference system and in user managemant property of that system
  Authentication Ticket Type - Select -SAP Logon TicketSAP Assertion Ticket
  Logon Method -  UWPW
  User Mapping Fields -  {100,200,300}Client;Language
  where 100,200,300 are the clients of the backend system.
  Assign this system in the ivews.
  Thanks,
  Vishal

• User Mapping to R/3 - admin.pwdprotection=false but still pwd field appears

  <br />
  Hello All,<br />
  I am doing SSO using user mapping to R/3 system from Portal as the ids are different for Portal and R/3.<br />
  I can access a transaction iview from R/3 successfully using user mapping(in SSO) but the problem is everytime a user changes his R/3 password, the mapped password is to be changed in Portal.Otherwise, unable to access transaction iview.<br />
  1) I have changed the property ume.usermapping.admin.pwdprotection=false in configtool but still in User Admin > User mapping for system access , the password field is populated and while accessing the R/3, the password is being verified. I have seen in another system where the password field is not being asked after modifying the property to false, only id field is present. From the end user, under Personalize > User Profile > User Mapping for system, no systems are present as expected for mapping. Logon method in system is uidpw and mapping type is "Admin".<br />
  Versions - Portal is NW7.0 SP18 and ECC is .0 EhP3.<br />
  anybody faced the same problem? Is there a note to fix it?<br />
  2)Also, in the User Admin > User mapping for system access , in the dropdown I can see the system aliases I have created in systems but not in System admin> sys config > Ume config > under User Mapping , I do not find any reference system. <br />
  After first restart it was not there, after some time it has come, later it was coming as configured but invalid beside the system in braces in dropdown like abc(configured but invalid). Once I unselected, now it is no more available in dropdown.<br />
  3) I have used diagtool to identify the problem. In the ticket, how do I see the mapped user?<br />
  I am seeing only the following details.From the log - <br />
  The created ticket is: <br />
  [ [Ticket [initialized]<br />
    Ticket Version  = 0<br />
    Ticket Codepage =  (Encoding=1100)<br />
    User = 121444<br />
    Issuing System ID     = EPD  ( Portal name)<br />
    Issuing System Client = 000<br />
    Creation Time = 200905150649<br />
    Valid Time    = 8 h 0 min<br />
    Signature (length=261 bytes)<br />
    InfoUnit id=32, name=portal_user, content=portal:121444, length=16<br />
    InfoUnit id=136, name=authscheme, content=basicauthentication, length=19<br />
    InfoUnit id=1, length=9<br />
    InfoUnit id=2, length=3<br />
    InfoUnit id=3, length=3<br />
    InfoUnit id=4, length=12<br />
    InfoUnit id=5, length=4<br />
    InfoUnit id=10, length=9<br />
  ]. <br />
  Authentication stack: [ticket].<br />
  <br />
  Does this have an entry for mapped user of target R/3 system also?<br />
  If I am not finding the userid/pwd in ticket, how is SSO working? based on user mapping only?<br />
  Thanks,<br />
  Isvarya<br />

  Thanks Anja for the quick response.
  My primary objective is to use SSO with logon tickets to backend which is independent of user passwords.
  regarding 1)
  From the link -
  http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
  Features
  ●      Either users or administrators can perform user mapping.
  ¡        Users must always enter a password to validate their mapped user ID.
  This password is not stored, but is used to confirm that the user is entering a user ID with which he or she has access to the ABAP-based system.
  ○       Administrators can enter a password to validate their entries.
  The UME property ume.usermapping.admin.pwdprotection defines whether or not the administrator must enter a password. By default the administrator must enter one.
  is also in the same lines.
  But as per the SAP library link, I do not find a reference system  because of problem 2 in the initial post.
  Also, I have a screenshot of user admin where the password field itself is not present. If you can share your email id, I will send the scrnshot without pwd and mine with password.
  2)I have seen this note. But, none of the 3 cases mentioned are applicable to me..user mapping is working just fine..Only reference system is not populated. 
  3) Becuase of 1, I was expecting to see mapped id alone or mapped id along with system name in logon tickets.
  Thanks for the response.

• Authenticating agains AD with Kerberos, by a user with an explicit UPN

  Hello
  My situation :
  I have a 2008 functionnal level domain with a technical name, lets say tec.domain.com
  I have for this domain configured an alternate UPN : domain.com (that is only a DNS domain name, not an existing AD domain)
  My users have a SamAccountName like j.doe and a UPN like [email protected] (which is their email address, on our Exchange organization)
  Now, from a Linux server (running Apache and kerberos), i can do a kinit with [email protected], but not with [email protected]
  When i capture trafic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.
  According to this article ( http://msdn.microsoft.com/en-us/library/Cc212351.aspx ) , my DC should be able to handle it, as far as i understand it.
  Am i missing something ?
  Thanks in advance.

  Hi,
  Thanks for your post.
  It seems like you could not enable Kerberos authentication for users logon using their alternative UPNs.
  Please refer to the similar thread:
  Authenticating to Active Directory using an alternate UPN
  http://social.technet.microsoft.com/Forums/en-US/f93e23d7-e910-4ae7-96ba-3a8038766f9f/authenticating-to-active-directory-using-an-alternate-upn?forum=winserverDS
  Regards.
  Vivian Wang

• Portal Runtime Error while performing User Mapping  to SAP SRM

  Please find below the error I received while User Mapping from  Enterprise Portal to SAP SRM :
  Portal Runtime Error
  An exception occurred while processing a request for :
  iView : pcd:portal_content/administrator/super_admin/super_admin_role/com.sap.portal.user_administration/com.sap.portal.user_mapping/com.sap.portal.userMappingAdmin/com.sap.portal.userMappingAdmin
  Component Name : com.sap.portal.usermanagement.admin.UserMappingAdmin
  User Mapping not fully available..
  Exception id: 04:21_23/06/05_0073_8097650
  See the details for the exception ID in the log file

  Hi,
  yes, Karsten is correct. Just some background:
  "User Mapping not fully available.." finally means that user mapping is configured to use strong encryption, but the main crypto key for user mapping is missing. Usually, that's because "SAP Java Cryptographic Toolkit" and/or "JCE policy files for unlimited strength encryption" are not installed (or the server hasn't be restarted afterwards). The note will most likely help
  Best regards
  Heiko

• Error while creating the user mapping

  hi friends i was gettig this error while editing the logon data in user mapping.
  An exception occurred while processing a request for :
  iView : pcd:portal_content/administrator/super_admin/super_admin_role/com.sap.portal.user_administration/com.sap.portal.user_mapping/com.sap.portal.userMappingAdmin/com.sap.portal.userMappingAdmin
  Component Name : com.sap.portal.usermanagement.admin.UserMappingAdmin
  User Mapping not fully available..
  Exception id: 12:54_19/02/07_0002_9709050
  See the details for the exception ID in the log file

  Hi Rajesh,
  Navigate to <b>User Administration---->User Mapping</b>
  Under Search, Search for your user id in users.
  You will get ID, Name with <b>Edit Link</b> and by the side "System" Drop Down Box which contains the name of the system Aliases that u created.
  <b>Click on Edit Link,</b> It will ask for user and password. Give the user and password for R/3 System and clicked save. After this you will get an info like, Logon Data Saved.
  ******Hope this helps you. Reward Points if you find this helpful.
  Regards,
  Eben. J <i></i><i></i><i></i>

• Error in User Mapping

  Hi All,
  I have created a system from Application integrator PAR file and has added on extrafield to the system as I have three fields to be mapped with the target application.
  On doing so when I try to preview the iView using this system for connecting the target application I am getting the following error.
  Portal Runtime Error
  An exception occurred while processing a request for :
  iView : pcd:portal_content/com.tcs.192207.192207/com.tcs.192207.192207_Roles/com.tcs.192207.home/com.tcs.192207.documentum/com.tcs.192207.documentum_01
  Component Name : com.sap.portal.appintegrator.sap.Generic
  Exception in SAP Application Integrator occured: Unable to process template 'userName=<MappedUser>&password1=<MappedPassword>&repositoryName=<<b>Repository</b>>', because 'Repository' is an invalid terminal property of the Root context..
  Exception id: 10:48_01/06/07_0027_203196350
  See the details for the exception ID in the log file
  I dont know what to write in place of the bold portion.
  I have added the extra mapping field with the name Repository
  I tried MappedRepository also that is also not working can sombody please help. I am getting null at the target application end for this extra field rest of the two I am able to recieve.
  Regards
  Sid

  Hi Sid,
  your template does not work because Repository is no standard parameter. You have to use a custom provider for this parameter. Refer to chapter 6 (Making Parameter Dynamic) of document <a href="https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bf8cc890-0201-0010-00b1-8d04e5f4378a">"How to…Use the Application Integrator"</a>.
  Basically, you have to write a portal service which provides the parameter at runtime. If I understood you right the parameter Repository has to be set by the user in the user mapping dialog. Thus you can access the value using the IUserMappingService See the SAP Library for an <a href="http://help.sap.com/saphelp_nw70/helpdata/en/69/3482ee0d70492fa63ffe519f5758f5/frameset.htm">Example</a>.
  Best regards,
  Martin

• Issue with user mapping and SAP reference system

  Hello Gurus,
  I have this strange system behaviour when preparing my system for single sign-on using user mapping.
  Case 1.
  In the user management property category, I have the following defined.
  Authentication Ticket Type - SAP Logon Ticket
  Logon Method - UIDPW
  User Mapping Fields  -
  User Mapping Type - admin, user
  In the alias editor, I defined the default alias as SAP_PRD
  Result= when I go to identity management to assign the reference system (the default alias - SAP_PRD)...I do not see the system alias there.
  Case 2:
  In the user management property category, I have the following defined
  Authentication Ticket Type - SAP Logon Ticket
  Logon Method - SAPLOGONTICKET
  User Mapping Fields  -
  User Mapping Type - admin, user 
  In the alias editor, I defined the default alias as SAP_DEV
  Result, when I go to the identity management to assign the refernce system (the default alias - SAP_DEV), I see it there.
  What might be my issue? Does it mean I can't assign SAP reference if I am using UIDPW as logon method?
  Please help me.

  Hi Mahesh,
  Thanks for the feedback. I am relatively new to EP...so please I won't mind if you can guide me on how to go about this.
  This is what I did...
  I chose System Administration > Permissions
  In the PCD, I located my system with the alias, SAP_PRD
  It opened up the permission assignment area.
  Now I have these permissions set
  Administrator - Full Control
  Administrators - Full control
  com.sap.caf.eu.gp.roles.superuser - Full control
  Everyone (built in group) - Full control
  Everyone (Everyone role)- Full control
  super_admin_role - Owner
  For all the above End User box is checked.
  I can't find anyone end user group .
  Once I pick UIDPW, the alias disapperars from the reference system list.
  Please help.

• Configuration Issue in User Mapping ..

  Hi,
  Pls help resolve this issue..
  When i go to <b>" UserMapping "</b> option using the <b>"Personalize "</b> link , i get the following error msg..
  "There is a configuration issue which leads to problem when accessing user mapping data for the selected backend system"
  Also , if i go thru "User Administration -> User Mapping "
  then it says,
  --"There is a configuration issue which leads to problem when accessing user mapping data for the selected backend system  .
  Usually reason is user mapping being configured for Strong encryption, but necessary additional files might be missing.Check Security log file for information "--
  I am not able to solve this problem..Pls help
  Thanks in advance

  Hi Venkat,
  <b>Here the quick and dirty solution</b>:
  In your portal go to 'System Administration' -> 'System Configuration' -> 'UM Configuration' -> 'Direct Editing'.
  There locate the parameter 'ume.usermapping.unsecure', set it to 'TRUE' and restart your server.
  I would rather recommend to install the unlimited strength jurisdiction policy files.
  For more info on this, check this thread:
  JCE Jurisdiction does not allow Portal to start
  Hope this helps,
  Robert