Portal SSO to ITS

Similar Messages

• SSO from Portal to a ITS (standalone) to the R/3 backend

  Dear all,
  I have the following situation:
  1. I have successfully installed SSO between Portal and the Backend system. That works fine.
  PORTAL -> D98 (R/3 System with 4.7)
  2. The backend system has no ITS because it's SAP R/3 4.7 without ITS.
  PORTAL -> ITS (Standalone) -> D98 (R/3 4.7)
  Question:
  I have to create now a connection from the SAP Portal to the ITS and so on in the backend system with SSO.
  Which settings are necessary to create SSO over a ITS system like this:
  PORTAL -> ITS (Standalone) -> D98 (R/3 4.7)
  Who could help me?
  Thanks for your effort.
  Kind regards,
  Thomas

  Dear Ansar,
  Sorry, but I don't find this note.
  Note 56691
  Could you please give me the right note?
  Thanks a lot for your help and your effort.
  Kind regards,
  Thomas

• SSO between ITS 620 R/3 and EP

  Hi,
  I need to use ITS 620 for R/3 4.7 and EP 6.0 for ess/mss implementation
  I have to configure SSO between R/3 and EP.
  Do I also need to configure SSO between ITS and R/3 , ITS and EP also for this?
  If yes can any one tell me the steps in configuring SSO between ITS and R/3, ITS and EP ?
  advance thanks,
  PK

  UPDATE:
  I have installed a portal (SAp netweaver 7.0 Java stack) and have connected it to a ECC6.0 SR3 backend and I needed only to configure the SSO between portal and backend abap instance, and all worked fine. There was no need to configure the SSO between the integrated ITS and abap instance.
  About the error  message mentioned in my previous forum entry:
  I did not only do the steps for SSO between portal and backend as described in the blog "Configuring the Business Package for Employee Self-Service (ESS)", but I also did all the additional steps as mentioned in "10 golden rules of SSO".
  After that the error message "SSO logon not possible; logon tickets not activated on the server" did not appear anymore. (Instead a screen that asks for username and password always appears with the warning "No switch to HTTPS occurred, so it is not secure to send a password". But I think that's ok.)

• Access to Guest Folder requires login when accessed from Portal/SSO

  We have wired XML-P to use OID and then registered it as a Partner Application in our Portal/SSO server (which also uses the same OID instance). All works well except now when we try to access the Guest folder from within Portal the SSO login screen pops-up. We have created a very simple HTML/URL portlet that points to the Guest folder and the idea is for users to have Public/anonymous access to this folder. Any ideas?

  Hi,
  You can try to enable "Turn on password protected sharing" in Network Sharing Center. After that, only people with a user name and password on the computer will be able to log into shared network folders.
  Another workaround method you can try:
  Open Run, type rundll32.exe keymgr.dll, KRShowKeyMgr, then Press
  Enter.
  In the prompt dialog, choose and delete the user account used to network sharing.
  Roger Lu
  TechNet Community Support

• User assgined to a group, SSO to ITS is not working

  We had our security group add a ESS-User group.  We imported 500 users and assigned them to that group.  When logging into EP, we are getting access to the correct tabs, but ITS is requiring us to login. 
  But when logging in as a user that is not assigned to this group, the SSo to ITS is working. 
  What setup step are we missing?  Are we supposed to configure something in Visual Administrator.

  Hi Dena,
  A logon trace might provide the cause of the problem. See SAP note 495911 for starting.
  Thanks and regards,
  Dieter

• Configure SSO for ITS to R/3 using SNC/Kerberos

  Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library.  I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name.  That seems to work fine.  From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate.  However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
  I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
  =====================================================
  [Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
  [Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
  [Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
        gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
  [Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
  [Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
  [Thr 2888] Sun Jan 15 22:44:59 2006
  [Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
  [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
  [Thr 2888] Sun Jan 15 22:45:29 2006
  [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
  =====================================================
  Does anyone know what am I missing?  Any help is greatly appreciated.
  Thank you!
  Diem

  Hi Markus,
  I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS).  Does that sound right to you?
  I tried both options for ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detail information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication? 
  I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem. 
  To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
  Thank you very much for all your help.
  Diem Tran
  Trace:
  =====================================================
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
  2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
  2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
  2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
  =======================================================

• SSO to ITS via EP6

  Ok all knowing people, I have this working in EP5 but, can't get it working in EP6.
  Our Portal:
  EP6 SP2 Pack3 Hotfix7.  Working like a champ.  However, SSO to our ITS box will not work.
  I have downloaded and am using the SAP application integrator.  After creating the ITS System I make an Iview with com.sap.portal.appintergrator.sap with the generic component selection. 
  Url template is HTTPS://its.server.net/scripts/wgate/webgui/! ?<authentication>
  Template fraction for user mapping:
      login=<mappeduser>&password=<mappedpassword>
  After I run the Iview I get a runtime error.
  "Unable to process template https://its.server.net/scripts/wgate/webgui/! ?<authentication> because authentication is an invalid terminal property of the context."
  Am I going in the wrong direction?  Do you know of anyone that is running a webgui within an Iview with SSO?

  Hi,
  you have to create a "SAP Transaction iView" instead of using the app integrator.
  ==> right click on the desired folder in the PCD ==> choose "New" and "iView" ==> choose "SAP Transaction iView" ==> enter the ID info ==> choose the GUI type ("SAP Gui for HTML in your case) ==> select your SAP system and enter the desired transaction code ==> save
  Regards,
  Michael

• SSO To ITS not working

  Hi Experts,
  Here is the issue:
  I have 2 Internal Portals SP and EP.
  1.If I open SP Portal from Internet Explorer, SSO Tickets are getting generated and I am able to Login using SSO to SP - ITS machines.
  2.If I open EP Portal from Internet Explorer and In the same Browser If I open SP Portal,now I am unable to Login using SSO to SP - ITS Machines.It is showing logon screen.
  The Issue might be SSO Tickets generated by EP Portal do not subsequently allow SSO to SP ITS Machines.
  Could you please let me know where exactly goes wrong,and where should I make changes to rectify this issue.
  Any help would be highly appreciated.Thankx in advance.
  Regards,
  Karthick

  Hi Karthick,
  This blog might be interesting for troubleshooting.
  /people/dennis.kleymeonov/blog/2005/09/15/connecting-sap-systems-to-enterprise-portal-with-sso
  You might also get more information with the hints given in SAP note 495911.
  Thanks and regards,
  Dieter

• SSO - integrated ITS - SRM 5(EBP)

  Hi all,
  I am just wondering if we need Java stack in order to set up Single sign on for SRM/EBP shopping cart (bbpstart).
  We are on SRM Server 5.5 with integrated ITS. We don't have Portal. We currently have SSO implemented on all Gui interfaces for all SAP systems via Active directory.
  What is the correct documentation for my case?
  Thanks a lot and looking forward to hearing from any good instruction,
  Kev

  Hi,
      If your password field is already pre filled with some value due to which you are unable to enter the password then you need to maintain the foll parameers in RZ10:
  The foll tasks need to carried out preferably by a BASIS person after which you need to restart the SRM server for changes to be effective:-
  1.Select the instance profile in RZ10 and  goto Extended maintainence.
  2.login/create_sso2_ticket  = 2
     login/accept_sso2_ticket   = 1
  Also check if the values for the SRM server are properly maintained in the table TWPURLSVR.
  HTH.
  BR,
  Disha.
  Pls reward points for useful answers.

• SSO and ITS

  Hello,
  We are trying to setup SSO for SAP System. Our architecture looks like this:
  3rd party logon mechanism(via web) --> ITS --> Web Dispatcher --> WAS (BSP's)
  We did extensive research and found that ITS might enable us to do that. But we are not clear if SNC is a must (Which we don't want to do). The documenation is not clear. The current URL without SSO points to Web Dispatcher which get us the bsp pages from the WAS.
  Following is what we want to achieve:
  1. Users will logon to the 3rd party logon mechanism via web(software is installed with APACHE 2.0)
  2. once users are authenticated we need to pass the ID via HTTP header or any other method available to logon to SAP BSP Pages.
  Currently users can logon to 3rd party software which redirects to the BSP application and requests user id and password.
  We are wondering if anyone has done this sort of setup.
  Thanks,

  Hi
  For SSO concept visit (You can also find usage in EP)
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/90277dbd-0401-0010-33a1-ac2c7e3a5659
  <b>Usage across portal:</b>
  Normally Portal provides you a page which has content from different backend applications. Portal actually provides single point of entry to these applications which reside outside Portal. Now with Single SingOn feature user does not have to logon to backend application again. That means when he clicks a link on Portal which points to Backend application, he does not have to enter user and password again for that application.
  for more info
  sso
  Some fundas related to SSO with portal
  What is meant by "SSO across multiple domains"
  some usefull blog
  Step-By-Step Guide to implement Application Integrator
  Hope that helps

• EP 7.0 with SSO to ITS 6.10

  Hello,
  we have conacted a EP 7.0 SP12 over an iview to an ITS 6.10, which then use rfc to connect ess/mss from an old sap server 620. We implemented SSO. If we access the ITS over the portal we see the login screen from the ITS. We are able to login without using user/password, only by pressing the button login. So far the sso is working, but we don't want to the the login side from the ITS. This will confuse the users.
  Have I configured in the iview the wrong authentication methode? Or shouldn't I use an iview to build the connection to the ITS?
  Regards,
  Alexander

  Hello Alexander,
  We are also facing the same problem, a login screen comes up, where just pressing the logon button, opens the desired screen.
  Why is this login screen coming up?How did you solve your problem?
  Please respond, as it is a very urgent task, which needs to be completed asap.
  Thanks,
  Sonali.

• SSO to ITS through WebSEAL gives secure/non-secure messages

  Hi
  We running the following setup:
  EP6 SP14
  Stand-alone ITS 6.20 patch 18
  4.7 R/3 Enterprise
  TAM/WebSEAL 5.1
  We are running SSO through WebSEAL to the portal and everything seems to be working just fine.
  But when we try to access a transactional iView or an IAC iView running on the ITS server I get a pop-up message saying "This page contains both secure and nonsecure items."
  We are accessing WebSEAL through HTTPS, we are running HTTPS between WebSEAL and the portal and HTTP between WebSEAL and ITS.
  I have tried to access the ITS through WebSEAL without using the portal, and I still get the message. So it must be something between the WebSEAL and the ITS server.
  Does anybody have any ideas what is causing this?
  Cheers,
  Jacob Vennervald

  The "secure and non-secure" message, displayed when accessing ITS through WebSEAL when using IE and HTTPS, is caused by an empty source reference (<IFRAME ... SRC="" ...>) within the ITS menu page (...d_menu.html).
  The integration guide, available on the <a href="http://www-1.ibm.com/support/docview.wss?uid=swg24003605">IBM website</a> and the <a href="http://www.sdn.sap.comhttp://www.sdn.sap.comhttp://www.sdn.sap.com/irj/sdn/developerareas/ibm">SAP SDN</a>, contains the information on how to stop the message from appearing.
  The message should not be displayed when accessing ITS through WebSEAL using HTTP.
  Regards,
  Peter Tuton.

• How to use Portal SSO with existing BSP application

  Hi all,
  we run SAP EP 6.0 here and have a single start BSP page of
  an application integrated with the SAP appintegrator for BSP. The rest of the existing BSP application still uses
  the login functionality based on CL_BSP_LOGIN_APPLICATION
  and is not integrated in the portal.
  Problem: If a user directly accesses one of the "old" BSP pages, he should be redirected to the portal to auth. him via SSO and afterwards the original BSP page with all its parameters should be processed.
  How to deal with that? Is there a similar mechanism like with the BSP_LOGIN_APP in between for the SAP EP?
  Thanks for your help!
  -RAINER-

  I think that doesnt solve the problem.
  I have 2 systems: SAP ECC with all BSPs and the portal on another system. So I have to entry points: Via portal using the appIntegrator BSP or directly to the ECC.
  As-is: If the auth. for the BSP appl. fails, the user is re-directed via the error page given in the service (SICF)
  to a BSP login app. and from there to the requested page.
  No portal in this concept.
  Must-be: A user is still able to directly access a BSP on the SAP ECC by entering the URL in the browser. It's not a must entering via the portal first.
  So when the login failed on the ECC (no SSO ticket), he should be redirected to the portal for getting his SSO.
  After he signed in successfully the user will be forwarded to the BSP page he entered in the browser the first place.
  I can't see a way to use the URL iView. I am thinking of simply changing the login mechanism of the BSP using the portal login functionality.
  The link you gave me offers an implementation of CL_ICF_SYSTEM_LOGIN. Any ideas?
  Regards,
  -RAINER-

• Menu is not visible after logging into the portal(SSO)...please help.

  Hello Experts,
  I am facing one EP issue...its like once the user logs in to the portal through SSO...he is not able to see any menu on the left side of the page. Actually there is a Detailed Navigation Tab on Left side which contains links to other servers.
  Since there is no Detailed navigation tab on his page this particular user is not able to navigate to other servers...
  Please letme know where to look for as I am very very new to EP...please give in your valuable inputs...
  Regards,
  Jignesh.

  Hi Joshi,
  Check ur detailed navigation is open or closed
  goto cont adminportal content-- go to ur  default frame work page-- desktop innerpage-- open --- see detailed navigation iview is checked for visible or not
  hope this helps u
  Regards
  Krishna.

• How to reset the user password in Portal (SSO Users).

  Hi,
  How to let the Portal users (SSO Users) reset their passwords by themselves..?
  - J

  Forgot one another thing,
  Assume that the users have set their required challenge questions (hints).
  How does it work when the user forget his/her password. Is it like something below.
  - click the "Forgot Password" link.
  - Enter your id
  - Answer your Hints.
  Will the new password be emailed to you or you will be allowed access the system and then the user has to choose a new password.
  Could you please shed light on this.
  J.