SAP Single Sign in

Similar Messages

• Issue with SAP Single Sign-On and Scheduling Reports

  Hello --
  We are on XI 3.1 with SAP BW and SSO.  Some users are getting failures with this error message when they schedule a report to run:
  "A database error occured. The database error text is: Unable to connect to SAP BW server System received an expired SSO ticket. (WIS 10901)." 
  It SEEMS as though the users are fine if they schedule the report to run immediately and have it run every hour (or less) after that.  If they schedule it to run several hours from the time they are in the system, however, it looks like they begin getting failures around 8 hours after they were in the system.  This would make sense from looking at the "InfoView and Central Management Console Session Management" document (https://www.sdn.sap.com/irj/boc/index?rid=/library/uuid/405547f9-b840-2b10-44b5-8e17ff9e48a9&overridelayout=true) since a logon token expires after 8 hours, but since it is a scheduled report, and the user is not logged in through a browser, how is a token being passed?  Is it captured and included when the report is scheduled?  Would disabling logon tokens fix this issue?  How is authentication handled here if they are disabled? 
  Thanks for any info
  Casey

  Hi Gurus
  I am facing the exact same error.
  However, we are not trying to schedule the WEBI report.
  The user gets this error even when he is running on demand from the portal.
  Here are the various steps tha twe have tried and still it doesnt work:
  1) Refreshed and created new Universe connection
  2) Bounced BOE server
  3) Synced up the SSO timeout ticket to 8 hrs on all systems including BOE
  4) Changed browsers
  5) Removed cache, cookies etc
  Please help.

• Agent Enterprise Single Sign On 11

  Good day everyone,
  I have a problem with the Logon Manager component (agent) suite of Enterprise Single Sign On 11, when I install the agent on the client pc console generated in the Logon Manager administration does not recognize me configure applications on the console to automatic access.
  I use as a repository database Oracle 10g,
  Thanks

  Hi,
  I think it is possible. I came across below link:
  [This FAQ was deleted: visit SAP Single Sign-On for help]
  As per this link, it says:
  The following SAP systems can issues SAP Logon Tickets: systems as of SAP Basis 4.6C (see SAP Note 358469), SAP Web Application Server 6.10 and above, SAP Enterprise Portal 5.0 and above. SAP systems as of SAP Basis 4.0 can accept SAP Logon Tickets (see SAP Note 177895).
  Also, check below link:
  http://help.sap.com/saphelp_nwmobile71/helpdata/en/78/f1a8490e7011d6999500508b6b8a93/content.htm
  Thanks
  Sunny

• Configuring JCo3 Connection Pool with single sign on on non SAP Java server

  Hi Everyone,
  i have configured a connection pool on JBoss as per JCo3 Documentation and is working great.
  Now I need help to configure this connection pool with single sign on so that RFc on SAP ECC systems are executed using end users credential rather than using single user name password used to configure JCo connection pool.
  On SAP Java stack I am sure its possible within Java WebDynpro    and i assume using JCA resource adapter. But what if we don't want to use SAP Java App server.
  Any help will be appreciated.
  Thanks,
  Divyakumar Jain

  Eason, 你好！
  I have exactly the same problem.  Did you find a solution to this problem?  If so, please let me know!

• SAP Netweaver Portal Single Sign On.

  Ok, I need some help!
  We have a dashboard that is accessed through a SAP Netweaver Portal.  The Dasboard gets it's data from a LiveOffice Crystal Reports object which when refreshed asks the user for the BOE logon credentials. The users do not want to have to Log in to the BOE for the Crystal Report to refresh, so the question is has anyone successfully managed to use some method of Single Sign On from SAP Netweaver to BOE (v3.1) for a dashboard SWF refresh?
  Many thanks
  [Charles|http://www.reportex.co.uk]

  Hi Charles,
  can you share with us the configuration steps needed in the SAP Portal in order to use SSO?
  Thank you.
  Best regards
  Victor

• How enabled Single Sign-On with a System SAP WAS ABAP (Run application BSP)

  Hi.
  I need to run any application BSP from a System SAP WAS ABAP, without entering SAP user and password. Using the windows authentication and without SAP Enterprise Portal.
  What authentication methods I have to apply for enabled Single Sign-On with a System SAP WAS ABAP?.
  And How can I enabled this method?.
  Best regards.
  Luis Gomez.

  Hi Ticiano,
  SAP WebAS ABAP supports a number of authenticaiton mechanisms. See
  [http://help.sap.com/saphelp_nw04s/helpdata/en/02/d4d53aa8a9324de10000000a114084/frameset.htm]
  A number of these authentication mechanisms can be combined with Windows authentication (e.g. SNC, client certificates, ...).
  The decision what mechanism fits best depends on critieria like
  - SAP server platform
  - security requirements
  - extensibility (should same authentication mechanism be used for future SAP environments, which will be E-SOA based)
  - authentication from outside company domain
  - Use of SAP security library (SAPcryptolib)
  You may want to look at the SAP Software Solution Partner Catalog, if you look for certified SSO solution vendors for SAP.
  Best regards,
  Peter

• Single Sign On for SAP - Integration wih AD

  Users often need both an SAP and Active Directory identity and password to work in their IT environment. However, these multiple identities and passwords create several problems: user confusion leading to decreased productivity, increased help desk costs and security breaches.
  For this purpose how can we extend Active Directory authentication for single sign-on to SAP?
  Regards,
  Majid Khan

  Hi,
  It seems that SAP SSO/IWA  based on Spnego Kerberos is what you want.
  Spnego Kerberos only works on a J2EE stack based system.
  The classical technique is so to implement it on a SAP portal and to use redirect applications to use the portal saplogon ticket to authenticate on abap systems.
  Check help.sap.com on the subject, you will get a lot of information.
  Regards,
  Olivier

• When we need to go for single sign-on in SAP-XI

  hi,
     When exactly we need single sign-on, and if we do not implement single sign-on in XI , do we get any problems during implementing the project.
  Regards
  siva

  Siva,
  SSO is used to avoid signing on using password each time into ur IR /ID RWB or Appln. system. See each and everytime when u log in to these systems u need to give user name and pwd, but if  enabled SSO then it won't prompt for u the password. Once u enter the username it will log u in.
  No, you won't get any problem in XI , if u haven't enabled SSO in XI. Its the additional feature so that it will not affect ur implementation.
  -raj.

• Active Directory, single sign-on and  SRM Users

  We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
  - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
  - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
  My questions are:
  1. If active directory is being used do we need to create actual users within the SRM system?
  2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
  Many Thanks

  Hi Claire,
  The Single Sign On work only if user exist on every systemes.
  For example :
  If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
  For Active Directory you can synchronize your user table to AD by using LDAP option.
  The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
  Finally use the SSO certificate between Portal ECC and SRM.
  Regards,
  Gilles SEBBAG
  Sap Technical Consultant.

• Single Sign On and user security with IS

  We have installed Information Steward 4.1 SP1 Patch 1 with Data Services 4.1 SP1 Patch 2 on Information Platform Services 4.0 SP 5 patch 6.  The Information Steward system is installed on it's own server.  We are connecting IS to our SAP Netweaver 7.3 system. 
  I have set up Single Sign On using Windows AD authentication.  The connection to the SAP system uses a service account. 
  Because the SAP system has our payroll information on it, we want to restrict Information Steward users based on their SAP security profiles.  We don't want to have to maintain security settings in both SAP and Information Steward. 
  Does anyone know if there's a way to set up Single Sign On so it passes the user credentials from SAP to Information Steward?  Then restrict the users on Information Steward based on their SAP security settings?
  Any advice would be appreciated!

  Hi,
  You can use Windows AD or SAP Authentication and configure it with SSO. However this should be done in the BI/IPS plaftorm and not IS. See the BI admin guide (http://help.sap.com/bobip40) section "Authentication options in BI platform". Please let me know if that's what you wanted.
  thanks

• Single Sign on and Macintosh

  Hello,
  we realized single sign on on our mac machines. It runs great. Now i want to combine it with our SAP logon groups. There's an error that he cannot find the KDC. Where's the problem? Is it nit possible to combine groups with using snc?
  We set the followign connection string:
  SAP Prod: conn=/M/sapmachine.firma.de/S/1234/G/example_group&sncon=true&sncname=p:[email protected]&sncqop=9

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

  Hi,
  we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
  When we setup the Portal, we used the UME of the ECC - ABAP.
  The portal is used internally only.
  Now we want to provide SSO.
  User authenticate against Windows Active Directory (Windows 2003).
  We thought SSO via spnego would be the best solution.
  Any better alternates, we should use?
  We are following the SAP documentation:
  SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
  We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
  When we setup the portal from scratch using ABAP as its UME, in the system configuration, LDAP can't be selected/add as data source.
  In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
  What is not clear to us, when we active now LDAP via config tool, if we would now lose the ABAP connection.
  Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
  In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
  Thanks for your help.
  Best regards
  Carlos Behlau

  Hi,
  I was able to generate the key via ktab program.
  But when I am enable SSO, nothing is happening when I try to log-on via SSO to the portal.
  I installed WebDiag tool on the portal server and ran trace.
  The users are located in domain: company.com of activate directory.
  The Java AS are located in domain: sap.company.com of activate directory.
  The sap.company.com domain acts as child of company.com.
  When I check the WebDiag trace, I see for the SPNegoLoginModule - the entry "... no key (etype: 23) for realm sap.company.com available ..."
  I would except company.com as realm key, as the keytabs have been generated on the domain controller of company.com.
  Is it possible to get SSO with child domain running?
  Based on the statement of the network folks, child and father domain having a trust.
  Thanks for your help.
  Best regards
  Carlos

• Single Sign-On Netweaver Portal with Cornerstone On Demand

  Hi
  Does someone experiences with Single Sign-On between SAP Netweaver Portal and the Learning Management System of Cornerstone On Demand?
  The options are:
  - SAML: but at this moment we don't have SAML provider. Is it easy to use this with Netweaver 7.01 SP6 ?
  - standard SSO : encrypted string between SAP portal and LMS: client sends encrypted string with userid...based on encryption algorithm.: Has someone developed this (java code) for SSO to an other system?
  But can they use Sap Login Tickets?
  Best regards
  Luc

  Hi,
  I just recently implemented SSO between SAP system and on demand solution from 3rd party provider. We didn't have any guy with Java skills so we implemented HTTP handler in SICF that generates web page with redirection to the 3rd party system. ABAP does not have a good support for various encryption algorithms so we used javascript interpreter available in ABAP AS. Portal just points to ICF service on ECC system that redirects to on demand solution. Implementation took one day. Obviously, in this case all users had to have account in ECC system.
  Cheers

• Single Sign On -- Enterprise portal and BI JAVA

  Hi,
  I need to watch reports BI J2ee from an EP 7.00. I have configured the single sign On but it works just for ABAP BI Stack.
  This is what I have done for SSO JAVA:
  Importing the BI JAVA Certificate to the SAP NetWeaver 2004s Portal (SAP EP 7.0)
         1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.bat.
         2.      Connect to the portal server.
         3.      Choose  are the values of and of certificate SAPLogonTicketKeypair-cert (see above).
  You also have to add these values under evaluate_assertion_ticket:
     13.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.
     14.      Connect to the portal server.
     15.      Choose  (for example, CN=J2E)
  Any clue?
  Regards

  Hi Jorge,
  if the UME is used with an ABAP based system as the back-end user storage, do the following:
  Generate and export the Portal Certificate:
  Go to Visual Administrator
  Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
  If the SAPLogonTicketKeypair exist, delete it.
  If the SAPLogonTicketKeypair-cert exist, delete it.
  Generate a portal certificate using the following steps:
  Under Entry choose Create.
  Enter the folowing values in u201CKey and Certificate Generationu201D
  Organization Unit Name (OU) = J2EE
  Common Name (CN) = <SID>
  Entry Name = SAPLogonTicketKeypair
  Store Certificate: X
  Algorithm: DSA
  Click u201CGenerateu201D
  Import the Portal Java Certificate into ABAP
  STRUSTSSO2
  System PSE:
  u201CImport Certificateu201D - Choose your exported .crt file - File format = Binary
  Click u201CAdd to Certificate Listu201D
  Click u201CAdd to ACLu201D - System ID = <SID>, Client = 000
  save it.
  Export PSE ABAP Certificate and import into J2EE Portal:
  STRUST
  Choose PSE, export it and save as <SID>.pse
  sapgenpse export_p12 -p <SID>.pse <SID>.p12
  copy the generated p12 file <SID>.p12 to J2EE Portal
  Go to Visual Administrator
  Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
  export the .p12 ABAP certificate with "Load"
  adjust com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:
  Choose <SID> - Server - Services - Security Provider - from the components tree select evaluate_assertion_ticket
  ensure that trustediss<n>, trusteddn<n>, trustedsys<n> are correct set.
  ume.configuration.active = true.
  restart the ICM in SMICM
  If you also want to use SSL, there are some further steps to be done.
  Regards,
  Gerd

• Single Sign-On (Portal to R/3 Backend)

  Hi all,
  Iu2019m trying to implement Single Sign On (SSO) between our SAP portal (front end) and SAP R/3 ECC 6.0 Backend.  Keep in mind this has nothing to do with Active Directory.
  I read posting after posting from this site and I canu2019t tell you how much documentation and canu2019t seem to get to the root cause of the problem.
  To sum it up, the Test connections in the Portal, which there are 3 (SAP Web AS Connection, ITS Connection, and Connection Test for Connectors)
  The connection tests work for the first 2.  The one that fails is the Connector.
  The errors are not much help.  Here is what I get.
  Test Details:
  The test consists of the following steps:
  1.     Retrieve the default alias of the system
  2.     Check the connection to the backend application using the connector defined in this object.
  Results:
  1.     Retrieval of default alias successful.
  2.     Connection failed.  Make sure the Single Sign-On is configured correctly. 
  Details:       Portal Host name = lansapdep01
       Backend Host name = lansapdev01
  Property Category:  Connector
  Application Host = lansapdev01
  Gateway Host = lansapdev01
  Logical System Name = devcln150
  Remote Host type = 3
  SAP Client = 150
  SAP System ID <SID> = DEV
  System Number = 01
  Server Port 3600
  System Type =  SAP R/3

  You use Server Port 3600, message server.
  It means, while creating a system you used wrong template and picked "SAP system using dedicated application server".
  You should use "SAP system with load balancing", since message server is doing load balancing.
  Once you selected correct template you will see "Message Server" instead of App and GW servers.
  Make sure to fill in
  Group  - Logon group to use. If not defined in R3, use SPACE
  Message Server - ansapdev01
  SAP Client = 150
  SAP System ID <SID> = DEV
  Server Port 3600
  System Type = SAP R/3
  It should work.
  Regards,
  Slava