Security on SAP Logon

Hi Guys!
I have a question. Suppose I have user named A using a workstation named B (hostname=B) and again, I have another user named AA using a workstation named BB (hostname=BB).
Is it possible for me to control their login accounts in such a way that my user A can only log on to SAP if he's using his workstation B? I don't want user A to log on to our system using workstation BB or any other workstation aside from his.
Is it doable? If yes, can anybody explain how it's done?
Below is my setup:
SYSTEMS  :  ECC6 and BW
DATABASE:  Oracle 10g
OS             :  IBM AIX 5.3.0.0
Thanks in advance,
Jun

Hi Jun,
I guess this should be possible, but I am not very sure. Check with a Basis consultant and ask him to look into the parameters below and then confirm whether it works out or not.
Log in to the SMICM transaction code and go to -> parameters -> Display
Here you will find the parameters:
Misc
icm/host_name_full             = cauvery.bsnl.com
icm/cancel_strategy            = cancel requests without session (stateless)
HTTP settings
icm/HTTP/max_request_size_KB   = 102400
icm/HTTP/j2ee_0                = PREFIX=/,HOST=localhost,CONN=0-500,PORT=50000
icm/HTTP/server_cache_0        = PREFIX=/, CACHEDIR=/usr/sap/BSD/DVEBMGS00/data/cache
Services
icm/server_port_0     = PROT=HTTP,PORT=8000
icm/server_port_1     = PROT=SMTP,PORT=0
Regards,
Vara Prasad

Similar Messages

  • Potential Risks in Setting SAP Logon Security Settings

    In SAP GUI Options - SAP Logon – Security – Security Settings we would like to know the risks pertaining to setting the default Status as Customized and the Default Action to Allow.  This would be set in the Registry so that Users would not be able to change it. We do have some security rules set by the administrator, all are directories primarily driven by converting to Excel docs in BW.  To reiterate, what are the risks to “hard coding” the default Status as Customized and the Default Action to Allow?
    Thanks,
    Chad

    Ahmad,
    SOAP adapter supports SSL and Digital Certificates and you need to configure your SSL on the J2EE stack before you can use the same on your SOAP adapter.
    Look into this blog to understand what needs to be done.
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Regards
    Bhavesh

  • How to Activate Send SAP Logon Ticket in Logon Security...??

    Hi
    I am trying to create an RFC destination for SAP EP 6.0. Here I need to activate Send SAP Logon Ticket, but the Activate radio button is disabled. How can I enable it? Please help me.
    Best Regards
    Ravi Shankar B

    The F1 help for this option says:
    When you activate this option, an attempt is made to create and send the SAP logon ticket for the current session, for a logon to the target system. Before you can create this ticket, the environment must be configured appropriately (for example, the profile parameter login/create_sso2_ticket must be set to 2).
    So, J. has the right idea...
    Cheers

  • SSO to non SAP Application using SAP Logon Ticket

    Hi Experts,
    I have EP 7 SP 15 using the SPNego Wizard to SSO with Active Directory and SSO between EP and ECC using SAP Certificates.
    Now I have a demand to SSO some Java-based applications (non-SAP) to my portal using the SAP Logon Ticket.
    I have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't find this cookie; I even executed the command javascript:document to look for this cookie, but the browser just shows me the JSESSIONID info.
    Does anybody know where I can find this cookie, or if there's a better way to set up this SSO? It's necessary to say that I cannot SSO these applications to the Kerberos protocol because of some security reasons at my company.
    Thanks
    Armando

    Hi,
    I don't have much related info, but I can give you a hint:
    refer to OSS Notes 442401 and 723896.
    When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
    In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal server's public key certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-SAP web application.
    In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
    You can refer to the following links:
    http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
    user authentication and SSO
    http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    Authentication Using a Directory with SSO Integration Using Logon Tickets
    http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
    SSO
    SAP Logon Ticket-based Single Sign-On
    http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm

  • Java client application + SAP Logon Tickets (SSO)

    Hello
    I have the following question; it is about the connection between SAP Enterprise Portal and a Java application.
    After registration in Enterprise Portal (with the Internet Explorer browser), the request is passed on to the SAP backend system - cFolders (SSO method).
    With the internet browser everything worked.
    However, how can one get this logon ticket with a Java application and then use it later for a SOAP connection
    (everything with a client Java application)?
    Thanks for quick help
    Edo

    Hi Edo,
    look at this https://media.sdn.sap.com/javadocs/NW04/SPS15/um/com/sap/security/api/ticket/TicketVerifier.html
    Best Regards
    Oliver

  • Modification to SAP Logon Cannot be written to INI file

    Hi,
    When I am trying to create a new item in SAP Logon, it gives the error "Modification to SAP logon could not be Written to INI file
    Check permission for file 'C:\Windows'".
    The problem is that this shows even when I am logged in as "XXXADM".
    I have reinstalled the SAP GUI, but the problem is as it is.
    OS: WINDOWS 2003 server
    Database: Oracle.
    Please help me.
    Thanks in advance,
    Sharib

    I had this same problem under a VISTA Enterprise client setup.  I tried all the various recommendations, including setting the SAPLOGON_INI_FILE environment variable to point to c:\windows\saplogon.ini.  None of these changes worked, I even modified the file ownership to match up with my logged on user without success.
    I then looked at the shortcut for launching SAPLOGON, and tried to set the shortcut to run as an Administrator.  That option was greyed out.  I deleted the shortcut, and re-created it.  Still unable to save changes.  I then set the new SAPLOGON shortcut to execute as the administrator, and once I confirmed that I trusted the program, everything is now working as it should.
    Not content to leave it this way, I moved my saplogon.ini file OUT of the c:\windows directory and instead placed it in the directory pointed to by %USERPROFILE%\saplogon.ini. I updated the environment variable setting and also removed the flag to execute the shortcut as the system administrator.
    Now everything is working as it should without any special hoops -- seems that even with full access, VISTA security would not let a domain user that was part of the PC's Administrators account to edit the file w/o running as the system administrator.
    Edited by: David L. Flad on Oct 30, 2009 4:02 AM

  • Problems with SAP Logon ticket

    Hi.
    I am trying to send an SAP Logon ticket from ECC 6.0 to the backend legacy system using the SOAP adapter on the receiver side. I get the following error in SXMB_MONI, so it looks like AF is not accepting the ticket. Can anybody tell me, please, how I can identify that the ticket has been received on PI's side?
    <Trace level="1" type="T">Principal Propagation connection attributes</Trace>
      <Trace level="1" type="T">Host = hostname</Trace>
      <Trace level="1" type="T">Port = 12345</Trace>
      <Trace level="1" type="T">Transport protocol = HTTP</Trace>
      <Trace level="1" type="T">Transport protocol vers = 1.0</Trace>
      <Trace level="1" type="T">Message protocol = 003000</Trace>
      <Trace level="1" type="T">Path = /MessagingSystem/receive/AFW/XI</Trace>
      <Trace level="1" type="T">Security: Logon Ticket</Trace>
      <Trace level="1" type="System_Error">Error while sending by HTTP (error code: 403, error text: Forbidden)</Trace>
      </Trace>
    Thanks, Jukka

    Hi.
    I have had some progress. Actually Principal Propagation works well now, thanks to the instructions in http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/frameset.htm
    But I think I have now found out that principal propagation might not be a direct answer to my problem. At the end of the day I should be able to deliver a UsernameToken in my SOAP message header. Something like this:
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-12134742" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2007-10-14T12:45:34.656Z</wsu:Created>
        <wsu:Expires>2007-10-14T12:46:34.656Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken-33259721" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>test</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    I just have not found any documentation which I could utilize in an ABAP Proxy - PI 7.1 - SOAP Receiver scenario. Just wondering whether I should create my own customized SOAP envelope and disable the PI envelope in the SOAP communication channel...
    Do you know if there's any "standard way" to configure this kind of configuration?
    Br. Jukka
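
The token quoted in the post above uses the #PasswordText type, so the password itself travels in the SOAP header. As an added example (not from the thread, and not SAP PI configuration), the code below shows the #PasswordDigest form from the same OASIS UsernameToken Profile 1.0 together with the receiver-side checks; build_token, TokenVerifier and lookup_password are hypothetical names.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST_TYPE = OASIS + "username-token-profile-1.0#PasswordDigest"
B64_TYPE = OASIS + "soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _digest(nonce: bytes, created: str, password: str) -> str:
    # Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_token(username: str, password: str, now: datetime) -> str:
    """Sender side: serialise a UsernameToken that never contains the password."""
    nonce, created = os.urandom(16), now.strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = _digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64_TYPE)
    n.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class TokenVerifier:
    """Receiver side: digest check plus freshness and nonce-replay checks."""

    def __init__(self, lookup_password, max_age=timedelta(minutes=5)):
        self.lookup_password = lookup_password  # hypothetical: user -> password or None
        self.max_age = max_age
        self.seen = set()  # accepted (user, nonce) pairs; expire old entries in real use

    def verify(self, xml_text: str, now: datetime):
        """Return the user name if the token is valid, else None."""
        # Untrusted XML: prefer a hardened parser such as defusedxml in production.
        tok = ET.fromstring(xml_text)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return None  # refuse PasswordText and unknown types
        if not (user and nonce_b64 and created):
            return None
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return None
        if abs(now - ts) > self.max_age or (user, nonce) in self.seen:
            return None  # stale, post-dated or replayed token
        password = self.lookup_password(user)
        if password is None:
            return None
        expected = _digest(nonce, created, password).encode()
        if not hmac.compare_digest(expected, (pw.text or "").encode()):
            return None
        self.seen.add((user, nonce))
        return user


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    token = build_token("test", "constructed-password", now)
    print(TokenVerifier(lambda u: "constructed-password").verify(token, now))
```

The digest keeps the password out of the message, but the receiver has to hold the password (or an equivalent secret) to recompute it, and the token still needs transport protection such as TLS.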

  • How to Enable password saving in SAP Logon for Windows

    Even though password saving in SAP Logon for Windows is disabled by default, it can be enabled by following the steps listed below:
        Open the command prompt by navigating to Start → Run and by typing “cmd”.
        Go to the \SAP\FrontEnd\SAPgui directory (in Program Files), through the command prompt.
        Create the necessary value in Windows registry by typing: sapshcut -register. An information message will appear.
        Open the registry editor, in order to access Windows registry, by navigating to Start → Run and by typing “regedit”.
        Go to the HKEY_CURRENT_USER\Software\SAP\SAPShortcut\Security registry key.
        Change the value data of “EnablePassword“ from 0 to 1.
        Close SAP Logon and open it again, in case it was open during the whole process.
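
The steps above change a per-user registry value, so a defender reviewing workstations will want to know where it has been switched on. As an added example (not part of the original how-to), the code below scans the text of a .reg export for the key and value named in the steps; the page does not say whether the value is stored as a string or a DWORD, so both are handled as an assumption, and the SIDs in the sample export are constructed.

```python
import re

# Key and value names are the ones given in the steps above (compared case-insensitively).
KEY_SUFFIX = r"\software\sap\sapshortcut\security"
VALUE_NAME = "enablepassword"
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def _to_int(data: str):
    """Decode a .reg value written as dword:0000000N or as a quoted string."""
    data = data.strip()
    try:
        if data.lower().startswith("dword:"):
            return int(data[6:], 16)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            return int(data[1:-1])
    except ValueError:
        pass
    return None


def find_password_saving(reg_text: str):
    """Return the registry keys in a .reg export where EnablePassword is 1."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group("key")  # remember which key the next values belong to
            continue
        entry = ENTRY.match(line)
        if not (entry and key and key.lower().endswith(KEY_SUFFIX)):
            continue
        if entry.group("name").lower() == VALUE_NAME and _to_int(entry.group("data")) == 1:
            hits.append(key)
    return hits


# Constructed sample export. Files written by regedit are usually UTF-16;
# decode them before passing the text in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\SAP\SAPShortcut\Security]
"EnablePassword"="1"

[HKEY_USERS\S-1-5-21-0-0-0-1002\Software\SAP\SAPShortcut\Security]
"EnablePassword"="0"

[HKEY_USERS\S-1-5-21-0-0-0-1003\Software\SAP\SAPShortcut\Security]
"EnablePassword"=dword:00000001

[HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Example\Security]
"EnablePassword"="1"
"""

if __name__ == "__main__":
    for found in find_password_saving(SAMPLE_EXPORT):
        print("password saving enabled under", found)
```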

  • How to call additional Enrolment page from SAP Logon?

    Hi Team,
    I have a requirement here to customise the SAP logon page.
    My requirement is this: when a user logs in with his user ID and password and clicks Logon, it should redirect to my enrollment page (only for the first-time login for certain users). On the enrollment page we have some additional fields to be captured for security reasons; those fields will be stored in our local database, and then control is passed back to my SAP application.
    Is there any method by which we can call the additional enrolment/registration page from SAP Logon?
    Thanks in Advance
    Regards
    Akesh

    Hi Akesh,
    As per my understanding, you should amend your login page by writing a new servlet which will communicate with your database where you have your IDs.
    This means the flow would be something like below:
    1. You enter the user ID/password into the login page of SAP EP and click on the logon button; redirect the request to the newly created servlet and check.
    2. After the check, if enrollment is required, then open a new JSP page for this; else redirect the request as in the original flow.
    3. Once enrollment is done, then at the submit button it should first save the data and then redirect again to the original flow.
    Thanks,
    Hamendra

  • Windows Integrated Authentication & SAP Logon tickets

    1) We have configured windows authentication and the IISproxy on a SPS frontend server to our SAP portal environment.
    2) We have configured SAP logon tickets on the SAP portal (running on hp-ux).
    3) Both the IIS server and the sap portal server exist on the same domain inside our firewall (iis_server.lsv.internal_company_name.com and sap_portal_server.lsv.internal_company_name.com)
    4) A virtual URL has been created on the IIS server, http://sap_portal.external_company_name.com, using a domain alias.
    5) When an authenticated user is passed from the IIS server to the SAP portal the SAP logon ticket that is created is for external_company_name.com alias rather than lsv.internal_company_name.com. This logon ticket is not accepted by any of the backend SAP systems that have been configured to accept logon tickets because they all exist in the lsv.internal_company_name.com domain.
    6) The portal security guide says:
    "The Portal Server issues a SAP logon ticket for the Internet domain or a sub-domain of the
    Portal Server only."
    Given this scenario, is there some configuration that can be added to allow the use of this alias or is there a bug in the SAP portal code that needs to be addressed?

    Hi,
    You cannot use the external alias. You can however set SSO on the portal not to look to the total url. For example it would work if you use:
    sap_portal_server.lsv.internal.company_name.com
    and
    sap_portal.external.company_name.com
    The prerequisite here is that at least the domain name should be the same i.e. the last two parts.
    Greetings,
    Vincent
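
Why the alias in the question fails while the naming in the reply works comes down to cookie scoping, since the logon ticket travels as a browser cookie (MYSAPSSO2 in the thread further up). As an added example, not from the thread, the code below applies RFC 6265 domain matching to the host names quoted in both posts; drop_labels is a hypothetical stand-in for however the portal widens the cookie domain, and wiki.company_name.com is a constructed host.

```python
def cookie_domain(issuing_host: str, drop_labels: int) -> str:
    """Domain a ticket cookie is scoped to after dropping leading host labels."""
    kept = issuing_host.lower().split(".")[max(drop_labels, 0):]
    if drop_labels < 0 or len(kept) < 2:
        # Simplification: browsers consult the Public Suffix List; here any
        # single-label domain such as "com" is refused.
        raise ValueError("cookie domain too broad")
    return ".".join(kept)


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for host names (not IP addresses)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def min_drop(issuing_host: str, backend: str):
    """Smallest number of dropped labels that lets the cookie reach backend, or None."""
    for n in range(len(issuing_host.split(".")) - 1):
        if domain_match(backend, cookie_domain(issuing_host, n)):
            return n
    return None


def ticket_recipients(issuing_host: str, drop_labels: int, inventory):
    """Cookie domain plus every inventory host the browser would send the ticket to."""
    domain = cookie_domain(issuing_host, drop_labels)
    return domain, sorted(h for h in inventory if domain_match(h, domain))


# Host names as written in the question and in the reply.
QUESTION_PORTAL = "sap_portal.external_company_name.com"
QUESTION_BACKEND = "sap_portal_server.lsv.internal_company_name.com"
REPLY_PORTAL = "sap_portal.external.company_name.com"
REPLY_BACKEND = "sap_portal_server.lsv.internal.company_name.com"
# Constructed inventory: the last host is unrelated to SAP.
INVENTORY = [REPLY_PORTAL, REPLY_BACKEND, "wiki.company_name.com"]

if __name__ == "__main__":
    # Question: the two names share only "com", so no cookie domain covers both.
    print(min_drop(QUESTION_PORTAL, QUESTION_BACKEND))
    # Reply: both names end in company_name.com, reachable by dropping two labels.
    n = min_drop(REPLY_PORTAL, REPLY_BACKEND)
    print(n, ticket_recipients(REPLY_PORTAL, n, INVENTORY))
```

Widening the scope to company_name.com sends the ticket to every host under that domain, the constructed wiki host included, so each of those hosts becomes a place where the ticket can be captured.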

  • SAP Logon Issue_Copyright Dialog Box at every SAP logon on QAS

    Dear Friends,
    For the last few days, every time a QAS user logs into SAP, a Copyright dialog appears with the user's last logon time, and every time each user has to click Continue on the dialog box. This is the case only with the QAS system, and for each QAS client - 000, 200 and 220.
    This is a kind request to help me disable the dialog box at SAP logon: what do I have to configure in SAP QAS for its removal, and where?
    Thanks and Best Regards,
    Chandrakant

    Hi,
    SAP is obliged by law to display the screen. The logic of when the copyright screen is displayed is that when a user logs on for the first time, the screen is displayed; subsequent logons are without the copyright screen. Also, logging on in different languages will cause the logon screen to be displayed.
    One reason is that there are no language-specific copyright texts stored in the relevant tables - hence we cannot store that the user in question has seen the actual copyright text and have to display this popup again and again.
    The reason for these missing texts may be that you did not import the corresponding language, as I can see in SMLT.
    The language supplementation does not take into account the long texts and we cannot do any fallbacks for these texts due to legal reasons.
    Regards,
    Naveen.

  • SAP GUI (SAP LOGON 620).Problem connecting to R/3

    Hi, I installed SAP 4.7 successfully. I could see the SAP R3 Management Console started properly. After installing SAP GUI, I tried to connect from SAP Logon. I get an error: a box opens
    Which has title 'Syntax Errors'
    and fields in the box are,
    Syntax error in program -
    in include                      -
    in line                           -
    Last changed by           -
    Author                         -
    Any help on this would be greatly appreciated. I tried to google but could not find any reasonable answer.
    I also tried to connect to R/3 from another box, but got the same result.
    Thanks in advance
    Durga

    Mantosh,
    I don't see any user defined on my logon pad. All I see is Properties, Groups, Server, New, Delete.
    Manas,
    Still no luck. I changed it as advised, but I still get the 'Syntax Errors' window.
    Here is my SAPLogon pad after the changes you suggested.
    [Configuration]
    SessManNewKey=4
    [MSWinPos]
    NormX=38
    NormY=71
    [Router]
    Item1=
    Item2=
    [Router2]
    Item1=
    Item2=
    [RouterChoice]
    Item1=0
    Item2=0
    [Server]
    Item1=10.10.10.12
    Item2=SR1
    [Database]
    Item1=00
    Item2=
    [System]
    Item1=3
    Item2=3
    [Description]
    Item1=sap 4.7d
    Item2=SAP 4.7E
    [Address]
    Item1=
    Item2=
    [MSSysName]
    Item1=SR1
    Item2=
    [MSSrvName]
    Item1=
    Item2=
    [MSSrvPort]
    Item1=sapmsSR1
    Item2=
    [SessManKey]
    Item1=3
    Item2=2
    [SncName]
    Item1=
    Item2=
    [SncChoice]
    Item1=0
    Item2=0
    [Codepage]
    Item1=1100
    Item2=1100
    [CodepageIndex]
    Item1=-1
    Item2=-1
    [Origin]
    Item1=USEREDIT
    Item2=USEREDIT
    [LowSpeedConnection]
    Item1=1
    Item2=0

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass the SAP Logon ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • SSO to SAP via SAP Logon Group

    Hi,
    I've tried to configure SSO to SAP via SAP logon group. When trying this I'll get the following error:
    Connect to message server failed Connect_PM MSHOST=<server>, R3NAME=IB1, GROUP=IB1_Web LOCATION CPIC (TCP/IP) on local host ERROR The message received isn't from a message server. Are you really connected to the message server? Please check your connection parameters. (<server> / sapmsIB1) TIME Tue Dec 16 16:48:49 2008 RELEASE 640 COMPONENT MS (message handling interface, multithreaded) VERSION 4 RC -2
    I've also configured the file services under winnt\system32\drivers\etc on the BO server with the following line:
    sapmsIB1      443/tcp
    Is there anything I'll have to configure too? Or what does this error mean? The server which I have tried to reach is a message server.
    Thanks in advance.
    Claudia

    Hi Ingo,
    yes I can connect with SAP GUI via message server and application server. I can also connect with BO via sso to the application server. Only the message server failed.
    I have now found out that I had the wrong port. But also the right port doesn't work. I have tested the port with telnet. The port is reachable.
    Thanks
    Claudia

  • How to implement SSO to non-SAP systems using SAP logon ticket?

    Hello,
    We would like to implement Single Sign On between our SAP NetWeaver system and Siebel, which is a non-SAP system, using SAP logon tickets.
    Can anyone please give me some leads on this, in particular:
    1. Is there a JAVA API or an SAP plug-in that can be implemented on the Siebel machine to extract the SAP logon ticket?
    2. As the other machine might sit on a completely different domain, is it possible to implement SAP logon ticket without using cookies (perhaps through the HTTP header)?
    3. In case you think using SAP logon tickets is not the best solution here I would be happy to hear any other suggestions you might have.
    Roy

    Hi,
    I'm currently using SAML as well. Unfortunately the SAP J2EE cannot work as an authority (identity provider), but what you can do is use an open implementation of SAML such as opensso, which is an open version of Sun's Java System Access Manager.
    There are a couple of other projects such as opensaml, apache's wss4j or shibboleth that might be interesting in this context.
    I just installed opensso and got it working with SAP J2EE 7.0 using SAP's JAAS SAMLLoginModule to authenticate users within SAP J2EE.
    In this scenario opensso serves as identity provider just as you need! There are a couple of policy agents available on Sun's download site you can use with Apache, Tomcat, JBoss, WebSphere, BEA WebLogic etc. in order to authenticate! Otherwise you just directly authenticate against opensso. When installing opensso you can configure the type of user store you want to use! By default it uses LDAP but you can also use different types of user store using JDBC or other mechanisms. Since you have a Directory Service you could easily connect it to your existing directory.
    There is also a way to map user ids directly in opensso by adding a uid mapping class. I created some documentation with lots of screenshots about using opensso with SAP J2EE. You can easily use opensso with any other system that supports SAML. In the case of SAP the usage is currently limited to SAML versions 1.0 and 1.1. Version 2.0 is not yet supported but should be in one of the following versions.
    Here are some links you might want to check:
    OpenSAML: https://spaces.internet2.edu/display/OpenSAML/Home
    wss4j: http://ws.apache.org/wss4j/
    shibboleth: http://shibboleth.internet2.edu/
    opensso: https://opensso.dev.java.net/
    On SDN you will find a documentation on how to connect SUN Java System Access Manager to SAP J2EE (see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570). As I said opensso is based on the SUN Access Manager code and looks quite the same. So you can adapt this documentation in order to configure opensso or you can just ask me for the documentation.
    Hope this is helpful...
    Let me know if you need further assistance on this topic
    Cheers
