SSO to SAP using workstation password (GUI/Web)

Hello All - I am very new to this area and I am analyzing a SSO solution to implement in our company where in the User's workstation password will be the only authentication to logon to SAP.  We are looking into SSO using Kerberos but we are still not clear on the solution. Below are some of the questions that I can think of from the top of my head.
1) What is the pre requisite to logon to SAP without password? AD/etc...
2) Can logon via. SAP Logon GUI be passwordless? If yes, what is the solution/technology? Also if passwordless GUI log on is possible, what will be situation where a system has more than one client? Will it prompt to enter the client number?
3) WIll SSO work across multiple landscapes like 4.7, MySAP, BW, Netweaver, etc?
I apologise ahead if I my questions are very vague. Kindly bear with me and point me to the right information, so that I can have the analysis of SSO ready for my company.

>
Kishore Karuppan wrote:
> Hi Guys -  Iam back again. I am not sure if  I need to open a new thread since  I marked that my question was answerd. I had a chance to discuss the possibilties of enabling single sign on to GUI and my web with the experts in our company and we have the below questions. Since we already have Kerberos enabled in our workstations, we like the idea of installing SNC libraries.
Good choice Yes, you could have opened another thread, but I am happy to help you using this thread.
> 1) Will SSO via. GUI using SNC libraries will work for all versions of SAP including 4.5, 4.6, mySAP, etc.. (I just want to ensure that I covered 4.5, 4.6, mySAP as well, as I didnot mention this in my previous post)?
Yes, SNC is supported on versions of SAP ABAP AS since 3.1I through to NetWeaver 2004s and beyond. So, you can use same solution for all versions of SAP in your landscape, and on all platforms as long as the vendor product you use has libraries for the operating system.
> 2) Will installing SAPNEGO module enable single signon for web for all versions of SAP?
Yes, this is one option as it uses Kerberos capability already included in IE browser and also in Firefox browser - there is therefore no client software required and you can utilise Kerberos credentials already on workstation.
> 3) Is there a whitepaper or a source where we can verify the above so that can get approval to get help from the SAP or SAP partners to devise a SSO plan for our complex SAP landscape?
As I explained before - some of this functionality is provided by SAP Partners so you need to contact one of them to ask for such papers. If you contact me I can give you a demonstration of this technology via a web meeting and answer any detailed questions you might have when you have seen it working. You might want to invite other people from your company as well.
> For some reason, our Security Architect believes that SSO via. GUI is not possible using SNC libraries. I need some data from a trusted source. I did lookup by searching for SSO in thge forums and hwite papers but I am unable to find a source that validates the information.
I can show it to him working, or you can point him to http://www.cybersafe.com/d2 so he can see the products being installed and demonstrated.
> I will have one more follow up question to clarify but I will wait for the response to above. If I have to create a new thread, please let me know and i am happy to do so.
Since you have started on this thread you might as well continue. No need to confuse matters by opening new thread, but in future when a thread is closed it is better to open a new one if you have additional questions.

Similar Messages

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2 probably you can checkout the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    checkout the following how to guide.
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • How to integrate Microsoft and SAP using Web Services?

    Hi All
    How to integrate Microsoft and SAP using Web Services? If any one has document please send it to me. My id is [email protected]... Please
    Help me
    Best Regards
    Ravi Shankar

    Hi Ravi,
    This is for Customizing Email and Other Web Services.
    Create addresses
    The address maintenance of R/3 users is carried out either via the R/3 User Maintenance (Transaction SU01) or the Private office settings (Transaction SO12):
    Address --> Other communication...
    Selection of the required communication service.
    Enter address.
    Copy or save.
    b) Configuration of SAPconnect (Transaction SCOT)
    Set communication method
    4.0 + 4.5: Goto --> Customizing --> Communication methods
    as of 4.6: Settings --> Communication methods
    Set the method of the required communication service to the value 'SAPCONNECT' and save the setting.
    Customized the same for Internet mailing.
    C) If you want to Transfer Table Structure Values from SAP R/3 to Web Services then
           1. Create BAPI and Transfer whichever things you want.(Note: The Structure
               of BAPI should be similar to Web Structure (Datatypes).
           2. Create a BDC and Schedule it in the Background.
    Hope it helps you, Awaiting for the Reward Points.
    Thanks
    Subrato Chowdhury

  • Lost my phone. reset my icloud password, now its asking me to sign in from the phone before i could use it on the web, and i need to access my icloud account from the web. what shall i do ?

    lost my phone. reset my icloud password, now its asking me to sign in from the phone before i could use it on the web, and i need to access my icloud account from the web. what shall i do ?

    Welcome to the Apple community.
    If you are unable to remember your password, security questions, don’t have access to your rescue address or are unable to reset your password for whatever reason, your only option is to contact Apple ID Support, upon speaking to an operator you should explain that your problem is related to your Apple ID, this way you will not be charged for assistance, even if you don’t have an AppleCare plan.
    The operator will take you through some steps you may have already tried, however they need to be sure they have exhausted all usual approaches before trying to reset your account, so you should try to be helpful and show patience with the procedure.
    The operator will need to verify they are speaking to the account holder and may ask you some questions that only the account holder could know, and you will need to answer them if the process is to proceed.
    Once the operator has verified your identity they will send a message through to your device which contains an alpha numeric code, which you will need to read back to them.
    Once this has been completed they will send an email to your iCloud email address after a period of 24 hours, so you should check that mail is enabled in your devices iCloud settings.
    Upon receipt of the email, use the reset link provided to reset your password, after which you should be able to make the adjustments to iCloud that you wish to do.

  • Ost my phone. reset my icloud password, now its asking me to sign in from the phone before i could use it on the web, and i need to access my icloud account from the web. what shall i do ?

    i have lost my phone. reset my icloud password, now its asking me to sign in from the phone before i could use it on the web, and i need to access my icloud account from the web. what shall i do ?

    Welcome to the Apple community.
    If you are unable to remember your password, security questions, don’t have access to your rescue address or are unable to reset your password for whatever reason, your only option is to contact Apple ID Support, upon speaking to an operator you should explain that your problem is related to your Apple ID, this way you will not be charged for assistance, even if you don’t have an AppleCare plan.
    The operator will take you through some steps you may have already tried, however they need to be sure they have exhausted all usual approaches before trying to reset your account, so you should try to be helpful and show patience with the procedure.
    The operator will need to verify they are speaking to the account holder and may ask you some questions that only the account holder could know, and you will need to answer them if the process is to proceed.
    Once the operator has verified your identity they will send a message through to your device which contains an alpha numeric code, which you will need to read back to them.
    Once this has been completed they will send an email to your iCloud email address after a period of 24 hours, so you should check that mail is enabled in your devices iCloud settings.
    Upon receipt of the email, use the reset link provided to reset your password, after which you should be able to make the adjustments to iCloud that you wish to do.

  • XI Installation: SAP System Account+Password- Login failed

    Hi All,
    This is my first attempt in installing XI.
    I have installed SAP Web AS 6.40 ABAP+Java System and am trying to install XI now.
    I can also confirm that my J2EE engine is up and running. I ran the J2EE example on HTTP using port 50000.
    Here is my basic config:
    VMWare with Windows 2003 Server SE, 60Gigs dedicated HDD space, 2Gig RAM, MS SQL Server 2k Enterprise SP4.
    My Problem is that when I run the "XI Installation" from "NetWeaver Components Running on Java" I get asked for my SAP System Account's (user: l01adm) password. I know what my password for System account is, but for some reason I get "Invalid Password" error message from SAPInst GUI program.
    Since I am very new to SAP Web AS and XI, there could be quite a few reasons why this is not working.
    Could anyone please shed some light my direction regarding the possible things that could be causing my problem?
    Regards,
    -Alen Ribic

    C if any of these threads can help you out -
    XI Installation: invalid XI SAP <sid>adm password
    Re: invalid password during xi-installation
    Also ref note : 721548

  • JCOerror: This system does not let you log on using a password

    Hi,
    "JCOerror: This system does not let you log on using a password"
    This is the error message I get from MII tries to connect to the Production ECC using my credentials to perform a BAPI call.
    These credentials work fine interactively (using the SAP GUI) and for BAPI calls from MII on SAP Development instances.
    I can interpret this message in two ways:
    - My login can not log on using password (though I can interactively)
    - The server does not allow logging on using password only. (It might require to pre-authorize the connecting server as well).
    I guess my question can be if this error requires adding additional rights to my login for the production environment, or if this is a global SAP setup for this system?  Or something else?
    In either way, what is required to have this work?
    Thanks.

    Hi,
    Kindly try the following options.
    Try executing the BAPI seperately in se37, using your login credentials.
    Check whether RFC is enabled for the BAPI.
    Check whether the SAP server is details are furnished correctly in "SAP Server"(available under "Data Services") editor.
    We can ensure this by checking the connection status link in xMII.(Link is available under "Data Services").
    If connection status is "Running" then SAP server setting configuration is fine. Else it is not configured properly.
    Try executing the BAPI in BLS(Business Logic Services) using JCO connector.
    I believe if any one of these scenarios fail then "Proxy Error" might thrown.
    Thanks
    Rajesh Sivaprakasam

  • SSO to SAP works but no OLAP Connection per SSO Auth

    Hi experts,
    we have setup an SSO for the Authentication of SAP BW and SAP BO and used the portal integration. We are using SAP BO 4.1 SP4 and SAP BW 7.4.
    We use the Login via Netweaver Portal go then to the SAP BO where the reports are stored.
    The SSO login works fine, but the OLAP connection to the SAP BW system does not fly. I have tried to create a connection via IDT. This works.
    After that I created a WebI report in the Applet and chose BEx Connection and retreived the error:
    error.openSapBwBrowsingSessionFailed
    Then i tried the WebI Rhich Client and recieved the message: Unknown Error in SL Service and Even do not recieve the list of possible Bex connections.
    We are using SNC for the user authentication in SAP BW.
    An now it is getting very unnormal:
    When i go the IDT tool and create the connection again and republish this to the repository and try to connect again via WebI Applet, i do not get the error message again.
    Can you please assist, as our Business user can not publish their OLAP connection.
    Regards,
    Markus

    The new Business Objects version (BI 4.0) comes with a new authentication
    technology to create a trust relationship between a non-SAP user and the SAP
    data source. How to determine the correct method to be used?
    When using legacy .unv universes (XI 3.1 technology) = SNC
    When using .unx environments (BI 4.0 new semantic layer) = STS
    when you try to connet BICS connection or IDT it is important to use the STS methodology.
    check the below link to have configurations.
    Follows a Wiki link with a "How to setup SSO against SAP  BW in SBO BI4.0 for LDAP users".  and follow the raunak kumar suggestion when you configire SNC and STS.
    http://wiki.sdn.sap.com/wiki/display/BOBJ/How+to+setup+SSO+against+SAP+BW+in+SBO+BI4.0+for+LDAP+users

  • SSO between SAP Portal 7.3 and Ruby on Rails

    Hello Everyone,
    We are planning to integrate SAP Portal 7.3 and a RoR application and I am wondering If someone can share some experience (If you have any of course) on how to establish SSO between SAP Portal and RoR.
    The SAP Portal will act as service provided and RoR as a consumer, we don't have LDAP, so the Portal UME is in ABAP and RoR uses an own UME database. We have SSO between our Portal and SAP Backend systems.
    In RoR customers will have access to their own information (Invoices, etc..) that will be provided by the backend system.
    URL transaction and iFrames is not an option for us.
    The second option is to call Web Services, directly or through the SAP Portal (we are using a central sr).
    I am a NetWeaver consultant who heard about RoR but have no experience in this field.
    All help and tips are greatly appreciated!.
    Regards,
    Ridouan

    We used Client certificates. Still working on the PoC.

  • My experience of SSO between SAP Portal6.0 and non-Sap Application

    Firstly I announce that I am not a Sap developer or a Sap Consultant.  I am a Cognos Consultant. I need do SSO between Sap Portal and Cognos Portal in my project, So I have to make SSO between two portals.
    I  tested  SSO between the two products on IIS5 of Windows XP and IIS6 of Windows 2003 and passed.
    Step 1:  Copy sapsecin.exe and sapsecu.dll on any directory where you want, such as “C:PortalSecurity”
    Then add this  directory  to your Environment variable PATH. You can find the two files on sapserv<x> under general/misc/security/SAPSECU/<platform>;
    Step 2: Copy your Filter ISAPI Files IIS_SSO.dll or IIS6_SSO.dll in any directory where you want, such as “C:PortalFilter”. You can find this two files on SAP note 442401.
    Step 3:  Get you ‘verify.pse’  which is located in
    <irj>
    ootWEB-INFpluginsportalservicesusermanagementdata  and put it on the same directory with your ISAPI Files ,such as C:PortalFilter
    (According Sap Support articles , IIS_SSO.dll should be used on IIS 5 and IIS6_SSO should be used on IIS 6,but I can not load IIS_SSO.dll on IIS 5 of Windows XP, I use IIS6_SSO.dll );
    Step 4:  Create a new file named ‘verify.properties’ , the content of this file see the appendix A;
    Step 5:  Load the IIS6_SSO.dll on your IIS. On IIS5, Select  Website Properties—ISAPI Filter—Add IIS6_SSO.dll and name it ‘wp’ . On IIS6,do as such and Create a Web Extensions  named  ‘wp’ and allocate file IIS6_SSO.dll. Finally restart the www service.
    I
    If you can load the filter successfully, you will see the  filter color is  green.
    On IIS6,Maybe you find that you can’t load your ISAPI file IIS6_SSO.dll, Its state is unloaded and its color is red. I am confused by this question long time. I finally found you must install some R3 dll files on your system! The .dll files which I mentioned can be found in SAP note 684106, put it in a same directory with your security files, such as C:PortalSecurity and restart your web server.
    (The steps above I reference Chris beck ‘s topic)
    Step 6: I write an  ASP file named ‘headerdumper.asp’ on my website and create a i-view to show my asp file in SAP Portal. If you succeed, you can see the http header variable<your logon name> in ASP page. If you application can receive http header variables, then Congratulations! You have apply SSO successfully.
    If your log file show ‘Can't find MYSAPSSO2 ticket cookie for URI "" on host "", don’t worry about it. I am confused by this question long time though.  I found the key cause the errors are cross domain or different DNS suffix.
    I tested 3 scenarios :
    1 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://sap-server:80/headerdumper.asp, You can’t access this asp page from i-view . I am sorry that I have no idea about this.
    2 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://your-server:80/headerdumper.asp, Your log will show ‘Can't find MYSAPSSO2 ticket cookie for URI "" on host "". because they have  no domain name, which is seemed that they meant different  domain.
    3 you must deploy your asp file and sap portal like below ,So you can apply SSO correctly:
    you must access SAP Portal like : http://sap-server.domain.com:50000/irj/portal
    you must access your asp file like http://yourserver.domain.com:80/headerdumper.asp
    then add your asp file as  i-view to your SAP Portal which URL is like  above , you can get Http header variable correctly.
    I am not an native English speaker, I hope you can understand what I said.
    Appendix A The Content of Verfy.properties
    remote_user_alias=REMOTE_USER
    pse_file=C:PortalFilterverify.pse
    application=portal
    log_file=C:PortalFilterverfy.log
    log_level=3
    cache_size= 1000
    Appendix B The Code of headerdumper.asp

    I'd recommend to cross-post your inquiry to the Security

  • XI Installation: invalid XI SAP sid adm password

    During an initial XI installation on top of an ABAP + JAVA NW04 system. In the Java Deployment > Windows Domain installation step i am unable to enter the correct SAP <sid>adm password with below error message:
    "Invalid password. DIAGNOSIS: The password you specified for user 'xi2adm' is wrong. SOLUTION: Enter the correct password."
    In the sapinst_dev.log is the following:
    TRACE      [iaxxgenimp.cpp:845]
               showDialog()
    waiting for an answer from gui
    TRACE      [iaxxcnclhd.cpp:101]
               CCancelHandler::doHandleDoc()
    CCancelHandler: ACTION_ERROR received
    TRACE      [iaxxdlghnd.cpp:187]
               CDialogHandler::doHandleDoc()
    CDialogHandler: ACTION_ERROR received
    TRACE      [iaxxdlghnd.cpp:98]
               CDialogHandler::doHandleDoc()
    CDialogHandler: ACTION_NEXT requested
    TRACE      [synxcuser.cpp:517]
               bool CSyUserImpl::checkPassword(iastring sPassword) const
    checking password of user xi2adm failed
    TRACE      [iaxxdlghnd.cpp:322]
               CDialogHandler::doHandleDoc()
    Invalid password. DIAGNOSIS: The password you specified for user 'xi2adm' is wrong. SOLUTION: Enter the correct password.
    Any insights would be greatly appreciated.

    Vivian Liu,
       I am trying to install XI on Windows2003/sql server.
    I have installed os/sp3/sqlserver/patches/Central Instance/Db instance.
    I have used Administrator account to install this.
    1. When do i need to create  <SID>adm user?
    2. If you have any installation notes with the sequence of steps, can you please send it to me at [email protected]
    Thank you
    Gangas Leaves

  • SAP Menu disappeared in GUI 7.10p4  after update from rel.6.20

    Hi Guys,
    you are my last chance!
    I'm going to update the SAP GUI in all our PCs (about 1500) from rel 6.20 to 7.10 Patch 4. Our PCs are WinXP SP2. This is a requirement due to a system upgrade from 4.6c to ECC6.
    I made some tests and I'm facing this problem:
    in some cases, after the update, I run the GUI, log a userID and the SAP menu is disappeared! (as SAP Menu I mean the tree where you can see also your favorites)
    All the other bars are OK but the SAP menu is missed...
    I tried logging in with many userIDs but the result is the same.
    I'll update the GUI using Tivoli Software Distribution but I'm scared about this problem.
    Has anyone faced a same issue?

    Hello Martin,
    thanks for your information... I checked the file wdttree.ocx and the release is correct (7100.1.4.286). I also checked the file wdtrmenu.ocx and it resulted ok (rel. 7100.1.4.6). I tried to register the files but all was useless...
    On the same PC, if I login into Windows with the local admin account (used for the GUI upgrade), I can see the SAP Menu, if I login into Windows with another admin account, the SAP menu disappears.
    What do you mean when you talk about opening an "official" ticket? Can I open a ticket directly on the SAP's main web site?

  • What kind of SSO shall I use ?

    Hi all,
    We would like to use SSO while logging on through SAPGUI, on SAP systems. The systems are running on both Unix and Windows family. It is important that, they are not attached into the domain. We are using Active Directory on Windows 2003 as domain controller. First question is, can I use SSO between cross domain Unix and Windows SAP servers. And the second question is what SSO shall I use?
    Thank you

    Orkun,
    For this you need to take advantage of the SNC interface provided in SAP GUI and on most versions of SAP app server (later than 3.1I). The SNC interface requires a compatable GSS-API library, which you can obtain from a third part vendor. There is a library available from SAP for this, but it only works if you are using SAP on Windows. Since you have SAP on both Windows and UNIX you will need a product which supports this range of operating systems. The company I represent (CyberSafe Limited) has such a product, and you can find out about it <a href="http://www.cybersafe.com/links/snc.htm">at this location</a>. If you have any questions, or would like to arrange a free evaluation please contact me using my email address given in my SDN business card.
    Thankyou,
    Tim

  • User cannot log in using Opendirectory password but can log in using Crypt

    Hi,
    We have an Xsan environment with Opendirectory authentication. Most of the users are created in Workgroup manager and home folders are stored on an Xsan volume.
    We have noticed (this has happened to two users recently) that sometimes user cannot log in using his password stored in Opendirectory Password server. This is permanent to some specific User/Workstation combination. Other users can log in to the same workstation and this user can log in to other workstations.
    Also, if I change password type to Crypt in Workgroup manager, user can log in to this workstation. In past this happened to another user/workstation combination.
    I tried to create a new Opendirectory password (password ID has changed in WM), with no success.
    Any ideas?
    Thanks,
    Darius

    You say you can log in the web browser right? You can find your username in the following url: https://play.spotify.com/user

  • How to Uplaod Image in BW Server(Images to be used in creation of web appli

    Hi All,
    How can we upload images in BW server, which can be used  in creation of web application which will contain the links to the super user utilities such as super queries and help documentation.
    Regrads
    Premanshu

    Hi,
    Goto SE80-> Mime repository ->SAP ->BW->Customer -> Images -> Right click ->Create mime object -> Show path from local computer and its done .
    After importing image remember to log off and log on from WAD in order to see imported image and include it in the object.
    Hope that helps.
    Regards
    Mr Kapadia

Maybe you are looking for

  • Purchase Order with VAT

    Hi Is it possible to include VAT when creating Purcahse Orders such that the VAT is NOT included in the cost of stocks? Thanks Nadia

  • There is no disk in drive - message won't go away

    Wene i Tunes starts it displays a panel saying "there is no disk in drive, insert a disk in the drive" . Options are "cancel", "try again" "continue" NO matter which option I choose the message comes back again and again making it impossibe to do any

  • Searchs in Portal doesn't search inside the document

    My searchs in oracle portal doesn't search inside the documents. It only works in txt documents, but not in word docuements, excel documents, etc... Patch 3.0.9.8.2 Database Oracle 9i 9.0.1.3.1

  • DYNAMIC PIVOT - Problem with variables

    Dear All, I'm working on a Query that makes use of Dynamic Pivot It is intented to give a summarized list of Income and Expenses month by month I have adapted the foll. Query from SAP B1 Forum to my problem: Re: Date Wise Production Report Unfortunat

  • Finder menu not showing properly

    I restarted my G5 Power Mac after installing additional memory. When I went to the apple icon in Finder to verify the memory was installed correctly, I saw this. I opened a program to see if this only happened in Finder or was universal, but the menu