SSO to SAP via SAP Logon Group

Hi,
I've tried to configure SSO to SAP via SAP logon group. When trying this I get the following error:
Connect to message server failed Connect_PM MSHOST=<server>, R3NAME=IB1, GROUP=IB1_Web LOCATION CPIC (TCP/IP) on local host ERROR The message received isn't from a message server. Are you really connected to the message server? Please check your connection parameters. (<server> / sapmsIB1) TIME Tue Dec 16 16:48:49 2008 RELEASE 640 COMPONENT MS (message handling interface, multithreaded) VERSION 4 RC -2
I've also configured the file services under winnt\system32\drivers\etc on the BO server with the following line:
sapmsIB1      443/tcp
Is there anything else I have to configure? Or what does this error mean? The server which I have tried to reach is a message server.
Thanks in advance.
Claudia

Hi Ingo,
yes I can connect with SAP GUI via message server and application server. I can also connect with BO via sso to the application server. Only the message server failed.
I have now found out that I had the wrong port. But also the right port doesn't work. I have tested the port with telnet. The port is reachable.
Thanks
Claudia

Similar Messages

  • Java connector calls against sap system with logon groups

    hi there.
    i want to use java connector to connect to a sap system and run a function. my problem: the sap system has more than one instance and i do not want to connect against the central instance. i want to use a logon group. does anyone have an idea how to handle this?
    thanks,
    martin

    hi,
    check this
    http://help.sap.com/saphelp_nw04/helpdata/en/f6/daea401675752ae10000000a155106/frameset.htm
    http://nwadave.com/NwadExplorer/data/SAPDoc/architecture/SAP-Client_LogonAndCommunication.doc
    let me know  u need any further info
    bvr

  • SAP Portal J2EE logon groups

    Please can you help.
    Within ABAP you can go into SMLG and configure logon groups so you can separate user groups to particular application instances.
    I would like to do the same within NW Portal and CE.  We have external and internal users accessing the portal (NW 7.0). I have web dispatchers to load balance across application instances; however, is it possible to create logon groups and dedicate application instances to these user groups?  I have read that you are able to do this, however the user groups would require different URLs and then the Web dispatcher can filter the URL and assign it to the relevant Java logon groups.  The requirement which I have is that I am unable to change my URL, so external and internal users use the same URL. Please note I only have 1 set of Portal Web dispatchers.  The Web dispatchers serve both internal and external users.  Also, for extra information, my portal mainly calls Web Dynpro code from CE.  CE also has Web dispatchers as I have more than 1 CE app server.  I assume, if it is possible, my requirement would also be to create logon groups within CE so external users use certain EP app servers and CE app servers and internal users use other EP app servers and other CE app servers.
    EP is version 7.0
    CE is version 7.2
    WD is version 7.3
    Any help and advice would be appreciated.
    Thanks
    Ajay

    Hi Arjun,
    Thanks - I know how to make the logon groups in Java however I don't want to use different URL's for alias.
    I have 1 URL for example  jo.blogs.com/irj/portal which both my internal and external users use.
    Is there any way I can make use of the logon groups without having to give my users 2 separate different URLs?
    Thanks
    Ajay

  • Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

    Hi!
    One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.
    Example: p:CN=SAP/[email protected]
    The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).
    Important: All users use group entries in the SAP Logon (saplogin.ini). Means, for SAP logon the SNC name can not be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested by the message server each time a SAP GUI connection is started. The SNC Name is greyed out in this case as dynamically obtained from the applications servers profile parameter snc/identity/as.
    Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.
    Replacing the SNC Library on the AS ABAP
    The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is =  p:CN=SAP/[email protected].
    After restarting the system with initialized Secure Login Library 2.0, still the SNC client encryption works fine for existing users.
    The problem
    We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguished Name format: CN=SAP/[email protected]. This is to avoid having to change the snc/identity/as to a "real" X.509 DN, which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.
    As soon as we install the PSE via STRUST on the system the SNC Client Encryption solution stops working with error „Server refuses kerberos key exchange“.
    As part of an pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. Encryption) to the ABAP system.
    Seems the SAP System now only tries to do X.509 based authentication thus key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP see this post.  
    Any ideas how to solve this and have both solutions in parallel?
    Appreciate any help.
    Regards,
    Carsten

    Hi all,
    we were able to fix the issue. It was an issue with the customer's cluster configuration and the $SECUDIR variable. This tricky issue leads to non-working or sporadically working SNC Client Encryption...
    This was how the configuration looks before:
    Environment variable $SECUDIR is defined:
    "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec“
    sapgenpse seclogin -l -v
    running seclogin with USER="<SID>adm"
    Credentials for username '<SID>adm':
    0 (LPS:OFF):
             (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
    1 (LPS:OFF):
             (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
    After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec“ and re-creating the credentials, it worked like a charm.
    As a result of this we can confirm, this configuration and SNC Client Encryption works with CommonCryptoLib in parallel to the SSO configuration.
    And Valerie was right with 2. SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC Name into an SPN, was my mistake. In addition SNC Client Encryption starting from Version 1 SP1 PL1 does this also.. just to make this clear
    Thread closed hope this helps someone
    Carsten
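
The check that Carsten's fix implies, as an added example that is not part of the original thread: it reads a `sapgenpse seclogin -l -v` listing in the format quoted above and reports every PSE credential whose directory differs from `$SECUDIR`. The function names and the sample values (SID `AB1`, instance `DVEBMGS00`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag PSE credentials that live outside $SECUDIR.
# Input format follows the `sapgenpse seclogin -l -v` listing quoted in the post.

# Constructed sample listing (SID AB1 and instance DVEBMGS00 are made up).
sample_listing() {
cat <<'EOF'
running seclogin with USER="ab1adm"
Credentials for username 'ab1adm':
0 (LPS:OFF):
         (LPS:OFF): /ABCDEFAB1/usr/sap/AB1/DVEBMGS00/sec/SAPSNCSKERB.pse
1 (LPS:OFF):
         (LPS:OFF): /usr/sap/AB1/DVEBMGS00/sec/SAPSNCS.pse
EOF
}

# pse_paths: read a seclogin listing on stdin, print one PSE path per line.
# Path lines look like "   (LPS:OFF): /dir/file.pse"; index lines such as
# "0 (LPS:OFF):" carry no path and are skipped.
pse_paths() {
    sed -n 's|^[[:space:]]*([^)]*):[[:space:]]*\(/.*\.[Pp][Ss][Ee]\)[[:space:]]*$|\1|p'
}

# check_secudir SECUDIR: read a listing on stdin and print "OUTSIDE <path>"
# for each credential whose directory is not SECUDIR.
# The comparison is textual: symlinks and cluster mount aliases are not
# resolved, so two spellings of the same directory count as a mismatch.
# Return status: 0 = all credentials inside SECUDIR, 1 = at least one
# outside, 2 = no credential paths found in the input.
check_secudir() {
    secudir=${1%/}          # tolerate a trailing slash
    bad=0
    paths=$(pse_paths)
    [ -n "$paths" ] || return 2
    while IFS= read -r p; do
        dir=${p%/*}         # directory part of the PSE path
        if [ "$dir" != "$secudir" ]; then
            echo "OUTSIDE $p"
            bad=$((bad + 1))
        fi
    done <<EOF
$paths
EOF
    [ "$bad" -eq 0 ]
}

# Demo on the constructed listing, once per SECUDIR value from the thread's
# before/after description. On a real host the input would come from
# `sapgenpse seclogin -l -v` run as the <SID>adm user.
for d in /ABCDEFAB1/usr/sap/AB1/DVEBMGS00/sec /usr/sap/AB1/DVEBMGS00/sec; do
    echo "SECUDIR=$d"
    sample_listing | check_secudir "$d" || true
done
```

A listing in which any line is reported as OUTSIDE matches the mixed state shown in the post, where the two credentials sat under different directory prefixes.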

  • Idoc Scenario from SAP to SAP  via PI 7.1o

    Q: Two idocs will process from SAP to SAP via SAP-PI 7.1o and generated together.
    Requirement :
    Sync
    2 IDOCs – as we explained our design will require two IDOCs. The first IDOC will be developed by a Z code and the second IDOC is generated by 100% Standard SAP BAPIs and 2 IDOCs  send them to PI. Both IDOCs will be generated together by  process code in sap and must be moved to PI and later to the receiver client together(SAP). The process can only be 100% completed when both IDOCs will be processed with success in the receiver side. Any one of the IDOC among 2 idoc's failed all the process should stop.
    I think that is not possible, PI will not be able to stop the successful IDOC if another IDOC fails.
    Please give me approaches if any chance .
    Thanks, Sanakr

    Hi Bhavani,
    You can use BPM with correlation to achieve this scenario:
    Demonstration of ccBPM Scenario: SAP PI 7.1
    **************** - BPM Scenario using Fork and correlation
    Regards,
    Suman

  • Connection to ECC with SAP Logon Group failing

    I'm creating a new system connection to an ECC backend using a logon group (transaction SMLG in ABAP stack).  I have created the connection with the wizard as a SAP_R3_LoadBalancing connection and given it the appropriate Group, Logical System Name, Message Server, Remote Host Type and SAP Client.  Also I've given it an Alias.
    SSO is working correctly between the portal and ECC.
    The System Connection Tests > Connection Test for Connectors works, as can be seen:
    Test Connection with Connector
      Test Details:
    The test consists of the following steps:
    1. Retrieve the default alias of the system
    2. Check the connection to the backend application using the connector defined in this system object
      Results
    Retrieval of default alias successful
    Connection successful
    However, if I try to connect to this system with the Alias, it fails.  If I change the alias to a system with a standard R3 connection with a specified hostname, it works.  The /etc/services is correct and contains the appropriate entries.  Any ideas?
    Regards,
    Graham

    Hi Srikishan,
    Thanks for the response. When user from CRM logged in another language than EN for eg. FR, clicks on external link in CRM, takes to EN, only if that language FR is not installed in ECC, else it will take to the same language in which CRM user logged in. This cannot be controlled in SSO configuration. Is this correct?
    In case if FR is installed in both the systems, ie CRM and ECC, but user wants to log only to EN when clicked the external link(to ECC) from CRM, how we can configure this, Is any parameter can control or SSO setup configuration available? Please advice.
    Regards,
    Shahul Hameed

  • Authorization Check when logon into SAP via ITS

    Hello
    We have implemented Authorization Check after user have logged on to SAP via ITS in this User Exit SUSR0001. It was working fine in 46C version, but after upgrade to ERP 2005, when user logs on into SAP via ITS, this user exits is ignored, while logging normally via SAP GUI; authorization check is performed as before?
    Did anyone else have experienced the same problem?

    From what I understand something on that line changed.  We are still hanging on to our external ITS 6.20 so I am afraid I can not go into details.

  • BO 4.0 - Database error: Unable to connect to SAP BW Incomplete logon data

    Hello Experts,
    I have enabled a 'SSO to database' between SAP BW and Business objects by referencing to the documents related to below link.
    [http://wiki.sdn.sap.com/wiki/display/BOBJ/HowtosetupSSOagainstSAPBWinSBOBI4.0forLDAPusers]
    I have created a universe connection with option 'use single sign on when refreshing reports at view time' and have created a universe on top of my BEx query by log-in to the universe designer tools using my LDAP account.
    Now when I run the report with either SAP account or LDAP - I am able to run a adhoc webi report on this universe and get data either through the webi rich client or via BO 4.0 Info-view/Launch Pad.
    But the issue is that when other users are trying to run webi queries on this universe either through Info-view/launch pad or rich client by log-in via LDAP Authentication - they get the below error: I have given SAP_ALL to this user for time being and also have done the necessary configuration for 'simple user format' in CMC so these user has 1 account with 3 alias definitions: Enterprise, SAP, R/3.
    Database error: Unable to connect to SAP BW server Incomplete logon data -
    If the user logs on into the BO 4.0 Info-view/launch pad or webi rich client using his SAP authentication than he is able to run and retrieve data.
    I also get a dump in the SAP BW system - I analyzed the dump in SAP BW using st22 tcode and it gives the error short text as - Incomplete logon data and run-time error -  CALL_FUNCTION_SIGNON_INCOMPL
    Desired outcome:
    I want the users to log-in to webi rich client or BO 4.0 Launch pad/Info-view using their 'LDAP'  authentication and run reports against the universe on SAP BW/BEx query without any errors or additional username/password requirements.
    Can someone please tell me if I am missing any steps/configuration and guide me to achieve the above mentioned desired result ?
    Any help in this matter would be greatly appreciated.
    Thanks & regards,
    CD.

    Hi Simone,
    Thank you for the reply.
    Here are the things done by me.
    1. Generated the keystore file and imported it in BI 4.0 CMC on  SAP Authentication Option tab
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/GeneratekeystoreandcertificateforSAPBO+BI4.0])
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/SetupofSAPSSOServiceinSAPBOBI4.0+CMC])
    2. Generate the certificate file cert.der and this cert is imported in SAP BW with STRUSTSSO2 transaction.
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/ImportSAPBOBI4.0certificateintoSAP+BW])
    3. BW Roles/Users have been imported into CMC.
    4. SAP Users and LDAP users are mapped/aliased with each other using the registry key method
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/HowtomapSAPusersandLDAPusersinSBOBI4.0+CMC])
    I haven't explicitly configured STS (Security token service) as STS is a part of Adaptive processing server (APS) and I have verified that by going to servers in CMC and then to analysis services.
    I have searched for SAP OSS notes related to my issue but couldn't find any note related to SAP BW SSO with Business objects 4.0. Most of the notes are relevant for BO XI 3.1 environments.
    Thanks & regards,
    CD.

  • SSO from non-SAP to SAP apps

    Hi All,
    Currently We have SAP applications, non-SAP applications(java, .NET, PHP etc) in our landscape.
    If the client tries to access any non-SAP application it should ask for authentication and thereby for any subsequent access to any URL's(SAP or NON-SAP apps) it should not ask for any authentication.
    FYI:
    The client logins into SAP Portal(SAP to NON-SAP) first and thereby able to achieve SSO for non-SAP applications as well.
    Currently we are stuck on the scenario of Non-SAP to SAP apps?
    Please suggest.......
    Thanks,
    Mano.

    Hi samuli,
    Using SPNEGO, we can incorporate windows authentication for SAP Portal ( after desktop authentication user can logon without userid/password). But for non-sap apps this would be challenge.
    I have another option, using webdispatcher if we enable server redirect for all applications(SAP & NON-SAP) and get authenticated centrally by which SSO can be achieved across all the apps.
    Would above solution work ?
    Thanks,
    Mano.

  • User is getting email delivery failure when processing via SAP as it tries to send an email to a user who have left the company

    Hi Experts,
    I need to remove a name on a group list in Outlook as the user is getting email delivery failure when processing via SAP (He sends the invoice for approval and emails get sent to different users for approval.) One of those users has left the company and so the user gets a email delivery failure error.
    How do I remove this user who is no longer with the company?
    The user is saying: When I approve an invoice in SAP it sends an email notification through outlook. One of those users is no longer with the company so it cannot deliver the notification, and in return send a delivery failure (in outlook). I am approving the invoices from my SAP Workplace inbox.
    How do we know what group the email is going to?
    Please let me know if you have seen this issue before. Greatly appreciate your help.
    Thanks,
    Asad

    Hi,
    Please check whether you are using a custom z program for sending emails of approved invoices to users. If yes then either the user email ids are hardcoded in the program else a ztable is maintained for them.

  • Rfc conn.: Connect to SAP gateway failed , edit: Group PUBLIC not found

    Hello!
    I want to create a RFC connection.
    In the "Connection and Transport"-Tab I fill out the fields: Target Host, System Number and System ID.
    If I save the destination the fields Gateway-Host and Gateway-Service will be automatically filled out with the same input value of the Target Host field.
    But there is no gateway for this system and if I ping the destination the following error message is shown:
    Error during ping operation: Connect to SAP gateway
    failed Connect_PM  TYPE=A ASHOST=sma82 SYSNR=01
    WHOST=sma82 GWSERV=sma82 PCS=1 LOCATION    CPIC (TCP/IP)
    on local host with Unicode ERROR       service sma82
    unknown TIME        Thu Sep 27 11:27:37 2007 RELEASE   
    710 COMPONENT   NI (network interface) VERSION     39 RC
             -3 MODULE      nixxhsl.cpp LINE        643 DETAIL
          NiHsLGetServNo: service name cached as unknown
    COUNTER     6
    How can I handle this?

    Hi,
    I have attempted to configure the Destination with a co-worker who successfully configured a Destination to the same R/3-System but with SAP NetWeaver 2004s and not with SAP Netweaver CE 7.1 SR1.
    He said that in his case he connects to the Message-Server so we activated “Load Balancing”.
    The Message-Server will be found now but the Logon Group can’t be found:
    Error during ping operation: Connect to message server host failed Connect_PM  TYPE=B MSHOST=xxx.xxx.xxx GROUP=PUBLIC R3NAME=TDE MSSERV=sapmsTDE PCS=1 LOCATION    CPIC (TCP/IP) on local host with Unicode ERROR       Group PUBLIC not found TIME        Tue Oct 02 12:28:09 2007 RELEASE     710 COMPONENT   LG VERSION     5 RC          -6 MODULE      lgxx.c LINE        4392 DETAIL      LgIGroupX COUNTER     15
    But the Logon Group is PUBLIC! I checked it with SMLG.
    Any ideas?
    Regards,
    Armin

  • SSO E-Sourcing and SAP GUI for HTML

    Hi,
    We are trying to provide integration between SAP E-Sourcing and SAP ECC via the SAP GUI for HTML. From an E-Sourcing project, we should define a link which will link us to the report via SAP GUI for HTML. Some parameters are automatically transferred via the URL so that the report will be prefiltered.
    The problem arises that we cannot create a SSO mechanism between SAP E-Sourcing and SAP GUI for HTML. The only documentation we can find is how to setup this SSO between the Portal and ESO (only included going from the EP to ESO). We need to find a way to do the opposite, i.e. SSO from ESO to SAP / EP.
    Thnx,
    Bram

    Dear Chong,
    I have come across the following information about SAP GUI for HTML:
    With the version 7.02 / 7.20 of the NW Application Server the SAP GUI for HTML has been completely reworked.
    1. The rendering is now based on Unified Rendering which is also used by many other SAP UI technologies.
    2. Similar Look & Feel as other UI technologies
    3. Better Portal integration
    4. Full Theme support
    5. Unified client requirements
    But I have not come across any note which converts the SAP GUI for HTML to SAP GUI for Windows in appearance. I think the point 2 mentioned above says that in this version the SAP GUI for HTML will have an appearance like the other UI.
    Pls refer the [link|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d06db80d-ebf4-2a10-6b99-faa652c69d5c?QuickLink=index&overridelayout=true]
    Hope it helps.
    Regards,
    Samir

  • EC-CS Reports via SAP NetWeaver Technology

    Hi Guys,
    I would like to know if its possible report consolidated financials (EC-CS tables) via SAP NetWeaver technology. Can I use web services to fetch data from EC-CS tables (FIMC table, for example).
    Please, let me know tips to start that work.
    thanks in advance,
    Luciano

    Hello Ariel,
    EC-CS. Does consolidation of financial data based on group, company code,business area, profit center etc.
    SEM BCS Does consolidation of financial data based on consolidation units which can represent, for example, companies, plants, business areas, profit centers, and cost centers.
    EC-CS part of ECC 6.0 and SEM BCS 6.0 does the same thing.
    EC-CS part of ECC 6.0
    Pros:
    Consolidated data is on the same system ECC 6.0 ( OLTP)
    The reporting part is carried out with report writer.
    Drill down and basic reporting.
    Cons
    Reporting on large amount of data does take a toll on the system
    Rolling 12- 24 month report
    Comparing actual/prior/budget
    Reporting flexibility is limited
    SEM BCS 6.0
    Pros
    The data is extracted into the underlying BW/BI system which operates exclusively for consolidation.
    Sky is the limit in terms of customization and delivery of reports with Bex functionalities like Bex Analyzer, Web Application Designer, Report Designer.Reports can also be directly printed in Excel, Pdf format.
    Reporting needs wont affect the performance of ECC 6.0.
    Cons
    SEM Implementation cost
    Hope this gives a rough Idea. Let me know if you have any further concerns or comments.
    Thanks
    Raj

  • Unable to clear the invoice/credit in SAP via T-Code F-04

    Hello Guys,
    Unable to clear the invoice/credit in SAP via  T-Code F-04.
    While I proceed to clear the customer open item I am getting the below error.
    " The Entry GB XX Is Missing in Table T059Q".
    Kindly suggest what needs to be done to overcome with this message.
    Thanks and regards,
    Hemanth.

    Hi Hemanth,,
    Hope you are using Classic WHT for your company code in country GB.
    And the Classic WHT tcode XX was maintained in customer master data, but the same code would have been deleted from the system. Since these line items to be cleared also stored that tax code only, you are getting this error in F-04.
    So you need to create the above said tax code in OBA7 and then you will be able to clear the customer line items with F-04.
    Regards,
    Srinu

  • Error while attaching PDF to FI doc via SAP services

    Hi,
    I am calling the SCMS_DOC_CREATE_FILES function module to attach a PDF to an FI doc via SAP services, and SAP internally calls the standard function 'HTTP_POST_FILES' with RFC_DESTINATION 'SAPHTTPA', which returned an error due to connection failure.
    RFC DESTINATION SAPHTTPA checked and   its working fine.
    call function 'HTTP_POST_FILES' destination rfc_destination
        EXPORTING
          uri                   = absolute_uri
          path                  = component_path
          proxy                 = proxy
          trace                 = http_trace
          prefix                = component_prefix
          user                  = user
          pwd                   = password
        IMPORTING
          status                = status_code
          stext                 = stext
          error                 = cerror
          etext                 = comp_err
        TABLES
          resp                  = response_entity_body
          resphead             = response_headers
          reqhead               = request_headers
          comp                  = components
          compx_255             = componentsx
        EXCEPTIONS
          system_failure        = 1  message msg
          communication_failure = 2  message msg.
         output:   Sy-subrc is 0 and status_code is '403'
    response_entity_body internal table return the below error information:-
    -     HTTP/1.1 403 Forbidden
    -     Server: Apache-Coyote/1.1
    -     X-ErrorDescription: Genuine channels operation exception: Can not connect to the remote host "gtcp://127.0.0.1:49008". System error message: No connection could be made because the target machine actively refused it 127.0.0.1:49008.
    -     Content-Type: text/html;charset=utf-8                           Date: Tue, 08 Nov 2011 21:36:02 GMT
    -     Connection: close
    Please help i am not to able find the reason why i am getting status_code is '403' and RFC failed.
    Thanks
    Sireesha
    Edited by: Sireesha_SAP on Nov 10, 2011 8:53 PM
    Edited by: Sireesha_SAP on Nov 10, 2011 10:16 PM

    Hi,
    I would like to know what font type, you are using in the forms.
    Ideally it should be HELVETICA .
    If you are using any other font in your style/form,try changing it to HELVETICA & Test.
    Also Check the OTF data at the call of gen. FM,before converting it to PDF.
    Regds,
    AS
    Edited by: abheesawant on Oct 12, 2011 7:48 AM
