WiSM2 HA issues AP SSO 7.4

Similar Messages

• Issuer of sso ticket is not authorized SAP gui logon

  Hello,
  Would you please brief me how to enable SSO between two ABAP systems for NWBC.
  We are not able to browse from source system to target system in NWBC, a logon prompt of second system is displayed for each browser session.
  What I did.
  Certified the server certificates with CA.
  Imported the certificate CA into ABAP and browser as well.
  Exchanged the certificates of both systems to each other strust store.
  RFC connections between those two ABAP systems are working fine , without logon prompts.
  HTTPS is working fine in browser without prompting for any certificate.
  After examining the trace using fiddler debugger,
  MYSAPSSO2 cookie is created and the same is being passed on to next system.
  It seems /its/webgui is not able to decrypt/receive this mysapsso2 cookie.
  SSL Server standard is certified by root CA in both abap systems and the root CA is added to strust store.
  ACL list is maintained for each in both systems.
  Issue has been resolved. ACL list is client dependent. So,  entries are maintained in the desired client.
  Now, no more logon prompt .

  Hi Michael,
  Thanks for you rhelp
  But this is not the problem.
  We found something strange in two environments.
  In BW Development (this is OK), the certified in ACL is showing:
  BWD 200 CN=BWD, OU=I0020274560, OU=SAP Web AS, O=SAP Trust Community, C=DE
  In BW Quality (isn´t OK), the certified in ACL is showing:
  BWQ 300 CN=BWQ  (only this)
  Can be this the problem? If yes, how can I solve?
  Thanks
  Carlos

• Facing issue with SSO communication after Upgrade to SAP EP7.31

  Hi Experts,
  This is happening post upgrade of system from 7.0 to 7.31. We are using SSO to connect ECC(back-end system) in two ways, logon Ticket and User-Mapping
  Issue:
  When we click on a tab, lets say "A tab/ User Administration Tab"  which uses User-Mapping to communicate with back-end system and clicking on another tab say, "B tab / Content Administration Tab" in portal which uses Logon Ticket to communicate with back-end system.
  When both the tabs are clicked one after the other the SSO communication should be different, but in our case it uses the same SSO communication for all the back-end communication, which does not delete the cookies / uses the different SSO mode of communication when clicked on the other tabs.
  Kindly help to solve this issue.
  Thanks,
  Preetha Balan

  Hello Preetha,
  Go to SAP Service Marketplace - Home -> Services and Support (from the menu) -> Report a product error (on the right side under "Need technical assistance?")
  In the meanwhile you can also search for a solution in the SAP notes in the same place but go to the link above "Search for SAP Notes and SAP Knowledge Base Articles.
  Best regards,
  Donka Dimitrova

• BizTalk ESB tool kit 2.2 Configuration Issue File/SSO

  Hi,
  I m trying to configure BizTalk ESB tool kit 2.2.
  In the configuration we have File Counfiguration source or SSO Configuration source. As per the below blog 
  MSDN ESB Tool Kit Configuration
  If you are installing and configuring the ESB Toolkit in a single server environment, you should
  use File Configuration Source. The SSO Configuration Provider is most commonly used for multiple machine deployments.
  1. We having the BizTalk VM and SQL Server as a Remote machine, in our case do we need to go with the File or SSO configuration.
  2. What is the use of the Configuration (File and SSO COnfiguration)?
  3. If i go with SSO configuration i am getting below error : 
  Error:   Exception calling "PushAllConfiguration" with "6" argument(s): “Unrecognized element 'typeConfig'. (C:\Program Files (x86)\Microsoft BizTalk ESB Toolkit\esb.config line 151)”
  I find the error in the Microsoft blog but dont know how to change the TypeConfig:( 
  Please let me know which configuration i need to select and resolution for the above issue.
  Regards, Aboorva Raja R Please remember to mark the replies as answers if they help and unmark them if they provide no help.

  Hi,
  I configured SSO Configuration Source because for multi environment we need to use the same.
  Follow the instruction in the below blog and Replace the Resolver as it is in the blog. Then it will configured successfully.
  ESB ToolKit Configuration Issue Resolution
  Regards, Aboorva Raja R Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• Identity 6.0 issues passing SSO token from JSP to web service

  Hi,
  Environment: Solaris 8, SunOne IS 6.0, SP1, Sun One WebServer
  We're using a JSP (based on the samples) to pass an SSO token to a java based web-service (everthing is running locally on one server):
  The token string resulting from calling mgr.createSSOToken is different from the value examined in the browser/JSP initial cookie and is practically useless when passed to the web-services for use as an SSO token (doesn't work and IS doesn't recognize it as a valid session/token).
  Here's the code:
  >>>>>>>
  SSOTokenManager mgr = SSOTokenManager.getInstance();
  SSOToken token;
  if (request.getParameter("token") == null)
  token = mgr.createSSOToken(request);
  else
  token = mgr.createSSOToken(request.getParameter("token"));
  mgr.validateToken(token);
  >>>>>>>>
  What are we doing wrong?

  not resolved closed

• Cannot deploy BPEL process with SSO to BPELConsole activated

  I cannot deploy BPEL process with SSO to BPELConsole activated. Here is the error I get from JDeveloper (sorry for the french error message):
  Problème détecté lors de la connexion au serveur "ssdvoiagu.dev.local.csst.qc.ca" sur le port "7781" : java.security.AccessControlException: access denied (com.collaxa.security.DomainPermission generique read)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at com.collaxa.security.OC4JSecurityService.checkAccess(OC4JSecurityService.java:16)
  at com.collaxa.security.SecurityService.checkDomainAccess(SecurityService.java:26)
  at com.collaxa.cube.fe.util.ServletUtils.getLocatorWithoutUrlRewrite(ServletUtils.java:162)
  at deployHttpClientProcess.jspService(_deployHttpClientProcess.java:332)
  at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
  at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:462)
  at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:594)
  at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:518)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
  at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
  at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
  at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:623)
  at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
  at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
  at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
  at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
  at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
  at java.lang.Thread.run(Thread.java:595)
  Target BPEL process manager runs under SOA 10.1.3.3. When the SSO to BPELConsole is disabled, the deployment works just fine. Is there any way to make it work with SSO?

  Please check:
  http://blog.jpoot.com/category/oracle-appserver/oid-ldap/
  We had some issues with SSO and SSL but everything is running now.
  Marc

• APEX and SSO problem

  I was having issues with SSO and APEX.
  I got error in portal_sso_redirect: missing application registration information.
  we followed the APEX as partner app on how to site.
  Problem was that in SSO sdk docs, they state that if ports 80 or 442 are used, do not include the in p_listener_token - so we followed that.
  Looking through forums I tried rerunning regapp.sql and appending the 80 port for the listener token.
  Now works.
  I hope this helps others that are banging their heads against a wall trying to solve this.
  These forums are a fabulous resource.
  Peter

  I've just created a new instance on the same server, installed Apex 3.2, created a single page test app, used Application Express as Partner Application as SSO authorisation scheme, accessed the app's url and exactly the same thing happens... I just get a 404 page where the URL http://OID_HOST:port/sso/auth
  I must be overlooking something somewhere but as far as I know, I've followed all the guidance and have created this based on previous installs.
  Again, any help would be greatly appreciated!
  Thanks.

• SSO from non-SAP J2EE to NW04 ABAP WebService

  Hello,
  I currently have issues establishing SSO from a J2EE (which is NOT a NetWeaver system) server to a WebService that resides on a AS ABAP 6.40. When I look over the options I see no obvious SSO solution. I cannot be the only one in this situation. Which solution have you managed to implement.
  I must stress that username/password is not a solution.
  Withouth really understanding the different scenarios, I would prefer to make som sort of trust relation. And then just let the calling application supply the username in a header variable
  Best regards,
  Thomas Mouritsen

  >
  Thomas Mouritsen wrote:
  > Hello,
  >
  > I currently have issues establishing SSO from a J2EE (which is NOT a NetWeaver system) server to a WebService that resides on a AS ABAP 6.40. When I look over the options I see no obvious SSO solution. I cannot be the only one in this situation. Which solution have you managed to implement.
  >
  > I must stress that username/password is not a solution.
  >
  > Withouth really understanding the different scenarios, I would prefer to make som sort of trust relation. And then just let the calling application supply the username in a header variable
  >
  > Best regards,
  > Thomas Mouritsen
  Well, the best solution would be using message-based authentication (WS-Security) - either "X.509 Token" (digitally signed message) or "SAML (1.1) Token". Unfortenately you are using an older ABAP system where this feature is not available.
  Especially regarding Web Services it is definetly worth to consider upgrading to NWAS 7.0 Enhancement Pack 1 (or at least: NWAS 7.0 with SP14 or higher).
  But it also depends on the capabilities of "your" J2EE server. Does it support WS-Security and SAML Tokens? Can it servce as SAML Source Site?
  Transport-level security (e.g. SSL with X.509 client certificates) will not help in your scenario (system-to-system calls). It would only be an option if the WS Consumer is an User Agent (-> SSL client represents a single user); only then X.509 client certificates can be used for SSO.
  Best regards, Wolfgang

• SSO UIDPW not working for external Popup Window but works with SAPLOGONTICK

  Dear Experts,
  I have an issue with SSO user mapping (UIDPW), but the same scenario is working with SAPLOGONTICKET.
  Some list gets displayed in the Web Dynpro ABAP iView which has the hyperlinks where on click on the hyper link it opens a external popup window (another Web Dynpro Application) and display the summary some data.
  This scenario works when I set the logon method to SAPLOGONTICKET, but when I set it as UIDPW it won't work when a new window opens on click on the hyperlink from Web Dynpro iView as stated above. It asks to login to R/3 system.
  Can anyone please let me know what could be the reason it fails in External Popup window scenario when logon method as UIDPW.
  Thanks
  Murthy

  Hi Murthy,
  You can use application integrator iView to integrate your ABAP application into the portal and you'll be able to pass the variables <MappedUser>, <MappedPassword>, etc. assuming you know about the security risks in passing mapped info.
  http://help.sap.com/erp2005_ehp_05/helpdata/en/36/5e3842134bad04e10000000a1550b0/frameset.htm
  Still, your ABAPers might need to handle the passed in variables in the first ABAP application and pass them onto the second one.  Again, without knowing how you navigate between the 2 apps and other details about your system landscape, versions, etc. this remains as a guess.  If you search SDN, you'll find many different solutions then you can choose one which is most suitable for your situation.
  Regards,
  Dao

• SSO and JavaScript

  Hi all,
  does any one of you know about any restriction or any other issue involving SSO and JavaScript?
  We have a web app in an OC4J instance, which uses JSP and JavaScript.
  When SSO is disabled for the application, everything goes well. But when SSO is active, the page loads a lot slower, and the IE browser always shows the error icon when any component tries to execute Javascript.
  Any ideas about this issue?
  Oracle AS 10g (9.4.1)
  Win 2000 SP4
  IE 6.0 SP1
  Thanks a Lot in advance.
  Have a nice day.
  Jaime

  It is simpler to do from server side as follows. Place below line
  inside Page_Load event of any portal component:
     Write(this.Request.Cookies.Get("MYSAPSSO2").Value);

• Sso and sso2 functionlity test

  Hello All,
  I have one issue with sso and sso2 functionlity test.
  How can be sure about sso and sso2 is working fine for any system.
  Could you provide some test to insure sso and sso2 functionlity
  Thanks in advance
  Atul jain

  Hi Atul,
  SNC is a technology on which sso2 & sso is based.For configuring SNC follow the following link:
  http://help.sap.com/saphelp_nw04/helpdata/en/c3/d2281db19ec347a2365fba6ab3b22b/content.htm
  If one wants to enable sso with logon tickets sso2 should be used.Plz go through the following link for SSO2.
  https://help.sap.com/saphelp_nw04/helpdata/en/14/252f4069702d22e10000000a1550b0/frameset.htm
  For SSO to work,one needs to ensure that all the SNC parameters are maintained correctly in the Instance profile.
  Regards,
  Abhishek
  If you have any queries Plz revert back.

• Different ways to establish SSO between Portal and ADP

  Hi,
  We are implementing payroll with the help of ADP.
  Please let me know different ways of establishing SSO between portal  and ADP
  Thanks
  Bala Duvvuri

  You may a few issues. SSO with logon tickets is based on accessing web sites in the same domain. So, if the portal is on http://ourportal.company.com, then the web site being accessed needs to have a URL like http://adphosted.company.com. Is the ADP system accessible by a DNS alias that is within company.com? If so, you're OK. If not, then there will be problems.
  The other SSO method is user mapping, but the security implications are not good...

• Unable to configure SSO in Oracle11g

  Hi,
  I have tried to install and Configure SSO in Windows 2008 R2 server (64bit). I am facing issue with SSO Metadata repository installaion, please helpful on that.
  Steps I did
  1. Installed Oracle 11g R2
  2. Installed Oracle WebLogic Server (10.3.3)
  3. Run the RCU to create repository for IDM and SOA Suite
  4. Installed SOA Suite 11g (11.1.1.2.0 && 11.1.1.3.0)
  5. Installed Oracle Identity Management (11.1.1.2.0 && 11.1.1.3.0)
  6. Configured Oracle Identity management
  When i run the SSO Metadata Repository Creation Assistant (10.1.4.3.1), it is completing without any installatin progress. Also i didn't 64bit version in downloads.
  Please help me to resolve the SSO configuration issue.

  Which SSO you are trying to add ?
  1. Is this Microsoft SSO i.e. Kerberos ?
  2. Oracle 10g SSO a.k.a OSSO ?
  3. Oracle Access Manager SSO
  Looking at installer "SSO Metadata Repository Creation Assistant (10.1.4.3)" it looks like you are trying to use 10g OSSO , is there any reason for using this ?
  10g SSO is mergning to 11g OAM SSO so 11g OAM SSO is one you should use if this is new implementation.
  For 10g SSO what error message you are hitting ? Which document you are following ?

• Setting up web Bex in BWsystem:error com.sap.mw.jco.JCO$Exception:Issuer of

  Dear SAP Gurus,
  I'm facing an error when seting up web Bex in BW system which is based on AS java patch 14 when i run Diagnostics & Support Desk Tool as described in Note 937697  there is only one red signal which is BI Mastersystem
  the error is
  RFC connection using properties in Portal System Landscape to ABAP backend has failed. Reason:
  com.sap.mw.jco.JCO$Exception:Issuer of SSO ticket is not authorized
  thanks in advance
  Rgds
  George Varghese

  thanks Deepika ,unfortunately I posted this a Long back ,time limit was very less ,we were not in a situation to do more R&D on that,it will be a Waste of time ,what I did is that I uninstall ed SAP and installed again with latest available Patches and we were succeed
  thanks
  George Varghese

• Problem SSO between VPN and NAC

  Hello
  Description of our problem : SSO doesn't work
  -on the first connexion from vpn client we insert two time the login and password :one time for the client vpn and the seconde time for CAA (clean Access agent).
  -although for the other connexion that succeed, we insert only one time the login and password (for vpn only) and for CAA the connexion is done automatiquely and a some hours later we reinsert two times login and password for vpn and CAA.
  The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
  Step 1 Add Default Login Page =ok
  Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
  Step 3 Enable L3 Support on the CAS = ok
  Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
  Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
  Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
  Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
  Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
  Step 9 Add VPN Concentrator as a Floating Device =ok
  Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
  the database for vpn authentication is cisco secure acs(192.168.1.30).
  Tanks to any anybody to give us a possible solution.
  FILALI Saad
  Ares Maroc

  Hi
  I have just gone the the same issues with SSO VPN with my CAS in real-ip mode.
  First thing to consider, when your testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.
  1. Make sure you have a fully functional DNS system on the inside network, I didnt realize how important it was to have forward and reverse look ups for your CAS and CAM. Make sure that all CAS and cams are listed in dns with correct domain names.
  This in very important if your running your own CA certificates on cas and cam. Make sure that the CAM and CAS can resolve each other via dns. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they cant perform dns look ups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldnt resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.
  2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.
  3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users, has been setup with the radius accounting being directed the INSIDE interface IP address of your CAS, (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the cas to check) if your running in VGW mode then you only have 1 ip address to direct it to anyway.
  Follow from step 15 in following link
  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
  3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my vpn user and pass, that the ASA authenticates the vpn user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you dont see this radius accounting message hit the CAS interface go back to my step 3 and resolve.
  4. Finally check that you have not mistyped a shared secret somwhere, ie between CAM and ACS, Between ASA and ACS, Between ASA and CAS. I had all my users authenticate though radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.
  Try these things first.
  Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
  You may find it useful too.
  Dale