This blog post is the seventh part of a tutorial series. For a better understanding of the concepts and technologies, it is highly recommended that you read part IV first, and then come back here again. Part IV introduces the Microsoft Power Platform with some of its key components that you will use in this part of the tutorial series as well, such as the On-Premises Data Gateway (OPDG), Power Automate, and Connectors. Since there is no "one-size-fits-all" approach for integration scenarios between Microsoft's and SAP's platforms using principal propagation, this series starts with part I explaining the technology standards for principal propagation in the context of calling a simple Web Service on SAP Business Technology Platform (BTP) on behalf of the authenticated user (or principal) from Azure Active Directory (Azure AD). Parts II, III, IV and V extend this scenario step by step by adding on-premise connectivity, Microsoft Teams integration, and API management to it. I do recommend reading these parts as well to get an understanding of the different scenarios and recommended options to implement them. Part VI looks at the reverse direction for propagating the principal from SAP Cloud Identity Services to Azure in the context of calling the Microsoft Graph API from a BTP application. This part takes an in-depth look at principal propagation for an application built with the Microsoft Power Platform making a Remote Function Call (RFC) to an SAP system on-premise using a Business Application Programming Interface (BAPI) to search a product catalogue. Check out episode 142 of the SAP on Azure video podcast series for a live demo of this scenario.
TGT) with an authentication service request (AS_REQ) message (1) from the Authentication Service (AS) of the KDC. The user authenticates at the AS by encrypting this message with her secret key KC that is created by hashing the user's password stored in the KDC's account directory. Upon successful decryption, the KDC constructs the TGT for the user and returns it to the client with an AS_REP (2) message. The TGT is encrypted with the KDC's secret key KK and is a special type of Kerberos ticket that can only be used by the client to obtain other tickets from the KDC.

TGS_REQ) message (3). The service for which the ST is requested is identified by its Service Principal Name (SPN). SPNs uniquely identify an instance of a service and are registered on a user or computer account in the KDC's account directory by setting the servicePrincipalName attribute of the object. The KDC returns the ST for the service encrypted with the service key KS to the client with a ticket-granting service response (TGS_REP) message (4).

AP_REQ) message requesting access to the service (5). The server can validate the ticket by decrypting it with its service key KS, where it finds the user's unique name (cname). Optionally, the client might request that the server verify its own identity by sending back an application server response (AP_REP) message (6).

BAPI_EPM_PRODUCT_GET_DETAIL Business Application Programming Interface (BAPI) of the EPM demo application.

Figure 3: Application components

HTTP 401 Unauthorized response.

aud(ience), the trusted iss(uer) who constructed the token (Azure AD tenant), and the validity of the exp(iration) of the token, before the User Principal Name (UPN) is extracted from it and sent to the OPDG.

msDS-cloudExtensionAttribute1 in this scenario. This lab setup requires user mapping because the user's UPN suffix in Azure AD (e.g. jdavis@bestruncorp.onmicrosoft.com) is different from her suffix in the corporate AD (e.g. jdavis@corp.bestrun.com). As specified by the S4U2self extension, OPDG creates the PA_FOR_USER data structure with the mapped user name and sends it with a TGS_REQ message to AD DS.

TGT sent with the TGS_REQ message to create the OPDG service ticket and returns the service ticket for the user in the TGS_REP message.

TGS_REQ message with the user's service ticket for OPDG obtained in the previous step as an additional-ticket in the request.

forwardable flag is set in the OPDG's service ticket found in the additional-ticket and uses its local policy to determine if OPDG is allowed to obtain a service ticket on behalf of a user to the SAP system. If these conditions are met, the TGS crafts the TGS_REP message to return the user's service ticket for the SAP system. This response contains the cname field identifying the user's UPN in AD DS that was taken from the additional-ticket.

cname to the user's SNC name (e.g. p:CN=JDAVIS@CORP.BESTRUN.COM).

System | Operating system & software |
---|---|
Active Directory Domain Controller (AD DC) | |
On-Premises Data Gateway (OPDG) Server | |
Workstation | |
SAP System | |
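To make the chain of checks described above concrete, here is an added Python model (not code from the blog, Microsoft or SAP) that walks one request from the Azure AD token through the OPDG user mapping, S4U2self and S4U2proxy at the KDC, to the SNC mapping and S_RFC check in the SAP system. The audience and issuer values, the OPDG hostname and the directory contents are constructed placeholders; token signature verification and the Kerberos cryptography are left out.

```python
"""Offline model of the propagation chain: Azure AD token -> OPDG user mapping ->
S4U2self/S4U2proxy at the KDC -> SNC mapping and S_RFC check in the SAP system.
Constructed data stands in for Azure AD, the corporate AD and the SAP tables;
token signature verification and the Kerberos cryptography are out of scope."""
from dataclasses import dataclass

def validate_token_claims(claims, now, aud="api://<placeholder-audience>",
                          iss="https://login.microsoftonline.com/<tenant-id>/v2.0"):
    """Check aud, iss and exp of the (signature-verified) token before its UPN is trusted.
    The aud/iss defaults are placeholders, not the lab tenant's real values."""
    if claims.get("aud") != aud:
        raise PermissionError("aud mismatch")
    if claims.get("iss") != iss:
        raise PermissionError("iss mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if not claims.get("upn"):
        raise PermissionError("upn claim missing")
    return claims["upn"]

# Constructed stand-in for the corporate AD, keyed by sAMAccountName.
AD_USERS = {
    "jdavis": {"userPrincipalName": "jdavis@corp.bestrun.com",
               "msDS-cloudExtensionAttribute1": "jdavis@bestruncorp.onmicrosoft.com"},
    "devuser": {"userPrincipalName": "devuser@corp.bestrun.com",
                "msDS-cloudExtensionAttribute1": "devuser@bestruncorp.onmicrosoft.com"},
}

def map_cloud_upn(cloud_upn, directory=AD_USERS, lookup="msDS-cloudExtensionAttribute1"):
    """ADUserNameLookupProperty -> ADUserNameReplacementProperty (SAMAccountName).
    Fails closed on zero hits (unknown user) and on several hits: a non-unique
    lookup attribute would make the account to impersonate ambiguous."""
    hits = [sam for sam, attrs in directory.items()
            if (attrs.get(lookup) or "").lower() == cloud_upn.lower()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} AD accounts match {cloud_upn}")
    return hits[0]

@dataclass(frozen=True)
class Ticket:
    cname: str         # principal the ticket was issued for
    sname: str         # SPN the ticket is valid for
    forwardable: bool

@dataclass(frozen=True)
class ServiceAccount:
    spn: str
    allowed_to_delegate_to: tuple  # "Trust this user for delegation to specified services only"
    protocol_transition: bool      # "Use any authentication protocol"

def s4u2self(svc, user_sam, directory=AD_USERS):
    """TGS_REQ with PA_FOR_USER: a ticket to the service itself for the mapped user.
    Simplified: the ticket is forwardable iff protocol transition is enabled."""
    if user_sam not in directory:
        raise PermissionError(f"unknown user {user_sam}")
    return Ticket(directory[user_sam]["userPrincipalName"], svc.spn, svc.protocol_transition)

def s4u2proxy(svc, additional_ticket, target_spn):
    """TGS_REQ carrying the S4U2self ticket as additional-ticket: the TGS checks the
    forwardable flag and the account's delegation list before issuing the ticket."""
    if additional_ticket.sname != svc.spn:
        raise PermissionError("additional-ticket was not issued to the requesting service")
    if not additional_ticket.forwardable:
        raise PermissionError("additional-ticket is not forwardable")
    if target_spn not in svc.allowed_to_delegate_to:
        raise PermissionError(f"{svc.spn} may not delegate to {target_spn}")
    return Ticket(additional_ticket.cname, target_spn, False)

# SAP side: SU01 SNC mapping and the S_RFC authorizations granted through PFCG roles.
SNC_MAPPING = {"p:CN=JDAVIS@CORP.BESTRUN.COM": "JDAVIS",
               "p:CN=DEVUSER@CORP.BESTRUN.COM": "DEVUSER"}
RFC_AUTH = {"JDAVIS": {"BAPI_EPM_PRODUCT_GET_DETAIL"},
            "DEVUSER": {"BAPI_EPM_PRODUCT_GET_DETAIL"}}

def snc_name(cname):
    return f"p:CN={cname.upper()}"   # SNC name the SAP system expects for the ticket's cname

def sap_rfc_call(ticket, function_module):
    """Map the ticket's cname to an SAP user and check its S_RFC authorization."""
    sap_user = SNC_MAPPING.get(snc_name(ticket.cname))
    if sap_user is None:
        raise PermissionError(f"no SNC mapping for {snc_name(ticket.cname)}")
    if function_module not in RFC_AUTH.get(sap_user, set()):
        raise PermissionError(f"No RFC authorization: {sap_user} -> {function_module}")
    return sap_user

# OPDG service account as configured in steps 41 to 46 (the hostname is constructed).
OPDG = ServiceAccount("gateway/opdg01.corp.bestrun.com", ("SAP/A4H",), True)

def propagate(claims, function_module="BAPI_EPM_PRODUCT_GET_DETAIL", now=1_700_000_000):
    """End to end: the SAP user the BAPI runs as, or an exception at the first failing hop."""
    upn = validate_token_claims(claims, now)
    sam = map_cloud_upn(upn)
    sap_ticket = s4u2proxy(OPDG, s4u2self(OPDG, sam), "SAP/A4H")
    return sap_rfc_call(sap_ticket, function_module)
```

Each hop fails closed with a distinct error, which mirrors the order in which the troubleshooting section later looks for problems (token, gateway log, Kerberos trace, ST01).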
part7 of the blog series GitHub repository with a Git client of your choice and the following commands:

```shell
git clone https://github.com/raepple/azure-scp-principal-propagation.git
cd azure-scp-principal-propagation
git checkout part7
```
Role | User accounts |
---|---|
Administrator | |
Developer | |
Application test user | |
Step | Description | Screenshot |
---|---|---|
1 | As a domain administrator, launch the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in on the Domain Controller host. Right-click on Users in your domain to open the context menu and select New → User to create the new service account for the SAP system. | |
2 | Enter Kerberos<SID> as the First name, Full name and User login name. Replace <SID> with the ID of your SAP system (e.g. "A4H"). Click Next. | |
3 | Enter the password for the new service user account. Select User cannot change password and Password never expires. Click Next. | |
4 | Click Finish. | |
5 | Start the ADSI Editor (adsiedit.msc) to maintain the Service Principal Name (SPN) of the new service account. Select CN=Users from your domain's default naming context, and right-click on the CN=Kerberos<SID> user object. From the context menu, select Properties. As an alternative to steps 5 to 8, you can also open a command line as an Administrator and enter the following command: setspn -A SAP/<SID> <domain>\Kerberos<SID> Replace <domain> with the NetBIOS name of your domain (e.g. "CORP"), and <SID> with the ID of your SAP system (e.g. "A4H"). | |
6 | Select servicePrincipalName from the list. Click Edit. | |
7 | Enter the Service Principal Name (SPN) for the SAP service account in the format "SAP/<SID>". Replace <SID> with the ID of your SAP system (e.g. "A4H"). Click Add. | |
8 | Click OK. | |
9 | Go back to the Active Directory Users and Computers MMC snap-in and select the new SAP service account Kerberos<SID> from the Users list. Right-click on it and select Properties from the context menu. | |
10 | Switch to the Account tab. Under Account options, activate the checkbox for This account supports Kerberos AES 256 bit encryption. Click OK. | |
11 | Login to the domain on the workstation host with your application test user (e.g. CORP\jdavis). | |
12 | Start SAP GUI and login as the SAP administrator. Run transaction SNCWIZARD to start the SNC Configuration wizard. | |
13 | If you see the error message "DEFAULT profile in the DB and in the file system are different" then run transaction RZ10 first, and select Utilities → Import Profiles → Of active servers, and return to the SNCWIZARD. On the Start page of the SNC Configuration wizard, click Continue. | |
14 | Accept the default value for system's SNC Identity and click Continue. | |
15 | Click Continue. | |
16 | Click Close. | |
17 | Log off from the SAP system to restart the application server. | |
18 | As SAP system user <SID>adm, use the commands sapcontrol -nr <instance_number> -function Stop and sapcontrol -nr <instance_number> -function Start to restart the application server. Replace <instance_number> with the number of your application service instance, e.g. "00". | |
19 | After the restart of the application server, log on to SAP GUI and run transaction SNCWIZARD again. | |
20 | On the Start screen, click Continue. | |
21 | Click Continue. | |
22 | In the SPNEGO Configuration, click Display/Change to switch into edit mode. | |
23 | Click Add to configure a new Kerberos User Principal. | |
24 | Enter the following values: User Principal Name: Kerberos<SID>@<full-qualified name of your Active Directory Domain in uppercase letters, e.g. "CORP.BESTRUN.COM"> Password: <The password you specified in step 3> Confirm Password: <The password you specified in step 3> | |
25 | Click Exit. Click Save to store the updated SPNEGO Configuration. | |
26 | Click Skip on the X.509 Credentials wizard step. | |
27 | Click Complete to finalize the wizard. | |
28 | Open the SAP Secure Login Client and right-click on the Kerberos Token from the Profiles list. Select Copy SNC name to clipboard from the context menu. | |
29 | Go back to SAP GUI and run transaction SU01 to maintain the application user's SNC mapping. Enter the application test user's ID (e.g. JDAVIS) in the User field and click Change. | |
30 | Switch to the tab SNC. Maintain the user's SNC name by pasting the value you copied in step 28 from the clipboard (e.g. p:CN=JDAVIS@CORP.BESTRUN.COM). Click Save. | |
31 | Repeat the last two steps for maintaining the SNC mapping for the developer's user account. Enter the developer user's ID (e.g. DEVUSER) in the User field and click Change. | |
32 | Switch to the tab SNC. Maintain the developer user's SNC name (e.g. p:CN=DEVUSER@CORP.BESTRUN.COM). Click Save. | |
33 | Log off as the administrator from SAP GUI. | |
34 | Right-click on the SAP system connection and select Properties... from the menu. | |
35 | Switch to the Network tab. Activate the checkbox Activate Secure Network Communication. In the SNC Name field, enter the SAP system's SNC Identity from step 12. Click Finish. | |
36 | Right-click on the system's connection and select SNC Logon with Single Sign-On to test the new SNC setup. | |
37 | You should be single signed-on as user JDAVIS to the SAP system. Click Log off (or select System → Log off from the menu) to log out as user JDAVIS. |
Step | Description | Screenshot |
---|---|---|
38 | On the Domain Controller host, go back to the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Right-click on Users in your domain and select New → User from the context menu. Enter "GatewaySvc" as the First name, Full name and User login name. Click Next. | |
39 | Enter the password for the OPDG domain service account. Select User cannot change password and Password never expires. Click Next. | |
40 | Click Finish. | |
41 | As the domain administrator, run the following command to create an SPN for the new service account, which is required to configure the Kerberos delegation in the next step: setspn -S gateway/<OPDG hostname> <domain>\GatewaySvc Replace <OPDG hostname> with the hostname of your OPDG system. You can find out the name by entering the command hostname. | |
42 | Right-click on the new service account and select Properties from the context menu. | |
43 | Switch to the Delegation tab. Select Trust this user for delegation to specified services only and Use any authentication protocol. Click Add. | |
44 | Click Users or Computers. | |
45 | Enter "Kerberos<SID>" in the object names field. Replace <SID> with your SAP system's ID, e.g. "A4H". Click Check Names to resolve it to the full existent name. Click OK. | |
46 | The list of allowed services now contains the value from the SPN (Service Type / Computer) of the SAP system. The new OPDG service account can request a service ticket only for the SAP system on-behalf-of the propagated user with the Kerberos S4U2proxy protocol extension. Click Select All. | |
47 | Click OK. | |
48 | Click OK. | |
49 | The OPDG service account must be granted two user rights in the local security policy of the OPDG host. Perform this configuration with the Local Group Policy Editor by running gpedit.msc from an Administrator command prompt. | |
50 | Go to Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment. Grant the OPDG domain service account (e.g. "CORP\GatewaySvc") the local policy Act as part of the operating system by double-clicking on it. Click Add User or Group. | |
51 | Enter the name of your OPDG's domain service account (e.g. "GatewaySvc") and click Check Names to resolve it to the full existent name. Click OK. The service account's domain name (e.g. "CORP\GatewaySvc") is now added to the policy's user list. Click OK to apply the new configuration. | |
52 | Repeat the same step for the Impersonate a client after authentication policy by double-clicking on it. Click Add User or Group and resolve the OPDG's service account to the full existent name with Check Names. Click OK. | |
53 | The service account's name (e.g. "CORP\GatewaySvc") is now added to the policy's user list. Click OK. Close the Local Group Policy Editor. | |
54 | Start the OPDG app from the desktop link on the gateway host, or by running C:\Program Files\On-premises data gateway\EnterpriseGatewayConfigurator.exe. Click Sign in to log in as the Power Platform System administrator user who registered the OPDG in the environment. | |
55 | Select Service Settings from the configurator's menu. Click Change account. | |
56 | Click Apply and Restart. | |
57 | Enter your OPDG's service account name (e.g. "CORP\GatewaySvc") and password from step 34. Click Configure. | |
58 | Provide your Power Platform System administrator sign-in account, by clicking on Sign in. | |
59 | Choose Migrate, restore or takeover an existing gateway to restore your gateway registration. | |
60 | Select your gateway cluster and instance from the drop-down boxes and provide the recovery key you've chosen during the initial registration. Click Configure. | |
61 | After the restoration is complete, your OPDG service instance uses the domain service account (e.g. "CORP\GatewaySvc"). | |
62 | Add the OPDG service account to the Windows Authorization and Access Group. This is required because the user accounts that the gateway will impersonate are in Azure AD and thus not in the same domain as the OPDG service account. On the Domain Controller host, go back to the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Select the Builtin folder for your domain and double-click on the Windows Authorization and Access Group security group. | |
63 | Switch to the Members tab of the security group. Click Add. | |
64 | Enter the name of your OPDG's domain service account (e.g. "GatewaySvc") and click Check Names to resolve it to the full existent SPN. Click OK. | |
65 | The OPDG service account is now added to the policy's user list. Click OK to apply the new configuration. |
Step | Description | Screenshot |
---|---|---|
66 | Download the latest version of the SAP Cryptographic Library from the SAP Support Portal's Software Download (S-User required), and copy the library file (sapcrypto.dll) to the OPDG's installation directory on the gateway host (C:\Program Files\On-premises data gateway). Right-click on the sapcrypto.dll file and select Properties from the context menu. | |
67 | Switch to the Details tab to check the version of the library. It should be 8.5.25 or newer. Click OK. | |
68 | Create a new text file sapcrypto.ini in the OPDG installation directory with the following content: ccl/snc/enable_kerberos_in_client_role = 1 Save the file. | |
69 | Grant read and execute permissions on both the sapcrypto.ini and sapcrypto.dll files to the gateway service user account and the AD user(s) that the service user impersonates. Right-click on the files and select Properties from the context menu. Switch to the Security tab. Check that the groups Domain Users and Authenticated Users are in the list. Click OK. | |
70 | Create a CCL_PROFILE system environment variable and set its value to the path of the sapcrypto.ini configuration file. On the gateway host, launch the Control Panel and navigate to System and Security → System. Click Advanced system settings. | |
71 | Click Environment Variables. | |
72 | Under System variables, click New. | |
73 | Enter CCL_PROFILE as the variable name. For the variable value, enter the full path to your sapcrypto.ini file, e.g. C:\Program Files\On-premises data gateway\sapcrypto.ini Click OK. | |
74 | Click OK. |
msDS-cloudExtensionAttribute1 of the local AD user to store the Azure AD UPN. Any other unused Active Directory attribute can be used as well.

msDS-cloudExtensionAttribute1 attribute of the local AD domain user account jdavis@corp.bestrun.com to the user's Azure AD UPN jdavis@bestruncorp.onmicrosoft.com for linking his two accounts. The same applies to the application development user devuser, who requires a mapping from devuser@corp.bestrun.com to devuser@bestruncorp.onmicrosoft.com.

Step | Description | Screenshot |
---|---|---|
75 | On the gateway host, open the file Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config in the OPDG installation folder (C:\Program Files\On-premises data gateway ) in an editor. | |
76 | Search for the setting ADUserNameReplacementProperty and set its value to SAMAccountName. | |
77 | Search for the setting ADUserNameLookupProperty and set it to the value msDS-cloudExtensionAttribute1. Save the changes in the file. | |
78 | Click Restart now from the OPDG's configurator Service Settings tab to apply the changes. | |
79 | On the Domain Controller host, click Start, and select Windows Administrative Tools → ADSI Edit from the menu. In the ADSI Editor, navigate in the left-side object tree to CN=Users under the domain's Default naming context. Right-click on the test user's object (e.g. CN=Jack Davis) and select Properties from the context menu. | |
80 | Select the attribute msDS-cloudExtensionAttribute1 from the list and click Edit. | |
81 | Enter the test user's Azure AD UPN (e.g. jdavis@<domainname>.onmicrosoft.com) in the Value field. Replace <domainname> with your Azure AD tenant's domain name, e.g. bestruncorp. Click OK. | |
82 | Repeat steps 79 to 81 for the developer user object (e.g. CN=Developer User) and map it to the user's Azure AD UPN (e.g. devuser@<domainname>.onmicrosoft.com) via the msDS-cloudExtensionAttribute1 attribute. Click OK and close the ADSI Editor. |
BAPI_EPM_PRODUCT_GET_DETAIL BAPI to search the product catalog with the Power App.

Step | Description | Screenshot |
---|---|---|
83 | Go back to SAP GUI and log in as the administrator user. Start transaction PFCG to define a new role for the application users in this scenario. | |
84 | Enter PRODUCT_SEARCH_BAPI in the Role field. Click Single Role. | |
85 | Click Save. | |
86 | Switch to the Authorization tab. Click the pencil button to edit the new role's authorization data. | |
87 | Click Do not select templates. | |
88 | Click Manually. | |
89 | Enter S_RFC for the Authorization Object in the first row. Click OK. | |
90 | Click the pencil button to edit the authorization checks for field RFC_NAME. | |
91 | Enter the following values in the Value Intrvl table's 'From' column:
Click Save. | |
92 | Click the pencil button to edit the authorization checks for field Activity (ACTVT). | |
93 | Select Execute from the list. Click Save. | |
94 | Click the pencil button to edit the authorization checks for field RFC_TYPE. | |
95 | Select FUNC (Function Module) from the list. Click Save. | |
96 | Click Save to save the application user role. | |
97 | Click Generate. | |
98 | Click Exit. | |
99 | Switch to the User tab. Enter your application test user's ID (e.g. JDAVIS) in the first row of the User Assignment table. Click Save. | |
100 | Click User Comparison. | |
101 | Click Full Comparison, then Close the dialog window. | |
102 | Click Exit. | |
103 | Next, create the role for the application developer. Enter PRODUCT_SEARCH_DEVELOPER in the Role field. Click Single Role. | |
104 | Repeat steps 85 to 90 for the new role. Enter the following values in the Value Intrvl table's 'From' column:
Click Save. Continue by repeating steps 92 to 98 for the application developer role. | |
105 | Switch to the User tab. Enter your application test user's ID (e.g. DEVUSER) in the first row of the User Assignment table. Click Save. | |
106 | Click User Comparison. | |
107 | Click Full Comparison, then Close the dialog window. | |
108 | Click Exit. |
Step | Description | Screenshot |
---|---|---|
109 | Log in to Power Apps Studio at https://make.powerapps.com with your Power Platform developer user. From the top menu, select the environment to deploy the scenario components. | |
110 | Click Import solution from the top menu bar. | |
111 | Click Browse and select the file SAPProductSearchSolution.zip from the Git repository's /ProductSearchApp folder. Click Next. | |
112 | Click Next. | |
113 | Open the drop-down box and select New connection. | |
114 | In the SAP ERP Connection dialog, select Azure AD integrated as the Authentication Type. In the Choose a gateway drop-down box, select your OPDG instance for this scenario. Click Create. | |
115 | The new connection requires authentication to your Azure AD tenant. Click Fix connection. | |
116 | Sign in to your Azure AD tenant with your development user's account, for which you configured the SNC mapping in step 32 and the AD mapping in step 82, and which you assigned the PRODUCT_SEARCH_DEVELOPER role in step 105. | |
117 | Upon successful sign-in, switch back to the previous browser tab. | |
118 | Click Refresh. | |
119 | The new connection is now selected by the import solution wizard. Click Import. | |
120 | Wait for the completion of the import as indicated by the green banner. Then select the imported SAP Product Search Solution from the list. | |
121 | From the solution components, select the SAPERPSettings environment variable. This variable is used by the SAP ERP connector action in the Power Automate flow to configure the SAP system connection parameters. It is in JSON format. | |
122 | Click New value to overwrite the default value. | |
123 | Enter the SAPERPSettings environment variable's new value according to your lab setup and the example below. You can use the default value as a template in a text editor.
Click Save. | |
124 | Select the SAP Product Search canvas app from the solution. | |
125 | The Power Apps Studio opens the SAP Product Search canvas app in edit mode. Click Allow. | |
126 | Select Power Automate from the left-side navigation menu to list the flows used by the canvas app. From the list, select the ellipsis ('…') next to the GetProductDetailsFromSAP flow. Click Refresh. | |
127 | Click Publish. | |
128 | Click Publish this version. | |
129 | You need to provide your application test user(s) access to the app. Click Share. | |
130 | Enter your application test user's name (e.g. "Jack Davis") in the search field. Click on the user account. Note: Instead of configuring single users, you can also type "Everyone" in the search field and share the app with "Everyone in <tenant org>". | |
131 | Deactivate the checkbox Send an email invitation to the user. Click Share. | |
132 | Close the Share dialog box. | |
133 | Click the Copy link to clipboard icon next to the app's Web link. | |
134 | Since the SAP Product Search app uses the SAP ERP Connector, which is a Premium tier connector, the application test user requires a Power Apps license to use this app. In a new browser tab, open the Microsoft 365 admin center at https://admin.microsoft.com/ and log in as your Power Platform administrator. Select Billing → Licenses from the left-side navigation menu. Click Microsoft Power App Plan 2 Trial. | |
135 | Click Assign licenses. In the search box, enter your application test user's name and select the user's account from the list. Click Assign. You can now log out from the Microsoft 365 admin center. | |
136 | Similar to the canvas app, it is also required to set the user's permission to access the OPDG instance. Go to the Power Platform admin center at https://admin.powerplatform.microsoft.com and login as your Power Platform admin user. Select Data (Preview) from the left-side navigation menu and switch to the On-premises data gateway tab. For the OPDG instance in your scenario, select the ellipsis ('…'). From the context menu, select Manage users. | |
137 | In the search field, start entering your application test user's name. Select the user's account from the list to add it. | |
138 | Click Share. |
Step | Description | Screenshot |
---|---|---|
139 | Login to the domain on the workstation host with your application test user (e.g. CORP\jdavis). | |
140 | Open a web browser and paste the URL copied in step 133 into the address field. | |
141 | Since you have synchronized your AD users with Azure AD Connect, you are single signed-on with the application test user to your Azure AD tenant and the app is loaded. | |
142 | The SAP ERP connector requires a connection on-behalf-of the authenticated user. Click Allow to give consent to the requested permission to use this connection. | |
143 | Enter a product ID from the catalog in the entry field, e.g. AR-FB-1000. Click Search. | |
144 | The app triggers the flow which calls the SAP system on-behalf-of the Azure AD-authenticated user. The SAP ERP connector obtains a Kerberos ticket from Active Directory for the user found in the msDS-cloudExtensionAttribute1 attribute. Upon receiving the Kerberos ticket with the BAPI call, the SAP system is able to map the AD user via the SNC mapping to a local user in the system, for whom it checks the proper authorizations to invoke the BAPI. Finally, the response with the product details is returned to the Power Automate flow, which parses the response and sends the price information back to the canvas app. |
Step | Description | Screenshot |
---|---|---|
145 | Start a Windows PowerShell as an administrator. Install the necessary modules using the following commands: Install-Module -Name Microsoft.PowerApps.Administration.PowerShell and Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber Confirm the questions with "Y". | |
146 | Provide your Power Platform administrator credentials using the following command: Add-PowerAppsAccount | |
147 | The command opens the prompt to collect your Power Platform administrator credentials. | |
148 | Run the Power Apps cmdlet Get-AdminPowerAppEnvironment and copy the value for your scenario's EnvironmentName to a temporary textfile. | |
149 | Run the Power Apps cmdlet Get-AdminPowerApp -EnvironmentName <value from step 148> with the value obtained in the previous step. Copy the value for your app's AppName to the temporary textfile. | |
150 | With the two values for EnvironmentName and AppName run the command: Set-AdminPowerAppApisToBypassConsent -EnvironmentName <value from step 148> -AppName <value from step 149> This command changes the bypassConsent flag of the SAP Product Search app to true. |
```json
{
  "MessageServerHost": "<SAP Message Server address or hostname, e.g. 23.123.153.183>",
  "Client": "<your client ID, e.g. 001>",
  "LogonType": "Group",
  "MessageServerService": "<The service name or port number that the Message Server is listening under for load balancing requests, e.g. 3601>",
  "SncLibraryPath": "C:\\Program Files\\On-premises data gateway\\sapcrypto.dll",
  "SncPartnerName": "<SAP system's SNC name, e.g. 'p:CN=A4H'>",
  "SncQOP": "Default",
  "SncSso": "On",
  "SystemID": "<SAP system's ID, e.g. A4H>",
  "UseSnc": "true"
}
```
SMMS (Message Service Monitor) to find the correct value for parameter MessageServerService:

```json
{
  "MessageServerHost": "20.123.153.183",
  "Client": "001",
  "LogonType": "Group",
  "MessageServerService": "3601",
  "SncLibraryPath": "C:\\Program Files\\On-premises data gateway\\sapcrypto.dll",
  "SncPartnerName": "p:CN=A4H",
  "SncQOP": "Default",
  "SncSso": "On",
  "SystemID": "A4H",
  "UseSnc": "true"
}
```
/usr/sap/<SID>/<INST>/exe, and create a new text file named sectrace.ini with the following content:

```ini
LEVEL=4
DIRECTORY=<new-or-empty-subfolder>
```

DIRECTORY must be set to a valid folder name for the respective platform. It must be the subfolder of an existing one, and should be placed on a local drive. If DIRECTORY doesn't exist, it will be created. As an example, DIRECTORY can be set on a Linux system to /usr/sap/<SID>/<INST>/sectrace.

sec-disp+work-<nnnnnn>.trc by the SAP GUI login of the application test user in step 37:

sapcrypto.ini (see step 68) and add the following two lines to it:

```ini
ccl/trace/level=4
ccl/trace/directory=C:\snctrc
```

ccl/trace/directory profile parameter.

sectrace.ini and/or the configuration profile parameters from sapcrypto.ini once the troubleshooting activities are completed.

Launch Wireshark. Select the network interface(s), e.g. Ethernet, to capture traffic for, and click on Start capturing packets. | |
Run the application scenario (steps 139 to 144). | |
Enter "kerberos" in the display filter field and press Enter. In the captured messages filtered for the Kerberos protocol, look for any error messages. The screenshot shows the TGS_REQ message (figure 2, step 12) with the user's service ticket for OPDG obtained in the previous step as an additional-ticket in the request. |
ODGLogs folder on your Windows desktop. Look for the most recent GatewayErrors* file in the archive. The following screenshot shows the log file with an error message that the SAP Cryptographic Library could not be found in the OPDG installation directory:

If you see this ... | ... try this: |
---|---|
When signing on to the Power app, the error message PowerPINotAuthorizedException is shown: | Go to Power Platform admin center at https://admin.powerplatform.microsoft.com and login as your Power Platform admin user. Select Data (Preview) from the left-side navigation menu and switch to the On-premises data gateway tab. For the OPDG instance in your scenario, select the ellipsis ('…'). From the context menu, select Manage users. Check if the user you signed-on to the app is in the list of users assigned to the Connection Creator role of the gateway and that the SAP ERP Connection type is activated. |
When executing the search, a No RFC authorization error message is shown: | An error in the app indicating an RFC authorization issue can be fixed by checking the correct role design (steps 83ff) and the assignment to the user (step 99). To troubleshoot authorization problems of the propagated principal in the backend, start a system trace as the SAP admin with transaction ST01 as shown in the screenshot below. Select Authorization checks from the Trace Components and click Trace on. Re-run the scenario and click Trace off, then Analysis. On the next screen, enter "*" for the user name and click Start Reporting (F8): The orange-colored lines in the report show failed authorization checks due to missing permissions of the user in the system. |
GatewayTimeout caused by SAP system connection timeout with the message "partner '<IP address of SAP system>:48<instance number>' not reached" | Make sure that port 48<instance number> (e.g. 4800) on the SAP system can be reached from the OPDG. In case you deployed a CAL instance on Azure, check the Network security group (NSG) settings on the subnet and network interface level for corresponding rules to allow network traffic over this port as shown in the following screenshot: |