Hi Frane,

first of all - thanks. We tested this scheme with SLL on BW and it works. I mean BO still can run reports.

But anyway - how can we configure our BW parameters now for using SSO based on Kerberos token?

SL Library guide tells to use some specific snc/identity/as and we use this p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU.

We have user KerberosSSO to provide SSO on all our systems with servicePrincipalNames

SAP/KerberosSSO

SAP/KerberosSSO@OAO.SNG

And we have user qasbo under which we run BO.

What else we need to modify to provide SSO for BW without breaking server-side trust BO/BW?

Thanks in advance

wbr

Stanislav

Hi Stanislav,

good to hear it works 🙂

The only thing left is to konfigure the Kerberos keyTab in Secure Login Library.

If not created, please create (on AS ABAP - BW) the Security Token Container (PSE.ZIP) with the command (OS) snc crtpse -x <password for the Security Token Container>

The next step is to create the keyTab for the servicePrincipalName SAP/KerberosSSO@OAO.SNG

Please use the following command to create keyTab snc crtkeytab -s SAP/KerberosSSOOAO.SNG -p <password of your Service Account KerberosSSO>

Please keep in mind you have created Service Account KerberosSSO and create a servicePrincipalName for this account SAP/KerberosSSO@OAO.SNG

I assume you have done this 🙂

If not done please install Secure Login Client on the client OS and configure SAP GUI SNC for Kerberos connection (SNC Name = p:CN=SAP/KerberosSSO@OAO.SNG).

Last isue is to configure SNC Name User Mapping in AS ABAP --> SU01.

please configure here the Kerberos User Name (e.g. p:CN=MicrosoftUser@OAO.SNG).

--> For correct Kerberos User Name you can check the name displayed in Secure Login Client 🙂

Further details are described in the Secure Login Library manual.

Cheers,

Frane

Hi Frane,

we installed SAP NW SSO on like 8 systems, so all the steps you described of course we did them.

But here is the problem. We created Kerberos keytab for servicePrincipalName=SAP/KerberosSSOatOAO.SNG

and you intend to use same SNC Name in SAP GUI SNC, but in profile we still got distinguished name:

p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU

and I think that's why we have error with this text:

GSS-API(maj): No credentials were supplied

Unable to establish the security context

target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"

So that's and was a question. Do we need to modify our profile parameter (maybe we should write SAP/KerberosSSOatOAO.SNG in X.509 format there and then remake all the trust connection between BO/BW)? Or do we need to add servicePrincipalNames to our Active Directory service user?

Thanks in advance,

wbr

Stanislav

Hi Stanislav,

yes if you want to use the Kerberos technology for SAP GUI to AS ABAP System, you need to configure the Kerberos SNC name of ther desired AS ABAP system in SAP GUI configuration.

Best regards,

Frane

Hello Frane.

As I said we configured SAP NW SSO already. Including SAP GUI SNC.

But when we started configuring SSO in BW system, we faced with the fact that some of the profile parameters that we need to change, have been used. Including snc/identity/as. So now we have SAP GUI SNC=p:CN=SAP/KerberosSSO@OAO.SNG as you wrote above, but in our BW profile we still have snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU (this needed for BO) and upon entering to the system error occurs

GSS-API(maj): No credentials were supplied

Unable to establish the security context

target="p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU"

wbr,

Stanislav

Hi Stanislav,

are you able to create a support ticket (verify your configuration in complete)?

From my point of view we should verify your configuration.

Here some further hints (to be checked):

- The error message was provided by (SAP GUI / ASW ABAP trace)?

- At Secure Login Client, are you using X.509 certificates in parallel?

  Maybe try to choose right-click on Kerberos profile (maybe an existing X.509 will be used)?

- What are the versions you are using (Secure Login Client and Secure login Library).

Please provide these information to the support ticket too?

Best regards,

Frane

Hi Frane,

I opened a ticket already and your colleague (if I can say so) has sent me to the forum.

Message №371804.

What's about questions.

1)

2) Don't understand this. I can only choose 1 type of profiles for using for SAP applications. Selected Kerberos token.

3) Secure Login Client Version: 1.0 Support Package: 3

    Secure Login Library Version: 1.0 Support Package: 2

wbr,

Stanislav

Hi Stanislav,

thank you for the information. I send you an email with further questions.

Afterwards we can provide the results here in forum.

Best regards,

Frane

Hi Frane, Do we have a solution for the issue?

Thanks, but this problem was resolved. Frane was very helpfull in solving this problem, but it was beyond the forum.

He described the possibility of Secure Login Client that I did not know.

"

Another possibility is implemented in Secure Login Client 1.0 SP02 Patch 03 and higher (current version is 1.0 SP03 Patch 02).

Secure Login Client is able to “rebuild” the required SPN Name (in your example p:CN=SAP/KerberosSSO@OAO.SNG).

1. This means if the X.509 certificate SNC name is p:CN=KerberosSSO à Secure Login Client will rebuild p:CN=SAP/KerberosSSO@OAO.SNG

This works also if the X.509 certificate name is p:CN=KerberosSSO, OU=SAP Security, C=RU

Maybe this solution integration is easier for You? You can use the transaction STRUST to create a self-signed certificate.

"

Thanks again, Frane.