cancel
Showing results for 
Search instead for 
Did you mean: 

Portal gives message "SSO not activated on server"

Former Member
0 Kudos

Hi all gurus!

My struggeling with SSO continues. I found a checklist here at SDN which should be used in posting questions concerning SSO so here it is:

1. you are using fully qualified domain names in the system landscape definition and when accessing the portal;

"sto-sap-abd-01.kf.local" is used both as logon and in system landscape.

2. your certificate hasn't expired;

It will expire in 2008.

3. your backend RZ10 settings are correct (login/accept_sso2_ticket);

"login/accept_sso2_ticket" is set to "1".

"login/create_sso2_ticket" is set to "0".

4. you have uploaded the certificate to the backend system (STRUSTSSO2);

Yepp!

5. there is an entry in the ACL table (TWPSSO2ACL) in the backend client you are connecting to;

Yepp again!

6. you have the same username in the portal and backend OR you have set up user mapping.

We have a Central User Administration where Solution Manager is the central system and R3 a child and the portal uses Solution Manager as datasource for logon so the names should be the same. At least in my opinion...

Well, in the system connection to R3, SAP Logon Ticket is chosen as "Logon Method" and "Authentication Ticket Type". I assume I don't have to do anyting in the portal server since it, due to documentation, issues logon tickets as default. So everything should be OK but when I open the iviews using R3, I get the message "SSO logon not possible; logon tickets not activated on the server".

This is my problem, I have done everything according to documents but it still gives me this result.

Best regards

Benny Lange

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi ,

Please try

"login/accept_sso2_ticket" is set to "1".

"login/create_sso2_ticket" is set to "2".**

Infact it has to be 2

OK

CHEERS

Answers (2)

Answers (2)

Former Member
0 Kudos

Run SSo2 transaction with RFC destination NONE and check .

Regards

Bharathwaj

Former Member
0 Kudos

Hi Bharathwaj.

Thanks a lot for your tip. That transaction and destination gave this result (please note I have replaced the lights with the color😞

Issuing System for the Logon Ticket

SAP System ARD Client 200

Certificate of the Issuing System for the Logon Ticket

Owner CN=ARU

Issuer CN=ARU

Serial Number 00

Validity 19971001 000000 20380101 000000

Check Sum A1:80:3A:99:EC:AE:CE:2A:29:B0:36:10:66:E4:06:A4

Profile Parameters login/create_sso2_ticket = 0

red System ARD Is not Creating Logon Tickets

green The Current System ARD Is Also the Issuing System for the Logon Ticket

An Entry in Certificate List of ARD Is not Necessary

The Certificate for System ARD Is not Included In the Certificate List for System ARD

green System ARD Accepts Verified Logon Tickets for System ARD

Own System Data

SAP System ARD Client 200

Profile Parameters login/accept_sso2_ticket = 0

red Logon Tickets Are not Accepted

Certificate List

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

/usr/sap/ARD/DVEBMGS00/sec/SAPSYS.pse

Owner CN=APD

Issuer CN=APD

Serial Number 00

Owner CN=APU

Issuer CN=APU

Serial Number 00

Systems for Which ARD Accepts Verified Logon Tickets

The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From

Table TWPSSO2ACL

SAP System APD Client 000

Owner CN=APD

Issuer CN=APD

Serial Number 00

..........

I'm quit confused since I set the login/accept parameter to "1" and not "0" as it is shown above. Can the default profile be "not active"? I have no clue about how to handle profiles...

And why is the current system (our R3 system) also the issuing system? No one has configured it to be that. Can it be a result of the R3 being a child to Solution Manager in Central User Administration? But in Solution Manager the parameters login/accept and login/create don't even exist.

Best regards

Benny Lange

Former Member
0 Kudos

Hi Benny

Are you restarting the server after making changes??

Are you activating your parameters after changing them??

Did you have a look here?

http://help.sap.com/saphelp_nw04/helpdata/en/62/07795aaada9c42b18a9df8054c2481/frameset.htm

Cheers.

Message was edited by:

Goutam Dev

Former Member
0 Kudos

Hi,

It would be interesting to hear what actually solved your problem. I have not worked in CUA .. If its taking from the SOLMAN .. it mite be because.. each standard parameter has a default value set. You can view this in Rz11. These are default values and hence seen in that way..

Please do share how you had solved this issue. Quite a lot of people come across this!

Regards

Bharathwaj

Former Member
0 Kudos

Hi Benny

The above clearly shows the problem:

<b>Profile Parameters login/accept_sso2_ticket = 0

red Logon Tickets Are not Accepted</b>

once this is set you should be OK.

Generation of tickets is not necessary for SSO from a portal. It is necessary if you want the ABAP system to generate tickets.

Cheers

Former Member
0 Kudos

Was the ABAP system restarted after setting the RZ10 paramaters?

Cheers

Former Member
0 Kudos

Hi Michael!

Yes, the system was restarted after the settings so I will now try Sumits suggestion, thanks a lot Sumit!

Best regards to the both of you

Benny Lange