single sign on error

Former Member
0 Kudos
75

Hi friends, I have configured SSO for the EP server with an SAP system (ECC), but it is giving an error in the test connection.

The user I am trying exists in both systems with the same name.

But it is not working. Can anybody help me, please? its ozt.

I followed the SAP standard procedure for SSO.

I checked in SAP sso2; it is OK.

I also checked the parameters in the SAP system.

And restarted the system also.

I also created an RFC connection between the SAP and EP systems; it is also working properly.

But I do not understand where the error is in my configuration. Please help me.

with regards

srikanth vipparla.

Edited by: srikanth vipparla on Sep 9, 2008 9:39 AM

Accepted Solutions (1)

Former Member
0 Kudos

Hi Srikanth,

I hope while uploading certificates from Portal to ECC you have given client as 000.

Regards

Parth

Former Member
0 Kudos

Results

Retrieval of default alias successful

Connection failed. Make sure that Single Sign-On is configured correctly

Former Member
0 Kudos

Hello Srikant,

Please check:

1) Whether your verify.der certificate is properly absorbed in the backend or not (most important; I think it is not properly updated in the backend).

2) Please check some properties like SID, server port and other backend-related properties (hope all are correct in your case).

3) And last, very rare but it can happen, that the certificate you are using is expired. To check it, open the certificate and check the date of expiry.

Hope this helps.

If so points are welcome

Regards.

Soni Vinit
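An added example, not part of any reply in this thread: one way to read the subject, issuer and validity dates of the unzipped verify.der with the openssl CLI before importing it, covering the expiry check suggested above. The function names, the 7-day threshold and the throwaway CN=EP1 certificate are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# check_portal_cert FILE [MIN_DAYS]
# Prints subject, issuer and validity of a DER-encoded certificate and returns
#   0 if it stays valid for at least MIN_DAYS more days (default 0 = valid now)
#   1 if it is expired or expires within MIN_DAYS
#   2 if the file is not a readable DER certificate
check_portal_cert() {
    cert=$1
    min_days=${2:-0}
    # Fail early on a wrong file, e.g. the still-zipped download or a PEM file
    if ! openssl x509 -inform DER -in "$cert" -noout 2>/dev/null; then
        echo "not a DER certificate: $cert" >&2
        return 2
    fi
    # The subject CN is what the trusted-issuer settings refer to
    openssl x509 -inform DER -in "$cert" -noout -subject -issuer -dates
    # -checkend exits non-zero if the certificate expires within N seconds
    if openssl x509 -inform DER -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "OK: valid for at least $min_days more day(s)"
        return 0
    fi
    echo "FAIL: expired or expiring within $min_days day(s)"
    return 1
}

# Constructed sample input: a throwaway self-signed certificate, CN=EP1,
# valid for 30 days, written in DER form like the portal's verify.der.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=EP1" \
        -keyout "$1.key" -outform DER -out "$1" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/verify.der"
check_portal_cert "$demo_dir/verify.der" 7
rm -rf "$demo_dir"
```

Against a real download, call `check_portal_cert verify.der 30` on the unzipped file; a return code of 2 usually means the file is still the zip archive or is PEM-encoded.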

Former Member
0 Kudos

Hi Srikant,

I believe this is an issue with the backend ABAP system, which is unable to recognize your portal system. So you need to re-import the portal & ABAP certificates again, restart the portal server and check.

Remember to add the certificates both in the system's certificates list as well as in the ACL. Remember, while adding the Portal certificate in the ACL, the client should be 000.

Regards

Gourav Sharma.

Former Member
0 Kudos

Is it required to do this in both systems?

If it is required, then what is the process? Please help me.

What is the process in each system?

Please help me on this.

with regards

srikanth vipparla

Former Member
0 Kudos

Hi,

Did you create an alias for your ECC system on the Portal side? In the system you created on the portal side, did you set the logon method to SAPLOGONTICKET? Make sure the authentication ticket type is set to SAP Logon Ticket. Also, set the user mapping type to admin, user.

Then, as someone earlier stated, make sure to download the verify.der file and unzip it. Finally, upload it via transaction strustsso2 and use client 000 when you add it to the ACL list.

Hope this helps.

Regards,

Rick

Former Member
0 Kudos

Hello dear Gourav Sharma. "Remember while adding the Portal certificate in the ACL, client should be 000" Do you think so? Where did you read about it, and why do I think the ACL is client dependent? Try to check your solution yourself .....

Dear srikanth vipparla, can you describe your steps, step by step?

Does your ECC have a JAVA server (ABAP+JAVA) or is it only ABAP? If your ECC has JAVA you need to change in the portal the "JAVA client (different from the ECC JAVA)" -->

login.ticket_client

http://help.sap.com/saphelp_nw70/helpdata/EN/0b/50ad3e1d1edc61e10000000a114084/frameset.htm

You must add the verify.der to the ACL in the required client (for example, if you want to work in client 100, log in to this client, then go to strustsso2 and add your verify.der certificate to the ACL).

http://help.sap.com/saphelp_nw70/helpdata/EN/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm

Regards.

Former Member
0 Kudos

Hi Sergo Beradze

"When the J2EE Engine is the ticket-issuing system, its system ID is used as specified in the installation. Although the J2EE Engine does not have a client, it still needs to provide a client value to use for logon tickets so that the tickets can be accepted by other systems, for example, from an SAP Web AS ABAP. The default client for the J2EE Engine is 000, however, you can explicitly set a different value to use. "

Regards

Parth

Former Member
0 Kudos

Hi Sergo,

The J2EE Engine does not have a client, but when you add the certificate in the ACL you need to provide a client number, which is 000.

I think you should check the SAP Best Practice for Portal, wherein you can find that.

Regards

Gourav.

Former Member
0 Kudos

I did the above settings from client 000.

Still the same error is coming.

In the trace information I am getting this error:

Incomplete ACL! trusteddn1 is missing!

What is this, and how do I resolve this error?

with regards

srikanth vipparla.

Edited by: srikanth vipparla on Sep 10, 2008 9:27 AM

Former Member
0 Kudos

Hi Srikant,

You have to configure the login module stack for this.

Log in to Visual Administrator.

1. Choose Server ## --> Services --> Security Provider

2. Choose ticket in the Components menu.

3. Choose com.sap.security.core.server.jaas.EvaluateTicketLoginModule in the Login Modules table.

4. Choose the Modify button. An Edit Login Module dialog box displays.

5. There, enter trusteddn1 on the left & on the right enter CN=<3 letter SID of the ABAP system>.

Restart the WAS & try again.

Hope it helps. Reward points if found helpful.

Regards,

Gourav.

Former Member
0 Kudos

Hi,

I think you didn't add your system to the Security Provider list:

1. Choose Server --> Services --> Security Provider of the J2EE VA.

2. Choose ticket, Edit.

3. Choose com.sap.security.core.server.jaas.EvaluateTicketLoginModule in the Login Modules table.

4. Modify and edit the login module.

5. trustedsys1 = <SID>, <client> (for example, D2B, 100)

6. trustediss1 = CN=<SID> (for example CN=D2B)

7. trusteddn1 = CN=<SID> (for example CN=D2B)

Click OK.

8. Do the same steps for com.sap.security.core.server.jaas.CreateTicketLoginModule.

Regards

Parth

Former Member
0 Kudos

Still I am getting the same error.

Former Member
0 Kudos

Can you just restart and check it?

regards

Parth

Former Member
0 Kudos

Hey Srikanth,

If you wanna check your SSO configuration for your systems involved you can download and run SSO diagtool as it is described in note 957707.

Please set the trace level for the security component in the ABAP system to trace level 3 as outlined in section 'Logging and tracing' of note 701205 (remember Trace level '3' NOT '2')

Please then recreate the error

/usr/sap/<SID>/<InstID>/j2ee/cluster/server<n>/log/defaulttracesX.trc

  • SM50 trace

After running the DIAGTool you can check the file named diagtool_<timestamp>.html to see which part of your configuration is giving errors.

Hope it helps. Do award points if found helpful.

Regards,

Gourav.

Former Member
0 Kudos

I have already done this; in this report it is showing everything OK.

But it is not connecting to the ECC backend system.

Any other settings?

Please help me.

Former Member
0 Kudos

Hello dear Gourav Sharma, you don't understand what I wrote above .... The ACL is client dependent in the ABAP stack; if you want to use SSO in client 100 in ABAP, you must add to the ACL in client 100. About the JAVA client, I say you need to check and set in the portal, if required, the "login.ticket_client" --> this parameter is the "JAVA client"; yes, by default it is 000, but if you want to use one or more JAVA you need to change this setting in one of the JAVA, restart it, and reimport the certificate in ABAP. Do you know it from your best practices?

To Mr. srikanth vipparla, try to read my posts ....

Where you find these errors, it's not so hard to create SSO from Portal to ABAP....

1) Check the time and date on both servers; they must be the same (synchronization to one time server).

2) Check the JAVA client in your portal server, the login.ticket_client from configtool for example (change to another if needed, then restart the JAVA).

3) Set the profile parameter login/accept_sso2_ticket to the value 1 in every instance profile of the ABAP server. Restart the ABAP server.

4) Download the verify.der certificate from your portal.

5) Log in to client 000 in your ABAP server, go to transaction "strustsso2", and add this certificate to the certificates list. SAVE settings.

6) Log in again to your required client in ABAP (for example 333), go to the same "strustsso2", and add this certificate to the ACL of this client. Where you see the question about the portal, enter the portal's system ID and client (the login.ticket_client). SAVE settings. You can check the SSO now. Regards.

Former Member
0 Kudos

Thank you very much, Sergo Beradze.

You helped me a lot.

Thank you very much.

I added to the ACL from client 000; that is the error I made.

Now it is rectified.

Thank you very much.

Former Member
0 Kudos

Hi Srikanth,

Congratulations on solving your problem .. but if you refer to my first reply, I said the same thing which solved your problem.. seems you didn't try it that time....

Regards

Parth
