Welcome! Guest
New User? Register | Login

How to create the SSO(SINGLE SIGN ON) in sap sysetm?

By: rekha | 19 Oct 2010 12:07 pm

This document is meant to be a step by step guide to enable Single Sign-On (SSO) for SAP applications in a Microsoft Active Directory environment using Kerberos authentication. This will allow end users of an SAP system to logon to SAP with the Active Directory credentials, and avoid having another system to maintain a password in.

Active Directory Account Setup

SAP recommends to perform a Domain installation

The following tasks will have to be completed by Domain Administrator

Create the new global group SAP_<SAPSID>_GlobalAdmin
Create the two new SAP system users <sapsid>adm and SAPService<SAPSID>
Add the users <sapsid>adm and SAPService<SAPSID> to the newly created group
SAP_<SAPSID>_GlobalAdmin

In the Active Directory Users and Computers console, Right-click Users in Tree, and choose New Group

Enter the following Group Name: SAP_<SAPSID>_GlobalAdmin
Note: Enter the SAP_<SAPSID>_GlobalAdmin group exactly as specified in the correct uppercase and lowercase.
Group Scope: Global
Group Type: Security

In the Active Directory Users and Computers console, Right-click Users in Tree, and choose New Group

Creating the New SAP System Users <sapsid> adm and SAPService<SAPSID>

Note: Enter the <sapsid>adm and SAPService<SAPSID> user exactly as specified in the correct uppercase and lowercase.

Enter the password and select never expires

Adding the <sapsid>adm User to the SAP_<SAPSID>_GlobalAdmin Group

Choose Member and Add
Select the new SAP_<SAPSID>_GlobalAdmin group and choose Add to add it to the list
Note: By Default, the user is also a member of the Domain Users group

Adding the SAPService<SAPSID> User to the SAP_<SAPSID>_GlobalAdmin Group
In the Users folder, double-click the newly created user account SAPService<SAPSID> in the list on the right.

Choose Member Add
Select the new SAP_<SAPSID>_GlobalAdmin group
Choose Add to add it to the list

o The SAPService<SAPSID> user must not be a member of the Domain Users group
Select the SAP_<SAPSID>_GlobalAdmin group

Choose Set Primary Group.
Select the Domain Users group
Choose Remove to delete it from the Member of list
Choose OK to close SAPService<SAPSID> Properties

o In the Active Directory Users and Computers console, open the SAPService<SID> UserID

On the Account tab ensure the below fields are defined
UserID (ex. SAPServiceSLM)
Note: The UserID is case sensitive
Domain (ex. @company.com)

Active Directory SPN for Service Account

o Update Service Principle Name (SPN) for the SAP Service Account in the Active Directory
(This must be done on all Windows 2003 Native Mode Domains!)

On a Domain Controller in the SAP systems Domain, a Domain Admin must update the SPN for the SAPService<SID>
From the Windows 2003 Support Tools, setspn.exe must be installed
From a command prompt the Domain Admin will execute
setspn –A SAPService<SID>/HostComputerName Domain\SAPService<SID>

o Note the following Microsoft Updates should be applied to Windows systems to prevent unexpected Kerberos related authentication errors for the SAP clients:

Windows 2003 RTM Systems – Kerberos Update for Domain Controllers
http://support.micorosoft.com/kb/q829074
Windows XP SP2 Systems – Kerberos Update for Clientshttp://support.microsoft.com/kb/q885887

o A reference article from Microsoft detailing Kerberos and SPN’s is available at:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28.mspx

o SAP System & Client Configuration Update

o Copy current gsskrb5.dll to %windir%\system32 directory on both clients and servers. Currently this file is dated 9/7/2004.
SAPGUI currently does not support the 64-bit gx64krb.dll or the gi64krb5.dll if the SAPGUI is needed to run on a 64-bit machine then the 32-bit gsskrb5.dll will have to be used instead.

o Set System Environment Variable for SNC_LIB on both clients and servers

Right Click My Computer & Left Click Properties
Click on the Advanced tab

Click on Environment Variables button at the bottom

Under System Variables Click New

Enter
Variable Name: SNC_LIB
Variable Value: %windir%\system32\gsskrb5.dll

Click OK, and OK and OK

SAP Instance Profile Configuration

o In RZ10 update Instance Profile with the following additions

#Kerberos
snc/enable =1
snc/accept_insecure_cpic =1
snc/accept_insecure_gui =1
snc/accept_insecure_r3int_rfc =1
snc/accept_insecure_rfc =1
snc/data_protection/max =1
snc/data_protection/min =1
snc/data_protection/use =1
# Location of the dll used for kerberos
snc/gssapi_lib = C:\windows\system32\gsskrb5.dll
snc/permit_insecure_start =1
# The Windows User Account used to run SAP Server
snc/identity/as = p:SAPService<SID>@corp.company.com
snc/r3int_rfc_secure = 0

o Save the updates, and the instance must be restarted.

SAP UserID Update

o Log on to the desired SAP system and client, and enter transaction SU01
o Enter the UserID to modify, and click Change ( )

o A tab now appears titled SNC in the Maintain User screens, click on that tab
o In the SNC name field, enter the name of the Active Directory user and their Fully Qualified Domain Name (FQDN) preceded with a p: as it was listed in Active Directory Account Setup step from above. For instance:

p:test@ COMPANY.COM

SAPGUI Configuration

o In SAP Logon update SNC configuration for the system

Select the desired system & Click Properties
Click Advanced on the Properties Window

Check the box next to “Enable Secure Network Communication”
For the field “SNC name” Enter p:SAPService<SID>@company.com
entry is case sensitive, and the p: is required

Troubleshooting
o The following section is a decision road-map that will step through the items to check if the authentication mechanism is failing for the users trying to login to the SAP environment

o Check Status of SAP Instance by logging in without SNC configuration. This step should be performed on more than one client computer to ensure that it is not specific to the client running the machine.

o Check the Domain Controller availability of the server and if service are available

o Check Client installation and ensure that configuration is correct and proper components have been installed. (see section Active Directory SPN for Service Account)

Possible SSO Errors

o The following error is from incorrect user added in the SNC configuration

o The following errors are due to system outage

o The following error is due to incorrect or incomplete environment variables in place

Comments

Hi,

1. Download the verify.der file to your local (portal server) file system.

a) As portal user navigate to System Administration →

System Configuration → Keystore Administration.

b) Choose Download verify.der File and store the file in your local

filesystem.

c) UnZIP this file (e.g. using WinZIP or WinRAR) to be able to store

verify.der.

2. Upload the verify.der file to your ABAP based backend system.

Caution: Only one user can access the STRUSTSSO2 transaction,

so you may have to wait until other groups have left STRUSTSSO2.

a) Launch the SAP Logon shortcut on your portal’s server desktop.

b) Create an entry for you ABAP based backend system .

c) Logon to that system to client 100 with user.

d) Launch transaction STRUSTSSO2 and press the Import certificate

icon (in area Certificate). In field File path, browse to the verify.der

file and press Enter.

e) Press the Add to Certificate List button and Save.

Hint: Do not exit the transaction, because to have to add the

entry to the ACL (see next task).

f) From the certificates list (area Cert. List), double-click the entry for

.your. portal server, e.g. CN=SID.

c) Choose Add to ACL and provide the following data:

System ID. Your portal server system ID, e.g. SID,

Client your portal server client which should be 000

d) Save your entry and exit the transaction.

By: rekha | 22 Dec 2010