Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...


Table of Contents

...

Note

...

SSO for BO and HANA is currently not supported.

Summary

SSO / SNC is supported for BW and BW/4HANA.

Tip

If you decide to use SSO, your license need needs an adjustment (free of charge).
Please create a short ticket in our Help Desk with your SNC Partner Name of the respective SAP system.

...

The Support-Team will adjust your license and send you a new license file with SSO unlocked.

Image Added

Your Login screen will now have an SSO Logon button.

Image Removed

Errors

...

Image Added

Are you instead of looking for:
My SAP System connection properties have changed

...

Troubleshooting

Error (You have no password; you cannot log on using a password.)

Code Block
languagejava
themeDJango
You have no password; you cannot log on using a password.


Code Block
languagejava
themeDJango
EN: Unencrypted communication is rejected by this system.
DE: Eine unverschlüsselte Kommunikation wird von diesem System abgelehnt.

Solution

Send us your SNC Partner Name of the respective SAP system (Link: Help Desk)

Image Added

Error (Unable to load GSS-API DLL)

Code Block
languagejava
themeDJango
Unable to load GSS-API DLL named "GX64KRB5.DLL"

Solution

Message info@bluetelligence.de with your SNC Partner Name.

Image Removed

...

  1. Check SAP-Transaction RZ10 for the entry snc/gssapi_lib = 'C:\Windows\System32\xxxxx.DLL'
  2. Add in your 'Environment Variables' the System variable SNC_LIB_x64 and set the Value to the DLL-name you found in the RZ10.
    Image Added

Error (several suitable SAP users)

Code Block
languagejava
themeDJango
System found several suitable SAP users for the SNC name of the caller.
Mehrere passende SAP-Benutzer zum SNC-Namen des Aufrufers gefunden.


Code Block
languagejava
themeDJango
Name or password is incorrect.

Solution

Make sure only one SAP-User is connected to an SNC Name.
There is currently a limitation where you cannot have an SNC Name pointing to multiple SAP-User.

If possible, reduce the amount of SAP-User bound to the SNC Name to one.

Image Added


...

Things to check first in case SSO is not working

  1. Is your normal SAP GUI logon working with SSO?
  2. Which SSO mechanism are you using? SNC, Logon Ticket or X.509 certificateWhich SNC_LIB system variables are set on your machine?
  3. Are you using the latest Connection Tester?
  4. Check SAP transaction RZ10 for correct SNC Partner Name (snc/identity/as) and used SNC Library (snc/gssapi_lib)
  5. Which SNC_LIB system variables are set on your machine?
    Logic: User Variables > System Variables
    Image Added
  6. Did you try using the Connection Tester to confirm your connection parameters?
  7. "Write Trace log" for better analysis
  8. (Double-check Services and Hosts file)

...

 

Widget Connector
urlhttp://youtube.com/watch?v=ERgzPdQEE9I

...

More Information

Single Sign-On with Microsoft Kerberos SSP

SAP’s New Cryptographic Library “CommonCryptoLib”

Setting up SAP Secure Network Communications (SNC) (RZ10)

...

You can use Kerberos to overcome the security weakness characteristic of more basic authentication mechanisms such as user ID and password authentication.

The Kerberos authentication process relies on the exchange of session tickets. The session tickets are issued by a Kerberos Key Distribution Center (KDC) when the user attempts to connect to the AS ABAP. The KDC itself establishes and verifies the user identity and the user is not required to interactively provide a user ID and    password for  for the AS ABAP logon.

As a result of the use of session tickets, the AS ABAP authentication credentials of users are not communicated over the network for the connection between the SAP GUI and the AS ABAP. Thereby, the credential confidentiality and integrity protection is are guaranteed.

In addition, Kerberos makes use of several systems in your landscape, which may result in additional administrative effort and costs.


Client Certificate Logon:

You can use X.509 client certificates to enable secure authentication instead of using the traditional user ID and password-based authentication. The authentication credentials are protected during their transport over the network due to the use of public-key technology in X.509 client certificates.

Users need to receive their client certificates from a Certification Authority (CA), using a Public Key Infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.

...