Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 70 Next »


Summary

Yes, SNC/SSO is supported by the Docu Performer for BW.
We are thinking about adding SSO to BO and HANA, but nothing is specifically planned.

If you decide to use SSO, your license needs an adjustment (free of charge).
Please create a ticket in our Help Desk with your SNC Partner Name of the respective SAP system.

The Support-Team will adjust your license and send you a new one with SSO unlocked.

Your Login screen will now have an SSO Logon button.

Are you instead of looking for:
General: My SAP System connection properties has changed


Error (You have no password; you cannot log on using a password.)

You have no password; you cannot log on using a password.

Solution

Send us your SNC Partner Name of the respective SAP system (Link: Help Desk)

Error (Unable to load GSS-API DLL)

ProjectB.SAPConnections.Data.Exceptions.ConnectionFailedToSapException: RfcOpenEx failed(RFC_ERROR_COMMUNICATION) SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=10.118.169.25, GWSERV=sapgw05, SYSNR=05

LOCATION    CPIC (TCP/IP) on local host
ERROR       SncPDLInit()==SNCERR_INIT
            Unable to load GSS-API DLL
            named "GX64KRB5.DLL"
TIME        Tue May 28 11:32:09 2019
RELEASE     720
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c
LINE        378
DETAIL      LoadLibrary("GX64KRB5.DLL")
              Error 126 = "The specified m
   at ProjectB.SAPConnections.SapConnectionOpeners.SapConnectionOpenerWrapper.HandleConnectionError(Exception ex, BwConnection connection)
   at ProjectB.SAPConnections.SapConnectionOpeners.SapConnectionOpenerWrapper.GetOpenConnection()
   at ConnectionTester.Helpers.BwConnectionHelper.ConnectToBW(MainViewModel mainViewModel)

Solution

  1. Check SAP-Transaction RZ10 for the entry snc/gssapi_lib = 'C:\Windows\System32\xxxxx.DLL'
  2. Add in your 'Environment Variables' the System variable SNC_LIB_x64 and set the Value to the DLL-name you found in the RZ10.



Troubleshooting SSO

  1. Is your normal SAP GUI logon working with SSO?
  2. Which SSO mechanism are you using? SNC, Logon Ticket or X.509 certificate
  3. Check SAP transaction RZ10 for correct SNC Partner Name (snc/identity/as) and used SNC Library (snc/gssapi_lib)
  4. Which SNC_LIB system variables are set on your machine?
    Logic: User Variables > System Variables
  5. Are you using the latest Connection Tester?
  6. "Write Trace log" for better analysis
  7. (Double-check Services and Hosts file)

How-to setup SSO:

 


More Information

Single Sign-On with Microsoft Kerberos SSP

SAP’s New Cryptographic Library “CommonCryptoLib”

Setting up SAP Secure Network Communications (SNC) (RZ10)


Kerberos:

You can use Kerberos to overcome the security weakness characteristic of more basic authentication mechanisms such as user ID and password authentication.

The Kerberos authentication process relies on the exchange of session tickets. The session tickets are issued by a Kerberos Key Distribution Center (KDC) when the user attempts to connect to the AS ABAP. The KDC itself establishes and verifies the user identity and the user is not required to interactively provide a user ID and password for the AS ABAP logon.

As a result of the use of session tickets, the AS ABAP authentication credentials of users are not communicated over the network for the connection between the SAP GUI and the AS ABAP. Thereby, the credential confidentiality and integrity protection are guaranteed.

In addition, Kerberos makes use of several systems in your landscape, which may result in additional administrative effort and costs.


Client Certificate Logon:

You can use X.509 client certificates to enable secure authentication instead of using the traditional user ID and password-based authentication. The authentication credentials are protected during their transport over the network due to the use of public-key technology in X.509 client certificates.

Users need to receive their client certificates from a Certification Authority (CA), using a Public Key Infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.

Typically, your Web browser generates these keys. You then send the public key of this key pair to a central instance called a Certification Authority (CA) to be signed. This step guarantees your ownership of the key pair. You can compare this to a central office that distributes identification cards. These keys then “belong” to the owner and can be used for identification purposes.


  • No labels