Kerberos and NTLM 
In the Windows environment it is possible to use Kerberos, NTLM and X509 certificates as single sign-on options. The client where the proxy is running must have the appropriate GSS library (for example gsskrb5.dll) and the correct environment variables set. For more information, see the SNC Users guide and the SAP Web AS Inst. on Windows: MS SQL Server in the SAP Service Marketplace at the internet address:
service.sap.com.
Before configuring the SAP .NET Connector proxies to use SSO, we recommend that you test the connection with SAPGUI to be sure single sign-on is working. For technical reasons you must still provide the SAP user name in the connection string. In many companies, mapping the SAP user to the Windows NT user is quite easy because, for example, they use the same name or apply a logical naming process. The exception to this is with X509 certificates, where no USER parameter should be provided.
To connect to the SAP system with the SNC parameters, you can use one of the SAP Destination components. You can also construct your own connection string; however, due to deployment problems we do not recommend hard coding connection strings.
Here is an example of a connection string using Kerberos to show what parameters to set on your destination component.
|
// connection string with SNC parameters and debug
string ConnStr = "ashost=pcintel11 client=000 snc_mode=1 sysnr=00 type=3 user=SAPDOTNET snc_partnername=\"p:SAPServiceCS2@nt5.sap-ag.de\""; |
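An added example (not SAP's code and not part of the original documentation) that builds the connection string shown above from application configuration instead of hard coding it, omits USER for X509, and passes the case-sensitive SNC partner name through unchanged. The class name, the appSettings key names and the same-name mapping from Windows account to SAP user are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Principal;

public static class SncConnectionString
{
    // appSettings keys SapAsHost, SapSysNr, SapClient, SapSncPartnerName are assumed names.
    public static string FromConfig(bool useX509)
    {
        string partner = Setting("SapSncPartnerName");
        // Kerberos is case sensitive: never change the case of the partner name.
        // The "p:" prefix check follows the form of the page's example value.
        if (partner.IndexOf('"') >= 0 || !partner.StartsWith("p:", StringComparison.Ordinal))
            throw new ConfigurationErrorsException("SapSncPartnerName is malformed");

        string conn = "ashost=" + Bare("SapAsHost", Setting("SapAsHost"))
                    + " sysnr=" + Bare("SapSysNr", Setting("SapSysNr"))
                    + " client=" + Bare("SapClient", Setting("SapClient"))
                    + " type=3 snc_mode=1";

        // No USER parameter with X509 certificates. Otherwise assume the SAP user
        // has the same name as the Windows account (DOMAIN\name -> name).
        if (!useX509)
        {
            string account = WindowsIdentity.GetCurrent().Name;
            string user = account.Substring(account.LastIndexOf('\\') + 1);
            conn += " user=" + Bare("Windows account name", user);
        }
        return conn + " snc_partnername=\"" + partner + "\"";
    }

    static string Setting(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        return value;
    }

    // Unquoted values: reject whitespace, quotes and '=' so a value cannot add parameters.
    static string Bare(string name, string value)
    {
        foreach (char c in value)
            if (char.IsWhiteSpace(c) || c == '"' || c == '=')
                throw new ConfigurationErrorsException("Invalid character in " + name);
        return value;
    }
}
```

Under ASP .NET impersonation, `WindowsIdentity.GetCurrent()` returns the impersonated caller, so the USER value follows the logged-on NT user rather than the IIS account.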
The disadvantage of SSO is that you may have to additionally configure each client machine. However, you can use Active Directory to distribute the SSO configuration to users. For more information, see the installation guide SAP Web AS Inst. on Windows: MS SQL Server on the SAP Service Marketplace at: http://service.sap.com.
An alternative to configuring all user machines for SSO is to use a web application, impersonate the user, and then perform SSO as that user. In this case, you only have to configure the web server. You also have to configure your IIS application for impersonation. For more information about ASP .NET impersonation, refer to the .NET Framework Developer's Guide: ASP .NET Impersonation at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp
When Using ASP .NET Impersonation
Be sure to set these values in the authentication section of the Web.config file:
|
<identity impersonate="true" /> |
In IIS Administration, turn off Anonymous access under the directory security tab.
A simple ASPX page to test if impersonation is working is:
|
User Name:
<%= System.Environment.UserName %> |
When you access this test web page and impersonation is working, you see the logged-on NT user, not the IIS anonymous user.

There is currently a technical limitation in the Kerberos implementation from SAP. You can only use Kerberos with the client machine at this time.
Kerberos is case sensitive, so make sure that you get SNC_PARTNERNAME correct. The SAP user name is not case sensitive. The user name is needed only because of a limitation in the RFC library, not because of SSO considerations.
NTLM is not supported in this web scenario because it does not provide impersonation capabilities.