
Single Signon 3.0 settings for Kerberos login using a shared PC

SF111
Explorer

I'm currently hitting an issue with using the Single Signon 3.0 Client where it's forcing users to type in their credentials every time they try to open a new GUI window (after they've already logged into the SAP client). Here's the scenario:

1) We have instances where the computer stays logged in as a generic Active Directory user account that does not have any authorization set up to log in to SAP. These PCs are used by multiple operators, and this is to keep operators from having to constantly log off of Windows and log back on each time a different operator needs to get onto the computer.

2) In the past, they would have right-clicked on SAPGUI and selected "RUN AS DIFFERENT USER" and logged in. This does NOT work with the Single Sign-on 3.0 client because it stores that user's Kerberos key, and the next user that tries to log in automatically logs in as the first user because the client stored the Kerberos key.

3) To try and prevent the issue in item 2, I needed SAPGUI to prompt the user for username/password each time they needed to log in to the SAP client, but not store the Kerberos key. I found this link (https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/8b5500efc24147758cbf918cd829bbdb.html) that pointed me to the SSO Mode registry key. I set that SSOMode=2 and that fixed the initial issue: if a user tried to open SAPGUI or Business Client and tried to get into an SAP system/client, it prompted for credentials, logged them in, but did NOT store the Kerberos key information in the client. This means that if they closed out of SAP, the next user that walked up would be prompted for credentials.

4) The problem with the solution from item 3 is that after a user logs in, if they try to click "new GUI window" or use /o<transaction_name>, it prompts them for credentials again instead of just opening the new window in the same session.

Is there any way to get around this with the Single Signon Client? We don't want to use SAP credentials for these users because that would be yet another set of username/password to have to keep up with.

Accepted Solutions (0)

Answers (1)

Colt
Active Contributor

Hi Hal,

Based on the information provided, it appears that the behavior you're experiencing is related to how transactions are handled in a new mode or window, treating it similarly to the initial call of a DIAG connection with the SAP GUI, which is a new SNC session. This results in a lack of credentials at that moment, leading to the prompt for credentials again.

The issue you're facing might be a limitation or design choice in the Single Sign-On 3.0 client. I am not aware of any options or settings to address this specific behavior. You may consider checking with SAP support; maybe they have another hint?

Possible workarounds would be personalized login at the shared operator desks or the use of contactless cards, although this would be associated with additional effort, hardware, and a switch of the SSO technology from Kerberos to X.509. To me, it doesn't sound like a feasible alternative.

Cheers Carsten

tim_alsop
Active Contributor

Our company's product could be used instead of the SAP SSO product, and then shared workstations would be fully supported. Many of our customers use our product in the same way as the OP described. This is not intended as marketing, just to inform you that there is another option. I doubt that SAP will change their product just for one customer.