Re: Secure communication between SAP and .NET Application
Tim Alsop wrote:
As I mentioned above, this is a common scenario that I have helped many customers with. It is easy if you use the correct protocol/libraries.
So here Secure Login Client doesn't support my scenario? .NET app --> AS ABAP
Thanks,
Krishna
Re: Programmatically set (or change) the master role
Hi again.
Yes it works but..... I was too fast in the test.
It seems that the function creates a new role.
In other words if I execute the function against role XXX which was created before (with texts, profile generated, etc) and then I execute S_AUTH_CREATE_AGR, the result is a NEW role with the same name, with the parent role assigned but without all the features previously set.
Any further hint?
Thank you
Lorenzo
Alternative to PRGN_1252_SAVE_ORG_LEVELS
Hi all
Is there an alternative to PRGN_1252_SAVE_ORG_LEVELS that can be called via RFC?
Currently I'm using the function within a SECATT, but a recent test I made demonstrated that the function does not perform ANY authorization check.
This means that I can't leave the script saved so that anybody with the permission to execute SECATT scripts can mess up with roles.
As an alternative, is there a way to transform the function so that it can be called via RFC?
I mean, other than to write a wrapper.
Thank you
Lorenzo
Re: Terminal name not displayed in SM20
Hi Rohit, please ensure you have implemented these SAP Security Notes in your system:
- 2190621 - SAP Netweaver SAL incorrect logging of addresses
- 2122391 - SAP Netweaver SAL incorrect logging in RFC functions
- 1497445 - SAL| Logging the IP address instead of the terminal name
Those 3 notes are related to how the Security Audit Log handles the "terminal" field; there are some issues around it that you need to fix.
Re: Secure communication between SAP and .NET Application
Hi Tim, one question which comes out of my only theoretical knowledge of this scenario:
Doesn't this scenario need something like Kerberos Constrained Delegation on the .NET server side? The .NET server either needs to impersonate the user or the SAP server to allow end-to-end identity, doesn't it?
Regards,
Lutz
Re: Secure communication between SAP and .NET Application
Yes, impersonation needs to be enabled on IIS so that the Kerberos TGT of the user at the workstation can be used by the SNC library on the .NET server to authenticate to the ABAP backend system. The session between the .NET server and the ABAP system will be authenticated using the user's credentials and encrypted if SNC is configured to encrypt the session.
Re: Alternative to PRGN_1252_SAVE_ORG_LEVELS
How about using tcode pfcgmassval instead?
b.rgds, Bernhard
Re: Security steps in upgrading from BI 7.01 to 7.4
Hi Krishna,
Do you know if this AA migration creates any log somewhere in the system that can be referred later?
Thanks
Shiwani
Re: Alternative to PRGN_1252_SAVE_ORG_LEVELS
PFCGMASSVAL does not seem to be available on my system.
Is it something that can be installed? A note to be implemented maybe?
Thank you
Receiving message "number of failed password logon attempt" in every successful login
Hi All
Users are receiving a message "number of failed password logon attempt" continuously even though they logged in successfully.
We tried to set a new password, but the message is still received. Can someone with expertise advise how to get rid of it?
Please help resolve this error.
Thanks in Advance,
Deven Bhandarkar
Re: Receiving message "number of failed password logon attempt" in every successful login
Has the user previously not logged in successfully? Is there a chance the user is sharing the account and another person is making a mistake? Do you have the Security Audit Log configured to see if you can identify what the user is doing? Is it all users, some users or a specific user?
What happens if they logout and then log back in?
Do these numbers match the USR02 numbers? And is there any chance someone has custom code that is directly updating USR02 which could be causing issues?
Re: Receiving message "number of failed password logon attempt" in every successful login
SAP KBA 1894688
--> Only a successful logon with user/password will reset the counter. Using SSO, the popup will reappear, as the pwd-logon counter is not reset.
Blank Evaluation path in Auth. profile
Hi All,
I have an Auth. profile which has no Evaluation path assigned. So, could you suggest if and how it works?
Regards
Plaban
SSL Certificate Mismatch on 2 SSL Certificates on Same Hostname
Hello everybody,
We have two websites, e.g. www.a.com and www.b.com, running on the same server (a single hostname and IP address for the two websites).
We imported their SSL certificates into transaction STRUST without any problems.
(Certificates are OK and can be verified in web browser)
SSL configuration on R/3 is OK.
We created two RFC destinations in SM59 to test the connection from R/3 to websites.
Connection to www.a.com is ok; SMICM logs show an exact match between the requested website's address and its certificate.
<<- SapSSLSetTargetHostname(sssl_hdl=00000000399975C0)==SAP_O_K
in: hostname = "a.com"
NiIBlockMode: set blockmode for hdl 550 TRUE
NiIBlockMode: set blockmode for hdl 550 FALSE
NiIBlockMode: set blockmode for hdl 550 TRUE
Subject Alt Names: dNSName=a.com, dNSName=www.a.com
MatchTargetName("a.com", dNSName="www.a.com") MISmatch
MatchTargetName("a.com", dNSName="a.com") == EXACT match
But connection to www.b.com fails with message "SSL handshake with b.com:443 failed:"
SMICM logs show a weird situation:
<<- SapSSLSetTargetHostname(sssl_hdl=0000000039997240)==SAP_O_K
in: hostname = "b.com"
NiIBlockMode: set blockmode for hdl 1334 TRUE
NiIBlockMode: set blockmode for hdl 1334 FALSE
NiIBlockMode: set blockmode for hdl 1334 TRUE
Subject Alt Names: dNSName=a.com, dNSName=www.a.com
MatchTargetName("b.com", dNSName="www.a.com") MISmatch
MatchTargetName("b.com", dNSName="a.com") MISmatch
MatchTargetName("b.com", "CN=www.a.com") MISmatch
<<- ERROR: SapSSLSessionStart(sssl_hdl=0000000039997240)==SSSLERR_SERVER_CERT_MISMATCH
Subject DN = "CN=www.a.com, O=.....
*** ERROR => SSL handshake with b.com:443 failed: SSSLERR_SERVER_CERT_MISMATCH (-30)
SAP is requesting a connection to b.com but the returned certificate is the one of website a.com.
How can this be possible? I am not sure if SAP's SSL lib is supporting such a scenario with two certificates on the same host (IP address).
Has anyone experienced the same situation before?
Any help will be much appreciated since we are stuck.
Best regards,
Ozcan.
Message was edited by: Ozcan Gurdal
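A small triage helper for the trace excerpts quoted in the post above, added here as an example (it is not code from the thread or from SAP): it groups the lines per handshake and lists the targets for which the server presented a certificate naming only other hosts. The trace text is copied from the post with the NiIBlockMode lines omitted; the function names and the regular expressions are this example's own assumptions about the line format.

```python
import re
# Trace lines copied from the post above (NiIBlockMode lines omitted).
TRACE = '''\
<<- SapSSLSetTargetHostname(sssl_hdl=00000000399975C0)==SAP_O_K
in: hostname = "a.com"
Subject Alt Names: dNSName=a.com, dNSName=www.a.com
MatchTargetName("a.com", dNSName="www.a.com") MISmatch
MatchTargetName("a.com", dNSName="a.com") == EXACT match
<<- SapSSLSetTargetHostname(sssl_hdl=0000000039997240)==SAP_O_K
in: hostname = "b.com"
Subject Alt Names: dNSName=a.com, dNSName=www.a.com
MatchTargetName("b.com", dNSName="www.a.com") MISmatch
MatchTargetName("b.com", dNSName="a.com") MISmatch
MatchTargetName("b.com", "CN=www.a.com") MISmatch
<<- ERROR: SapSSLSessionStart(sssl_hdl=0000000039997240)==SSSLERR_SERVER_CERT_MISMATCH
'''
HOST = re.compile(r'in: hostname = "([^"]+)"')
SANS = re.compile(r'dNSName=([^,\s]+)')
MATCH = re.compile(r'MatchTargetName\("([^"]+)", (?:dNSName=)?"([^"]+)"\)\s*(.*)')

def parse_handshakes(trace):
    """Return one record per SapSSLSetTargetHostname call found in the trace."""
    sessions, cur = [], None
    for line in trace.splitlines():
        line = line.strip()
        if "SapSSLSetTargetHostname(" in line:      # a new handshake starts here
            cur = {"target": None, "sans": [], "matched": [], "error": None}
            sessions.append(cur)
        elif cur is None:                           # lines before the first handshake
            continue
        elif (m := HOST.search(line)):              # hostname the client asked for
            cur["target"] = m.group(1)
        elif line.startswith("Subject Alt Names:"): # names in the presented certificate
            cur["sans"] = SANS.findall(line)
        elif (m := MATCH.search(line)):             # per-name comparison result
            if "MISmatch" not in m.group(3):
                cur["matched"].append(m.group(2))
        elif "ERROR" in line and "==" in line:      # final handshake status code
            cur["error"] = line.rsplit("==", 1)[1]
    return sessions

def wrong_certificate(sessions):
    """Targets whose presented certificate named other hosts only."""
    return [s["target"] for s in sessions if s["sans"] and not s["matched"]]

if __name__ == "__main__":
    for s in parse_handshakes(TRACE):
        print(s["target"], "presented:", s["sans"], "matched:", s["matched"], s["error"])
```
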
Re: SSL Certificate Mismatch on 2 SSL Certificates on Same Hostname
Hello Ozcan,
See SAP note 1318906 (SSL problems) - Also check SAP Note 510007 for SSL configuration.
Thanks
Re: Mass change of single authorization object in more than 400 Roles
Hello,
Did you check t-code PFCGMASSVAL for mass role change? Note 1842231
Thanks
Re: Mass change of single authorization object in more than 400 Roles
Hi,
Thanks for sharing this note. It's always nice to realize that SAP still invests in the platform. A bonus point for SAP that they provide a reusable API so customers can build their solutions on top of it.
Cheers
Re: Receiving message "number of failed password logon attempt" in every successful login
Hello Bernhard,
After going through SAP KBA 1894688, it has become clear that the received message "Number of failed password logon attempts" is a known error.
Thanks for your help and support.
Regards,
Deven Bhandarkar