Channel: SCN: Message List - Security
Viewing all 5338 articles

Re: SSF and digital signatures

Hi Ana,

 

Just to be precise, I did not say that it is not working, I said it was not supported. I do not know of any 3rd party products you can use. Patrick had the best suggestion though. He said, "Maybe if you describe the use case, there is another solution that can be used instead?"


Re: Store sensitive credentials for https connections?

Oh yeah, good old macro trick. I think that there is a workaround for this but I am not sure. You could try to crash the program and check variables in ST22. Anyway, it came to me that you can set up a trace for HTTP connections in SMICM that captures payloads. Hence all this protection won't prevent a malicious user from setting a trace and reading the secret from a trace log.

 

It's really hard to protect against a user with sufficient authorization and skills. You can accept the risk or move this whole thing into an environment where you have more control (e.g. a simple Java app that gets a JSON document, updates it with the secret and forwards it to the recipient of the message).

 

Cheers

Re: STAUTHTRACE not returning values for objects

Corrections for trace features are kernel based and ST01 shows them as a string in a field which it can read from the file.

 

Sometimes ABAP correction features are needed for the STAuthTrace as it splits those file strings into fields for ALV.

 

This can have the unfortunate side effect that the kernel version is not 100% downward compatible with ABAP based ALV reporting.

 

This sometimes affects tags (type=xx name=xx bname=xx) if they contain special characters, particularly the character & or the tag && (e.g. &NC& or ' ' which ABAP might interpret as a tabulator or double-split).

 

-> you should check SAP notes for ABAP corrections or open a customer message.

 

Which ABAP and kernel versions are you on?

 

Cheers,

Julius

Re: Download bc_snc_adapter_101.zip

Hi,

 

Can someone tell me how I can download bc_snc_adapter_101.zip, or if someone has it please let me know what to send mail.


Best regards

Re: How to enable STMS for SNC authentication

Hello Tim,

we have the same symptom of GUI CRASH once we try to transport from DEV to QAS.

Would you mind telling us how you solved your problem?

Did you change the password of TMSADM on client 000?

Please let us know.

Re: How to enable STMS for SNC authentication

We haven't managed to find a solution yet.

It is good to know we are not the only ones having the issue.

When you find a solution, please let me know and I will do the same.

Re: How to enable STMS for SNC authentication

The password of TMSADM is unrelated to this as it always needs a password for the domain - the question is just which one.

 

At most if the TMSADM cannot even connect for the "uncritical" functions via the TMSADM* destinations as this has a fixed user in it, then it will not even reach the TMSSUP* destinations which is where Tim's problem is for the "critical" functions.

 

I suspect that these are two different problems for which the symptom appears to be the same -> it does not work.

 

Cheers,

Julius

Re: Store sensitive credentials for https connections?

What a sick joke to propose WS as a replacement for a REST based service. Also the Fiori guys did not get the memo. Just kidding.

 

Cheers


Re: Replicate All/New users in Backup system

Hi,

 

It's going to be tricky. A proper way to implement this would be to use some identity management solution (e.g. SAP IDM). All changes to users would be made in IDM and then they would be propagated to backend systems. In your case the same changes would be replicated to the golden and backup systems. This will require some time and money.

 

Another option on a shoestring could be to implement this by yourself. In the new release there is a user exit that is called after a user is changed. So you raise an event that would cause a user replication to the backup system. Re-using IDocs used by CUA would probably be the simplest option. The only part that could be tricky is to replicate password changes. I don't think that there is a user exit for password change. Also capturing the password in plaintext might not be possible. Warning that these custom solutions may end up costing more than a proper solution.

 

BTW out of curiosity, how is this switch from golden to backup system going to happen? I understand that you want to have the same users in both systems but what about other master and transactional data?

 

Cheers

Re: Store sensitive credentials for https connections?

REST is not for going concerns then it seems.

 

2nd hand car dealers, insurance salesmen and fly-by-night SAP consultants and non-ABAP developers should fare well with it for a while then.

 

Personally I find it more ugly that you are forced to use the secure store instead of other more secure authentication mechanisms.

 

You can prevent the attaching of the debugger via user type SYSTEM, some system parameters to control the debugger and even deactivate the external debugger at rdisp level regardless of authorization (escalation).

 

There are in fact quite a lot of options there, but if the service is designed to have a lot of functional access and you get the PWD then 9 / 10 times you can do anything you want to using protocols which are permitted.

 

Anyway... this is the security forum so the easy way does not score points on its own...

 

Cheers,

Julius

Re: How to enable STMS for SNC authentication

Hello Tim and Julius,

the crash of SAP GUI once SNC has been enabled can only be overcome by giving SAP_ALL to TMSADM on client 000 of the destination systems.

This way it works, however it has the very bad side-effect that all the transports will be transported with the user TMSADM, so we decided to dismiss this scenario, disable SNC for STMS and rebuild the RFC in every single system involved.

Re: How to enable STMS for SNC authentication

Yes, giving TMSADM SAP_ALL is just about the worst thing available to do.

 

Cheers,

Julius

Re: How to enable STMS for SNC authentication

If SNC has to be turned off in STMS, does that mean that the users who are using STMS to transport between systems need to enter an SAP user and password? If so, this is bad, since it means these users will have multiple passwords to remember, one for the SNC SAP GUI logon (e.g. their AD credentials) and one for when they use STMS. It would be better if SNC could be used so that the user doesn't have to remember their SAP password. Then, the user's SAP password can be disabled.

 

Do you think that SNC should be supported with STMS without using SAP_ALL on the TMSADM user? If so, is it worth opening an OSS message with SAP to get this fixed? I would be happy to do that if you agree that this is a bug.

 

Thanks,

Tim

Re: How to enable STMS for SNC authentication

Hi Tim,

 

A user that is logged on to a system that is receiving a transport does not have to authenticate again. Hence a "workaround" is to log on to the receiving system directly and then import the transport from there. Or am I missing something? I know that it's not ideal but if they use SNC for SSO then logging into another system will be pretty quick.

 

As a customer I would not be afraid to open an OSS message.

 

Cheers

Re: How to enable STMS for SNC authentication

Martin,

 

I like your workaround. We will try this. It is certainly a better workaround than using SAP password instead of SNC...

 

Only concern with opening OSS is that this is a very slow process since the person who gets assigned the message is often not the right person and it usually takes many weeks/months to get the message escalated to somebody who understands what we want. This is my personal experience anyway :-)

Nevertheless, we will open a message and see what happens.

Thanks,

Tim


User authentication using Microsoft AD with SapGui - ECC server with Suse Linux

Hello everybody,

 

Is there documentation or a guide about the configuration of SapGui authentication using MS AD instead of using the standard user repository?

I have found some documentation, but all of it is about an ECC server system on Microsoft Windows. Is it possible to make the configuration without using third party software?

 

Thanks in advance,

 

Renato Lima.

Re: User authentication using Microsoft AD with SapGui - ECC server with Suse Linux

Hi Renato

 

sorry to be a pain but, sapgui is the presentation server of a ecc server and ad is microsoft's directory server, what's the third party sw?

 

Let me know

cheers

a

Re: User authentication using Microsoft AD with SapGui - ECC server with Suse Linux

Andrea,

 

He is looking for an SSO solution that uses AD as an authentication server (via SNC interfaces). There are many of these available, either from SAP or from SAP partners. Looks like he wants one for free since he said he doesn't want to buy third party s/w.

 

Renato,

 

If you don't want to spend money on a product, you can build your own using open source Kerberos libraries. Other SAP customers have done this. I personally wouldn't recommend it, but you can if you wish.

 

Thanks,

Tim

Re: User authentication using Microsoft AD with SapGui - ECC server with Suse Linux

Hi both,

Apologies for my silly question.

It appears I have to book the adm100 again.

 

later

a

Re: How to enable STMS for SNC authentication

Tim,

 

We are sharing the same experience :-). At least with the workaround you can wait. In the worst case they will point you to this thread.

 

Cheers
