
Quest Authentication Services 4.0

Quest Single Sign-on for SAP Integration Guide


Copyright (c) 2010 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: [email protected]

Refer to our Web site for regional and international office information.

Patents

Protected by U.S. Patent # 7,617,501. Additional patents pending.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, BigBrother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, StorageHorizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI, vFoglight, vPackager, vRanger, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.


Third Party Contributions

This product may contain one or more of the following third party components. For copies of the text of any license listed, please go to http://www.quest.com/legal/third-party-licenses.aspx.

Component                 Notes
Apache Commons 1.2        Apache License, Version 2.0, January 2004
Boost                     Boost Software License, Version 1.0, August 2003
Expat 2.0.0               © 1998, 1999, 2000 Thai Open Source Software Center Ltd
Heimdal Krb/GSSapi 1.2    © 2004 - 2007 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.
OpenSSL 0.9.8d            This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). © 1998-2008 The OpenSSL Project. All rights reserved.


Contents

Chapter 1: About This Guide .......... 7
    Quest One Identity Solution .......... 8
    Conventions .......... 8
    About Quest Software .......... 9
    Contacting Quest Support .......... 9

Chapter 2: Introducing Quest Single Sign-on for SAP .......... 11
    SAP Secure Network Communications (SNC) .......... 12
    Client Requirements .......... 12
    Functional Description .......... 12
    Summary .......... 13

Chapter 3: SAP R/3 Server Configuration .......... 15
    Supported Platforms .......... 16
    Enabling SNC on the SAP R/3 Server .......... 16
    Creating and Using a Service Account for the SAP Service .......... 17
    Configuring a SAP User to Enable SNC Authentication .......... 18
    Installing Quest Single Sign-on for SAP .......... 20
    Configuring the SAP GUI Client on Windows XP .......... 21
    Configuring the SAP GUI Client on Windows Vista and Above .......... 23
    Configuring SAPlpd on the Front-End System .......... 26
    Configuring SAPlpd on the SAP R/3 Server .......... 28
    Testing the Printer Connection .......... 30

Quest Authentication Services | TOC | 5


Chapter 1: About This Guide

The Quest Single Sign-on for SAP Integration Guide is intended for system administrators, network administrators, consultants, analysts, and any other IT professionals who will be using Quest Single Sign-on for SAP to provide seamless authentication to SAP using the Active Directory credentials of the logged-on user. This guide walks you through the installation and configuration process.

Topics:

• Quest One Identity Solution
• Conventions
• About Quest Software
• Contacting Quest Support


Quest One Identity Solution

Quest Single Sign-on for SAP is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:

• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:

• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

Element         Convention
Select          This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bold text       Used to indicate elements that appear in the graphical user interface that you are to select, such as the OK button.
Italic text     Interface elements that appear in Quest products, such as menus and commands.
courier text    Used to indicate host names, file names, program names, command names, and file paths.
Blue Text       Indicates an interactive link to a related topic.
Note            Used to highlight additional information pertinent to the process or topic being described.
+               A plus sign between two keystrokes means that you must press them at the same time.
|               A pipe sign between elements means that you must select the elements in that particular sequence.


About Quest Software

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges easier and faster. Contact Quest for more information:

Contacting Quest Software

Phone:     949.754.8000 (United States and Canada)
Email:     [email protected]
Mail:      Quest Software, Inc.
           World Headquarters
           5 Polaris Way
           Aliso Viejo, CA 92656 USA
Web site:  www.quest.com

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal.

Information Sources and Contact Points

Quest Support
SupportLink: support.quest.com

Quest SupportLink gives you access to these tools and resources:

• Product Information: Most recent product solutions, downloads, documentation, notifications and product lifecycle table.
• Product Downloads: Download the latest Quest product releases and patches.
• Product Documentation: Download Quest product documentation, such as installation, administrator, user guides and release notes.
• Search KnowledgeBase: Search our extensive repository for answers to Quest-product related issues or questions.
• Case Management: Create new support cases and manage existing cases.

Email: [email protected]
Phone: 1.800.306.9329


Global Support Guide
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at support.quest.com.


Chapter 2: Introducing Quest Single Sign-on for SAP

SAP systems host critical enterprise applications. In today's regulatory environment, the ability to secure access to these applications, and to secure the transmission of their data, is an increasingly important compliance and security requirement.

The Quest Single Sign-on for SAP solution integrates SAP solutions with Active Directory. Using the identity and security infrastructure available with Active Directory, organizations can implement tight identity integration between SAP and Active Directory user accounts, allowing users to securely authenticate with SAP applications using their desktop login credentials. This eliminates the need to re-enter (or remember) a separate SAP username and password.

You can use these same credentials to implement secure data transmission among SAP modules and the SAPgui client. Sensitive enterprise information that is exchanged between the user's desktop and the remote R/3 server is automatically encrypted, securing it from any network eavesdropping.

Quest Authentication Services provides a solution that complies with the server-side functional requirements of the SAP SNC interface. The ability of QAS to directly join Unix systems with the Active Directory domain is what makes the tight integration and single sign-on experience possible.

SAP SNC makes use of the GSS-API provided by QAS on the R/3 server side. The SAPgui client on the Windows desktop also uses GSS-API through the Quest Single Sign-on for SAP extensions.

Topics:

• SAP Secure Network Communications (SNC)
• Client Requirements
• Functional Description
• Summary


SAP Secure Network Communications (SNC)

SNC is designed to allow external security mechanisms (such as Quest Authentication Services) to integrate with the SAP environment to provide additional security features. By integrating the SAP system through standard protocols such as GSS-API, SNC allows you to isolate SAP applications from the specifics of the authentication and security implementation. SNC provides three aspects of security: authentication, data integrity, and data security.

The authentication feature provides for secure authentication using an external security token, such as a Kerberos ticket, which allows single sign-on.

With the data integrity feature enabled, the system detects any changes or manipulation of the data which may have occurred between the two end points of a communication.

The data security or privacy protection feature encrypts message transmissions, making them resistant to network eavesdropping. This feature also includes data integrity support.

The level of security to be applied to the environment is determined by the SNC configuration as described in the SAP document, Secure Network Communications: SNC User's Guide.

Client Requirements

The Quest Single Sign-on for SAP solution is used with SAPgui clients running on Windows systems (Windows 2000 and higher) that are joined to an Active Directory domain. Quest Single Sign-on for SAP installs and configures the qgsskrb5.dll module, which provides GSS-API to SSPI translation. You do not need to install any additional client software.

Note: SSPI is Microsoft's proprietary implementation of the same network protocols the GSS-API provides. The qgsskrb5.dll maps the GSS-API interfaces used by SAPgui to the corresponding SSPI system calls.

Functional Description

Once you have joined a Unix server to the Active Directory domain using Quest Authentication Services, you can configure an SAP R/3 server to use the GSS-API libraries provided by QAS. You can then configure SAPgui clients running on a supported Windows operating system and joined to the same Active Directory domain (or forest) to use the credentials provided by Active Directory login to seamlessly authenticate to the SAP R/3 server.

The Quest Single Sign-on for SAP solution is designed to work with Active Directory as the KDC with Windows clients only.

The following steps describe the solution's operation:

1. When the user wants to access a SAP application, the SAPgui requests a Kerberos service ticket with the current desktop login credentials using the Quest Single Sign-on for SAP qgsskrb5.dll module.

2. The system responds with a service ticket from the local cache or requests the service ticket from the KDC.

3. The SAPgui client then opens a connection to the SAP R/3 Application Server and provides the Kerberos service ticket when requested by the remote server. The configuration stored in the SAPgui profile identifies the specific SAP R/3 service, in this case, an SAP R/3 service running on a Unix host with QAS installed.

4. The SAP R/3 Application Server processes the service ticket, validating it using the GSS-API libraries provided by QAS.

5. If the ticket is successfully authenticated, the SAP R/3 Application Server can then identify the Windows user account and map it to the corresponding account maintained by the SAP R/3 Application Server. The user is logged on to the SAP Application Server with all of the attributes of the account as maintained by the SAP user database.

6. Depending on the SAP R/3 configuration, all of the client/server data communication is encrypted for the remainder of the session.

The user is never required to enter a username and password, because authentication uses the existing Kerberos credential acquired when the user logged in to Windows.

Summary

The Quest Single Sign-on for SAP solution provides increased security, identity integration, centralized auditing, data integrity, data privacy, and user experience. The integration of Unix and Linux hosts with Active Directory through QAS allows SAP clients and servers to use the capabilities of the SAP Secure Network Communications (SNC) interface to use a common security and authentication infrastructure and to fully leverage the ability of Windows to provide a secure authentication token in the form of a Kerberos ticket, while retaining the benefits of continued deployment of SAP R/3 server solutions on Unix hosts.


Chapter 3: SAP R/3 Server Configuration

Before you can configure your SAP R/3 server, you must have Quest Authentication Services installed on your Unix server and joined it to the Active Directory domain. Refer to the QAS product documentation for instructions on how to install and join the domain.

Topics:

• Supported Platforms
• Enabling SNC on the SAP R/3 Server
• Creating and Using a Service Account for the SAP Service
• Configuring a SAP User to Enable SNC Authentication
• Installing Quest Single Sign-on for SAP
• Configuring the SAP GUI Client on Windows XP
• Configuring the SAP GUI Client on Windows Vista and Above
• Configuring SAPlpd on the Front-End System
• Configuring SAPlpd on the SAP R/3 Server
• Testing the Printer Connection


Supported Platforms

Quest Single Sign-on for SAP supports Windows 7, Vista, XP, Windows 2008 and Windows 2003.

Enabling SNC on the SAP R/3 Server

To enable Secure Network Communications (SNC) on the R3 server

1. Add and configure the SNC-specific parameters to the instance profile of the R/3 server. The SNC parameters for configuring R/3 are fully described in the SNC User’s Guide published by SAP. You can set the profile parameters using transaction RZ10 if you have the corresponding administrator rights to make these changes.

2. Add the following SNC parameters to the instance profile of the application server. These settings enable the SNC features without impacting existing operations.

snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:[email protected]
snc/gssapi_lib = /opt/quest/lib/libvas-gssapi.so

The actual path of the GSS-API library varies by platform. The following table lists the path and file name of the GSS-API library.

Table 1: GSS-API library path and file name by platform

Platform                    Path                      Filename
Any 32-bit (except HP-UX)   /opt/quest/lib            libvas-gssapi.so
HP-UX 32-bit                /opt/quest/lib            libvas-gssapi.sl
AIX 64                      /opt/quest/lib            libvas-gssapi64.so
Linux-x86_64                /opt/quest/lib64          libvas-gssapi.so
Solaris-sparc 64            /opt/quest/lib/sparcv9    libvas-gssapi.so
Solaris-x86_64              /opt/quest/lib/64         libvas-gssapi.so
HP-UX pa-risc 64            /opt/quest/lib/pa20_64    libvas-gssapi.sl
HP-UX ia64                  /opt/quest/lib/hpux64     libvas-gssapi.so

The snc/identity/as parameter value [email protected] corresponds to the KRB5 principal name of the SAP R/3 system. You can determine the KRB5 principal name by examining the Kerberos ticket cache using the vastool klist command.


3. Change the group ownership of /etc/opt/quest/vas/host.keytab to sapsys by running:

chgrp sapsys /etc/opt/quest/vas/host.keytab

Modify the permissions so that the sapsys group has read access:

chmod 640 /etc/opt/quest/vas/host.keytab

4. Restart the R/3 application server. If problems occur with the startup of the SNC, they are logged into the work directory of the R/3 application server in the /usr/sap/SID/instance/work/dev_w0 file.

Here is a sample work process log containing SNC activation messages:

N SncInit(): Initializing Secure Network Communication (SNC)
N Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/opt/quest/lib/libvas-gssapi.so
N
N Tue Sep 30 17:11:14 2008
N File "/opt/quest/lib/libvas-gssapi.so" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:[email protected]
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N
N Tue Sep 30 17:11:15 2008
N SncInit(): Initiating Credentials available, lifetime=09h 57m 07s
M ***LOG R1Q=> 1& [thxxsnc.c 252]
M SNC (Secure Network Communication) enabled

Creating and Using a Service Account for the SAP Service

Quest recommends the steps described in this section as a best practice for defining a distinct service account for SAP authentication.

Active Directory service accounts provide a means for authenticating and managing services and rights to access host resources. When you create a service account, it generates a random password for the account and a Kerberos keytab for the service. The previous section described a configuration where SAP uses the host keytab, while this section describes the recommended configuration where SAP uses a service account.

Each service account has a KRB5 Principal Name (KPN) and an optional set of Service Principal Names (SPNs). The KPN is the sAMAccountName of the service account (case sensitive) including the domain in the form "[email protected]". The keytab file is created in the QAS configuration directory at /etc/opt/quest/vas. The default permissions on the keytab file are 0600 and the file is owned by root. You must update the ownership of the file so that the service has rights to read from the keytab file.

To create and use a Service Account for the SAP Service

1. Create the service account using vastool on the SAP R/3 Server host:

vastool -u Administrator service create SAP/

This command creates the /etc/opt/quest/vas/SAP.keytab file. Administrator is the name of the Active Directory user with administrative privileges to create a new service account. The user is prompted for their Active Directory password.


2. Set the password to "never expires" and "can not be changed" by setting the userAccountControl attribute,by entering:

vastool -u administrator setattrs SAP/ userAccountControl 66048

3. Change the group ownership of the newly created SAP.keytab file to the sapsys group, by entering:

chgrp sapsys /etc/opt/quest/vas/SAP.keytab

Then change the file permissions so that the corresponding service has the rights to read from the keytab file, by entering:

chmod 640 /etc/opt/quest/vas/SAP.keytab

4. Set the snc/identity/as value and the SNC Name (in Advanced Options of SAPlogin) to p:[email protected]

where example.com is the name of the domain to which the R3 server is joined.

You can obtain the sAMAccountName of the service account by running the following command:

vastool -u host/ attrs -q SAP/ sAMAccountName

5. On the SAP R/3 server, set the environment variable KRB5_KTNAME to the location of the previously createdSAP.keytab file.

For example, in ~<instance>adm/.cshrc add the following:

setenv KRB5_KTNAME /etc/opt/quest/vas/SAP.keytab

6. Restart the SAP services.
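An added example, not part of the Quest guide, that decodes a userAccountControl value such as the 66048 set in step 2 into the flag names Microsoft documents for that attribute (lowest bit first), and reviews a service account's flags for bits a Kerberos service account should not normally carry, as well as for a missing DONT_EXPIRE_PASSWORD, which the keytab-based configuration above depends on. The bit assignments are Microsoft's published userAccountControl values; uac_flags and uac_audit are names chosen here, and the 4260352 value in the demonstration is constructed.

```sh
#!/bin/sh
# Added example (not from the Quest guide): decode a userAccountControl
# value into flag names and review the flags of a Kerberos service account.
# The bit assignments below are Microsoft's documented userAccountControl
# values; the function names are this example's own.

UAC_FLAGS="1:SCRIPT 2:ACCOUNTDISABLE 8:HOMEDIR_REQUIRED 16:LOCKOUT
32:PASSWD_NOTREQD 64:PASSWD_CANT_CHANGE 128:ENCRYPTED_TEXT_PWD_ALLOWED
256:TEMP_DUPLICATE_ACCOUNT 512:NORMAL_ACCOUNT 2048:INTERDOMAIN_TRUST_ACCOUNT
4096:WORKSTATION_TRUST_ACCOUNT 8192:SERVER_TRUST_ACCOUNT
65536:DONT_EXPIRE_PASSWORD 131072:MNS_LOGON_ACCOUNT 262144:SMARTCARD_REQUIRED
524288:TRUSTED_FOR_DELEGATION 1048576:NOT_DELEGATED 2097152:USE_DES_KEY_ONLY
4194304:DONT_REQ_PREAUTH 8388608:PASSWORD_EXPIRED
16777216:TRUSTED_TO_AUTH_FOR_DELEGATION"

# Print the names of the bits set in a decimal userAccountControl value,
# lowest bit first, separated by single spaces.
uac_flags() {  # uac_flags <decimal value>
    v=$(( $1 )) out=""
    for entry in $UAC_FLAGS; do
        bit=${entry%%:*} name=${entry#*:}
        if [ $(( v & bit )) -ne 0 ]; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

# Review the flags of a service account. Reports bits that weaken Kerberos
# authentication or are unexpected on a keytab-based service account, and the
# absence of DONT_EXPIRE_PASSWORD (the guide sets it so the random password
# behind the keytab does not expire and leave the keytab stale).
uac_audit() {  # uac_audit <decimal value>; returns 1 if anything needs review
    flags=$(uac_flags "$1") rc=0
    for f in $flags; do
        case $f in
            DONT_REQ_PREAUTH) echo "review: $f (Kerberos pre-authentication disabled)"; rc=1 ;;
            USE_DES_KEY_ONLY) echo "review: $f (account restricted to DES keys)"; rc=1 ;;
            PASSWD_NOTREQD|ENCRYPTED_TEXT_PWD_ALLOWED) echo "review: $f (weak password handling)"; rc=1 ;;
            TRUSTED_FOR_DELEGATION|TRUSTED_TO_AUTH_FOR_DELEGATION) echo "review: $f (delegation enabled)"; rc=1 ;;
            ACCOUNTDISABLE) echo "review: $f (account disabled; the SAP service cannot authenticate)"; rc=1 ;;
        esac
    done
    case " $flags " in
        *" DONT_EXPIRE_PASSWORD "*) ;;
        *) echo "review: DONT_EXPIRE_PASSWORD not set; the keytab stops working when the password expires"; rc=1 ;;
    esac
    return $rc
}

# Demonstration on the value from step 2 above and on a constructed value
# that additionally has pre-authentication disabled.
echo "66048 -> $(uac_flags 66048)"
uac_audit 66048 && echo "66048: nothing to review"
echo "4260352 -> $(uac_flags 4260352)"
uac_audit 4260352 || echo "4260352: review needed"
```

To review the account the guide creates, read its userAccountControl with the same vastool attrs form used in step 4 for sAMAccountName and pass the decimal value to uac_audit.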

Configuring a SAP User to Enable SNC Authentication

Each user must have a unique Kerberos Principal Name (KPN) associated with their SAP account to use Quest Single Sign-on for SAP.

To configure a SAP user to enable SNC authentication

1. Log on to the SAP Server as a user with administrative permissions.


2. Enter SU01 and click Enter or access the user management functions under SAP Menu | Tools | Administration | User Maintenance | Users.

3. Enter a User name and click the pencil icon.


4. Select the SNC tab of the User Management screen.

5. In the SNC name box, enter the user's Kerberos Principal Name (KPN) (samaccountname@domain).

Note: You must put a "p:" in front of the user's KPN, as follows: p:samaccountname@domain.

6. Click Save on the menu bar. The SNC data property page displays a check mark next to the "Canonical name determined" message.

Installing Quest Single Sign-on for SAP

You can install Quest Single Sign-on for SAP from the Quest installation setup wizard. From the Autorun Setup page, select Quest Single Sign-on for SAP from the Related Products tab to install this add-on, or follow the steps below.

Note: If you do not have local administrator rights, the SNC_LIB system environment variable will not be set during the installation. To resolve this issue, you can set the environment variable path for SNC_LIB to <install folder>/qgsskrb5.dll.

To install Quest Single Sign-on for SAP

1. In Windows Explorer open the QAS CD, navigate to add-ons | qas-sso-for-sap.
2. Double-click qas-sso-for-sap-1.0.x.x.msi to launch the installer.
3. Click Next.
4. Click Browse to locate the license file.

Note: You must have a license file to install.

5. Select I accept the terms in the license agreement and click Next.
6. Click Next to install to the default folder, or click Change to install to an alternate location.


Note: If you are running the installer as a non-administrator, Quest recommends that you specify an alternate location where you have rights to copy files.

7. Select Complete and click Next.
8. The Ready to Install the Program dialog displays. Click Install.

Note: On Windows Vista or higher you may be prompted for permission to install. In that case, click Allow.

9. Click Finish to exit the wizard.

Configuring the SAP GUI Client on Windows XP

To configure the SAP GUI client on Windows XP

1. Verify that the environment variable SNC_LIB contains the path to qgsskrb5.dll.

The library is located in the folder where you installed Quest Single Sign-on for SAP.

2. Run the SAPlogin application.
3. Select a server connection and click Change Item to open the Properties page.

The SAPgui client should already be installed and configured for normal password-based authentication.


4. Click the Advanced button to open the Advanced Options.

5. Select Enable Secure Network Communication to enable SNC.
6. In the SNC Name box, enter the KPN of the SAP R/3 server. For example, enter:

p:[email protected]

This is the same KPN that was used for the SAP instance profile key snc/identity/as, described in Enabling SNC on the SAP R/3 Server on page 16. The client checks that the server presents exactly this Kerberos principal, so a mismatch (wrong principal name or wrong realm) fails the SNC handshake rather than silently connecting to the wrong server.

7. Select the Max. Available option to enable single sign-on together with data integrity and encryption for all of the traffic between the SAPgui client and the R/3 server. The lower quality-of-protection levels (Authentication only, Integrity) still authenticate the user via Kerberos but leave the SAP traffic itself unencrypted on the wire.

8. Click OK to save these settings.

You can now click the server name in SAPlogon to log onto the server without being prompted for a user name or password.

Once you have configured the server connection to use SNC, it is possible to create desktop shortcuts using SAPlogon. Shortcuts normally require a password either to be included with the shortcut (not recommended, because it is stored in clear text on the desktop) or to be entered by the user when the shortcut is activated. With SNC activated, however, it is only necessary to enter an arbitrary value (a single letter will do) in the password field of the shortcut. This value is not actually used for authentication, because the SAP system attempts authentication using GSS-API first.

The use of SNC and shortcuts allows SAP administrators to create desktop icons for users that launch them directly into specific SAP applications, securely authenticating without the use of passwords.


Configuring the SAP GUI Client on Windows Vista and Above

To configure the SAPgui client on Windows Vista and above

1. Open SAPgui Logon 7.10 and click New Item.

The Create New System Entry screen displays:


2. Select User Specified System and click Next.

3. Ensure the connection type is Custom Application Server.
4. Enter the appropriate information in the Application Server, System Number, and System ID boxes and click Next.


5. Select the Activate Secure Network Communication option, enter the Kerberos Principal Name (KPN) of the SAP R/3 server, and click Next.

For example, enter:

p:[email protected]

Use the same KPN that you used for the SAP instance profile key snc/identity/as, described in Enabling SNC on the SAP R/3 Server on page 16.


6. Leave the defaults on this page and click Finish.

The new item you created now appears in the SAPgui logon list.

7. Click Logon and log in as a user who is set up to use SNC.

Configuring SAPlpd on the Front-End System

To use SAPlpd with SNC, you must provide the SAPlpd system on the front-end desktop with the local library path and identity information.

To configure SAPlpd on the front-end system

1. In the Windows directory, create a SAPLPD.INI file, if one does not already exist.

2. Add the following section to the SAPLPD.INI file:

    [snc]
    enable=1
    identity/lpd=<SNC-Name_of_saplpd>
    gssapi_lib=<drive>:\path\to\your\snclib.dll

Note: You can omit the gssapi_lib= entry when the environment variable SNC_LIB is configured as a system environment variable. If SNC_LIB was set only for the current user (see the installation note above), keep the gssapi_lib= entry.

The identity/lpd value, <SNC-Name_of_saplpd>, is the SNC name of the user who is logged in and running SAPlpd. You must use the format u:sAMAccountName@example.com, where sAMAccountName is the SAM-Account-Name of the currently logged in user and example.com is the Active Directory domain name. The same string must be entered, character for character, as the remote SAPlpd identity on the SAP R/3 server (see Configuring SAPlpd on the SAP R/3 Server below).

Note: You can also add these settings to the WIN.INI file if you do not want to create the SAPLPD.INI file.
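The following PowerShell script is an added example and is not part of the Quest guide or the product. It automates two of the manual steps above on the front-end desktop: it checks that SNC_LIB points at qgsskrb5.dll (setting a user-scoped variable when the installer could not set the system one, as in the installation note) and it writes the [snc] section of SAPLPD.INI with identity/lpd in the u:sAMAccountName@domain form. The default install folder, and the use of USERDNSDOMAIN as the Active Directory domain name, are assumptions to adjust for your environment.

```powershell
# Added example (not from the Quest guide): verify/set SNC_LIB and write the [snc]
# section of SAPLPD.INI for the user who will run SAPlpd.
# Assumptions: $InstallFolder below is a hypothetical default; USERDNSDOMAIN is
# taken as the Active Directory domain name used in the u: SNC name.
param(
    [string]$InstallFolder = 'C:\Program Files\Quest Software\Quest Single Sign-on for SAP',
    [string]$IniPath       = (Join-Path $env:windir 'SAPLPD.INI')
)

$dll = Join-Path $InstallFolder 'qgsskrb5.dll'
if (-not (Test-Path -LiteralPath $dll)) {
    throw "qgsskrb5.dll not found at '$dll'. Check the install folder."
}

# --- 1. SNC_LIB ---------------------------------------------------------------
# The installer sets the *system* (Machine) variable only when run with local
# administrator rights. Accept either scope if it already points at an existing
# DLL; otherwise set it, falling back to the User scope when not elevated.
$machineVal = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
$userVal    = [Environment]::GetEnvironmentVariable('SNC_LIB', 'User')
if ($machineVal -and (Test-Path -LiteralPath $machineVal)) {
    Write-Host "SNC_LIB (Machine) already set: $machineVal"
} elseif ($userVal -and (Test-Path -LiteralPath $userVal)) {
    Write-Host "SNC_LIB (User) already set: $userVal"
} else {
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $scope     = if ($isAdmin) { 'Machine' } else { 'User' }
    [Environment]::SetEnvironmentVariable('SNC_LIB', $dll, $scope)
    Write-Host "SNC_LIB ($scope) set to $dll. Restart SAP Logon / SAPlpd to pick it up."
}

# --- 2. SNC name of the SAPlpd user: u:<sAMAccountName>@<AD domain> ------------
# This string must match, character for character, the value entered on the SAP
# side as "Identity of the Remote SAPlpd for the Security System" (Spool
# Administration, Security tab); the ACL check is a plain string comparison.
$sam    = [Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'USERDNSDOMAIN is empty: this is not a domain logon session.' }
$sncName = "u:$($sam)@$($domain)"

# --- 3. Write the [snc] section --------------------------------------------------
# gssapi_lib is written explicitly so SAPlpd does not depend on SNC_LIB being a
# *system* variable (the guide permits omitting it only in that case).
$section = @(
    '[snc]',
    'enable=1',
    "identity/lpd=$sncName",
    "gssapi_lib=$dll"
)

# Keep every existing section except an old [snc] one, then append the new section.
$existing = if (Test-Path -LiteralPath $IniPath) { Get-Content -LiteralPath $IniPath } else { @() }
$kept  = New-Object 'System.Collections.Generic.List[string]'
$inSnc = $false
foreach ($line in $existing) {
    if ($line -match '^\s*\[(.+?)\]\s*$') { $inSnc = ($Matches[1] -ieq 'snc') }
    if (-not $inSnc) { $kept.Add($line) }
}
if ($kept.Count -gt 0 -and $kept[$kept.Count - 1] -ne '') { $kept.Add('') }
$kept.AddRange([string[]]$section)
Set-Content -LiteralPath $IniPath -Value $kept -Encoding ASCII
Write-Host "Wrote [snc] section to $IniPath with identity/lpd=$sncName"
```

Run the script in the session of the user who will start SAPlpd, because both the SNC name and a user-scoped SNC_LIB are derived from that logon. Writing to the Windows directory normally requires an elevated prompt; if that is not available, point -IniPath elsewhere only if your SAPlpd build reads it from there, or use the WIN.INI alternative from the note above.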

3. Run SAPlpd.

A window appears listing the output from the SAPlpd startup:

4. From the SAPLPD.LOG – SAPLPD window, select the Options | Secured Connections menu item. The following dialog opens:


5. Select the Use if possible and Privacy protection of data options, then click the Add new connection button to go to the Access Control List maintenance for SAPlpd.

6. In the Last authenticated connection initiator box, enter the SNC name of the application server(s) that will transfer print jobs to this SAPlpd using SNC. This is the value of the snc/identity/as key from the instance profile on the QAS-enabled SAP R/3 server (see Enabling SNC on the SAP R/3 Server on page 16). Only initiators on this list are allowed to send print jobs; an application server presenting any other SNC name is rejected.

7. Click Authorize to add this name to the list of authorized connection initiators.


8. Close all open SAPlpd dialogs by clicking their OK buttons.

Your front-end desktop is now configured to connect securely.

Configuring SAPlpd on the SAP R/3 Server

To configure SAPlpd on the SAP R/3 Server

1. Create a new output device (Printer) by navigating to Configuration | Output devices from the Spool Administration screen. You can apply these same settings to an existing device.

2. Click the Device Attributes tab.

3. Enter the appropriate information in these boxes:

• Output Device
• Short name
• Device Type
• Spool Server


To populate the Spool Server box, press F4 or click the folder icon next to the Spool Server box to list all the application servers with color-coded backgrounds. The application servers running a spool process are highlighted in green.

4. Click the Access Method tab.

5. Set the Host Spool Access Method to S: Print Using SAP Protocol.
6. Enter the host name of the printer.
7. Enter the host name of the front-end system as the Destination host.
8. Select the Do Not Query Host Spooler for Output Status option.
9. Select the Security tab and select a level of security: Only Authentication, Integrity Protection, or Privacy Protection.


10. Change the Security Mode to Only Use Secure Transfer to specify that SNC is required. Leaving the mode at its default allows the spool work process to fall back to an unprotected connection if the SNC handshake fails, which silently defeats the point of this configuration.
11. In the Identity of the Remote SAPlpd for the Security System box, enter the SNC name in the following format:

u:sAMAccountName@example.com

This is the Active Directory user who will be logged in when using this instance of SAPlpd; it must match the identity/lpd value in that user's SAPLPD.INI exactly.

12. Save the changes and exit the Spool Administration screens.

Testing the Printer Connection

To test the printer connection and verify that SAPlpd is still running

1. From the list of output devices, print using the printer icon or navigate to System | List | Print.


2. Select the SNC-enabled output device that you just created and change the Time of Print to Print out immediately.
3. Click Continue (the green check mark) to submit the print request.

You can track the status and progress of the print request in the spool request list, and the SAPlpd log window on the front-end system shows whether the incoming connection was accepted as an SNC-protected connection from the authorized initiator.


Index

B
Best Practice, 17
  for defining a distinct service account for SAP authentication, 17

C
contacting, 9
conventions, 8

E
environment variable, 20
  setting, 20

F
front-end desktop, 26
  configuring, 26

G
GSS-API to SSPI translation, 12

K
Kerberos ticket, 12
KRB5 Principal Name (KPN), 17

P
printer connection, 30
  testing, 30

Q
Quest One Identity Solution, 8
Quest Single Sign-on for SAP, 12, 15, 16, 17, 18, 20, 21, 23, 26, 28, 30
  functional description, 12
  installing, 20
  prerequisites, 15, 16, 17, 18, 20, 21, 23, 26, 28, 30
Quest Support, 9

S
SAP GUI client, 21, 23
  configuring on Windows Vista, 23
  configuring on Windows XP, 21
SAP R/3 server, 12
  configure, 12
SAP user, 18
  configuring, 18
SAPgui clients, 12
  sub-term, 12
SAPlpd, 26, 28
  configuring, 26
  configuring on the SAP R/3 Server, 28
Secure Network Communications (SNC), 12, 16
  defined, 12
  enabling on SAP R/3, 16
service account, 17
  creating, 17
SNC authentication, 18
  enabling, 18
SNC-parameters, 16
  supported platforms, 16
