SAPGUI:SSO with OSX : How to configure SSO on Mac.

This is an old document created on 25 June 2007 , Please if you found something now updated let me know and I will make the update.

Applies to:

SAPGUI : SAPGUI for Java 7.00 rev 4
VM: Apple Computer, Inc. Version 1.5.0_07-87

OS: Mac OS X(i386) Version 10.4.10 / Intel-MAC

ADS: Windows 2003

Summary

How to implement the Single-sign on with Kerberos using SAPGUI for JAVA 7.00,

Install Kerberos in OSX

To start to use Single-sign On (SSO) in Mac environments we need install the Kerberos/Seclude library in our system.

If you don’t have installed ,you can download from :   http://db.tt/IclHWMLV

This TAR file have 2 files

• sncgssec.dyld for PowerPC (Secude framework must already be installed!)
• sncgssk5.dyld for Universal

Select the better library for you and rename to sncgss.dyld , then copy to “/usr/local/lib” or “/usr/lib” directory. If you want use another directory, you have to set the SNC_LIB environment variable to the location of the library.

   i.e. export SNC_LIB=/mnt/server/lib/sncgss.dyld (for bash)

or set the user environment via file "~/.MacOSX/environment.plist" (see Developer Connection Technical QA 1067 and Property List Editor Application which comes with the Developer Tools)

Configure Kerberos

If you work like consultant, usually you don’t include your MAC in the client domain, for use SSO you only need type your password the first time when you logon, and then you have SSO until the ticket expire.

You need to setup the krb5.conf file in /etc with the follow lines :

0. [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
1. admin_server = FILE:/var/log/kadmind.log

[libdefaults]

ticket_lifetime = 24000
default_realm = SUB.DOMAIN.NET

default_tkt_enctypes = des-cbc-crc des-cbc-md5

default_tgs_enctypes = des-cbc-crc des-cbc-md5

 

[realms]

SUB.DOMAIN.NET = {
kdc = server_hostname.sub.domain.net

admin_server = server_hostname.sub.domain.net

default_domain = sub.domain.net
}

[domain_realm]
.sub.domain. = SUB.DOMAIN.NET

server_hostname.sub.domain.net = SUB.DOMAIN.NET

 

 

Configure Sap Logon

First of all, you need to configure your SAP Logon, in this example we configure the guimsg.txt in the preference panel with file:/Library/Preferences/SAP/guimsg.txt,

 

ELD : /M/server_hostname/S/3601 

 

Click in New

Click in the drop box of System and select ELD

 

The SAPGUI show the Group/Servers for Load balance, select the right option and click Security

 

 

 

 

In the Security TAB you see the SNC Name of the server, click in “Enable Secure Network Communication” and Save.

 

 

 

When you try to logon, the system ask your DOMAIN password

 

Now you can start to use the SSO