10/2011
SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Disclaimer Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or altered in any way.
Typographic Conventions

Type Style / Description:
Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon / Meaning:
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents

1 Introduction ... 6
1.1 About this Document ... 6
2 Planning ... 7
2.1 Hardware Requirements ... 7
2.2 Software Requirements ... 7
2.3 Smart Card Requirements ... 7
3 Preparation ... 8
3.1 Preparations Steps for Windows XP ... 8
3.2 Preparation Steps for Java Applications ... 8
3.3 Install Secure Login Client ... 9
3.4 Preparation Steps for Citrix Use ... 9
5 Configuration ... 21
5.1 Card Reader Configuration ... 21
5.2 Adding Group Policy Templates via Group Policy Editor ... 22
5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options ... 24
5.4 Apply E-SSO Filter ... 27
5.5 Password Credential Options ... 29
5.6 Certificate Credential Options ... 31
5.7 Customize Tile Image Bitmaps ... 32
5.8 Logon Settings ... 33
5.9 Customizing Bitmaps for Smart Card ... 35
5.10 Customizing PIN Pane Image Bitmap ... 37
5.11 Local Management Console Options ... 38
5.12 SSO User Activity Trace and Log Filter ... 40
5.13 Web Setting ... 40
5.14 LMC Setting ... 41
5.15 Soft Token Settings ... 41
5.16 Terminal Emulator Host Configuration ... 43
5.17 Configuration of Smart Card Removal Behavior ... 44
6.2 Distribute Applications, Blacklist and Policies to Users ... 47
6.3 Handling Certificates ... 49
6.3.1 Preparing the Microsoft Management Console for Certificates ... 49
6.3.2 Where to Get More Information ... 50
7 Troubleshooting ... 51
7.1 Preliminary Troubleshooting ... 51
7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On ... 51
7.3 Smart Card Troubleshooting ... 52
7.4 Multiple Smart Card Readers ... 52
7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing ... 52
7.6 Unable to Log In to the Network ... 52
7.7 CRP Filter Does Not Disable Specified CRPs ... 53
7.8 Web SSO Toolbar Does Not Appear ... 54
7.9 Group Policies do Not Display Correctly ... 54
1 Introduction
Enterprise Single Sign-On (E-SSO) helps end users log in to multiple systems or applications without the need to remember every password or logon dialog. After the end user is successfully authenticated to the Enterprise Single Sign-On application, further logon procedures to applications running under the system's control are carried out automatically.

Enterprise Single Sign-On supports the following methods of signing on to an application:

Windows logon (for smart card-based authentication only)
This method can either be certificate-based or can use a user ID/password combination stored on the smart card.

Certificate-based authentication (for smart card-based authentication only)
Certificate-based authentication is provided via standard interfaces such as the Microsoft Crypto-API or the GSS-API. The requirements of most applications, such as Internet browsers, e-mail clients, VPN clients, and so on, can be fulfilled via these interfaces. Windows logon and certificate-based authentication are not available for operation with a soft token.

Logon to Windows applications
This feature allows you to use Single Sign-On for password-protected Windows, .NET, terminal emulator, and Java applications.

Logon to Web sites (Web Single Sign-On)
This feature allows you to log in to password-protected Web sites using Single Sign-On. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and management of sites for Single Sign-On.
Integration
To use Enterprise Single Sign-On, you need to install the following components on each client computer before installing Enterprise Single Sign-On:
.NET 3.0 or later (Windows XP only)
Oracle Java JRE/JDK 1.6
Oracle Java Access Bridge 2.0.2 for 32-bit and 64-bit systems
SAP NetWeaver Single Sign-On - Secure Login Client 1.0 SP1
Constraints
This guide does not provide information about how to use Enterprise Single Sign-On. For such information please see the User Guide.
2 Planning
2.1 Hardware Requirements
The hardware requirements of the operating system must be met.
At least 25 MB of free hard disk space is required for Enterprise Single Sign-On. For the space required by the Secure Login Client, see the Secure Login Installation, Configuration and Administration Guide. For other components, see the respective documentation.
If smart cards are to be used, a PC/SC-compliant smart card reader is needed.
3 Preparation
3.1 Preparations Steps for Windows XP
Use
For Windows XP users, the computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. Normally, the configuration of Enterprise Single Sign-On clients is defined globally for an Active Directory domain or an organizational unit, and the workstations are members of this domain. This section describes how to create the domain/organizational unit for Enterprise Single Sign-On clients and how to install the .NET Framework 3.0, which Enterprise Single Sign-On requires on Windows XP.
Prerequisites
You must start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed.
Microsoft Windows XP Professional 32-bit SP3.
The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature.
Procedure
1. On the server or workstation, create a domain/organizational unit. For more information, see the Microsoft documentation: http://technet.microsoft.com/en-us/library/cc785077(WS.10).aspx
2. Download and install .NET Framework v3.0 or above. To download and get more information, see the Microsoft Website: http://www.microsoft.com/downloads/en/default.aspx
3.2 Preparation Steps for Java Applications

Prerequisites
Close all running applications prior to installation.
Procedure
1. Download and install the latest Java Runtime Environment (JRE) or Java Development Kit (JDK) 1.6 for the target environment (32-bit or 64-bit). To download the JRE/JDK, see the Java website: http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Download Java Access Bridge 2.0.2 (for both 32-bit and 64-bit systems): http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136191.html
3. Manually configure the Java Access Bridge component. This varies according to version:
For information about how to install Java Access Bridge 2.0.2 under 32-bit systems, see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-32bit
For information about how to install Java Access Bridge 2.0.2 under Windows 7 64-bit see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-64bit
3.3 Install Secure Login Client

Prerequisites
Close all running applications prior to installation.
Procedure
Download and install the Secure Login Client package. For more information on installation, see the Secure Login Client Installation, Configuration and Administration Guide.
3.4 Preparation Steps for Citrix Use

Prerequisites
If you want to use Citrix, you must buy a license from Citrix Systems, Inc. (see www.citrix.com). Read the license agreement carefully. You are only allowed to install the library if you have paid the license fee.
Citrix Presentation Server 4.5 must be installed. For a detailed description of the installation and configuration of the Citrix Presentation Server, consult the relevant Citrix documentation (see www.citrix.com).
Citrix ICA Client software must be installed. For a detailed description of the installation and configuration of the Citrix Presentation Server, consult the relevant Citrix documentation (see www.citrix.com).
Ensure that no smart card reader is connected to the server or the client before proceeding.
2. Install .NET Framework 3.0. See Preparations Steps for Windows XP [page 8].
3. Install JRE. See Preparation Steps for Java Applications [page 8].
4. When installing the Secure Login Client, enable the Terminal Server Components (custom setup). For more information, see the Secure Login Client Installation, Configuration and Administration Guide.
5. When installing Enterprise Single Sign-On disable all smart card components (custom setup). See Installation, Update, and Removal [page 12].
6. Restart the computer to complete Enterprise Single Sign-On installation.
7. Configure the server desktop via the Citrix Access Management Console to ensure that the client can connect to the Citrix Presentation Server and access all Enterprise Single Sign-On features and components. For more information, consult the relevant Citrix documentation.
9. In the Citrix Program Neighborhood toolbar, click the Settings icon. The Settings dialog will appear. Enter information in the User name and Domain fields and click OK.
Prerequisites
Make sure that the following components have been installed before installing Enterprise Single Sign-On:
Windows XP only: Install Microsoft .NET Framework 3.0 or above. See Preparations Steps for Windows XP Users [page 8].
Install the latest Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].
Install Java Access Bridge. See Preparation Steps for Java Applications [page 8].
If you want to use a smart card, install the third-party middleware. See Smart Card Requirements [page 7].
Install the Secure Login Client version that is released in the same NetWeaver Single Sign-On download package. For information about the installation, see the Secure Login Client Installation, Configuration and Administration Guide.
Procedure
1. Open the Enterprise Single Sign-On MSI package (double-click Enterprise Single Sign-On.msi or Enterprise Single Sign-On_x64.msi).
2. The Welcome dialog will appear. Click Next.
This dialog helps you choose between the following types of installation:
Typical: Select this if you want to install the most common Enterprise Single Sign-On components.
Custom: Select this if you want to manually select specific components for installation.
Click Next and proceed to the next step.
4. If you selected Custom in the previous step, on 64-bit systems the following dialog will appear:
The Custom Setup dialog helps you modify Enterprise Single Sign-On components. You can select the following components for installation:
Smartcard support > Credential Provider: Install support for PKCS#11 providers.
Smartcard support > Checkpoint Support: Install support for the Checkpoint VPN client.
Internet browser plug-ins > Microsoft Internet Explorer Support: Install the Enterprise Single Sign-On plug-in for Internet Explorer 64-bit.
Internet browser plug-ins > Microsoft Internet Explorer Support for x86: Install the Enterprise Single Sign-On plug-in for Internet Explorer 32-bit.
Internet browser plug-ins > Mozilla Firefox Support for x86: Install the Enterprise Single Sign-On plug-in for Mozilla Firefox 32-bit.
5. The Authentication Method dialog will appear. Depending on your requirement, select Smart Card or Soft Token.
If you selected Smart Card Support components in the Custom Setup dialog and select Soft Token as the authentication method in the Authentication Method dialog, the Smart Card Support components will be deployed but deactivated. You can activate them by switching to Smart Card Mode via the Local Management Console. For more information on switching authentication methods, see the Enterprise Single Sign-On User Guide.
6. The Ready to Install the Program dialog will appear. Click Install to start the installation (this can take a few minutes).
7. The completion dialog will appear. Click Finish.
8. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes.
9. The product is now installed using default values for most of the settings. For information about how to customize Enterprise Single Sign-On to your requirements, see Configuration [page 21].
Prerequisites
Windows XP only: Install Microsoft .NET Framework 3.0. See Preparations Steps for Windows XP Users [page 8].
Install Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].
Install Java Access Bridge 2.0.1. See Preparation Steps for Java Applications [page 8].
Install third-party middleware. For a list of supported middleware, see Smart Card Requirements [page 7].
Install Secure Login Client 1.0. For more information, see the Secure Login Client Installation, Configuration and Administration Guide.
Procedure
1. Open the Enterprise Single Sign-On MSI package from a Command window:
Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and click OK.
2. The Command window will appear. Navigate to the directory in which the installation package is located.
3. To install in quiet mode with no user interaction, use the following syntax with options:
msiexec /i "Enterprise Single Sign-On.msi" <PROPERTY> /qn
Properties (availability by platform and authentication method: Windows XP: Soft Token; Windows Vista/Windows 7 32-bit: Smart Card, Soft Token; Windows 7 64-bit: Smart Card, Soft Token)
SCRIPT: Enable COM-based scripting to log in to legacy applications with credentials stored on smart cards.
Prerequisites
You need administrator rights (role or group member) to be able to modify Enterprise Single Sign-On.
Procedure
1. Open the Enterprise Single Sign-On MSI package: double-click Enterprise Single Sign-On.msi.
2. The Welcome dialog will appear. Click Next.
3. The Program Maintenance dialog will appear. Select Modify and click Next.
4. The Custom Setup dialog will appear. Modify each of the components in the list by clicking an entry and selecting the appropriate action from the context menu, then click Next. For more information on these components, see Manual Installation [page 21]. If you installed Firefox after installing Enterprise Single Sign-On, you will need to use the modify feature to install the Firefox support component to enable the Web SSO toolbar in Firefox. See Web SSO Toolbar Does Not Appear [page 54].
5. The Ready to Modify the Program dialog will appear. Click Install to execute the changes.
6. After a while, the completion dialog will appear. Click Finish.
7. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes.
Enterprise Single Sign-On is now modified.
Prerequisites
You need administrator rights (role or group member) to remove Enterprise Single Sign-On. Please close Microsoft Internet Explorer and Mozilla Firefox before removing Enterprise Single Sign-On. This will aid the removal of the Enterprise Single Sign-On browser plugin.
5. The completion dialog will appear. Click Finish to close the dialog and complete the procedure.
6. You will be prompted to restart your computer to complete Enterprise Single Sign-On removal.
This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].
Unattended Removal
1. Open a Command window:
Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and click OK.
2. The Command window will appear. Navigate to the directory in which the Enterprise Single Sign-On installation package (Enterprise Single Sign-On.msi) is located.
3. To start the removal, enter the following syntax:
msiexec /x "Enterprise Single Sign-On.msi"
This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].
Login. Those details can be found in the SAP Secure Login Installation, Configuration and Administration Guide.
Prerequisites
Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18].
Procedure
1. Remove the remaining data and files from the installation directory:
Windows XP: Select Start > Run. Enter %AppData%\SAP in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter %AppData%\SAP in the Search programs and files field and click OK.
2. Delete the signon directory.
3. To remove registry entries made by Enterprise Single Sign-On, open the Windows Registry Editor (regedit) and delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\SAP\signon
HKEY_CURRENT_USER\Software\SAP\signon
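The unattended install (msiexec /i ... /qn), the unattended removal (msiexec /x ...) and the complete-removal cleanup described in the sections above, combined in one PowerShell script. This is an added example and not part of the SAP guide: it uses the guide's msiexec syntax, data directory and registry keys, but the function names, the log-file location and the property placeholder are assumptions, and the only property name it knows is SCRIPT from the property table (its value is not documented here).

```powershell
# Added example, not part of the SAP guide: wraps the guide's unattended install,
# unattended removal and "Complete Removal Options" cleanup in one script with a
# verbose log and exit-code handling.
# Assumptions: run from an elevated PowerShell prompt in the directory holding the
# MSI; MSI property names/values come from the guide's property table (only SCRIPT is
# documented there, its value is a placeholder); the function names are mine.

param(
    [ValidateSet('Install', 'Remove', 'CompleteRemove')]
    [string]$Action = 'Install',
    [string]$MsiPath = 'Enterprise Single Sign-On.msi',
    # Extra MSI public properties, e.g. 'SCRIPT=<value from the property table>'
    [string[]]$Properties = @()
)

# Data directory and registry keys named in the guide's "Complete Removal Options".
# Note: under an elevated prompt HKCU is the administrator's hive, so the per-user
# key is only cleaned for the account running the script.
$EssoDataDir      = Join-Path $env:APPDATA 'SAP\signon'
$EssoRegistryKeys = @('HKLM:\SOFTWARE\SAP\signon', 'HKCU:\Software\SAP\signon')

function Invoke-EssoMsi {
    # $Verb is 'i' (install) or 'x' (uninstall), exactly as in the guide's syntax.
    param([string]$Verb, [string]$Msi, [string[]]$Props = @())
    if (-not (Test-Path -LiteralPath $Msi)) { throw "MSI package not found: $Msi" }
    $log = Join-Path $env:TEMP ('esso-{0}-{1:yyyyMMdd-HHmmss}.log' -f $Verb, (Get-Date))
    # /qn        quiet, no UI (as in the guide)
    # /norestart leave the restart the guide asks for to the administrator
    # /l*v       verbose log, the first thing to read when the install fails
    $msiArgs = @("/$Verb", "`"$Msi`"") + $Props + @('/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "msiexec /$Verb completed (log: $log)" }
        3010    { Write-Warning "msiexec /$Verb completed; a restart is required to finish (log: $log)" }
        default { throw "msiexec /$Verb failed with exit code $($proc.ExitCode); see $log" }
    }
    return $proc.ExitCode
}

function Remove-EssoLeftovers {
    # The cleanup the guide describes as manual steps in Explorer and regedit.
    # Only the paths the guide lists are touched; anything else under SAP\ is left alone.
    if (Test-Path -LiteralPath $EssoDataDir) {
        Remove-Item -LiteralPath $EssoDataDir -Recurse -Force
        Write-Host "Removed $EssoDataDir"
    }
    foreach ($key in $EssoRegistryKeys) {
        if (Test-Path -LiteralPath $key) {
            Remove-Item -LiteralPath $key -Recurse -Force
            Write-Host "Removed $key"
        }
    }
}

switch ($Action) {
    'Install'        { Invoke-EssoMsi -Verb 'i' -Msi $MsiPath -Props $Properties | Out-Null }
    'Remove'         { Invoke-EssoMsi -Verb 'x' -Msi $MsiPath | Out-Null }
    'CompleteRemove' {
        # The guide's order: uninstall first, then delete the data directory and keys.
        Invoke-EssoMsi -Verb 'x' -Msi $MsiPath | Out-Null
        Remove-EssoLeftovers
    }
}
```

Run it as `.\esso-setup.ps1 -Action Install -Properties 'SCRIPT=<value>'` or `.\esso-setup.ps1 -Action CompleteRemove`. Exit code 3010 is Windows Installer's "success, restart required", which matches the guide's instruction to restart after install and removal; with /norestart the restart is left to the administrator rather than happening in the middle of a deployment.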
Prerequisites
You need administrator rights (role or group member) to perform the update procedure.
Procedure
1. Update the Secure Login Client. For information, see the Secure Login Configuration and Installation Guide.
2. Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18]. It is not necessary to restart the computer. This does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].
3. If upgrading from E-SSO 1.0.0, remove Java Access Bridge 2.0.1.
4. Restart the computer.
5. If upgrading from E-SSO 1.0.0, install Java Access Bridge 2.0.2. See Preparation Steps for Java Applications [page 8].
6. Install Enterprise Single Sign-On 1.x. See Preparation Steps for Java Applications [page 12]. If you intend to re-use the existing credential store (soft token or smart card), make sure you re-install the correct authentication method; this can also be changed after installation via the Local Management Console.
5 Configuration
Some of the steps in this chapter involve modification of the Windows registry. Incorrectly modifying the registry can cause serious problems that may require reinstallation of the operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Although the modification process has been made as foolproof as possible (semi-automated via group policies), there may still be unforeseen conflicts, most of which are out of scope of this product. Manual modification of the registry is not considered part of this product and may be attempted at your own risk.
5.1 Card Reader Configuration

Procedure
1. Start the Enterprise Single Sign-On Card Configuration Tool as follows:
Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool
Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-SSO Card Configuration Tool
2. The Enterprise Single Sign-On Card Configuration Tool dialog will appear. The active card reader configuration is listed in the upper field, Current Configuration. Click Refresh to update the list of currently connected smart card readers in the Available PC/SC smart card readers combo-box. Enable Favour readers with inserted smart card if you want to display only those readers that currently have a smart card inserted (click Refresh first). Click Reset in the lower left corner to erase the active settings.
3. Select the card reader you want from the Available PC/SC smart card readers combo-box and click OK. The E-SSO Card Configuration Tool dialog will close.
4. To complete card reader configuration:
Windows XP: Restart your system.
Windows Vista and Windows 7: Log off and log back in to the system.
5.2 Adding Group Policy Templates via Group Policy Editor

Prerequisites
If you are running the Microsoft Group Policy Editor as a member of a domain, your workstation must be connected to the domain for the settings to take effect. If your workstation is offline, the settings will not be applied to the registry. For a detailed description, consult the relevant Microsoft documentation.
Procedure
1. To start the Microsoft Group Policy Editor:
Windows Vista / Windows 7: Click Start, enter gpedit.msc in the Search programs and files field, and press Return.
Windows XP: Click Start > Run, enter gpedit.msc in the Open field, and click OK.
2. The Group Policy Editor window will appear.
3. Open the Computer Configuration node, right-click the Administrative Templates node, and select Add/Remove Templates from the context menu.
5. Click Add.
6. The Policy Templates dialog is shown. Locate the following directory in the Enterprise Single Sign-On delivery package: Extras\adm\en
For Windows XP: Use the Ctrl key to select the files csp_xp.adm, gina_xp.adm, and signon.adm. Click Open.
For Windows Vista and Windows 7: Use the Ctrl key to select the files crp.adm and signon.adm. Click Open.
7. The Add/Remove Templates dialog will reappear; click Close.
8. The templates are now imported into the Group Policy Editor. Click Administrative Templates > SAP AG to view the Enterprise Single Sign-On configuration options.
9. You are now ready to configure Enterprise Single Sign-On. The following sections detail each of the configuration options.
5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options
Use
Configure the parameters related to the behavior of the CRP. These parameters apply only to smart card-based authentication; they cannot be used for soft token authentication.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options
Parameters
Parameter: Allow logon certificate expiration check
Description: This parameter allows the certificate on the smart card to be checked for validity and only continues with the logon process if the certificate is valid. Enabled: The certificate validity check is performed after the user clicks the OK button in the Windows logon PIN dialog. The certificate is valid if the system date and time is within the validity range of the authentication certificate. If the certificate is invalid, an error message is displayed. Disabled: The certificate validity check is deactivated for both the Windows logon and the screen unlock.

Parameter: Allow logon certificate expiration warning
Description: The parameter sets an integer value that indicates the number of days before a certificate expires. A maximum of 60 days is possible. The warning will appear as a text message in the Windows Logon user interface.

Parameter: Allow logon certificate update
Description: Enabled: The CRP checks for new certificates during logon and screen unlock. Disabled: No CRP check will be performed.

Parameter: Allow logon help wizard
Description: Enabled: The Logon Help link is visible in the selected CRP. It supports the functions that allow the user to change the PIN and unblock the token. Disabled: The Logon Help link is not displayed in the selected CRP.

Parameter: Allow unlock certificate expiration check
Description: This parameter allows a certificate validity check on Windows unlock. The setting can only be enabled if the parameter Allow logon certificate expiration check is also enabled. When the parameter is enabled, the certificate is checked using the same rules as for Windows logon.

Parameter: Default key container label
Description: This parameter defines the certificate to be used for certificate-based Windows logon via its label. Enter the PKCS#11 label of the certificate you want to use. It can be either User Certificate or Signing Certificate.

Parameter: Enable SAP Certificate Based Logon
Description: This parameter enables logon to Windows using the credentials contained within the certificate; the user need only authenticate via a PIN. Enabled: The E-SSO certificate-based logon will not be filtered. Disabled: The E-SSO certificate-based logon is filtered.

Parameter: [name missing]
Description: This parameter enables logon to Windows using the username and password of the user contained on the smart card. Enabled: The E-SSO password-based logon will not be filtered. Disabled: The E-SSO password-based logon is filtered.

Parameter: Filter
Description: This parameter allows you to disable any registered Credential Provider (CRP) used for the Windows Logon. Basic description (for a full description, see Apply E-SSO Filter [page 27]): Double-click the Filter entry to open the Filter Properties dialog. Enable the parameter and click Show to display the Show contents dialog. Click Add to display the Add Item dialog for filter entries:
The Enter the name of the item to be added field should contain the value of the GUID enclosed in { } (braces). For example: {<25CBB996-92ED-457e-B28C-47s74084BD562>}
The Enter the value of the item to be added field should contain the scenarios to which the E-SSO filter is applied, separated by ';' (semicolon), with no spaces between scenarios. For example: <LOGON;UNLOCK;CHANGE;CREDUI>. The scenarios are:
LOGON (restarting computer, switching user, logging off computer)
UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)
CHANGE (pressing Ctrl-Alt-Delete then selecting 'Change Password'; forced password change)
PLAP (Pre-Logon-Access Provider screen)
CREDUI (for authentication on remote machines, prompting in User Account Control)
If you leave an empty string, the default filter values are applied to all 5 scenarios.

Parameter: Prevent smart card lock on workstation lock
Description: If this parameter is enabled, it prevents the smart card from being locked when the workstation is locked. This parameter can be used, for example, by PMF scripts for underlying applications that still require smart card access. By default, this parameter is set to disabled and the smart card is always locked.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options.
2. Double-click Filter.
3. The Filter dialog will appear. Select Enabled and click Show (in the Options panel).
4. The Value name field is for the GUID of the CRP that you want to filter out, which will therefore not be available to the user. The GUID must be obtained via the Registry Editor and is detailed in the next steps. The Value field is for the scenarios to which the E-SSO filter will be applied.
5. Open the Windows Registry Editor. Click Start and enter regedit into the Search programs and files field.
6. Open the folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
7. You should now see a list of folders, each with a number/letter combination. This combination is also known as the GUID. Each of them represents a CRP registered with Windows. Click each one to display its values in the right panel and therefore identify the purpose of the CRP.
8. Copy and paste the number/letter combination of the folder (the GUID) including the braces. For example: {25CBB996-92ED-457e-B28C-4774084BD562}. To copy the folder/GUID name: right-click the folder and select Rename from the context menu. The folder name will be highlighted and ready to be changed. Press Ctrl-C to copy the name; DO NOT change it. Abort the Rename function by clicking elsewhere in the Registry Editor window. A list of default GUIDs in Windows Vista and Windows 7 can be found at the end of this section. See Default GUIDs [page 29].
9. Go back to the Show Contents dialog. Paste the folder/GUID name into the Value name field.
10. In the Value field, enter the names of the scenarios to which the CRP filter will be applied. The scenarios must be separated by ';' (semicolon), with no spaces between each one. For example: <LOGON;UNLOCK;CHANGE>. The scenarios in which the Enterprise Single Sign-On filter is applied are as follows:
    LOGON (restarting computer, switching user, logging off computer)
    UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)
    CHANGE (pressing Ctrl-Alt-Delete then selecting 'Change Password'; forced password change)
    PLAP (Pre-Logon-Access Provider screen)
    CREDUI (for authentication on remote machines, prompting in User Account Control)
    If you leave an empty string, the filter will be applied for all 5 scenarios.
11. Click OK to close the Add Item dialog. The GUID of the CRP has now been added to the CRP filter.
12. Repeat the steps to add other providers to the CRP list.
13. To delete CRPs (Windows Vista / 7): highlight an entry and press the Del (delete) key.
Default GUIDs

Credential Provider               GUID
Generic Provider                  {25CBB996-92ED-457e-B28C-4774084BD562}
Network Provider (NPProvider)     {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
Password Provider                 {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
Smartcard Credential Provider     {8bf9a910-a8ff-457f-999f-a5ca10b4a885}

Additional third-party CRPs can be found in the following registry hive: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
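As an added example (not part of the SAP guide), the following PowerShell serves both the Filter parameter description and the procedure above: it lists the CRPs registered in the hive just named, resolves each GUID to its COM server DLL so third-party providers stand out against the default GUIDs in the table, and validates a Filter entry (braced GUID plus scenario list) before it is typed into the Add Item dialog. The function names and the CLSID lookup are my own; the default GUIDs are the ones tabulated above.

```powershell
# Added example, not part of the SAP E-SSO guide; the function names are my own.
# Lists the Credential Providers (CRPs) registered with Windows and validates a
# Filter entry (GUID as value name, scenario list as value) before it is pasted
# into the Show Contents / Add Item dialog described above.

# Default GUIDs from the table above (Windows Vista / Windows 7).
$KnownCrps = @{
    '{25CBB996-92ED-457e-B28C-4774084BD562}' = 'Generic Provider'
    '{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}' = 'Network Provider (NPProvider)'
    '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' = 'Password Provider'
    '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}' = 'Smartcard Credential Provider'
}

function Get-RegisteredCrp {
    # Same hive the procedure opens in regedit; reading it needs no Rename trick.
    $hive = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($key in Get-ChildItem -Path $hive) {
        $guid = $key.PSChildName                                   # e.g. {6f45dc1e-...}
        $name = (Get-ItemProperty -Path $key.PSPath).'(default)'   # provider's own name
        # A CRP is a COM object, so its DLL is recorded under the CLSID key;
        # a GUID outside the default table backed by a vendor DLL is a third-party CRP.
        $clsid = "HKLM:\SOFTWARE\Classes\CLSID\$guid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $clsid) { $dll = (Get-ItemProperty -Path $clsid).'(default)' }
        $known = 'third-party / other'
        if ($KnownCrps.ContainsKey($guid)) { $known = $KnownCrps[$guid] }
        [pscustomobject]@{
            GUID      = $guid
            Name      = $name
            KnownAs   = $known
            ServerDll = $dll
        }
    }
}

function Test-EssoFilterEntry {
    # Checks one Add Item entry: a braced GUID and a ';'-separated scenario list
    # with no spaces. An empty string means the filter applies to all five scenarios.
    param(
        [Parameter(Mandatory)][string]$Guid,
        [AllowEmptyString()][string]$Scenarios = ''
    )
    $allowed  = 'LOGON', 'UNLOCK', 'CHANGE', 'PLAP', 'CREDUI'
    $problems = @()

    # Value name: 8-4-4-4-12 hex digits in braces, exactly as regedit shows the key.
    if ($Guid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        $problems += "Value name '$Guid' is not a braced GUID"
    }
    if ($Scenarios -ne '') {
        if ($Scenarios -match '\s') { $problems += 'Scenario list must not contain spaces' }
        foreach ($s in ($Scenarios -split ';')) {
            if ($s -cnotin $allowed) { $problems += "Unknown scenario '$s'" }
        }
    }
    $effective = $Scenarios
    if ($Scenarios -eq '') { $effective = $allowed -join ';' }
    [pscustomobject]@{
        Guid      = $Guid
        Scenarios = $effective
        Valid     = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage: show what is registered, then check an entry that would hide the
# built-in Password Provider at logon and unlock (Valid = True), and one with a
# non-hex character in the GUID and a space after the ';' (Valid = False).
Get-RegisteredCrp | Format-Table -AutoSize
Test-EssoFilterEntry -Guid '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' -Scenarios 'LOGON;UNLOCK'
Test-EssoFilterEntry -Guid '{25CBB996-92ED-457e-B28C-47s74084BD562}' -Scenarios 'LOGON; UNLOCK'
```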
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options
Parameters
Allow auto password generation: This parameter will support the automatic generation of a Windows logon password for Windows logon, if a password change is requested. Per default, this parameter is disabled. When the parameter is disabled, the CRP performs a normal interactive password change.

Allow view UPN certificate: This parameter allows you to enable or disable Enable certificate user name presentation. This parameter is only used by the password-based CRP that has an additional certificate stored on the smart card. The CRP for certificate-based logon presents the certificate subject as soon as the smart card is inserted. If this parameter is disabled, a default text is used. With this parameter enabled, the User Principal Name attribute of the public authentication certificate on the smart card is read out by the CRP and presented to the user as text. The parameter should show the name of the user, for example <John.Doe@domain>, without the domain name. If no name could be extracted, the policy is treated as disabled. By default, this parameter is disabled in the CRP.

In case the Windows password is about to expire, a message is displayed where you can choose whether you want to change the password now. If the user rejects, a normal logon is performed. If the user accepts the message by clicking the OK button, a password change is performed. If this parameter is activated (and the automatic password change policy is activated), the message will not be shown and the password will be changed immediately without user interaction. Per default the parameter is deactivated and the message is always shown.

Set custom tile image for password credential: The customer image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory). See Customize Tile Image Bitmaps [page 32] for more information about customizing tile image bitmaps.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Certificate Credential Options
Parameters
Set custom tile image for certificate credential: The customer image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory). See Customize Tile Image Bitmaps [page 32].
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options or Certificate Credential Options.
2. Double-click Set custom tile image for password (or certificate) credential.
3. The Set custom tile image for password (or certificate) credential Properties dialog will appear.
4. Select Enabled.
5. Enter the location of the bitmap into the field. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps\CRP_tile_logo.bmp, and not in the %Program Files% directory).
6. Click Apply to save the changes and click OK to close the window.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings
Parameters
Background refresh for fast screen unlock: Enter either of the following values for Background refresh enabled/disabled: 0: Background refresh disabled; 1: Background refresh enabled. If this parameter is enabled, the parameter Timeout for fast screen unlock is ignored.

Custom Bitmaps: The smart card image bitmap is normally installed and configured during product installation. Use this parameter to define a custom smart card image: enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (160 wide x 100 high in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\SC.bmp. See Customizing Bitmaps for Smart Card [page 35].

Default Domain: This parameter defines the default domain to use for the Windows logon if more than one Windows domain exists.

Display Options: You can specify the display options of the E-SSO Logon dialog. Disable GINA dialog elements: you can disable either or both the Dialup Checkbox and the Domain Selection. Select Show Enter PIN Options to display all PIN options on the E-SSO Logon dialog. To show the PIN option that was used during the previous login, select Show Enter PIN Options persistent. Enable Check Logon with certificate persistent to limit the Windows logon options to certificate-based logon only. Note: This parameter is only applicable if the parameter Enable certificate-based logon is enabled.

Enable certificate-based logon: This parameter enables certificate-based logon.

Enable Generate new password for new entry: If this parameter is enabled, new passwords will automatically be generated for new entries on logon. Passwords will automatically be changed if the domain requires changing the logon password.

Enable password-based logon: This parameter enables password-based logon.

Generated password length: This parameter specifies the default password length. Another policy that sets the minimum password length may exist. To ensure that this parameter does not interfere with other parameters, make sure that the default password length is greater than or equal to the minimum password length set by other policy settings. You can check the policies in the following registry settings:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
Value Name: MinPwdLen
Data Type: REG_BINARY (Binary Value)

Lock token if workstation is locked: When enabled, this parameter closes the token if the workstation is locked and the token remains on the reader. Attention: A locked token is more secure but can cause some conflict (for example, if an application needs to access the token in locked workstation mode).

Logging location: If logging is enabled, this parameter specifies the location of a log. The default log file is located in C:\temp\login.log.

Logon password not stored: If this parameter is enabled, the Windows logon password will not be stored on the smart card. The user will be asked for the Windows logon password on every logon.

Message box caption: Specify a message box caption. This parameter is enabled per default.

PIN pane image: Instead of a white background image, you can specify a new image for the Enterprise Single Sign-On logon and unlock dialogs. Enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (455 wide x 70 high in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\PINpane.bmp. See Customizing PIN Pane Image Bitmap [page 35].

If this parameter is enabled, you can only log in using a smart card. If this parameter is disabled, you can log in using CTRL-ALT-DEL and entering User ID and password. NOTE: If this parameter is enabled, logging in to the system with a defective card reader or an absent smart card will not be possible. This parameter will be set after the first successful smart card logon.

ShowPwdExpiresMsg: In case the Windows password is about to expire, a message will be displayed prompting the user to change the password now or later. If this parameter is disabled and automatic password change is activated, the message will not be shown and the password will be changed without user interaction.

Timeout for fast screen unlock: This parameter defines the period of time (in minutes) for the fast screen unlock. If the value is 0, fast screen unlock is inactive and the system performs full authentication. If the last screen unlock or login is less than the time window set, then a fast screen unlock is carried out. If the last screen unlock is greater than the time window set, a full screen unlock including refresh of the Kerberos tickets is performed.

This parameter defines the default logon option if both the certificate-based logon and password-based logon are enabled.

If this parameter is enabled, the expiry date of the logon certificate will be checked during logon. Optionally, the certificate expiry date can be checked during unlock. The user will not be allowed to log on if the certificate has expired. Note: No CRL checking is performed! This feature can delay the logon procedure for password logon.

If this parameter is enabled, the expiry date of the logon certificate will be checked during logon and unlock. A warning message will be displayed if the certificate will expire within a defined number of days.
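As an added example (not part of the SAP guide), this PowerShell performs the check the Generated password length parameter asks for: it reads the legacy MinPwdLen value (REG_BINARY) from the two Policies\Network keys listed above, decodes it, and compares a planned generated length against the strictest policy found. The function names are my own; the registry paths and value name are those given in the parameter description.

```powershell
# Added example, not part of the SAP E-SSO guide; the function names are my own.
# Reads the legacy MinPwdLen policy (REG_BINARY) from the two Policies\Network keys
# named under "Generated password length" and checks a planned generated length
# against the strictest value found.

function ConvertFrom-MinPwdLenBytes {
    # REG_BINARY comes back as byte[]; MinPwdLen is stored little-endian (normally 4 bytes).
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $value = 0
    for ($i = $Bytes.Length - 1; $i -ge 0; $i--) { $value = ($value * 256) + $Bytes[$i] }
    return $value
}

function Get-MinPwdLenPolicy {
    $paths = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'
    )
    foreach ($p in $paths) {
        # A missing key or value simply means "no policy in this hive".
        $raw = (Get-ItemProperty -Path $p -Name MinPwdLen -ErrorAction SilentlyContinue).MinPwdLen
        if ($null -eq $raw) { continue }
        [pscustomobject]@{
            Hive      = $p
            MinPwdLen = (ConvertFrom-MinPwdLenBytes -Bytes ([byte[]]$raw))
        }
    }
}

function Test-GeneratedPasswordLength {
    # $GeneratedLength is the value you intend to set for "Generated password length".
    param([Parameter(Mandatory)][int]$GeneratedLength)
    $policies = @(Get-MinPwdLenPolicy)
    $required = 0
    if ($policies.Count -gt 0) {
        $required = ($policies | Measure-Object -Property MinPwdLen -Maximum).Maximum
    }
    [pscustomobject]@{
        GeneratedLength = $GeneratedLength
        PolicyMinimum   = $required
        Ok              = ($GeneratedLength -ge $required)
        Hives           = @($policies.Hive)
    }
}

# Usage. The constructed sample bytes show the decoding: 0x0C,0,0,0 -> 12.
ConvertFrom-MinPwdLenBytes -Bytes ([byte[]](0x0C, 0, 0, 0))
Test-GeneratedPasswordLength -GeneratedLength 12
```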
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. Create a new image that must adhere to the following: the image should be in BMP format; the image size should be 160x100 pixels.
2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.
3. Double-click Custom Bitmaps.
4. The Custom Bitmaps Properties dialog will appear.
5. Enable the setting. The Enter <path>\<filename> field will be enabled.
6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\smartcard.bmp>.
7. Click Apply to save the changes, and click OK to close the window.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. Create a new image that must adhere to the following: the image should be in BMP format; the image size should be 455x70 pixels.
2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.
3. Double-click PIN pane image.
4. The Custom Bitmaps Properties dialog will appear.
5. Enable the setting. The Enter <path>\<filename> fields will be enabled.
6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\PINpane.bmp>.
7. Click Apply to save the changes, and click OK to close the window.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Windows XP: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options
Windows Vista and Windows 7: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options
Parameters
Backup Expiry Time: This parameter defines the number of days a deleted entry remains flagged as deleted until it is erased. To ensure correct synchronization, deleted entries are first flagged as deleted before they are finally removed from the password file. If you disable this parameter or do not configure it, the default value of 90 days will be applied.

This parameter defines the full path to the folder in which the backup history files will be stored. Note: Every Enterprise Single Sign-On user will need read/write permission to the folder specified by this parameter. This parameter applies to smart card-based authentication only. For every change made (for example, change, create or delete), a backup of the password file stored on the card will be created.

This parameter defines the maximum number of backup files per user. Note: Every Enterprise Single Sign-On user will need read/write permission to the folder specified by this parameter.

If this parameter is enabled, a user will be unable to open the Drag and Drop Credentials dialog from the SSO Tray Utility menu. For more information about the Drag and Drop Credentials feature, see the Enterprise Single Sign-On User Guide.

If this parameter is enabled, the SSO Learning Wizard features (automatically detect and register new applications) will be inactive. For more information about the Register a New Application feature, see the Enterprise Single Sign-On User Guide.

If this parameter is enabled, the features of SSO Monitor (automatically register a new application and automatic login to applications) will be inactive. For more information about the Register a New Application and Automatic Login features, see the Enterprise Single Sign-On User Guide.

Drag & Drop Characters: This parameter allows you to specify the speed with which characters are sent to the destination window during a drag & drop operation. The send speed refers to the latency between the sending of characters and is defined in milliseconds. Per default, the send speed is 40 milliseconds. However, some applications such as Terminal Service clients on slow connections need a lower send speed to guarantee that all characters reach the destination window. The drag & drop operation sends KEYDOWN, then delays for half of the latency time until KEYUP is sent, then delays for the other half until the next character's KEYDOWN is sent.

Erase Input Fields: If this parameter is enabled, the content of a destination field is erased before the drag & drop content is dropped into the field.

Hide LMC Dialog: If this parameter is enabled, the Local Management Console submenu will not be displayed in the context menu available via the system tray icon.

Hide SSO Tray Icon: If this parameter is enabled, the E-SSO icon in the system tray will be hidden.

Local Backup Path: This parameter defines the full path to the folder in which the backup files will be stored. Note: The destination folder must be accessible while the user is not logged in.

Show credentials dialog: If this parameter is enabled, a dialog will be shown containing the list of credentials linked to the application. From this dialog, the user can select the credential to log in with.

SSO Monitor trace and log: If this parameter is enabled, trace messages from the E-SSO Monitor component will be logged. This setting is useful for debugging purposes.

SSO User Activity Trace and Log: If this parameter is enabled, E-SSO will trace and log the activities performed by the user.
Prerequisites
Before using this feature, make sure that the ADM setting SSO User Activity Trace and Log is enabled. See Local Management Console Options [page 38].
Procedures
The Secure Login Notification Viewer (Log Console) can be accessed via: C:\Program Files\SAP\FrontEnd\SecureLogin\bin\sbustrace.exe. For more information about this utility, see the Secure Login Installation, Configuration, and Administration Guide. Click the Secure Login taskbar icon to open the certificate/token dialog. Select the menubar entry View > Log Console.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Web Settings
Parameters
Auto detect Web login form: This parameter will allow E-SSO to automatically detect Web application authentication fields and pop up the registration wizard.
Enabled: E-SSO will automatically detect Web application authentication fields and pop up the registration wizard.
Disabled: Automatic detection will not take effect. The user can register the Web application by using the Save button in the E-SSO Internet browser toolbar.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > LMC Settings
Parameters
Hide password policy for normal user: This parameter allows E-SSO to hide the password policy node in the Local Management Console.
Enabled: The password policy will either be hidden or set to read-only.
Disabled: The password policy in the LMC will be visible to a normal user.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Soft token setting
Parameters
Minimum characters of answer or password string: Define the minimum number of characters used for the security Question and Answer fields.

Softtoken Path Configuration: This parameter defines the full path to the folder in which the soft token files will be stored. Each user needs read/write permissions to this folder. For example: to configure the soft token path to a company's network location <G:\ShareAll>, click Enabled, enter the network location into the Softtoken Path field, and click Apply.

This parameter defines the size of the soft token file. There are three options for the password file size:
Small: 1280 bytes (approximately 20 entries)
Medium: 3840 bytes (approximately 40 entries)
Large: 7680 bytes (approximately 60 entries)
If you disable this setting or do not configure it, the default value (Small) will be used.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > Terminal Emulator Host Configuration
Parameters
Configure the first host, Configure the second host, Configure the third host, Configure the fourth host, Configure the fifth host: These parameters define the values to be used for each terminal emulator host.
- Hostname or IP: The host name or IP address of the host.
- The string to detect Username: The title of the user name field. This string must be the same as the label of the field in which the user enters the user name on the host machine.
- The string to detect Password: The title of the password field. This string must be the same as the label of the field in which the user enters the password on the host machine.
- Control key after Username: The key value that the user presses after inputting the user name. For example: if the user presses the Enter key after entering their Username, the value here is {ENTER}; if the user presses the Tab key, the value is {TAB}; if the user presses the Tab key twice, the value is {TAB}{TAB}.
- Control key after Password: The key value that the user presses after inputting their password. For example: if the user presses the Enter key after entering their password, the value here is {ENTER}; if the user presses the Tab key, the value is {TAB}; if the user presses the Enter key twice, the value is {ENTER}{ENTER}.
- MaxLength of Username field: The maximum number of characters that the user can enter into the user name field.
- MaxLength of Password field: The maximum number of characters that the user can enter into the password field.
Procedure
1. In the Group Policy Object Editor, open Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
2. The security options will appear in the right panel.
3. Double-click Interactive logon: Smart card removal behaviour.
4. Select the behaviour from the combo-box and click OK. This is the behaviour that will occur when a smart card is removed. For example, to lock the workstation after the smart card is removed, select Lock workstation.
6 Additional Information
6.1 Preparing Smart Cards for E-SSO
Use
To use a smart card with Enterprise Single Sign-On, you must first enable it by partitioning the card in readiness for the PMF file. This can be done via:
- The E-SSO Smart Card Preparation Tool. See Preparing Smart Cards via E-SSO Smart Card Preparation Tool [page 45].
- Windows XP GINA: See Preparing Smart Cards via Windows XP GINA [page 46].
- Windows Vista or Windows 7 CRP: See Preparing Smart Cards via Windows Vista and Windows 7 Login [page 46].
3. First, it is necessary to authenticate to the smart card. Click Enter Smart Card PIN.
4. A PIN prompt will appear. Enter the PIN and click OK.
5. Now the smart card is ready for preparation. Click Add Sign-On. Add Sign-On will be disabled if the smart card has already been enabled for Windows logon. If you wish to continue adding a sign-on object to the smart card, click Remove Sign-On.
6. The Please enter user name dialog will appear.
7. Enter the user's Windows credentials into the fields User name, Password and Log on to (domain). Select Write Windows login data to card to enable the Password and Log on to fields.
8. Select Verify before writing to card to check that the credential is correctly entered before adding the credential to the smart card.
9. The Token Type ID displays the token type of the current smart card system configuration and cannot be edited.
10. Click OK to add the E-SSO object to the smart card. If the Windows credentials were not previously entered, the user will have to perform an initial Windows logon (see the following sections for more information).

Enter your user name and password for the Windows logon into the User name and Password fields, respectively. Select the domain for the Windows Logon from the Log on to drop-down menu and click OK.
4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon.
5. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide.
For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.
6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login
1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN.
2. If the smart card meets the minimum requirements, you can enable the card for Enterprise Single Sign-On as follows:
   - Enter your user name into the first input field.
   - Enter your password into the second input field.
   - Enter the computer or network domain to which you want to log in into the third input field. Per default, this field displays the computer name or network domain to which the last user was logged in.
   - Click Save logon password on token in the Windows logon dialog.
3. The user will be prompted to use the currently connected smart card for Enterprise Single Sign-On. Click OK.
4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide.
For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.
Soft Token
5. On the primary computer register applications, create the blacklist and policies:
   - Register applications and link them to the appropriate credentials.
   - Register or add applications to the blacklist.
   - Create password policies.
   After this step, the application (<*.api>), blacklist (<*.bll>) and policy file (<*.plc>) will be created. For example: <user1.api>, <user1.bll>, <user1.plc>.
6. On the primary computer create credentials in the soft token. After this step, the credential file (<*.bin>) will be created. For example: user1.bin.
7. On each secondary computer terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOMonitor.exe, and click End Process).
8. Now start the distribution. To distribute applications, blacklist and policies: copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer. On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct username (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.
9. To distribute credentials: copy the folder Softtoken (located in %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer. On the secondary computer, open the Softtoken folder and rename the *.bin file to the correct username (<%username%>.bin). For example: user2.bin.
10. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.
Smart Card
1. On the primary computer register applications, create the blacklist and policies:
   - Register applications and link them to the appropriate credentials.
   - Register or add applications to the blacklist.
   - Create password policies.
   After this step, the application (<*.api>), blacklist (<*.bll>) and policy file (<*.plc>) will be created. For example: <user1.api>, <user1.bll>, <user1.plc>.
2. On the primary computer create credentials in the soft token. After this step, the credential file (<*.bin>) will be created. For example: user1.bin.
3. On each secondary computer terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOMonitor.exe, and click End Process).
4. To distribute applications, blacklist and policies: copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer. On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct username (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.
5. To distribute credentials via the Local Management Console to smart cards (credentials have already been created in step 2 and stored in a soft token): open the Local Management Console and go to Authentication > Copy Token Contents. The Enterprise Single Sign-On Soft Token utility dialog will appear. To copy the credentials to the smart card, select the credentials from the Credentials Stored in Soft Token list and click the transfer arrow (up). Once transferred, the credentials will appear in the Credentials Stored in Smart Card list. For more information about the Soft Token utility, see the Enterprise Single Sign-On User Guide.
6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.
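As an added example (not part of the SAP guide), the following PowerShell automates the file handling shared by the Soft Token and Smart Card distribution procedures above on a secondary computer: stopping SSOMonitor.exe, copying AppInfo (and, for soft tokens, Softtoken) from the primary computer's %appdata%\SAP\signon, renaming the primary user's files to the secondary user's name, and restarting SSOMonitor.exe. The function and parameter names are my own, and the primary path and install path used in the usage line are constructed placeholders.

```powershell
# Added example, not part of the SAP E-SSO guide; function and parameter names are my own.
# Runs the file steps of the Soft Token procedure on a secondary computer (stop
# SSOMonitor.exe, copy AppInfo and Softtoken from the primary computer's
# %appdata%\SAP\signon, rename user1.* to the secondary user's name, restart
# SSOMonitor.exe). Without -IncludeSoftToken it copies AppInfo only, which is the
# Smart Card variant's step 4 before credentials are moved via the LMC.
function Copy-EssoProfile {
    param(
        # The primary computer's %appdata%\SAP\signon (a share or an exported copy);
        # assumption, not a path from the guide.
        [Parameter(Mandatory)][string]$PrimarySignonPath,
        [Parameter(Mandatory)][string]$PrimaryUser,      # e.g. user1
        [Parameter(Mandatory)][string]$SecondaryUser,    # e.g. user2, or $env:USERNAME
        # The guide's "%installation path%\SAP\signon" folder holding SSOMonitor.exe.
        [Parameter(Mandatory)][string]$InstallPath,
        [string]$SecondarySignonPath = (Join-Path $env:APPDATA 'SAP\signon'),
        [switch]$IncludeSoftToken
    )
    # Step 7: SSOMonitor.exe must not be running while its files are replaced.
    Get-Process -Name SSOMonitor -ErrorAction SilentlyContinue | Stop-Process -Force

    # Folder -> extensions that carry the user name (per the procedure above).
    $sets = [ordered]@{ 'AppInfo' = @('api', 'bll', 'plc') }
    if ($IncludeSoftToken) { $sets['Softtoken'] = @('bin') }

    foreach ($folder in $sets.Keys) {
        $src = Join-Path $PrimarySignonPath $folder
        $dst = Join-Path $SecondarySignonPath $folder
        if (-not (Test-Path -Path $src)) { throw "Folder $src not found on the primary copy" }
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
        # Steps 8 / 9: copy the folder to the same path on the secondary computer ...
        Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
        # ... and rename the primary user's files to the secondary user's name.
        foreach ($ext in $sets[$folder]) {
            $old = Join-Path $dst "$PrimaryUser.$ext"
            $new = Join-Path $dst "$SecondaryUser.$ext"
            if ($old -eq $new) { continue }                 # same user name: nothing to rename
            if (-not (Test-Path -Path $old)) { Write-Warning "Expected $old is missing"; continue }
            if (Test-Path -Path $new) { Remove-Item -Path $new -Force }   # Rename-Item does not overwrite
            Rename-Item -Path $old -NewName "$SecondaryUser.$ext"
        }
    }
    # Step 10: restart the monitor from the installation folder.
    Start-Process -FilePath (Join-Path $InstallPath 'SSOMonitor.exe')
}

# Usage on the secondary computer, logged in as the secondary user (paths are constructed):
Copy-EssoProfile -PrimarySignonPath 'C:\Transfer\signon' -PrimaryUser 'user1' `
    -SecondaryUser $env:USERNAME -InstallPath 'C:\Program Files\SAP\signon' -IncludeSoftToken
```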
Procedure
1. Start the Microsoft Management Console. Windows XP: select Start > Run, enter mmc in the Run dialog and click OK. Windows Vista / Windows 7: select Start, enter mmc in the Search programs and files field and click OK. The Microsoft Management Console will appear.
2. Select File > Add/Remove Snap-in from the menu.
3. Windows XP only: the Add/Remove Snap-in dialog will appear. Click Add.
4. The Add Standalone Snap-in (Windows XP) or Add or Remove Snap-ins (Windows Vista/7) dialog will appear. Select Certificates and click Add.
5. The Certificates snap-in dialog will appear. Select the option My User Account and click Finish.
6. Click OK to close the dialog.
7. Close the Microsoft Management Console.
7 Troubleshooting
Use
This chapter helps you resolve the most common problems with the installation or configuration of Enterprise Single Sign-On.
To continue the installation process, select the option Allow I trust this program. I know where it's from or I've used it before. The installation will proceed.
Procedure
1. Verify that a smart card reader is properly connected and recognized by the operating system.
7. Verify that the latest version of the smart card middleware (PKCS#11 library / middleware) is installed on the system.
8. If you are still prompted with the error dialog Smart card is not available, try re-inserting the smart card and/or restarting the system.
9. If all of the above fail, please contact your system administrator.
Procedure
Define the default smart card reader using the E-SSO Card Configuration Tool. For more information, see Card Reader Configuration [page 21]. The tool can be started via the Local Management Console or via the menu entry Start > All Programs > SAP > signon > E-SSO Card Configuration Tool.
Procedure
In Windows XP Professional it is not possible to use the Windows Logon feature of Enterprise Single Sign-On if the computer is not a member of a domain. Microsoft does not support this for computers that are only members of a workgroup. If the Enterprise Single Sign-On login or GINA dialog does not appear after pressing Ctrl-Alt-Delete, make sure that the computer is a member of a domain.
Procedure
1. Access the Filter properties > Show Contents dialog (see Apply E-SSO Filter [page 27]) and check the following values:
2. The Value Name field should display the GUID of the CRP that you want to filter. The GUID is a number/letter combination, including the brackets! For example: <{25CBB99692ED-457e-B28C-4774084BD562}>.
3. The Value field should display the scenarios to which the filter will be applied, separated by a semicolon (;) with no spaces between the entries. For example: <LOGON;UNLOCK;CHANGE>.
4. If any of these values are incorrectly set, click Remove and add a new entry to the CRP list. See Apply E-SSO Filter [page 27].
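A check for the two values in steps 2 and 3, added here as an example and not part of the SAP guide: it takes the Value Name and Value as plain strings (however you read them out of the CRP list) and reports the format problems the steps describe. The GUID in the sample entries is constructed.

```python
import re
from typing import Dict, List, Tuple

# Registry-style GUID with braces, as the troubleshooting step requires:
# {8-4-4-4-12 hex digits}. Missing braces or wrong grouping is rejected.
GUID_WITH_BRACES = re.compile(
    r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def check_crp_filter_entry(value_name: str, value: str) -> List[str]:
    """Return the problems found in one CRP filter entry (empty list = well-formed).
    value_name: GUID of the credential provider to filter, braces included.
    value:      scenarios separated by ';' with no spaces, e.g. 'LOGON;UNLOCK;CHANGE'.
    """
    problems: List[str] = []

    if not GUID_WITH_BRACES.match(value_name):
        if value_name.startswith("{") and value_name.endswith("}"):
            problems.append(f"Value Name {value_name!r} is not a well-formed GUID")
        else:
            problems.append(f"Value Name {value_name!r} must be a GUID enclosed in braces")

    if value == "":
        problems.append("Value is empty; expected scenarios such as LOGON;UNLOCK;CHANGE")
    else:
        if any(ch.isspace() for ch in value):
            problems.append(f"Value {value!r} contains whitespace; use ';' only")
        entries = value.split(";")
        if "" in entries:
            problems.append(f"Value {value!r} has an empty scenario (stray ';')")
        dupes = sorted({e for e in entries if e and entries.count(e) > 1})
        if dupes:
            problems.append(f"Value {value!r} repeats a scenario: {dupes}")

    return problems


# Constructed sample entries; the GUID is made up, not a real provider's.
SAMPLE_ENTRIES: Dict[str, Tuple[str, str]] = {
    "good": ("{0123ABCD-4567-89EF-0123-456789ABCDEF}", "LOGON;UNLOCK;CHANGE"),
    "no_braces": ("0123ABCD-4567-89EF-0123-456789ABCDEF", "LOGON;UNLOCK;CHANGE"),
    "spaces": ("{0123ABCD-4567-89EF-0123-456789ABCDEF}", "LOGON; UNLOCK; CHANGE"),
    "stray_semicolon": ("{0123ABCD-4567-89EF-0123-456789ABCDEF}", "LOGON;UNLOCK;"),
}

if __name__ == "__main__":
    for label, (name, val) in SAMPLE_ENTRIES.items():
        issues = check_crp_filter_entry(name, val)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```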
Cause
The Filter option is active.
Procedure
1. To display the policy settings in the Microsoft Group Policy Editor, right-click the respective node in the left pane and de-select the option Filter on.
2. The navigation tree will close. Re-open the respective node to view the policy settings.