
PUBLIC Document Version: 1.2 10/2011

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com

Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software


This SAP software also contains the third-party open source software products listed below. Please note that for these third-party products the following special terms and conditions shall apply.

1. domainname-parser (http://code.google.com/p/domainname-parser/) Copyright (c) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Typographic Conventions

Type Style and Description:

Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon and Meaning: Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Installation and Configuration Guide: Enterprise Single Sign-On

Contents

1 Introduction [page 6]
1.1 About this Document [page 6]

2 Planning [page 7]
2.1 Hardware Requirements [page 7]
2.2 Software Requirements [page 7]
2.3 Smart Card Requirements [page 7]

3 Preparation [page 8]
3.1 Preparation Steps for Windows XP [page 8]
3.2 Preparation Steps for Java Applications [page 8]
3.3 Install Secure Login Client [page 9]
3.4 Preparation Steps for Citrix Use [page 9]

4 Installation, Update, and Removal [page 12]
4.1 Manual Installation [page 12]
4.2 Unattended Installation [page 15]
4.3 Modify Enterprise Single Sign-On Components [page 17]
4.4 Remove Enterprise Single Sign-On [page 18]
4.5 Complete Removal Options [page 19]
4.6 Update Enterprise Single Sign-On [page 20]

5 Configuration [page 21]
5.1 Card Reader Configuration [page 21]
5.2 Adding Group Policy Templates via Group Policy Editor [page 22]
5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options [page 24]
5.4 Apply E-SSO Filter [page 27]
5.5 Password Credential Options [page 29]
5.6 Certificate Credential Options [page 31]
5.7 Customize Tile Image Bitmaps [page 32]
5.8 Logon Settings [page 33]
5.9 Customizing Bitmaps for Smart Card [page 35]
5.10 Customizing PIN Pane Image Bitmap [page 37]
5.11 Local Management Console Options [page 38]
5.12 SSO User Activity Trace and Log Filter [page 40]
5.13 Web Setting [page 40]
5.14 LMC Setting [page 41]
5.15 Soft Token Settings [page 41]
5.16 Terminal Emulator Host Configuration [page 43]
5.17 Configuration of Smart Card Removal Behavior [page 44]

6 Additional Information [page 45]
6.1 Preparing Smart Cards for E-SSO [page 45]
6.1.1 E-SSO Smart Card Preparation Tool [page 45]
6.1.2 Preparing Smart Cards via Windows XP GINA [page 46]
6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login [page 46]
6.2 Distribute Applications, Blacklist and Policies to Users [page 47]
6.3 Handling Certificates [page 49]
6.3.1 Preparing the Microsoft Management Console for Certificates [page 49]
6.3.2 Where to Get More Information [page 50]

7 Troubleshooting [page 51]
7.1 Preliminary Troubleshooting [page 51]
7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On [page 51]
7.3 Smart Card Troubleshooting [page 52]
7.4 Multiple Smart Card Readers [page 52]
7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing [page 52]
7.6 Unable to Log In to the Network [page 52]
7.7 CRP Filter Does Not Disable Specified CRPs [page 53]
7.8 Web SSO Toolbar Does Not Appear [page 54]
7.9 Group Policies do Not Display Correctly [page 54]

1 Introduction

Enterprise Single Sign-On (E-SSO) helps end users log in to multiple systems or applications without the need to remember every password or logon dialog. After the end user is successfully authenticated to the Enterprise Single Sign-On application, further logon procedures to applications running under the system's control are carried out automatically.

Enterprise Single Sign-On supports the following methods of signing on to an application:

Windows logon (for smart card-based authentication only): This method can either be certificate-based or can use a user ID/password combination stored on the smart card.

Certificate-based authentication (for smart card-based authentication only): Certificate-based authentication is provided via standard interfaces such as the Microsoft Crypto-API or the GSS-API. The requirements of most applications, such as Internet browsers, e-mail clients, VPN clients, and so on, can be fulfilled via these interfaces. Windows logon and certificate-based authentication are not available for operation with a soft token.

Logon to Windows applications: This feature allows you to use Single Sign-On for password-protected Windows, .NET, terminal emulator, and Java applications.

Logon to Web sites (Web Single Sign-On): This feature allows you to log in to password-protected Web sites using Single Sign-On. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and management of sites for Single Sign-On.

1.1 About this Document


Purpose
This document describes how to install, customize, and remove Enterprise Single Sign-On on Windows XP, Windows Vista, and Windows 7.

Integration
To use Enterprise Single Sign-On you will need to install the following components on each client computer prior to Enterprise Single Sign-On:
.NET 3.0 or later (Windows XP only)
Oracle Java JRE/JDK 1.6
Oracle Java Access Bridge 2.0.2 for 32-bit and 64-bit systems
SAP NetWeaver Single Sign-On - Secure Login Client 1.0 SP1

Constraints
This guide does not provide information about how to use Enterprise Single Sign-On. For such information please see the User Guide.

2 Planning
2.1 Hardware Requirements
The hardware requirements of the operating system must be met.
At least 25 MB of free hard disk space for Enterprise Single Sign-On. For information about the space required by the Secure Login Client, see the Secure Login Installation, Configuration and Administration Guide. For other components, please see the respective documentation.
If smart cards are to be used, a PC/SC-compliant smart card reader will be needed.

2.2 Software Requirements


Windows XP Professional 32-bit SP3. The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. For more information, see Preparation Steps for Windows XP [page 8].
Microsoft Windows Vista SP2 32-bit (Business, Enterprise, or Ultimate)
Microsoft Windows 7 SP1 32-bit / 64-bit (Professional, Enterprise, or Ultimate)

2.3 Smart Card Requirements


Verify that a smart card reader is properly connected and recognized by the operating system. It is possible to connect a smart card reader after you have installed Enterprise Single Sign-On. However, we recommend connecting a card reader before the product installation. If you want to use Enterprise Single Sign-On with a third-party PKCS#11 library, you must first install the PKCS#11 library provided by the smart card vendor. To use third-party libraries, you will need a license from the library vendor. Only smart cards and middleware certified by SAP are supported in Enterprise Single Sign-On.

3 Preparation
3.1 Preparation Steps for Windows XP
Use
For Windows XP users, the computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. Normally, the configuration of Enterprise Single Sign-On clients is defined globally for an Active Directory domain or an organizational unit, and the workstations are members of this domain. This section details how to use the Group Policy Editor to add a domain/organizational unit to Enterprise Single Sign-On. If you intend to use Enterprise Single Sign-On with Windows XP, the .NET Framework 3.0 needs to be installed.

Prerequisites
You must start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed.
Microsoft Windows XP Professional 32-bit SP3. The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature.

Procedure
1. On the server or workstation, create a domain/organizational unit. For more information, see the Microsoft documentation: http://technet.microsoft.com/enus/library/cc785077(WS.10).aspx.
2. Download and install .NET Framework v.3.0 or above. To download and get more information, see the Microsoft Website: http://www.microsoft.com/downloads/en/default.aspx.

3.2 Preparation Steps for Java Applications


Use
Enterprise Single Sign-On uses Java technology to login to Java-based applications. A certain amount of manual configuration is needed to ensure correct operation.

Prerequisites
Close all running applications prior to installation.

Procedure
1. Download and install the latest Java Runtime Environment (JRE) or Java Development Kit (JDK) 1.6 for the target environment (32-bit or 64-bit). To download the JRE/JDK, see the Java website: http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Download Java Access Bridge 2.0.2 (for both 32-bit and 64-bit systems): http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136191.html
3. Manually configure the Java Access Bridge component. This will vary according to version:
For information about how to install Java Access Bridge 2.0.2 under 32-bit systems, see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-32bit
For information about how to install Java Access Bridge 2.0.2 under Windows 7 64-bit, see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-64bit

3.3 Install Secure Login Client


Use
The Secure Login Client installer will install base components and functions that are necessary for the correct operation of Enterprise Single Sign-On. The Secure Login Client can be downloaded from the SAP Marketplace (also as a part of the NetWeaver Single Sign-On package).

Prerequisites
Close all running applications prior to installation.

Procedure
Download and install the Secure Login Client package. For more information on installation, see the Secure Login Client Installation, Configuration and Administration Guide.

3.4 Preparation Steps for Citrix Use


Use
If you wish to use Enterprise Single Sign-On in a Citrix environment, you must prepare the server and client machines. This section details the specific steps for each component. This version of Enterprise Single Sign-On only supports soft tokens under Citrix; smart cards are not supported.

Prerequisites
If you want to use Citrix, you must buy a license from Citrix Systems, Inc. (see www.citrix.com). Read the license agreement carefully. You are only allowed to install the library if you have paid the license fee.
Citrix Presentation Server 4.5 must be installed. For a detailed description of the installation and configuration of the Citrix Presentation Server, consult the relevant Citrix documentation (see www.citrix.com).
Citrix ICA Client software must be installed. For a detailed description of the installation and configuration of the Citrix Presentation Server, consult the relevant Citrix documentation (see www.citrix.com).
Ensure that no smart card reader is connected to the server and the client before proceeding.

Prepare the Server Machine


1. Switch Citrix Presentation Server to install mode:
Turn on: change user /install
Turn off: change user /execute

2. Install .NET Framework 3.0. See Preparation Steps for Windows XP [page 8].

3. Install JRE. See Preparation Steps for Java Applications [page 8].

4. When installing the Secure Login Client, enable the Terminal Server Components (custom setup). For more information, see the Secure Login Client Installation, Configuration and Administration Guide.

5. When installing Enterprise Single Sign-On, disable all smart card components (custom setup). See Installation, Update, and Removal [page 12].

6. Restart the computer to complete Enterprise Single Sign-On installation.

7. Configure the server desktop via the Citrix Access Management Console to ensure that the client can connect to the Citrix Presentation Server and access all Enterprise Single Sign-On features and components. For more information, consult the relevant Citrix documentation.

Prepare the Client Machine


8. In the Citrix Program Neighborhood main menu, select Tools > ICA Settings. The ICA Settings dialog will appear. Enable Pass-Through Authentication and Use local credentials to log on.

9. In the Citrix Program Neighborhood toolbar, click the Settings icon. The Settings dialog will appear. Enter information in the User name and Domain fields and click OK.

4 Installation, Update, and Removal

4.1 Manual Installation
Use
Manual installation of Enterprise Single Sign-On.

Prerequisites
Make sure that the following components have been installed before installing Enterprise Single Sign-On:
Windows XP only: Install Microsoft .NET Framework 3.0 or above. See Preparation Steps for Windows XP [page 8].
Install the latest Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].
Install Java Access Bridge. See Preparation Steps for Java Applications [page 8].
If you want to use a smart card, install the third-party middleware. See Smart Card Requirements [page 7].
Install the Secure Login Client version that is released in the same NetWeaver Single Sign-On download package. For information about the installation, see the Secure Login Client Installation, Configuration and Administration Guide.

Procedure
1. Open the Enterprise Single Sign-On MSI package (double-click Enterprise Single Sign-On.msi, or Enterprise Single Sign-On_x64.msi).

2. The Welcome dialog will appear. Click Next.

3. The Setup Type dialog will appear. This dialog helps you choose between the following types of installation:

Typical: Select this if you want to install the most common Enterprise Single Sign-On components.

Custom: Select this if you want to manually select specific components for installation.

Click Next and proceed to the next step.

4. If you selected Custom in the previous step, on 64-bit systems, the Custom Setup dialog will appear. The Custom Setup dialog helps you modify Enterprise Single Sign-On components. You can select the following components for installation:

Smartcard support > Credential Provider: Install support for PKCS#11 providers.
Smartcard support > Checkpoint Support: Install support for the Checkpoint VPN client.
Internet browser plug-ins > Microsoft Internet Explorer Support: Install the Enterprise Single Sign-On plug-in for Internet Explorer 64-bit.
Internet browser plug-ins > Microsoft Internet Explorer Support for x86: Install the Enterprise Single Sign-On plug-in for Internet Explorer 32-bit.
Internet browser plug-ins > Mozilla Firefox Support for x86: Install the Enterprise Single Sign-On plug-in for Mozilla Firefox 32-bit.

5. The Authentication Method dialog will appear. Depending on your requirement, select Smart Card or Soft Token.

If you selected Smart Card Support components in the Custom Setup dialog and select Soft Token as the authentication method in the Authentication Method dialog, the features of the Smart Card Support components will be deployed but deactivated. You can activate the Smart Card Support components by switching to Smart Card Mode via the Local Management Console. For more information on switching authentication methods, see the Enterprise Single Sign-On User Guide.

6. The Ready to Install the Program dialog will appear. Click Install to start the installation (this can take a few minutes).

7. The completion dialog will appear. Click Finish.

8. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes.

9. The product is now installed using default values for most of the settings. For information about how to customize Enterprise Single Sign-On to your requirements, see Configuration [page 21].

4.2 Unattended Installation


Use
Unattended installation allows Enterprise Single Sign-On to be installed without the need for user interaction.

Prerequisites
Windows XP only: Install Microsoft .NET Framework 3.0. See Preparation Steps for Windows XP [page 8].
Install Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].
Install Java Access Bridge 2.0.1. See Preparation Steps for Java Applications [page 8].
Install third-party middleware. For a list of supported middleware, see Smart Card Requirements [page 7].
Install Secure Login Client 1.0. For more information, see the Secure Login Client Installation, Configuration and Administration Guide.

Procedure
1. To open the Enterprise Single Sign-On MSI package, open a Command window:
Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and click OK.

2. The Command window will appear. Navigate to the directory in which the installation package is located.

3. To install in quiet mode with no user interaction, use the following syntax with options:
msiexec /i "Enterprise Single Sign-On.msi" <PROPERTY> /qn

Enterprise Single Sign-On Installation Properties

Property: Description
GINA (Windows XP only): Install support for Windows XP Graphical Identification and Authentication (GINA).
CRP (Windows Vista and Windows 7 only): Install support for Windows Vista and Windows 7 Credential Provider (CRP).
CHECKPOINT: Install support for the Checkpoint VPN Client.
IE: Install support for Internet Explorer 64-bit.
IE_X86: Install support for Internet Explorer 32-bit on 32-bit and 64-bit systems.
FIREFOX: Install support for Firefox 32-bit.
FIREFOX_x86: Install support for Firefox 32-bit on 64-bit systems.
AUTH=Smartcard: Enable smart card as the primary authentication method. Note: This parameter is case-sensitive.
AUTH=Softtoken: Enable soft token as the primary authentication method. Note: This parameter is case-sensitive.
SCRIPT: Enable COM-based scripting to log in to legacy applications with credentials stored on smart cards.

Example Syntax for Unattended Installation

Operating System: Windows XP; Authentication Method: Smart Card
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=GINA,CHECKPOINT,IE,FIREFOX AUTH=Smartcard

Operating System: Windows XP; Authentication Method: Soft Token
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=GINA,CHECKPOINT,IE,FIREFOX AUTH=Softtoken

Operating System: Windows Vista / Windows 7 32-bit; Authentication Method: Smart Card
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE_X86,FIREFOX AUTH=Smartcard

Operating System: Windows Vista / Windows 7 32-bit; Authentication Method: Soft Token
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE_X86,FIREFOX AUTH=Softtoken

Operating System: Windows 7 64-bit; Authentication Method: Smart Card
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE,IE_x86,FIREFOX AUTH=Smartcard

Operating System: Windows 7 64-bit; Authentication Method: Soft Token
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE,IE_x86,FIREFOX AUTH=Softtoken
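The following PowerShell function is an added example and is not part of the SAP guide or the product. It wraps the msiexec syntax from section 4.2 and the example syntax table above so that an administrator can run the same unattended installation on many workstations, keep a Windows Installer log, and get a machine-readable result instead of a silent exit code. The feature lists per operating system are those of the example table; the function name, its parameters, the log location and the exit-code handling are this example's own assumptions, and /qn and /l*v are standard Windows Installer switches.

```powershell
# Added example, not from the SAP guide or the product: wraps the documented command
#   msiexec /i "Enterprise Single Sign-On.msi" <PROPERTY> /qn
# so the same unattended install can be pushed to many workstations with a log and a
# machine-readable result. Assumed by this example: the function and parameter names,
# the log location, and the exit-code handling. Feature lists per operating system
# follow the guide's "Example Syntax for Unattended Installation" table.
function Install-ESSOUnattended {
    [CmdletBinding()]
    param(
        # AUTH is case-sensitive (guide, section 4.2): only the two documented spellings pass
        [Parameter(Mandatory)]
        [ValidateSet('Smartcard', 'Softtoken', IgnoreCase = $false)]
        [string]$AuthMethod,

        # Package file from section 4.1; pass 'Enterprise Single Sign-On_x64.msi' for the 64-bit package
        [string]$MsiName = 'Enterprise Single Sign-On.msi',
        [string]$PackageDir = (Get-Location).Path,

        # Optional features from the property table
        [switch]$Checkpoint,     # CHECKPOINT: Checkpoint VPN client support
        [switch]$ComScripting,   # SCRIPT: COM-based scripting for legacy applications

        # Verbose Windows Installer log (/l*v); the location is this example's assumption
        [string]$LogPath = (Join-Path $env:TEMP 'esso-install.log')
    )

    # Logon component and browser plug-ins per host, as in the guide's example table:
    #   Windows XP            GINA, IE, FIREFOX
    #   Vista / Win 7 32-bit  CRP, IE_X86, FIREFOX
    #   Windows 7 64-bit      CRP, IE, IE_x86, FIREFOX
    # The guide prints the 32-bit IE feature as both IE_X86 and IE_x86; MSI feature names are
    # case-sensitive, so check the package's Feature table if one spelling is rejected.
    $osMajor = [Environment]::OSVersion.Version.Major   # 5 = Windows XP, 6 = Vista / Windows 7
    $is64Bit = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    if ($osMajor -lt 6) {
        $features = @('GINA', 'IE', 'FIREFOX')
    } elseif ($is64Bit) {
        $features = @('CRP', 'IE', 'IE_x86', 'FIREFOX')
    } else {
        $features = @('CRP', 'IE_X86', 'FIREFOX')
    }
    if ($Checkpoint)   { $features += 'CHECKPOINT' }
    if ($ComScripting) { $features += 'SCRIPT' }

    $msiPath = Join-Path $PackageDir $MsiName
    if (-not (Test-Path -LiteralPath $msiPath)) {
        throw "Installation package not found: $msiPath"
    }

    # Quote paths that contain spaces; keep ADDLOCAL free of spaces or msiexec reads the
    # remainder of the list as a separate argument
    $argList = @(
        '/i', ('"{0}"' -f $msiPath),
        ('ADDLOCAL={0}' -f ($features -join ',')),
        "AUTH=$AuthMethod",
        '/qn',
        '/l*v', ('"{0}"' -f $LogPath)
    )
    Write-Verbose ('msiexec ' + ($argList -join ' '))

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru

    # Windows Installer exit codes: 0 = success, 3010 = success but reboot required
    # (the guide says the restart completes the installation); anything else is a failure
    $rebootRequired = switch ($proc.ExitCode) {
        0       { $false }
        3010    { $true }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }

    [pscustomobject]@{
        Package        = $MsiName
        Features       = ($features -join ',')
        AuthMethod     = $AuthMethod
        RebootRequired = $rebootRequired
        LogPath        = $LogPath
    }
}

# Usage, from an elevated PowerShell session in the directory holding the package:
# Install-ESSOUnattended -AuthMethod Smartcard -Checkpoint -Verbose
```

The returned object's RebootRequired field lets a deployment job schedule the restart that the guide says completes the installation, and the log path points at the verbose Windows Installer log to read when the exit code is anything other than 0 or 3010.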

4.3 Modify Enterprise Single Sign-On Components


Use
Display the Custom Setup dialog to modify Enterprise Single Sign-On components.

Prerequisites
You need administrator rights (role or group member) to be able to modify Enterprise Single Sign-On.

Procedure
1. Open the Enterprise Single Sign-On MSI package: double-click Enterprise Single Sign-On.msi.

2. The Welcome dialog will appear. Click Next.

3. The Program Maintenance dialog will appear. Select Modify and click Next.

4. The Custom Setup dialog will appear. Modify each of the components in the list by clicking an entry and selecting the appropriate action from the context menu, then click Next. For more information on these components, see Manual Installation [page 21]. If you installed Firefox after installing Enterprise Single Sign-On, you will need to use the modify feature to install the Firefox support component to enable the Web SSO toolbar in Firefox. See Web SSO Toolbar Does Not Appear [page 54].

5. The Ready to Modify the Program dialog will appear. Click Install to execute the changes.

6. After a while, the completion dialog will appear. Click Finish.

7. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes. Enterprise Single Sign-On is now modified.

4.4 Remove Enterprise Single Sign-On


Use
Remove Enterprise Single Sign-On via the Control Panel or MSI package.

Prerequisites
You need administrator rights (role or group member) to remove Enterprise Single Sign-On. Please close Microsoft Internet Explorer and Mozilla Firefox before removing Enterprise Single Sign-On. This will aid the removal of the Enterprise Single Sign-On browser plug-in.

Remove Enterprise Single Sign-On via the Control Panel


1. Open the following Windows Control Panel:
Windows XP: Start > Settings > Control Panel > Add or Remove Programs
Windows Vista and Windows 7 (classic view): Windows logo > Control Panel > Programs and Features

2. Select Enterprise Single Sign-On from the programs list and click Uninstall. The removal process will start.

3. A dialog will appear asking you to confirm the removal. Click Yes. If the Windows Vista or Windows 7 User Account Control is active, a dialog will appear asking you to confirm the action. Click Allow to continue.

4. You will be prompted to reboot the computer. Click Yes to complete the removal.

This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].

Remove Enterprise Single Sign-On via the MSI Package


1. Open the Enterprise Single Sign-On MSI package: double-click Enterprise Single Sign-On.msi.

2. The Welcome dialog will appear. Click Next.

3. The Program Maintenance dialog will appear.

4. Select Remove and click Next.

5. The Remove the Program dialog will appear.

6. The completion dialog will appear. Click Finish to close the dialog and complete the procedure.

7. You will be prompted to restart your computer to complete Enterprise Single Sign-On removal.

This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].

Unattended Removal
1. Open a Command window:
Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and click OK.

2. The Command window will appear. Navigate to the directory in which the Enterprise Single Sign-On installation package (Enterprise Single Sign-On.msi) is located.

3. To start the removal, enter the following syntax:
msiexec /x "Enterprise Single Sign-On.msi"

This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].

4.5 Complete Removal Options


Use
Removing Enterprise Single Sign-On via the MSI installer does not remove some user data and files, for example, soft tokens (this mechanism has been implemented to allow an administrator to remove an older version of the product and install a new version without having to re-initialize the application and re-capture credentials). This section details how to remove user data after the main application has been removed (as detailed in the previous sections). This section does not detail how to remove Secure Login. Those details can be found in the SAP Secure Login Installation, Configuration and Administration Guide.

Prerequisites
Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18].

Procedure
1. Remove the remaining data and files from the installation directory:
   Windows XP: Select Start > Run. Enter %AppData%\SAP in the Open field and click OK.
   Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter %AppData%\SAP in the Search programs and files field and click OK.
2. Delete the signon directory.
3. To remove registry entries made by Enterprise Single Sign-On, open the Windows Registry Editor (regedit) and delete the following entries:
   HKEY_LOCAL_MACHINE\SOFTWARE\SAP\signon
   HKEY_CURRENT_USER\Software\SAP\signon

4.6 Update Enterprise Single Sign-On


Use
Update Enterprise Single Sign-On to the latest version. For E-SSO 1.0.0 it is also necessary to update the Java Access Bridge and Secure Login Client to newer versions.

Prerequisites
You need administrator rights (role or group member) to perform the update procedure.

Procedure
1. Update the Secure Login Client. For information, see the Secure Login Configuration and Installation Guide.
2. Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18]. It is not necessary to restart the computer. This does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].
3. If upgrading from E-SSO 1.0.0, remove Java Access Bridge 2.0.1.
4. Restart the computer.
5. If upgrading from E-SSO 1.0.0, install Java Access Bridge 2.0.2. See Preparation Steps for Java Applications [page 8].
6. Install Enterprise Single Sign-On 1.x. See Preparation Steps for Java Applications [page 12]. If you intend to re-use the existing credential store (soft token or smart card), make sure you re-install the correct authentication method; this can also be changed after installation via the Local Management Console.


5 Configuration
Some of the steps in this chapter involve modifications to the Windows registry. Incorrectly modifying the registry can cause serious problems that may require the reinstallation of the operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Although the modification process has been made as foolproof as possible (semi-automated via group policies), there may still be unforeseen conflicts; most of them are out of scope of this product. Manual modification of the registry is not considered part of this product and may be attempted at your own risk.

5.1 Card Reader Configuration


Use
If you have more than one smart card reader connected to the client computer and you intend to use one of them with Enterprise Single Sign-On, you must use the Enterprise Single Sign-On Card Configuration Tool to define the card reader intended for use with Enterprise Single Sign-On. You can configure the card reader any time after installing Enterprise Single Sign-On.

Procedure
1. Start the Enterprise Single Sign-On Card Configuration Tool as follows:
   Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool
   Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-SSO Card Configuration Tool
2. The Enterprise Single Sign-On Card Configuration Tool dialog will appear. The active card reader configuration is listed in the upper field Current Configuration. Click Refresh to update the list of currently connected smart card readers in the Available PC/SC smart card readers combo-box. Enable Favour readers with inserted smart card if you want to automatically display only those readers that currently have a smart card inserted in them (click Refresh first!). Click Reset in the lower left corner to erase the active settings.
3. Select the card reader you want from the Available PC/SC smart card readers combo-box and click OK. The E-SSO Card Configuration Tool dialog will close.
4. To complete card reader configuration:
   Windows XP: Restart your system.
   Windows Vista and Windows 7: Log off and log back in to the system.


5.2 Adding Group Policy Templates via Group Policy Editor


Use
Add Enterprise Single Sign-On templates to the Group Policy Editor for the purpose of E-SSO configuration. Local configuration: If you are not a member of a domain, you can also define the settings locally using the Microsoft Group Policy Editor. As a member of a domain: You can run the Microsoft Group Policy Editor if your workstation is a member of a domain.

Prerequisites
If you are running the Microsoft Group Policy Editor as a member of a domain, your workstation must be connected to the domain for the settings to take effect. If your workstation is offline, the settings will not be applied to the registry. For a detailed description, consult the relevant Microsoft documentation.

Procedure
1. To start the Microsoft Group Policy Editor:
   Windows Vista / Windows 7: click Start, enter gpedit.msc in the Search programs and files field and press Return.
   Windows XP: click Start > Run, enter gpedit.msc in the Open field and click OK.
2. The Group Policy Editor window will appear.
3. Open the Computer Configuration node, right-click the Administrative Templates node and select Add/Remove Templates from the context menu.
4. The Add/Remove Templates dialog will appear.
5. Click Add.
6. The Policy Templates dialog is shown. Locate the following directory in the Enterprise Single Sign-On delivery package: Extras\adm\en.
   For Windows XP: Use the Ctrl key to select the files csp_xp.adm, gina_xp.adm, and signon.adm. Click Open.
   For Windows Vista and Windows 7: Use the Ctrl key to select the files crp.adm and signon.adm. Click Open.
7. The Add/Remove Templates dialog will reappear; click Close.
8. The templates are now imported into the Group Policy Editor. Click Administrative Templates > SAP AG to view the Enterprise Single Sign-On configuration options.
9. You are now ready to configure Enterprise Single Sign-On. The following sections detail each of the configuration options.


5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options
Use
Configure the parameters related to the behavior of the CRP. These parameters apply only to smart card-based authentication; they cannot be used for soft token authentication.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options

Parameters
Allow logon certificate expiration check: This parameter allows the certificate on the smart card to be checked for validity; the logon process only continues if the certificate is valid. Enabled: The certificate validity check is performed after the user clicks the OK button in the Windows logon PIN dialog. The certificate is valid if the system date and time is within the validity range of the authentication certificate. If the certificate is invalid, an error message is displayed. Disabled: The certificate validity check is deactivated for both the Windows logon and the screen unlock.

Allow logon certificate expiration warning: This parameter sets an integer value that indicates the number of days before a certificate expires. A maximum of 60 days is possible. The warning will appear as a text message in the Windows Logon user interface.

Allow logon certificate update: Enabled: The CRP checks for new certificates during logon and screen unlock. Disabled: No CRP check will be performed.

Allow logon help wizard: Enabled: The Logon Help link is visible in the selected CRP. It supports the functions that allow the user to change the PIN and unblock the token. Disabled: The Logon Help link is not displayed in the selected CRP.

Allow unlock certificate expiration check: This parameter allows the certificate validity check on Windows unlock. The setting can only be enabled if the parameter Allow logon certificate expiration check is also enabled. When the parameter is enabled, the certificate is checked using the same rules as for Windows logon.

Default key container label: This parameter defines, via its label, the certificate to be used for certificate-based Windows logon. Enter the PKCS#11 label of the certificate you want to use. It can be either User Certificate or Signing Certificate.

Enable SAP Certificate Based Logon: This parameter enables logon to Windows using the credentials contained within the certificate; the user need only authenticate via a PIN. Enabled: The E-SSO certificate-based logon will not be filtered. Disabled: The E-SSO certificate-based logon is filtered.

Enable SAP Password Based Logon: This parameter enables logon to Windows using the username and password of the user contained on the smart card. Enabled: The E-SSO password-based logon will not be filtered. Disabled: The E-SSO password-based logon is filtered.

Filter: This parameter allows you to disable any registered Credential Provider (CRP) used for the Windows Logon. Basic description (for a full description see Apply E-SSO Filter [page 27]): Double-click the Filter entry to open the Filter Properties dialog. Enable the parameter and click Show to display the Show contents dialog. Click Add to display the Add Item dialog for filter entries. The Enter the name of the item to be added field should contain the value of the GUID enclosed in { } (braces). For example: {25CBB996-92ED-457e-B28C-4774084BD562}. The Enter the value of the item to be added field should contain the scenarios to which the E-SSO filter is applied, separated by ';' (semicolon), with no spaces between each scenario. For example: <LOGON;UNLOCK;CHANGE;CREDUI>. The scenarios to which the E-SSO filter can be applied are as follows:
   LOGON (restarting computer, switching user, logging off computer)
   UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)
   CHANGE (pressing Ctrl-Alt-Delete then selecting 'Change Password'; forced password change)
   PLAP (Pre-Logon-Access Provider screen)
   CREDUI (for authentication on remote machines, prompting in User Account Control)
   If you leave an empty string, the default filter values are applied to all 5 scenarios.

Prevent smart card lock on workstation lock: If this parameter is enabled, it prevents the smart card from being locked when the workstation is locked. This parameter can be used, for example, by PMF scripts for underlying applications that still require smart card access. Per default, this parameter is set to disabled and the smart card is always locked.


5.4 Apply E-SSO Filter


Use
The E-SSO Filter has been provided to disable any registered CRP for logon under Microsoft Windows Vista/7. The E-SSO Filter can be administrated from a central location via Group Policy Objects. This parameter allows you to, for example, filter out (hide) all CRPs so that the only one left can be used for Windows logon via smart card / Enterprise Single Sign-On. To remove a CRP from the Windows logon, the administrator has to enable the E-SSO filter policy in the Group Policy Object Editor. The Filter parameter applies only to smart card-based authentication; it cannot be used for soft token authentication!

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Procedures
1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options.
2. Double-click Filter.
3. The Filter dialog will appear. Select Enabled and click Show (in the Options panel).
4. The Show Contents dialog will appear. The Value name field is for the GUID of the CRP that you want to filter out, which will therefore not be available to the user. The GUID must be obtained via the Registry Editor, as detailed in the next steps. The Value field is for the scenarios to which the E-SSO filter will be applied.
5. Open the Windows Registry Editor. Click Start and enter regedit into the Search programs and files field.
6. Open the folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
7. You should now see a list of folders, each named with a number/letter combination. This combination is also known as the GUID. Each of them represents a CRP registered with Windows. Click each one to display its values in the right panel and thereby identify the purpose of the CRP.
8. Copy & paste the number/letter combination of the folder (the GUID) including the braces! For example: {25CBB996-92ED-457e-B28C-4774084BD562}. To copy the folder/GUID name: Right-click the folder and select Rename from the context menu. The folder name will be highlighted and ready to be changed. Press Ctrl-C to copy the name; DO NOT change it! Abort the Rename function by clicking elsewhere in the Registry Editor window. A list of default GUIDs in Windows Vista and Windows 7 can be found at the end of this section. See Default GUIDs [page 29].
9. Go back to the Show Contents dialog. Paste the folder/GUID name into the Value name field.
10. In the Value field, enter the names of the scenarios to which the CRP filter will be applied. The scenarios must be separated by ';' (semicolon), with no spaces between each one. For example: <LOGON;UNLOCK;CHANGE>. The scenarios to which the Enterprise Single Sign-On filter can be applied are as follows:
   LOGON (restarting computer, switching user, logging off computer)
   UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)
   CHANGE (pressing Ctrl-Alt-Delete then selecting 'Change Password'; forced password change)
   PLAP (Pre-Logon-Access Provider screen)
   CREDUI (for authentication on remote machines, prompting in User Account Control)
   If you leave an empty string, the filter will be applied for all 5 scenarios.
11. Click OK to close the Add Item dialog. The GUID of the CRP has now been added to the CRP filter.
12. Repeat the steps to add other providers to the CRP list.
13. To delete CRPs: Windows Vista / 7: highlight an entry and press the Del (delete) key.

Default GUIDs
Credential Provider: GUID
Generic Provider: {25CBB996-92ED-457e-B28C-4774084BD562}
Network Provider (NPProvider): {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
Password Provider: {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
Smartcard Credential Provider: {8bf9a910-a8ff-457f-999f-a5ca10b4a885}

Additional third-party CRPs can be found in the following registry hive: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
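The registry walk in steps 5 to 8 above and the value format required by the Filter parameter (CRP Common Options) can be checked from an administrative PowerShell prompt before anything is entered in the Show Contents dialog. The script below is an added example, not part of the SAP guide or product; the function names Get-RegisteredCredentialProvider and Test-CrpFilterEntry are assumptions, and the GUID table is the Default GUIDs list from this section.

```powershell
# Added example (not part of the SAP guide): list the Credential Providers
# registered on this machine and check a planned Filter entry before it is
# typed into the Group Policy Show Contents dialog.

# Registry hive named in the guide; each subkey name is the GUID of one CRP.
$crpHive = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Default GUIDs listed in the guide for Windows Vista and Windows 7.
$knownProviders = @{
    '{25CBB996-92ED-457e-B28C-4774084BD562}' = 'Generic Provider'
    '{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}' = 'Network Provider (NPProvider)'
    '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' = 'Password Provider'
    '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}' = 'Smartcard Credential Provider'
}

# The five scenarios the Filter parameter accepts, spelled as in the guide.
$validScenarios = @('LOGON', 'UNLOCK', 'CHANGE', 'PLAP', 'CREDUI')

function Get-RegisteredCredentialProvider {
    # One object per registered CRP: its GUID, the key's (default) value (usually
    # the provider name) and the description from the guide's Default GUIDs list.
    Get-ChildItem -Path $crpHive | ForEach-Object {
        $guid = $_.PSChildName
        $defaultName = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $knownAs = 'third-party or other'
        if ($knownProviders.ContainsKey($guid)) { $knownAs = $knownProviders[$guid] }
        [PSCustomObject]@{ Guid = $guid; DefaultName = $defaultName; KnownAs = $knownAs }
    }
}

function Test-CrpFilterEntry {
    param(
        [Parameter(Mandatory)] [string] $Guid,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Scenarios
    )
    # Value name: the GUID including its braces, exactly as copied from the registry.
    if ($Guid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        return "Invalid value name '$Guid': expected a GUID enclosed in braces"
    }
    # Value: an empty string means the filter applies to all five scenarios.
    if ($Scenarios -eq '') { return "OK: empty value, filter for $Guid applies to all 5 scenarios" }
    # Scenarios are separated by ';' with no spaces between them.
    if ($Scenarios -match '\s') {
        return "Invalid value '$Scenarios': no spaces are allowed between scenarios"
    }
    foreach ($scenario in $Scenarios -split ';') {
        if ($validScenarios -cnotcontains $scenario) {
            return "Invalid scenario '$scenario': allowed values are $($validScenarios -join ';')"
        }
    }
    return "OK: filter '$Scenarios' for $Guid"
}

# Usage: show every registered CRP, then validate the entry that would hide the
# built-in Password Provider for the logon, unlock and password-change scenarios.
Get-RegisteredCredentialProvider | Format-Table -AutoSize
Test-CrpFilterEntry -Guid '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' -Scenarios 'LOGON;UNLOCK;CHANGE'
Test-CrpFilterEntry -Guid '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' -Scenarios 'LOGON; UNLOCK'   # rejected: space
```

Run it with administrative rights on the workstation whose providers you want to filter; the KnownAs column tells you which of the listed GUIDs are the built-in providers from the table above.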

5.5 Password Credential Options


Use
Configure the parameters related to the appearance of the Enterprise Single Sign-On Logon dialog for the password provider. These parameters apply only to smart card-based authentication; they cannot be used for soft token authentication.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]


Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options

Parameters
Allow auto password generation: This parameter supports the automatic generation of a Windows logon password if a password change is requested. Per default, this parameter is disabled. When the parameter is disabled, the CRP performs a normal interactive password change.

Allow view UPN certificate: This parameter allows you to enable or disable the certificate user name presentation. This parameter is only used by the password-based CRP that has an additional certificate stored on the smart card. The CRP for certificate-based logon presents the certificate subject as soon as the smart card is inserted. If this parameter is disabled, a default text is used. With this parameter enabled, the User Principal Name attribute of the public authentication certificate on the smart card is read out by the CRP and presented to the user as text. The parameter should show the name of the user, for example, <John.Doe@domain> without the domain name. If no name could be extracted, the policy is treated as disabled. By default, this parameter is disabled in the CRP.

Prevent password expire message: In case the Windows password is about to expire, a message is displayed where you can choose whether you want to change the password now. If the user rejects, a normal logon is performed. If the user accepts the message by clicking the OK button, a password change is performed. If this parameter is activated (and the automatic password change policy is activated), the message will not be shown and the password will be changed immediately without user interaction. Per default the parameter is deactivated and the message is always shown.

Set custom tile image for password credential: The customer image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory). See Customize Tile Image Bitmaps [page 32] for more information about customizing tile image bitmaps.


5.6 Certificate Credential Options


Use
Configure the parameters related to the appearance of the Enterprise Single Sign-On Logon dialog for the certificate provider. This parameter applies only to smart card-based authentication; it cannot be used for soft token authentication.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Certificate Credential Options

Parameters
Set custom tile image for certificate credential: The customer image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory). See Customize Tile Image Bitmaps [page 32].


5.7 Customize Tile Image Bitmaps


Use
Customize tile image bitmaps for a password or certificate credential. This parameter applies only to smart card-based authentication; it cannot be used for soft token authentication.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Procedures
1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options or Certificate Credential Options.
2. Double-click Set custom tile image for password (or certificate) credential.
3. The Set custom tile image for password (or certificate) credential Properties dialog will appear.
4. Select Enabled.
5. Enter the location of the bitmap into the field. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps\CRP_tile_logo.bmp, and not in the %Program Files% directory).
6. Click Apply to save the changes and click OK to close the window.


5.8 Logon Settings


Use
Configure the parameters related to Windows XP logon. The parameters in this section apply only to smart card-based authentication; they cannot be used for soft token authentication.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings

Parameters
Background refresh for fast screen unlock: Enter one of the following values to enable or disable the background refresh: 0: Background refresh disabled; 1: Background refresh enabled. If this parameter is enabled, the parameter Timeout for fast screen unlock is ignored.

Custom Bitmaps: The smart card image bitmap is normally installed and configured during product installation. Use this parameter to define a custom smart card image: enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (160 wide x 100 high in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\SC.bmp. See Customizing Bitmaps for Smart Card [page 35].

Default Domain: This parameter defines the default domain to use for the Windows logon if more than one Windows domain exists.

Display Options: You can specify the display options of the E-SSO Logon dialog. Disable GINA dialog elements: You can disable either or both of the Dialup Checkbox and the Domain Selection. Select Show Enter PIN Options to display all PIN options on the E-SSO Logon dialog. To show the PIN option that was used during the previous login, select Show Enter PIN Options persistent. Enable Check Logon with certificate persistent to limit the Windows logon options to certificate-based logon only. Note: This option is only applicable if the parameter Enable certificate-based logon is enabled.

Enable certificate-based logon: This parameter enables certificate-based logon.

Enable Generate new password for new entry: If this parameter is enabled, new passwords will automatically be generated for new entries on logon. Passwords will automatically be changed if the domain requires changing the logon password.

Enable password-based logon: This parameter enables password-based logon.

Generated password length: This parameter specifies the default password length. Another policy that sets the minimum password length may exist. To ensure that this parameter does not interfere with other parameters, make sure that the default password length is greater than or equal to the minimum password length set by other policy settings. You can check the policies in the following registry settings:
   [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
   Value Name: MinPwdLen
   Data Type: REG_BINARY (Binary Value)

Lock token if workstation is locked: When enabled, this parameter closes the token if the workstation is locked and the token remains on the reader. Attention: A locked token is more secure but can cause some conflict (for example, if an application needs to access the token in locked workstation mode).

Logging location: If logging is enabled, this parameter specifies the location of a log. The default log file is located in C:\temp\login.log.

Logon password not stored: If this parameter is enabled, the Windows logon password will not be stored on the smart card. The user will be asked for the Windows logon password on every logon.

Message box caption: Specify a message box caption. This parameter is enabled per default.

PIN pane image: Instead of a white background image, you can specify a new image for the Enterprise Single Sign-On logon and unlock dialogs. Enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (455 wide x 70 high in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\PINpane.bmp. See Customizing PIN Pane Image Bitmap [page 35].

Prevent logon without smart card: If this parameter is enabled, you can only log in using a smart card. If this parameter is disabled, you can log in using CTRL-ALT-DEL and entering User ID and password. NOTE: If this parameter is enabled, logging in to the system with a defective card reader or an absent smart card will not be possible. This parameter will be set after the first successful smart card logon.

ShowPwdExpiresMsg: In case the Windows password is about to expire, a message will be displayed prompting the user to change the password now or later. If this parameter is disabled and automatic password change is activated, the message will not be shown and the password will be changed without user interaction.

Timeout for fast screen unlock: This parameter defines the period of time (in minutes) for the fast screen unlock. If the value is 0, fast screen unlock is inactive and the system performs full authentication. If the last screen unlock or login is less than the time window set, a fast screen unlock is carried out. If the last screen unlock is greater than the time window set, a full screen unlock including refresh of the Kerberos tickets is performed.

Use certificate-based logon by default: This parameter defines the default logon option if both the certificate-based logon and the password-based logon are enabled.

Validate logon certificate expiration: If this parameter is enabled, the expiry date of the logon certificate will be checked during logon. Optionally, the certificate expiry date can be checked during unlock. The user will not be allowed to log on if the certificate has expired. Note: No CRL checking is performed! This feature can delay the logon procedure for password logon.

Warn for logon certificate expiration: If this parameter is enabled, the expiry date of the logon certificate will be checked during logon and unlock. A warning message will be displayed if the certificate will expire within a defined number of days.
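The check recommended under Generated password length (default length at least the MinPwdLen minimum from the two Policies\Network keys) can be scripted so it is done before the value goes into the policy. This PowerShell script is an added example, not SAP code; the function names are assumptions, and it decodes the REG_BINARY value as a little-endian integer, which is how the raw bytes are read back through the registry provider.

```powershell
# Added example (not part of the SAP guide): compare the value you intend to set
# for Generated password length with the MinPwdLen policy the guide points to.

# Registry locations named in the guide (Value Name: MinPwdLen, Data Type: REG_BINARY).
$policyKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'
)

function ConvertFrom-RegBinaryInt {
    param([byte[]] $Bytes)
    # REG_BINARY is returned by the registry provider as a byte array; interpret
    # it as a little-endian unsigned integer. Empty or oversized values give $null.
    if ($null -eq $Bytes -or $Bytes.Length -eq 0 -or $Bytes.Length -gt 4) { return $null }
    $value = [long] 0
    for ($i = $Bytes.Length - 1; $i -ge 0; $i--) {
        $value = $value * 256 + [long] $Bytes[$i]
    }
    return $value
}

function Get-MinPwdLenPolicy {
    # Returns the largest MinPwdLen set in either hive, or 0 if neither sets one.
    $required = 0
    foreach ($key in $policyKeys) {
        # Missing key or missing value: skip quietly, it simply imposes no minimum.
        $item = Get-ItemProperty -Path $key -Name 'MinPwdLen' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $len = ConvertFrom-RegBinaryInt -Bytes $item.MinPwdLen
        if ($null -ne $len -and $len -gt $required) { $required = $len }
    }
    return $required
}

function Test-GeneratedPasswordLength {
    param([Parameter(Mandatory)] [int] $GeneratedLength)
    $required = Get-MinPwdLenPolicy
    if ($GeneratedLength -ge $required) {
        return "OK: Generated password length $GeneratedLength is at least MinPwdLen $required"
    }
    return "Conflict: Generated password length $GeneratedLength is below MinPwdLen $required; raise it to $required or more"
}

# Self-check of the decoder on a constructed 4-byte little-endian value (0x0000000C = 12).
ConvertFrom-RegBinaryInt -Bytes ([byte[]](12, 0, 0, 0))

# Usage: the value you plan to enter for Generated password length.
Test-GeneratedPasswordLength -GeneratedLength 12
```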

5.9 Customizing Bitmaps for Smart Card


Use
Customize the image used to represent the smart card image in the Unlock Computer (PIN pane) dialog.


Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Procedures
1. Create a new image that adheres to the following: The image should be in BMP format. The image size should be 160x100 pixels.
2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.
3. Double-click Custom Bitmaps.
4. The Custom Bitmaps Properties dialog will appear.
5. Enable the setting. The Enter <path>\<filename> field will be enabled.
6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\smartcard.bmp>.
7. Click Apply to save the changes, and click OK to close the window.


5.10 Customizing PIN Pane Image Bitmap


Use
Customize the image used as a banner in the Unlock Computer (PIN pane) dialog.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Procedures
1. Create a new image that adheres to the following: The image should be in BMP format. The image size should be 455x70 pixels.
2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.
3. Double-click PIN pane image.
4. The Custom Bitmaps Properties dialog will appear.
5. Enable the setting. The Enter <path>\<filename> fields will be enabled.
6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\PINpane.bmp>.
7. Click Apply to save the changes, and click OK to close the window.

5.11 Local Management Console Options


Use
Configure options related to the Local Management Console.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Windows XP: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options Windows Vista and Windows 7: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options

Parameters
Backup Expiry Time: This parameter defines the number of days a deleted entry remains flagged as deleted until it is erased. To ensure correct synchronization, deleted entries are first flagged as deleted before they are finally removed from the password file. If you disable this parameter or do not configure it, the default value of 90 days is applied.

Backup History Path: This parameter defines the full path to the folder in which the backup history files will be stored. Note: Every Enterprise Single Sign-On user will need read/write permission to the folder specified by this parameter. This parameter applies to smart card-based authentication only. For every change made (for example, change, create or delete), a backup of the password file stored on the card will be created.

Backup History Size: This parameter defines the maximum number of backup files per user. Note: Every Enterprise Single Sign-On user will need read/write permission to the folder specified by this parameter.

Disable Drag and Drop Credentials Submenu: If this parameter is enabled, a user will be unable to open the Drag and Drop Credentials dialog from the SSO Tray Utility menu. For more information about the Drag and Drop Credentials feature, see the Enterprise Single Sign-On User Guide.

Disable Feature of SSO Learning Wizard: If this parameter is enabled, the SSO Learning Wizard features (automatically detect and register new applications) will be inactive. For more information about the Register a New Application feature, see the Enterprise Single Sign-On User Guide.

Disable Features of SSO Monitor: If this parameter is enabled, the features of SSO Monitor (automatically register a new application and automatic login to applications) will be inactive. For more information about the Register a New Application and Automatic Login features, see the Enterprise Single Sign-On User Guide.

Drag & Drop Characters Send Speed: This parameter allows you to specify the speed with which characters are sent to the destination window during a drag & drop operation. The send speed refers to the latency between the sending of characters and is defined in milliseconds. Per default, the send speed is 40 milliseconds. However, some applications such as Terminal Service clients on slow connections need a lower send speed to guarantee that all characters reach the destination window. The drag & drop operation sends KEYDOWN, then delays for half of the latency time until KEYUP is sent, then delays for the other half before the next character's KEYDOWN is sent.

Drag & Drop Characters Erase Input Fields: If this parameter is enabled, the content of a destination field is erased before the drag & drop content is dropped into the field.

Hide LMC Dialog: If this parameter is enabled, the Local Management Console submenu will not be displayed in the context menu available via the system tray icon.

Hide SSO Tray Icon: If this parameter is enabled, the E-SSO icon in the system tray will be hidden.

Local Backup Path: This parameter defines the full path to the folder in which the backup files will be stored. Note: The destination folder must be accessible while the user is not logged in.

Show credentials dialog: If this parameter is enabled, a dialog containing the list of credentials linked to the application will be shown. From this dialog, the user can select the credential to log in with.

SSO Monitor trace and log: If this parameter is enabled, trace messages from the E-SSO Monitor component will be logged. This setting is useful for debugging purposes.

SSO User Activity Trace and Log: If this parameter is enabled, E-SSO will trace and log the activities performed by the user.


5.12 SSO User Activity Trace and Log Filter


Use
The Secure Login Notification Viewer (Log Console) will also display E-SSO user trace messages. Use the filter feature to view only user trace information.

Prerequisites
Before using this feature, make sure that the ADM setting SSO User Activity Trace and Log is enabled. See Local Management Console Options [page 38].

Procedures
The Secure Login Notification Viewer (Log Console) can be accessed via: C:\Program Files\SAP\FrontEnd\SecureLogin\bin\sbustrace.exe. For more information about this utility, see the Secure Login Installation, Configuration, and Administration Guide. Click the Secure Login taskbar icon to open the certificate/token dialog. Select the menubar entry View > Log Console.

5.13 Web Setting


Use
Configure parameters related to the Web settings.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Web Settings

Parameters
Auto detect Web login form: This parameter allows E-SSO to automatically detect Web application authentication fields and pop up the registration wizard. Enabled: E-SSO will automatically detect Web application authentication fields and pop up the registration wizard. Disabled: Automatic detection will not take effect. The user can register the Web application by using the Save button in the E-SSO Internet browser toolbar.


5.14 LMC Setting


Use
Configure parameters related to the Local Management Console (LMC) settings.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > LMC Settings

Parameters
Hide password policy for normal user: This parameter allows E-SSO to hide the password policy node in the Local Management Console. Enabled: The password policy will either be hidden or set to read-only. Disabled: The password policy in the LMC will be visible to a normal user.

5.15 Soft Token Settings


Use
Configure parameters related to soft tokens.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Soft token setting

Parameters
Minimum characters of answer or password string: Defines the minimum number of characters used for the security Question and Answer fields.

Softtoken Path Configuration: This parameter defines the full path to the folder in which the soft token files will be stored. Each user needs read/write permissions to this folder. For example: To configure the soft token path to a company's network location <G:\ShareAll>, click Enabled, enter the network location into the Softtoken Path field, and click Apply.

Softtoken Password File Size: This parameter defines the size of the soft token file. There are three options for the password file size:
Small: 1280 bytes (approximately 20 entries)
Medium: 3840 bytes (approximately 40 entries)
Large: 7680 bytes (approximately 60 entries)
If you disable this setting or do not configure it, the default value (Small) will be used.


5.16 Terminal Emulator Host Configuration


Use
Configure parameters related to terminal emulator hosts.

Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]

Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > Terminal Emulator Host Configuration

Parameters
Configure the first host, Configure the second host, Configure the third host, Configure the fourth host, Configure the fifth host: These parameters define the values to be used for each terminal emulator host.

Hostname or IP: The host name or IP address of the host.

The string to detect Username: The title of the user name field. This string must be the same as the label of the field in which the user enters the user name on the host machine.

The string to detect Password: The title of the password field. This string must be the same as the label of the field in which the user enters the password on the host machine.

Control key after Username: The key value that the user presses after entering the user name. For example: If the user presses the Enter key after entering their user name, the value here is {ENTER}. If the user presses the Tab key after entering their user name, the value here is {TAB}. If the user presses the Tab key twice after entering their user name, the value here is {TAB}{TAB}.

Control key after Password: The key value that the user presses after entering their password. For example: If the user presses the Enter key after entering their password, the value here is {ENTER}. If the user presses the Tab key after entering their password, the value here is {TAB}. If the user presses the Enter key twice after entering their password, the value here is {ENTER}{ENTER}.

MaxLength of Username field: The maximum number of characters that the user can enter into the user name field.

MaxLength of Password field: The maximum number of characters that the user can enter into the password field.
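The host entries above are only useful if the detection strings match the emulator screen exactly and the control-key strings are well formed. The following is an added example, written for this page and not part of the guide or of the E-SSO product, that parses the {KEY} notation and checks one host entry against a constructed screen dump. Only the two key names the guide's examples use, ENTER and TAB, are accepted; treating them as the complete set, the field names used as dictionary keys, and the sample host and screen are all assumptions of this example.

```python
import re

# Key names taken from the guide's examples ({ENTER}, {TAB}). Accepting only these
# is an assumption of this example, not a statement of what E-SSO supports.
KNOWN_KEYS = {"ENTER", "TAB"}
TOKEN_RE = re.compile(r"\{([A-Z]+)\}")


def parse_control_keys(value):
    """Split a control-key string such as '{TAB}{TAB}' into ['TAB', 'TAB'].

    Raises ValueError for text outside {...} tokens (including stray spaces),
    lowercase names, or unknown keys, so a mistyped value is caught before it
    is rolled out through Group Policy.
    """
    keys = []
    pos = 0
    for match in TOKEN_RE.finditer(value):
        if match.start() != pos:
            raise ValueError(f"unexpected text {value[pos:match.start()]!r} at offset {pos}")
        name = match.group(1)
        if name not in KNOWN_KEYS:
            raise ValueError(f"unknown key {name!r}")
        keys.append(name)
        pos = match.end()
    if pos != len(value):
        raise ValueError(f"unexpected text {value[pos:]!r} at offset {pos}")
    return keys


def check_host_entry(entry):
    """Return a list of problems with one host entry; an empty list means it is consistent."""
    problems = []
    for field in ("Hostname or IP", "String to detect Username", "String to detect Password"):
        if not str(entry.get(field, "")).strip():
            problems.append(f"{field} is empty")
    for field in ("Control key after Username", "Control key after Password"):
        try:
            parse_control_keys(entry.get(field, ""))
        except ValueError as err:
            problems.append(f"{field}: {err}")
    for field in ("MaxLength of Username field", "MaxLength of Password field"):
        limit = entry.get(field)
        if isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0:
            problems.append(f"{field} must be a positive integer")
    return problems


def screen_matches_host(screen_lines, entry):
    """True when both detection strings occur verbatim on the emulator screen."""
    user_label = entry["String to detect Username"]
    pass_label = entry["String to detect Password"]
    has_user = any(user_label in line for line in screen_lines)
    has_pass = any(pass_label in line for line in screen_lines)
    return has_user and has_pass


# Constructed sample host entry (hypothetical values, not from any real system).
SAMPLE_HOST = {
    "Hostname or IP": "host.example.invalid",
    "String to detect Username": "Username:",
    "String to detect Password": "Password:",
    "Control key after Username": "{TAB}",
    "Control key after Password": "{ENTER}",
    "MaxLength of Username field": 8,
    "MaxLength of Password field": 16,
}

# Constructed sample screen dump from a terminal emulator.
SAMPLE_SCREEN = [
    "   Welcome to the constructed sample host",
    "   Username:  ________",
    "   Password:  ________________",
]

if __name__ == "__main__":
    print("problems:", check_host_entry(SAMPLE_HOST))
    print("screen matches:", screen_matches_host(SAMPLE_SCREEN, SAMPLE_HOST))
```

A mismatch between the label on the screen and the configured detection string is the usual reason a host entry silently never fires; checking both values from the same source of truth before deployment avoids that.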


5.17 Configuration of Smart Card Removal Behavior


Use
It is also possible to define what happens on the workstation when the smart card is removed from the reader. This parameter is defined in the Windows operating system.

Procedure
1. In the Group Policy Object Editor, open Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
2. The security options will appear in the right panel.
3. Double click Interactive logon: Smart card removal behaviour.
4. Select the behaviour from the combo-box and click OK. This is the behaviour that will occur when a smart card is removed. For example, to lock the workstation after the smart card is removed, select Lock workstation.


6 Additional Information
6.1 Preparing Smart Cards for E-SSO
Use
To use a smart card with Enterprise Single Sign-On, you must first enable it by partitioning the card in readiness for the PMF file. This can be done via:
The E-SSO Smart Card Preparation Tool. See Preparing Smart Cards via E-SSO Smart Card Preparation Tool [page 45].
Windows XP GINA: See Preparing Smart Cards via Windows XP GINA [page 46].
Windows Vista or Windows 7 CRP: See Preparing Smart Cards via Windows Vista and Windows 7 Login [page 46].

6.1.1 E-SSO Smart Card Preparation Tool


1. Start the E-SSO Smart Card Preparation Tool located in the product download package under: \Utilities\E-SSO_SmartCardPrep.exe.
2. The E-SSO Smart Card Preparation Tool dialog will appear.
3. First, it is necessary to authenticate to the smart card. Click Enter Smart Card PIN.
4. A PIN prompt will appear. Enter the PIN and click OK.
5. Now the smart card is ready for preparation. Click Add Sign-On. Add Sign-On will be disabled if the smart card has already been enabled for Windows logon. If you wish to continue adding a sign-on object to the smart card, click Remove Sign-On.
6. The Please enter user name dialog will appear.
7. Enter the user's Windows credentials into the fields User name, Password and Log on to (domain). Select Write Windows login data to card to enable the Password and Log on to fields.
8. Select Verify before writing to card to check that the credential is correctly entered before adding the credential to the smart card.
9. The Token Type ID displays the token type of the current smart card system configuration and cannot be edited.
10. Click OK to add the E-SSO object to the smart card. If the Windows credentials were not previously entered, the user will have to perform an initial Windows logon (see the following sections for more information).

6.1.2 Preparing Smart Cards via Windows XP GINA


1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN. If not, the user will be prompted to use this card for Enterprise Single Sign-On.
2. Click Yes.
3. The Windows Logon Credentials dialog will appear. Enter your user name and password for the Windows logon into the User name and Password fields, respectively. Select the domain for the Windows Logon from the Log on to drop-down menu and click OK.
4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon.
5. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide. For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.

6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login
1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN.
2. If the smart card meets the minimum requirements, you can enable the card for Enterprise Single Sign-On as follows: Enter your user name into the first input field. Enter your password into the second input field. Enter the computer or network domain to which you want to log in into the third input field. By default, this field displays the computer name or network domain to which the last user logged in. Click Save logon password on token in the Windows logon dialog.
3. The user will be prompted to use the currently connected smart card for Enterprise Single Sign-On. Click OK.
4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide. For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.

6.2 Distribute Applications, Blacklist and Policies to Users


Use
Distribute pre-registered applications, blacklists, and policies to multiple users.

Soft Token
1. On the primary computer, register applications and create the blacklist and policies:
   Register applications and link them to the appropriate credentials.
   Register or add applications to the blacklist.
   Create password policies.
   After this step, the application (<*.api>), blacklist (<*.bll>) and policy (<*.plc>) files will be created. For example: <user1.api>, <user1.bll>, <user1.plc>.
2. On the primary computer, create credentials in the soft token. After this step, the credential file (<*.bin>) will be created. For example: <user1.bin>.
3. On each secondary computer, terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOMonitor.exe, and click End Process).
4. Now start the distribution. To distribute applications, blacklist and policies: Copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer. On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct user name (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.
5. To distribute credentials: Copy the folder Softtoken (located in %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer. On the secondary computer, open the Softtoken folder and rename the *.bin file to the correct user name (<%username%>.bin). For example: user2.bin.
6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.

Smart Card
1. On the primary computer, register applications and create the blacklist and policies:
   Register applications and link them to the appropriate credentials.
   Register or add applications to the blacklist.
   Create password policies.
   After this step, the application (<*.api>), blacklist (<*.bll>) and policy (<*.plc>) files will be created. For example: <user1.api>, <user1.bll>, <user1.plc>.
2. On the primary computer, create credentials in the soft token. After this step, the credential file (<*.bin>) will be created. For example: <user1.bin>.
3. On each secondary computer, terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOMonitor.exe, and click End Process).
4. To distribute applications, blacklist and policies: Copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer. On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct user name (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.
5. To distribute credentials via the Local Management Console to smart cards (the credentials have already been created in step 2 and stored in a soft token): Open the Local Management Console and go to Authentication > Copy Token Contents. The Enterprise Single Sign-On Soft Token utility dialog will appear. To copy the credentials to the smart card, select the credentials from the Credentials Stored in Soft Token list and click the transfer arrow (up). Once transferred, the credentials will appear in the Credentials Stored in Smart Card list. For more information about the Soft Token utility, see the Enterprise Single Sign-On User Guide.
6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.
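The copy-and-rename step is the same in the Soft Token procedure (steps 4 and 5) and the Smart Card procedure (step 4) above, and doing it by hand for every secondary computer is where the per-user file names usually go wrong. The following is an added example, written for this page and not part of the guide or of E-SSO, that copies the AppInfo folder (and optionally the Softtoken folder) from a primary profile into a secondary profile and renames the per-user files. The folder names, file extensions and the %appdata%\SAP\signon location come from the procedure; the temporary directory, the sample user names user1 and user2, and the file contents are constructed for the example. Stopping SSOMonitor.exe before the copy and restarting it afterwards remain manual steps of the procedure.

```python
import shutil
import tempfile
from pathlib import Path

# Locations and extensions from the distribution procedure. On a real machine the
# primary and secondary roots would be %appdata%\SAP\signon on each computer.
SIGNON_SUBDIR = Path("SAP") / "signon"
APPINFO_EXTS = (".api", ".bll", ".plc")
SOFTTOKEN_EXTS = (".bin",)


def stage_for_user(src_signon, dst_signon, source_user, target_user, include_softtoken=False):
    """Copy AppInfo (and, if requested, Softtoken) from src_signon to dst_signon.

    Files named after source_user are renamed to target_user so the secondary
    computer's SSOMonitor.exe finds <%username%>.api/.bll/.plc (and .bin).
    Returns the relative paths written, sorted, with forward slashes.
    """
    src_root, dst_root = Path(src_signon), Path(dst_signon)
    plan = [("AppInfo", APPINFO_EXTS)]
    if include_softtoken:
        plan.append(("Softtoken", SOFTTOKEN_EXTS))
    written = []
    for folder, exts in plan:
        src_dir, dst_dir = src_root / folder, dst_root / folder
        dst_dir.mkdir(parents=True, exist_ok=True)
        for src in src_dir.iterdir():
            if not src.is_file():
                continue
            name = src.name
            if src.suffix.lower() in exts and src.stem == source_user:
                name = target_user + src.suffix
            dst = dst_dir / name
            shutil.copy2(src, dst)  # keeps timestamps, like a file-manager copy
            written.append(dst.relative_to(dst_root).as_posix())
    return sorted(written)


def build_primary_fixture(root, user):
    """Constructed sample primary profile with <user>.api/.bll/.plc and <user>.bin."""
    signon = Path(root) / SIGNON_SUBDIR
    for folder, exts in (("AppInfo", APPINFO_EXTS), ("Softtoken", SOFTTOKEN_EXTS)):
        folder_path = signon / folder
        folder_path.mkdir(parents=True)
        for ext in exts:
            (folder_path / f"{user}{ext}").write_bytes(b"constructed sample content")
    return signon


def demo():
    """Run the staging against a constructed temporary directory and return what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = build_primary_fixture(Path(tmp) / "primary", "user1")
        secondary = Path(tmp) / "secondary" / SIGNON_SUBDIR
        return stage_for_user(primary, secondary, "user1", "user2", include_softtoken=True)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

The returned list is the audit trail of what landed on the secondary computer; because the Softtoken *.bin file holds credentials, the destination folder should carry the same restrictive permissions the guide requires for the soft token path.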

6.3 Handling Certificates


Use
The information in this section applies to smart card-based authentication only. The E-SSO Certificate Store Provider enables you to access certificates stored on a smart card via the Microsoft certificate store Personal. In this way smart card certificates are available to all applications using CAPI (Cryptographic Application Interface), enabling, for example, secure communication via Microsoft Outlook, the Intranet and the Internet (SSL environment) without having to import the certificates manually. If a smart card is removed from the card reader, the certificates are no longer accessible in the Microsoft certificate stores. The E-SSO certificate stores are physical stores administered by the logical Microsoft certificate store Personal. An application is only meant to view and examine certificates; deleting, relocating, adding and modifying certificates are not possible.

6.3.1 Preparing the Microsoft Management Console for Certificates


Use
Prepare Windows for certificates in order to view, install, and export certificates.

Procedure
1. Start the Microsoft Management Console: Windows XP: select Start > Run, enter mmc in the Run dialog and click OK. Windows Vista / Windows 7: select Start, enter mmc in the Search programs and files field and click OK.
2. The Microsoft Management Console will appear. Select File > Add/Remove Snap-in from the menu.
3. Windows XP only: The Add/Remove Snap-in dialog will appear. Click Add.
4. The Add Standalone Snap-in (Windows XP) or Add or Remove Snap-ins (Windows Vista/7) dialog will appear. Select Certificates and click Add.
5. The Certificates snap-in dialog will appear. Select the option My User Account and click Finish.
6. Click OK to close the dialog.
7. Close the Microsoft Management Console.


6.3.2 Where to Get More Information


View Certificates
Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmprocsviewstores.mspx?mfr=true
Windows Vista and Windows 7: http://windows.microsoft.com/en-US/Windows7/View-or-manage-your-certificates

Import and Export Certificates


Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmintrocerts.mspx?mfr=true
Windows Vista and Windows 7: http://windows.microsoft.com/en-us/Windows7/Import-or-export-certificates-and-private-keys


7 Troubleshooting
Use
Overcome the most common problems to do with the installation or configuration of Enterprise Single Sign-On.

7.1 Preliminary Troubleshooting


Make sure that the system on which you are installing Enterprise Single Sign-On meets the minimum hardware and software requirements. For more information see Planning [page 7].

Is the version of Enterprise Single Sign-On up-to-date? Each release adds new features and fixes issues. Installing the latest version may clear any problems without the need for further troubleshooting. For more information see Installation, Update, and Removal [page 12].

7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On


Windows XP: You need administrator access rights (role or group member) to be able to install, modify components or remove Enterprise Single Sign-On. If you do not have the administrator access rights, contact your system administrator for more assistance. Windows Vista and Windows 7: The Enterprise Single Sign-On installation package is signed to allow the system to identify the program. However, if this signature fails, the following User Account Control dialog will appear (providing User Account Control is active):

To continue the installation process, select the option Allow: I trust this program. I know where it's from or I've used it before. The installation will proceed.


7.3 Smart Card Troubleshooting


Use
Overcome problems when the smart card is not available and/or not recognized by the system.

Procedure
1. Verify that a smart card reader is properly connected and recognized by the operating system.
2. Verify that the latest version of the smart card middleware (PKCS#11 library / middleware) is installed in the system.
3. If you are still prompted with the error dialog Smart card is not available, try re-inserting the smart card and/or restarting the system.
4. If all of the above fail, please contact your system administrator.

7.4 Multiple Smart Card Readers


Use
Troubleshoot problems if there are multiple card readers connected to the computer.

Procedure
Define the default smart card reader using the E-SSO Card Configuration Tool. For more information see Card Reader Configuration [page 21]. The tool may be started via the Local Management Console or via the menu entry Start > All Programs > SAP > signon > E-SSO Card Configuration Tool.

7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing


Use
This applies for Windows XP users only.

Procedure
In Windows XP Professional it is not possible to use the Windows Logon feature of Enterprise Single Sign-On if the computer is not a member of a domain. Microsoft does not support this for computers that are only members of a workgroup. If the Enterprise Single Sign-On login or GINA dialog does not appear after pressing Ctrl-Alt-Delete, make sure that the computer is a member of a domain.

7.6 Unable to Log In to the Network


Ensure that the user has correctly entered their user name and the domain name. Verify that the computer is a member of a domain. Otherwise, add the user in Windows User Management. See Preparation Steps for Windows XP [page 8].


7.7 CRP Filter Does Not Disable Specified CRPs


Use
The CRP Filter has been provided to disable any registered CRP for Windows logon. Follow this procedure if you have added a filter but it does not disable the specified CRPs.

Procedure
1. Access the Filter properties > Show Contents dialog (see Apply E-SSO Filter [page 27]) and check the following values:
2. The Value Name field should display the GUID of the CRP that you want to filter. The GUID is a number/letter combination, including the curly brackets! For example: <{25CBB996-92ED-457e-B28C-4774084BD562}>.
3. The Value field should display the scenarios to which the filter will be applied, separated by a semicolon (;) with no spaces between the entries. For example: <LOGON;UNLOCK;CHANGE>
4. If any of these values are incorrectly set, click Remove and add a new entry to the CRP list. See Apply E-SSO Filter [page 27].
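The two format rules in steps 2 and 3 (a GUID with its curly brackets, and a semicolon-separated scenario list without spaces) are easy to check mechanically before a filter entry is deployed. The following is an added example, written for this page and not part of the guide or of E-SSO, that applies exactly those checks. It treats LOGON, UNLOCK and CHANGE, the scenarios shown above, as the complete set of valid names, which is an assumption of this example; the GUID used in the test is the one from the step above.

```python
import re

# A registry-style GUID: 8-4-4-4-12 hexadecimal digits, enclosed in curly brackets,
# which is the form step 2 above requires for the Value Name.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Scenario names shown in step 3. Treating them as the only valid names is an
# assumption of this example.
KNOWN_SCENARIOS = {"LOGON", "UNLOCK", "CHANGE"}


def check_value_name(value_name):
    """Return the problems found in a Value Name entry (empty list means it is OK)."""
    problems = []
    if not (value_name.startswith("{") and value_name.endswith("}")):
        problems.append("GUID must be enclosed in curly brackets")
    if not GUID_RE.match(value_name):
        problems.append("GUID is not in the form {8-4-4-4-12 hex digits}")
    return problems


def check_value(value):
    """Return the problems found in a Value entry such as 'LOGON;UNLOCK;CHANGE'."""
    problems = []
    if " " in value:
        problems.append("Value must not contain spaces")
    for scenario in value.split(";"):
        if scenario == "":
            problems.append("empty scenario entry (double or trailing semicolon)")
        elif scenario not in KNOWN_SCENARIOS:
            problems.append(f"unknown scenario {scenario!r}")
    return problems


def check_filter_entry(value_name, value):
    """Combined check for one CRP filter entry; an empty list means both fields are consistent."""
    return check_value_name(value_name) + check_value(value)


if __name__ == "__main__":
    # The GUID and scenario list from the troubleshooting step above.
    print(check_filter_entry("{25CBB996-92ED-457e-B28C-4774084BD562}", "LOGON;UNLOCK;CHANGE"))
    # Constructed faulty entries: missing brackets, and a space after the semicolon.
    print(check_filter_entry("25CBB996-92ED-457e-B28C-4774084BD562", "LOGON; UNLOCK"))
```

Running the check over every entry exported from the Show Contents dialog turns step 4 ("if any of these values are incorrectly set") into a list of concrete findings rather than a visual inspection.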


7.8 Web SSO Toolbar Does Not Appear


This issue will occur in one of the following situations.

Enterprise Single Sign-On Installed Before Installing a Browser


1. Reinstall the Internet Browser plug-in for your Internet browser. See Modify Enterprise Single Sign-On Components [page 17].

2. Make sure the computer is restarted to apply the changes.

When Snag-It Toolbar is Enabled


If Snag-It is installed in your system, the Web SSO Toolbar can disappear in Internet Explorer 8 when opening a new tab or another similar operation. If you encounter this issue, disable the Snag-It toolbar and restart Internet Explorer.

7.9 Group Policies do Not Display Correctly


Use
After successfully adding E-SSO ADM entries to the Microsoft Group Policy Editor the content does not appear as described in Adding Group Policy Templates via Group Policy Editor [page 22].

Cause
The Filter option is active.

Procedure
1. To display the policy settings in the Microsoft Group Policy Editor, right-click the respective node in the left pane and de-select the option Filter on.
2. The navigation tree will close. Re-open the respective node to view the policy settings.
