PUBLIC Document Version: 1.2 – 10/2011
Oct 22, 2014
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System
Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
WebSphere, Netfinity, Tivoli and Informix are trademarks or
registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems Incorporated in
the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, and other SAP products and services
mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. in the United States and in other
countries.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
and other Sybase products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.
Disclaimer
Some components of this product are based on Java™. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressly
prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is
only to be used by SAP’s Support Services and may not be
modified or altered in any way.
Terms for Included Open Source Software
This SAP software contains also the third party open source software
products listed below. Please note that for these third party products
the following special terms and conditions shall apply.
1. domainname-parser (http://code.google.com/p/domainname-parser/)
Copyright (c)
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
SAP AG
Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
Typographic Conventions

Type Style: Description
Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.
Icons

The following icons are used in this guide to mark information of a particular kind: Caution, Example, Note, Recommendation, Syntax.
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Installation and Configuration Guide: Enterprise Single Sign-On
Contents

1 Introduction  6
1.1 About this Document  6
2 Planning  7
2.1 Hardware Requirements  7
2.2 Software Requirements  7
2.3 Smart Card Requirements  7
3 Preparation  8
3.1 Preparation Steps for Windows XP  8
3.2 Preparation Steps for Java Applications  8
3.3 Install Secure Login Client  9
3.4 Preparation Steps for Citrix Use  9
4 Installation, Update, and Removal  12
4.1 Manual Installation  12
4.2 Unattended Installation  15
4.3 Modify Enterprise Single Sign-On Components  17
4.4 Remove Enterprise Single Sign-On  18
4.5 Complete Removal Options  19
4.6 Update Enterprise Single Sign-On  20
5 Configuration  21
5.1 Card Reader Configuration  21
5.2 Adding Group Policy Templates via Group Policy Editor  22
5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options  24
5.4 Apply E-SSO Filter  27
5.5 Password Credential Options  29
5.6 Certificate Credential Options  31
5.7 Customize Tile Image Bitmaps  32
5.8 Logon Settings  33
5.9 Customizing Bitmaps for Smart Card  35
5.10 Customizing PIN Pane Image Bitmap  37
5.11 Local Management Console Options  38
5.12 SSO User Activity Trace and Log Filter  40
5.13 Web Setting  40
5.14 LMC Setting  41
5.15 Soft Token Settings  41
5.16 Terminal Emulator Host Configuration  43
5.17 Configuration of Smart Card Removal Behavior  44
6 Additional Information  45
6.1 Preparing Smart Cards for E-SSO  45
6.1.1 E-SSO Smart Card Preparation Tool  45
6.1.2 Preparing Smart Cards via Windows XP GINA  46
6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login  46
6.2 Distribute Applications, Blacklist and Policies to Users  47
6.3 Handling Certificates  49
6.3.1 Preparing the Microsoft Management Console for Certificates  49
6.3.2 Where to Get More Information  50
7 Troubleshooting  51
7.1 Preliminary Troubleshooting  51
7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On  51
7.3 Smart Card Troubleshooting  52
7.4 Multiple Smart Card Readers  52
7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing  52
7.6 Unable to Log In to the Network  52
7.7 CRP Filter Does Not Disable Specified CRPs  53
7.8 Web SSO Toolbar Does Not Appear  54
7.9 Group Policies do Not Display Correctly  54
1 Introduction

Enterprise Single Sign-On (E-SSO) helps end users log in to multiple systems or applications without the need to remember every password or logon dialog. After the end user is successfully authenticated to the Enterprise Single Sign-On application, further logon procedures to applications running under the system's control are carried out automatically.
Enterprise Single Sign-On supports the following methods of signing on to an application:
Windows logon (for smart card-based authentication only)
This method can either be certificate-based or can use a user ID/password combination stored on the smart card.
Certificate-based authentication (for smart card-based authentication only)
Certificate-based authentication is provided via the standard interfaces such as Microsoft Crypto-API or the GSS-API. The requirements of most applications can be fulfilled via these interfaces, such as Internet browsers, e-mail clients, VPN clients, and so on.
Windows logon and certificate-based authentication are not available for operation with a soft token.
Logon to Windows applications
This feature allows you to use Single Sign-On for password-protected Windows, .NET, terminal emulator, and Java applications.
Logon to Web sites (Web Single Sign-On)
This feature allows you to log in to password-protected Web sites using Single Sign-On. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and management of sites for Single Sign-On.
1.1 About this Document
Purpose
This document describes how to install, customize, and remove Enterprise Single Sign-On on Windows XP, Windows Vista, and Windows 7.
Integration
To use Enterprise Single Sign-On you will need to install the following components on each client computer prior to Enterprise Single Sign-On:
.NET 3.0 or later (Windows XP only)
Oracle Java JRE/JDK 1.6
Oracle Java access bridge 2.0.2 for 32-bit and 64-bit systems
SAP NetWeaver Single Sign-On - Secure Login Client 1.0 SP1
Constraints
This guide does not provide information about how to use Enterprise Single Sign-On. For such information please see the User Guide.
2 Planning
2.1 Hardware Requirements
The hardware requirements of the operating system must be met.
At least 25 MB of free hard disk space for Enterprise Single Sign-On. For information about the space required by the Secure Login Client see the Secure Login Installation, Configuration and Administration Guide. For other components please see the respective documentation.
If smart cards are to be used then a PC/SC-compliant smart card reader will be needed.
2.2 Software Requirements
Microsoft Windows XP Professional 32-bit SP3.
The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. For more information, see Preparation Steps for Windows XP [page 8].
Microsoft Windows Vista SP2 32-bit (Business, Enterprise, or Ultimate)
Microsoft Windows 7 SP1 32-bit / 64-bit (Professional, Enterprise, or Ultimate)
2.3 Smart Card Requirements
Verify that a smart card reader is properly connected and recognized by the operating system.
It is possible to connect a smart card reader after you have installed Enterprise Single Sign-On. However, we recommend connecting a card reader before the product installation.
If you want to use Enterprise Single Sign-On with a third-party PKCS#11 library, you must first install the PKCS#11 library provided by the smart card vendor. To use third-party libraries, you will need a license from the library vendor.
Only smart cards and middleware certified by SAP are supported in Enterprise Single Sign-On.
3 Preparation
3.1 Preparation Steps for Windows XP
Use
For Windows XP users, the computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. Normally, the configuration of Enterprise Single Sign-On clients is defined globally for an Active Directory domain or an organizational unit, and the workstations are members of this domain. This section describes how to prepare the domain or organizational unit and the Windows XP client; the group policy templates that carry the client configuration are added later (see Adding Group Policy Templates via Group Policy Editor [page 22]).
If you intend to use Enterprise Single Sign-On with Windows XP, the .NET Framework 3.0 needs to be installed.
Prerequisites
You must start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed.
Microsoft Windows XP Professional 32-bit SP3. The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature.
Procedure
1. On the server or workstation, create a domain/organizational unit. For more information, see the Microsoft documentation: http://technet.microsoft.com/en-us/library/cc785077(WS.10).aspx.
2. Download and install .NET Framework v.3.0 or above. To download and get more information, see the Microsoft Website: http://www.microsoft.com/downloads/en/default.aspx.
3.2 Preparation Steps for Java Applications
Use
Enterprise Single Sign-On uses Java technology to log in to Java-based applications. A certain amount of manual configuration is needed to ensure correct operation.
Prerequisites
Close all running applications prior to installation.
Procedure
1. Download and install the latest Java Runtime Environment (JRE) or Java Development Kit (JDK) 1.6 for the target environment (32-bit or 64-bit). To download the JRE/JDK, see the Java website: http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Download Java Access Bridge 2.0.2 (for both 32-bit and 64-bit systems): http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136191.html
3. Manually configure the Java Access Bridge component. This will vary according to version:
For information about how to install Java Access Bridge 2.0.2 under 32-bit systems, see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-32-bit
For information about how to install Java Access Bridge 2.0.2 under Windows 7 64-bit, see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-64-bit
3.3 Install Secure Login Client
Use
The Secure Login Client installer will install base components and functions that are necessary for the correct operation of Enterprise Single Sign-On. The Secure Login Client can be downloaded from the SAP Marketplace (also as a part of the NetWeaver Single Sign-On package).
Prerequisites
Close all running applications prior to installation.
Procedure
Download and install the Secure Login Client package. For more information on installation, see the Secure Login Client Installation, Configuration and Administration Guide.
3.4 Preparation Steps for Citrix Use
Use
If you wish to use Enterprise Single Sign-On in a Citrix environment, you must prepare the server and client machines. This section details the specific steps for each component.
This version of Enterprise Single Sign-On only supports soft tokens under Citrix – smart cards are not supported.
Prerequisites
If you want to use Citrix, you must buy a license from Citrix Systems, Inc. (see www.citrix.com). Read the license agreement carefully. You are only allowed to install the library if you have paid the license fee.
Citrix Presentation Server 4.5 must be installed. For a detailed description on the installation and configuration of the Citrix Presentation Server, consult the relevant Citrix documentation (see www.citrix.com).
Citrix ICA Client software must be installed. For a detailed description on the installation and configuration of the Citrix ICA Client, consult the relevant Citrix documentation (see www.citrix.com).
Ensure that no smart card reader is connected to the server and the client before proceeding.
Prepare the Server Machine
1. Switch Citrix Presentation Server to install mode:
Turn on: change user /install
Turn off: change user /execute
2. Install .NET Framework 3.0. See Preparation Steps for Windows XP [page 8].
3. Install JRE. See Preparation Steps for Java Applications [page 8].
4. When installing the Secure Login Client, enable the Terminal Server Components (custom setup). For more information, see the Secure Login Client Installation, Configuration and Administration Guide.
5. When installing Enterprise Single Sign-On disable all smart card components (custom setup). See Installation, Update, and Removal [page 12].
6. Restart the computer to complete Enterprise Single Sign-On installation.
7. Configure the server desktop via the Citrix Access Management Console to ensure that the client can connect to the Citrix Presentation Server and access all Enterprise Single Sign-On features and components. For more information, consult the relevant Citrix documentation.
Prepare the Client Machine
8. In the Citrix Program Neighborhood main menu, select Tools > ICA Settings. The ICA Settings dialog will appear. Enable Pass-Through Authentication and Use local credentials to log on.
9. In the Citrix Program Neighborhood toolbar, click the Settings icon. The Settings dialog will appear. Enter information in the User name and Domain fields and click OK.
4 Installation, Update, and Removal
4.1 Manual Installation
Use
Manual installation of Enterprise Single Sign-On.
Prerequisites
Make sure that the following components have been installed before installing Enterprise Single Sign-On:
Windows XP only: Install Microsoft .NET Framework 3.0 or above. See Preparation Steps for Windows XP [page 8].
Install the latest Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].
Install Java Access Bridge. See Preparation Steps for Java Applications [page 8].
If you want to use a smart card install the third-party middleware. See Smart Card Requirements [page 7].
Install the Secure Login Client version that is released in the same NetWeaver Single Sign-On download package. For information about the installation, see the Secure Login Client Installation, Configuration and Administration Guide.
Procedure
1. Open the Enterprise Single Sign-On MSI package (double-click Enterprise Single Sign-On.msi, or Enterprise Single Sign-On_x64.msi on 64-bit systems).
2. The Welcome dialog will appear.
Click Next.
3. The Setup Type dialog will appear:
This dialog helps you choose between the following types of installation:
Typical – Select this if you want to install the most common Enterprise Single Sign-On components.
Custom – Select this if you want to manually select specific components for installation.
Click Next and proceed to the next step.
4. If you selected Custom in the previous step, on 64-bit systems, the following dialog will appear:
The Custom Setup dialog helps you modify Enterprise Single Sign-On components. You can select the following components for installation:
Smartcard support > Credential Provider: Install support for PKCS#11 providers.
Smartcard support > Checkpoint Support: Install support for the Checkpoint VPN client.
Internet browser plug-ins > Microsoft Internet Explorer Support: Install the Enterprise Single Sign-On plug-in for Internet Explorer 64-bit.
Internet browser plug-ins > Microsoft Internet Explorer Support for x86: Install the Enterprise Single Sign-On plug-in for Internet Explorer 32-bit.
Internet browser plug-ins > Mozilla Firefox Support for x86: Install the Enterprise Single Sign-On plug-in for Mozilla Firefox 32-bit.
5. The Authentication Method dialog will appear. Depending on your requirement, select Smart Card or Soft Token.
If you selected Smart Card Support components in the Custom Setup dialog and select Soft Token as authentication method in the Authentication Method dialog, the features of the Smart Card Support components will be deployed but deactivated. You can activate the Smart Card Support components by switching to Smart Card Mode via the Local Management Console. For more information on switching authentication methods, see the Enterprise Single Sign-On User Guide.
6. The Ready to Install the Program dialog will appear:
Click Install to start the installation (this can take a few minutes).
7. The completion dialog will appear. Click Finish.
8. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes.
9. The product is now installed using default values for most of the settings. For information about how to customize Enterprise Single Sign-On to your requirements, see Configuration [page 21].
4.2 Unattended Installation
Use
Unattended installation allows Enterprise Single Sign-On to be installed without the need for user interaction.
Prerequisites
Windows XP only: Install Microsoft .NET Framework 3.0. See Preparation Steps for Windows XP [page 8].
Install Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].
Install Java Access Bridge 2.0.2. See Preparation Steps for Java Applications [page 8].
Install third-party middleware. For the list of supported middleware, see Smart Card Requirements [page 7].
Install the Secure Login Client version that is released in the same NetWeaver Single Sign-On download package. For more information, see the Secure Login Client Installation, Configuration and Administration Guide.
Procedure
1. Open a Command window:
Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and press ENTER.
2. The Command window will appear. Navigate to the directory in which the installation package is located.
3. To install in quiet mode with no user interaction use the following syntax with options: msiexec /i "Enterprise Single Sign-On.msi" <PROPERTY> /qn
Enterprise Single Sign-On Installation Properties

Property: Description
GINA (Windows XP only): Install support for Windows XP Graphical Identification and Authentication (GINA).
CRP (Windows Vista and Windows 7 only): Install support for Windows Vista and Windows 7 Credential Provider (CRP).
CHECKPOINT: Install support for the Checkpoint VPN Client.
IE: Install support for Internet Explorer 64-bit.
IE_X86: Install support for Internet Explorer 32-bit on 32-bit and 64-bit systems.
FIREFOX: Install support for Firefox 32-bit.
FIREFOX_x86: Install support for Firefox 32-bit on 64-bit systems.
AUTH=Smartcard: Enable smart card as the primary authentication method. Note: This parameter is case-sensitive.
AUTH=Softtoken: Enable soft token as the primary authentication method. Note: This parameter is case-sensitive.
SCRIPT: Enable COM-based scripting to log in to legacy applications with credentials stored on smart cards.
Example Syntax for Unattended Installation

Windows XP, Smart Card:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=GINA,CHECKPOINT,IE,FIREFOX AUTH=Smartcard

Windows XP, Soft Token:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=GINA,CHECKPOINT,IE,FIREFOX AUTH=Softtoken

Windows Vista / Windows 7 32-bit, Smart Card:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE_X86,FIREFOX AUTH=Smartcard

Windows Vista / Windows 7 32-bit, Soft Token:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE_X86,FIREFOX AUTH=Softtoken

Windows 7 64-bit, Smart Card:
msiexec /i "Enterprise Single Sign-On_x64.msi" ADDLOCAL=CRP,CHECKPOINT,IE,IE_X86,FIREFOX AUTH=Smartcard

Windows 7 64-bit, Soft Token:
msiexec /i "Enterprise Single Sign-On_x64.msi" ADDLOCAL=CRP,CHECKPOINT,IE,IE_X86,FIREFOX AUTH=Softtoken

Append /qn to each command line, as in the syntax above, to suppress the installer dialogs. Enter the ADDLOCAL feature names and the AUTH value exactly as listed in the property table; both are case-sensitive.
4.3 Modify Enterprise Single Sign-On Components
Use
Display the Custom Setup dialog to modify Enterprise Single Sign-On components.
Prerequisites
You need administrator rights (role or group member) to be able to modify Enterprise Single Sign-On.
Procedure
1. Open the Enterprise Single Sign-On MSI package - double-click Enterprise Single Sign-On.msi.
2. The Welcome dialog will appear. Click Next.
3. The Program Maintenance dialog will appear. Select Modify and click Next.
4. The Custom Setup dialog will appear. Modify each of the components in the list by clicking an entry and selecting the appropriate action from the context menu, then click Next. For more information on these components, see Manual Installation [page 12].
If you installed Firefox after installing Enterprise Single Sign-On, you will need to use the Modify feature to install the Firefox support component to enable the Web SSO toolbar in Firefox. See Web SSO Toolbar Does Not Appear [page 54].
5. The Ready to Modify the Program dialog will appear. Click Install to execute the changes.
6. After a while, the completion dialog will appear. Click Finish.
7. You will be prompted to restart your computer to complete the modification. Select Yes. Enterprise Single Sign-On is now modified.
4.4 Remove Enterprise Single Sign-On
Use
Remove Enterprise Single Sign-On via the Control Panel or MSI package.
Prerequisites
You need administrator rights (role or group member) to remove Enterprise Single Sign-On.
Please close Microsoft Internet Explorer and Mozilla Firefox before removing Enterprise Single Sign-On. This will aid the removal of the Enterprise Single Sign-On browser plugin.
Remove Enterprise Single Sign-On via the Control Panel
1. Open the following Windows Control Panel:
Windows XP: Start > Settings > Control Panel > Add or Remove Programs
Windows Vista and Windows 7 (classic view): Windows logo > Control Panel > Programs and Features
2. Select Enterprise Single Sign-On from the programs list and click Uninstall. The removal process will start.
3. A dialog will appear asking you to confirm the removal. Click Yes. If the Windows Vista or Windows 7 User Account Control is active then a dialog will appear asking you to confirm the action. Click Allow to continue.
4. You will be prompted to reboot the computer. Click Yes to complete the removal.
This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 19].
Remove Enterprise Single Sign-On via the MSI Package
1. Open the Enterprise Single Sign-On MSI package – double-click Enterprise Single Sign-On.msi.
2. The Welcome dialog will appear. Click Next.
3. The Program Maintenance dialog will appear. Select Remove and click Next.
4. The Remove the Program dialog will appear. Click Remove to start the removal.
5. The completion dialog will appear. Click Finish to close the dialog and complete the procedure.
6. You will be prompted to restart your computer to complete Enterprise Single Sign-On removal.
This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 19].
Unattended Removal
1. Open a Command window:
Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and press ENTER.
2. The Command window will appear. Navigate to the directory in which the Enterprise
Single Sign-On installation package (Enterprise Single Sign-On.msi) is located.
3. To start the removal, enter the following syntax: msiexec /x "Enterprise Single Sign-On.msi"
Add /qn, as for installation, to suppress the dialogs. This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 19].
4.5 Complete Removal Options
Use
Removing Enterprise Single Sign-On via the MSI installer does not remove some user data and files, for example soft tokens. This behaviour is intentional: it allows an administrator to remove an older version of the product and install a new version without having to re-initialize the application and re-capture credentials.
This section details how to remove user data after the main application has been removed (as detailed in the previous sections). This section does not detail how to remove Secure Login. Those details can be found in the SAP Secure Login Installation, Configuration and Administration Guide.
Prerequisites
Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18].
Procedure
1. Remove the remaining data and files from the installation directory:
Windows XP: Select Start > Run. Enter %AppData%\SAP in the Open field and click OK.
Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter %AppData%\SAP in the Search programs and files field and click OK.
2. Delete the signon directory.
3. To remove registry entries made by Enterprise Single Sign-On, open the Windows Registry Editor (regedit) and delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\SAP\signon
HKEY_CURRENT_USER\Software\SAP\signon
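The unattended removal and the complete removal described above can be scripted together. The following PowerShell script is an added example, not code from the SAP guide or the product: it runs the msiexec removal silently, then deletes the %AppData%\SAP\signon directory and the two signon registry keys named in this section. The MSI path, the log file location and the switch names are assumptions; the data and registry locations are the ones this guide documents.

```powershell
# Added example (not part of the SAP guide): unattended removal of Enterprise
# Single Sign-On followed by the clean-up that the MSI deliberately skips
# (user data under %AppData%\SAP\signon and the two "signon" registry keys).
# Assumptions: the MSI sits next to this script and the paths/keys are the
# ones named in sections 4.4 and 4.5. Run from an elevated PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$MsiPath = (Join-Path $PSScriptRoot 'Enterprise Single Sign-On.msi'),
    [switch]$RemoveUserData    # only wipe soft tokens/credentials when explicitly asked
)

# Data and registry locations documented in section 4.5.
$userData = Join-Path $env:APPDATA 'SAP\signon'
$regKeys  = @(
    'HKLM:\SOFTWARE\SAP\signon',
    'HKCU:\Software\SAP\signon'
)

# 1. Unattended removal: the msiexec /x syntax from section 4.4, plus /qn
#    (no UI), /norestart (the operator decides when to reboot) and a verbose
#    log. Exit code 3010 means "success, reboot required".
$rebootNeeded = $false
if ($PSCmdlet.ShouldProcess($MsiPath, 'msiexec /x')) {
    $log = Join-Path $env:TEMP 'esso-remove.log'
    $p = Start-Process -FilePath msiexec.exe `
        -ArgumentList @('/x', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"") `
        -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        throw "msiexec failed with exit code $($p.ExitCode); see $log"
    }
    $rebootNeeded = ($p.ExitCode -eq 3010)
}

# 2. Optional clean-up of the data the MSI leaves behind on purpose.
#    Deleting %AppData%\SAP\signon destroys soft tokens and captured
#    credentials, so this is gated behind -RemoveUserData and honours -WhatIf.
if ($RemoveUserData) {
    if ((Test-Path -LiteralPath $userData) -and
        $PSCmdlet.ShouldProcess($userData, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $userData -Recurse -Force
    }
    foreach ($key in $regKeys) {
        if ((Test-Path -LiteralPath $key) -and
            $PSCmdlet.ShouldProcess($key, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    }
}

# 3. Report what is left so the result can be verified before rebooting.
[pscustomobject]@{
    UserDataPresent = (Test-Path -LiteralPath $userData)
    HklmKeyPresent  = (Test-Path -LiteralPath $regKeys[0])
    HkcuKeyPresent  = (Test-Path -LiteralPath $regKeys[1])
    RebootRequired  = $rebootNeeded
}
```

Run it with -WhatIf first to see what would be removed. Note that %AppData% and HKEY_CURRENT_USER are per-user: the script only cleans the profile it runs under, so on a shared workstation the clean-up step has to be repeated for each user profile that initialized Enterprise Single Sign-On.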
4.6 Update Enterprise Single Sign-On
Use
Update Enterprise Single Sign-On to the latest version. For E-SSO 1.0.0 it is also necessary to update the Java Access Bridge and Secure Login Client to newer versions.
Prerequisites
You need administrator rights (role or group member) to perform the update procedure.
Procedure
1. Update the Secure Login Client. For information see the Secure Login Configuration and Installation Guide.
2. Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18]. It is not necessary to restart the computer.
This does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well, see Complete Removal Options [page 20].
3. If upgrading from E-SSO 1.0.0, remove Java Access Bridge 2.0.1.
4. Restart the computer.
5. If upgrading from E-SSO 1.0.0, install Java Access Bridge 2.0.2. See Preparation Steps for Java Applications [page 8].
6. Install Enterprise Single Sign-On 1.x. See Preparation Steps for Java Applications [page 12].
If you intend to re-use the existing credential store (soft token or smart card) make sure you re-install the correct authentication method – this can also be changed after installation via the Local Management Console.
5 Configuration
Some of the steps in this chapter involve modification to the Windows registry. Incorrectly modifying the registry can cause serious problems that may require the reinstallation of the operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Although the modification process has been made as foolproof as possible (semi-automated via group policies) there may still be unforeseen conflicts – most of them are out-of-scope of this product. Manual modification of the registry is not considered part of this product and may be attempted at your own risk.
5.1 Card Reader Configuration
Use
If you have more than one smart card reader connected to the client computer and you intend to use one of them with Enterprise Single Sign-On, you must use the Enterprise Single Sign-On Card Configuration Tool to define the card reader intended for use with Enterprise Single Sign-On. You can configure the card reader any time after installing Enterprise Single Sign-On.
Procedure
1. Start the Enterprise Single Sign-On Card Configuration Tool as follows:
Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool
Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-SSO Card Configuration Tool
2. The Enterprise Single Sign-On Card Configuration Tool dialog will appear:
The active card reader configuration is listed in the upper field Current Configuration.
Click Refresh to update the list of currently connected smart card readers in the Available PC/SC smart card readers combo-box.
Enable Favour readers with inserted smart card if you want to automatically display only those readers that currently have a smart card inserted in them (click Refresh first!).
Click Reset in the lower left corner to erase the active settings.
3. Select the card reader you want from the Available PC/SC smart card readers combo-box and click OK. The E-SSO Card Configuration Tool dialog will close.
4. To complete card reader configuration:
Windows XP: Restart your system.
Windows Vista and Windows 7: Log off and log back in to the system.
5.2 Adding Group Policy Templates via Group Policy Editor
Use
Add Enterprise Single Sign-On templates to the Group Policy Editor for the purpose of E-SSO configuration.
Local configuration: If you are not member of a domain, you can also define the settings locally using the Microsoft Group Policy Editor.
As a member of a Domain: You can run the Microsoft Group Policy Editor if your workstation is member of a domain.
Prerequisites
If you are running the Microsoft Group Policy Editor as a member of a domain, your workstation must be connected to the domain for the settings to take effect. If your workstation is offline, the settings will not be applied to the registry. For a detailed description, consult the relevant Microsoft documentation.
Procedure
1. To start the Microsoft Group Policy Editor:
Windows Vista / Windows 7: click Start, enter gpedit.msc in the Search programs and files field and press Return.
Windows XP: click Start > Run, enter gpedit.msc in the Open field and click OK.
2. The Group Policy Editor window will appear.
3. Open the Computer Configuration node, right-click the Administrative Templates node and select Add/Remove Templates from the context menu.
4. The Add/Remove Templates dialog will appear.
5. Click Add.
6. The Policy Templates dialog is shown. Locate the following directory in the Enterprise Single Sign-On delivery package: Extras\adm\en:
For Windows XP: Use the Ctrl key to select the files csp_xp.adm, gina_xp.adm, and signon.adm. Click Open.
For Windows Vista and Windows 7: Use the Ctrl key to select the files crp.adm and signon.adm. Click Open.
7. The Add/Remove Templates dialog will reappear; click Close.
8. The templates are now imported to the Group Policy Editor. Click Administrative Templates > SAP AG to view the Enterprise Single Sign-On configuration options.
9. You are now ready to configure Enterprise Single Sign-On. The following sections detail each of the configuration options.
5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options
Use
Configure the parameters related to the behavior of the CRP. These parameters apply only to smart card-based authentication – they cannot be used for soft token authentication.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options
Parameters
Allow logon certificate expiration check
This parameter allows the certificate on the smart card to be checked for validity; the logon process only continues if the certificate is valid.
Enabled: The certificate validity check is performed after the user clicks the OK button in the Windows logon PIN dialog. The certificate is valid if the system date and time is within the validity range of the authentication certificate. If the certificate is invalid, an error message is displayed.
Disabled: The certificate validity check is deactivated for both the Windows logon and the screen unlock.

Allow logon certificate expiration warning
The parameter sets an integer value that indicates the number of days before a certificate expires. A maximum of 60 days is possible. The warning appears as a text message in the Windows logon user interface.

Allow logon certificate update
Enabled: The CRP checks for new certificates during logon and screen unlock.
Disabled: No CRP check is performed.

Allow logon help wizard
Enabled: The Logon Help link is visible in the selected CRP. It supports the functions that allow the user to change the PIN and unblock the token.
Disabled: The Logon Help link is not displayed in the selected CRP.

Allow unlock certificate expiration check
This parameter allows the certificate validity check on Windows unlock. The setting can only be enabled if the parameter Allow logon certificate expiration check is also enabled.
When the parameter is enabled, the certificate is checked using the same rules as for Windows logon.

Default key container label
This parameter defines, via its label, the certificate to be used for certificate-based Windows logon.
Enter the PKCS#11 label of the certificate you want to use. It can be either User Certificate or Signing Certificate.

Enable SAP Certificate Based Logon
This parameter enables logon to Windows using the credentials contained within the certificate; the user need only authenticate via a PIN.
Enabled: The E-SSO certificate-based logon is not filtered.
Disabled: The E-SSO certificate-based logon is filtered.

Enable SAP Password Based Logon
This parameter enables logon to Windows using the username and password of the user stored on the smart card.
Enabled: The E-SSO password-based logon is not filtered.
Disabled: The E-SSO password-based logon is filtered.

Filter
This parameter allows you to disable any registered Credential Provider (CRP) used for the Windows logon. Basic description (for a full description see Apply E-SSO Filter [page 27]):
Double-click the Filter entry to open the Filter Properties dialog.
Enable the parameter and click Show… to display the Show Contents dialog.
Click Add to display the Add Item dialog for filter entries.
The Enter the name of the item to be added field must contain the GUID enclosed in '{ }' (braces). For example: {25CBB996-92ED-457e-B28C-4774084BD562}
The Enter the value of the item to be added field must contain the scenarios to which the E-SSO filter is applied, separated by ';' (semicolon), with no spaces between scenarios. For example: <LOGON;UNLOCK;CHANGE;CREDUI>
The scenarios to which the E-SSO filter can be applied are as follows:
LOGON (restarting the computer, switching user, logging off the computer)
UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)
CHANGE (pressing Ctrl-Alt-Delete and then selecting 'Change Password'; forced password change)
PLAP (Pre-Logon-Access Provider screen)
CREDUI (authentication on remote machines, prompting in User Account Control)
If you leave an empty string, the default filter values are applied to all 5 scenarios.

Prevent smart card lock on workstation lock
If this parameter is enabled, it prevents the smart card from being locked when the workstation is locked. This parameter can be used, for example, by PMF scripts for underlying applications that still require smart card access.
By default, this parameter is disabled and the smart card is always locked.
5.4 Apply E-SSO Filter
Use
The E-SSO Filter has been provided to disable any registered CRP for logon under Microsoft Windows Vista/7. The E-SSO Filter can be administered from a central location via Group Policy Objects. This parameter allows you, for example, to filter out (hide) all CRPs so that the only one left can be used for Windows logon via smart card / Enterprise Single Sign-On. To remove a CRP from the Windows logon, the administrator has to enable the E-SSO filter policy in the Group Policy Object Editor. The Filter parameter applies only to smart card-based authentication – it cannot be used for soft token authentication!
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options.
2. Double click Filter.
3. The Filter dialog will appear. Select Enabled and click Show (in the Options panel).
4. The Show Contents dialog will appear.
The Value name field is for the GUID of the CRP that you want to filter out - and therefore will not be available to the user. The GUID must be obtained via the Registry Editor and is detailed in the next steps.
The Value field is for the scenarios to which E-SSO filter will be applied.
5. Open the Windows Registry Editor. Click Start and enter regedit into the Search programs and files field.
6. Open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
7. You should now see a list of folders, each with a number/letter combination. This combination is also known as the GUID. Each of them represents a CRP registered with Windows. Click each one to display its values in the right panel – and therefore identify the purpose of the CRP.
8. Copy and paste the number/letter combination of the folder (the GUID), including the braces. For example: {25CBB996-92ED-457e-B28C-4774084BD562}. To copy the folder/GUID name:
Right-click the folder and select Rename from the context menu. The folder name is highlighted and ready to be changed.
Press Ctrl-C to copy the name. DO NOT change it!
Abort the Rename function by clicking elsewhere in the Registry Editor window.
A list of default GUIDs in Windows Vista and Windows 7 can be found at the end of this section. See Default GUIDs [page 29].
9. Go back to the Show Contents dialog. Paste the folder/GUID name into the Value name field.
10. In the Value field, enter the names of the scenarios to which the CRP filter will be applied. The scenarios must be separated by ';' (semicolon), with no spaces between each one.
For example: <LOGON;UNLOCK;CHANGE>. The scenarios to which the Enterprise Single Sign-On filter can be applied are as follows:
LOGON (restarting the computer, switching user, logging off the computer)
UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)
CHANGE (pressing Ctrl-Alt-Delete and then selecting 'Change Password'; forced password change)
PLAP (Pre-Logon-Access Provider screen)
CREDUI (authentication on remote machines, prompting in User Account Control)
If you leave an empty string, the filter is applied to all 5 scenarios.
11. Click OK to close the Add Item dialog. The GUID of the CRP has now been added to the CRP filter.
12. Repeat steps to add other providers to the CRP list.
13. To delete CRPs:
Windows Vista / 7: highlight an entry and press the Del (delete) key.
Default GUIDs
Credential Provider               GUID
Generic Provider                  {25CBB996-92ED-457e-B28C-4774084BD562}
Network Provider (NPProvider)     {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
Password Provider                 {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
Smartcard Credential Provider     {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
Additional third-party CRPs can be found in the following registry hive: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
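Steps 5 to 10 above (reading the CRP GUIDs out of the registry and typing a GUID plus a scenario list into the Filter policy) are easy to get wrong by hand: a missing brace or a space after a semicolon silently produces an entry that matches nothing. The following PowerShell functions are an added example, not code from the SAP guide: one lists the registered providers with their GUIDs from the hive named in this section, the other validates a GUID and scenario list before you paste them into the Show Contents dialog. The function names and the regular expression are assumptions; the hive, the five scenario names and the Password Provider GUID are taken from this guide.

```powershell
# Added example (not SAP code): enumerate the Credential Providers registered
# on this machine and build a validated entry for the E-SSO "Filter" policy
# (sections 5.3 and 5.4). Scenario names are the five listed in the guide.
$script:CrpHive   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$script:Scenarios = @('LOGON', 'UNLOCK', 'CHANGE', 'PLAP', 'CREDUI')

function Get-CredentialProvider {
    # One object per subkey: the key name is the GUID (with braces) and the
    # key's default value is the provider's display name (step 7 of 5.4).
    Get-ChildItem -LiteralPath $script:CrpHive | ForEach-Object {
        [pscustomobject]@{
            Guid = $_.PSChildName
            Name = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        }
    }
}

function New-EssoFilterEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Guid,
        [string[]]$Scenario = @()    # empty = all five scenarios (the guide's default)
    )
    # The Value name must be the braced GUID exactly as it appears in the registry.
    if ($Guid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a braced GUID: $Guid"
    }
    # Scenario names are case-sensitive in the guide's examples, so compare exactly.
    $bad = $Scenario | Where-Object { $script:Scenarios -cnotcontains $_ }
    if ($bad) { throw "Unknown scenario(s): $($bad -join ', ')" }
    # The Value is the scenario list joined by ';' with no spaces.
    [pscustomobject]@{ ValueName = $Guid; Value = ($Scenario -join ';') }
}

# Usage: list every registered provider, then produce the entry that would
# hide the built-in Password Provider (GUID from the Default GUIDs table)
# in the logon, unlock and change-password scenarios. Nothing is written
# to the policy here; the output is what you paste into the Show Contents dialog.
Get-CredentialProvider | Format-Table -AutoSize
New-EssoFilterEntry -Guid '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' -Scenario LOGON, UNLOCK, CHANGE
```

Before rolling a filter out through Group Policy, apply it to a single test machine and confirm you can still log on with the provider you intended to keep: a filter that hides the Password Provider in the LOGON scenario, combined with a broken reader or missing card, leaves no interactive logon path on that machine.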
5.5 Password Credential Options
Use
Configure the parameters related to the appearance of the Enterprise Single Sign-On Logon dialog for the password provider. These parameters apply only to smart card-based authentication – they cannot be used for soft token authentication.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options
Parameters
Allow auto password generation
This parameter supports the automatic generation of a Windows logon password if a password change is requested.
By default, this parameter is disabled. When the parameter is disabled, the CRP performs a normal interactive password change.

Allow view UPN certificate
This parameter allows you to enable or disable certificate user name presentation. It is only used by the password-based CRP that has an additional certificate stored on the smart card. The CRP for certificate-based logon presents the certificate subject as soon as the smart card is inserted.
If this parameter is disabled, a default text is used.
With this parameter enabled, the "User Principal Name" attribute of the public authentication certificate on the smart card is read by the CRP and presented to the user as text. The parameter should show the name of the user, for example <John.Doe@domain>, without the domain name. If no name could be extracted, the policy is treated as disabled.
By default, this parameter is disabled in the CRP.

Prevent password expire message
If the Windows password is about to expire, a message is displayed in which you can choose whether to change the password now. If the user declines, a normal logon is performed. If the user accepts the message by clicking the OK button, a password change is performed.
If this parameter is activated (and the automatic password change policy is activated), the message is not shown and the password is changed immediately without user interaction.
By default the parameter is deactivated and the message is always shown.

Set custom tile image for password credential
The custom image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation.
The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory).
See Customize Tile Image Bitmaps [page 32] for more information about customizing tile image bitmaps.
5.6 Certificate Credential Options
Use
Configure the parameters related to the appearance of the Enterprise Single Sign-On Logon dialog for the certificate provider. This parameter applies only to smart card-based authentication – it cannot be used for soft token authentication.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Certificate Credential Options
Parameters
Set custom tile image for certificate credential
The custom image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation.
The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory).
See Customize Tile Image Bitmaps [page 32].
5.7 Customize Tile Image Bitmaps
Use
Customize tile image bitmaps for a password or certificate credential. This parameter applies only to smart card-based authentication – it cannot be used for soft token authentication.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options or Certificate Credential Options.
2. Double-click Set custom tile image for password (or certificate) credential.
3. The Set custom tile image for password (or certificate) credential Properties dialog will appear.
4. Select Enabled.
5. Enter the location of the bitmap into the field. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps\CRP_tile_logo.bmp, and not in the %Program Files% directory).
6. Click Apply to save the changes and click OK to close the window.
5.8 Logon Settings
Use
Configure the parameters related to Windows XP logon. The parameters in this section apply only to smart card-based authentication – they cannot be used for soft token authentication.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings
Parameters
Background refresh for fast screen unlock
Enter either of the following values to disable or enable background refresh:
0: Background refresh disabled
1: Background refresh enabled
If this parameter is enabled, the parameter Timeout for fast screen unlock is ignored.

Custom Bitmaps
The smart card image bitmap is normally installed and configured during product installation. Use this parameter to define a custom smart card image:
Enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (160 wide x 100 high, in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\SC.bmp
See Customizing Bitmaps for Smart Card [page 35].

Default Domain
This parameter defines the default domain to use for the Windows logon if more than one Windows domain exists.

Display Options
You can specify the display options of the E-SSO Logon dialog:
Disable GINA dialog elements: You can disable either or both of the Dialup Checkbox and the Domain Selection.
Select Show Enter PIN Options to display all PIN options on the E-SSO Logon dialog.
To show the PIN option that was used during the previous login, select Show Enter PIN Options persistent.
Enable Check 'Logon with certificate' persistent to limit the Windows logon options to certificate-based logon only.
Note: This parameter is only applicable if the parameter Enable certificate-based logon is enabled.

Enable certificate-based logon
This parameter enables certificate-based logon.

Enable 'Generate new password' for new entry
If this parameter is enabled, new passwords are automatically generated for new entries on logon. Passwords are automatically changed if the domain requires changing the logon password.

Enable password-based logon
This parameter enables password-based logon.

Generated password length
This parameter specifies the default password length. Another policy that sets the minimum password length may exist. To ensure that this parameter does not conflict with it, make sure that the default password length is greater than or equal to the minimum password length set by other policy settings.
You can check the policies in the following registry settings:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
Value Name: MinPwdLen
Data Type: REG_BINARY (Binary Value)

Lock token if workstation is locked
When enabled, this parameter closes the token if the workstation is locked and the token remains in the reader.
Attention: A locked token is more secure but can cause conflicts (for example, if an application needs to access the token while the workstation is locked).

Logging location
If logging is enabled, this parameter specifies the location of the log. The default log file is C:\temp\login.log.

Logon password not stored
If this parameter is enabled, the Windows logon password is not stored on the smart card. The user is asked for the Windows logon password on every logon.

Message box caption
Specify a message box caption. This parameter is enabled by default.

PIN pane image
Instead of a white background image, you can specify a new image for the Enterprise Single Sign-On logon and unlock dialogs.
Enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (455 wide x 70 high, in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\PINpane.bmp
See Customizing PIN Pane Image Bitmap [page 35].

Prevent logon without smart card
If this parameter is enabled, you can only log in using a smart card.
If this parameter is disabled, you can log in by pressing CTRL-ALT-DEL and entering a user ID and password.
NOTE: If this parameter is enabled, logging in to the system with a defective card reader or an absent smart card is not possible.
This parameter is set after the first successful smart card logon.

ShowPwdExpiresMsg
If the Windows password is about to expire, a message is displayed prompting the user to change the password now or later.
If this parameter is disabled and automatic password change is activated, the message is not shown and the password is changed without user interaction.

Timeout for fast screen unlock
This parameter defines the time window (in minutes) for the fast screen unlock.
If the value is 0, fast screen unlock is inactive and the system performs full authentication.
If the last screen unlock or login was less than the time window ago, a fast screen unlock is carried out.
If the last screen unlock was longer ago than the time window, a full screen unlock including refresh of the Kerberos tickets is performed.

Use certificate-based logon by default
This parameter defines the default logon option if both certificate-based logon and password-based logon are enabled.

Validate logon certificate expiration
If this parameter is enabled, the expiry date of the logon certificate is checked during logon. Optionally, the certificate expiry date can also be checked during unlock. The user is not allowed to log on if the certificate has expired.
Note: No CRL checking is performed!
This feature can delay the logon procedure for password logon.

Warn for logon certificate expiration
If this parameter is enabled, the expiry date of the logon certificate is checked during logon and unlock. A warning message is displayed if the certificate will expire within a defined number of days.
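The Generated password length parameter above tells you to compare the value you set against the MinPwdLen policy value in the two Policies\Network keys. The following PowerShell is an added example, not code from the SAP guide: it reads MinPwdLen from both hives, decodes the REG_BINARY bytes as a little-endian integer (an assumption about how the value is stored), also reads the effective minimum password length that "net accounts" reports (an assumption that the output is in English), and checks a planned generated-password length against the larger of the two. Function names are assumptions.

```powershell
# Added example (not SAP code): check a planned "Generated password length"
# against the minimum password length enforced by policy. Sources:
#  - the MinPwdLen REG_BINARY value in the HKCU/HKLM Policies\Network keys
#    named in the Logon Settings table (decoded as little-endian; assumption)
#  - the account policy reported by "net accounts" (English output assumed)
function ConvertFrom-RegBinaryInt {
    param([byte[]]$Bytes)
    # Little-endian: the last byte is the most significant.
    $n = 0
    for ($i = $Bytes.Length - 1; $i -ge 0; $i--) { $n = ($n * 256) + $Bytes[$i] }
    return $n
}

function Get-MinPwdLenPolicy {
    # Returns the largest MinPwdLen found in either hive, or 0 if neither is set.
    $paths = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'
    )
    $min = 0
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $v = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).MinPwdLen
        if ($null -eq $v) { continue }
        # REG_BINARY arrives as byte[]; tolerate a REG_DWORD as well.
        $len = if ($v -is [byte[]]) { ConvertFrom-RegBinaryInt $v } else { [int]$v }
        if ($len -gt $min) { $min = $len }
    }
    return $min
}

function Get-AccountPolicyMinLength {
    # Effective local/domain account policy, e.g. "Minimum password length    7".
    # "None" (no minimum) or a missing line yields 0.
    $line = (net accounts 2>$null) |
        Where-Object { $_ -match '^Minimum password length' } |
        Select-Object -First 1
    if ($line -and $line -match '(\d+)\s*$') { return [int]$Matches[1] }
    return 0
}

function Test-GeneratedPasswordLength {
    param([Parameter(Mandatory = $true)][int]$GeneratedLength)
    $regMin = Get-MinPwdLenPolicy
    $acctMin = Get-AccountPolicyMinLength
    $min = [Math]::Max($regMin, $acctMin)
    [pscustomobject]@{
        GeneratedLength     = $GeneratedLength
        RegistryMinPwdLen   = $regMin
        AccountPolicyMinLen = $acctMin
        Compatible          = ($GeneratedLength -ge $min)
    }
}

# Usage: the value you intend to enter in "Generated password length".
Test-GeneratedPasswordLength -GeneratedLength 12
```

The second source matters on domain-joined machines: the Policies\Network value the guide names is often absent there, while the domain password policy still rejects a generated password that is too short, which would surface as a failed automatic password change at logon.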
5.9 Customizing Bitmaps for Smart Card
Use
Customize the image used to represent the smart card image in the Unlock Computer (PIN pane) dialog.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. Create a new image that must adhere to the following:
The image should be in BMP format.
The image size should be 160x100 pixels.
2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.
3. Double-click Custom Bitmaps.
4. The Custom Bitmaps Properties dialog will appear:
5. Enable the setting. The Enter <path>\<filename> field will be enabled.
6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\smartcard.bmp>.
7. Click Apply to save the changes, and click OK to close the window.
5.10 Customizing PIN Pane Image Bitmap
Use
Customize the image used as a banner in the Unlock Computer (PIN pane) dialog.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Procedures
1. Create a new image that must adhere to the following:
The image should be in BMP format.
The image size should be 455x70 pixels.
2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.
3. Double-click PIN pane image.
4. The Custom Bitmaps Properties dialog will appear:
5. Enable the setting. The Enter <path>\<filename> fields will be enabled.
6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\PINpane.bmp>.
7. Click Apply to save the changes, and click OK to close the window.
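Sections 5.5 to 5.10 all impose the same rules on a custom image (BMP format, a fixed pixel size, a local non-network drive, not under Program Files) and only the expected size differs: 256x256 for the two tile images, 160x100 for the smart card bitmap and 455x70 for the PIN pane image. The following PowerShell is an added example, not code from the SAP guide or the product, that checks a bitmap against those rules before you enter its path in a policy. It reads width and height from the standard BMP header rather than using an imaging library; the function and parameter names are assumptions, the sizes are those stated in this guide.

```powershell
# Added example (not SAP code): validate a custom logon bitmap against the
# rules in sections 5.5 to 5.10 before entering it in a policy.
# Sizes (width, height) are taken from the guide.
$script:TileSizes = @{
    PasswordTile    = @(256, 256)   # 5.5 Set custom tile image for password credential
    CertificateTile = @(256, 256)   # 5.6 Set custom tile image for certificate credential
    SmartCard       = @(160, 100)   # 5.8 Custom Bitmaps / 5.9
    PinPane         = @(455, 70)    # 5.8 PIN pane image / 5.10
}

function Get-BmpSize {
    param([Parameter(Mandatory = $true)][string]$Path)
    # BMP layout: 'BM' signature at offset 0, then BITMAPINFOHEADER with
    # int32 width at offset 18 and int32 height at offset 22 (little-endian).
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $hdr = New-Object byte[] 26
        if ($fs.Read($hdr, 0, 26) -lt 26 -or $hdr[0] -ne 0x42 -or $hdr[1] -ne 0x4D) {
            throw "$Path is not a BMP file (missing 'BM' signature)"
        }
        $w = [BitConverter]::ToInt32($hdr, 18)
        # A negative height only means top-down row order, so use the magnitude.
        $h = [Math]::Abs([BitConverter]::ToInt32($hdr, 22))
        return ,@($w, $h)
    } finally { $fs.Dispose() }
}

function Test-LogonBitmap {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)]
        [ValidateSet('PasswordTile', 'CertificateTile', 'SmartCard', 'PinPane')]
        [string]$Kind
    )
    $problems = @()
    $full = [System.IO.Path]::GetFullPath($Path)

    # Rule: not on a network drive (neither a UNC path nor a mapped drive letter).
    if ($full.StartsWith('\\')) {
        $problems += 'UNC path: the bitmap must not be on a network drive'
    } else {
        $drive = Get-PSDrive -Name $full.Substring(0, 1) -PSProvider FileSystem -ErrorAction SilentlyContinue
        if ($drive -and $drive.DisplayRoot) {
            $problems += "Drive $($drive.Name): is mapped to $($drive.DisplayRoot); use a local drive"
        }
    }
    # Rule: not under the Program Files directory (user- and language-independent location).
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
        if ($full.StartsWith($pf, [StringComparison]::OrdinalIgnoreCase)) {
            $problems += "Path is under $pf; use a folder such as C:\logonbitmaps instead"
        }
    }
    # Rule: BMP format with the size the guide requires for this image kind.
    if (-not (Test-Path -LiteralPath $full)) {
        $problems += 'File not found'
    } else {
        try {
            $size = Get-BmpSize -Path $full
            $want = $script:TileSizes[$Kind]
            if ($size[0] -ne $want[0] -or $size[1] -ne $want[1]) {
                $problems += "Size is $($size[0])x$($size[1]), expected $($want[0])x$($want[1])"
            }
        } catch { $problems += $_.Exception.Message }
    }
    [pscustomobject]@{ Path = $full; Kind = $Kind; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: check the example path from section 5.7 as a password tile image.
Test-LogonBitmap -Path 'C:\logonbitmaps\CRP_tile_logo.bmp' -Kind PasswordTile
```

Because the logon UI reads these files before anyone is logged on, keep the folder you choose (for example C:\logonbitmaps) readable by everyone but writable only by administrators, so that the image shown on the logon screen cannot be replaced by an ordinary user.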
5.11 Local Management Console Options
Use
Configure options related to the Local Management Console.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Windows XP: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options
Windows Vista and Windows 7: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options
Parameters
Backup Expiry Time
This parameter defines the number of days a deleted entry remains flagged as 'deleted' before it is erased.
To ensure correct synchronization, deleted entries are first flagged as deleted before they are finally removed from the password file.
If you disable this parameter or do not configure it, the default value of 90 days is applied.

Backup History Path
This parameter defines the full path to the folder in which the backup history files are stored.
Note: Every Enterprise Single Sign-On user needs read/write permission to the folder specified by this parameter.

Backup History Size
This parameter applies to smart card-based authentication only.
For every change made (for example, change, create or delete), a backup of the password file stored on the card is created. This parameter defines the maximum number of backup files per user.
Note: Every Enterprise Single Sign-On user needs read/write permission to the folder specified by the Backup History Path parameter.

Disable Drag and Drop Credentials Submenu
If this parameter is enabled, a user is unable to open the Drag and Drop Credentials dialog from the SSO Tray Utility menu.
For more information about the Drag and Drop Credentials feature, see the Enterprise Single Sign-On User Guide.

Disable Feature of SSO Learning Wizard
If this parameter is enabled, the SSO Learning Wizard features (automatically detect and register a new application) are inactive.
For more information about the Register a New Application feature, see the Enterprise Single Sign-On User Guide.

Disable Features of SSO Monitor
If this parameter is enabled, the features of SSO Monitor (automatically register a new application and automatic login to applications) are inactive.
For more information about the Register a New Application and Automatic Login features, see the Enterprise Single Sign-On User Guide.

Drag & Drop Characters Send Speed
This parameter allows you to specify the speed with which characters are sent to the destination window during a drag & drop operation. The send speed is the latency between the sending of consecutive characters.
The send speed is defined in milliseconds. By default, the send speed is 40 milliseconds. However, some applications, such as Terminal Services clients on slow connections, need a lower send speed to guarantee that all characters reach the destination window.
The drag & drop operation sends KEYDOWN, then waits for half of the latency time before KEYUP is sent. It then waits for the other half before the next character's KEYDOWN is sent.

Drag & Drop Characters Erase Input Fields
If this parameter is enabled, the content of a destination field is erased before the drag & drop content is dropped into the field.

Hide LMC Dialog
If this parameter is enabled, the Local Management Console submenu is not displayed in the context menu available via the system tray icon.

Hide SSO Tray Icon
If this parameter is enabled, the E-SSO icon in the system tray is hidden.

Local Backup Path
This parameter defines the full path to the folder in which the backup files are stored.
Note: The destination folder must be accessible while the user is not logged in.

Show credentials dialog
If this parameter is enabled, a dialog containing the list of credentials linked to the application is shown. From this dialog, the user can select the credential to log in with.

SSO Monitor trace and log
If this parameter is enabled, trace messages from the E-SSO Monitor component are logged. This setting is useful for debugging purposes.

SSO User Activity Trace and Log
If this parameter is enabled, E-SSO traces and logs the activities performed by the user.
5.12 SSO User Activity Trace and Log Filter
Use
The Secure Login Notification Viewer (Log Console) will also display E-SSO user trace messages. Use the filter feature to view only user trace information.
Prerequisites
Before using this feature, make sure that the ADM setting SSO User Activity Trace and Log is enabled. See Local Management Console Options [page 38].
Procedures
The Secure Login Notification Viewer (Log Console) can be accessed via C:\Program Files\SAP\FrontEnd\SecureLogin\bin\sbustrace.exe. For more information about this utility, see the Secure Login Installation, Configuration, and Administration Guide.
Click the Secure Login taskbar icon to open the certificate/token dialog. Select the menu bar entry View > Log Console.
5.13 Web Setting
Use
Configure parameters related to the Web settings.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Web Settings
Parameters
Parameter Description
Auto detect Web login form: This parameter allows E-SSO to automatically detect Web application authentication fields and pop up the registration wizard.
Enabled: E-SSO will automatically detect Web application authentication fields and pop up the registration wizard.
Disabled: Automatic detection will not take effect. The user can register the Web application by using the Save button in the E-SSO Internet browser toolbar.
5.14 LMC Setting
Use
Configure parameters related to the Local Management Console (LMC) settings.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > LMC Settings
Parameters
Parameter Description
Hide password policy for normal user: This parameter allows E-SSO to hide the password policy node in the Local Management Console.
Enabled: The password policy will either be hidden or set to read-only.
Disabled: The password policy in the LMC will be visible to a normal user.
5.15 Soft Token Settings
Use
Configure parameters related to soft tokens.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Soft token setting
Parameters
Parameter Description
Minimum characters of answer or password string: Defines the minimum number of characters used for the security question and answer fields.
Softtoken Path Configuration: This parameter defines the full path to the folder in which the soft token files will be stored. Each user needs read/write permissions to this folder.
For example, to configure the soft token path to a company's network location <G:\ShareAll>, click Enabled, enter the network location into the Softtoken Path field, and click Apply.
Softtoken Password File Size: This parameter defines the size of the soft token file. There are three options for the password file size:
Small: 1280 bytes (approximately 20 entries)
Medium: 3840 bytes (approximately 40 entries)
Large: 7680 bytes (approximately 60 entries)
If you disable this setting or do not configure it, the default value (Small) will be used.
5.16 Terminal Emulator Host Configuration
Use
Configure parameters related to terminal emulator hosts.
Prerequisites
See Adding Group Policy Templates via Group Policy Editor [page 22]
Location
Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > Terminal Emulator Host Configuration
Parameters
Parameter Description
Configure the first host, Configure the second host, Configure the third host, Configure the fourth host, Configure the fifth host: These parameters define the values to be used for each terminal emulator host.
Hostname or IP: The host name or IP address of the host.
The string to detect Username: The title of the user name field. This string must be the same as the label of the field in which the user enters the user name on the host machine.
The string to detect Password: The title of the password field. This string must be the same as the label of the field in which the user enters the password on the host machine.
Control key after Username: The key value that the user presses after entering the user name. For example:
If the user presses the Enter key after entering the user name, the value here is {ENTER}.
If the user presses the Tab key after entering the user name, the value here is {TAB}.
If the user presses the Tab key twice after entering the user name, the value here is {TAB}{TAB}.
Control key after Password: The key value that the user presses after entering the password. For example:
If the user presses the Enter key after entering the password, the value here is {ENTER}.
If the user presses the Tab key after entering the password, the value here is {TAB}.
If the user presses the Enter key twice after entering the password, the value here is {ENTER}{ENTER}.
MaxLength of Username field: The maximum number of characters that the user can enter into the user name field.
MaxLength of Password field: The maximum number of characters that the user can enter into the password field.
5.17 Configuration of Smart Card Removal Behavior
Use
It is also possible to define what happens on the workstation when the smart card is removed from the reader. This is a setting of the Windows operating system.
Procedure
1. In the Group Policy Object Editor, open Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
2. The security options will appear in the right panel.
3. Double-click Interactive logon: Smart card removal behaviour.
4. Select the behaviour from the combo box and click OK. This is the behaviour that will occur when a smart card is removed. For example, to lock the workstation after the smart card is removed, select Lock workstation.
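Setting the policy is only half of the job: the removal behaviour is enforced by the Windows Smart Card Removal Policy service, and if that service is stopped the card can be pulled without the workstation reacting. The following PowerShell function is an added example, not part of the SAP guide, that reads the setting back on a client and reports whether it is in effect. It uses the standard Windows locations for this policy (the Winlogon ScRemoveOption registry value and the SCPolicySvc service), which are Windows-defined and not E-SSO settings.

```powershell
# Added example (not from the SAP guide): verify that the "Interactive logon:
# Smart card removal behavior" policy has landed on a client and that the
# service enforcing it is running. Registry value and service name are the
# standard Windows locations for this policy, not E-SSO settings.

function Get-SmartCardRemovalBehavior {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # ScRemoveOption is a REG_SZ holding one of these digits.
    $meaning = @{
        '0' = 'No Action'
        '1' = 'Lock Workstation'
        '2' = 'Force Logoff'
        '3' = 'Disconnect if a Remote Desktop Services session'
    }

    $raw = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if ($null -eq $raw)                              { $behavior = 'Not configured' }
    elseif ($meaning.ContainsKey([string]$raw))      { $behavior = $meaning[[string]$raw] }
    else                                             { $behavior = "Unknown value '$raw'" }

    # The Smart Card Removal Policy service (SCPolicySvc) performs the lock or
    # logoff; with it stopped, the setting is present but nothing happens.
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { [string]$svc.Status } else { 'Service not found' }

    [pscustomobject]@{
        ScRemoveOption = $raw
        Behavior       = $behavior
        ServiceState   = $serviceState
        # Effective only when a non-zero action is set AND the service runs.
        Effective      = ([string]$raw -in '1', '2', '3') -and ($serviceState -eq 'Running')
    }
}

Get-SmartCardRemovalBehavior | Format-List
```

Run it after a gpupdate on a test client; Effective = False with Behavior = Lock Workstation points at the service rather than the policy.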
6 Additional Information
6.1 Preparing Smart Cards for E-SSO
Use
To use a smart card with Enterprise Single Sign-On, you must first enable it by partitioning the card in readiness for the PMF file. This can be done via:
The E-SSO Smart Card Preparation Tool. See Preparing Smart Cards via E-SSO Smart Card Preparation Tool [page 45].
Windows XP GINA: See Preparing Smart Cards via Windows XP GINA [page 46].
Windows Vista or Windows 7 CRP: See Preparing Smart Cards via Windows Vista and Windows 7 Login [page 46].
6.1.1 E-SSO Smart Card Preparation Tool
1. Start the E-SSO Smart Card Preparation Tool located in the product download package under \Utilities\E-SSO_SmartCardPrep.exe.
2. The E-SSO Smart Card Preparation Tool dialog will appear:
3. First, it is necessary to authenticate to the smart card. Click Enter Smart Card PIN.
4. A PIN prompt will appear. Enter the PIN and click OK.
5. Now the smart card is ready for preparation. Click Add Sign-On.
Add Sign-On will be disabled if the smart card has already been enabled for Windows logon. If you wish to continue adding a sign-on object to the smart card, click Remove Sign-On.
6. The Please enter user name dialog will appear:
7. Enter the user's Windows credentials into the fields User name, Password and Log on to (domain). Select Write Windows login data to card to enable the Password and Log on to fields.
8. Select Verify before writing to card to check if the credential is correctly entered before adding the credential to the smart card.
9. The Token Type ID displays the token type of the current smart card system configuration and cannot be edited.
10. Click OK to add the E-SSO object to the smart card. If the Windows credentials were not previously entered, then the user will have to perform initial Windows logon (see the following sections for more information).
6.1.2 Preparing Smart Cards via Windows XP GINA
1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN. If not, the user will be prompted to use this card for Enterprise Single Sign-On:
2. Click Yes.
3. The Windows Logon Credentials dialog will appear:
Enter your user name and password for the Windows logon into the User name and Password fields, respectively.
Select the domain for the Windows Logon from the Log on to drop-down menu and click OK.
4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon.
5. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide.
For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.
6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login
1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN.
2. If the smart card meets the minimum requirements, you can enable the card for Enterprise Single Sign-On as follows:
Enter your user name into the first input field.
Enter your password into the second input field.
Enter the computer or network domain to which you want to log in into the third input field. By default, this field displays the computer name or network domain to which the last user logged in.
Click Save logon password on token in the Windows logon dialog.
3. The user will be prompted to use the currently connected smart card for Enterprise Single Sign-On. Click OK.
4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide.
For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.
6.2 Distribute Applications, Blacklist and Policies to Users
Use
Distribute pre-registered applications, blacklists, and policies to multiple users.
Soft Token
1. On the primary computer, register applications and create the blacklist and policies:
Register applications and link them to the appropriate credentials.
Register or add applications to the blacklist.
Create password policies.
After this step, the application (<*.api>), blacklist (<*.bll>) and policy (<*.plc>) files will have been created. For example: <user1.api>, <user1.bll>, <user1.plc>.
2. On the primary computer, create credentials in the soft token.
After this step, the credential file (<*.bin>) will have been created. For example: user1.bin.
3. On each secondary computer, terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOMonitor.exe, and click End Process).
4. To distribute applications, the blacklist and policies:
Copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer.
On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct user name (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.
5. To distribute credentials:
Copy the folder Softtoken (located in %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer.
On the secondary computer, open the Softtoken folder and rename the *.bin file to the correct user name (<%username%>.bin). For example: user2.bin.
6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.
Smart Card
1. On the primary computer, register applications and create the blacklist and policies:
Register applications and link them to the appropriate credentials.
Register or add applications to the blacklist.
Create password policies.
After this step, the application (<*.api>), blacklist (<*.bll>) and policy (<*.plc>) files will have been created. For example: <user1.api>, <user1.bll>, <user1.plc>.
2. On the primary computer, create credentials in the soft token.
After this step, the credential file (<*.bin>) will have been created. For example: user1.bin.
3. On each secondary computer, terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOMonitor.exe, and click End Process).
4. To distribute applications, the blacklist and policies:
Copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer.
On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct user name (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.
5. To distribute credentials via the Local Management Console to smart cards (the credentials have already been created in step 2 and stored in a soft token):
Open the Local Management Console and go to Authentication > Copy Token Contents. The Enterprise Single Sign-On Soft Token utility dialog will appear.
To copy the credentials to the smart card, select the credentials from the Credentials Stored in Soft Token list and click the transfer arrow ('up'). Once transferred, the credentials will appear in the Credentials Stored in Smart Card list. For more information about the Soft Token utility, see the Enterprise Single Sign-On User Guide.
6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.
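The copy-and-rename steps of both procedures above (the whole Soft Token procedure, and steps 1 to 4 and 6 of the Smart Card procedure, whose step 5 stays a Local Management Console action) are the same on every secondary computer, so they are a natural candidate for a script. The following PowerShell function is an added example and not part of the SAP guide. It assumes that the primary computer's AppInfo and Softtoken folders have already been copied to a staging location passed in -SourceRoot, that the installation folder the guide writes as %installation path%\SAP\signon is passed in -InstallPath, and that the script runs on the secondary computer while logged on as the user whose name the files must carry (so $env:USERNAME stands for the guide's <%username%>). The -IncludeCredentials switch selects the Soft Token variant; without it only the AppInfo files are distributed.

```powershell
# Added example (not from the SAP guide): scripted form of the distribution
# steps above, run on a secondary computer as the receiving user.
# Assumptions: the primary computer's AppInfo and Softtoken folders sit under
# -SourceRoot; SSOMonitor.exe lives in -InstallPath.

function Copy-EssoUserProfile {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [string]$InstallPath = (Join-Path $env:ProgramFiles 'SAP\signon'),
        [switch]$IncludeCredentials
    )
    $signon   = Join-Path $env:APPDATA 'SAP\signon'
    $userName = $env:USERNAME

    # Step 3: SSOMonitor.exe must not be running while its files are replaced.
    Get-Process -Name SSOMonitor -ErrorAction SilentlyContinue | Stop-Process -Force
    New-Item -ItemType Directory -Path $signon -Force | Out-Null

    # Folder -> extensions to rename to <username>.<ext>, as in steps 4 and 5.
    $sets = @{ AppInfo = @('.api', '.bll', '.plc') }
    if ($IncludeCredentials) {
        # The .bin file is the user's stored credentials: keep the staging
        # location restricted to the administrator doing the rollout and
        # delete it once the rollout is finished.
        $sets['Softtoken'] = @('.bin')
    }

    foreach ($folder in $sets.Keys) {
        $src = Join-Path $SourceRoot $folder
        $dst = Join-Path $signon $folder
        if (-not (Test-Path $src)) { throw "Source folder not found: $src" }
        Copy-Item -Path $src -Destination $signon -Recurse -Force

        foreach ($ext in $sets[$folder]) {
            $files = @(Get-ChildItem -Path $dst -File | Where-Object Extension -eq $ext)
            if ($files.Count -ne 1) {
                Write-Warning "$dst has $($files.Count) $ext files; expected exactly one, skipping."
                continue
            }
            $target = Join-Path $dst ($userName + $ext)
            if ($files[0].FullName -ieq $target) { continue }     # already named for this user
            if (Test-Path $target) { Remove-Item $target -Force }   # Rename-Item does not overwrite
            Rename-Item -Path $files[0].FullName -NewName ($userName + $ext)
        }
    }

    # Step 6: restart the monitor from the installation folder.
    Start-Process -FilePath (Join-Path $InstallPath 'SSOMonitor.exe')
}

# Constructed usage; the staging path is an example value.
Copy-EssoUserProfile -SourceRoot '\\fileserver\esso-staging\user1' -IncludeCredentials
```

The single-file check before renaming matters because the guide's rename only makes sense when the staging folder holds one set of files; two .api files would otherwise collide on the same target name.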
6.3 Handling Certificates
Use
The information in this section applies to smart card-based authentication only.
The E-SSO Certificate Store Provider enables you to access certificates stored on a smart card via the Microsoft certificate store Personal. In this way, smart card certificates are available to all applications that use CAPI (the Microsoft Cryptographic Application Programming Interface), enabling, for example, secure communication via Microsoft Outlook, the intranet and the Internet (SSL environment), without having to import the certificates manually.
If a smart card is removed from the card reader, its certificates are no longer accessible in the Microsoft certificate stores. In fact, the E-SSO certificate stores are physical stores administered by the logical Microsoft certificate store Personal.
Applications can only view and examine these certificates; deleting, relocating, adding and modifying certificates is not possible.
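The behaviour just described, certificates that appear in Personal while the card is inserted and vanish when it is removed, can be checked from PowerShell without opening the MMC snap-in. The following script is an added example, not part of the SAP guide; it reads the user's Personal store through the Cert: drive (Cert:\CurrentUser\My is the logical store the MMC snap-in labels Personal), takes a snapshot before and after the card is removed, and lists the entries that changed.

```powershell
# Added example (not from the SAP guide): show which Personal store entries
# come and go with the smart card. Cert:\CurrentUser\My is the logical store
# the MMC Certificates snap-in displays as Personal.

function Get-PersonalStoreSnapshot {
    @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey)
}

function Compare-PersonalStoreSnapshots {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Before,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$After
    )
    # '<=' marks entries present only before the card was removed, i.e. the
    # certificates the E-SSO physical store contributed.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property Thumbprint -PassThru |
        Select-Object @{ n = 'State'; e = { if ($_.SideIndicator -eq '<=') { 'Gone after removal' } else { 'New after removal' } } },
                      Thumbprint, Subject, HasPrivateKey
}

$withCard = Get-PersonalStoreSnapshot
"Personal store with card inserted: $($withCard.Count) certificate(s)"
Read-Host 'Remove the smart card from the reader, then press Enter' | Out-Null
$withoutCard = Get-PersonalStoreSnapshot

$diff = Compare-PersonalStoreSnapshots -Before $withCard -After $withoutCard
if (-not $diff) { 'No change in the Personal store: no smart card certificates were exposed.' }
else { $diff | Format-Table -AutoSize }
```

Entries that stay after removal belong to the user's ordinary software-based store and are unrelated to the card.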
6.3.1 Preparing the Microsoft Management Console for Certificates
Use
Prepare Windows for certificates in order to view, install, and export certificates.
Procedure
1. Start the Microsoft Management Console:
Windows XP: select Start > Run, enter mmc in the Run dialog and click OK.
Windows Vista / Windows 7: select Start, enter mmc in the Search programs and files field and click OK.
2. The Microsoft Management Console will appear. Select File > Add/Remove Snap-in from the menu.
3. Windows XP only: The Add/Remove Snap-in dialog will appear. Click Add.
4. The Add Standalone Snap-in (Windows XP) or Add or Remove Snap-ins (Windows Vista/7) dialog will appear. Select Certificates and click Add.
5. The Certificates snap-in dialog will appear.
6. Select the option My User Account and click Finish. Click OK to close the dialog.
7. Close the Microsoft Management Console.
6.3.2 Where to Get More Information
View Certificates
Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmprocsviewstores.mspx?mfr=true
Windows Vista and Windows 7: http://windows.microsoft.com/en-US/Windows7/View-or-manage-your-certificates
Import and Export Certificates
Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmintrocerts.mspx?mfr=true
Windows Vista and Windows 7: http://windows.microsoft.com/en-us/Windows7/Import-or-export-certificates-and-private-keys
7 Troubleshooting
Use
Overcome the most common problems to do with the installation or configuration of Enterprise Single Sign-On.
7.1 Preliminary Troubleshooting
Make sure that the system on which you are installing Enterprise Single Sign-On meets the minimum hardware and software requirements. For more information see Planning [page 7].
Is the version of Enterprise Single Sign-On up-to-date? Each release adds new features and fixes issues. Installing the latest version may clear any problems without the need for further troubleshooting. For more information see Installation, Update, and Removal [page 12].
7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On
Windows XP: You need administrator access rights (role or group member) to be able to install, modify components or remove Enterprise Single Sign-On. If you do not have administrator access rights, contact your system administrator for assistance.
Windows Vista and Windows 7: The Enterprise Single Sign-On installation package is signed to allow the system to identify the program. However, if this signature fails, the following User Account Control dialog will appear (providing User Account Control is active):
To continue the installation process, select the option Allow – I trust this program. I know where it’s from or I’ve used it before. The installation will proceed.
7.3 Smart Card Troubleshooting
Use
Overcome problems when the smart card is not available and/or not recognized by the system.
Procedure
1. Verify that a smart card reader is properly connected and recognized by the operating system.
2. Verify that the latest version of the smart card middleware (PKCS#11 library / middleware) is installed on the system.
3. If you are still prompted with the error dialog Smart card is not available, try re-inserting the smart card and/or restarting the system.
4. If all of the above fail, please contact your system administrator.
7.4 Multiple Smart Card Readers
Use
Troubleshoot problems if there are multiple card readers connected to the computer.
Procedure
Define the default smart card reader using the E-SSO Card Configuration Tool. For more information see Card Reader Configuration [page 21]. The tool may be started via the Local Management Console or via the menu entry Start > All Programs > SAP > signon > E-SSO Card Configuration Tool.
7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing
Use
This applies for Windows XP users only.
Procedure
In Windows XP Professional it is not possible to use the Windows Logon feature of Enterprise Single Sign-On if the computer is not a member of a domain. Microsoft does not support this for computers that are only members of a workgroup. If the Enterprise Single Sign-On login or GINA dialog does not appear after pressing Ctrl-Alt-Delete, make sure that the computer is a member of a domain.
7.6 Unable to Log In to the Network
Ensure that the user has correctly entered their user name and the domain name.
Verify that the computer is a member of a domain. Otherwise, add the user in Windows User Management. See Preparations Steps for Windows XP [page 8].
7.7 CRP Filter Does Not Disable Specified CRPs
Use
The CRP Filter has been provided to disable any registered CRP for Windows logon. Follow this procedure if you have added a filter but it does not disable the specified CRPs.
Procedure
1. Access the Filter properties > Show Contents dialog (see Apply E-SSO Filter [page 27]) and check the following values:
2. The Value Name field should display the GUID of the CRP that you want to filter. The GUID is a number/letter combination, including the curly brackets! For example: <{25CBB996-92ED-457e-B28C-4774084BD562}>.
3. The Value field should display the scenarios to which the filter will be applied, separated by a semicolon ';' with no spaces between the entries. For example: <LOGON;UNLOCK;CHANGE>.
4. If any of these values are incorrectly set, click Remove and add a new entry to the CRP list. See Apply E-SSO Filter [page 27].
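The two faults the procedure above describes, a GUID entered without its curly brackets and a scenario list with spaces around the semicolons, are easy to miss when reading the Show Contents dialog. The following PowerShell function is an added example, not part of the SAP guide, that checks filter entries for exactly those faults. It models each entry as a Value Name / Value pair (an assumption about how the entries are read out; the guide only shows the dialog) and treats LOGON, UNLOCK and CHANGE, the scenario names the guide shows, as the known set: any other token is reported for review, not rejected, since the guide does not list every scenario.

```powershell
# Added example (not from the SAP guide): check CRP filter entries for the
# formatting faults the troubleshooting procedure describes.
# Assumptions: entries are name/value string pairs; the known scenario names
# are the three the guide shows.

$KnownScenarios = @('LOGON', 'UNLOCK', 'CHANGE')

function Test-CrpFilterEntry {
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    $findings = @()

    # Value Name: a GUID in registry notation, i.e. with the curly brackets.
    if ($ValueName -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        $g = [guid]::Empty
        if ([guid]::TryParse($ValueName, [ref]$g)) {
            $findings += "Value Name '$ValueName' is a GUID but lacks its curly brackets; use '{$ValueName}'."
        } else {
            $findings += "Value Name '$ValueName' is not a GUID."
        }
    }

    # Value: scenarios separated by ';' with no whitespace anywhere.
    $tokens = @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($Value -match '\s') {
        $findings += "Value '$Value' contains whitespace; write it as '$($tokens -join ';')'."
    }
    if ($tokens.Count -eq 0) {
        $findings += 'Value is empty; at least one scenario is required.'
    }
    foreach ($scenario in $tokens) {
        if ($scenario -cnotin $KnownScenarios) {
            $findings += "Scenario '$scenario' is not one of the documented names $($KnownScenarios -join ', '); review spelling and case."
        }
    }
    return $findings
}

# Constructed sample entries; the GUID is the example value printed in the guide.
$entries = @(
    @{ Name = '{25CBB996-92ED-457e-B28C-4774084BD562}'; Value = 'LOGON;UNLOCK;CHANGE' },
    @{ Name = '25CBB996-92ED-457e-B28C-4774084BD562';   Value = 'LOGON; UNLOCK' },
    @{ Name = '{25CBB996-92ED-457e-B28C-4774084BD562}'; Value = 'logon;UNLOCK' }
)
foreach ($e in $entries) {
    $f = Test-CrpFilterEntry -ValueName $e.Name -Value $e.Value
    if ($f.Count -eq 0) { "$($e.Name): OK" }
    else { "$($e.Name):"; $f | ForEach-Object { "  - $_" } }
}
```

The first sample passes, the second reports both the missing brackets and the space after the semicolon, and the third reports a lower-case scenario name for review.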
7.8 Web SSO Toolbar Does Not Appear
This issue will occur in one of the following situations.
Enterprise Single Sign-On Installed Before Installing a Browser
1. Reinstall the Internet Browser plug-in for your Internet browser. See Modify Enterprise Single Sign-On Components [page 17].
2. Make sure the computer is restarted to apply the changes.
When Snag-It Toolbar is Enabled
If Snag-It is installed in your system, the Web SSO Toolbar can disappear in Internet Explorer 8 when opening a new tab or another similar operation. If you encounter this issue, disable the Snag-It toolbar and restart Internet Explorer.
7.9 Group Policies Do Not Display Correctly
Use
After successfully adding E-SSO ADM entries to the Microsoft Group Policy Editor the content does not appear as described in Adding Group Policy Templates via Group Policy Editor [page 22].
Cause
The 'Filter' option is active.
Procedure
1. To display the policy settings in the Microsoft Group Policy Editor right-click the respective node in the left pane and de-select the option Filter on.
2. The navigation tree will close. Re-open the respective node to view the policy settings.