Enterprise SSO Install and Configure Guide

PUBLIC

Document Version: 1.2 – 10/2011


© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software

This SAP software also contains the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

1. domainname-parser (http://code.google.com/p/domainname-parser/)

Copyright (c)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

SAP AG
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com


Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning

The following icons are used in this document (the icon images are not reproduced here): Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.


Installation and Configuration Guide: Enterprise Single Sign-On


Contents

1 Introduction ... 6
1.1 About this Document ... 6
2 Planning ... 7
2.1 Hardware Requirements ... 7
2.2 Software Requirements ... 7
2.3 Smart Card Requirements ... 7
3 Preparation ... 8
3.1 Preparations Steps for Windows XP ... 8
3.2 Preparation Steps for Java Applications ... 8
3.3 Install Secure Login Client ... 9
3.4 Preparation Steps for Citrix Use ... 9
4 Installation, Update, and Removal ... 12
4.1 Manual Installation ... 12
4.2 Unattended Installation ... 15
4.3 Modify Enterprise Single Sign-On Components ... 17
4.4 Remove Enterprise Single Sign-On ... 18
4.5 Complete Removal Options ... 19
4.6 Update Enterprise Single Sign-On ... 20
5 Configuration ... 21
5.1 Card Reader Configuration ... 21
5.2 Adding Group Policy Templates via Group Policy Editor ... 22
5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options ... 24
5.4 Apply E-SSO Filter ... 27
5.5 Password Credential Options ... 29
5.6 Certificate Credential Options ... 31
5.7 Customize Tile Image Bitmaps ... 32
5.8 Logon Settings ... 33
5.9 Customizing Bitmaps for Smart Card ... 35
5.10 Customizing PIN Pane Image Bitmap ... 37
5.11 Local Management Console Options ... 38
5.12 SSO User Activity Trace and Log Filter ... 40
5.13 Web Setting ... 40
5.14 LMC Setting ... 41
5.15 Soft Token Settings ... 41
5.16 Terminal Emulator Host Configuration ... 43
5.17 Configuration of Smart Card Removal Behavior ... 44
6 Additional Information ... 45
6.1 Preparing Smart Cards for E-SSO ... 45
6.1.1 E-SSO Smart Card Preparation Tool ... 45
6.1.2 Preparing Smart Cards via Windows XP GINA ... 46
6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login ... 46
6.2 Distribute Applications, Blacklist and Policies to Users ... 47
6.3 Handling Certificates ... 49
6.3.1 Preparing the Microsoft Management Console for Certificates ... 49
6.3.2 Where to Get More Information ... 50
7 Troubleshooting ... 51
7.1 Preliminary Troubleshooting ... 51
7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On ... 51
7.3 Smart Card Troubleshooting ... 52
7.4 Multiple Smart Card Readers ... 52
7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing ... 52
7.6 Unable to Log In to the Network ... 52
7.7 CRP Filter Does Not Disable Specified CRPs ... 53
7.8 Web SSO Toolbar Does Not Appear ... 54
7.9 Group Policies do Not Display Correctly ... 54

1 Introduction

Enterprise Single Sign-On (E-SSO) helps end users log in to multiple systems or applications without the need to remember every password or logon dialog. After the end user is successfully authenticated to the Enterprise Single Sign-On application, further logon procedures to applications running under the system's control are carried out automatically.

Enterprise Single Sign-On supports the following methods of signing on to an application:

Windows logon (for smart card-based authentication only)

This method can either be certificate-based or can use a user ID/password combination stored on the smart card.

Certificate-based authentication (for smart card-based authentication only)

Certificate-based authentication is provided via the standard interfaces such as Microsoft Crypto-API or the GSS-API. The requirements of most applications can be fulfilled via these interfaces, such as Internet browsers, e-mail clients, VPN clients, and so on.

Windows logon and certificate-based authentication are not available for operation with a soft token.

Logon to Windows applications

This feature allows you to use Single Sign-On for password-protected Windows, .NET, terminal emulator, and Java applications.

Logon to Web sites (Web Single Sign-On)

This feature allows you to log in to password-protected Web sites using Single Sign-On. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and management of sites for Single Sign-On.

1.1 About this Document

Purpose

This document describes how to install, customize, and remove Enterprise Single Sign-On on Windows XP, Windows Vista, and Windows 7.

Integration

To use Enterprise Single Sign-On you will need to install the following components on each client computer prior to Enterprise Single Sign-On:

- .NET 3.0 or later (Windows XP only)
- Oracle Java JRE/JDK 1.6
- Oracle Java Access Bridge 2.0.2 for 32-bit and 64-bit systems
- SAP NetWeaver Single Sign-On - Secure Login Client 1.0 SP1

Constraints

This guide does not provide information about how to use Enterprise Single Sign-On. For such information please see the User Guide.

2 Planning

2.1 Hardware Requirements

The hardware requirements of the operating system must be met.

At least 25 MB of free hard disk space for Enterprise Single Sign-On. For information about the space required by the Secure Login Client see the Secure Login Installation, Configuration and Administration Guide. For other components please see the respective documentation.

If smart cards are to be used then a PC/SC-compliant smart card reader will be needed.

2.2 Software Requirements

- Windows XP Professional 32-bit SP3. The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. For more information, see Preparations Steps for Windows XP Users [page 8].
- Microsoft Windows Vista SP2 32-bit (Business, Enterprise, or Ultimate)
- Microsoft Windows 7 SP1 32-bit / 64-bit (Professional, Enterprise, or Ultimate)

2.3 Smart Card Requirements

Verify that a smart card reader is properly connected and recognized by the operating system.

It is possible to connect a smart card reader after you have installed Enterprise Single Sign-On. However, we recommend connecting a card reader before the product installation.

If you want to use Enterprise Single Sign-On with a third-party PKCS#11 library, you must first install the PKCS#11 library provided by the smart card vendor. To use third-party libraries, you will need a license from the library vendor.

Only smart cards and middleware certified by SAP are supported in Enterprise Single Sign-On.


3 Preparation

3.1 Preparations Steps for Windows XP

Use

For Windows XP users, the computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature. Normally, the configuration of Enterprise Single Sign-On clients is defined globally for an Active Directory domain or an organizational unit, and the workstations are members of this domain. This section details how to use the Group Policy Editor to add a domain/organizational unit to Enterprise Single Sign-On.

If you intend to use Enterprise Single Sign-On with Windows XP, the .NET Framework 3.0 needs to be installed.

Prerequisites

You must start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed.

Microsoft Windows XP Professional 32-bit SP3. The computer must be a member of a domain to allow the Enterprise Single Sign-On Login (GINA dialog) feature.

Procedure

1. On the server or workstation, create a domain/organizational unit. For more information, see the Microsoft documentation: http://technet.microsoft.com/en-us/library/cc785077(WS.10).aspx.

2. Download and install .NET Framework v.3.0 or above. To download and get more information, see the Microsoft Website: http://www.microsoft.com/downloads/en/default.aspx.

3.2 Preparation Steps for Java Applications

Use

Enterprise Single Sign-On uses Java technology to login to Java-based applications. A certain amount of manual configuration is needed to ensure correct operation.

Prerequisites

Close all running applications prior to installation.

Procedure

1. Download and install the latest Java Runtime Environment (JRE) or Java Development Kit (JDK) 1.6 for the target environment (32-bit or 64-bit). To download the JRE/JDK see the Java website: http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. Download Java Access Bridge 2.0.2 (for both 32-bit and 64-bit systems): http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136191.html

3. Manually configure the Java Access Bridge component. This will vary according to version:

For information about how to install Java Access Bridge 2.0.2 under 32-bit systems see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-32-bit


For information about how to install Java Access Bridge 2.0.2 under Windows 7 64-bit see: http://download.oracle.com/javase/accessbridge/2.0.2/setup.htm#installing-jab-64-bit

3.3 Install Secure Login Client

Use

The Secure Login Client installer will install base components and functions that are necessary for the correct operation of Enterprise Single Sign-On. The Secure Login Client can be downloaded from the SAP Marketplace (also as a part of the NetWeaver Single Sign-On package).

Prerequisites

Close all running applications prior to installation.

Procedure

Download and install the Secure Login Client package. For more information on installation, see the Secure Login Client Installation, Configuration and Administration Guide.

3.4 Preparation Steps for Citrix Use

Use

If you wish to use Enterprise Single Sign-On in a Citrix environment, you must prepare the server and client machines. This section details the specific steps for each component.

This version of Enterprise Single Sign-On only supports soft tokens under Citrix – smart cards are not supported.

Prerequisites

If you want to use Citrix, you must buy a license from Citrix Systems, Inc. (see www.citrix.com). Read the license agreement carefully. You are only allowed to install the library if you have paid the license fee.

Citrix Presentation Server 4.5 must be installed. For a detailed description on the installation and configuration of the Citrix Presentation Server, consult the relevant Citrix documentation (see www.citrix.com).

Citrix ICA Client software must be installed. For a detailed description on the installation and configuration of the Citrix ICA Client, consult the relevant Citrix documentation (see www.citrix.com).

Ensure that no smart card reader is connected to the server and the client before proceeding.

Prepare the Server Machine

1. Switch Citrix Presentation Server to install mode:

Turn on: change user /install

Turn off: change user /execute

2. Install .NET Framework 3.0. See Preparations Steps for Windows XP [page 8].

3. Install JRE. See Preparation Steps for Java Applications [page 8].


4. When installing the Secure Login Client, enable the Terminal Server Components (custom setup). For more information, see the Secure Login Client Installation, Configuration and Administration Guide.

5. When installing Enterprise Single Sign-On disable all smart card components (custom setup). See Installation, Update, and Removal [page 12].

6. Restart the computer to complete Enterprise Single Sign-On installation.

7. Configure the server desktop via the Citrix Access Management Console to ensure that the client can connect to the Citrix Presentation Server and access all Enterprise Single Sign-On features and components. For more information, consult the relevant Citrix documentation.

Prepare the Client Machine

8. In the Citrix Program Neighborhood main menu, select Tools > ICA Settings. The ICA Settings dialog will appear. Enable Pass-Through Authentication and Use local credentials to log on.


9. In the Citrix Program Neighborhood toolbar, click the Settings icon. The Settings dialog will appear. Enter information in the User name and Domain fields and click OK.


4 Installation, Update, and Removal

4.1 Manual Installation

Use

Manual installation of Enterprise Single Sign-On.

Prerequisites

Make sure that the following components have been installed before installing Enterprise Single Sign-On:

Windows XP only: Install Microsoft .NET Framework 3.0 or above. See Preparations Steps for Windows XP Users [page 8].

Install the latest Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].

Install Java Access Bridge. See Preparation Steps for Java Applications [page 8].

If you want to use a smart card install the third-party middleware. See Smart Card Requirements [page 7].

Install the Secure Login Client version that is released in the same NetWeaver Single Sign-On download package. For information about the installation, see the Secure Login Client Installation, Configuration and Administration Guide.

Procedure

1. Open the Enterprise Single Sign-On MSI package (double-click Enterprise Single Sign-On.msi, or Enterprise Single Sign-On_x64.msi).

2. The Welcome dialog will appear.

Click Next.


3. The Setup Type dialog will appear:

This dialog helps you choose between the following types of installation:

Typical – Select this if you want to install the most common Enterprise Single Sign-On components.

Custom – Select this if you want to manually select specific components for installation.

Click Next and proceed to the next step.

4. If you selected Custom in the previous step, on 64-bit systems, the following dialog will appear:

The Custom Setup dialog helps you modify Enterprise Single Sign-On components. You can select the following components for installation:

Smartcard support > Credential Provider: Install support for PKCS#11 providers.

Smartcard support > Checkpoint Support: Install support for the Checkpoint VPN client.

Internet browser plug-ins > Microsoft Internet Explorer Support: Install the Enterprise Single Sign-On plug-in for Internet Explorer 64-bit.

Internet browser plug-ins > Microsoft Internet Explorer Support for x86: Install the Enterprise Single Sign-On plug-in for Internet Explorer 32-bit.


Internet browser plug-ins > Mozilla Firefox Support for x86: Install the Enterprise Single Sign-On plug-in for Mozilla Firefox 32-bit.

5. The Authentication Method dialog will appear. Depending on your requirement, select Smart Card or Soft Token.

If you selected Smart Card Support components in the Custom Setup dialog and select Soft Token as authentication method in the Authentication Method dialog, the features of the Smart Card Support components will be deployed but deactivated. You can activate the Smart Card Support components by switching to Smart Card Mode via the Local Management Console. For more information on switching authentication methods, see the Enterprise Single Sign-On User Guide.

6. The Ready to Install the Program dialog will appear:

Click Install to start the installation (this can take a few minutes).

7. The completion dialog will appear. Click Finish.

8. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes.


9. The product is now installed using default values for most of the settings. For information about how to customize Enterprise Single Sign-On to your requirements, see Configuration [page 21].

4.2 Unattended Installation

Use

Unattended installation allows Enterprise Single Sign-On to be installed without the need for user interaction.

Prerequisites

Windows XP only: Install Microsoft .NET Framework 3.0. See Preparations Steps for Windows XP Users [page 8].

Install Java JRE/JDK 1.6. See Preparation Steps for Java Applications [page 8].

Install Java Access Bridge 2.0.1. See Preparation Steps for Java Applications [page 8].

Install third-party middleware. For list of supported middleware, see Smart Card Requirements [page 7].

Install Secure Login Client 1.0. For more information, see the Secure Login Client Installation, Configuration and Administration Guide.

Procedure

1. Open a Command window:

Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.

Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and click OK.

2. The Command window will appear. Navigate to the directory in which the installation package is located.

3. To install in quiet mode with no user interaction, use the following syntax with options:

msiexec /i "Enterprise Single Sign-On.msi" <PROPERTY> /qn

Enterprise Single Sign-On Installation Properties

Property: Description

GINA (Windows XP only): Install support for Windows XP Graphical Identification and Authentication (GINA).

CRP (Windows Vista and Windows 7 only): Install support for Windows Vista and Windows 7 Credential Provider (CRP).

CHECKPOINT: Install support for the Checkpoint VPN Client.

IE: Install support for Internet Explorer 64-bit.

IE_X86: Install support for Internet Explorer 32-bit on 32-bit and 64-bit systems.

FIREFOX: Install support for Firefox 32-bit.

FIREFOX_x86: Install support for Firefox 32-bit on 64-bit systems.

AUTH=Smartcard: Enable smart card as the primary authentication method. Note: This parameter is case-sensitive.

AUTH=Softtoken: Enable soft token as the primary authentication method. Note: This parameter is case-sensitive.

SCRIPT: Enable COM-based scripting to log in to legacy applications with credentials stored on smartcards.

Example Syntax for Unattended Installation

Operating System, Authentication Method: Syntax

Windows XP, Smart Card:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=GINA,CHECKPOINT,IE,FIREFOX AUTH=Smartcard

Windows XP, Soft Token:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=GINA,CHECKPOINT,IE,FIREFOX AUTH=Softtoken

Windows Vista / Windows 7 32-bit, Smart Card:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE_X86,FIREFOX AUTH=Smartcard

Windows Vista / Windows 7 32-bit, Soft Token:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE_X86,FIREFOX AUTH=Softtoken

Windows 7 64-bit, Smart Card:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE,IE_x86,FIREFOX AUTH=Smartcard

Windows 7 64-bit, Soft Token:
msiexec /i "Enterprise Single Sign-On.msi" ADDLOCAL=CRP,CHECKPOINT,IE,IE_x86,FIREFOX AUTH=Softtoken
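Added example (PowerShell, not from the SAP guide): a deployment wrapper that selects the ADDLOCAL feature list from the table above for the running operating system, verifies the package's Authenticode signature before handing it to msiexec, and runs the quiet install with a verbose log. The signature check, the REBOOT=ReallySuppress property, the /l*v log option and the exit-code handling are standard Windows Installer and PowerShell facilities assumed here, not settings from the guide; the guide also does not state that the MSI is signed.

```powershell
# Added example (not from the SAP guide): unattended Enterprise Single Sign-On
# installation wrapper around the msiexec syntax and property table above.
# Assumptions not stated in the guide: msiexec.exe is on the PATH, the vendor
# ships an Authenticode-signed MSI, and REBOOT=ReallySuppress (a standard
# Windows Installer property) is acceptable so that the deployment tool, not
# msiexec, schedules the restart the guide says is required.

function Get-EssoFeatureList {
    # Maps the running OS/architecture to the ADDLOCAL list from the guide's
    # "Example Syntax for Unattended Installation" table.
    $v = [Environment]::OSVersion.Version
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or
            ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')

    if ($v.Major -eq 5 -and $v.Minor -eq 1 -and -not $is64) {
        return 'GINA,CHECKPOINT,IE,FIREFOX'            # Windows XP 32-bit
    }
    if ($v.Major -eq 6 -and $v.Minor -le 1) {
        if (-not $is64) {
            return 'CRP,CHECKPOINT,IE_X86,FIREFOX'     # Vista / Windows 7 32-bit
        }
        if ($v.Minor -eq 1) {
            return 'CRP,CHECKPOINT,IE,IE_x86,FIREFOX'  # Windows 7 64-bit
        }
    }
    # Anything else (Vista 64-bit, XP 64-bit, newer Windows) is outside the
    # platforms listed in section 2.2, so refuse rather than guess a feature set.
    throw "Unsupported platform: Windows $v, 64-bit=$is64"
}

function Install-Esso {
    param(
        [string]$MsiPath = 'Enterprise Single Sign-On.msi',
        [ValidateSet('Smartcard', 'Softtoken')]
        [string]$Auth = 'Smartcard',
        [string]$LogPath = (Join-Path $env:TEMP 'esso-install.log'),
        [switch]$SkipSignatureCheck
    )

    # Section 7.2: installation requires administrator rights; fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }

    $MsiPath = (Resolve-Path -LiteralPath $MsiPath).Path

    # Supply-chain check: do not hand an unsigned or tampered package to msiexec.
    if (-not $SkipSignatureCheck) {
        $sig = Get-AuthenticodeSignature -FilePath $MsiPath
        if ($sig.Status -ne 'Valid') {
            throw "Refusing to install: signature status of '$MsiPath' is $($sig.Status)."
        }
        Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"
    }

    $features = Get-EssoFeatureList
    $msiArgs = @(
        '/i', "`"$MsiPath`"",
        "ADDLOCAL=$features",
        "AUTH=$Auth",             # case-sensitive, as the property table notes
        'REBOOT=ReallySuppress',  # standard Windows Installer property (assumption)
        '/qn',                    # quiet, no user interaction (from the guide)
        '/l*v', "`"$LogPath`""    # verbose log for troubleshooting
    )
    Write-Host "msiexec $($msiArgs -join ' ')"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs `
                          -Wait -PassThru -NoNewWindow

    # Standard Windows Installer exit codes: 0 = success,
    # 3010 = success but a restart is required to finish.
    switch ($proc.ExitCode) {
        0       { Write-Host 'Installed. Restart the computer to complete the installation.' }
        3010    { Write-Host 'Installed. A restart is pending; schedule it before first use.' }
        default { throw "msiexec returned $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Example invocation: smart card mode, MSI in the current directory.
Install-Esso -MsiPath '.\Enterprise Single Sign-On.msi' -Auth Smartcard
```

The verbose log named in the wrapper is the first thing to read when an unattended run fails, since /qn suppresses every dialog the manual procedure would otherwise show.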


4.3 Modify Enterprise Single Sign-On Components

Use

Display the Custom Setup dialog to modify Enterprise Single Sign-On components.

Prerequisites

You need administrator rights (role or group member) to be able to modify Enterprise Single Sign-On.

Procedure

1. Open the Enterprise Single Sign-On MSI package - double-click Enterprise Single Sign-On.msi.

2. The Welcome dialog will appear. Click Next.

3. The Program Maintenance dialog will appear. Select Modify and click Next.

4. The Custom Setup dialog will appear. Modify each of the components in the list by clicking an entry and selecting the appropriate action from the context menu and click Next. For more information on these components, see Manual Installation [page 21].

If you installed Firefox after installing Enterprise Single Sign-On, you will need to use the 'modify' feature to install the Firefox support component to enable the Web SSO toolbar in Firefox. See Web SSO Toolbar Does Not Appear [page 54].

5. The Ready to Modify the Program dialog will appear. Click Install to execute the changes.

6. After a while, the completion dialog will appear. Click Finish.

7. You will be prompted to restart your computer to complete Enterprise Single Sign-On installation. Select Yes. Enterprise Single Sign-On is now modified.


4.4 Remove Enterprise Single Sign-On

Use

Remove Enterprise Single Sign-On via the Control Panel or MSI package.

Prerequisites

You need administrator rights (role or group member) to remove Enterprise Single Sign-On.

Please close Microsoft Internet Explorer and Mozilla Firefox before removing Enterprise Single Sign-On. This will aid the removal of the Enterprise Single Sign-On browser plugin.

Remove Enterprise Single Sign-On via the Control Panel

1. Open the following Windows Control Panel:

Windows XP: Start > Settings > Control Panel > Add or Remove Programs

Windows Vista and Windows 7 (classic view): Windows logo > Control Panel > Programs and Features

2. Select Enterprise Single Sign-On from the programs list and click Uninstall. The removal process will start.

3. A dialog will appear asking you to confirm the removal. Click Yes. If the Windows Vista or Windows 7 User Account Control is active then a dialog will appear asking you to confirm the action. Click Allow to continue.

4. You will be prompted to reboot the computer. Click Yes to complete the removal.

This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well see Complete Removal Options [page 20].

Remove Enterprise Single Sign-On via the MSI Package

1. Open the Enterprise Single Sign-On MSI package: double-click Enterprise Single Sign-On.msi.

2. The Welcome dialog will appear. Click Next.

3. The Program Maintenance dialog will appear.

4. Select Remove and click Next.

5. The Remove the Program dialog will appear.

6. The completion dialog will appear. Click Finish to close the dialog and complete the procedure.

7. You will be prompted to restart your computer to complete Enterprise Single Sign-On removal.

This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well see Complete Removal Options [page 20].

Unattended Removal

1. Open a Command window:

Windows XP: Select Start > Run. Enter cmd in the Open field and click OK.

Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter cmd in the Search programs and files field and click OK.

2. The Command window will appear. Navigate to the directory in which the Enterprise Single Sign-On installation package (Enterprise Single Sign-On.msi) is located.

3. To start the removal, enter the following command: msiexec /x "Enterprise Single Sign-On.msi"

This process does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well see Complete Removal Options [page 20].

4.5 Complete Removal Options

Use

Removing Enterprise Single Sign-On via the MSI installer does not remove some user data and files, for example, soft tokens (this mechanism has been implemented to allow an administrator to remove an older version of the product and install a new version without having to re-initialize the application and re-capture credentials).

This section details how to remove user data after the main application has been removed (as detailed in the previous sections). This section does not detail how to remove Secure Login. Those details can be found in the SAP Secure Login Installation, Configuration and Administration Guide.

Prerequisites

Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18].

Procedure

1. Remove the remaining data and files from the installation directory:

Windows XP: Select Start > Run. Enter %AppData%\SAP in the Open field and click OK.

Windows Vista and Windows 7: Select Windows logo > Search programs and files. Enter %AppData%\SAP in the Search programs and files field and click OK.

2. Delete the signon directory.

3. To remove registry entries made by Enterprise Single Sign-On, open the Windows Registry Editor (regedit) and delete the following entries:

HKEY_LOCAL_MACHINE\SOFTWARE\SAP\signon

HKEY_CURRENT_USER\Software\SAP\signon
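The unattended removal from section 4.4 and the clean-up described in this section can be run as a single script. The following PowerShell is an added example and is not SAP's own tooling; the -PurgeUserData switch, the log file name and the placeholder MSI path are this example's assumptions, while the %AppData%\SAP\signon directory and the two registry keys are the ones listed above.

```powershell
# Added example (not SAP's own tooling): unattended removal of Enterprise
# Single Sign-On (section 4.4) followed by the optional clean-up of user data
# and registry entries (section 4.5).
# Assumptions not taken from the guide: the -PurgeUserData switch, the log
# file name and the placeholder MSI path are this example's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath,                                  # e.g. 'C:\pkg\Enterprise Single Sign-On.msi'
    [switch]$PurgeUserData,                            # also remove soft tokens and registry entries
    [string]$LogPath = (Join-Path $env:TEMP 'esso-remove.log')
)

# msiexec exit codes that count as success (1641 and 3010: success, reboot needed).
$successCodes = 0, 1641, 3010

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI package not found: $MsiPath"
}

# Step 3 of "Unattended Removal" is msiexec /x; /qn suppresses the UI,
# /norestart leaves the reboot to the operator, /L*v writes a verbose log.
$msiArgs = @('/x', "`"$MsiPath`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"")
if ($PSCmdlet.ShouldProcess($MsiPath, 'msiexec /x')) {
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($successCodes -notcontains $proc.ExitCode) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
    }
    Write-Host "Removal finished with exit code $($proc.ExitCode) (non-zero means a reboot is still required)."
}

# Section 4.5: the MSI deliberately leaves soft tokens (captured credentials)
# and registry entries behind so that an upgrade can reuse them. When the
# workstation is decommissioned or handed over, remove them as well.
if ($PurgeUserData) {
    $leftovers = @(
        (Join-Path $env:APPDATA 'SAP\signon'),          # %AppData%\SAP\signon
        'HKLM:\SOFTWARE\SAP\signon',
        'HKCU:\Software\SAP\signon'
    )
    foreach ($item in $leftovers) {
        if (-not (Test-Path -LiteralPath $item)) {
            Write-Verbose "Not present: $item"
            continue
        }
        if ($PSCmdlet.ShouldProcess($item, 'Remove')) {
            Remove-Item -LiteralPath $item -Recurse -Force
        }
    }
}
```

Run the script from an elevated prompt, first with -WhatIf to see what would be removed. Note that %AppData%\SAP\signon and the HKEY_CURRENT_USER key are per-user: the purge covers only the profile the script runs under, so on a shared or decommissioned workstation repeat it for every profile that used Enterprise Single Sign-On. The soft token is a credential store, which is why removing it matters once the machine leaves the user's control.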

4.6 Update Enterprise Single Sign-On

Use

Update Enterprise Single Sign-On to the latest version. For E-SSO 1.0.0 it is also necessary to update the Java Access Bridge and Secure Login Client to newer versions.

Prerequisites

You need administrator rights (role or group member) to perform the update procedure.

Procedure

1. Update the Secure Login Client. For information, see the Secure Login Configuration and Installation Guide.

2. Remove Enterprise Single Sign-On. See Remove Enterprise Single Sign-On [page 18]. It is not necessary to restart the computer.

This does not remove user data or registry entries made by Enterprise Single Sign-On. If you want to remove these as well see Complete Removal Options [page 20].

3. If upgrading from E-SSO 1.0.0, remove Java Access Bridge 2.0.1.

4. Restart the computer.

5. If upgrading from E-SSO 1.0.0, install Java Access Bridge 2.0.2. See Preparation Steps for Java Applications [page 8].

6. Install Enterprise Single Sign-On 1.x. See Preparation Steps for Java Applications [page 12].

If you intend to re-use the existing credential store (soft token or smart card) make sure you re-install the correct authentication method – this can also be changed after installation via the Local Management Console.


5 Configuration

Some of the steps in this chapter involve modifying the Windows registry. Incorrectly modifying the registry can cause serious problems that may require the reinstallation of the operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Although the modification process has been made as foolproof as possible (semi-automated via group policies), there may still be unforeseen conflicts; most of them are outside the scope of this product. Manual modification of the registry is not considered part of this product and may be attempted at your own risk.

5.1 Card Reader Configuration

Use

If you have more than one smart card reader connected to the client computer and you intend to use one of them with Enterprise Single Sign-On, you must use the Enterprise Single Sign-On Card Configuration Tool to define the card reader intended for use with Enterprise Single Sign-On. You can configure the card reader any time after installing Enterprise Single Sign-On.

Procedure

1. Start the Enterprise Single Sign-On Card Configuration Tool as follows:

Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool

Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-SSO Card Configuration Tool

2. The Enterprise Single Sign-On Card Configuration Tool dialog will appear:

The active card reader configuration is listed in the upper field Current Configuration.

Click Refresh to update the list of currently connected smart card readers in the Available PC/SC smart card readers combo-box.

Enable Favour readers with inserted smart card if you want to automatically display only those readers that currently have a smart card inserted in them (click Refresh first!).

Click Reset in the lower left corner to erase the active settings.

3. Select the card reader you want from the Available PC/SC smart card readers combo-box and click OK. The E-SSO Card Configuration Tool dialog will close.

4. To complete card reader configuration:

Windows XP: Restart your system.

Windows Vista and Windows 7: Log off and log back in to the system.


5.2 Adding Group Policy Templates via Group Policy Editor

Use

Add Enterprise Single Sign-On templates to the Group Policy Editor for the purpose of E-SSO configuration.

Local configuration: If you are not a member of a domain, you can also define the settings locally using the Microsoft Group Policy Editor.

As a member of a domain: You can run the Microsoft Group Policy Editor if your workstation is a member of a domain.

Prerequisites

If you are running the Microsoft Group Policy Editor as a member of a domain, your workstation must be connected to the domain for the settings to take effect. If your workstation is offline, the settings will not be applied to the registry. For a detailed description, consult the relevant Microsoft documentation.

Procedure

1. To start the Microsoft Group Policy Editor:

Windows Vista / Windows 7: click Start, enter gpedit.msc in the Search programs and files field and press Return.

Windows XP: click Start > Run, enter gpedit.msc in the Open field and click OK.

2. The Group Policy Editor window will appear.

3. Open the Computer Configuration node, right-click the Administrative Templates node and select Add/Remove Templates from the context menu.

4. The Add/Remove Templates dialog will appear.


5. Click Add.

6. The Policy Templates dialog is shown. Locate the following directory in the Enterprise Single Sign-On delivery package: Extras\adm\en:

For Windows XP: Use the Ctrl key to select the files csp_xp.adm, gina_xp.adm, and signon.adm. Click Open.

For Windows Vista and Windows 7: Use the Ctrl key to select the files crp.adm and signon.adm. Click Open.

7. The Add/Remove Templates dialog will reappear; click Close.

8. The templates are now imported to the Group Policy Editor. Click Administrative Templates > SAP AG to view the Enterprise Single Sign-On configuration options.

9. You are now ready to configure Enterprise Single Sign-On. The following sections detail each of the configuration options.


5.3 Windows Vista and Windows 7 Credential Provider (CRP) Common Options

Use

Configure the parameters related to the behavior of the CRP. These parameters apply only to smart card-based authentication – they cannot be used for soft token authentication.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options

Parameters

Parameter: Allow logon certificate expiration check

This parameter allows the certificate on the smart card to be checked for validity; the logon process continues only if the certificate is valid.

Enabled: The certificate validity check is performed after the user clicks the OK button in the Windows logon PIN dialog. The certificate is valid if the system date and time is within the validity range of the authentication certificate. If the certificate is invalid, an error message is displayed.

Disabled: The certificate validity check is deactivated for both the Windows logon and the screen unlock.

Parameter: Allow logon certificate expiration warning

The parameter sets an integer value that indicates the number of days before a certificate expires. A maximum of 60 days is possible. The warning appears as a text message in the Windows logon user interface.

Parameter: Allow logon certificate update

Enabled: The CRP checks for new certificates during logon and screen unlock.

Disabled: No CRP check is performed.

Parameter: Allow logon help wizard

Enabled: The Logon Help link is visible in the selected CRP. It supports the functions that allow the user to change the PIN and unblock the token.

Disabled: The Logon Help link is not displayed in the selected CRP.

Parameter: Allow unlock certificate expiration check

This parameter allows the certificate validity check on Windows unlock. The setting can only be enabled if the parameter Allow logon certificate expiration check is also enabled.

When the parameter is enabled, the certificate is checked using the same rules as for Windows logon.

Parameter: Default key container label

This parameter defines, via its label, the certificate to be used for certificate-based Windows logon.

Enter the PKCS#11 label of the certificate you want to use. It can be either User Certificate or Signing Certificate.

Parameter: Enable SAP Certificate Based Logon

This parameter enables logon to Windows using the credentials contained within the certificate; the user need only authenticate via a PIN.

Enabled: The E-SSO certificate-based logon is not filtered.

Disabled: The E-SSO certificate-based logon is filtered.

Parameter: Enable SAP Password Based Logon

This parameter enables logon to Windows using the username and password of the user stored on the smart card.

Enabled: The E-SSO password-based logon is not filtered.

Disabled: The E-SSO password-based logon is filtered.

Parameter: Filter

This parameter allows you to disable any registered Credential Provider (CRP) used for the Windows logon. Basic description (for a full description see Apply E-SSO Filter [page 27]):

Double-click the Filter entry to open the Filter Properties dialog.

Enable the parameter and click Show... to display the Show Contents dialog.

Click Add to display the Add Item dialog for filter entries.

The Enter the name of the item to be added field should contain the GUID enclosed in '{ }' (braces). For example: {<25CBB996-92ED-457e-B28C-4774084BD562>}

The Enter the value of the item to be added field should contain the scenarios to which the E-SSO filter is applied, separated by ';' (semicolon), with no spaces between each scenario. For example: <LOGON;UNLOCK;CHANGE;CREDUI>.

The scenarios to which the E-SSO filter can be applied are as follows:

LOGON (restarting computer, switching user, logging off computer)

UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)

CHANGE (pressing Ctrl-Alt-Delete then selecting 'Change Password'; forced password change)

PLAP (Pre-Logon-Access Provider screen)

CREDUI (for authentication on remote machines, prompting in User Account Control)

If you leave an empty string, the default filter values are applied to all 5 scenarios.

Parameter: Prevent smart card lock on workstation lock

If this parameter is enabled, it prevents the smart card from being locked when the workstation is locked. This parameter can be used, for example, by PMF scripts for underlying applications that still require smart card access.

By default, this parameter is disabled and the smart card is always locked.


5.4 Apply E-SSO Filter

Use

The E-SSO Filter has been provided to disable any registered CRP for logon under Microsoft Windows Vista/7. The E-SSO Filter can be administered from a central location via Group Policy Objects. This parameter allows you, for example, to filter out (hide) all CRPs so that the only one left can be used for Windows logon via smart card / Enterprise Single Sign-On. To remove a CRP from the Windows logon, the administrator has to enable the E-SSO filter policy in the Group Policy Object Editor. The Filter parameter applies only to smart card-based authentication; it cannot be used for soft token authentication!

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Procedures

1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > CRP Common Options.

2. Double-click Filter.

3. The Filter dialog will appear. Select Enabled and click Show (in the Options panel).

4. The Show Contents dialog will appear.


The Value name field is for the GUID of the CRP that you want to filter out - and therefore will not be available to the user. The GUID must be obtained via the Registry Editor and is detailed in the next steps.

The Value field is for the scenarios to which E-SSO filter will be applied.

5. Open the Windows Registry Editor. Click Start and enter regedit into the Search programs and files field.

6. Open the folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.

7. You should now see a list of folders, each with a number/letter combination. This combination is also known as the GUID. Each of them represents a CRP registered with Windows. Click each one to display its values in the right panel and thereby identify the purpose of the CRP.

8. Copy and paste the number/letter combination of the folder (the GUID), including the braces! For example: {25CBB996-92ED-457e-B28C-4774084BD562}. To copy the folder/GUID name:

Right-click the folder and select Rename from the context menu. The folder name will be highlighted and ready to be changed.

Press Ctrl-C to copy the name. DO NOT change it!

Abort the Rename function by clicking elsewhere in the Registry Editor window.

A list of default GUIDs in Windows Vista and Windows 7 can be found at the end of this section. See Default GUIDs [page 29].

9. Go back to the Show Contents dialog. Paste the folder/GUID name into the Value name field.

10. In the Value field, enter the names of the scenarios to which the CRP filter will be applied. The scenarios must be separated by ';' (semicolon), with no spaces between each one. For example: <LOGON;UNLOCK;CHANGE>. The scenarios to which the Enterprise Single Sign-On filter can be applied are as follows:

LOGON (restarting computer, switching user, logging off computer)

UNLOCK (pressing Ctrl-Alt-Delete to unlock a locked workstation)

CHANGE (pressing Ctrl-Alt-Delete then selecting 'Change Password'; forced password change)

PLAP (Pre-Logon-Access Provider screen)

CREDUI (for authentication on remote machines, prompting in User Account Control)

If you leave an empty string, the filter will be applied for all 5 scenarios.

11. Click OK to close the Add Item dialog. The GUID of the CRP has now been added to the CRP filter.

12. Repeat the steps to add other providers to the CRP list.

13. To delete CRPs:

Windows Vista / 7: highlight an entry and press the Del (delete) key.

Default GUIDs

Credential Provider Description

Generic Provider {25CBB996-92ED-457e-B28C-4774084BD562}

Network Provider (NPProvider) {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}

Password Provider {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}

Smartcard Credential Provider {8bf9a910-a8ff-457f-999f-a5ca10b4a885}

Additional third-party CRPs can be found in the following registry hive: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
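Steps 5 to 8 identify a CRP's GUID by browsing the registry by hand. As an added example that is not part of the guide, the following PowerShell enumerates the registered credential providers from the same key and checks a proposed Filter entry against the rules given for the Filter parameter in section 5.3 and in the procedure above (a braced hexadecimal GUID; scenarios from the fixed set, separated by semicolons with no spaces, or an empty string) before it is typed into the Show Contents dialog. The function names are this example's own; the sample filter uses two GUIDs from the Default GUIDs table.

```powershell
# Added example, not part of the SAP guide: enumerate the credential providers
# registered with Windows and validate a proposed Filter entry before it is
# typed into the Group Policy Show Contents dialog. Function names are this
# example's own; the registry key and the scenario names are from the guide.

$CrpRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$Scenarios = 'LOGON', 'UNLOCK', 'CHANGE', 'PLAP', 'CREDUI'

# Step 7 of the procedure, without the Rename trick: each subkey name is the
# CRP's GUID and the subkey's default value is the provider's name.
function Get-RegisteredCredentialProvider {
    Get-ChildItem -Path $CrpRoot | ForEach-Object {
        [pscustomobject]@{
            Guid = $_.PSChildName      # e.g. {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
            Name = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

# Value name field: a GUID in braces. GUIDs are hexadecimal, so an entry
# containing any other character cannot match a registered provider.
function Test-CrpGuid([string]$Guid) {
    return $Guid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

# Value field: scenarios separated by ';' with no spaces, or the empty string
# (which the guide says applies the filter to all 5 scenarios).
function Test-CrpFilterValue([string]$Value) {
    if ($Value -eq '') { return $true }
    if ($Value -match '\s') { return $false }
    foreach ($s in $Value.Split(';')) {
        if ($Scenarios -cnotcontains $s) { return $false }
    }
    return $true
}

# Report which registered providers a proposed filter would hide, and in
# which scenarios; malformed entries are flagged instead of applied.
function Show-CrpFilterPlan([hashtable]$Filter) {
    $registered = @(Get-RegisteredCredentialProvider)
    foreach ($entry in $Filter.GetEnumerator()) {
        if (-not (Test-CrpGuid $entry.Key)) {
            Write-Warning "Malformed GUID: $($entry.Key)"; continue
        }
        if (-not (Test-CrpFilterValue $entry.Value)) {
            Write-Warning "Malformed scenario list for $($entry.Key): '$($entry.Value)'"; continue
        }
        $match = $registered | Where-Object { $_.Guid -ieq $entry.Key }
        $name  = if ($match) { $match.Name } else { '<not registered on this machine>' }
        $scen  = if ($entry.Value -eq '') { 'all 5 scenarios' } else { $entry.Value }
        '{0} {1,-40} filtered in: {2}' -f $entry.Key, $name, $scen
    }
}

# Constructed sample: hide the Generic and Password providers (GUIDs from the
# Default GUIDs table above) so that only the smart card path remains.
$proposed = @{
    '{25CBB996-92ED-457e-B28C-4774084BD562}' = 'LOGON;UNLOCK;CHANGE'
    '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' = ''
}
Show-CrpFilterPlan -Filter $proposed
```

Checking the entry before applying it is worthwhile because a GUID with a typo matches no registered provider and the intended CRP stays visible at logon. The enumeration also lists any third-party CRP registered on the machine that you did not expect, which is worth a look before deciding what the filter should hide.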

5.5 Password Credential Options

Use

Configure the parameters related to the appearance of the Enterprise Single Sign-On Logon dialog for the password provider. These parameters apply only to smart card-based authentication – they cannot be used for soft token authentication.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].


Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options

Parameters

Parameter: Allow auto password generation

This parameter supports the automatic generation of a Windows logon password if a password change is requested.

By default, this parameter is disabled. When the parameter is disabled, the CRP performs a normal interactive password change.

Parameter: Allow view UPN certificate

This parameter allows you to enable or disable certificate user name presentation. This parameter is only used by the password-based CRP that has an additional certificate stored on the smart card. The CRP for certificate-based logon presents the certificate subject as soon as the smart card is inserted.

If this parameter is disabled, a default text is used.

With this parameter enabled, the "User Principal Name" attribute of the public authentication certificate on the smart card is read out by the CRP and presented to the user as text. The parameter should show the name of the user, for example, <John.Doe@domain> without the domain name. If no name could be extracted, the policy is treated as disabled.

By default, this parameter is disabled in the CRP.

Parameter: Prevent password expire message

In case the Windows password is about to expire, a message is displayed where the user can choose whether to change the password now. If the user rejects, a normal logon is performed. If the user accepts the message by clicking the OK button, a password change is performed.

If this parameter is activated (and the automatic password change policy is activated), the message is not shown and the password is changed immediately without user interaction.

By default the parameter is deactivated and the message is always shown.

Parameter: Set custom tile image for password credential

The custom image bitmap (256x256 pixels) is normally installed and configured when installing the product. Custom bitmaps must be deployed with the correct size before the installation.

The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory).

See Customize Tile Image Bitmaps [page 32] for more information about customizing tile image bitmaps.


5.6 Certificate Credential Options

Use

Configure the parameters related to the appearance of the Enterprise Single Sign-On Logon dialog for the certificate provider. This parameter applies only to smart card-based authentication – it cannot be used for soft token authentication.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Certificate Credential Options

Parameters

Parameter: Set custom tile image for certificate credential

The custom image bitmap (256x256 pixels) is normally installed and configured when installing the product.

Custom bitmaps must be deployed with the correct size before the installation.

The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps, and not in the %Program Files% directory).

See Customize Tile Image Bitmaps [page 32].


5.7 Customize Tile Image Bitmaps

Use

Customize tile image bitmaps for a password or certificate credential. This parameter applies only to smart card-based authentication – it cannot be used for soft token authentication.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Procedures

1. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Password Credential Options or Certificate Credential Options.

2. Double-click Set custom tile image for password (or certificate) credential.

3. The Set custom tile image for password (or certificate) credential Properties dialog will appear.

4. Select Enabled.

5. Enter the location of the bitmap into the field. The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location (for example: C:\logonbitmaps\CRP_tile_logo.bmp, and not in the %Program Files% directory).

6. Click Apply to save the changes and click OK to close the window.


5.8 Logon Settings

Use

Configure the parameters related to Windows XP logon. The parameters in this section apply only to smart card-based authentication; they cannot be used for soft token authentication.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings

Parameters

Parameter: Background refresh for fast screen unlock

Enter either of the following values for Background refresh enabled/disabled:

0: Background refresh disabled

1: Background refresh enabled

If this parameter is enabled, the parameter Timeout for fast screen unlock is ignored.

Parameter: Custom Bitmaps

The smart card image bitmap is normally installed and configured during product installation. Use this parameter to define a custom smart card image:

Enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (160 wide x 100 high, in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\SC.bmp

See Customizing Bitmaps for Smart Card [page 35].

Parameter: Default Domain

This parameter defines the default domain to use for the Windows logon if more than one Windows domain exists.

Parameter: Display Options

You can specify the display options of the E-SSO Logon dialog:

Disable GINA dialog elements: You can disable either or both of the Dialup Checkbox and the Domain Selection.

Select Show Enter PIN Options to display all PIN options on the E-SSO Logon dialog.

To show the PIN option that was used during the previous login, select Show Enter PIN Options persistent.

Enable Check 'Logon with certificate' persistent to limit the Windows logon options to certificate-based logon only.

Note: This parameter is only applicable if the parameter Enable certificate-based logon is enabled.

Parameter: Enable certificate-based logon

This parameter enables certificate-based logon.

Parameter: Enable 'Generate new password' for new entry

If this parameter is enabled, new passwords are automatically generated for new entries on logon. Passwords are automatically changed if the domain requires changing the logon password.

Parameter: Enable password-based logon

This parameter enables password-based logon.

Parameter: Generated password length

This parameter specifies the default password length. Another policy that sets the minimum password length may exist. To ensure that this parameter does not conflict with other policies, make sure that the default password length is greater than or equal to the minimum password length set by other policy settings.

You can check the policies in the following registry settings:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]

Value Name: MinPwdLen

Data Type: REG_BINARY (Binary Value)

Parameter: Lock token if workstation is locked

When enabled, this parameter closes the token if the workstation is locked and the token remains in the reader.

Attention: A locked token is more secure but can cause conflicts (for example, if an application needs to access the token while the workstation is locked).

Parameter: Logging location

If logging is enabled, this parameter specifies the location of the log. The default log file is C:\temp\login.log.

Parameter: Logon password not stored

If this parameter is enabled, the Windows logon password is not stored on the smart card. The user is asked for the Windows logon password on every logon.

Parameter: Message box caption

Specify a message box caption. This parameter is enabled by default.

Parameter: PIN pane image

Instead of a white background image, you can specify a new image for the Enterprise Single Sign-On logon and unlock dialogs.

Enable the parameter and enter the absolute path, filename and extension into the field. The image must be available in the correct size (455 wide x 70 high, in pixels) and format (*.bmp). The bitmap cannot be located on a network drive and must be stored in a user- and language-independent location. For example: C:\CustomBitmaps\PINpane.bmp

See Customizing PIN Pane Image Bitmap [page 35].

Parameter: Prevent logon without smart card

If this parameter is enabled, you can only log in using a smart card.

If this parameter is disabled, you can log in by pressing CTRL-ALT-DEL and entering a user ID and password.

NOTE: If this parameter is enabled, logging in to the system with a defective card reader or an absent smart card is not possible.

This parameter is set after the first successful smart card logon.

Parameter: ShowPwdExpiresMsg

In case the Windows password is about to expire, a message is displayed prompting the user to change the password now or later.

If this parameter is disabled and automatic password change is activated, the message is not shown and the password is changed without user interaction.

Parameter: Timeout for fast screen unlock

This parameter defines the period of time (in minutes) for the fast screen unlock.

If the value is 0, fast screen unlock is inactive and the system performs full authentication.

If the last screen unlock or login is less than the time window set, a fast screen unlock is carried out.

If the last screen unlock is greater than the time window set, a full screen unlock including refresh of the Kerberos tickets is performed.

Parameter: Use certificate-based logon by default

This parameter defines the default logon option if both the certificate-based logon and password-based logon are enabled.

Parameter: Validate logon certificate expiration

If this parameter is enabled, the expiry date of the logon certificate is checked during logon. Optionally, the certificate expiry date can be checked during unlock. The user is not allowed to log on if the certificate has expired.

Note: No CRL checking is performed!

This feature can delay the logon procedure for password logon.

Parameter: Warn for logon certificate expiration

If this parameter is enabled, the expiry date of the logon certificate is checked during logon and unlock. A warning message is displayed if the certificate will expire within a defined number of days.
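The Generated password length parameter above asks you to compare the configured length with any MinPwdLen policy already in place. As an added example that is not from the guide, the following PowerShell reads MinPwdLen from the two registry locations named there, decodes the REG_BINARY value and checks it against the length you intend to configure. The function names and the -GeneratedLength parameter are this example's own.

```powershell
# Added example, not from the guide: compare the Generated password length you
# intend to configure with the MinPwdLen policy (REG_BINARY) at the two
# registry locations the guide names. Function names and -GeneratedLength are
# this example's own.

$PolicyKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'
)

# MinPwdLen is REG_BINARY: read the bytes as a little-endian unsigned integer
# (normally a single byte, but any length is handled).
function ConvertFrom-MinPwdLenBytes([byte[]]$Bytes) {
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return $null }
    [uint64]$n = 0
    for ($i = $Bytes.Length - 1; $i -ge 0; $i--) {
        $n = ($n -shl 8) -bor [uint64]$Bytes[$i]
    }
    return $n
}

# Returns the strictest (largest) MinPwdLen set in either hive, or $null.
function Get-EffectiveMinPwdLen {
    $found = foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key -Name MinPwdLen -ErrorAction SilentlyContinue
        if ($null -ne $item) { ConvertFrom-MinPwdLenBytes ([byte[]]$item.MinPwdLen) }
    }
    if ($null -ne $found) { return [uint64]($found | Measure-Object -Maximum).Maximum }
    return $null
}

# The guide's rule: the generated length must be >= every configured minimum.
function Test-GeneratedPasswordLength([int]$GeneratedLength) {
    $min = Get-EffectiveMinPwdLen
    if ($null -eq $min) {
        Write-Host "No MinPwdLen policy found; a generated length of $GeneratedLength is not constrained by these keys."
        return $true
    }
    $ok = $GeneratedLength -ge $min
    $verdict = if ($ok) { 'OK' } else { 'TOO SHORT' }
    Write-Host ("Generated length {0} vs. MinPwdLen {1}: {2}" -f $GeneratedLength, $min, $verdict)
    return $ok
}

Test-GeneratedPasswordLength -GeneratedLength 16
```

Domain or local account policy (the minimum password length reported by net accounts) applies independently of these registry values, so a generated password also has to satisfy that minimum; the check above covers only the two keys the guide points to.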

5.9 Customizing Bitmaps for Smart Card

Use

Customize the image used to represent the smart card image in the Unlock Computer (PIN pane) dialog.


Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Procedures

1. Create a new image that must adhere to the following:

The image should be in BMP format.

The image size should be 160x100 pixels.

2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.

3. Double-click Custom Bitmaps.

4. The Custom Bitmaps Properties dialog will appear:

5. Enable the setting. The Enter <path>\<filename> field will be enabled.

6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\smartcard.bmp>.

7. Click Apply to save the changes, and click OK to close the window.


5.10 Customizing PIN Pane Image Bitmap

Use

Customize the image used as a banner in the Unlock Computer (PIN pane) dialog.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Procedures

1. Create a new image that must adhere to the following:

The image should be in BMP format.

The image size should be 455x70 pixels.

2. In the Group Policy Object Editor, open Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Logon Settings.

3. Double-click PIN pane image.

4. The Custom Bitmaps Properties dialog will appear:


5. Enable the setting. The Enter <path>\<filename> fields will be enabled.

6. Enter the location of a language-related PIN Pane Image bitmap. The image cannot be located on a network drive and must be stored in a user- and language-independent location. For example, <%Programfiles%\PINpane.bmp>.

7. Click Apply to save the changes, and click OK to close the window.
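Sections 5.5 to 5.10 repeat the same constraints for every custom bitmap: BMP format, a fixed size per use (256x256 for tile images, 160x100 for the smart card image, 455x70 for the PIN pane image), stored on a local drive outside the %Program Files% directory in a user- and language-independent location. As an added example that is not SAP's tooling, the following PowerShell checks a file against those rules by reading the BMP header, so a wrong image is caught before the policy is deployed. The function name is this example's own; the sizes and the sample paths are taken from the guide.

```powershell
# Added example (not SAP's tooling): check a custom bitmap against the rules
# the guide repeats for tile images, the smart card image and the PIN pane
# image. Sizes and sample paths are the guide's; the function is this
# example's own.

# Required width x height per use, as stated in the guide.
$BitmapSpecs = @{
    Tile      = @{ Width = 256; Height = 256 }   # password / certificate tile image
    SmartCard = @{ Width = 160; Height = 100 }   # Custom Bitmaps (Logon Settings)
    PinPane   = @{ Width = 455; Height = 70  }   # PIN pane image
}

function Test-EssoBitmap {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][ValidateSet('Tile', 'SmartCard', 'PinPane')][string]$Use
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Location rules: absolute, not a network location, not under Program Files.
    $root = [System.IO.Path]::GetPathRoot($Path)
    if ([string]::IsNullOrEmpty($root)) {
        $problems.Add('path is not absolute')
    } elseif ($Path.StartsWith('\\')) {
        $problems.Add('UNC path (network location)')
    } elseif ((New-Object System.IO.DriveInfo($root)).DriveType -eq 'Network') {
        $problems.Add('mapped network drive')
    }
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($pf -and $Path.StartsWith($pf, [StringComparison]::OrdinalIgnoreCase)) {
            $problems.Add("located under $pf")
        }
    }
    if ([System.IO.Path]::GetExtension($Path) -ne '.bmp') { $problems.Add('extension is not .bmp') }

    if (-not (Test-Path -LiteralPath $Path)) {
        $problems.Add('file not found')
    } else {
        # BMP header: 'BM' magic, then DIB width (int32 LE at offset 18) and
        # height (int32 LE at offset 22; a negative height means top-down rows).
        $b = [System.IO.File]::ReadAllBytes($Path)
        if ($b.Length -lt 26 -or $b[0] -ne 0x42 -or $b[1] -ne 0x4D) {
            $problems.Add('not a BMP file')
        } else {
            $w = [BitConverter]::ToInt32($b, 18)
            $h = [Math]::Abs([BitConverter]::ToInt32($b, 22))
            $spec = $BitmapSpecs[$Use]
            if ($w -ne $spec.Width -or $h -ne $spec.Height) {
                $problems.Add("size is ${w}x${h}, expected $($spec.Width)x$($spec.Height)")
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Use      = $Use
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Sample input: the example paths given in the guide for each image type.
Test-EssoBitmap -Path 'C:\logonbitmaps\CRP_tile_logo.bmp' -Use Tile
Test-EssoBitmap -Path 'C:\CustomBitmaps\SC.bmp'           -Use SmartCard
Test-EssoBitmap -Path 'C:\CustomBitmaps\PINpane.bmp'      -Use PinPane
```

Run the check on the deployment share before the policy is rolled out; each result row lists every rule the file breaks, so a bitmap that is both the wrong size and in the wrong place is reported once with both problems.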

5.11 Local Management Console Options

Use

Configure options related to the Local Management Console.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22].

Location

Windows XP: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options

Windows Vista and Windows 7: Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Local Management Console Options

Parameters

Parameter Description

Backup Expiry Time

This parameter defines the number of days a deleted entry remains flagged as "deleted" until it is erased.

To ensure correct synchronization, deleted entries are first flagged as deleted before they are finally removed from the password file.

If you disable this parameter or do not configure it, the default value of 90 days will be applied.

Backup History Path

This parameter defines the full path to the folder in which the backup history files will be stored.

Note: Every Enterprise Single Sign-On user will need read/write permission to the folder specified by this parameter.

Backup History Size

This parameter applies to smart card-based authentication only.

For every change made (for example, change, create or delete), a backup of the password file stored on the card will be created. This parameter defines the maximum number of backup files per user.

Note: Every Enterprise Single Sign-On user will need read/write permission to the folder specified by this parameter.

Disable Drag and Drop Credentials Submenu

If this parameter is enabled, a user will be unable to open the Drag and Drop Credentials dialog from the SSO Tray Utility menu.

For more information about the Drag and Drop Credentials feature, see the Enterprise Single Sign-On User Guide.

Disable Feature of SSO Learning Wizard

If this parameter is enabled, the SSO Learning Wizard features (automatically detect and register new applications) will be inactive.

For more information about the Register a New Application feature, see the Enterprise Single Sign-On User Guide.

Disable Features of SSO Monitor

If this parameter is enabled, the features of SSO Monitor (automatically register a new application and automatic login to applications) will be inactive.

For more information about the Register a New Application and Automatic Login features, see the Enterprise Single Sign-On User Guide.

Drag & Drop Characters Send Speed

This parameter allows you to specify the speed with which characters are sent to the destination window during a drag & drop operation. The send speed refers to the latency between the sending of characters.

The send speed is defined in milliseconds. By default, the send speed is 40 milliseconds. However, some applications such as Terminal Service clients on slow connections need a lower send speed to guarantee that all characters reach the destination window.

The drag & drop operation sends KEYDOWN, then delays for half of the latency time until KEYUP is sent. It then delays for the other half of the latency time until the next character's KEYDOWN is sent.

Drag & Drop Characters Erase Input Fields

If this parameter is enabled, the content of a destination field is erased before the drag & drop content is dropped into the field.

Hide LMC Dialog

If this parameter is enabled, the Local Management Console submenu will not be displayed in the context menu available via the system tray icon.

Hide SSO Tray Icon

If this parameter is enabled, the E-SSO icon in the system tray will be hidden.

Local Backup Path

This parameter defines the full path to the folder in which the backup files will be stored.

Note: The destination folder must be accessible while the user is not logged in.

Show credentials dialog

If this parameter is enabled, a dialog containing the list of credentials linked to the application will be shown. From this dialog, the user can select the credential to log in with.

SSO Monitor trace and log

If this parameter is enabled, trace messages from the E-SSO Monitor component will be logged. This setting is useful for debugging purposes.

SSO User Activity Trace and Log

If this parameter is enabled, E-SSO will trace and log the activities performed by the user.
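The two-stage deletion described for Backup Expiry Time (flag first, erase after the expiry period, 90 days by default) can be modelled in a few lines. The Python below is an added illustration, not SAP code: the entry structure, the merge rule in sync_from (a deletion flag wins over a live copy of the same entry) and the constructed dates are assumptions made for the example; only the flag-then-erase behaviour and the 90-day default come from the parameter description above.

```python
"""Model of the Backup Expiry Time two-stage deletion (constructed example, not SAP code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

DEFAULT_EXPIRY_DAYS = 90  # applied when the parameter is disabled or not configured


@dataclass
class Entry:
    application: str
    username: str
    deleted_on: Optional[date] = None  # date on which the entry was flagged as "deleted"


@dataclass
class PasswordFile:
    """One copy of the password file; expiry_days=None models 'not configured'."""
    entries: Dict[str, Entry] = field(default_factory=dict)
    expiry_days: Optional[int] = None

    def effective_expiry(self) -> int:
        return self.expiry_days if self.expiry_days else DEFAULT_EXPIRY_DAYS

    def add(self, application: str, username: str) -> None:
        self.entries[application] = Entry(application, username)

    def delete(self, application: str, today: date) -> None:
        # Stage 1: only flag the entry, so other copies of the file learn about the deletion.
        self.entries[application].deleted_on = today

    def is_visible(self, application: str) -> bool:
        entry = self.entries.get(application)
        return entry is not None and entry.deleted_on is None

    def purge_expired(self, today: date) -> List[str]:
        # Stage 2: erase entries that have stayed flagged for the full expiry period.
        limit = timedelta(days=self.effective_expiry())
        erased = [key for key, e in self.entries.items()
                  if e.deleted_on is not None and today - e.deleted_on >= limit]
        for key in erased:
            del self.entries[key]
        return erased


def sync_from(target: PasswordFile, source: PasswordFile) -> None:
    """Merge source into target. Assumed merge rule: a deletion flag on either side
    wins, so a live copy can never resurrect an entry that was deleted elsewhere."""
    for key, src in source.entries.items():
        dst = target.entries.get(key)
        if dst is None:
            target.entries[key] = Entry(src.application, src.username, src.deleted_on)
        elif src.deleted_on is not None and dst.deleted_on is None:
            dst.deleted_on = src.deleted_on


def demo() -> dict:
    """Walk one constructed entry through flag, sync and purge; returns the observed states."""
    t0 = date(2011, 10, 1)
    primary, backup = PasswordFile(), PasswordFile()
    primary.add("erp", "alice")
    sync_from(backup, primary)   # backup now holds a live copy of the entry
    primary.delete("erp", t0)    # flagged on the primary, not yet erased
    sync_from(backup, primary)   # backup learns the deletion instead of resurrecting the entry
    return {
        "visible_after_flag": primary.is_visible("erp"),
        "backup_visible": backup.is_visible("erp"),
        "erased_day_89": primary.purge_expired(t0 + timedelta(days=89)),
        "erased_day_90": primary.purge_expired(t0 + timedelta(days=90)),
    }
```

The point of the model is the window between flagging and erasure: an entry that was erased outright on one copy could be copied back from another copy that has not synchronized yet, whereas a flagged entry carries the deletion with it.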
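The send-speed timing (KEYDOWN, half the latency, KEYUP, the other half, next KEYDOWN) can be reproduced as an event schedule. The Python below is an added example, not part of the guide or the product: keystroke_schedule follows the timing rule described above, while simulate_receiver and smallest_safe_send_speed are a constructed model of a destination that drops keystrokes arriving too close together, included to show how raising the millisecond value helps a slow Terminal Service client. The text "secret" is a constructed sample string.

```python
"""Timing model of the Drag & Drop Characters Send Speed parameter (constructed example)."""
from typing import List, Optional, Tuple

DEFAULT_SEND_SPEED_MS = 40  # default latency stated in the guide


def keystroke_schedule(text: str, send_speed_ms: int = DEFAULT_SEND_SPEED_MS) -> List[Tuple[float, str, str]]:
    """Return (time_ms, event, char) for every event the drag & drop operation emits:
    KEYDOWN, wait half the latency, KEYUP, wait the other half, then the next KEYDOWN."""
    if send_speed_ms <= 0:
        raise ValueError("send speed must be a positive number of milliseconds")
    half = send_speed_ms / 2
    schedule: List[Tuple[float, str, str]] = []
    t = 0.0
    for ch in text:
        schedule.append((t, "KEYDOWN", ch))
        t += half
        schedule.append((t, "KEYUP", ch))
        t += half
    return schedule


def total_duration_ms(text: str, send_speed_ms: int = DEFAULT_SEND_SPEED_MS) -> float:
    """Time until the last KEYUP has been sent: one full latency per character."""
    return len(text) * send_speed_ms


def simulate_receiver(text: str, send_speed_ms: int, min_gap_ms: float) -> str:
    """Constructed model of a slow destination (for example a Terminal Service client on a
    slow link): a KEYDOWN arriving less than min_gap_ms after the last accepted KEYDOWN is lost."""
    received: List[str] = []
    last_accepted: Optional[float] = None
    for t, event, ch in keystroke_schedule(text, send_speed_ms):
        if event != "KEYDOWN":
            continue
        if last_accepted is None or t - last_accepted >= min_gap_ms:
            received.append(ch)
            last_accepted = t
    return "".join(received)


def smallest_safe_send_speed(text: str, min_gap_ms: float, start: int = DEFAULT_SEND_SPEED_MS,
                             step: int = 10, limit: int = 1000) -> Optional[int]:
    """Raise the latency in steps until the simulated destination receives every character."""
    for ms in range(start, limit + 1, step):
        if simulate_receiver(text, ms, min_gap_ms) == text:
            return ms
    return None
```

With the default 40 ms a destination that needs 60 ms between keystrokes silently loses every second character, which is exactly the symptom the parameter description warns about; the search helper shows that 60 ms is the first setting at which the constructed receiver sees the whole string.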


5.12 SSO User Activity Trace and Log Filter

Use

The Secure Login Notification Viewer (Log Console) will also display E-SSO user trace messages. Use the filter feature to view only user trace information.

Prerequisites

Before using this feature, make sure that the ADM setting SSO User Activity Trace and Log is enabled. See Local Management Console Options [page 38].

Procedures

The Secure Login Notification Viewer (Log Console) can be accessed via C:\Program Files\SAP\FrontEnd\SecureLogin\bin\sbustrace.exe. For more information about this utility, see the Secure Login Installation, Configuration, and Administration Guide.

Click the Secure Login taskbar icon to open the certificate/token dialog. Select the menubar entry View > Log Console.

5.13 Web Setting

Use

Configure parameters related to the Web settings.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22]

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Web Settings

Parameters

Parameter Description

Auto detect Web login form

This parameter allows E-SSO to automatically detect Web application authentication fields and pop up the registration wizard.

Enabled: E-SSO will automatically detect Web application authentication fields and pop up the registration wizard.

Disabled: If this parameter is disabled, automatic detection will not take effect. The user can register the Web application by using the Save button in the E-SSO Internet browser toolbar.


5.14 LMC Setting

Use

Configure parameters related to the Local Management Console (LMC) settings.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22]

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > LMC Settings

Parameters

Parameter Description

Hide password policy for normal user

This parameter allows E-SSO to hide the password policy node in the Local Management Console.

Enabled: The password policy will either be hidden or set to read-only.

Disabled: If this parameter is disabled, the password policy in the LMC will be visible to a normal user.

5.15 Soft Token Settings

Use

Configure parameters related to soft tokens.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22]

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > SAP Signon > Soft token setting

Parameters

Parameter Description

Minimum characters of answer or password string

Defines the minimum number of characters used for the security Question and Answer fields.

Softtoken Path Configuration

This parameter defines the full path to the folder in which the soft token files will be stored. Each user needs read/write permissions to this folder.

For example: To configure the soft token path to a company's network location <G:\ShareAll>, click Enabled, enter the network location into the Softtoken Path field, and click Apply.

Softtoken Password File Size

This parameter defines the size of the soft token file. There are three options for the password file size:

Small: 1280 bytes (approximately 20 entries)

Medium: 3840 bytes (approximately 40 entries)

Large: 7680 bytes (approximately 60 entries)

If you disable this setting or do not configure it, the default value (Small) will be used.


5.16 Terminal Emulator Host Configuration

Use

Configure parameters related to terminal emulator hosts.

Prerequisites

See Adding Group Policy Templates via Group Policy Editor [page 22]

Location

Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > SAP AG > Terminal Emulator Host Configuration

Parameters

Parameter Description

Configure the first host, Configure the second host, Configure the third host, Configure the fourth host, Configure the fifth host

These parameters define the values to be used for each terminal emulator host.

Hostname or IP: The host name or IP address of the host.

The string to detect Username: The title of the user name field. This string must be the same as the label of the field in which the user enters the user name on the host machine.

The string to detect Password: The title of the password field. This string must be the same as the label of the field in which the user enters the password on the host machine.

Control key after Username: The key value that the user presses after entering the user name. For example:

If the user presses the Enter key after entering their user name, the value here is {ENTER}

If the user presses the Tab key after entering their user name, the value here is {TAB}

If the user presses the Tab key twice after entering their user name, the value here is {TAB}{TAB}

Control key after Password: The key value that the user presses after entering their password. For example:

If the user presses the Enter key after entering their password, the value here is {ENTER}

If the user presses the Tab key after entering their password, the value here is {TAB}

If the user presses the Enter key twice after entering their password, the value here is {ENTER}{ENTER}

MaxLength of Username field: The maximum number of characters that the user can enter into the user name field.

MaxLength of Password field: The maximum number of characters that the user can enter into the password field.
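To catch mistakes in a host entry before it is rolled out by policy, the following Python validator (an added example, not SAP code) parses the control key notation shown above and checks the remaining fields. The HostConfig field names, the host name pattern, the rule that the two detection strings must differ, and the values returned by sample_config and sample_bad_config are assumptions made for the example.

```python
"""Validator for one Terminal Emulator Host Configuration entry (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# A control key sequence is zero or more key names in braces, e.g. {ENTER} or {TAB}{TAB}.
KEY_TOKEN = re.compile(r"\{([A-Z]+)\}")
# Assumed host name syntax: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                      r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse_control_keys(value: str) -> List[str]:
    """Split '{TAB}{TAB}' into ['TAB', 'TAB']; reject anything outside the brace tokens."""
    tokens = KEY_TOKEN.findall(value)
    if "".join("{%s}" % t for t in tokens) != value:
        raise ValueError(f"malformed control key sequence: {value!r}")
    return tokens


def is_host_or_ip(value: str) -> bool:
    """True for an IPv4/IPv6 address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))


@dataclass
class HostConfig:
    hostname_or_ip: str
    username_label: str        # "The string to detect Username"
    password_label: str        # "The string to detect Password"
    keys_after_username: str   # "Control key after Username"
    keys_after_password: str   # "Control key after Password"
    max_username_len: int
    max_password_len: int


def validate_host(cfg: HostConfig) -> List[str]:
    """Return the problems found; an empty list means the entry is consistent."""
    problems: List[str] = []
    if not is_host_or_ip(cfg.hostname_or_ip):
        problems.append("Hostname or IP is neither a valid host name nor an IP address")
    for name, label in (("Username", cfg.username_label), ("Password", cfg.password_label)):
        if not label.strip():
            problems.append(f"The string to detect {name} is empty")
    # Assumption: identical labels would make field detection ambiguous.
    if cfg.username_label.strip() and cfg.username_label == cfg.password_label:
        problems.append("Username and Password detection strings are identical")
    for name, keys in (("Username", cfg.keys_after_username), ("Password", cfg.keys_after_password)):
        try:
            parse_control_keys(keys)
        except ValueError as exc:
            problems.append(f"Control key after {name}: {exc}")
    for name, limit in (("Username", cfg.max_username_len), ("Password", cfg.max_password_len)):
        if limit <= 0:
            problems.append(f"MaxLength of {name} field must be positive")
    return problems


def fits_field(value: str, max_len: int) -> bool:
    """True when the value can be typed into a field of the given MaxLength."""
    return len(value) <= max_len


def sample_config() -> HostConfig:
    # Constructed values, not taken from any real host.
    return HostConfig("host.example.com", "Userid:", "Password:", "{TAB}", "{ENTER}", 8, 16)


def sample_bad_config() -> HostConfig:
    # Constructed entry with two mistakes: a bare key name without braces and an invalid host string.
    return HostConfig("not valid!", "Userid:", "Password:", "TAB", "{ENTER}", 8, 16)
```

Running validate_host over each of the five host entries before applying the policy gives a concrete list of what to fix; the MaxLength check matters because a credential longer than the field accepts is truncated on the host side and the logon fails silently.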


5.17 Configuration of Smart Card Removal Behavior

Use

It is also possible to define the behaviour of the smart card when it is removed from the reader. This parameter is defined for the Windows operating system.

Procedure

1. In the Group Policy Object Editor, open Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

2. The security options will appear in the right panel:

3. Double click Interactive logon: Smart card removal behaviour.

4. Select the behaviour from the combo-box and click OK. This is the behaviour that will occur when a smart card is removed. For example, to lock the workstation after the smart card is removed, select Lock workstation.


6 Additional Information

6.1 Preparing Smart Cards for E-SSO

Use

To use a smart card with Enterprise Single Sign-On, you must first enable it by partitioning the card in readiness for the PMF file. This can be done via:

The E-SSO Smart Card Preparation Tool. See Preparing Smart Cards via E-SSO Smart Card Preparation Tool [page 45].

Windows XP GINA: See Preparing Smart Cards via Windows XP GINA [page 46].

Windows Vista or Windows 7 CRP: See Preparing Smart Cards via Windows Vista and Windows 7 Login [page 46].

6.1.1 E-SSO Smart Card Preparation Tool

1. Start the E-SSO Smart Card Preparation Tool located in the product download package under: \Utilities\E-SSO_SmartCardPrep.exe.

2. The E-SSO Smart Card Preparation Tool dialog will appear:

3. First, it is necessary to authenticate to the smart card. Click Enter Smart Card PIN.

4. A PIN prompt will appear. Enter the PIN and click OK.

5. Now the smart card is ready for preparation. Click Add Sign-On.

Add Sign-On will be disabled if the smart card has already been enabled for Windows logon. If you wish to continue adding a sign-on object to the smart card, click Remove Sign-On.

6. The Please enter user name dialog will appear:


7. Enter the user's Windows credentials into the fields User name, Password and Log on to (domain). Select Write Windows login data to card to enable the Password and Log on to fields.

8. Select Verify before writing to card to check if the credential is correctly entered before adding the credential to the smart card.

9. The Token Type ID displays the token type of the current smart card system configuration and cannot be edited.

10. Click OK to add the E-SSO object to the smart card. If the Windows credentials were not previously entered, then the user will have to perform initial Windows logon (see the following sections for more information).

6.1.2 Preparing Smart Cards via Windows XP GINA

1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN. If not, the user will be prompted to use this card for Enterprise Single Sign-On:

2. Click Yes.

3. The Windows Logon Credentials dialog will appear:

Enter your user name and password for the Windows logon into the User name and Password fields, respectively.

Select the domain for the Windows Logon from the Log on to drop-down menu and click OK.

4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon.

5. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide.

For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.

6.1.3 Preparing Smart Cards via Windows Vista and Windows 7 Login

1. Insert the smart card into the card reader. If the smart card is recognized by Enterprise Single Sign-On, a PIN prompt will appear. Enter the smart card PIN.


2. If the smart card meets the minimum requirements, you can enable the card for Enterprise Single Sign-On as follows:

Enter your user name into the first input field.

Enter your password into the second input field.

Enter the computer or network domain to which you want to log in into the third input field. By default, this field displays the computer name or network domain to which the last user logged in.

Click Save logon password on token in the Windows logon dialog.

3. The user will be prompted to use the currently connected smart card for Enterprise Single Sign-On. Click OK.

4. Enterprise Single Sign-On will automatically add the data to the smart card and perform Windows logon. You can now use Enterprise Single Sign-On for Windows logon. For more information see the Enterprise Single Sign-On User Guide.

For security reasons, we strongly recommend that you replace the initial PIN as soon as you start using a smart card. For more information see the Enterprise Single Sign-On User Guide.

6.2 Distribute Applications, Blacklist and Policies to Users

Use

Distribute pre-registered applications, blacklists, and policies to multiple users.

Soft Token

1. On the primary computer register applications, create the blacklist and policies:

Register applications and link them to appropriate credentials.

Register or add applications to the blacklist.

Create password policies.

After this step, the application (<*.api>), blacklist (<*.bll>) and policy file (<*.plc>) will be created. For example: <user1.api>, <user1.bll>, <user1.plc>.

2. On the primary computer create credentials in the soft token.

After this step, the credential file (<*.bin>) will be created. For example: user1.bin

3. On each secondary computer terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOmonitor.exe, and click End Process).

4. Now start the distribution. To distribute applications, blacklist and policies:

Copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer.

On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct username (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.

5. To distribute credentials:

Copy the folder Softtoken (located in %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer.

On the secondary computer, open the Softtoken folder and rename the *.bin file to the correct username (<%username%>.bin). For example: user2.bin.

6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.

Smart Card

1. On the primary computer register applications, create the blacklist and policies:

Register applications and link them to appropriate credentials.

Register or add applications to the blacklist.

Create password policies.

After this step, the application (<*.api>), blacklist (<*.bll>) and policy file (<*.plc>) will be created. For example: <user1.api>, <user1.bll>, <user1.plc>.

2. On the primary computer create credentials in the soft token.

After this step, the credential file (<*.bin>) will be created. For example: user1.bin

3. On each secondary computer terminate the process SSOMonitor.exe (launch Windows Task Manager, select SSOmonitor.exe, and click End Process).

4. To distribute applications, blacklist and policies:

Copy the folder AppInfo (located under %appdata%\SAP\signon) from the primary computer to the same path on each secondary computer.

On the secondary computer, open the AppInfo folder and rename the *.api, *.bll and *.plc files to the correct username (<%username%>.api, <%username%>.bll, <%username%>.plc). For example: user2.api, user2.bll, user2.plc.


5. To distribute credentials via the Local Management Console to smart cards (credentials have already been created in step 2 and stored in a soft token):

Open the Local Management Console and go to Authentication > Copy Token Contents. The Enterprise Single Sign-On Soft Token utility dialog will appear.

To copy the credentials to the smart card, select the credentials from the Credentials Stored in Soft Token list and click the transfer arrow ("up"). Once transferred, the credentials will appear in the Credentials Stored in Smart Card list. For more information about the Soft Token utility, see the Enterprise Single Sign-On User Guide.

6. Restart the process SSOMonitor.exe on each secondary computer: double-click the SSOMonitor.exe file in the %installation path%\SAP\signon folder.
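The copy-and-rename steps of both procedures (distributing the AppInfo folder in the soft token and smart card variants, and the Softtoken folder in the soft token variant) are easy to get wrong by hand when several secondary computers are involved. The Python below is an added example, not SAP's tooling: it performs the copy and the rename to the target user name on a constructed profile layout under a temporary directory (build_sample_primary writes placeholder files, not real E-SSO data). Terminating SSOMonitor.exe on the secondary computer before the copy and restarting it afterwards, as the procedures require, is left to the administrator.

```python
"""Copy-and-rename helper for distributing AppInfo and Softtoken folders (constructed example)."""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

APPINFO_EXTS = (".api", ".bll", ".plc")   # application, blacklist and policy files
SOFTTOKEN_EXTS = (".bin",)                 # credential file


def _copy_and_rename(src_dir: Path, dst_dir: Path, exts: Tuple[str, ...], target_user: str) -> List[Path]:
    """Copy src_dir to dst_dir, then rename the one file of each extension to <target_user><ext>."""
    if not src_dir.is_dir():
        raise FileNotFoundError(f"source folder missing: {src_dir}")
    shutil.copytree(src_dir, dst_dir, dirs_exist_ok=True)
    renamed: List[Path] = []
    for ext in exts:
        candidates = sorted(p for p in dst_dir.iterdir() if p.is_file() and p.suffix.lower() == ext)
        if len(candidates) != 1:
            # Refuse to guess which user's file should become the target user's file.
            raise RuntimeError(f"expected exactly one {ext} file in {dst_dir}, found {len(candidates)}")
        target = dst_dir / f"{target_user}{ext}"
        if candidates[0] != target:
            candidates[0].replace(target)
        renamed.append(target)
    return renamed


def distribute_appinfo(primary_appdata, secondary_appdata, target_user: str) -> List[Path]:
    # Folder AppInfo below %appdata%\SAP\signon on both computers (step 4 / step 4).
    rel = Path("SAP") / "signon" / "AppInfo"
    return _copy_and_rename(Path(primary_appdata) / rel, Path(secondary_appdata) / rel, APPINFO_EXTS, target_user)


def distribute_softtoken(primary_appdata, secondary_appdata, target_user: str) -> List[Path]:
    # Folder Softtoken below %appdata%\SAP\signon (soft token variant, step 5).
    rel = Path("SAP") / "signon" / "Softtoken"
    return _copy_and_rename(Path(primary_appdata) / rel, Path(secondary_appdata) / rel, SOFTTOKEN_EXTS, target_user)


def build_sample_primary(appdata: Path, user: str) -> None:
    """Write constructed placeholder files in the folder layout the guide describes (not real E-SSO data)."""
    appinfo = appdata / "SAP" / "signon" / "AppInfo"
    softtoken = appdata / "SAP" / "signon" / "Softtoken"
    appinfo.mkdir(parents=True, exist_ok=True)
    softtoken.mkdir(parents=True, exist_ok=True)
    for ext in APPINFO_EXTS:
        (appinfo / f"{user}{ext}").write_text(f"placeholder {ext} file for {user}\n")
    (softtoken / f"{user}.bin").write_bytes(b"placeholder credential file\n")


def run_demo() -> Dict[str, List[str]]:
    """Distribute from a constructed primary profile (user1) to a secondary profile (user2)."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary_appdata"
        secondary = Path(tmp) / "secondary_appdata"
        build_sample_primary(primary, "user1")
        appinfo = distribute_appinfo(primary, secondary, "user2")
        softtoken = distribute_softtoken(primary, secondary, "user2")
        leftovers = [p.name for p in (secondary / "SAP" / "signon" / "AppInfo").iterdir() if p.stem == "user1"]
        return {
            "appinfo": sorted(p.name for p in appinfo),
            "softtoken": [p.name for p in softtoken],
            "leftover_user1_files": leftovers,
        }
```

The helper refuses to rename when a folder holds files for more than one user, because silently picking one would hand a different user's credential file to the target account; that check is the part worth keeping if the script is adapted for real profiles.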

6.3 Handling Certificates

Use

The information in this section applies to smart card-based authentication only.

The E-SSO Certificate Store Provider enables you to access certificates stored on a smart card, via the Microsoft certificate store Personal. In this way smart card certificates are available for all applications using CAPI (Cryptographic Application Interface), enabling for example, secure communication via Microsoft Outlook, the Intranet and the Internet (SSL environment), without having to import the certificates manually.

If a smart card is removed from the card reader, the certificates are no longer accessible in the Microsoft certificate stores. In fact, the E-SSO certificate stores are physical stores, administered by the logical Microsoft certificate store Personal.

An application is only meant to view and examine certificates; deleting, relocating, adding and modifying certificates are not possible.

6.3.1 Preparing the Microsoft Management Console for Certificates

Use

Prepare Windows for certificates in order to view, install, and export certificates.

Procedure

1. Start the Microsoft Management Console:

Windows XP: select Start > Run, enter mmc in the Run dialog and click OK.

Windows Vista / Windows 7: select Start, enter mmc in the Search programs and files field and click OK.

2. The Microsoft Management Console will appear. Select File > Add/Remove Snap-in from the menu.

3. Windows XP only: The Add/Remove Snap-in dialog will appear. Click Add.

4. The Add Standalone Snap-in (Windows XP) or Add or Remove Snap-ins (Windows Vista/7) dialog will appear. Select Certificates and click Add.

5. The Certificates snap-in dialog will appear.

6. Select the option My User Account and click Finish. Click OK to close the dialog.

7. Close the Microsoft Management Console.


6.3.2 Where to Get More Information

View Certificates

Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmprocsviewstores.mspx?mfr=true

Windows Vista and Windows 7: http://windows.microsoft.com/en-US/Windows7/View-or-manage-your-certificates

Import and Export Certificates

Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmintrocerts.mspx?mfr=true

Windows Vista and Windows 7: http://windows.microsoft.com/en-us/Windows7/Import-or-export-certificates-and-private-keys


7 Troubleshooting

Use

Overcome the most common problems to do with the installation or configuration of Enterprise Single Sign-On.

7.1 Preliminary Troubleshooting

Make sure that the system to which you are installing Enterprise Single Sign-On meets the minimum hardware and software requirements. For more information see Planning [page 7].

Is the version of Enterprise Single Sign-On up-to-date? Each release adds new features and fixes issues. Installing the latest version may clear any problems without the need for further troubleshooting. For more information see Installation, Update, and Removal [page 12].

7.2 No Permission to Install, Modify Components or Remove Enterprise Single Sign-On

Windows XP: You need administrator access rights (role or group member) to be able to install, modify components or remove Enterprise Single Sign-On. If you do not have the administrator access rights, contact your system administrator for more assistance.

Windows Vista and Windows 7: The Enterprise Single Sign-On installation package is signed to allow the system to identify the program. However, if this signature fails, the following User Account Control dialog will appear (providing User Account Control is active):

To continue the installation process, select the option Allow – I trust this program. I know where it’s from or I’ve used it before. The installation will proceed.


7.3 Smart Card Troubleshooting

Use

Overcome problems when the smart card is not available and/or not recognized by the system.

Procedure

1. Verify that a smart card reader is properly connected and recognized by the operating system.

2. Verify that the latest version of the smart card middleware (PKCS#11 library / middleware) is installed in the system.

3. If you are still prompted with the error dialog Smart card is not available, try re-inserting the smart card and/or restarting the system.

4. If all of the above fail, please contact your system administrator.

7.4 Multiple Smart Card Readers

Use

Troubleshoot problems if there are multiple card readers connected to the computer.

Procedure

Define the default smart card reader using the E-SSO Card Configuration Tool. For more information see Card Reader Configuration [page 21]. The tool may be started via the Local Management Console or via the menu entry Start > All Programs > SAP > signon > E-SSO Card Configuration Tool.

7.5 Enterprise Single Sign-On Login/GINA Dialog Not Appearing

Use

This applies for Windows XP users only.

Procedure

In Windows XP Professional it is not possible to use the Windows Logon feature of Enterprise Single Sign-On if the computer is not a member of a domain. Microsoft does not support this for computers that are only members of a workgroup. If the Enterprise Single Sign-On login or GINA dialog does not appear after pressing Ctrl-Alt-Delete, make sure that the computer is a member of a domain.

7.6 Unable to Log In to the Network

Ensure that the user has correctly entered their user name and the domain name.

Verify that the computer is a member of a domain. Otherwise, add the user in Windows User Management. See Preparations Steps for Windows XP [page 8].


7.7 CRP Filter Does Not Disable Specified CRPs

Use

The CRP Filter has been provided to disable any registered CRP for Windows logon. Follow this procedure if you have added a filter but it does not disable the specified CRPs.

Procedure

1. Access the Filter properties > Show Contents dialog (see Apply E-SSO Filter [page 27]) and check the following values:

2. The Value Name field should display the GUID of the CRP that you want to filter. The GUID is a number/letter combination, including the braces. For example: <{25CBB996-92ED-457e-B28C-4774084BD562}>.

3. The Value field should display the scenarios to which the filter will be applied, separated by a semicolon ";" with no spaces between each entry. For example: <LOGON;UNLOCK;CHANGE>

4. If any of these values are incorrectly set, click Remove and add a new entry to the CRP list. See Apply E-SSO Filter [page 27].
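The checks in steps 2 and 3 can be run over the Show Contents list before the filter is applied, so that a dropped brace or a stray space is found without waiting for the next logon. The Python below is an added example, not part of the guide: it accepts the guide's example GUID and scenario list, and it treats any scenario name other than LOGON, UNLOCK and CHANGE as suspect, which is an assumption based solely on the example value shown above. The all-zero GUID in SAMPLE_ENTRIES is a placeholder, not a real CRP identifier.

```python
"""Checker for CRP Filter entries as described in steps 2 and 3 (constructed example)."""
import re
from typing import Dict, List, Tuple

GUID_BODY = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
GUID_WITH_BRACES = re.compile(r"^\{" + GUID_BODY + r"\}$")   # required form, braces included
GUID_BARE = re.compile("^" + GUID_BODY + "$")               # common mistake: braces dropped

# Scenario names taken from the guide's example value; assumption: anything else is a typo.
KNOWN_SCENARIOS = {"LOGON", "UNLOCK", "CHANGE"}


def check_filter_entry(value_name: str, value: str) -> List[str]:
    """Return the problems found in one Value Name / Value pair (empty list = looks correct)."""
    problems: List[str] = []
    if GUID_BARE.match(value_name):
        problems.append("Value Name is a GUID but the surrounding braces are missing")
    elif not GUID_WITH_BRACES.match(value_name):
        problems.append(f"Value Name is not a GUID in braces: {value_name!r}")

    if any(ch.isspace() for ch in value):
        problems.append("Value contains whitespace; separate scenarios with ';' and no spaces")
    parts = value.split(";")
    if "" in parts:
        problems.append("Value has an empty scenario (leading, trailing or doubled ';')")
    seen = set()
    for part in parts:
        if not part:
            continue
        if part not in KNOWN_SCENARIOS:
            problems.append(f"unknown scenario {part!r} (expected one of LOGON, UNLOCK, CHANGE)")
        if part in seen:
            problems.append(f"scenario {part!r} is listed twice")
        seen.add(part)
    return problems


def check_filter_list(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check every entry of the Show Contents list; only entries with problems are returned."""
    report: Dict[str, List[str]] = {}
    for value_name, value in entries:
        found = check_filter_entry(value_name, value)
        if found:
            report[value_name] = found
    return report


# Constructed list: the first entry is the guide's example, the others contain typical mistakes.
SAMPLE_ENTRIES = [
    ("{25CBB996-92ED-457e-B28C-4774084BD562}", "LOGON;UNLOCK;CHANGE"),
    ("25CBB996-92ED-457e-B28C-4774084BD562", "LOGON"),
    ("{00000000-0000-0000-0000-000000000000}", "LOGON; UNLOCK;"),
]
```

An entry that passes these checks can still name the wrong CRP; the GUID itself has to be taken from the registered provider, which this checker cannot verify offline.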


7.8 Web SSO Toolbar Does Not Appear

This issue will occur in one of the following situations.

Enterprise Single Sign-On Installed Before Installing a Browser

1. Reinstall the Internet Browser plug-in for your Internet browser. See Modify Enterprise Single Sign-On Components [page 17].

2. Make sure the computer is restarted to apply the changes.

When Snag-It Toolbar is Enabled

If Snag-It is installed in your system, the Web SSO Toolbar can disappear in Internet Explorer 8 when opening a new tab or another similar operation. If you encounter this issue, disable the Snag-It toolbar and restart Internet Explorer.

7.9 Group Policies do Not Display Correctly

Use

After successfully adding E-SSO ADM entries to the Microsoft Group Policy Editor the content does not appear as described in Adding Group Policy Templates via Group Policy Editor [page 22].

Cause

The "Filter" option is active.

Procedure

1. To display the policy settings in the Microsoft Group Policy Editor right-click the respective node in the left pane and de-select the option Filter on.

2. The navigation tree will close. Re-open the respective node to view the policy settings.