Single Sign-On with SAP Logon


Upload: santubhandari

Post on 21-Dec-2015


DESCRIPTION

Troubleshoot Single Sign-On with SAP Logon Tickets

TRANSCRIPT

Troubleshoot Single Sign-On with SAP Logon Tickets

701205 - Single Sign-On using SAP Logon Tickets
Version: 11
Validity: 29.10.2008 - active
Language: English (Master)
Released On: 29.10.2008 15:49:39
Release Status: Released for Customer
Component: BC-JAS-SEC-UME User Management Engine
Other Components: BC-JAS-SEC Security, User Management
Priority: Correction with medium priority
Category: Consulting

Solution

The following checks can help you in isolating and solving the problem:

ABAP System

Call transaction SSO2 and specify 'NONE' as RFC Destination.

- Profile parameter login/accept_sso2_ticket=1 is displayed. You can maintain this parameter in transaction rz11.
- The certificate of the Portal must be listed in the Certificate List. The Owner of the J2EE (Portal) certificate must be unique in the Certificate List.
- Under 'Systems for Which Accepts Verified Logon Tickets':
  - The System ID to use for the Single Sign-On ACL must match the System ID of the MYSAPSSO2 cookie. This ID is a three-letter uppercase ID. In EP 6 SP2 the System ID is specified in the property login.ticket_issuer in the UM Configuration under Direct Editing (e.g. login.ticket_issuer=EP6). In Netweaver the System ID is fixed. The System ID in Netweaver is given e.g. in the System Information (accessible from http://:/index.html).
  - The Client to use for the Single Sign-On ACL must match the client of the MYSAPSSO2 cookie. The ticket client can be specified by the parameter login.ticket_client (for example, login.ticket_client=000). In EP6, you can edit this value in the UM Configuration under Direct Editing. In NW'04, you can edit this property also in the Propertysheet com.sap.security.core.ume.service. If no value is specified, the default client 000 is taken (in the example above, there needs to be an entry SAP System EP6 Client 000 in the SSO2 transaction).
  - The combination of System ID and Client must be unique in the Single Sign-On ACL of the ABAP System.
- Check whether the SAPSECULIB or SAPCRYPTOLIB is up-to-date (see Note 177895). You can download the most recent version from the Service Market Place, http://service.sap.com/download -> Download -> SAP Cryptographic Software. The profile parameters
    ssf/ssfapi_lib = (SAP Security Library)
    ssf/name = SAPSECULIB
    sec/libsapsecu = (SAP Security Library)
  need to be set correctly.

J2EE

- The User IDs need to be the same in the J2EE (Portal) and the SAP System. As an alternative, you can use User Mapping in the Portal. In this case and only in this case, you need to specify an R/3 Reference System under UM Configuration -> Security Settings. In Netweaver, you can also maintain this property in the Propertysheet com.sap.security.core.ume.service. User Mapping is only available if you run a Portal.
- If you call the ABAP System via http(s), the J2EE and the ABAP System need to be called with the same domain name in the browser (in this case the MYSAPSSO2 ticket is wrapped in a cookie and it is sent via a session cookie named MYSAPSSO2). SSO with SAP Logon tickets for multiple domains is supported starting with EP6 SP6. You can also use domain relaxing if the domains differ only in a subdomain name. In this case, specify the number of subdomains to be cut from the J2EE domain name using the parameter ume.logon.security.relax_domain.level in the sapum.properties (under Direct Editing in the UM Configuration). Example: If the host name for the Portal is portal.wdf.sap.com and ume.logon.security.relax_domain.level=2, then the MYSAPSSO2 cookie is sent to all servers within the domain sap.com (for more information on domains, see also Note 654326).
- In an Add-In installation, you have to specify a different client for the J2EE Engine to use (see above), and you have to replace the key pair that the J2EE Engine uses to digitally sign the logon ticket. See the attached documentation for information about how to perform these tasks.
- You can download and deploy the attached Portal Component to display the most important properties of the MYSAPSSO2 ticket, like Portal User Name, ABAP User Name, SID of the Portal, Client of the Portal, timestamp of the ticket and the validity of the ticket. You can also verify the ticket against a certificate.

Logging and Tracing

If these checks do not resolve the problem, and you configure SSO to an ABAP system, create an SM50 trace with only the security component turned to trace level 2. In order to do so, run transaction SM50 and select some of the dialog work processes (around 5). Then choose 'Processes -> Trace -> Active components' from the menu (or use CTRL-SHIFT-F7). Set the trace level to 2 and select only the 'Security' component. Reproduce the SSO problem, and note the time. Return to the SAP system to check the traces you just started (CTRL-SHIFT-F8 in SM50). This trace collects information on work process level. Therefore, you need to find the work process that has handled the authentication attempt. This procedure is described in Note 495911 in more detail.

If the checks do not resolve the problem, and you configure SSO to a Netweaver J2EE, increase the trace level of the J2EE for the following locations to ALL, and recreate the problem:
    com.sap.engine.services.security
    com.sap.security.core.server.jaas
    com.sap.security.core.ticket
    com.sap.security.core.util
You can find detailed information on setting the trace level in the Documentation for SAP NetWeaver Release under SAP NetWeaver -> Security -> Identity Management -> User Management Engine -> UME Configuration -> Logging and Tracing.

A more convenient way is to use the Diagtool for making traces on the Java side. See SAP Notes: WebDiagtool -> SAP Note No. 1045019 and Note 957707 - Using Diagtool for Troubleshooting Single Sign-On.
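The following Python script is an added example, not part of the SAP note: it turns the ABAP-side checks (login/accept_sso2_ticket, SSO2 ACL entry matching login.ticket_issuer and login.ticket_client, unique certificate owner) and the J2EE domain-relaxing rule (ume.logon.security.relax_domain.level) into a consistency check. The dictionaries, ACL tuples, certificate owner strings, host names and function names are constructed assumptions for illustration.

```python
import re

DEFAULT_TICKET_CLIENT = "000"  # taken when login.ticket_client is not set


def relaxed_cookie_domain(portal_host, relax_level):
    """Domain the MYSAPSSO2 cookie is issued for: cut relax_level leading labels."""
    labels = portal_host.lower().split(".")
    if not 0 <= relax_level < len(labels):
        raise ValueError("relax_domain.level must leave at least one label")
    return ".".join(labels[relax_level:])


def cookie_reaches_host(portal_host, relax_level, abap_host):
    """True if a browser would send the portal's cookie to abap_host."""
    domain = relaxed_cookie_domain(portal_host, relax_level)
    host = abap_host.lower()
    return host == domain or host.endswith("." + domain)


def check_sso2_config(profile, ume, acl, cert_owners, portal_cert_owner,
                      portal_host, abap_host):
    """Apply the note's consistency checks; an empty list means all passed."""
    findings = []
    if profile.get("login/accept_sso2_ticket") != "1":
        findings.append("login/accept_sso2_ticket is not 1 (maintain in rz11)")
    sid = ume.get("login.ticket_issuer", "")
    if not re.fullmatch(r"[A-Z][A-Z0-9]{2}", sid):  # three uppercase chars, e.g. EP6
        findings.append(f"ticket issuer {sid!r} is not a three-character uppercase ID")
    client = ume.get("login.ticket_client", DEFAULT_TICKET_CLIENT)
    hits = acl.count((sid, client))  # ACL entries modelled as (System ID, Client)
    if hits == 0:
        findings.append(f"no SSO2 ACL entry for system {sid} client {client}")
    elif hits > 1:
        findings.append(f"SSO2 ACL entry {sid}/{client} is not unique")
    if cert_owners.count(portal_cert_owner) != 1:
        findings.append(f"certificate owner {portal_cert_owner!r} must be listed exactly once")
    level = int(ume.get("ume.logon.security.relax_domain.level", "0"))
    if not cookie_reaches_host(portal_host, level, abap_host):
        findings.append(f"cookie domain {relaxed_cookie_domain(portal_host, level)} "
                        f"does not cover {abap_host}")
    return findings


# Constructed sample values following the note's example (issuer EP6, client 000).
SAMPLE_PROFILE = {"login/accept_sso2_ticket": "1"}
SAMPLE_UME = {"login.ticket_issuer": "EP6", "ume.logon.security.relax_domain.level": "2"}
SAMPLE_ACL = [("EP6", "000"), ("PRD", "100")]
SAMPLE_CERT_OWNERS = ["CN=EP6", "CN=PRD"]
```

Calling check_sso2_config on the sample values with portal host portal.wdf.sap.com and ABAP host abap.wdf.sap.com returns an empty list; an ACL with the EP6/000 entry twice returns the single uniqueness finding.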