We will be covering:
- Performance improvement
- Improved SSO settings
- Office 365 support
Performance improvement
While implementing the Client Groupware functionality on several SAP CRM systems we noticed that the performance of the synchronization process was not as well as we expected.So when debugging the synchronization process we found the system was taking a very long time on processing the selects on table: CRMD_BELVONAE
The issue was the SAP standard indexes for Predecessor and Successor search where not activated properly in the standard system:
So by changing the Non-unique index setting from "No database index" to "Index on all database systems" we activated the index for both Predecessor and Successor search.
Using Kerberos SSO for SAP CRM Client Groupware
When using SAP CRM Groupware integration, in order not to frustrate users with logon popups, it is strongly advised to implement SSO for groupware integration. As we noticed, you have quite some options for this implementation which you have to decide on.In order to use a single-sign-on solution to groupware, we faced a few challenges. SAP CRM client groupware only supports the use of X509 certificates out of the box, but doesn’t support Kerberos SSO.
Fortunately in our case the SAP portal does support SSO with Kerberos tickets using SPnego.
For our initial problem we wanted to use the windows account to logon to SAP CRM, so we could use two options:
- Option 1 uses a reverse proxy (or an SAP webdispatcher) to fool the SAP CRM groupware application to think that it will be connecting directly to a SAP CRM backend. The flow will look like this:
SAP CRM Groupware > Reverse Proxy > SAP Portal with SPnego SSO > get SAPSSO2 cookie > Redirect to SAP CRM backend using the SAPSSO2 cookie for SSO
- Option 2 uses the SAP J2EE directly by using a servlet. The flow will look like this:
SAP CRM Groupware > SAP J2EE servlet (Portal) with SPnego > get SAPSSO2 cookie > Redirect to SAP CRM backend using the SAPSSO2 cookie for SSO
These options worked as they supposed to, but with the latest support packages and latest version of the Client Groupware SAP introduced a similar mechanism.
For a correct functioning SSO solution, we had to change the error redirect URL in the ICF service /sap/crm/crm_act_gwsync to a valid endpoint on the SAP J2EE.
This entry is the same as the SSOAUTHURL parameter. The GWIServiceProtocol parameter indicates whether we should use HTTP or HTTPS.
For a correct synchronization result we need to set the parameter EnableSSOAuthentication to False as this is only used for x509 authentication.
