Wednesday, August 14, 2013

SAP CRM Client Groupware update

With this weeks blog we want to inform you about some findings when implementing the latest SAP CRM Client groupware version (
We will be covering:
  • Performance improvement
  • Improved SSO settings
  • Office 365 support

Performance improvement

While implementing the Client Groupware functionality on several SAP CRM systems we noticed that the performance of the synchronization process was not as well as we expected.
So when debugging the synchronization process we found the system was taking a very long time on processing the selects on table: CRMD_BELVONAE
The issue was the SAP standard indexes for Predecessor and Successor search where not activated properly in the standard system:


So by changing the Non-unique index setting from "No database index" to "Index on all database systems" we activated the index for both Predecessor and Successor search.

And activating these two indexes improved the synchronization speed of the SAP CRM Client Groupware tool significantly!

Using Kerberos SSO for SAP CRM Client Groupware 

When using SAP CRM Groupware integration, in order not to frustrate users with logon popups, it is strongly advised to implement SSO for groupware integration. As we noticed, you have quite some options for this implementation which you have to decide on.

In order to use a single-sign-on solution to groupware, we faced a few challenges. SAP CRM client groupware only supports the use of X509 certificates out of the box, but doesn’t support Kerberos SSO.

Fortunately in our case the SAP portal does support SSO with Kerberos tickets using SPnego.

For our initial problem we wanted to use the windows account to logon to SAP CRM, so we could use two options:
  • Option 1 uses a reverse proxy (or an SAP webdispatcher) to fool the SAP CRM groupware application to think that it will be connecting directly to a SAP CRM backend. The flow will look like this:
SAP CRM Groupware > Reverse Proxy > SAP Portal with SPnego SSO > get SAPSSO2 cookie > Redirect to SAP CRM backend using the SAPSSO2 cookie for SSO
  • Option 2 uses the SAP J2EE directly by using a servlet. The flow will look like this:
SAP CRM Groupware > SAP J2EE servlet (Portal) with SPnego > get SAPSSO2 cookie > Redirect to SAP CRM backend using the SAPSSO2 cookie for SSO

These options worked as they supposed to, but with the latest support packages and latest version of the Client Groupware SAP introduced a similar mechanism.
In the GWI Profile it is now possible to use the parameters SSOAUTHURL and GWIServiceProtocol.

For a correct functioning SSO solution, we had to change the error redirect URL in the ICF service /sap/crm/crm_act_gwsync to a valid endpoint on the SAP J2EE.

This endpoint should be http://<Portal server>:50000/irj/portal
This entry is the same as the SSOAUTHURL parameter. The GWIServiceProtocol parameter indicates whether we should use HTTP or HTTPS.
For a correct synchronization result we need to set the parameter EnableSSOAuthentication to False as this is only used for x509 authentication.

Supporting Office 365

And last but not least as of Client Groupware version 10.30 sp02 Microsoft Office 365 is also supported, but only when you use it together with outlook 2010 sp01 or outlook 2013.