
SNC Client Encryption is an optional feature of SAP GUI and the SAP NetWeaver technology platform. This software component enables users to protect communication between SAP GUI and SAP NetWeaver Application Server (AS) ABAP. The component also enables encryption for RFC clients, such as BEx Query Designer.

SNC Client Encryption uses Secure Network Communications (SNC) to encrypt and secure the communication channel between the client and the AS ABAP. This protects the business user operating the client from eavesdroppers who seek to capture or manipulate information, such as logon data or business data.

In a standard setup, users enter their user name and password into the logon screen of the SAP GUI. SAP GUI transfers data, such as user names and passwords, through the network without encryption.

SNC Client Encryption only offers encryption. To enable single sign-on (SSO), we offer SAP NetWeaver Single Sign-On. SAP NetWeaver Single Sign-On centralizes and greatly simplifies the way users log on to systems and applications in your IT landscape. Seamlessly integrated into your existing authentication processes, it offers enhanced security through state-of-the-art technology. But that's not the only benefit SAP NetWeaver Single Sign-On has to offer. Reduce your operating costs by eliminating password-related helpdesk calls, and improve user productivity - more than enough reasons to start thinking about implementing a single sign-on solution in your company.

SNC Client Encryption Installation steps

  • Create the technical Active Directory User for your AS ABAP system and assign a Service Principal Name (SPN)

    SPN name format : SAP/YourServiceUser
    The Active Directory user needs to be made a domain member

  • Install Secure Login Library or CommonCryptoLib

    The new CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 (or higher) is fully compatible with previous versions of SAPCRYPTOLIB beginning with AS ABAP Kernel 7.20 PL88. In addition, CommonCryptoLib adds features of SAP Single Sign-On 2.0 Secure Login Library.
    You must not use CommonCryptoLib if you are running Kernel releases prior to 7.20 PL88, as CommonCryptoLib is not fully compatible with such old releases. Use SAPCRYPTOLIB 5.5 PL38 in such cases.

  • Create Keytab and Credential, set SECUDIR environment variable
  • Set RZ10 parameters (snc/identity/as and snc/gssapi_lib)
    snc/identity/as should be "p:CN=YourServiceUser@DOMAIN"
  • Restart AS ABAP

  • Install SNC Client Encryption on the client
  • Set SNC name for SAPGUI
    SNC name format : p:CN=SAP/YourServiceUser@DOMAIN

Prerequisites and recently supported platforms

Common configuration problems

Active Directory user

Service User does not exist
User is not logged in to domain (no domain user)
Service User has no Service Principal Name, or it has been set with invalid syntax. The mandatory form is "SAP/YourServiceUser"
Multiple Service Principal Names (SPN) were found in the same Active Directory

Keytab and credential

Keytab password and service user password do not match
Wrong PSE name was used (SAPSNCSKERB.pse or is mandatory)
SPN was used instead of Service User UPN to create the keytab

Credential was set for a different system user

SAPGUI SNC configuration

SNC User Name is configured in transaction SU01

Client side problems

User running the SNC Client Encryption is not a member of the domain

Error: No credentials were supplied (see client side trace for more details)
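
The name-related problems listed above can be caught before a restart by comparing the values against each other. The following is an added example, not SAP code: the function name, the sample user SvcABAP and the domain EXAMPLE.COM are hypothetical, and the checks encode only the name formats given on this page.

```python
import re
from collections import Counter

# Name formats exactly as this page gives them.
SPN_RE = re.compile(r"^SAP/([^/@\s]+)$")                  # SAP/YourServiceUser
AS_RE = re.compile(r"^p:CN=([^/@\s]+)@([^/@\s]+)$")       # snc/identity/as
GUI_RE = re.compile(r"^p:CN=SAP/([^/@\s]+)@([^/@\s]+)$")  # SAP GUI SNC name

def lint_snc(service_user, ad_spns, snc_identity_as, gui_snc_name, keytab_principal):
    """Return findings for the misconfigurations listed above ([] = consistent).

    ad_spns is a list of (account, spn) pairs exported from Active Directory.
    """
    findings = []
    own = [spn for acct, spn in ad_spns if acct == service_user]
    if not own:
        findings.append("service user has no SPN")
    for spn in own:
        m = SPN_RE.match(spn)
        if not m or m.group(1) != service_user:
            findings.append(f"invalid SPN syntax: {spn}")
    # The same SPN on more than one entry (compared case-insensitively here).
    for spn, n in Counter(s.lower() for _, s in ad_spns).items():
        if n > 1:
            findings.append(f"duplicate SPN: {spn}")
    m_as, m_gui = AS_RE.match(snc_identity_as), GUI_RE.match(gui_snc_name)
    if not m_as or m_as.group(1) != service_user:
        findings.append("snc/identity/as is not p:CN=<service user>@<DOMAIN>")
    if not m_gui or m_gui.group(1) != service_user:
        findings.append("SAP GUI SNC name is not p:CN=SAP/<service user>@<DOMAIN>")
    if m_as and m_gui and m_as.group(2) != m_gui.group(2):
        findings.append("domain differs between server and SAP GUI SNC names")
    # The keytab must be created with the service user's UPN, not the SPN.
    if "/" in keytab_principal.split("@")[0]:
        findings.append("keytab was created with the SPN instead of the UPN")
    return findings

# Constructed sample input (hypothetical names, not from a real system).
GOOD = dict(service_user="SvcABAP", ad_spns=[("SvcABAP", "SAP/SvcABAP")],
            snc_identity_as="p:CN=SvcABAP@EXAMPLE.COM",
            gui_snc_name="p:CN=SAP/SvcABAP@EXAMPLE.COM",
            keytab_principal="SvcABAP@EXAMPLE.COM")
BAD = dict(GOOD, ad_spns=[("SvcABAP", "SAP\\SvcABAP"), ("a", "SAP/X"), ("b", "sap/x")],
           gui_snc_name="p:CN=SAP/SvcABAP@OTHER.COM",
           keytab_principal="SAP/SvcABAP@EXAMPLE.COM")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_snc(**cfg) or "consistent")
```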

Create trace

1. Create the trace file directory in either %HOMEDRIVE%%HOMEPATH%\sec or C:\sec.

2. Create the file sec_log_file_filename.txt in the trace file directory. This file sets the name format for the trace files.

3. Enter the name format for the trace files in the sec_log_file_filename.txt file. Use the following format: <Path_to_Trace_File_Directory>\log-%.PID.%.txt

Example: C:\sec\log-%.PID.%.txt

This creates a log file in the sec directory with the process ID replacing %.PID.% in the name. The AS ABAP creates multiple work processes, so including the process ID in the name avoids parallel access to the same file by all processes.

4. Create the sec_log_file_level.txt in the trace file directory. This file sets the trace level.

5. To start the trace, enter a trace value as a single digit in the trace level file according to the table below.





  • No trace
  • Errors and Warnings
  • Errors, Warnings, and Logs
  • Errors, Warnings, Logs, and Infos

To disable the trace, enter 0 in the trace level file.
