
Overview

The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.

Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.

 

Implementing Single Sign-On with Kerberos

The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.

 

Video Title / Description | Video (YouTube)


Kerberos-Based SSO to Application Server ABAP (6:20 min)

The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.


Kerberos-Based SSO to Application Server ABAP - Mass User Mapping (1:56 min)

One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how do you configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.


Kerberos-Based SSO to Application Server Java (3:52 min)

The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.

 

Recommendations and Troubleshooting

Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)

Blogs

Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources

Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information

For more information about SAP Single Sign-On, visit https://www.sap.com/community/topic/sso.html.

 


24 Comments

  1. Former Member

    Hello,

    Can anyone inform as to the correct settings in the SAP Logon pad? When I set the SNC Name value in the Network tab, I receive an error when launching the system:

    GSS-API(maj): Miscellaneous Failure
    GSS-API(min): SSPI::IniSctx#1()==Specified target us unknown or unreachable ...

    I followed video one, Kerberos-Based SSO to Application Server ABAP, and everything worked as expected up until this point.

    Thanks,
    Shawn

     

    1. Hello Shawn,

      have you installed the Secure Login Client (SLC) on the end user side?

      Regards,

      Martina

      1. Former Member

        Hi Martina,

        Yes. I was having trouble determining the correct value for the SNC Name in the SAP Logon Pad. But, I did get the correct value and was able to get SSO working for that system just the other day! (smile)

        Thanks,
        Shawn

  2. Hi , 

    I am getting the below error ,


    "GSS-API(maj): No credentials were supplied Unable to establish the security context target="p:CN=SYSKerberosSAN@TEST.COM"

    I have the below doubts

    1)I have not performed the SPNEGO steps, Can I implement the parameters

    2)The SAN systems FQDN is DOMAIN.COM for client requirement we have created the AD account TEST.COM (It is the client network systems)

    Please suggest,

                Thanks in Advance.

    Best Regards, 
    Sunil  

     

  3. Former Member

    Hi Sunil,

    Your issue is not related to your ABAP configuration but to the fact that the Secure Login Client did not get a ticket from the Service Principal Name (SPN) SAP/SYSKerberosSAN@TEST.COM. Could you please check if you have configured such an SPN? Please open a command line on your Client Workstation and enter the following command: setspn -Q SAP/SYSKerberosSAN@TEST.COM . If you have configured another SPN for your Service account, please enter it in your SAP GUI entry for SNC Name configuration.

    The SNC Kerberos configuration expects that you create a keytab on the Server side with the Service Account User Principal and that you enter the SPN of this Service Account in the SAP GUI configuration (not the Service Account User Principal).

     

    KR

    Valerie

  4. Hi Valerie, 

    Thanks for response:)

    I have updated the new cryptolib files; please check the line below (in STRUST > Environment > Display SSF Version):

    SSFLIB Version 1.850.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.1 (+MT) #Copyright (c)  SAP, 2011-2016#compiled for linux-gcc-4.3-x86-64#

     

    I have updated the parameters and restarted the system also.

    But while opening the SNCWIZARD t-code I am getting "SAPCRYPTOLIB too old".

     

    Please suggest, what I missed and wrong.

     

    Thanks , 
    Sunil  

     

     

    1. Former Member

      Hi Sunil,

      you have to implement SAP note 2304831 .

      KR

      Uwe 

      1. Hi Uwe, 

         

        Thanks for SAP note:) , I have crossed that error.

        Now I am facing the new issue, after refresh in the SPNEGO t code , getting the below error.

        No ABAP user found for the SNC user name p:CN=SUNIL.KANDIMAL@XXXX.COM. Check your SNC user mappings in transaction SU01.

        I have checked in SU01 , the values are there. 

         

        Please suggest, how to cross this issue.

         

        Thanks,
        Sunil k

  5. Thanks Bauer:)

    After implementing the 2304831 note I am not getting the error, but again it's going to the configuration screen; those parameter changes are already done. If I select the continue button again, do I need to restart the systems or is that not required?

    Please note SSO is working for users but only am getting the error SAPCRYPTOLIB too old

    Can you please suggest , can I implement this note before changing the parameters ?

    Thanks,
    Sunil k  

  6. Former Member

    Thanks Martina, but I would like to ask 2 questions; I would appreciate it if anyone has information:

    1. Every time, the user must select Kerberos Token in SAP Secure Login Client and select Use Profile for SAP Applications.
      Is there any method to automate that step?
    2. For the SAP GUI, is there any method to automate selecting SAP System Properties and SNC and typing the SNC Name?


  7. Hi , 

    Can you please suggest the steps while doing the DB refreshes? What are the tables we need to back up?
    It is very hard to do the steps again.

    Thanks in advance.

    Regards,
    Sunil 

  8. Former Member

    Thanks for the video,it worked for fiori launchpad sso.

  9. Former Member

    Hi All,

    I am not able to use Kerberos SSO for my SAP SOLUTION MANAGER 7.1 and CommonCryptoLib 8.5.12 (Apr 12 2017).

    I am not able to launch the t-code SNCWIZARD, and the SPNEGO t-code does not have the SPN (Service Principal Name Mapping) and User Mapping tabs!

    Kindly advise

    Regards,

    Omkar

     

  10. Former Member

    Hi All,

    I have used the conventional method to generate the PSE and Keytab file as per the note below:

    1525059 - Analysis of Problems Accessing a PSE via Credentials.

    Thanks SAP for this Note.

    Regards,

    Omkar Kattimani

  11. Former Member

    Is it possible to implement SSO for SAP GUI using Kerberos without Secure Login Server and only use secure login client?

    I see that there are Authentication Methods without Secure Login Server in SSO Implementation Guide in below link but I can't find much information elsewhere.

    https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/ed9de17f21374673ac8118928eb77c72.html

    Regards,

    Abhi

     

    1. Former Member

      Hi Abhi,

      Please check the first 2 videos of this page. It is about SAP SSO using Kerberos with SNC without Secure Login Server.

       

      KR

      Valerie

  12. Hi Martina,

    thanks for information.

    Can you tell me whether these methods (Kerberos-Based SSO to Application Server ABAP) are free? (Do I need to buy something?)

    1. Hi Daulet,

      Kerberos/SPNEGO-based single sign-on to Application Server ABAP requires a license for the SAP Single Sign-On product. For specific licensing information, please contact your SAP Account Executive.

      Thanks,

      Martina

  13. Former Member

    Hi, 

    Thanks for this very nice video, I managed to make it work for SAPgui access to an ABAP system.

    However, when trying to launch a BSP application or even accessing Webgui via a browser, SSO doesn't work. I understand that the intention of this is that it will also work on browser-based applications. Can someone please advise what I might be missing? I did follow the instructions in the first video.

    Appreciate if someone could give any insights.

     

    Thank you!

    Juvie

    1. Hi Juvie,

      please have a look at SAP Note 1732610: SPNego ABAP: Troubleshooting Note.

      If you still cannot solve the issue, please open a customer ticket.

      Thanks,

      Martina

  14. Former Member

     

    Hi,

    Is this the same way to achieve SSO between MS AD, AS Java and AS ABAP where the servers are on SUSE Linux OS?

    In our case the user ID at each system, e.g. ECC, BO, CRM, Portal, is different for the same user. Can we still achieve SSO? If so, could you explain how?

     Many Thanks

    1. Hi Murali,

      you need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. If your users have different user names in various backend systems, you need a system-specific user mapping.

      You will find further information in the SAP Single Sign-On implementation guide here:

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/be38170f4b2d4913a0845b5f921a06f2.html

      Regards,

      Martina

  15. Former Member

    Hi All,

    I have a query with respect to Kerberos Token in SLC Client.

    1. Is it possible to set the time out for this token?
    2. Can anybody login simply by picking my token(Kerberos) and my user ID into the SAP System?

    Thanks a lot, and your valuable answers are much appreciated.

    Regards,

    Omkar

    1. Hello Omkar,

      in the Secure Login Client it is not possible to influence the timeout for the Kerberos token. However, you can influence the single sign-on behavior by using the parameter SSOMODE. Find the details in the documentation here:

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/8b5500efc24147758cbf918cd829bbdb.html

      Regards,

      Martina