
Recommendations

Microsoft Service Account

Should one service account be used for all SAP server systems, or should a separate service account be created for every SAP server system?

We recommend creating a separate service account for every SAP server system, each with its own Service Principal Name (SPN) and a different, complex password. This concept increases security. Why?

  • If one Microsoft service account is used for all SAP server systems and its password is no longer trustworthy, all SAP server systems are affected. This is an issue that should be avoided.
  • If a separate Microsoft service account is used for each SAP server system and its password is no longer trustworthy, only that SAP server system is affected.
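The following PowerShell script is an added example (not code from this wiki page or from SAP) that checks the recommendation above against Active Directory: it lists every account holding an SPN with the mandatory "SAP/" prefix and warns when one service account serves more than one SAP system. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that SPNs follow the SAP/SAPServer<SID> convention used later on this page with a three-character SID, and that the caller may read servicePrincipalName from AD. It also derives the keytab principal in the <sAMAccountName>@<REALM> form (realm in capital letters) that the keytab troubleshooting section expects.

```powershell
# Added example, not from the SAP wiki page: verify "one service account per SAP system".
# Assumptions: ActiveDirectory module available; SPNs named SAP/SAPServer<SID> (3-char SID).
Import-Module ActiveDirectory

function Get-SapSpnOwners {
    # Realm for the keytab principal: the domain DNS name in capital letters.
    $realm = (Get-ADDomain).DNSRoot.ToUpper()

    # Every AD object (user or computer) holding at least one SPN with the "SAP/" prefix.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=SAP/*)' `
                            -Properties sAMAccountName, servicePrincipalName

    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            if ($spn -notlike 'SAP/*') { continue }   # other services registered on the same account

            # Derive the SID from the SAP/SAPServer<SID> convention (assumption: SID is the last 3 chars).
            $sid = if ($spn -match '^SAP/SAPServer(?<sid>[A-Z0-9]{3})$') { $Matches.sid } else { '(non-standard)' }

            [pscustomobject]@{
                Account         = $obj.sAMAccountName
                SID             = $sid
                SPN             = $spn
                # Keytab principal format used by sncwizard/spnego: <sAMAccountName>@<REALM-IN-CAPITALS>
                KeytabPrincipal = '{0}@{1}' -f $obj.sAMAccountName, $realm
            }
        }
    }
}

function Test-OneAccountPerSystem {
    param([Parameter(Mandatory)] $Owners)
    # An account that serves several SIDs means one compromised password affects all of them.
    $shared = @($Owners | Group-Object Account |
        Where-Object { @($_.Group.SID | Select-Object -Unique).Count -gt 1 })

    foreach ($g in $shared) {
        $sids = (@($g.Group.SID | Select-Object -Unique) -join ', ')
        Write-Warning ("Service account '{0}' is shared by several SAP systems: {1}" -f $g.Name, $sids)
    }
    return ($shared.Count -eq 0)
}

$owners = Get-SapSpnOwners
$owners | Format-Table Account, SID, SPN, KeytabPrincipal -AutoSize
if (Test-OneAccountPerSystem -Owners $owners) {
    'OK: every SAP system is served by its own service account.'
}
```

Run it on a domain-joined administration host; a warning line names each shared account and the SIDs it serves, which is exactly the blast radius the recommendation above is meant to limit.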

Troubleshooting

Troubleshooting SNC configuration -> SAP AS ABAP

SAP AS ABAP Server does not start after SNC is enabled

If the Application Server ABAP no longer starts after SNC was enabled, check the work process log file dev_w0 to see why SNC is not activated. Alternatively, configure the CommonCryptoLib trace as described in the troubleshooting part of SAP Note 1848999.

Missing Kerberos keyTab

Use transaction sncwizard or spnego to configure the keytab for the service account. The User Principal Name of the service account in the keytab must have the format <sAMAccountName>@<W2K-DOMAIN-NAME-IN-CAPITAL-LETTERS>.

Correct SPN configuration

Please verify the SPN configuration.

The prefix "SAP/" is mandatory; the rest is up to you, but it is recommended to follow a consistent and strict naming rule that always includes the ABAP system identifier (SID).

E.g.: SAP/SAPServer<SID>

Duplicated SPNs

Verify whether duplicate SPN entries are configured in Microsoft Active Directory using the command line tool setspn -Q <SPN>.

Wrong SNC Name configuration in SAP GUI Application

The SPN is configured as the SNC Name in the Network settings of the SAP GUI connection entry. E.g.: p:CN=SAP/SAPServer<SID>

Client not part of Windows Domain

Check whether the user is really authenticated to the Windows domain and whether the computer is really joined to the Windows domain.

Wrong/Missing user mapping information

Check the SNC name configuration for the user in user maintenance (transaction SU01).

Troubleshooting SPNEGO Authentication on SAP AS Java

Correct SPN configuration

Please verify the SPN configuration.

Duplicated SPNs

Verify whether duplicate SPN entries are configured in Microsoft Active Directory using the command line tool setspn -Q <SPN>.
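The following PowerShell script is an added example (not code from this wiki page or from SAP) for the duplicate SPN check in this section and in the AS ABAP sections above: it runs setspn -Q for each expected SPN, classifies the result as missing, unique or duplicate from the object distinguished names setspn prints, and derives the p:CN=<SPN> value that the SAP GUI SNC Name field expects. It assumes setspn.exe is available on a domain-joined Windows host, the SAP/SAPServer<SID> naming convention from this page, and the three sample SIDs DEV, QAS and PRD, which are constructed for illustration.

```powershell
# Added example, not from the SAP wiki page: detect missing or duplicate SAP SPNs with setspn -Q.
# Assumptions: setspn.exe present (domain-joined host); SPNs follow SAP/SAPServer<SID>.

function Test-SapSpn {
    param([Parameter(Mandatory)][string]$Spn)

    # setspn -Q prints the distinguished name (starting with "CN=") of every object holding the SPN,
    # each followed by that object's SPN list, and ends with "Existing SPN found!" or "No such SPN found."
    $output = & setspn.exe -Q $Spn
    $owners = @($output | Where-Object { $_ -match '^CN=' })

    $status = switch ($owners.Count) {
        0       { 'MISSING' }     # the KDC cannot issue a service ticket for this SPN
        1       { 'OK' }
        default { 'DUPLICATE' }   # the KDC cannot tell which account key to encrypt the ticket with
    }

    [pscustomobject]@{
        SPN           = $Spn
        Status        = $status
        Owners        = ($owners -join '; ')
        SapGuiSncName = "p:CN=$Spn"   # value for the SNC Name field of the SAP GUI connection entry
    }
}

# Constructed sample SIDs for illustration; replace with the systems in your landscape.
$sids = 'DEV', 'QAS', 'PRD'
$results = $sids | ForEach-Object { Test-SapSpn -Spn "SAP/SAPServer$_" }
$results | Format-Table SPN, Status, Owners, SapGuiSncName -AutoSize

# Any SPN flagged DUPLICATE or MISSING needs attention before SNC/SPNEGO can work.
$results | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning ("{0}: {1}" -f $_.SPN, $_.Status)
}

# Forest-wide sweep for duplicate SPNs of any service: -X reports duplicates, -F searches the forest.
& setspn.exe -X -F
```

The per-SPN query confirms the specific SAP entries; the final setspn -X -F pass catches duplicates registered under a different naming convention or in another domain of the forest, which a query for the expected name alone would not reveal.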

Windows User Authentication not enabled in browser

Check whether Windows Authentication is enabled in the browser. Check the security zone too (e.g. Local Intranet Zone).

User available in UME?

You have the following options to make the user name known on the Application Server side:

  • Maintain the AD user in the UME.
  • Use your AD as a UME data source.
  • Choose the options Mapping Mode=Principal@REALM and Source=virtual user in the SPNego configuration wizard (recommended).

Troubleshooting SPNEGO Authentication on SAP AS ABAP

If you observe problems related to SPNEGO authentication on an AS ABAP system, refer to SAP Note 1732610.
