Scribd
Upload
1K views3 pages

SAP Single Sign On Using Kerberos

To configure SAP Single Sign-on using Kerberos authentication from Microsoft: 1. Prepare the SAP server by adding it to the Active Directory domain, copying Kerberos files, configuring the service principal name, enabling delegation, and setting SNC parameters. 2. Enable users by editing their profiles in transaction SU01 to include the service principal name. 3. Configure the SAP front-end by installing SAPSSO.MSI on users' computers and modifying the SNC security setting in GUI connections to the server.

Uploaded by

riveral64
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
1K views3 pages

SAP Single Sign On Using Kerberos

To configure SAP Single Sign-on using Kerberos authentication from Microsoft: 1. Prepare the SAP server by adding it to the Active Directory domain, copying Kerberos files, configuring the service principal name, enabling delegation, and setting SNC parameters. 2. Enable users by editing their profiles in transaction SU01 to include the service principal name. 3. Configure the SAP front-end by installing SAPSSO.MSI on users' computers and modifying the SNC security setting in GUI connections to the server.

Uploaded by

riveral64
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

SAP Single Sign-on Configuration Using

Kerberos Authentication from Microsoft


1) Prepare the SAP Server
a. Server has to be part of the Active Directory Domain
b. The server has to be started using the SAPService<SID> Domain account which has to have
administrative rights on the SAP server.
c. Copy the file gx64krb5.dll to the folder Windows\System32 or SysWOW64 if is a Windows 64 bit version.
You can get the file by seeing SAP Note 352295
d. On the Domain Where the SAPService<SID> resides run the following Kerberos command
setspn -A SAPServiceECS/CGI.CORP.CHAMBERLAIN.COM CGI_NT\SAPServiceECS (Domain dependant)

e. Enable SAPService<SID> for Kerberos delegation

f.
g. Create the following parameters on the Instance Profile of the SAP server
snc/enable = 1
snc/gssapi_lib = C:\Windows\SysWOW64\gx64krb5.dll
snc/identity/as = p:[email protected] (Domain dependant)
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/accept_insecure_gui = 1
h. Stop and restart server

2) Enabling Users to logon using SSO


a. On SAP system edit user by running SU01
b. Go to SNC tab and fill out the parameter with the following
i. p:SAPService<SID>@CGI.CORP.CHAMBERLAIN.COM (Domain dependant)
3) Configuring the SAP Front End
a. Install SAPSSO.MSI on user’s computers. see SAP note 595341
b. Modify SAP GUI connection to server by adding on the Network tab the SNC security setting
i. p:[email protected]

You might also like