Kerberos Single Sign-On (SSO) is a secure method of logging on to the SAP system that simplifies the logon procedure. It is suitable if you use Windows 2000 or later in your system landscape.
When your system is configured for SSO, an authorized user who has logged on to Windows can access the SAP system simply by selecting it in the SAP logon window or using a shortcut. There is no need to enter a user ID and password every time that the user logs on to the SAP system with SAP GUI for Windows. Therefore, SSO makes it easier for you to manage SAP system users.
The Microsoft Kerberos Security Service Provider (SSP) provides secure authentication plus encryption of the network communication. In contrast, SSO with Microsoft NTLM SSP, as described in the next section, does not provide encryption of the network communication.
When using the Kerberos wrapper library (gsskrb5.dll), the Microsoft Kerberos SSP might be interoperable with Kerberos implementations from other vendors and suppliers. However, we do not provide support for third-party libraries loaded at the BC-SNC interface. Documentation and support must be provided by the vendor(s)/supplier(s) of the third-party software. Therefore, we recommend that you only use BC-SNC certified Single Sign-On solutions for which the vendor has committed to provide implementation, documentation, and support.
For more information, see www.sap.com/partners/directories/SearchSolution.epx.
Under Certification Category, select Secure network communication and choose Search.
● SSO based on Kerberos can only be set up for users that are members of a Windows 2000 or higher domain.
● Before beginning with the configuration, read SAP Notes 352295 and 595341.
To implement SSO with the Microsoft Kerberos SSP, you have to:
The sections that follow describe these steps in detail.
In the directory paths specified in the topics that follow, \%windir%\ refers to the location of the Windows directory corresponding to the Windows operating system release.