To set up Single Sign-On (SSO) using Microsoft Kerberos, modify the instance profile of the primary application server and make sure
that the SNC library is located in the Windows directory.
Prerequisites
You have registered a Service Principal Name (SPN) for SAP NetWeaver Application Server (SAP NetWeaver AS)
with the domain controller.
For example, enter the following command:
setspn -A SAPService<SID>/<do_not_care> SAPService<SID>
Context
Restriction You cannot use this SNC library to protect outbound RFC connections.
Procedure
- Determine which variant of the library is appropriate for your application server platform.
See the following table.
Table 1:
Kerberos Wrapper Library According to PlatformPlatform |
Library |
32-bit Windows NT (Intel x86)
|
gsskrb5.dll
|
64-bit Windows NT (x86_64)
|
gx64krb5.dll
|
64-bit Windows NT (ia64/Itanium)
|
gi64krb5.dll
|
For more information about how to download the library, see SAP Note 352295 .
- Copy the library to the appropriate Windows system directory on the primary application server instance.
- <Drive>:\%windir%\system32
- <Drive>:\%windir%\SysWOW64
- In the instance profile of the primary application server instance, set the profile parameters.
- Set the following parameters to enable users to log on to the SAP system using user ID and password.
Note
The following profile parameters permit users to continue to use password-based access to the SAP system when SNC has been
enabled. Use these additional parameters at least once after enabling SNC to be able to log on to the SAP system as an
administrator for maintaining the mapping of Windows NT user accounts to SAP system user IDs (user and client). Once the mapping
(at least for the administrator) has been entered, you can disable further password-based logons by removing the respective
profile parameters.
- snc/accept_insecure_cpic = 1
- snc/accept_insecure_gui = 1
- snc/accept_insecure_rfc = 1
- snc/permit_insecure_start = 1
To disable the user of user ID and password as a logon mechanism altogether, you can reset these parameters after maintaining the
user mappings.
- Stop and restart SAP NetWeaver AS so that the profile parameters take effect.