Preparing the Primary Application Server Instance

To set up Single Sign-On (SSO) using Microsoft Kerberos, modify the instance profile of the primary application server and make sure that the SNC library is located in the Windows directory.

Prerequisites

You have registered a Service Principal Name (SPN) for SAP NetWeaver Application Server (SAP NetWeaver AS) with the domain controller.

For example, enter the following command:

setspn -A SAPService<SID>/<do_not_care> SAPService<SID>

Context

Restriction You cannot use this SNC library to protect outbound RFC connections.

Procedure

  1. Determine which variant of the library is appropriate for your application server platform.

    See the following table.

    Table 1: Kerberos Wrapper Library According to Platform

    Platform                            Library
    32-bit Windows NT (Intel x86)       gsskrb5.dll
    64-bit Windows NT (x86_64)          gx64krb5.dll
    64-bit Windows NT (ia64/Itanium)    gi64krb5.dll

    For more information about how to download the library, see SAP Note 352295.

  2. Copy the library to the appropriate Windows system directory on the primary application server instance.
    • <Drive>:\%windir%\system32
    • <Drive>:\%windir%\SysWOW64
  3. In the instance profile of the primary application server instance, set the profile parameters.
    • snc/enable = 1
    • snc/gssapi_lib = <DRIVE>:\%windir%\system32\<library>
    • snc/identity/as = p:SAPService<SID>@<KERBEROS_REALM_NAME>

      where <KERBEROS_REALM_NAME> is the Kerberos realm that the SAPService<SID> user belongs to. This is typically the Microsoft Windows domain converted to uppercase characters.

      Caution

      <KERBEROS_REALM_NAME> and the SAPService<SID> user are case-sensitive. Make sure that you enter the case correctly, for example: p:SAPServiceC11@REALM.EXAMPLE.COM.

      Note

      Although you can freely choose the Windows account under which the SAP system runs, it is normally SAPService<SID>.

      Single sign-on using the Microsoft Kerberos SSP with the Kerberos wrapper library is only available for user accounts that belong to the Active Directory, that is, domain accounts. It cannot be used with local computer accounts.

  4. Set the following parameters to enable users to log on to the SAP system using user ID and password.
    Note

    The following profile parameters permit users to continue to use password-based access to the SAP system when SNC has been enabled. Use these additional parameters at least once after enabling SNC to be able to log on to the SAP system as an administrator for maintaining the mapping of Windows NT user accounts to SAP system user IDs (user and client). Once the mapping (at least for the administrator) has been entered, you can disable further password-based logons by removing the respective profile parameters.

    • snc/accept_insecure_cpic = 1
    • snc/accept_insecure_gui = 1
    • snc/accept_insecure_rfc = 1
    • snc/permit_insecure_start = 1

    To disable the use of user ID and password as a logon mechanism altogether, reset these parameters after maintaining the user mappings.

  5. Stop and restart SAP NetWeaver AS so that the profile parameters take effect.
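The following is an added example, not SAP code, that checks an instance profile fragment against steps 3 and 4 above: SNC enabled, a Kerberos wrapper library from Table 1 configured, the identity in the form p:<user>@<REALM> with the realm in uppercase, and, once the user mapping has been maintained, the four insecure-logon parameters gone. The profile lines, the SID C11 and the realm REALM.EXAMPLE.COM are constructed sample values; the `key = value` line format is assumed.

```python
"""Added example (not SAP code): check the SNC/Kerberos parameters of an
SAP instance profile against the settings described in steps 3 and 4.

Assumptions: the profile uses the usual 'key = value' line format; the
SID 'C11' and realm 'REALM.EXAMPLE.COM' in the sample are made up.
"""
import re

# Constructed sample: the relevant lines of an instance profile right after
# step 4, i.e. SNC enabled but password logons still permitted.
SAMPLE_PROFILE = """\
# SNC settings (constructed example)
snc/enable = 1
snc/gssapi_lib = C:\\Windows\\system32\\gx64krb5.dll
snc/identity/as = p:SAPServiceC11@REALM.EXAMPLE.COM
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
"""

# Parameters from step 4 that keep user ID/password logon possible.
INSECURE_PARAMS = (
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/permit_insecure_start",
)

# Kerberos wrapper libraries listed in Table 1.
KERBEROS_WRAPPER_LIBS = {"gsskrb5.dll", "gx64krb5.dll", "gi64krb5.dll"}


def parse_profile(text):
    """Return {parameter: value} for 'key = value' lines; skip comments and blanks."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_snc(params, mapping_done=False):
    """Return a list of findings; an empty list means the profile matches the procedure.

    mapping_done=True means the Windows-to-SAP user mapping (step 4 note) has
    been maintained, so the insecure-logon parameters should no longer be set.
    """
    findings = []

    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is disabled")

    lib = params.get("snc/gssapi_lib", "")
    lib_name = lib.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if lib_name not in KERBEROS_WRAPPER_LIBS:
        findings.append(f"snc/gssapi_lib does not name a Kerberos wrapper library: {lib!r}")

    identity = params.get("snc/identity/as", "")
    match = re.fullmatch(r"p:([^@\s]+)@([^@\s]+)", identity)
    if match is None:
        findings.append(f"snc/identity/as is not of the form p:<user>@<REALM>: {identity!r}")
    elif match.group(2) != match.group(2).upper():
        # Step 3 caution: realm and user are case-sensitive; the realm is
        # normally the Windows domain in uppercase.
        findings.append(f"Kerberos realm is not uppercase: {match.group(2)!r}")

    if mapping_done:
        for name in INSECURE_PARAMS:
            if params.get(name) == "1":
                findings.append(f"{name} = 1 still permits password logon after mapping")

    return findings


def harden_profile(text):
    """Return the profile text with the step 4 parameters removed, which is how
    the procedure disables password-based logon once the mapping exists."""
    kept = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key not in INSECURE_PARAMS:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    before = parse_profile(SAMPLE_PROFILE)
    print("after step 4:", check_snc(before) or "OK")
    print("mapping done, not hardened:", check_snc(before, mapping_done=True))
    after = parse_profile(harden_profile(SAMPLE_PROFILE))
    print("hardened:", check_snc(after, mapping_done=True) or "OK")
```

Run the check with `mapping_done=False` directly after step 4, when password logon is still needed to maintain the mapping, and with `mapping_done=True` afterwards; any parameter from the second list that is still `1` at that point is a finding, since the profile would still accept user ID and password.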