
Preparing the Central Instance

Context

To use Single Sign-On with Client Certificates, you need to adapt the central instance profile and make sure that the necessary libraries are located in an accessible directory.

With this SNC configuration, you can protect inbound and outbound RFC connections, run encrypted SNC communication, and use Single Sign-On with SAP Single Sign-On. For more information on SAP Single Sign-On, see http://help.sap.com/nwsso.

Procedure


  1. Copy the DLL file for the security product that is certified for SSO with X.509 client certificates to a directory on the central instance.

  2. In the instance profile of the central instance, configure the SNC parameters as shown below:

    snc/enable = 1

    snc/gssapi_lib = <full_path>\<filename>.dll

    snc/identity/as = p:<DN name of the AS ABAP>

    Note

    The Distinguished Name part must match the Distinguished Name that you specify when creating the SNC PSE. For more information, see Setting SNC Profile Parameters.

    1. Observe the following:
      Note

      Although you can freely choose the Windows account under which the SAP system runs, it is normally SAPService<SID>.

      Single Sign-On using the Microsoft Kerberos SSP with the Kerberos wrapper library is only available for user accounts that belong to the Active Directory, that is, domain accounts. It cannot be used with local computer accounts.

    2. Set the following parameters to allow users to log on to the SAP system using user ID and password.
      Note

      The following profile parameters permit users to continue to use password-based access to the SAP system when SNC has been enabled. You have to use these additional parameters at least once after enabling SNC to be able to log on to the SAP system as an administrator for maintaining the mapping of Windows NT user accounts to SAP system user IDs (user and client). Once the mapping (at least for the administrator) has been entered, you can disable further password-based logons by removing the respective profile parameter(s).

      • snc/accept_insecure_cpic = 1
      • snc/accept_insecure_gui = 1
      • snc/accept_insecure_rfc = 1
      • snc/permit_insecure_start = 1

  3. To disable the use of user ID and password as a logon mechanism altogether, you can reset these parameters after maintaining the user mappings.

  4. Stop and restart the SAP system so that the profile parameters take effect.
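
The following added example (not part of the original SAP documentation) checks an instance profile for the SNC parameters from this procedure and reports any of the four password-logon parameters that are still set after the user mappings have been maintained. The function names, the sample library path and the sample Distinguished Name are constructed for illustration.

```python
import re

# Parameters the procedure lists as permitting password-based access under SNC.
INSECURE_PARAMS = (
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/permit_insecure_start",
)

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()  # later lines overwrite earlier ones
    return params

def audit_snc(text):
    """Return a list of findings for the SNC settings named in this procedure."""
    p = parse_profile(text)
    findings = []
    if p.get("snc/enable") != "1":
        findings.append("snc/enable is not 1")
    if not p.get("snc/gssapi_lib", "").lower().endswith(".dll"):
        findings.append("snc/gssapi_lib does not point to a .dll file")
    if not p.get("snc/identity/as", "").startswith("p:"):
        findings.append("snc/identity/as is missing the p:<DN> form")
    # Assumption: a removed parameter or the value 0 means the logon is disabled.
    for name in INSECURE_PARAMS:
        if p.get(name, "0") != "0":
            findings.append(f"{name} = {p[name]} (password-based access still permitted)")
    return findings

# Constructed sample profile: the path and the DN are placeholders.
SAMPLE_PROFILE = r"""
snc/enable = 1
snc/gssapi_lib = C:\sec\example_snc.dll
snc/identity/as = p:CN=ABC, O=Example, C=DE
snc/accept_insecure_gui = 1
snc/permit_insecure_start = 1
"""

if __name__ == "__main__":
    print("\n".join(audit_snc(SAMPLE_PROFILE)))
```

Run it against a copy of the instance profile after step 3; an empty result means SNC is enabled with a library and identity set, and none of the four parameters still permits password-based access.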