
Configuring the Application Server


       1.      Copy the gssntlm.dll file to the following directory on your central instance:


For more information on how to get the gssntlm.dll file, see SAP Note 352295.

       2.      Set the environment variable SNC_LIB to the location of the library.

       3.      In the central instance profile, set the following SNC parameters:

        snc/data_protection/max = 1

        snc/data_protection/min = 1

        snc/data_protection/use = 1

        snc/enable = 1

        snc/gssapi_lib = (<DRIVE>:\USR\SAP\<SID>\SYS\EXE\RUN\<gssntlm.dll>)

        snc/identity/as = p:<DOMAIN_NAME>\SAPService<SID>

where SAPService<SID> is the user who runs the SAP system and <DOMAIN_NAME> is the Windows NT domain of this user.


Although you can freely choose the Windows NT account under which the SAP system runs, it is normally SAPService<SID>.


If you use a local account for SAPService<SID>, most operations are successful. However, any operations or communications where the SAP system initiates SNC-protected communication to a remote machine do not work with a local account for SAPService<SID>. Therefore, use a domain account.

Additional SNC Parameters

The following profile parameters let you continue with password-based access to the SAP system when SNC has been enabled. To log on to the SAP system as an administrator to maintain the mapping of Windows user accounts to SAP system user IDs (user and client), you have to use these additional parameters at least once after enabling SNC. Once the mapping (at least for the administrator) has been entered, you can disable further password-based logons by removing the respective profile parameters.

        snc/accept_insecure_cpic = 1

        snc/accept_insecure_gui = 1

        snc/accept_insecure_rfc = 1

        snc/permit_insecure_start = 1

        snc/permit_insecure_comm = 1

       4.      Stop and restart the SAP system to activate the profile parameters. Changes to SNC profile parameters always require an application server restart to take effect.
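The following added example (not SAP code) audits an instance profile against the settings in this procedure and reports any of the password-based access parameters that are still enabled. It assumes the profile is plain text with name = value lines and # comments; the sample profile, the SID C11, the domain EXAMPLE and the host name SAPHOST01 are constructed, and treating a machine-name qualifier as a local account is an assumption.

```python
import re

# Constructed sample instance profile (SID C11, domain EXAMPLE and drive D: are made up).
SAMPLE_PROFILE = r"""
# SNC settings
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/enable = 1
snc/gssapi_lib = D:\USR\SAP\C11\SYS\EXE\RUN\gssntlm.dll
snc/identity/as = p:EXAMPLE\SAPServiceC11
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

# Fixed values from step 3; the library path and identity are site-specific.
REQUIRED = {"snc/data_protection/max": "1", "snc/data_protection/min": "1",
            "snc/data_protection/use": "1", "snc/enable": "1"}
# Parameters from "Additional SNC Parameters" that keep password-based access open.
INSECURE = ("snc/accept_insecure_cpic", "snc/accept_insecure_gui",
            "snc/accept_insecure_rfc", "snc/permit_insecure_start",
            "snc/permit_insecure_comm")

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_snc(text, local_host=None):
    """Return findings; local_host (assumed input) is this server's machine name."""
    p = parse_profile(text)
    findings = [f"{n}: expected {v}, found {p.get(n, 'unset')}"
                for n, v in REQUIRED.items() if p.get(n) != v]
    if not p.get("snc/gssapi_lib", "").lower().endswith("gssntlm.dll"):
        findings.append("snc/gssapi_lib: does not point to gssntlm.dll")
    m = re.fullmatch(r"p:([^\\]+)\\(.+)", p.get("snc/identity/as", ""))
    if not m:
        findings.append("snc/identity/as: not in p:<DOMAIN_NAME>\\<user> form")
    elif local_host and m.group(1).lower() == local_host.lower():
        # Assumption: a local account is qualified with the machine name.
        findings.append("snc/identity/as: local account, use a domain account")
    findings += [f"{n}: password-based access still permitted"
                 for n in INSECURE if p.get(n) == "1"]
    return findings
```

Calling audit_snc(SAMPLE_PROFILE, local_host="SAPHOST01") returns one finding for each of the two insecure parameters left in the sample; an empty list means the profile matches step 3 and no password-based access parameter is enabled.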

