Appendix: SSO Starting a Windows GUI Session

 

The following explains the possible combinations of server and client configurations when you start an SAP GUI for Windows session, and the effect they have on SSO. For some of these combinations an additional logon is required, while for others SSO is sufficient. For example, no additional logon to a remote system is required when the logon system creates logon tickets that are trusted by the remote system. However, an additional logon is required when a user starts a session in a remote system using an assertion ticket and re-entrance ticket[REEN].

The table gives an overview of the possible server and client configurations that have an effect on SSO when you start a new SAP GUI for Windows session:

| Logon System / Remote System | Logon Description with SNC[LOGDESC] | Logon Ticket (MYSAPSSO2) | Assertion Ticket + Re-entrance Ticket[REEN] |
| --- | --- | --- | --- |
| Logon Description with SNC[LOGDESC][LOGDYN] | Session started in logon system: SSO; session started in remote system: SSO | Session started in logon system: SSO; session started in remote system: SSO[DOMCOOK] | Session started in logon system: SSO; session started in remote system: SSO |
| Logon Ticket (MYSAPSSO2) | Session started in logon system: SSO[DOMCOOK]; session started in remote system: Logon | Session started in logon system: SSO; session started in remote system: SSO[TRUST] | Session started in logon system: SSO[DOMCOOK]; session started in remote system: Logon |
| Assertion Ticket + Re-entrance Ticket[REEN] | Session started in logon system: SSO; session started in remote system: Logon | Session started in logon system: SSO; session started in remote system: Logon[DOMCOOK] | Session started in logon system: SSO; session started in remote system: Logon |

Note

The entry “SSO” in a table cell means that no additional logon is required. The entry “Logon” means that an additional logon is required unless a client certificate automates the logon process.

[LOGDESC]: An SAP logon description such as SYS [PUBLIC] and its corresponding SNC setting in SAP Logon have priority over logon and re-entrance tickets. In this case, Windows GUI ignores the ticket if, and only if, SNC is on.

[REEN]: To retrieve re-entrance tickets, the NWBC ABAP runtime >= SAP NetWeaver 7.0x must be installed on the target server.

[LOGDYN]: NWBC tries to retrieve a re-entrance ticket once, which might lead to a logon dynpro. NWBC can only start logon windows for systems with an NWBC ABAP runtime installed and the /sap/bc/nwbc ICF node enabled. This authentication is needed because NWBC does not know the settings inside the SAP Logon Description; in particular, it does not know whether SNC is on or off.

[DOMCOOK]: If the MYSAPSSO2 cookie is issued for the domain rather than for the server only, and both systems are in the same domain, the cookie is sent to both systems. This might lead to the error “The system is unable to interpret the SSO2 ticket received” or to a similar error after the cookie has been issued. Therefore, in such hybrid scenarios you should configure the logon ticket to be issued for the server only. To do so, configure the RZ11 parameter login/ticket_only_to_host.

[TRUST]: A trusted relationship between the two systems must be configured correctly. The remote system must accept the MYSAPSSO2 ticket issued by the logon system.
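
The cookie scoping behind [DOMCOOK], as an added example that is not part of the original SAP documentation: it applies standard HTTP cookie domain matching (RFC 6265) to show which systems receive MYSAPSSO2 when the ticket is issued for the domain and when it is issued for the server only. The host names and ticket value are constructed, and the assumption is that the client follows RFC 6265 cookie rules.

```python
# Added example: RFC 6265 cookie scoping applied to the [DOMCOOK] case.
# Host names and the ticket value are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    origin_host: str        # server that issued the cookie
    domain: Optional[str]   # Domain attribute; None means "server only"


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 sec. 5.1.3: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Decide whether the client attaches the cookie to a request."""
    if cookie.domain is None:
        # Issued for the server only: returned to the issuing host alone.
        return request_host.lower() == cookie.origin_host.lower()
    return domain_match(request_host, cookie.domain)


def receivers(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Subset of hosts that would receive the cookie."""
    return [h for h in hosts if is_sent_to(cookie, h)]


LOGON = "logon.example.corp"    # constructed: system that issued the ticket
REMOTE = "remote.example.corp"  # constructed: second system, same domain
OTHER = "remote.example.org"    # constructed: system in another domain
SYSTEMS = [LOGON, REMOTE, OTHER]

# Ticket issued for the whole domain: the remote system also receives a
# ticket it may be unable to interpret.
domain_wide = Cookie("MYSAPSSO2", "<ticket>", LOGON, "example.corp")
# Ticket issued for the server only, as recommended for hybrid scenarios.
server_only = Cookie("MYSAPSSO2", "<ticket>", LOGON, None)

if __name__ == "__main__":
    for label, c in (("domain-wide", domain_wide), ("server-only", server_only)):
        print(f"{label:12} -> {receivers(c, SYSTEMS)}")
```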