Single Sign-On with Microsoft Kerberos SSP

Use

Kerberos Single Sign-On (SSO) is a secure method of logging on to the SAP system that simplifies the logon procedure. It is suitable if your clients use Windows 2000 or higher. The Application Server ABAP can run on the operating systems specified in the relevant Product Availability Matrix.

When your system is configured for SSO, an authorized user who has logged on to Windows can access the SAP system simply by selecting it in the SAP logon window or using a shortcut. There is no need to enter a user ID and password every time that the user logs on to the SAP system with SAP GUI for Windows. Therefore, SSO makes it easier for you to manage SAP system users.

The Microsoft Kerberos Security Service Provider (SSP) provides secure authentication plus encryption of the network communication. In contrast, SSO with Microsoft NTLM SSP, as described in the next section, does not provide encryption of the network communication.

Note

When using the Kerberos wrapper library (gsskrb5.dll), the Microsoft Kerberos SSP might be interoperable with Kerberos implementations from other vendors and suppliers. However, we do not provide support for third-party libraries loaded at the BC-SNC interface. Documentation and support must be provided by the vendor(s)/supplier(s) of the third-party software. SAP SAP NetWeaver Single Sign-On and all third-party BC-SNC certified security products offer data integrity and privacy protection. To use these security features, you must obtain a product license.

Prerequisites

SSO based on Kerberos can only be set up for users that are members of a Windows 2000 or higher domain.
Before beginning with the configuration, read SAP Notes 352295 and 595341 .

Activities

To implement SSO with the Microsoft Kerberos SSP, you have to take the following steps:

Note

In the directory paths specified in the related topics, \%windir%\ refers to the location of the Windows directory corresponding to the Windows operating system release.