Kerberos for SAP GUI Authentication

Use

The authentication mechanisms available for the AS ABAP also enable you to use Kerberos for SAP GUI authentication. You can use Kerberos authentication to give SAP GUI users Single Sign-On access to the AS ABAP, for example by enabling Windows Integrated Authentication.

Kerberos is an authentication protocol created by the Massachusetts Institute of Technology. You can use Kerberos to overcome the security weaknesses of more basic authentication mechanisms such as user ID and password authentication.

Prerequisites
  • To use Kerberos for authentication, your AS ABAP system must be enabled for Secure Network Communications (SNC) with an external security provider that supports Kerberos. SNC is a software layer that provides a GSS-API v2 interface to an external security product.

    For more information about SNC, see Secure Network Communications (SNC).

  • SAP provides a gsskrb5.dll library that enables the use of Kerberos for SAP GUI authentication in Microsoft Windows-only system environments. Alternatively, you can use a Kerberos-supporting product certified by the SAP Partner Program.

    For more information about the SAP-certified security products, see http://service.sap.com/security (information published on SAP site).

Implementation Considerations

Kerberos uses several systems in your landscape together with cryptographic mechanisms for access authentication, thereby overcoming the disadvantages of weaker authentication mechanisms such as user ID and password. SAP GUI users who are authorized for Kerberos logon log on to their local computer and can subsequently access the AS ABAP from the SAP GUI without interactively providing a user ID and password. For more information about the Kerberos authentication protocol and infrastructure, see the Kerberos V5 Administrator's Guide, available from http://web.mit.edu (information published on a non-SAP site).

The Kerberos authentication process relies on the exchange of session tickets between the SAP GUI and the AS ABAP. The session tickets are issued by a Kerberos Key Distribution Center (KDC) when the user attempts to connect to the AS ABAP from the SAP GUI. The KDC itself establishes and verifies the user identity, so the user is not required to interactively provide a user ID and password for the AS ABAP logon.

Because session tickets are used, the AS ABAP authentication credentials of users are never transmitted over the network on the connection between the SAP GUI and the AS ABAP. This protects the confidentiality and integrity of the credentials.

The process of authenticating access to the AS ABAP does, however, require the exchange of several messages over the network. In a distributed system landscape this can cause delays that depend on network performance. In addition, Kerberos involves several systems in your landscape, which may result in additional administrative effort and cost.
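The ticket exchange described above, reduced to a runnable model. This is an added example and not SAP code, not the gsskrb5.dll library, and not a real Kerberos implementation: the KDC, AS ABAP service and SAP GUI client are toy classes, the principal names and password are constructed, the AS and TGS exchanges are collapsed into one request, ticket lifetimes are omitted, and Kerberos encryption is replaced by a stand-in built from HMAC-SHA256 (keystream plus integrity tag). What it does show is the property the text relies on: the user's password is used only on the workstation, the service ticket is opaque to the client because it is sealed under the service's own long-term key, the AS ABAP side validates the ticket without talking to the KDC, and a replayed or out-of-skew authenticator is rejected.

```python
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300  # seconds; the usual Kerberos tolerance for timestamp checks

def derive_key(secret: str) -> bytes:
    """Long-term key from a principal's secret (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), b"EXAMPLE.COM", 50_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a JSON object: toy stand-in for Kerberos EncryptedData."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, box: dict) -> dict:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(box["tag"]), expect):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Knows every principal's long-term key; issues session keys and service tickets."""
    def __init__(self, keys: dict):
        self.keys = keys

    def request_ticket(self, user: str, service: str, preauth: dict) -> dict:
        # Pre-authentication: a fresh timestamp sealed under the user's key proves
        # possession of that key; the password itself never leaves the workstation.
        ts = unseal(self.keys[user], preauth)["timestamp"]
        if abs(time.time() - ts) > CLOCK_SKEW:
            raise PermissionError("pre-auth timestamp outside clock skew")
        session_key = os.urandom(32).hex()
        # Ticket sealed under the service key: the client cannot read or alter it.
        ticket = seal(self.keys[service], {"client": user, "key": session_key})
        # The client's copy of the session key is sealed under the user's own key.
        return {"ticket": ticket, "enc_part": seal(self.keys[user], {"key": session_key})}

class ApplicationServer:
    """AS ABAP side: validates the ticket with its own key alone, no KDC round trip."""
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()  # (client, authenticator timestamp) pairs already seen

    def accept(self, ap_req: dict) -> str:
        ticket = unseal(self.key, ap_req["ticket"])
        auth = unseal(bytes.fromhex(ticket["key"]), ap_req["authenticator"])
        if auth["client"] != ticket["client"]:
            raise PermissionError("authenticator principal does not match ticket")
        if abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
            raise PermissionError("authenticator outside clock skew")
        marker = (auth["client"], auth["timestamp"])
        if marker in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add(marker)
        return ticket["client"]

def sap_gui_logon(user, password, service, kdc, server, wire):
    """Client side. Every message that crosses the network is appended to `wire`."""
    user_key = derive_key(password)  # computed and kept on the workstation only
    preauth = seal(user_key, {"timestamp": time.time()})
    wire.append(json.dumps(preauth))
    reply = kdc.request_ticket(user, service, preauth)
    wire.append(json.dumps(reply))
    session_key = bytes.fromhex(unseal(user_key, reply["enc_part"])["key"])
    ap_req = {"ticket": reply["ticket"],
              "authenticator": seal(session_key, {"client": user, "timestamp": time.time()})}
    wire.append(json.dumps(ap_req))
    return server.accept(ap_req), ap_req

def demo() -> dict:
    """Constructed sample landscape: one user, one AS ABAP service principal, one KDC."""
    user, password = "jdoe@EXAMPLE.COM", "s3cret-pw"
    service = "SAPServiceABC/host.example.com@EXAMPLE.COM"
    service_key = os.urandom(32)
    kdc = KDC({user: derive_key(password), service: service_key})
    server, wire, result = ApplicationServer(service_key), [], {}
    result["authenticated_as"], ap_req = sap_gui_logon(user, password, service, kdc, server, wire)
    result["password_on_wire"] = password in "".join(wire)
    try:
        server.accept(ap_req)  # the same AP-REQ presented a second time
        result["replay_rejected"] = False
    except PermissionError:
        result["replay_rejected"] = True
    try:
        sap_gui_logon(user, "wrong-pw", service, kdc, server, wire)
        result["wrong_password_rejected"] = False
    except ValueError:  # KDC cannot open a pre-auth sealed under the wrong key
        result["wrong_password_rejected"] = True
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports the authenticated principal, confirms the password string never appears in any of the three messages recorded on the wire, and shows the two checks the AS ABAP side makes on its own: the replay cache rejects a captured AP-REQ presented again, and a client that derived its key from the wrong password fails at the KDC's pre-authentication step before any ticket is issued. The several network messages this takes (pre-auth request, KDC reply, AP-REQ) are also what the text refers to when it mentions the protocol's sensitivity to network performance.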

Configuration

For information about configuring the use of Kerberos for SAP GUI authentication, see Single Sign-On with Microsoft Kerberos SSP.