Mapping Windows Users to SAP Users for NTLM SSO

To set up the use of Microsoft NTLM with SAP systems, you need to authorize SAP users to log on with SSO by assigning them to Windows users.

You have completed the following procedures:

• Starting the Windows LM Security Support Provider Service
• Preparing the Application Server
• Preparing SAP GUI and SAP Logon for Single Sign-On

1. Log on to the SAP system.
2. Choose Tools → Administration → User Maintenance → Users or call transaction SU01.

   The User Maintenance window appears.

3. Enter the name of the SAP system user and choose User names → Change.
4. Choose SNC.
5. In SNC name, use uppercase to enter the name of the Windows user that is to be assigned to the SAP system user:

   p:<DOMAIN_NAME>\<NT_USERNAME>

   where <DOMAIN_NAME> is the Windows domain that the Windows user belongs to

   and <NT_USERNAME> is the logon ID of the Windows user.

   p: is a prefix that all SNC names require.

   Tip

   For the Windows user Miller belonging to the domain MYDOMAIN, enter:

   p:MYDOMAIN\MILLER

6. If the user should also be allowed to log on with user ID and password, then select Insecure communication permitted. (This option is only available if the profile parameter snc/accept_insecure_gui is set to 1.)

   This can be useful, for example, to let the user work in a different domain where SSO using NTLM is not available.

7. Save your entries.

You have now finished setting up SSO. The next time this SAP system user logs on to the system, the application is opened without requiring the user to enter a user name and password.

If only one possible match exists between the Windows account and the SAP system user ID, the logon screen is skipped, unless the profile parameter snc/force_login_screen = 1 is present in the instance profile of the application server.