Single Sign-On with Microsoft NT LAN Manager SSP

Single Sign-On (SSO) is a secure method of logging on to the SAP system that simplifies the logon procedure without reducing security. When your system is configured for SSO, an authorized user who has logged on to the operating system can access the SAP system simply by selecting it in the SAP logon window or clicking the shortcut. No SAP system user name or password is necessary. SSO makes it significantly easier for you to manage SAP system users.

In this section, we describe the option that is the easiest to implement when using a full 32-bit Microsoft Windows landscape (that is, Windows 9x, Windows ME, Windows NT, or Windows 2000 and higher). It is a tailored version for SSO with Secure Network Communications (SNC), which uses Microsoft's NT domain authentication, NT LAN Manager Security Service Provider (NTLM SSP).

• Typically, SNC requires SAP NetWeaver Single Sign-On or an external security product that adheres to the Generic Security Service API V2 (GSS-API V2) interface and that has been certified by the SAP Software Partner Program. However, in this scenario, we provide a library that adheres to the GSS-API V2 interface on one side and that communicates with Microsoft's NTLM SSP on the other. Since NTLM SSP is already built into Microsoft Windows 32-bit platforms, you do not need to purchase an additional security product to use SSO.
  Note

  The Microsoft NTLM SSP only provides authentication based on a challenge-response authentication scheme. It does not provide data integrity or data confidentiality protection for the authenticated network connection. SAP NetWeaver Single Sign-On and all third-party BC-SNC certified security products offer data integrity and privacy protection. To use these security features, you must obtain a security product.

  If you only use Windows 2000 and higher, we offer an alternative library (gsskrb5.dll) that uses the Microsoft Kerberos SSP instead of the NTLM SSP for authentication. For more information, see Single Sign-On with Microsoft Kerberos SSP.

  We distribute two different versions of the wrapper library for Microsoft's NTLM SSP. The older version is called gssapi32.dll and the newer version is called gssntlm.dll. For more information on how to get gssntlm.dll, see SAP Note 595341.

  For more information on security aspects of this scenario, see SAP Note 165485.

• A pure Microsoft Win32 environment is required (that is, Windows 9x, Windows ME, Windows NT, Windows 2000 and higher). The Microsoft NTLM SSP is not available for UNIX or any other operating system.
• Bi-directional trust between Windows domains is required if there are separate domains for users, front-end PCs, and SAP application servers.
• The GSS-API V2 library wrapper (gssntlm.dll) must be installed on every application server.
• The GSS-API V2 library wrapper must also be installed on every front-end PC.
• We recommend that you use the 7-bit ASCII character set for all Windows user IDs.

  When the code page of the SAP system is different from the code page on the Windows machines, it is not possible to enter Windows user IDs that contain 8-bit characters into the USRACL table (for example, by calling transaction SU01). The combination of Windows ANSI (=ISO Latin 1) and the default SAP code page 1100 provides the same encoding of 8-bit characters and permits the use of 8-bit characters with gssntlm.dll.

To implement SSO with the Microsoft NTLM SSP you:

1. Start the service Windows LM Security Support Provider.
2. Configure the application server for Single Sign-On.
3. Configure SAP GUI and SAP Logon for Single Sign-On.
4. Map Windows users to SAP system users.