Single Sign-On (SSO) is a secure method of logging on to the SAP system that simplifies the logon procedure without reducing security. When your system is configured for SSO, an authorized user who has logged on to the operating system can access the SAP system simply by selecting it in the SAP logon window or clicking the shortcut. No SAP system user name or password is necessary. SSO makes it significantly easier for you to manage SAP system users.
In this section, we describe the option that is the easiest to implement when using a full 32-bit Microsoft Windows landscape (that is, Windows 9x, Windows ME, Windows NT, or Windows 2000 and higher). It is a tailored version for SSO with Secure Network Communications (SNC), which uses Microsoft's NT domain authentication, NT LAN Manager Security Service Provider (NTLM SSP).
The Microsoft NTLM SSP only provides authentication based on a challenge-response authentication scheme. It does not provide data integrity or data confidentiality protection for the authenticated network connection. SAP NetWeaver Single Sign-On and all third-party BC-SNC certified security products offer data integrity and privacy protection. To use these security features, you must obtain a security product.
If you only use Windows 2000 and higher, we offer an alternative library (gsskrb5.dll) that uses the Microsoft Kerberos SSP instead of the NTLM SSP for authentication. For more information, see Single Sign-On with Microsoft Kerberos SSP.
We distribute two different versions of the wrapper library for Microsoft's NTLM SSP. The older version is called gssapi32.dll and the newer version is called gssntlm.dll. For more information on how to get gssntlm.dll, see SAP Note 595341.
For more information on security aspects of this scenario, see SAP Note 165485.
When the code page of the SAP system is different from the code page on the Windows machines, it is not possible to enter Windows user IDs that contain 8-bit characters into the USRACL table (for example, by calling transaction SU01). The combination of Windows ANSI (=ISO Latin 1) and the default SAP code page 1100 provides the same encoding of 8-bit characters and permits the use of 8-bit characters with gssntlm.dll.
To implement SSO with the Microsoft NTLM SSP you: