Configuring the Application Server

<DRIVE>:\USR\SAP\<SID>\SYS\EXE\RUN

For more information on how to get the gssntlm.dll file see SAP Note 352295 .

• snc/data_protection/max = 1
• snc/data_protection/min = 1
• snc/data_protection/use = 1
• snc/enable = 1
• snc/gssapi_lib = (<DRIVE>:\USR\SAP\<SID>\SYS\EXE\RUN\<gssntlm.dll>)
• snc/identity/as = p:<DOMAIN_NAME>\SAPService<SID>

  where SAPService<SID> is the user who runs the SAP system.

  and < DOMAIN_NAME> is the Windows NT domain of this user.

  Note

  Although you can freely choose the Windows NT account under which the SAP system runs, it is normally SAPService<SID>.

  Note

  If you use a local account for SAPService<SID>, most operations are successful. However, any operations or communications where the SAP system initiates SNC-protected communication to a remote machine do not work with a local account for SAPService<SID>. Therefore, use a domain account.

Additional SNC Parameters

The following profile parameters let you continue with password-based access to the SAP system when SNC has been enabled. To log on to the SAP system as an administrator to maintain the mapping of Windows user accounts to SAP system user IDs (user and client), you have to use these additional parameters at least once after enabling SNC. Once the mapping (at least for the administrator) has been entered, you can disable further password-based logons by removing the respective profile parameters.

• snc/accept_insecure_cpic = 1
• snc/accept_insecure_gui = 1
• snc/accept_insecure_rfc = 1
• snc/permit_insecure_start = 1