Mapping Windows Users to SAP Users for Kerberos SSO

Use

To set up the use of Microsoft Kerberos with SAP systems, you need to authorize SAP users to log on with SSO by assigning them to Windows users.

Procedure
  1. Log on to the SAP system as an administrator.
  2. Choose Tools → Administration → Maintain Users → Users or call transaction SU01.

    The User Maintenance window appears.

  3. Enter the name of the SAP user and choose User names → Change.
  4. Choose SNC.
  5. In SNC name, enter the case-sensitive name of the Kerberos principal for the Windows user that is to be assigned to the SAP user:

    p:<WINDOWS_USERNAME>@<KERBEROS_REALM_NAME>

    where <WINDOWS_USERNAME> is the logon ID of the Windows user and <KERBEROS_REALM_NAME> is the Kerberos realm that the user belongs to. This is typically the Microsoft Windows domain converted to uppercase characters.

    Tip

    For the user MILLER, belonging to the domain realm.example.com, enter:

    p:MILLER@REALM.EXAMPLE.COM

  6. If the user should also be allowed to log on with user ID and password, then select Insecure communication permitted. (This option is only available if the profile parameter snc/accept_insecure_gui is set to 1.)

    This can be useful, for example, to let the user work in a different domain where SSO using Kerberos is not available.

  7. Save your entries.
Result

Kerberos SSO is now set up. The next time this SAP system user logs on to the system, the application is opened without requiring the user to enter a user name and password.

If only one possible match exists between the Windows account and the SAP system user ID, the logon screen is skipped, unless the profile parameter snc/force_login_screen = 1 is present in the instance profile of the application server.
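
Example

The following script is an added example, not part of the original SAP documentation. It audits a list of user mappings against the rules in the procedure above: the p:<WINDOWS_USERNAME>@<KERBEROS_REALM_NAME> format, the uppercase realm, the Insecure communication permitted option, and Windows principals assigned to more than one SAP user. The row layout and the sample rows are constructed, and the check assumes the realm is the Windows domain converted to uppercase, which the procedure describes as the typical case.

```python
import re
from collections import defaultdict

# Constructed sample rows (hypothetical layout):
# (SAP user, Windows domain, SNC name, "Insecure communication permitted")
SAMPLE = [
    ("MILLER", "realm.example.com", "p:MILLER@REALM.EXAMPLE.COM", False),
    ("JONES", "realm.example.com", "p:JONES@realm.example.com", False),
    ("SMITH", "realm.example.com", "p:SMITH@REALM.EXAMPLE.COM", True),
    ("SMITH_ADM", "realm.example.com", "p:SMITH@REALM.EXAMPLE.COM", False),
    ("BROWN", "realm.example.com", "BROWN@REALM.EXAMPLE.COM", False),
]

# p:<WINDOWS_USERNAME>@<KERBEROS_REALM_NAME>, compared case-sensitively
SNC_NAME = re.compile(r"^p:([^@\s]+)@([^@\s]+)$")


def audit(rows):
    """Return (sap_user, finding) pairs for mappings that need review."""
    findings = []
    by_principal = defaultdict(list)
    for sap_user, domain, snc_name, insecure in rows:
        match = SNC_NAME.match(snc_name)
        if not match:
            findings.append((sap_user, "malformed-snc-name"))
            continue
        # Assumption: realm is the Windows domain in uppercase.
        if match.group(2) != domain.upper():
            findings.append((sap_user, "realm-mismatch"))
        # User ID and password logon stays possible for this user.
        if insecure:
            findings.append((sap_user, "password-logon-permitted"))
        by_principal[snc_name].append(sap_user)
    # More than one SAP user per Windows principal: no single match exists,
    # so the logon screen is not skipped.
    for users in by_principal.values():
        if len(users) > 1:
            findings.extend((user, "shared-principal") for user in users)
    return findings


if __name__ == "__main__":
    for sap_user, finding in audit(SAMPLE):
        print(f"{sap_user}: {finding}")
```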