Show TOC Start of Content Area

Function documentation Single Sign-On with Microsoft Kerberos SSP  Locate the document in its SAP Library structure

Use

Kerberos Single Sign-On (SSO) is a secure method of logging on to the SAP system that simplifies the logon procedure. It is suitable if you use Windows 2000 or later in your system landscape.

When your system is configured for SSO, an authorized user who has logged on to Windows can access the SAP system simply by selecting it in the SAP logon window or using a shortcut. There is no need to enter a user ID and password every time that the user logs on to the SAP system with SAP GUI for Windows. Therefore, SSO makes it easier for you to manage SAP system users.

The Microsoft Kerberos Security Service Provider (SSP) provides secure authentication plus encryption of the network communication. In contrast, SSO with Microsoft NTLM SSP, as described in the next section, does not provide encryption of the network communication.

Recommendation

When using the Kerberos wrapper library (gsskrb5.dll), the Microsoft Kerberos SSP might be interoperable with Kerberos implementations from other vendors and suppliers.  However, we do not provide support for third-party libraries loaded at the BC-SNC interface. Documentation and support must be provided by the vendor(s)/supplier(s) of the third-party software.  Therefore, we recommend that you only use BC-SNC certified Single Sign-On solutions for which the vendor has committed to provide implementation, documentation, and support.

For more information, see www.sap.com/partners/directories/SearchSolution.epx.

Under Certification Category, select Secure network communication and choose Search.

Prerequisites

      SSO based on Kerberos can only be set up for users that are members of a Windows 2000 or higher domain.

      Before beginning with the configuration, read SAP Notes 352295 and 595341.

Activities

To implement SSO with the Microsoft Kerberos SSP, you have to:

...

       1.      Prepare the primary application server instance.

       2.      Configure the SAP front ends.

       3.      Configure the SAP Logon.

       4.      Map Windows users to SAP users.

The sections that follow describe these steps in detail.

Note

In the directory paths specified in the topics that follow, \%windir%\ refers to the location of the Windows directory corresponding to the Windows operating system release.

End of Content Area