To set up Single Sign-On (SSO) using Microsoft Kerberos, you need to modify the primary application server’s instance profile and make sure that the SNC library is located in the Windows directory.
...
1. Determine which variant of the library is appropriate for your application server platform. See the table below.
Kerberos Wrapper Library According to Platform
| Platform | Library |
| --- | --- |
| 32-bit Windows NT (Intel x86) | gsskrb5.dll |
| 64-bit Windows NT (x86_64) | gx64krb5.dll |
| 64-bit Windows NT (ia64/Itanium) | gi64krb5.dll |
For more information about how to get the library, see SAP Note 352295.
2. Copy the library to the appropriate Windows system directory on the primary application server instance:
○ Drive:\%windir%\system32
○ Drive:\%windir%\SysWOW64
3. In the instance profile of the primary application server instance, set the profile parameters:
○ snc/enable = 1
○ snc/gssapi_lib = <DRIVE>:\%windir%\system32\<library>
○ snc/identity/as = p:SAPService<SID>@<KERBEROS_REALM_NAME>
where <KERBEROS_REALM_NAME> is the Kerberos realm that the SAPService<SID> user belongs to. This is typically the Microsoft Windows domain converted to uppercase characters.
<KERBEROS_REALM_NAME> and the SAPService<SID> user are case-sensitive. Make sure that you enter the case correctly, for example: p:SAPServiceC11@REALM.EXAMPLE.COM.
Although you can freely choose the Windows account under which the SAP system runs, it is normally SAPService<SID>.
Single Sign-On using the Microsoft Kerberos SSP with the Kerberos wrapper library is only available for user accounts that belong to the Active Directory, that is, domain accounts. It cannot be used with local computer accounts.
4. Set the following parameters to allow users to log on to the SAP system using user ID and password.
○ snc/accept_insecure_cpic = 1
○ snc/accept_insecure_rfc = 1
○ snc/permit_insecure_start = 1
This step is required at least once so that the administrator can log on and maintain the user mappings between the Windows accounts and the SAP System user IDs. To disable the use of user ID and password as a logon mechanism altogether, you can reset these parameters after maintaining the user mappings.
5. Stop and restart the SAP system so that the profile parameters take effect.
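The following check of the profile parameters from steps 3 and 4 is an added example, not SAP code. The helper names `parse_profile` and `check_snc` are hypothetical, the sample profile is constructed, and the `name = value` profile syntax with `#` comments is an assumption.

```python
import re

# From this page: wrapper library names (table) and the step-4 parameters.
KNOWN_LIBS = {"gsskrb5.dll", "gx64krb5.dll", "gi64krb5.dll"}
INSECURE = ("snc/accept_insecure_cpic", "snc/accept_insecure_rfc",
            "snc/permit_insecure_start")

def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def check_snc(params):
    """Return a list of findings (hypothetical helper, not an SAP tool)."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1")
    lib = params.get("snc/gssapi_lib", "")
    if lib.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in KNOWN_LIBS:
        findings.append("snc/gssapi_lib does not name a Kerberos wrapper library")
    ident = params.get("snc/identity/as", "")
    m = re.fullmatch(r"p:([^@\s]+)@([^@\s]+)", ident)
    if not m:
        findings.append("snc/identity/as is not of the form p:<user>@<REALM>")
    elif m.group(2) != m.group(2).upper():
        findings.append("realm in snc/identity/as is not uppercase; check the case")
    for name in INSECURE:
        if params.get(name) == "1":
            findings.append(name + " = 1: password logon still allowed")
    return findings

# Constructed sample profile (values are illustrative, not from a real system).
SAMPLE = r"""
snc/enable = 1
snc/gssapi_lib = C:\Windows\system32\gx64krb5.dll
snc/identity/as = p:SAPServiceC11@realm.example.com
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 0
"""

if __name__ == "__main__":
    print("\n".join(check_snc(parse_profile(SAMPLE))))
```

Run it again after the user mappings are maintained; any remaining `= 1` finding means user ID and password logon has not yet been disabled.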