
Preparing the Primary Application Server Instance

Use

To set up Single Sign-On (SSO) using Microsoft Kerberos, you need to modify the primary application server’s instance profile and make sure that the SNC library is located in the Windows directory.

Prerequisites

You have registered a Service Principal Name (SPN) for SAP NetWeaver Application Server (SAP NetWeaver AS) with the domain controller.

For example, enter the following command:

setspn -A SAPServiceSID/do_not_care SAPServiceSID

Procedure


       1.      Determine which variant of the library is appropriate for your application server platform. See the table below.

Kerberos Wrapper Library According to Platform

Platform                            Library
32-bit Windows NT (Intel x86)       gsskrb5.dll
64-bit Windows NT (x86_64)          gx64krb5.dll
64-bit Windows NT (ia64/Itanium)    gi64krb5.dll

For more information about how to get the library, see SAP Note 352295.

       2.      Copy the library to the appropriate Windows system directory on the primary application server instance:

       Drive:\%windir%\system32

       Drive:\%windir%\SysWOW64

       3.      In the instance profile of the primary application server instance, set the profile parameters:

       snc/enable = 1

       snc/gssapi_lib = <DRIVE>:\%windir%\system32\<library>

       snc/identity/as = p:SAPService<SID>@<KERBEROS_REALM_NAME>

where <KERBEROS_REALM_NAME> is the Kerberos realm that the SAPService<SID> user belongs to. This is typically the Microsoft Windows domain converted to uppercase characters.

Caution

<KERBEROS_REALM_NAME> and the SAPService<SID> user are case-sensitive. Make sure that you enter the case correctly, for example: p:SAPServiceC11@REALM.EXAMPLE.COM.

Note

Although you can freely choose the Windows account under which the SAP system runs, it is normally SAPService<SID>.

Single Sign-On using the Microsoft Kerberos SSP with the Kerberos wrapper library is only available for user accounts that belong to the Active Directory, that is, domain accounts. It cannot be used with local computer accounts.

       4.      Set the following parameters to allow users to log on to the SAP system using user ID and password.

       snc/accept_insecure_cpic = 1

       snc/accept_insecure_rfc = 1

       snc/permit_insecure_start = 1

Note

This step is required at least once so that the administrator can log on and maintain the user mappings between the Windows accounts and the SAP System user IDs. To disable the use of user ID and password as a logon mechanism altogether, you can reset these parameters after maintaining the user mappings.

       5.      Stop and restart the SAP system so that the profile parameters take effect.
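The following Python script is an added example, not part of the SAP documentation: it parses an instance profile and checks the SNC parameters from steps 3 and 4, including whether the password-logon parameters from step 4 are still set to 1 after the user mappings have been maintained. The sample profile, the function names and the treatment of '#' lines as comments are assumptions made for illustration.

```python
import re

# Constructed sample instance profile (illustrative, not from a real system).
SAMPLE_PROFILE = r"""
# SNC settings
snc/enable = 1
snc/gssapi_lib = C:\Windows\system32\gx64krb5.dll
snc/identity/as = p:SAPServiceC11@realm.example.com
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
"""

KERBEROS_LIBS = {"gsskrb5.dll", "gx64krb5.dll", "gi64krb5.dll"}  # table above
INSECURE = ("snc/accept_insecure_cpic", "snc/accept_insecure_rfc",
            "snc/permit_insecure_start")

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines ('#' = comment)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_snc(params, sid):
    """Return a list of findings for the SNC parameters of steps 3 and 4."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1")
    lib = params.get("snc/gssapi_lib", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if lib.lower() not in KERBEROS_LIBS:
        findings.append("snc/gssapi_lib does not name a Kerberos wrapper library")
    match = re.fullmatch(r"p:([^@]+)@([^@]+)", params.get("snc/identity/as", ""))
    if not match:
        findings.append("snc/identity/as is not of the form p:<user>@<REALM>")
    else:
        user, realm = match.groups()
        if user != f"SAPService{sid}":
            findings.append(f"user '{user}' differs from SAPService{sid} (case-sensitive)")
        if realm != realm.upper():
            findings.append(f"realm '{realm}' is not uppercase")
    for name in INSECURE:
        if params.get(name) == "1":
            findings.append(f"{name} = 1: user ID and password logon still accepted")
    return findings
```

Calling audit_snc(parse_profile(SAMPLE_PROFILE), "C11") on the constructed sample reports the lowercase realm and the three step 4 parameters that are still set to 1.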

 
