
Kerberos/SPNego


If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP front-end server. This authentication method is especially recommended if you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory.

Kerberos/SPNego authentication provides the following advantages:

  • It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.

  • It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

  • It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory). As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most internet-facing deployment scenarios. To enable Single Sign-On with Kerberos/SPNego authentication from outside your corporate network, you might have to set up a VPN connection.

Kerberos/SPNego is available with the SAP Single Sign-On product, which also provides additional authentication mechanisms, such as X.509 certificates or an SAML Identity Provider.

For an overview of SAP Single Sign-On, see published on SAP site.


For more information about the configuration that is required for Kerberos/SPNego, see the Secure Login for SAP Single Sign-On Implementation Guide on SAP Help Portal at