Skip to Content
Technical Articles

Using KeePass Instead of SAP Logon

Together with Renald Wittwer I am preparing SAP Inside Track 2012 in Hamburg. Instead of the usual InnoJam we decided to create something new, which we called “Solution Jam” (short: SolJam). The idea is to present within 8 minutes innovative solutions / ideas / tools with or on top of SAP technology. I decided to show the participants how I use KeePass instead of SAP Logon.

As soon as I had posted the title, Uli Burner came up with I am very interested in your #sithh soljam topic “keepass instead of sap login” – any information about this available yet? and also Gregor Wulf was interested. Both managed to find out themselves before I could answer – only knowing the title was already a benefit for them.

Since a good story can always be told twice, I decide to write this blog even before I am going to show it to you in May.

1. The Open Source Software KeePass

So how did I came across this? Well, being a busy consultant my SAP Logon is flooded with system entries and I somehow had to remember all these passwords. The most  people I know use either more or less the same password for all the systems or they use something like excel where they keep their passwords protected with a master password.

Both ways of doing it are not very secure. Since I have to remember not only the user an passwords of the SAP systems, but also of a lot of websites and other applications, I was very happy to find this excellent open source software KeePass, a light-weight and easy-to-use password manager.

You can create different databases, each of them protected with a master password. It also allows to create  (sub-) directories and the content is encrypted (see Figure 1 – KeePass – Main Screen).


Figure 1 – KeePass – Main Screen

If you enter an entry you have data fields for e.g. title, user name, password, quality of the password and URL of the application. If you enter the password, it is not shown. You have to repeat it, as if you would logon to a system (see Figure 2). But you can also switch to visible password (if nobody is looking over your shoulder).

Entry Screen

Figure 2 – KeePass Entry Screen

2. How to Logon to a SAP System via KeePass

As you can see in the screenshots I have used the URL field to connect to the SAP system. With command “cmd” you can call a program. The program I am calling is SAP Shortcut (sapshcut). It is in the same directory as saplogon. Maybe you have to extend the path, if the program is not found. SAP Shortcut has a lot of parameters, which are all described in sapnote 103019.

What I have entered is the following:

cmd://sapshcut -system=NSP -client=100 -user={USERNAME} -pw={PASSWORD} –maxgui

The parameters have the following meaning:

  • system – System name
  • client – The client you want to login to
  • user – Your username. The “{USERNAME}” is a feature of KeePass to refer to the user name you have entered in the KeePass entry.
  • pw – Your password. The “{PASSWORD}” is a feature of KeePass to refer to the password you have entered in the KeePass entry.
  • language – The language you want to logon with (I omitted that).
  • maxgui – Maximize SAPGUI after login

If you select the entry and click on the link shown in the lower area of  the main screen, you are immediately logged into the selected system.

Watch yourselve:

You must be Logged on to comment or reply to a post.
  • Hi Peter,

    I've used the variant described by Florian Keller at SAP-GUI Anmeldung automatisieren mit KeePass. Unfortunately this solution requires that the need entry is selected in KeePass. So your solution is very elegant as you can start the connection from within KeePass. But with SAP GUI 7.20 SP 10 Hotfix 1 I get the error message "Name or Password incorrect". That also happens when I run SAPSHCUT from the command line.

    Hope you have a tip.

    Best regards

    • Hello Gregor,

      I am pleased, that you find my blog helpful.

      Regarding your question: yes it runs with SAP GUI 7.20. I am currently using also using Patch 10 Hotfix 1 and everything runs fine. Also lower versions are not problem (I am using KeePass since two years in this way).

      The message you have mentioned normaly occurs, if the username or password is wrong. Please check, that they are correct in KeePass resp. in the commandline and that there is no whitespace somewhere.

      Please let me know, if you could solve your problem.


    • @Gregor

      I had the same issue and tried removing the -maxgui and it worked.  I then moved -maxgui closer to the beginning of the URL and it also worked.

      cmd://sapshcut -maxgui -system=HT1 -client=240 -user={USERNAME} -pw={PASSWORD}

  • Hi Peter,/sap/bc/bsp/sap/crm_ui_start/default.htm?sap-client=002&sap-sessioncmd=open&sap-user=&sap-password=&sap-language=DE<br/><br/>Best regards<br/>Gregor

  • Hi, I'm using KeePass since a while now, and now I found this....<nice>


    And the best of it: It works also with the SAPGUI 7.30 (Patch 0)

    Thank you som much !!!

  • Great blog. To further optimize this I'm looking for a hotkey solution:

    Now I still have to go to Keepass, select the system I want to logon to and type the CTRL-U shortcut. It would be even better if I just could type CTRL-F1 (or any other keycombo) from any application, and it would log me on to the system I assigned to CTRL-F1.



    • Hi Xavier,

      thank you for your interest in this subject. What you request would be an extension of KkeePass, because as of today such a feature is not available. The best way to implement it would be to program a KeePass plugin, with which you can define short cuts. But still you would have to login to KeePass once, before you can login to a SAP system...

      May be you are the right one to supply this plugin?



  • The "magic sequence" with SAPGUI 7.30 (patch 0) is:

    cmd://sapshcut -maxgui  -user={USERNAME} -pw={PASSWORD} -language=E -system=SY1 -client=200



    • Hi Antonio,

      thank you for sharing your experience! As I can see, you have moved -maxgui to the front. Others like Marc above, have it in another position also using SAPGUI 7.30. So I think it has nothing to do with the GUI version but with something else... I you (or somebody else) found out, what it is, I really would like to know...

      By the way, the parameter is optional.



    • Dear Jan,

      please describe the problem you are having in more detail. Do you receive an error message? Just because I am curious: Why do you have more than one SAP Logon on your client? One should be enough...

      I am looking forward to help you,


      • Hello Peter,

        we have many customers, so we need five SAPLogon with different names.

        It works only with customers from "SAP Logon" not for example "SAP Logon A-F".

        Thank you for your support.


        • Dear Jan,

          The problem might be, that SAP shortcut does not know how to resolve the systems name to the actual server. Please check the following:

          Are all the System-IDs and instance numbers unique?

          If not, try to identify the system via its system name, which of cause must be unique too, by using the option -sysname="<name of your system>" instead of -system=<system-id>.

          I hope, that this works for you. I am looking forward to your feedback.



  • Great blog, I found it very helpful.

    I prefer the URL in the form:

    cmd://sapgui.exe /SHORTCUT="–maxgui -sid=XYZ -clt=123
    -u={USERNAME} -pw={PASSWORD}"

    but everything else is great!

    • Hi Rainer,

      thank you for your feedback. Please let us know, why you prefer your version of the URL. What are the advantages? Or is it just a matter of taste?



      • Hi Peter,

        it's more or less a matter of taste. The only argument I have: I'd like to be indepentent from a wrapper applicatoin such as sapshcut.exe. One can never know if this wrapper still exists in the next release.

        For all command line parameters I prefer the short version i.e. clt instead of client. But this doesn't really matter.

        By the way, the URL:

        cmd://<path to SAPGUI for Java>/bin/guistart.bat"

        works for the SAPGUI for Java as well



  • Hi Peter,

    everything is working fine with this solution. But I got a question:

    The IS-U password has to be changed regularly, how to manage the change? Is there a functionality for changing automatically?

    Because if I use the reference option in KeePass and change the password of the referencing entry because of the change via sapgui. The referenced entry will have a wrong password for the next open of a different system.


    Best regards


    • Hi Roman,

      first of all yes, there are functionalities you can use. As you already found out, that can not use the reference option regarding the password. You have to deactivate that.

      If you use the link to logon to the system it will show up with the "enter new password" windows as soon as the password is expired or if you have logged in with an initial password or if you have requested an new password manually.

      In such case you use the autotype functionality of keepass. Therefore you must enable additional information in the window title of SAPGUI (>7.30 needed). You do so in SAPGUI->options->visualization 2.

      In Keepass you edit the entry, go to the Auto-Type tab and enter e new user defines sequence. The target window is the window with the new password request and the user defined sequence is


      If you do a right click on the entry and choose auto-type keepass will identify the selected window and will generate a new password for you and enter it into the dialog.

      If you want to initiate an new password, the sequence could be


      if you are in the client field the insert button is pressed and the systems goes into overwrite mode. The client is taken from a user defined field, username and password are entered and than it goes back three fields and presses the "change password" button.

      You can't combine both. Be aware, that you might already be logged in. Then the "you naughty boy"-window pops up und will disrupt the process...

      Hope this quick answer helps,


      • Hi Peter,

        thank you very much for your detailed explanation. "Unfortunately" in our company the SAP GUI 7.20 is still in use, so at the moment it won't help me.

        But i will remember when it will be updated.

        Thank you and have a nice day!

        Best regards


          • Hi Roman,

            you can show the information by setting the registry entry 'ShowAdditionalTitleInFo' under [HKEY_CURRENT_USER\Software\SAP\SAPGUI Front\SAP Frontend Server\Administration] to 1 (REG_DWORD). Default is 0.



  • Hello Peter,

    thanks for sharing this very interesting information.

    One question: is it possible to open SAP entries which also includes a router string?

    (e.g. /H/

    Best regards,


    • Hi Tortsen,

      yes, it is possible. In the above mentioned note it says in section 2.2.:

      "...specifies a logon using system name and logon group.




      Hope that helps.


  • Hi Peter,

    thank you so much. Good idea! Works for me. I had to use the fully qualified path. But it was not difficult to figure out the following

    cmd://"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\sapshcut.exe" -system=xyz -client=300 -user={USERNAME} -pw={PASSWORD}

    Thanks again


  • Peter, thanks a lot for share this feature with the community, it very helpful! Congrats!

    Let me ask you something. I have in my SAP Logon Pad, at least two entries with the same system name (PRD, QAS, DEV...). This way, if I press CTRL + U to open a determined entry, SAP tries to access the fisrt entry found in the entries list whose system name is "PRD", for example.

    This is the parameter that I'm using:

    cmd://sapshcut –maxgui -system=BFP -client=500 -user={USERNAME} -pw={PASSWORD} -command=SE16N

    I tried to use the parameter -guiparm with the description of the intended entry, but SAP issues the message:

    "Cannot split connection string: %s"

    How should I do in this case?

    Thanks a lot,


    • Hi Douglas,

      I think instead of "system name" you mean the system ID, right? If two systems have the same ID you can use the the option -sysname="<name of your system>" instead of -system=<system-id> which make the entries unique again.

      I hope this helps.



  • Very useful info. But, I guess if you use SSO and don't know your SAP password, it doesn't really apply. At our company we have 400+ systems (yes, four hundred), and SSO is really the only viable solution. Entering (and regularly changing!) such a number of passwords would not be possible.

    So, I guess KeePass is only a solution for non-SSO sites, right?



  • Hi all,

    Since I am using various SAP systems simultaneously, I make use of the saplogon icon in the Windows taskbar. I right click on saplogon icon and I can select an active session. SID and client nr and user-id are mentioned.

    I miss this option when I use KeePass .. or .. actually I miss this option when using sapshcut.

    Do you know a solution for this?

    Nice scn contribution!
    Kind regards

    • Dear R,

      when I click the link in Keepass I am not only logged in to the system, but also my saplogon opens. Then, when I left click the saplogon icon, I can see the open modus.

      So from my point of view it works as you requested. I am using


         SAP Logon for Windows

         730 Final Release


      on Windows 7 professional.



  • Great tips !

    Just one remark : on production system, it is easy : one system id, one client, 1 keepass entry. Just for that it is very useful.

    For development and quality environments, I have the same password for both environments and all clients and only 1 keepass entry.

    I can create 2 lines in keepass for the 2 system id, but for each client it is too huge

    I wonder if I can choose the client as a parameter after typing the "open url" option ?

    The other solution is to put the default client in the URL and use the auto-type option for the others.

    Thank you

    • Dear Anthony,

      in your case I would put the client number into the notes field.

      in the auto-type section the notes field can be used as {notes}.

      Then _duplicate_ the entry (right-click and choose option duplicate).

      In the upcoming popup choose "Replace user/pwd by reference".

      Thus you get a new entry which references to the old one. Username and password have to be maintained in the original entry only. in the new entry you just change the client in the notes field.

      Hope it's comprehensive and helps.

      BR, Rainer

      • Hello,

        Sorry for my late answer. I found 2 useful tools :

        - The "duplicate" option as you mentionned to have only one password to maintain.

        Disadvantage : You have to create one entry for each environment / clients. I my case, I have access to 13 environments and the developpement environments have sometimes 2 or 3 clients ...

        - The "PICKCHARS" key words that allow to enter a parameter before opening the URL

        Disadvantage : the pop-up needs to be more customizable (name of the field), more user-friendly

        The URL used for all SAP entries

        cmd://sapshcut –maxgui -system={S:SYST} -client={S:CLIENT} -user={USERNAME} -pw={PASSWORD}

        The custom parameters changes for each keepass entry :

        CLIENT : fixed entry if only one exist or  {PICKCHARS::ID=Mandant, Hide=False, C=3} for a parameter of 3 characters

        SYST : fixed entry

      • 3 of the systems are now SSO enabled. In this case, the URL in keepass must be :

        cmd://sapshcut -system={S:SYST}  -snc_name="p:{USERNAME}@<your_domain>" -snc_qop=9 -pw=dummy -l={S:LANG}

        And the password is useless

        • Hello

          I know about sapshcut -?

          your reply is showing arguments



          Are these unsupported keywords for sapshcut?

          Are there any other keywords?

          We are using some wrappers which are 'designing' command lines like ...

          "c:\Program Files (x86)\SAP\FrontEnd\SAPgui\sapgui.exe" 'FQDN' 03 SNC_PARTNERNAME="p:L=WOB, SN=GID: 12345678, CN=AAA, OU=Prozesse, O=company"  SNC_QOP=9 SNC_LIB="C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll"

          ... to start different sap systems automatically with smartcard logon

          snc_qop  -snc_name

            are looking like the 'secrets' to force sapshcut.exe to try a smartcard based logon

          Cheers Claus-Dieter

          • found answer by myself ... see sapnote 103019 ... next time google rather than program -? 8. Folgende Parameter sind seit 46D GUI Compilation 3 verfügbar: (File version: sapshcut.exe >= 659 and sapsmlib.dll >= 642) (File version: sapgui.exe >= 8852, bitte Hinweis 396559 lesen) a) Zur Unterstützung von SNC-Anmelden:     -snc_name="p:CN=SID, O=SAP-AG, C=DE" (SNC Name)     -snc_qop=9  (schaltet SNC-Anmeldung an)

  • Hi community,

    Unfortunately the mentioned Keepass Solutions are not working in my case, maybe the reason is that I am using SAP Logon 740. Could somebody support me with a working script?

    Thanks a lot in advance.


    • Hi Yaj, Rainer,

      unfortunately has SAP changed the rule for the use of parameters as of SAPGUI 7.4 (see note 146173 (yes, it realy THAT old note!).

      So, what SAP says, the <password> parameter doesn't work for new entries made with SAPGUI 7.4.

      DONT BLAME ME FOR LOST DATA !! STOP here, when you are not experienced with text editors and manuall changes to the saplogon.ini  🙂

      You act on your own risk...

      However, MY workaround (sucessfully tested with SAPGUI 7.4 all versions including PL3, is as follows:

      0) Be carefull, manuall changes via SAPGUI 7.4 are LOST !! So be carefull !

      1) close SAP GUI (all systems incl. SAPLOGON Pad)

      2) that I maintain new systems and changes of parameters (appServer/IP-adress, name etc.)  manually by editing the saplogon.ini with a text editor.

      3) Then I make a backup of the file C:\Users\[myname]\AppData\Roaming\SAP\Common\SAPUILandscape.xml

      4) delete the original file (see 3)

      With the next start of SAPGUI the SAPUILandscape.xml file is created based on the updated saplogon.ini. And voilá, works fine for me.

      Good luck, and again, don't blame me for lost system-information !


      • Hi Marc,

        many thanks for your reply. Could you please explain me what I have exactly to configure within the saplogon.ini? By the way I do not have a SAPUILandscape.xml, instead of that my folder contains the SapLogonTree.xml.

        Thanks for your support.


        • Hi Yaj,

          please check the path you find in SAPLogon, Options, Options for SAP Logon, Local Configuration, and at the first path (local configuration path). I think, the SapLogonTree.xml is not used anymore (you can check be changing something and save, then the last modification date should be changed.

          In saplogon.ini at the following parameters need to be set;


          ItemXY=my system name


          ItemXY=123.234.345.456 (ot




          ItemXY=3 (seems to be always 3, but I don't have a documentation 🙂 )


          ItemXY=SL0 (your system ID)


 (or IP Adress)


          ItemXY=-1 (always -1)


          ItemXY= (always empty, except you have an SNC connection - but the you don't need Keepass)


          ItemXY=-1 (always -1 for no SNC)


          ItemXY=1100 (your preferred codepage (always 1100 for me)


          ItemXY=-1 (always -1 for me)


          ItemXY=USEREDIT (when you manually update the Appserver or MS_SEL_GROUPS when you've the message server lockup (I haven't used that)


          ItemXY=sapmsSL0 (replace the last three digits with your system ID (see MSSysName)


          ItemXY=0 (I have always high speed networks)


          ItemXY=0 (not sure what this means)


          ItemXY= (empty)


          ItemXY=DEFAULT_NON_UC (not sure what this means)


          ItemXY=0 (always 0)


          ItemXY= (always empty)


          ItemXY= (always empty)


          ItemXY= (always empty)


          ItemXY=0 (always 0)

          I added always all line, not sure, whether they are required or not - just to be sure. It's a pain in the neck, but i works fine 🙂

          Good luck.


          • Hi Marc,

            thanks a lot for your support so far. Unfortunately I am still getting the SAP Logon error message "Name or password is incorrect" after the execution of Rainers script in Keepass. As I mentioned the script is working fine, it just seems that the script is not able to insert the stored password from Keepass into SAP Logon 7.40. Would be happy if somebody has a solution for my problem.


          • Hi Yaj,

            I use this Script:

            cmd://sapshcut -system={S:SystemID} -client={S:Client} -language={S:Language} -user={USERNAME} -maxgui -pw={PASSWORD}

            That works fine for me. The parameter "SystemID", "Language" and "Client" under "advanced" and "string fields". When the response is Name or password is incorrect" then probably, the password or user is wrong. The reponse, when the password can not be saved is, that the SHortcut menu opens, and says, password will not be saved or something.

            So, propably, you have another problem 🙂



    • Hello Marko,

      Thank you for your plugin, I just tried it. Here are my 3 remarks :

      1) Seems to not work with system using SSO (I have all my systems in Keepass, even the ones where passwords are not required)
      2) The references doesn't work. If you duplicate one entry and decide to use references, you will get a message like "User name {REF....} has exceeded the maximum length 12"

      3) No error message when connexion failed (wrong password)

      • Hello Anthony,

        to 1)

        The plugin doesn't support SSO login, because of the way of handle SSO login is complete different. SSO logons provided by specific SSO clients which are use certificates, not passwords. This is not the purpose of the plugin.

        KeeSAPLogon uses the assistance of sapshcut.exe, which only supports password based logon.


        You can run both in parallel (password based and SSO based logon), but this need to be ensured by SAP configuration.

        The RZ10 profile parameter snc/accept_insecure_gui need to be set to '1' or 'U'. In case of value 'U' make sure that your user got the permission to password based logon (insecure logon) via SU01 setting (see tab SNC).

        Also ensure you stored a valid password within KeePass.

        See also...

        to 2)

        Need to research...

        to 3)

        Might be a leak of sapshcut.exe. Will have a look...

        I hope it helps.



        • Hi Marko, I confirm you can use SSO with sapshcut.

          I do it in Keepass using URL, of course if the configuration is done on both server and client sides.

          In that case, the password is useless, it is just to have all systems in a single tool.

          The syntax is (I now use your field names)

          cmd://sapshcut -system={S:SAP ID}  -snc_name="p:{USERNAME}@{S:Your domain}" -snc_qop=9 -pw=dummy -l={S:SAP Language} -client={S:SAP Client}


          • Hello Anthony,

            I think about to include the SSO logon style into the plugin.

            Do you think this would be valuable?

            Of course, at the end the plugin is only filling the sapshcut arguments with the right values. Same as you do with cmd, but I guess the plugin is doing so in a more convenient way.



          • Your plugin is useful to not have to fill each time the URL, and for someone that don't know the syntax expected by sapshcut.

            So yes please continue in this way !

            Don't know if it is possible, but a popup to fill system, client and langage ... without entering manually the variable names would be convenient ! (A nice to have for next versions 🙂 )

            Now I'm searching if I can display the column "SAP logon" only in SAP folders.

            In other folders, this column is useless

  • Hello Peter,

    Good works, I have a problem with keepass, now my system enable SSO by default, but I need logon with many users everytime for test purpose, when I click item in keepass that specific username and password, but every time, I logon with own user because of SSO, So I want to know whether is there a parameter to make SSO disable in keepass?

    thank you

    best regards,


  • Hi,

    I know that meanwhile there are maybe more convenient plug-ins available, but with bare KeePass 2.* functionality I have a proposal which I think isn't mentioned here: The way to re-use information without referencing or creating additional fields. It took a while until I found it. The key words in KeePass's manual are "Placeholder" and "Text Transformation".

    I guess most people will add the SID and the client number to the title of an entry just to find the right credentials. How can you use the information in the title? By using {TITLE} and substitute text by regular expressions

    Let's say title is ABC.666, so SID is ABC and client is 666. If you stick to this or any naming convention you could use the following as URL:

    	cmd://sapshcut -system={T-REPLACE-RX:/{TITLE}/....$//} -client={T-REPLACE-RX:/{TITLE}/^....//} -user={USERNAME} -pw={PASSWORD}

    This means for "-system=": Take the title and substitute the last four arbitrary characters by nothing. The substitution for "-client=" is the four first arbitrary characters. People familiar with sed, awk, vi or regular expressions in general will immediately understand. You can do anything with the text!

    For this entry this would be solved to:

    	cmd://sapshcut -system=ABC -client=666 -user={USERNAME} -pw={PASSWORD}

    So you can copy this URL into every entry. No additional custom fields, no references, no redundant data.



  • Hello,

    I began to use keepass and the command line to connect to SAP and it's working well except in one situation.

    When you put non latin characters (Greek, Cyrillic, Hebrew...) in password or in username, they are replaced by "?" by sapshcut.exe and of course connection fails.

    Did anyone face such an issue ? How did you solve it ?



  • Dear all,

    what would be the URL in KeePass when there are multiple entries for system-id but different group/server & instances in SAP logon?

    As KeePass uses the first hit of system-ID (e.g. ERP) but this one has group/server (e.g., instance 01) and the other entry is ERP with group/server (e.g., instance 02).

    How to use the right command string in KeePass to adress it correctly?




    • You can use the the option -sysname=”<name of your system>” instead of -system=<system-id>, see above ....

      In the SAPLOGON you also must have two different sysname for the same SID but with different servers and instances.

      Hope this will help.






  • Hi,

    is there a way to login to SAP via KeePass without creating an entry in SAP Logon? I tried to figure that out but it still does not work. 🙁

    Here is my not working result:

    cmd://sapshcut -gui="<SERVER> <INSTANCE> <SAPROUTER>" -system={S:SAP ID} -client={S:SAP Client} -user={USERNAME} -pw={PASSWORD} –maxgui