Skip to Content

How to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration

Matthias comment on 15.04.2013

SAP released (RTC) the a new version of SAP NetWeaver Single Sign-On (version: 2.0). The screenshots in this blog are from version SAP NetWeaver Single Sign-On 1.0. So if you install the new version, some screens will be look different, since SAP improved the UI. 
There is a complete new option available for Kerberos (SPNego for ABAP):


SAP NetWeaver Single Sign-On provides various possibilities to configure/implement a single sign-on scenario. At the moment (there are coming more), there are the following scenarios available


The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how to guide describes only how to configure the solution for SAP GUI for Windows with a Kerberos integration. If you are using SAP GUI and Web based applications, you should check the version with the certificates (out-of-the-box -> no external PKI required) especially for intranet use cases. Furthermore SAML (third option) provides Web single sign-On capabilities without the need to deploy anything on the client side.

If you are interested to implement the second option – please read this blog:

Detailed worklflow of the scenario


Prerequisites and information

You need to download the product SAP NetWeaver Single Sign-On from SAP marketplace (-> you need a valid license)

System name: TDI install an D:

Operation system: Windows (but the solution works of course also if the system is running on Linux/Unix -> see PAM)


1. Install the Secure Login Library (ON THE SERVER)

Create the folder D:\usr\sap\TDI\SLL

Change to folder D:\usr\sap\TDI\DVEBMGS00\exe\

sapcar –xvf SECURELOGINLIB.SAR –R D:\usr\sap\TDI\SLL

Change to the folder D:\usr\sap\TDI\SLL and verify the Secure Login Library status using the command snc.exe.
Verify if the PSE directory is defined to D:\usr\sap\TDI\DVEBMGS00\sec(existing)



2.   2. Check for Microsoft Environment Variable SNC_LIB and for the Kerberos Entry in MS Active Directory


Check if SNC_LIB is set to C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll

If not, please add the entry (FOR SAP GUI for Windows)


With the next steps we take a look at the Kerberos Configuration in Microsoft Active Directory. Call Start -> Run. Enter adsiedit.msc to call the MS Support-Tool for Active Directory. Press the OK button.

Open the tree Domain -> DC=fair .. (change to your enviroment) and OU=SCI266 (change to your enviroment). Click on CN=Kerberos TDI (change to your enviroment) with the right mouse button and select Properties .

The value of the attribute servicePrincipalName is set to SAP/KerberosTDI. Close the application without any savings.



3. Ceate and Configure the Secure Store Environment ( –> on the server

Make sure that you are in the folder D:\usr\sap\TDI\SLL.
Create the security store ( with the following command:

snc crtpse –x 1234567890 (use here a secure password instead!!!)

Verify if the secure security store is available using the command snc.exe. You will see that PSE does now exist [… (existing)]


Make sure that you are in  the folder D:\usr\sap\TDI\SLL.Create Kerberos KeyTab with the following command:

snc crtkeytab –s SAP/ -p abcd1234 (-> use the correct password in your enviroment).

Verify if Kerberos KeyTab entries are available using the command snc.exe. Everything is fine if 4 entries for Kerberos KeyTab are listed.


4. Configure SNC for SAP ABAP Server

Start transaction RZ10. Import the profiles of the active servers by selecting Utilities ->Import profiles -> Of active servers.

Select the Instance profile of the TDI system TDI_DVEBMGS00_MADR… and select Extended maintenance. Press the Change button.

Verify the listed snc parameters with the table of snc parameters on the next page.

You need to change the following snc parameters:

snc/enable           1

snc/gssapi_lib     D:\usr\sap\TDI\SLL\secgss.dll

snc/identity/as     p:CN=SAP/

(change this to your enviroment)

Information on related profile parameters:




Set this parameter to activate SNC on the AS ABAP.

1: SNC is activated


Specify the path and file name of the GSS-API V2 shared library.



Specify the SNC name of the AS ABAP with this parameter.


<name type>:<external name> or

<name type>/<product>:<external name>



Set this parameter to display the logon screen even if SNC is enabled.

0: the logon screen is only displayed when necessary

1: the logon screen is displayed for every logon


Set this parameter to permit the starting of programs without using SNC-protected communications, even when SNC is enabled…

1: start program without SNC protected communication


Set this parameter to accept unprotected incoming RFC-connections on an SNC-enabled AS ABAP.

1:accept all unprotected RFCs


Set this parameter to accept SAP GUI connections that are not protected with SNC on an SNC-enabled AS ABAP.

1: Except unprotected logons


Set this parameter that unprotected incoming CPIC connections on an SNC-enabled AS ABAP are be accepted.

1: Accept unprotected connections


Use this parameter to set the quality of protection for internal RFCs that use SNC protection.

8: Use the value from snc/data_protection/use


Use this parameter to specify that SNC should be used for internal RFC communications initiated by the AS ABAP.

0: Internal RFCs are unprotected


Use this parameter to set the default level of data protection for connections initiated by the AS ABAP. This parameter applies to CPIC and RFC connections only.

3: Data privacy protection


Use this parameter to set the minimum data protection level required for SNC communications.

2: Data integrity protection


Use this parameter to set the maximum data protection level for connections initiated by the AS ABAP.

3: Data privacy protection

Now you restart the application server in order to activate the new SNC parameters.

5. Install the Secure Login Client

Please install the secure login client on the PC/laptop where the SAP GUI is available. Please use the wizard an choose the complete option.

Start the Secure Login Client with the application icon in the taskbar.


The entry in the Secure Login Client should look like this:



6. Configure SNC for SAP GUI Application

Please create you entry in SAP GUI to connect to the system.

Set the flag for Activate Secure Network Communication. Enter the SNC Name to p:CN=SAP/


7. Configure SNC User Mapping in SAP User Management

Start transaction SU01 and enter SCI264 (choose your user who will access the system via SAP GUI (end user on the microsoft client)) for the User.

Maintain the field SNC name. SNC name: p:CN=SCI264@FAIR.SAP.CORP


Now you can test your scenario. You should be able to use SSO from the SAP GUI for Windows to a SAP system.

You must be Logged on to comment or reply to a post.
  • Hi Matthias very good blog which I’m trying to follow at the moment.

    One basic question, is the Kerberos Configuration check screenshot that you perform in Active Directory against the User Account or Computer Account  (in your example CN=Kerberos TDI) ?


      • So just to clarify, this is not the SAPServiceSID account for the SAP server that we install the libraries onto? Is this a totally new account not created by any SAP install?

        Thank again


      • Hello Matthias

        I have 2 questions?

          Item 2 in the configuration made in AD, the SPN would be on the server or User?

          Where is the User Service SAP” would be the name of the server?

             Example: In my case the User Service is named SVC-SAPPRD.

                     The Server Name and SRV-ECCPER.

             In this case the SPN is:

             SRV-ECCPER/svc-sapprd @ XXXXX.corp

          Thank you.

        • It is based on the user.

          In my example (SAP/KerberosTDI) TDI is the name of the system. It is independent from the server (system can run an several instances).

          So in my case the user is KerberosTDI with the SPN SAP/KerberosTDI.



          • Look you can help me:

            After changed the SPN > SRV-ECCPER/SVC-SAPPRD@localiza.corp

            Archive DEV_W




            SncInit(): Initializing Secure Network Communication (SNC)

            N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

            N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

            N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

            N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

            N  SncInit(): found  snc/gssapi_lib=D:\usr\sap\EPE\SLL\secgss.dll

            N    File “D:\usr\sap\EPE\SLL\secgss.dll” dynamically loaded as GSS-API v2 library.

            N    The internal Adapter for the loaded GSS-API mechanism identifies as:

            N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

            N  SncInit():   found snc/identity/as=p:CN=SRV-ECCPER/SVC-SAPPRD@Localiza.corp

            N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

            N        GSS-API(maj): No credentials were supplied

            N      Could’t acquire ACCEPTING credentials for

            N      name=”p:CN=SRV-ECCPER/SVC-SAPPRD@Localiza.corp”

            N  SncInit(): Fatal — Accepting Credentials not available!

            N  <<- SncInit()==SNCERR_GSSAPI

            N           sec_avail = “false”

            M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

            M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

            M  in_ThErrHandle: 1

            M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11329]




            Here the parameters RZ10 Profile.


            snc/force_login_screen = 1

            login/create_sso2_ticket = 1

            ssf/name = SAPSECULIB

            ssf/ssfapi_lib = D:\usr\sap\EPE\DVEBMGS33\exe\sapcrypto.dll

            sec/libsapsecu = D:\usr\sap\EPE\DVEBMGS33\exe\sapcrypto.dll

            snc/r3int_rfc_qop = 8

            snc/identity/as = p:CN=SRV-ECCPER/SVC-SAPPRD@Localiza.corp

            snc/permit_insecure_start = 1

            snc/r3int_rfc_secure = 0

            snc/accept_insecure_r3int_rfc = 1

            snc/data_protection/use = 3

            snc/data_protection/max = 3

            snc/data_protection/min = 2

            snc/accept_insecure_rfc = 1

            snc/accept_insecure_cpic = 1

            snc/gssapi_lib = D:\usr\sap\EPE\SLL\secgss.dll                                                                       

            snc/enable = 1

            snc/accept_insecure_gui = U,1


            Many thanks for the help


            Ederson Meneses

  • Am I right assuming that this case does NOT require the secure login server?

    Also, can you add multiple keytabs so that you can support multiple kerberos realms?

    (i.e. Windows domains in my case).

    i.e.  and

    can both sso to a single SAP system so long as the relevant SU01 entry is defined in the SAP system. USERA and USERB are separate SAP users defined in SU01


    • Hi Andy

      Yes we are not using the Secure Login Server at all, just the Secure Login Client and the Secure Login Library.

      Yes you can also use multiple Domains, (see page 28 of the Secure Login Library guide). I am trying to configure this at the moment but having a few issues…

      I have created 2 service accounts with sPN’s – 1 in each Domain and generated a KeyTab for each, then added them both to the PSE, the 1 account works ok (snc test -n ….) but the other one fails. The 1 that passes is in the same Domain as the ABAP server whereas the failed one is in a different Domain to the server.

      Maybe Matthias can shed some light?


  • Matthias, I’ve read through many of your blogs and solutions and what is quite frustrating is you fail to mention in most of your documentation what version of Netweaver to which the specific solution is applicable. 

    We sold and installed for our client an ECC 6.0 EHP5 Netweaver 7.02 solution – (ABAP ONLY) with our Best Practices solution.  We also installed Netweaver Business Client for the majority of end users to use and SAP Gui for a few power users. 

    I installed SSO for the SAPGui using Kerberos certificates and authentication with the Domain controller and all is working well.   Our client is also expecting, naturally, SSO to work for NWBC as well. 

    Please tell me what solution to use for NWBC SSO on an ABAP only system with Netweaver 7.02 – is this even possible without a large capital expenditure?

    Possible options I’ve read about:

         1.     Netweaver SSO 1.0 SP4 (need NW 7.3?)

         2.     X.509 certificates using SAP TCS ( Need NW 7.3)

         3.     Install a Java instance (we have Netweaver 7.02) and use this for                authentication.

    Thank you.

    • Hi Dugan,

      I can understand you frustration. SCN is not a replacement of SAP PAM (release info), it is not replacing and it sharing knowledge by choice.

      I analysed also different SSO options for NWBC but I am not ready yet and I plan to share again my knowledge when I am ready.

      Based on my current knowledge, I would recommend to use:

      -SAP NW SSO 1.0 with X.509 certificates (so this blog is another implementation option), only secure login server needs a NW 7.2/7.3

      -SAP Logon Tickets (but there are perhaps some challenges with the encryption of SAP GUI communiction). If you want to have a MS AD integration you need here again a SAP NW Java server -> SPNego

      Both technologies are used already by many very large companies.

      I don’t know if SAP TCS is applicable for many end users.



      • Hi Matthias

        So are you saying that currently the configuration described in your blog here does not support NWBC and only supports SAPGui ?



        • Hi,

          This how to guide describes only how to configure the solution for SAP GUI for Windows with a Kerberos integration

          This scenario will work only for SAP GUI for Windows. Not for NWBC for Windows. NWBC for Windows is a combination of SAP GUI for Windows and a Web Browser. This makes it so difficult. The first request is always a HTTP request, after that NWBC can call also a SAP GUI for Windows based application.

          So for NWBC this will work:

          Please check also our new videos. Same scenario but a video.

          Of course this scenario allows also an integration with MS AD or any other LDAP.

          Have a nice weekend


          • Hi Matthias,

            Thanks for this blog. It guides a lot !!

            We are configuring the SSO for our SAB BI system( we have BEx reporting (Excel based) Web Reporting, Precalculation and IGS services) based on PKI cards. But the first scenario (SAP GUI for Windows with a Kerberos integration) does not support Web based applications as you mentioned in the blog. The 2nd scenario does not require PKI card.

            Can you provide some documentation on Combination of these 2 scenarios.

            Also we are testing for our Development system and GUI is logging fine but for BEx its giving error.

            Can you please provide some suggestions on my quesries.

            PS: I’m a BI consultant.

            Best Regards,


          • Hi Kiran,

            an answer depends on your PKI cards provider. The following scenario is a common one:

            Most PKI providers are integrated with the Microsoft Certificate store. So the card middleware put the X.509 certificate into this store automatically. So you can configure Secure Login Client to use this certificate for SSO for SAP GUI. Furthermore you an use this certificate for Web SSO. If this is the case you have to configure your landscape in the similar way I described in my blog with the X.509 certificates but without using Secure Login Server, because in your special case the certificate is coming from your third party PKI/smart card.

            So in this case you authenticate with the certificate on your smart card but you do not use the Kerberos integration of SAP NW SSO (as described in this blog).




    • Hey Vicki — we are also thinking of a very similar approach but we are in the piloting phase. Are you able to shed more insights on this? I’d love to connect with you to see the pros/cons in your deciding the SSO method as well as business feedback from users.


  • Hello Mathias

    We are planning to setup Windows Kerberos setup for SSO to SAPGUI (without using SLS). We see that it is possible for the user to “Log In” in the Secure Logon Client (SLC) with a blank user and password field (that is user has the possibility to enter another user’s credentials to get a kerberos ticket which would be a security risk that he could use that to login to any SAP system configured with SSO).

    Could you help us understand how we can prevent this? Also if you could help us understand why such an option would have been provided in the first place? Woud it be required for any “use case” ?



    • Hi,

      this logon screen is for use cases like:

      – authentication via LDAP in combination with secure login server

      – authentication via RADIUS in combination with secure login server

      – login/logoff manually

      The standard Kerberos integration does not require to type in user or password.

      So I would guess that you perhaps choose the wrong installation option of secure login client –> option: Kerberos Single Sign-On



  • Hi Matthias,

    I’ve implement SNC via sapcryprolib a year ago on a sandbox environment:

    • set principal name

    • install sapscryptolib + environment variables (SECUDIR (sec path) + SNC_LIB (gx64krb5.dll))

    • set instance parameters

    • install Kerberos DLL (gsskrb5.dll) + environment variable (SNC_LIB (gsskrb5.dll))

    • on 2k8 / 7 – re-enable local policies for kerberos

    • map users on ABAP

    For now, one customer want to implement SSO and buy NW-SSO-Licenses, but they don’t have any Java in their environment. I’ve searched and found some information (including your how-to), but I’m a bit confused.

    • What is the difference between the ‘simple’ way I’ve setup and the ‘new’ way via NW-SSO (SSO Client and SSO Library)?

    • Why should I buy NW-SSO-Licenses, if I get it worked without any investigations?

    • And what if, my company is hosting the SAP servers with an extra SAP domain and the customers just connect to the SAP servers through a SAPRouter?  What’s about the domain trust relationship between the SAP domain and the customer domain? Is it unnecessary with the ‘new’ NW-SSO implementation?

    Thanks for any advice.

    Best regards,


    • Hi Tobias,

      Not all scenarios of SAP NW SSO require a Java server. This blog is a scenario without a java server.

      You are describing an implementation without SAP NW SSO and you are asking, why you should use tSAP NW SSO The answer is very simple. You are describing a spot solution which works only in pure Windows environments and only for SAP GUI. But most customers expect more. They want to have a holistic SSO solution. They want support for non Windows OS systems on client or server, support of LDAP integration, Web SSO, NWBC support, non SAP support, integration into the cloud world, 2 factor authentication, partner integration, support of public authentication standards, support of other SAP native clients,….

      The advantage of SAP NW SSO is, that you get a “SSO suite”. The solution contains many modules and the customers choose the ones, which fits to his requirements and he can change it also later. We add also new innovations to the product.

      Furthermore you are describing a solution where SAP is not the owner of the whole code. So we are not able to make changes and customers expect a end to end support. Furthermore there are some security related arguments, which I don’t want to mention here.

      SAP NW SSO supports also scenarios without a trusted domain relationship.



      • Hi Matthias,

        thanks for your quick reply, that brings some light in the darkness.

        Ok, so switching to NW SSO implementation gives us and our customers the guaranty for the future to implement some other applications, like Java or Web SSO?

        Found the part for non trusted domains in the Secure Login Guide, I will check NW SSO out, thanks for your how to.



        • We are supporting already now Web applications (ABAP, Java, non-SAP) via SAML or automatic created short living certificates (secure login server). Furthermore we plan new Web SSO options. But you decide which component you will implement depending on your business needs.

          In secure login server you can maintain already today different independent domains. Same for SAML. For “Kerberos only” this question was answered by Frane Milicevic (SAP colleague) in this community. I need to find this information again 🙂



  • Hi Matthias

    We have a ASCS + 2 SAP app instances kind of setup. Which means load balancing.

    i setup Kerberos config and keytab for each app instance seperately.

    Does ASCS also require something?

    Also our GUI entry for these systems are setup for loadbalancing (messager server + smlg group based)

    I noticed that unless you specify a hostname in the GUI entry , you are not allowed to choose the SNC encryption check box in the network tab. But we rollout our sapgui configuration with sapmsg.ini and hence the GUI entries by default dont show the hostname. how do we deal with this problem

    also with SAP systems having multiple application servers, would it not be easy to have the configuration in the Default profile rather than each instance. Coudl we not put SLL in a shared location that each instance could access? The same question about how loadbalancing + SSO works for SAP  systems with multiple instances

    • Hi,

      The Kerberos keytab contains Kerberos principals and encrypted keys that are derived from the Microsoft Windows user password. Therefore a Microsoft Windows account in Microsoft Active Directory is required.

      –> so the service principle name depends on the SAP system not on the server. It is of course related to the server name of the MS AD.

      The solution works of course also for systems with many application servers.



      • hi Matthias,

        Sorry my question might not have been clear

        Yes we do understand that a AD user is required

        scenario :

        1 SAP system SID

        2 application servers : hosta and hostb

        1 ascs instance : hostc

        AD user created , setspn with SAP/KerberosSID

        Setup SLL on the 2 application servers and created ktabs on both servers with same spn

        a) Do i need to do any configuration on the ASCS instance for SSO?

        b) in the SAPGUI , for the sap system entry SID, if i put the message server details and the SNC name, will it perform load balancing like it used to without SNC configuration?

        c) Instead of doing the SLL configuration on each host, would it not be easy that we put SLL in a shared location to which all sap instances of that system have access, which is like /sapmnt/SID/SLL ?. This way maintenance could be easier because the update can only be done at one place and also the parameters can be made in the default profile instead of the sap instance profiles?



        • Hi Chandrakanth,

          here my answers to your questions:

          Answer to question a)

          ASCS will receive the “correct” SNC name from the application servers. So you don’t need to configure anything in ASCS.

          Answer to question b)
          Loadbalancing will work as before (with or without SNC). In this “group/server selection” mode you cannot change SNC name (only enable/disable SNC).

          Answer to question c)

          This is possible.

          Best regards,


          • Hello Frane

            About b) if you could please elaborate what you meant by “cannot change SNC name”

            About c). By putting the SLL directory on a shared path which can be accessed by all application servers, say /sapmnt/SID/SLL , do you think there could be any NFS, etc problems? The libraries within will be in use by all application servers of the SAP system from an nfs rather than a local directory. Would you foresee any problems with it?

            My idea was that putting SNC parameters  into a default profile and the SLL folders in a common directory would help reduce efforts . The guide somehow is very explicit about snc parameters to be in “instance profiles” and also about SLL under the local instance directory. Appreciate if you could help understand why this is

            Have a new question d). The guides mentions about two files to be maintained in $HOME/sec which are sec_log_file_filename.txt and sec_log_file_filelevel.txt. Typically for a SAP system with multiple application servers, the home directory of a sidadm user is shared . This means the two files mentioned would have the same content on all application servers.

            Is it possible that i can make these files read from a different directory than $HOME/sec so that i can have different content for each application server?

            If not, is there a way that i can put the content in the filename in such a way that it has “hostname” also in it? (it already has something for %.PID.%). This way i can be sure that the trace files on all four application servers will be differe

          • Hi Matthias, Frane

            Please could you clarify my questions above when you get the chance. We are almost ready to start our program to setup SSO.

            Also we already use kerberos/spnego for our portal applications. There we sometimes face the problems documented in SAP note 1283986. Could the same symptoms be experienced in SAP GUI SSO also?

          • Hi Chandrakanth,

            Related to answer b)
            I mean you cannot change the SNC name in SAP Logon (SAP GUI) application, if you are using the loadbalancing option (snc name is grayed).

            Related to answer c)
            This depends to you network access/right management.
            If you want to be on the safe side, deploy to every application server a “local” folder (local access).
            What about configure for the profile parameter snc/gssapi_lib the value $(DIR_INSTANCE)\SLL\secgss.dll ?

            Answer to question d)
            Typically this option will be enabled to analyze problems in Secure Login Library.
            Again my suggestion, use local Secure Login Library installation with local
            log file configuration.
            If there are different application servers available in one hardware, you can adjust/distinguish  the path in sec_log_file_filename.txt for every application server.

            You can use $HOME/sec or /etc/sec

            Answer to new question related to SPNEGO in AS JAVA
            This is an issue related to the Kerberos implementation (checking time/date information in Kerberos ticket).
            Yes, this has also an influence to the Kerberos implementation in AS ABAP.

            Best regards,

          • Hello Frane

            Many thanks.

            c) Yes we could put this in Default profile by using $(DIR_INSTANCE)\SLL\secgss.dll etc however would you know why the guide explicitly mentions “Instance profile” ? May be there were issues identified by putting this parameter in the Default?

            d) Understood that we can give a path in the sec_log_file_filename.txt. but this path must be the same on all application servers as the file content is going to be the same. And we dont have any such path common to all appliction servers which is meant for SAP use. Would there be any format i could use to ensure that these log files always get created inside $(DIR_INSTANCE)/SLL/logs etc? Or may be is it possible to put  %hostname% (like we have %.PID.%) ? to make the logs distinguishable etc? I tried these two options but wont work. Appreciate if you could suggest some ideas. 

            e) The kerberos time question. Thanks for highlighting. In case of portal, a nice message is given to the user indicating that the time is out of sync for the issued keberos token. How or what kind of message woudl a GUI user get? Though we have a good Active Directory domain setup and all the domain controllers are synced to a common time source, our unix servers (on which SAP is running) are synced to a different time source. Hence we could expect that this issue can happen. Would you know how the error message would look like? if not, can we reproduce this somehow?



          • Hi Chandrakanth,

            Answer to c)
            The guide provides configuration options. Please feel free to adapt to your own requirements.

            Answer to d)
            In this case i would like to recommend to ask for consulting support.
            This forum is maybe not the best place to provide customer specific solutions.

            Answer to e)
            You can test by yourself, if you change the time on the desired SAP AS ABAP (test) server.

            Best regards,

        • Hello, Chandrakanth.

          Did you manage to setup you SSO successfully for system with logon groups? Can I know how?

          I already setup SSO on our Sandbox and Dev systems which happened to have only 1 application server. Now I am about to setup SSO in our Test systems with the same as you have (ASCS and 2 apps server).

          Appreciate if you could share the setups you did for this..

          Have a great day!



  • Hi,

    when I try create Kerberos KeyTab, I get the following error.

    sapr3-test:prdadm 53> snc crtkeytab -s hosts/kerberosPRD@ORION.LOCAL -p password


    ———— crtkeytab ——————————————————-



    License Disclaimer SAP NetWeaver Single Sign-On

    You are about to configure trust for single sign-on or SNC Client Encryption.

    Please note that for single sign-on you require a license for

    SAP NetWeaver Single Sign-On.

    As exception, the usage of SNC Client Encryption only without SSO is free

    as described in SAP Note 1643878.


    PSE password          >********

    WARNING: Kerberos service user name contain a ‘/’, this is unusual !

    Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM

    Kerberos principle name must contain a ‘@’!

    Syntax: <serviceUserName>@<domain> e.g. SAPService<sid>@SAP.COM

  • Hello Matthias

    This was a a very helpful blog for setting up the SSO in our current project. Many thanks.

    We have a scenario of SSO to solution-ise and we are looking for support. We successfully established SSO for desktop and html (NWBC) to SAP ABAP server directly.

    The project has a requirement to login a blackberry user (only Managers – around 50) directly (SSO) to SAP to approve/reject leaves (There will be a direct link to NWBC from HCM).

    Is there any way to use SPNs and achieve this single sign-on for blackberry user?  Or how can the blackberry users receive the kerberos token which is normally installed via the secure logon client on desktops. Our blackberry users get an email in the Outlook with links to approve and reject leaves (using NWBC). When they open the links, the single sign on has to be achieved. We are struggling to pass on the Kerberos token to the blackberry client. ( Outlook on blackberry is already signed in and they try to open a link from the email which needs SSO to backend ABAP Server)

    Request your suggestion, please.



    • Hi Sai,

      I do not have much experience with Blackberry. The problem is that the devices itsself have to support SSO standards. Of course there are other techniques available like app wrapper … to provide a solution.

      I know that Apple start to support Kerberos and SPNEGO for Web based applications. In this case you can use SPNego for ABAP and SPNego for Java.

      Mobile Single Sign On from iOS 7 to SAP NetWeaver

      Similiar to Samsung. They plan to provide something in Samsung knox.

      Of course SAML supports also Web based applications on mobile devices. But you want to pass a Kerberos Ticket on the mobile device and I am not an Blackberry expert.

      Currently I would recommend to ask the question in the SAP mobile community:



  • Matthias,

    We do have SNC enabled with external PKI cards on our SAP systems.

    For our external business partners, since they don’t have PKI cards we are planning to use userid and password but we still like to use SNC (so that password is not sent in clear text).We are having issues when we try that with message

    “Unable to establish security context”.

    Do you have any suggestions.?



    • Dear Srinivasta,

      Please, provide more details:

      1) Do you have a success with enabling the SNC with external PKI cards for your company users?

      2) What is the application used by your external business partners for authentication and is this application inside or outside of the Firewall of your company?

      3) If possible, provide more details about the landscape (systems you are trying to connect with SNC).

      Best regards,

      Donka Dimitrova

      • 1.) Yes we have successfully implemented PKI card based authentication for our internal users

        2) External users are outside our firewall and they will use SAPGUI to login but they do not have PKI cards.

        • Hi Srini,

          you are currently using SAP NW SSO for SNC – right?

          About which userid and passwords are you talking (related to partners) -> maintained in SAP, LDAP, Domain users, …. ?



  • Hi Matthias,

    This is a great blog, thanks. We are looking to deploy Netweaver SSO 2.0 for SAP Windows GUI to connect to ABAP systems, which looks like exactly your use case. Could you confirm if the above blog is still current for SSO 2.0 SP2. Your comment above seems to suggest it is, but I wondered if there was a more current view. If not, I’ll try and create one as we deploy it.



  • hello,

    where i’m currently working (as extern) we use Sap single sign one.

    With a customre PC, i can use the single sign-on

    but as i have my own computer it doesnt work. i imagine that the reason is because the windows account i’m using to log on the taptop is different than the account provided by my customer

    is there a way to make it works?



    • Dear Sebastien,

      Most probably you have been provided with a Domain UserID and password by your customer in order to be able to work wuth their systems but you can use these credentials only from the “customer PC” because these PCs are recognized by the customer Domain. Your personal computer most probably is not registered in this customer domain and this is why you are not able to use the same credentials (UserID and Password) provided by your csutomer to log-on to their Domain and systems with your laptop. Also if you are using different credentials (UserID and Password), they most probaby authenticate you for log-in localy on your own laptop – outside of the customer Domain.

      Kind regards,

      Donka Dimitrova

  • Dear Experts,

    the demo above are excellent and gives deep insite for setting up SSO for SAP Application. we recently brought licenses for SAP SSO and currently in phase of Pilot run . we are done with SAP ABAP and JAVA system SSO Setup which is working fine with no issue, however non-sap web applications are challenge for example BMC remedy and couple of home development JAVA based applications. these application supports X.509 certificates. we tried to find docs but unfortunately no success.

    how do we take non-sap application sso enablement forward… any hint pls….



  • Hello Matthias,

    We have configured the SSO with SecureLibrary 1.0 and Secure Client 1.0 for SAP GUI two years ago. Now we would like to configure NWBC SSO. I read that the Secure Client and the Secure Library 2.0 is a must. Is there any document which describes the upgrade procedure?


    Alexander Tuerk

      • Hi Matthias

        We have configured SSO between SAP Portal 7.30 and SAP ECC 6.0 (ABAP only) servers. Both SAP ECC and SAP Portals servers are configured on

        AIX environment. In SAP Portal, user ID is created as firstname.lastname and in SAP ECC server, user ID is created as initial.lastname. SAP Reference server method has been used for user mapping between SAP Portal and SAP ECC. No issue in this environment and SSO is working good between SAP Portal and SAP ECC.

        Now, new requirement is to configure SSO between SAP Portal 7.30 and LDAP (MS Active Directory). In SAP Portal and MS ADS (Microsoft Active

        Directory Server), user ID is configured as Firstname.lastname. 


        • – What would be the best way to configure SSO between SAP Portal 7.30 and MS Active Directory?
        • – Do I need to install SPnego in SAP Portal server?
        • – How and where to map the user ID of SAP ECC servers? (In SAP Portal/MS ADS server, user ID is created as firstname.lastname and in SAP ECC server,

        user ID is created as initial.lastname). Here I’m assuming that user Mapping for SAP ECC server will be done in MS ADS server but not sure about it.Pls suggest.

        • – SSO with SAP LOGON Method is used for certificate between SAP ECC and SAP Portal. Does this certificate still work between ECC and Portal or do I need

        another certificate (between ECC and MS ADS). Pls suggest.

        or if you have any document to refer, pls send me the link.



          • Hi Matthias

            We used SAP NetWeaver Single Sign-On.

            We used following processing for SSO setting between SAP ECC and SAP Portal server:

            1. http://servername:port/sso2 ->Trusted System (added the ECC server as trusted         system)
            2. http://servername:port/nwa –> Authentication and  Single Sign-On (Here we can see the trusted system that is created in step 1)
            3.   http://servername:port/nwa –> Configuration ->  Certificate and Keys (Cretaed the ‘SAPLogonTicketKeypair’ and  ‘SAPLogonTicketKeypait-cert’). Download the  certificate of As Java system and upload it on As ABAP system.



          • Hi Amar,

            so this blog is about SSO for SAP GUI for Windows. So this would not work for SAP Portal.

            Configuration ->  Certificate and Keys (Cretaed the ‘SAPLogonTicketKeypair’ and  ‘SAPLogonTicketKeypait-cert’). Download the  certificate of As Java system and upload it on As ABAP system.

            So this looks like you are using SAP Logon Tickets and not SAP NetWeaver Single Sign-On (a separate product which is not part of the SAP NetWeaver Standard Package).

            –> check the SAP Portal community if you would like to continue with SAP Logon Tickets.



          • Hi Matthias. We have CRM system Release 7.01 (ABAP) and need configure SSO with Active Directory.

            All users logon in the Workstation with user and password in the domain. Open the Internet explorer and logon to the web gui CRM.

            Web GUI = https://server_CRM/sap/crm_logon

            which method we use SSO?

            Best Regards.

          • Hi,

            if you would have ABAP 7.02 SP14 -> SPNEGO for ABAP.

            In your case

            a) Secure Login Server (automatically generated certificates –> see my blog) out of SAP NW SSO (a MS AD integration is available)

            b) via SAML IDP on a SAP NW Java Server in combination with SPNEGO for Java

            if you use option a you have automatically SSO for SAP native clients and other non-SAP applications. I would recommend this for internal scenarios. I would recommend option b for extranet scenarios.

            You can of course also setup a SAP Portal with SAP Logon Tickets and SPNEGO for Java (but this is perhaps a little bit too complex for end users).



          • Hi Matthias, thanks for you information.

            The Software SSO 2.0 and addiotional license, Right?

            I cant a get DEMO the software SSO 2.0?

            Best Regards.


          • yes, this is not included in SAP NetWeaver. Yes, your SAP account manager can provide you a demo license so you can test it.



          • Dear Matthias,

            Sorry to go this way but …

            I am getting the error

            Sapgui 730 [Build 9027] Thu Feb 05 08:01:16 2015
            : ‘GSS-API(maj): No credentials were supplied
            Unable to establish the security context

            Error in SNC

            I have used the procedure described by

            The configuration is only to able SSO for SAPGUI.



  • Hi Matthias,

    Thanks, this is the good stufff.

    Actually we are using X509 method. In that we are going with secure login webclient for AS ABAP system

    i read the configuration doument of secure login webclient.

    in that they mention

    1. Start the Secure Login Administration Console.
    2. Choose the relevant client authentication profile.
    3. Select the Secure Login Web Client Settings tab.
    4. Using the Post Authentication Actions section, choose the action you want to use.    As an option for the connection types for direct connection, load balanced connection, and SAP logon pad, you can also define that the Secure Login Web Client redirects to a given URL after successful authentication.

      Several types of connections to SAP GUI are available. For more information, see the related links.

      • Simple redirect to URL

      •   Direct connection with Secure Login Web Client (Redirect to URL option also available)
      •   Load-balanced SAP GUI connection using the message server (Redirect to URL option also available)
      •   Launching your SAP logon pad directly (Redirect to URL option also available)

    I have a question, on X509 Webgui(URL), once the user click on the web link, it will prompt the user to authenticate with AD.  Once the user is authenticated, what happen next? 

    Does it get the SAPLogon and then double-click on XXX to get to SAP?  Will he login directly to SAP XXX then?

    Do you have any configuration documents or screen shots like above document on secure login webclient please provide




    • Hello Srinivas,

      When you want to implement Secure Login Web Client (SLWC) for Single Sign-On to the SAP GUI, you have to configure the connections to the SAP GUI as mentioned in the documentation, you copied in your message. When this is configured, after the authentication of the user the SAP GUI/SAP Logon Pad will start automatically as post authentication action.

      If you use Microsoft infrastructure and if the user is already authenticated to the directory and a Kerberos/SPNEGO token is available for him, it could be reused for authentication to the SLWC. This way the user will have only to click on the link for the SLWC and SAP GUI/SAP Logon Pad will be automatically opened for him.

      Best regards,

      Donka Dimitrova

      • Hello Dimitrova,

        i have so many questions here:

        This way the user will have only to click on the link for the SLWC and SAP GUI/SAP Logon Pad will be automatically opened for him.

        1. uning SLWC in this SAP GUI will i get all the SID’s  what ever we have in SAP logon pad on the desktop.

        2. if first one is right that means one URL for all the SAP instances

        3. After sucessfull athentication in URL. SAP GUI logon pad will display. in that we can choose any system(which ever i have access)

        4. have heard about Winshuttle application

        Some of the users still need SAPGUI access b/c they use Winshuttle application (for loading data into SAP, this requires SAPGui and Gui scripting).

        is this possible through SLWC ?

        please provide the information on this and thanks for the previous message



        • Hello Srinivas,

          When you implement Secure Login Web Client (SLWC) for Single Sign-On with configuration for SAP Logon Pad, after the successful authentication the SAP Logon Pad will be started as a post authentication action. The SAP Logon Pad will display all the system IDs and the user will have just to select the system that he wants to use and he will be logged in automatically.

          As part of the implementation process you have to make sure that all SAP systems are configured to trust the same Secure Login Server Root CA.

          Regarding the 3rd party solution Windshuttle, I am not able to confirm any integration. Please, get in contact with the vendor representatives for more information.

          Best regards,

          Donka Dimitrova

          • Hi Dimitrova,

            Thanks you so much for the information. This so useful for me.

            Regarding SSO for Business Explorer:

            If we configure SLWC. Is there any additional configuration required for business explorer or same configuration enough



          • Hello Srinivas,

            It is possible to implement Single Sign-On to SAP Business Explorer but you have to implement it it using the Secure Login Client.

            Best regards,

            Donka Dimitrova

          • Hi Dimitrova,

            Thanks you so much for helping me 

            while configering SLWC:(as per the installation guide)

            1. Start the Secure Login Administration Console.

                    i opend secure login URL : http://localhost:50000/securelogin

                    i got three options

                   a. sever configuration

                   b. instance management

                   c. console user

            i choosed sever configuration but in that ill get so many options(please find the attachments)

            2. Choose the relevant client authentication profile

            3.  Select the Secure Login Web Client Settings tab.

            i really confuse which option i need  to choose.

            Please route the right directions and help on 2 and 3 points

            Thanks soo…much again for helping


            Srinivas S1. secure sever administrator console.PNG2. server configuration.PNG  

          • Hi Dimitrova,

            We are integrating Microsoft Active directory to SAP in NW SSO configuration (X509-method->SLWC).

            Create a Service User Account in Windows Active Directory

            we created the Service user account.

            Define Service Principal Name for the newly created windows user

            Could you please help  me the format to create the service princpal name



          • Donka — to clarify, this solution in the original blog at the top requires full purchase of the SAP SSO license? Does the Secure Login Sever incur additional costs on top of this?

  • I’ve configured this, and it worked ok, until I changed an user password. What is the correct procedure for password changing?

    Here are the steps I’ve performed:

    1. Configured everything according to your document, added system variable SECUREDIR, using D:\usr\sap\SID\DVEBMGS00\sec

    2. Executed snc -s SAP/NEWUSER@MYDOMAIN.LOCAL -p PASSWORD (this is an user accesing from a client computer) This wordked ok.

    3. Changed AD password for NEWUSER, SNC stopped working. Received message error A2210217: The verification of the Kerberos ticket failed target “p:CN=NEWUSER@MYDOMAIN.LOCAL”

    4. Changed password on ABAP.


    Still get the error.


  • Hi All,

    SSO 2.0 secure login webclient is configurd and working fine for ABAP systems. can any one tell me the procedure for AS JAVA systems(only java).



  • Hello All

    I have  ERP 6.0 SR3   using  only  ABAP  System  install     with  all   latest  support  stack but    T-Code  SPNEGO   is not  working . We do not install  JAVA Stack.

    Please review Screen shot




      • Good Morning  Donka

        As per  your  suggestion  using  this  T-Code  SPNEGO require    Kernel Upgrade 7.21  with latest  support  stack. After  upgrade check  T-Code SPNEGO is  not  available.  Now  I  Try to  Configure SNC with SPNEGO Tcode

        Do you  have  any document  for  ERP 6(SR3) my  SAP_BASIS level 700 or  do you have any document without  SPNEGO  TCode



        • Hello Tejas,

          If you want to use SPNego (browser-based Kerberos) authentication with an ABAP system, you require these 3 components:

          • ABAP (component SAP_BASIS)- 7.40 SP 2 (or higher)/7.31 SP 7 (or higher)/7.30 SP 10 (or higher)/7.02 SP 14 (or higher)
          • Kernel: 7.21 (EXT) PL 41 (or higher) – recommended: 7.21 EXT PL 110 or higher
          • CommonCryptoLib (CCL) or Secure Login Library (SLL)

          Please, make sure you have the minimum SP/PL for these components.

          Please, notice that this capability is not available for SAP_BASIS level 700

          For more details, please, consider reading again the SAP Note

          Best regards,

          Donka Dimitrova

  • Hello   All

    Given Error  GSS-API(maj): NO  credential’s were supplied

    Unable to establish the security context

      I  try to configuring  SAP ERP SR3  with  SSO   1.   &  SSO 2  for    ABAP  Stack  only    with Window  Server  2008   R2.  my  SNC configuration done  successfully   here it is attach screen shots


      while using    SAP  GUI    given  following  Error 


    • Hello Eduardo,

      Yes, the SAP Single Sign-On product offers SSO solution also for SAP NetWeaver Business Client and users will not need their passwords once the SSO is implemented.


      Donka Dimitrova

      • Hi Donka,

        thanks for the quick response, I am implementing the sso with the integration with AD, implementing this way when you open the NWBC it will make SSO or have to implement something else?

        Best Regards,

        Eduardo Silva

  • Hello,

    i want to configure the SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.

    the SAP username is made from the first letter of the firstname and the family name “flastname” but the Kerberos token generated by the SAP secure login client is  “CN=FIRSTNAME.LASTNAME@COMPANY.COM“.

    My question is the following: is there a way to use variables in the transaction SNC1 so that the SAP user “flastname” will be mapped to “CN=FIRSTNAME.LASTNAME@COMPANY.COM“?



  • Hi Matthias,

    I have a doubt, We are going to implement SSO with kerberos in SAP ECC and BW system.

    For BW – Our SAP component version is SAP Netweaver 2004 – SAP BASIS-640- 12 patch

    Kernel Version – 640_EX2- 414

    For ECC – Our SAP component version is SAP R/3 Enterprise 4.7 with SAP_BASIS – 620- 36 patch

    Kernel Version – 640_EX2- 414

    Can we implement SSO with kerbose for this version .

    Any prerequisiste needs to be taken care for the above version.



    • Hi Subbu,

      with SAP Single Sign-On you can use Kerberos based single sign-on for SAP GUI and RFC clients also on those releases. However, you cannot use SPNEGO to enable single sign-on for web applications. SPNEGO requires version 7.02 or higher.

      Best regards,


  • Hi All,

    My case is some particular. Some users can connect via SNC by single sign on, but others cann´t do it, the parth level are the same, cnd configuration. We have 3 apps server and 1 for database. The 3 AppServer are correctly configur. My account work properly at any App Server. Sap Gui present an error below the screen in message bar for some users like this:

    No user exists with SNC name “p:CN=WRONGSNCNAME

    Any clue?


    Thanks in advance.


  • Dear Matthias,

    Dear SAP Gurus,

    I have implemented SSO with kerberos, both ID’s AD and SAP are same in that case. I need this prerequisite written in any SAP note or SAP document.

    Or SSO with kerberos is possible if AD id is and SAP id is sachin?

    Waiting for urgent response. Please reply


  • Hi Matthias very nice blog.

    I have one query.

    How to map users when their windows id and sap ids differ from each other.

    Do we need to edit thousands of users manually in SU01 -> SNC tab?

    Thank you.



  • Hi,

    When a new user (user A) logon windows 7, SAP Gui SSO Works fine. But when a new user (user B) logon same Windows 7 client, SAP Gui get this error:

    Unable to load GSS-API DLL named “sncgss32.dll”. But user A still when logon same Windows 7 SAP Gui SSO Works fine.

  • Hello Matthias,

    Thanks for your blog.

    I have some concerns, could you please get back to me? I configure SSO and cannot login.

    1. To enable SSO, can we configure in Default profile? or it must be instance profile?
    2. These parameters are mandatory or not: snc/data_protection/use, snc/data_protection/min and snc/data_protection/max

    Thanks and have a great weekend!


  • Hello Experts,

    My need is to login from SAP Enterprise Portal via SAML SSO. I have two set-ups-

    1. In first environment, I am sitting on SAP Netwever BI 7.0 and SAP Basis 700. Is it possible for me to implement SAML SSO in this environment? If not, what upgrade is required on my system?
    2. My second system is on Netwever 7.4, but it is having AS ABAP stack only (no JAVA Stack). So, even Enterprise Portal doesn’t exist for same.

    Please guide me which system is easy to proceed with to achieve my target. and how?