
Single Sign-On (SSO) in SAP HANA

This blog gives you details on setting up single sign-on (SSO) with SAP HANA using Kerberos.

Why do we need SSO?

With SSO enabled, users can log in from BO (or any front-end application) and access the HANA database without providing login credentials again.

Different teams are involved in this setup (this may change based on your organization's structure):

1) The System Administrator needs to install the Kerberos client on the HANA server

2) Active Directory and service account setup is done by the Identity Management Administrator

3) The HANA Administrator needs to set up the configuration and create the users

Note: I have greyed out server names and service account names in the screenshots for security reasons.

Kerberos Client Installation:

Please make sure that the Kerberos client and libraries are installed on the HANA database server.


Creation of service account:

The Identity Management Administrator will need to create a service user and a Service Principal Name (SPN) for each host on the system. For a scale-out box, we need to create one SPN for each host. Please find the screenshot.



The SPN needs to have the following syntax:

hdb/<Domain Name>@<Kerberos realm name>

<Domain Name>: fully qualified domain name of the host

Generating a keytab:

ktpass -princ hdb/<servername.Domain Name>@<REALM> -mapuser <Domain>\<serviceuser> -pass <password> -out <keytabfile>.keytab -ptype <PRINCIPAL> -crypto <CRYPTOGRAPHIC TYPE>




The keytab file is generated using the above syntax.

Hana Admin configuration:

Log in as root and update the krb5.conf file, which is located at /etc/krb5.conf.

Entries in the file:

[libdefaults]
default_realm = <realm>

[realms]
<realm> = { kdc = <kdc_name> }

Where <realm> and <kdc_name> are the names of your Kerberos realm and KDC.

The realm is your domain name in uppercase letters, such as DOMAIN_NAME.

Note: if you do not know the above parameters (realm, KDC name, domain name), please contact your Active Directory Administrator.

Import the keytab that was generated into the HANA box.

Make sure the permissions on the keytab file are changed.
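
A way to sanity-check the files from the steps above before testing a login, as an added example that is not part of the original blog or of SAP's tooling. It assumes the SPN realm should equal default_realm and that the keytab should be accessible only to its owning OS user; the SPN and the two file paths are values you supply.

```shell
#!/bin/sh
# Added example: checks for the HANA-side Kerberos files. Names are placeholders.

# SPN must look like hdb/<fully qualified host name>@<REALM in uppercase>.
check_spn() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^hdb/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+@[A-Z0-9][A-Z0-9.-]*$'
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
default_realm() {
    awk '/^[ \t]*\[/ { sec = $0 }
         sec ~ /\[libdefaults\]/ && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Succeed if [realms] in file $1 has a block for realm $2 that names a kdc.
realm_has_kdc() {
    awk -v r="$2" '
        /^[ \t]*\[/ { sec = $0; inblk = 0 }
        sec ~ /\[realms\]/ {
            line = $0; gsub(/[ \t]/, "", line)
            if (index(line, r "={") == 1) inblk = 1
            if (inblk && line ~ /(^|[{])kdc=./) found = 1
            if (index(line, "}") > 0) inblk = 0
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed only if the keytab grants nothing to group or others
# (assumption: only the owning OS user should be able to read the key).
keytab_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_hana_krb <spn> <krb5.conf> <keytab>: run every check, report failures.
verify_hana_krb() {
    rc=0; realm=${1##*@}
    check_spn "$1" || { echo "SPN is not hdb/<FQDN>@<REALM>: $1"; rc=1; }
    [ "$(default_realm "$2")" = "$realm" ] ||
        { echo "default_realm differs from SPN realm $realm"; rc=1; }
    realm_has_kdc "$2" "$realm" || { echo "no kdc for $realm in [realms]"; rc=1; }
    keytab_private "$3" || { echo "keytab missing or group/other accessible: $3"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then verify_hana_krb "$@"; fi
```

Run it with the SPN, the krb5.conf path and the keytab path as its three arguments; a non-zero exit status means at least one check failed.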


Creation of user in HANA:

This can be done via the GUI or via SQL syntax.


Please assign the appropriate role to this user.

While configuring the user in HANA Studio, please check the authentication by OS user as shown below.


Hope this information is useful for you. Thank you for reading this blog.


Kiran Musunuru.

  • Hi Kiran,

    that is an excellent blog thank you.

    There are also some useful OSS Notes on this subject:

    OSS 1811398 - How to setup BI components to login to hana via AD kerberos SSO

    OSS 1813724 - HANA SSO/Kerberos: create keytab and validate conf

    OSS 1826673 - How to configure LDAP kerberos SSO to hana DB

    All the best,


  • Great job, Kiran! I know you were an early adopter of HANA and have more experience than most people out there. I look forward to you sharing much more of your wisdom! 🙂



  • It's worth mentioning that the AD (service) user (where you can assign multiple SPNs) should have a strong password (cf. WPA2 key).

    Reason: if that password can be guessed (or cracked), it will be possible to request arbitrary Kerberos tokens and thus to impersonate just any user in the same Windows Domain.

    PS: same is true for setting up SPNego (e.g. for NWAS Java or ABAP).

  • Please also consider the official HOWTO HANA DB SSO Kerberos/Active Directory in SAP Note 1837331.

    It comprehensively covers

    • Background know-how
    • Preparation steps
    • Step-by-step guidance (with verification for each step)
    • Troubleshooting

    This is complemented by the script for automatic validation of the Kerberos configuration and creation of the keytab in SAP Note 1813724.

  • Hi,

    I have a question:

    I have configured SSO on the HANA DB to Active Directory. Now I am able to connect to the HANA DB with my system user and it is working.

    But when I tried to authenticate to the UIS application which is activated on the HANA DB, I am not able to log in with an LDAP user, only with a DB user.

    Can you please help me understand if it is possible to log in with an LDAP user?