Skip to Content
Technical Articles

NWBC (4.0) meets Single Sign-On: Simplify Secure Data Access (Part 1)

NWBC was originally designed to enable users to access data using multiple UI technologies from a single ABAP back end system.

To make data access secure, we now recommend combining NWBC with SAP NetWeaver Single Sign-On.

This solution is both simple and secure.


As of release SAP NetWeaver Single Sign-On 2.0, SAP NetWeaver Single Sign-On offers support for SPNEGO for ABAP.

Setting up SPNEGO for ABAP is a simple and straightforward process that involves only a few

manual configuration steps:

  • Install the Secure Login Library on the SAP NetWeaver ABAP back end.
  • Set the system parameters spnego/enable and spnego/krbspnego in the SAP NetWeaver Application Server ABAP and configure the key Tab generated by the Active Directory Server in transaction SPNEGO.
  • Map the user’s Kerberos principal name to the ABAP user name using transaction SU01.

Leveraging this Kerberos-based single sign-on technology, you can implement an SAP NetWeaver Single Sign-On solution for your NWBC quickly and easily, and without the need for a Java stack.

With SAP NetWeaver Single Sign-On 2.0 and NWBC you can simply reuse your Windows domain authentication for Single Sign-On, even across different domains.

This tutorial-like blog describes how to connect securely and in just three easy steps to either a single ABAP back end system or to multiple ABAP back end systems.


NWBC 4.0, SSO 2.0, SAP NetWeaver 7.3


  1. After implementing SSO with Kerberos (see How-To-Videos), create your SAP GUI system connection, e.g. System 1, in SAP Logon.
  2. Activate Secure Network Communication (SNC) for your system.
  3. Open NWBC and create a system connection (System 1) referring  to SAP GUI system connection (enter exactly the same string: System 1) to make use of the SNC settings activated in SAP GUI.



Encrypted content.


Connecting to More than One System

If you’d like to implement safe connections to more than one ABAP backend system you have to repeat the steps described above for a second system (e.g. System 2).

Note: For the server configuration (transaction RZ11) you must set the profile parameter.  Enter the value 3 (default parameter in the kernel as of NetWeaver 7.40) to enable the AS ABAP to issue authentication assertion tickets and no logon tickets. We recommend you use this value.

(login/create_sso2_ticket to 0 =no logon or assertion tickets)

Recommendation: Create a new service user on the Microsoft Active Directory server for each SAP system (see first part of the second video “Implementing Single Sign-On with Kerberos”)

Hint: Activate the NWBC system selector at start-up to switch easily between your systems, see the following screenshot.


To see how to access multiple systems. Referencing from one system to the other via PFCG mapping read part 2:

NWBC meets Single Sign-On: Simplify Secure Data Access in Remote Scenarios (Part 2)

More information on Authentication and Single Sign-On with NWBC

Find more information about Single Sign-On 2.0 in the Community for SAP NetWeaver Single-Sign On.

See also:

NWBC and SSO: Logon with/without SNC (Secure Network Communication)


NWBC and SSO: SAP NetWeaver Single Sign-On 2.0 with native support for SPNEGO for ABAP (SAPinsider-Artikel)

You must be Logged on to comment or reply to a post.
  • Hi Sandra,

    Thanks for sharing this. One question I have is w.r.t the profile parameter login/create_sso2_ticket if you set that to 0 then there will be no SAP Logon Ticket created for the system and then each time you access a page I expect a new authentication might take place... could this be a performance issue?

    Just a thought/query I had when I read this.


    • Hi Simon,

      becoming a big fan of NWBC 🙂 ....

      No performance issues a.f.a. we've tested with Security Session Management active.



  • Hi Sandra,

    We have a requirement to use Microsoft AD as a source for passwords, from the NWBC.
    , but not using SSO, using manual username/password input.

    Will this work for our requirement? Please let me know...

    thanks so much,


      • Hi Sandra,

        Thanks for the reply.

        Just for some clarity... does manual un/pw refer to the SAP user database or AD authentication?

        I'd like to enter my un/pw manually using AD details, not SAP details (to access SAP).

        We would not like to use SSO as many employees share clients. Our requirement is to basically use AD details to login to all SAP systems with manual un/pw input.



  • Hi Sandra,

    We now have SNC/Kerberos working for SAPgui.

    We used same sapgui entry in NWBC 4.0SP12 however it does not appar to make any connection to sapgui at all.

    What could i be missing?

    • Hi Clinton,

      sorry, what do you mean by "any connection"?

      After implementing Single-Sign On 2.0 with Kerberos (as shown in our video series: you don't have to log on seperately to NWBC and you'll get secure data communication.

      If not working after implementation you have to open a message.


  • Hi Sandra,

    thanks for sharing.

    We use software from Quest as SSO for SAP GUI, and it should work like SAP single-Signon software.

    Parameter login/create_sso2_ticket = 2

    Even thouth I have added same name in SAP GUI Logon Description as in SAP GUI I cannot get it to work.

    NWBC still prompts for password - sometimes it has my username filled out and sometimes it has not.

    We have 5 different saplogon.ini files that we use. How can I see what ini tile NWBC is using, so I be100% sure about the SAP GUI Logon Description.

    We are on Windows 7.  



  • HI Sandra,

    We now have NW SSO with SPNEGO  setup working for SAPgui 730, So now are doing a POC with GUI 740 plus NWBC 5.0. Added one of ABAP system in SAP GUI 740 which works for SSO but when the same system description pulled in NWBC , it asks for Log in credentials.

    Can you help us if there any addition setting to be done for NWBC to work for SSO.

    Thanks in advance,


    • Hi Shravan,

      there are no additional settings on NWBC side. If you see the description, just choose it as you can see it on my screesshot:


      Please check your SPN-Entries. Different technologies (SCN and SPNEGO) need different Service Principle Names. I am afraid you have to open a message.  Here on Product Management Side we cannot reproduce your problem.

      Good luck,



  • Hi Sandra,

    this is very useful information indeed. Is this procedure limited to SPNEGO/Kerberos scenarios? We have a "full-blown" PKI infrastructure which we use with SAP Netweaver SSO 2.0 Secure Login Client to achive SSO. This works fine, but if I try to create a connection as outlined in step 3, the client still prompts for username and password. I even activated the "Use Secure Login Client" checkbox in the XML configuration file, but without success.

    Best regards,


  • Hi Sandra,

    Great articles!  I'm having a problem with NWBC 5.0 PL9 and SAPGUI 740 PL4.  I'm using the SAPUILandscapeGlobal.xml file stored on a central file share which all the NWBC clients point to.  It has worked well.  We just enabled SSO so I've added the SCN information to the xml file.  When I open SAPGUI, everything works like a charm.  When I open NWBC, it does not - I'm still getting prompted for a logon.  Any thoughts?

    Thanks in advance,


  • For those using the SSO scenario - Kerberos+SNC and already got it working on SAPGUI but struggling with NWBC SSO like me, please check your IE settings, under the security -> Any zone -> Custom Level -> Scroll to the bottom -> User Authentication -> Logon -> Select “Automatic logon with current user name and password”

    The SLC is only working with SAPGUI, but NWBC@business client is heavily rely on IE.