Skip to Content

How to configure SAP NetWeaver Single Sign-On for SAP GUI for Java with Kerberos Base solution using SNC

SAP will introduce solution for Secure Login Client for Mac OS as of SAP NW SSO 2.0 SP3.

This document will show you the step by step instructions to install and implement it.

System requirement for SLC for Mac OS is

OS X 10.7 or higher

SAP GUI for Java 7.20 or higher

Login to Mac OS using AD credentials

Note:   For Secure Login Client for Windows see URL below:

Most of the steps in this document have counterpart in document DOC-40178.

The steps below are performed in the following test environment:

Company Name: ABC


ERP 6.0 EHP5 (702 SP12)

Solaris SPARC 10.0 64bit Unicode

SAP Kernel 720 Unicode 64bit Patch 401

Host Name: sandbox



Active Directory Server (SC)

Windows 2008 R2

Domain Name: ABC.COM


Mac Client OS

OS 10.8.5

Client Login: JOHN_DOE

A- Install & Configure Secure Login Library

A.1- Create Service User for SAP AS ABAP in MS-ADS

Login to MS-Ads as administrator

Create a new user with complex password and options (“User Cannot change password” and “Password never expire”)

User ID Naming convention: SL-ABAP-<SID> (i.e. SL-ABAP-SBX)

/wp-content/uploads/2014/05/ldap_1_407166.jpg     /wp-content/uploads/2014/05/ldap_2_407167.jpg

A.2- Define SPNs for this user (one for SNC and one for SPNEGO)

          For SNC à SAP/SL-ABAP-SBX

          For SPNEGO à HTTP/ SL-ABAP-SBX

C:\Windows\system32> setspn –a HTTP/ SL-ABAP-SBX

C:\Windows\system32> setspn –a SAP/SL-ABAP-SBX SL-ABAP-SBX

Verify entries.

C:\Windows\system32> setspn –L SL-ABPA-SBX

Note:         HTTP is required for ABAP Access via web.

It is not required if your ABAP system does not comply with

note 1798979 or you do not want Web access to ABAP system.

SAP Note 1798979 – SPNego ABAP: Downport


B – Download NW SSO2.0 software from SAP Marketplace

       (You need a valid license)

      Login to SMP with your ‘S’ ID and download NW SSO2.0 software from location as shown below.    



C- Copy Secure Login Library files to SAP AS ABAP System (sandbox)

C.1- Login to your ABAP server (sandbox) as sbxadm account.

C.2- Go to DIR_INSTANCE and create a directory called SLL.

sandbox:sbxadm 67% cd /usr/sap/SBX/DVEBMGS02

sandbox:sbxadm 68% mkdir SLL

C.3- Extract SLLIBRARY00_1.SAR under the following path

<Path to 51045122 CD > 




sandbox:sbxadm 69% SAPCAR –xvf SLLIBRARY00_1.SAR

Go to extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into SLL directory

sandbox:sbxadm 70% SAPCAR –xvf SECURELOGINLIB.SAR –R /usr/sap/SBX/DVEBMGS02/SLL  (all in one line)

C.4- Verify the Secure Login Library status using the command sapgenpse

sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 72% pwd

sandbox:sbxadm 73% ./sapgenpse


C.5- Download SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3 and install it.

C.6- Extract SLLIBRARY02_3-10012577.SAR

sandbox:sbxadm 69% SAPCAR –xvf SLLIBRARY02_3-10012577.SAR

Go to extracted directory sunos-5.10-sparc-64 and extract SECURELOGINLIB.SAR into SLL directory

sandbox:sbxadm 70% SAPCAR –xvf SECURELOGINLIB.SAR –R /usr/sap/SBX/DVEBMGS02/SLL  (all in one line)

C.7- Verify the Secure Login Library status using the command sapgenpse

sandbox:sbxadm 71% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 72% pwd

sandbox:sbxadm 73% ./sapgenpse


D- Define SAP instance profile parameters

D.1- Add all parameters as below into SBX instance profile


E- Create Kerberos KeyTab for SNC (SAP GUI à SAP AS ABAP)

E.1- Check for environment variable SECUDIR is set for <SID>adm user (sbxadm)

        If not, set it as below

sandbox:sbxadm 130% setenv SECUDIR /usr/sap/SBX/DVEBMGS02/sec

E.2- Create PSE file with KeyTab included

Go to /usr/sap/SBX/DVEBMGS02/SLL directory. Run the following command.

sandbox:sbxadm 131% cd /usr/sap/SBX/DVEBMGS02/SLL

sandbox:sbxadm 132% pwd

sandbox:sbxadm 133% ./sapgenpse keytab –p SAPSNCSKERB.pse –a SL-ABAP-SBX@ABC.COM  (all in one line)

First you should give a password for this PSE file. Then password for SL-ABAP-SBX user, which you have created in Active Directory earlier.


E.3- Create Credential file (cred_v2)

sandbox:sbxadm 135% pwd    

sandbox:sbxadm 136% ./sapgenpse seclogin -p SAPSNCSKERB.pse -O sbxadm


E.4- Verify Entries in credential file using the command

sandbox:sbxadm 138% pwd

sandbox:sbxadm 139% sapgenpse seclogin -l


Note:   See SAP Note 1798979 for SPNEGO usage on SAP required versions,

            otherwise skip step F and continue with step G.

SAP Note 1798979 – SPNego ABAP: Downport


F- Create Kerberos keyTab for SPNEGO (Web GUI à SAP AS ABAP)

F.1- Login to ABAP system and run new transaction code SPNEGO


Go to change mode


Click on Add icon


Create Kerberos keyTab using User Principal Name SL-ABA-SBX@ABC.COM


Click on checkmark and Save

G- Restart SAP AS ABAP system for all these changes to take affect.

H- Client Installation and User Mapping

     Note: This step has to be repeated in all clients.

     Note: Your system has to bind to your Active Directory Domain.

          You can check it under “System Preferences” –> “Usrs & Groups”


You should login to your Mac system using your Active directory credentials

If you login to your system using a local account, please follow the steps in the following document from Apple to switch from a local user to a network user.

Your system admin can help you on these settings.

H.1-     Download Secure Login Client from SMP (SecureLoginClient.pkg)

            Note: Available for General Access on May 12, 2014.

H.2-     Install it by double clicking the package

/wp-content/uploads/2014/05/mac_2_407200.jpg     /wp-content/uploads/2014/05/mac_3_407201.jpg

/wp-content/uploads/2014/05/mac_4_407202.jpg     /wp-content/uploads/2014/05/mac_5_407203.jpg

Verify installation

/wp-content/uploads/2014/05/mac_6_407204.jpg     /wp-content/uploads/2014/05/mac_7_407205.jpg

H.3-     Close SAP GUI and open it again for changes to take effect.

Note: Restart your Mac and login with AD credentials if it doesn’t work.

H.4-     Enable SNC in SAP GUI Application


Highlight SBX and click on change icon

SBX setting before SNC enabled:


SBX setting after SNC enabled:


Now try it. Click on SBX icon in your SAP GUI for Java


H.5-  Configure User Mapping for AS ABAP

         Login with your credentials to SBX system

         Go to transaction SU01 and modify SAP user JDOE

         Change to SNC tab.


Save your changes.

Note:   Step H.5 should be repeated for all users.

If your AD and SAP user IDs are in sync, you can use transaction SNC1 to populate SNC data for all of your users.



     Otherwise, you should do it manually or use SCAT to create script for it.

     Your developers can also help to create a custom report using report RSUSR300 as a template.

I- Now try it again.



You must be Logged on to comment or reply to a post.
  • Hi Carsten,

    I saw your video. Do you have steps for setting it up with X.509 certificate? I am having issue with that. Do you have steps which you can share?



  • Alexander, thank you for you reply.

    I want to configure it without binding to LDAP. I have verified it with that it is doable and supported. But there is no documentation for this scenario. I have to create a user certificate and import it into Keychain. Then SecureLogin Client for Mac and use this certificate for SSO.

    I don’t know how to set it up without LDAP binding.



    • Hi Ray,

      I do not fully understand what you mean with “LDAP binding”. Do you mean the membership to a Active Directory Domain (Kerberos)?

      In 2.0 SP03 the Secure Login Client for Mac does not have Secure Login Server Profile support.
      So it can only use a X.509 certificate which already exists in the Keychain.

      best regards


  • Hi Alex,

    I know that 2.0 SP03 Secure CLient for Mac does not support SLS profile.

    We login to our mac using our local ID. My X.509 certificate list is empty in my Keychain.

    I want to know how I can get a certificate from our AD and import it to Keychain. Our AD admin does not know any thing about it.

    We don’t have and PKI infrastructure in place if that is something must to have.



    • Hi Ray,

      it is as simple as for Windows. What you require is a PKCS#12 container (.p12 or .pfx file) which contains your user certificate incl. the CA chain, this you will need from your Windows PKI. To setup ADCS (certificate services) isn’t a big thing.. If no one can provide you support with this, you are able to test X.509 SSO also with your certificate from SAP Service Marketplace. You can import this on the MAC and the SAP Passport CA on the Mac too as well as on the SAP backend (SNC trusted certificates). 

      On the MAC all you need to do is to double click a certificate and install it to the keychain. You will find it at My Certificates. You open the certs and select “always trust”. You need to make sure your backend works and is configured properly for X.509 SSO first, test it on a windows client PC. Good luck


    • Hi Ray,

      I do not know how to push/request certificates into the Mac OSX keychain automatically via Active Directory/Microsoft Domain Server.
      I found something on the Apple documentation side for “request a certificate from a Microsoft Certificate Authority using DCE/RPC…”, but I do not know if this is helping you.
      Please check the Apple Support/Documentation if there are options to enroll certificates from a Microsoft Domain like the Group Policy features on Microsoft client.
      It would be nice if something is available.

      best regards

      Alexander Gimbel

    • Hi Igor, it would be most interesting if you told us what is wrong. Most probably this is only a copy/paste problem. Check the minuses in notepad.



      • Hi Lutz, I don’t know why, but in my case it didn’t work without DOMAIN\

        SETSPN -A HTTP/my-solman.domain.local  DOMAIN\SL-ABAP-SM1 (it works)

        and SETSPN -a SAP/ did’t work in any case 🙁

          • I’m facing with the problem

            ./sapgenpse keytab –p SAPSNCSKERB.pse –a SL-ABAP-SM1@DOMAIN.LOCAL

            Please enter PIN: ********

            Please reenter PIN: ********

            keytab: No keyTab content stored.

            I have only SAPGENPSE 2.0 Patch 1 (Mar 21 2013). Should I search for SECURE LOGIN LIBRARY 2.0 64BIT SP002 Patch level 3?

          • Hi Igor, today you should use the most current CommonCryptolib (CCL). Do NOT use SLL anymore (as long as CCL is supported for your system).

          • Lutz, I updated the CommonCryptolib, but faced with the same problem on step E.2:

            Please enter PIN: ********

            Please reenter PIN: ********

            keytab: No keyTab content stored.

            Help me please 🙂

          • Hi Igor, I think we should move to a separate discussion thread. Last answers here:

            Do you really do this with <SID>adm user? Did you check SECUDIR variable?

            To avoid problems with environment variables pointing to wrong libraries or security environments I always use absolute paths both for sapgenpse and for SAPSNCSKERB.pse.

            So my example for the (windows) command line looks like this:

            <DIR_EXECUTABLE>\sapgenpse keytab -p <DIR_INSTANCE>\sec\SAPSNCSKERB.pse -k “AES256 AES128” -a abc@XYZ.COM

            (we decided to retire RC4 and therefore always activate both AES flags on windows account level and only generate AES keys.)

            In the past there were problems with strange local language characters in the domain account’s password producing strange error messages like your’s. Since then we only use ASCII characters for passwords.

            More questions: open a discussion thread please.