
Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server

Your company is using Secure Login Server (SAP Single Sign-On) to issue short-lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape.

Your company is also using Microsoft Active Directory and now you want to re-use Kerberos tokens, issued by the MS Domain Controller (KDC), for the Single Sign-On with Secure Login Server X.509 client certificates.

After implementing this scenario, your domain users will have to authenticate only once, using their Microsoft Active Directory credentials. They will then be authenticated automatically to any SAP or non-SAP system that requires short-lived X.509 client certificates and where they have been granted authorizations.

In my new guide SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates you will find step-by-step instructions on how to implement this scenario:


  • Hi,

    We have implemented the exact configuration steps that are published in your document to enable SSO. SSO for ABAP system works fine but SSO for webgui does not work even after maintaining RootCA certificate in STRUST and user is mapped in transaction EXTIN_DN. Could you please advise what I am missing, or can you share documentation for enabling SSO for webgui using "SPNEGO based single sign-on using secure login server X.509 client certificate"?

    Thank you in advance.

    Syes Rasheed.

    • Hello Syes,

      Please create a CSS message and provide the icm traces. The information you provide is not enough to find what you are missing.


      Donka Dimitrova

  • Good Morning Donka

    I have ERP 6.0 SR3 using only ABAP System install with all latest support stack, but T-Code SPNEGO is not working. We do not install JAVA Stack.

    Please review Screen shot




  • Hello Donka,

    thank you for this documentation. It works fine, but now I have to find a way to do user mapping between SAP NW SSO 3.0 and some SAP AS JAVA without homogeneous users. Can you recommend a documentation describing the necessary configuration?

    Best Regards