
Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment.

What to consider when implementing a Kerberos/SPNego scenario for SAP AS ABAP with the SAP Single Sign-On product in a multi-domain environment.

Windows domains and forests are containers used to meet different authentication and authorization requirements in the corporate landscape, for example centralizing resource management, organizing network objects into a logical hierarchical structure, or implementing rules for sharing resources across a network. Domains can be grouped into Domain Name System (DNS) namespace hierarchies known as domain trees. The domain tree hierarchy is held together by trust relationships, and it is the presence or absence of such a trust that decides what a Kerberos client in one domain can obtain from the KDC of another.

When implementing Kerberos/SPNego with the SAP Single Sign-On product in a multi-domain environment, there are some specifics to keep in mind, depending on whether trusts exist between the domains. In this blog we describe these specifics for two options:

  • Option 1: There is a trust relationship between the Microsoft domains
  • Option 2: There is no trust relationship between the Microsoft domains

Now let’s see what you have to consider for these two options.

Service account – The implementation of Kerberos/SPNego with the SAP Single Sign-On product requires a service account to be created in the Windows domain (on the domain controller). This service account represents the SAP AS ABAP system in Kerberos: the KDC encrypts service tickets with this account's key, and it is this account's key that is later placed in the keytab on the ABAP side.

Option 1: When there is a trust between the domains, it is enough to create a service account only in the central domain.

Option 2: When there are domains in the landscape that are not trusted, and Kerberos-based SSO also has to work for users from these domains, you have to make sure that a service account is created in every non-trusted Windows domain as well. A user's KDC can only issue a ticket for a service that is registered in its own domain or in a domain it trusts.

Service principal name – A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The SPN is configured with ADSI Edit (the LDAP editor for managing objects and attributes in Microsoft Active Directory) as the servicePrincipalName attribute of the service account. The SPN is required for the SNC configuration and for SPNego for ABAP: the KDC looks the SPN up to find the service account and issues the requesting user a Kerberos service ticket encrypted with that account's key. An SPN must be registered on exactly one object in a forest; a duplicate SPN, for example one left behind on an old account, makes ticket issuance for that service fail.

Option 1: When there is a trust between the domains, it is enough to create a service account and configure the respective SPN for this account only in the central domain. This configuration is sufficient because the trust makes users from all trusted domains visible in the central domain, and Kerberos cross-realm referrals ensure that the authentication chain reaches the domain that holds the service account: the user's own KDC issues a referral ticket for the central domain, and the KDC of the central domain issues the service ticket for the SAP AS ABAP system.

Option 2: When the trust between the domains is missing, you need to configure service accounts in all non-trusted domains and make sure that one and the same SPN is configured for all of these service accounts. This is necessary because non-trusted domains work independently of each other: a user's KDC can only issue a ticket for an SPN registered in its own domain, so every domain has to be configured to recognize the service offered by the SAP AS ABAP system.

Note: A common configuration mistake is to use different SPNs in different domains. The service account names may differ from one domain controller to the next, but the SPN registered on these accounts must be identical everywhere. The client derives the SPN from the name of the SAP system it connects to (for SPNego in a browser this is HTTP/<host name from the URL>), and that name is the same regardless of which domain the user logs on from.

Kerberos keytab – On the SAP AS ABAP server side, the implementation of SNC with Kerberos/SPNego requires generating a keytab with the SPNEGO or SNCWIZARD transactions, available in the newer AS ABAP releases (for more details use the link to the documentation at the end of the blog). The keytab contains the user principal of the service account created in the Windows domain together with the Kerberos key derived from that account's password; with this key the AS ABAP system decrypts the service tickets the KDC issued to users. Whenever the service account's password is changed in Active Directory, the keytab has to be regenerated, otherwise newly issued tickets can no longer be decrypted. For more details, see: Using the Single Sign-On Wizard to Configure SNC and SPNego

Option 1 & Option 2: Irrespective of whether trusts exist between the domains, a keytab entry is needed for every service account you created, that is, for every domain in which the SAP AS ABAP system is registered as a service. In Option 1 this is the single account in the central domain: service tickets for users from all trusted domains are issued by the central domain's KDC and encrypted with that account's key, so one entry is sufficient. In Option 2 every non-trusted domain has its own service account with its own key, so the SAP AS ABAP server needs a keytab entry for every one of these domains in order to decrypt the tickets issued by each domain's KDC.

Note: A common mistake in keytab generation is mistyping the user principal. The user principal from Active Directory has the format sAMAccountName@WINDOWS2000-DOMAIN, where sAMAccountName is case-sensitive (it must match the Active Directory attribute exactly) and the domain part is the Kerberos realm written in upper case. Example: SAPServiceUserABC@IT.CUSTOMER.DE. This is not necessarily the same string as the account's userPrincipalName attribute, which may carry an alternative UPN suffix.
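As an added example (not code from the blog, from SAP or from the SAP Single Sign-On product), the following PowerShell script carries out the Option 2 steps of the service account and SPN sections above in each domain, checks the global catalog for a duplicate SPN before registering it, and prints for every domain the principal string in the sAMAccountName@REALM form that the keytab note requires. The domain names, domain controller host names, SAP host name, SID and account names are hypothetical; the SPN list follows the HTTP/<host> and SAP/Kerberos<SID> pattern that appears in the comments below. It assumes the RSAT ActiveDirectory module and credentials with user-creation rights in each domain. For Option 1 the $Domains list has a single entry, the central domain.

```powershell
# Added example, not part of the original blog. All names below are hypothetical.
# Creates the Kerberos service account per domain (Option 2), registers the same
# SPN set everywhere, and prints the keytab principal for transaction SPNEGO/SNCWIZARD.
Import-Module ActiveDirectory

$SapSid  = 'XYZ'
$SapHost = 'sapxyz.it.customer.de'     # FQDN users type into the browser (hypothetical)

# The SPN set must be identical in every domain; only the account name may differ.
$Spns = @("HTTP/$SapHost", "HTTP/$($SapHost.Split('.')[0])", "SAP/Kerberos$SapSid")

# One entry per domain that has no trust to the others (hypothetical values).
$Domains = @(
    @{ Realm = 'IT.CUSTOMER.DE'; Dc = 'dc01.it.customer.de'; Sam = "SAPServiceUser$SapSid" },
    @{ Realm = 'EFG.COM';        Dc = 'dc01.efg.com';        Sam = "Kerberos$SapSid" }
)

foreach ($d in $Domains) {
    $cred = Get-Credential -Message "Admin credentials for $($d.Realm)"
    $pwd  = Read-Host -AsSecureString -Prompt "Password for $($d.Sam)@$($d.Realm)"

    # A duplicate SPN anywhere in the forest breaks ticket issuance, so query the
    # global catalog (port 3268) rather than only this domain's partition.
    foreach ($spn in $Spns) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                              -Server "$($d.Dc):3268" -Credential $cred
        if ($owner -and $owner.Name -ne $d.Sam) {
            throw "SPN $spn is already registered on $($owner.DistinguishedName) in forest of $($d.Realm)"
        }
    }

    # Create the service account once; AES-only so RC4 tickets are never issued for it.
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$($d.Sam))" -Server $d.Dc -Credential $cred)) {
        New-ADUser -Name $d.Sam -SamAccountName $d.Sam `
            -UserPrincipalName "$($d.Sam)@$($d.Realm.ToLower())" `
            -AccountPassword $pwd -Enabled $true -PasswordNeverExpires $true `
            -KerberosEncryptionType AES256 `
            -Server $d.Dc -Credential $cred
    }

    # Replace (not Add) so each domain ends up with exactly the same SPN set.
    Set-ADUser -Identity $d.Sam -ServicePrincipalNames @{Replace = $Spns} `
               -Server $d.Dc -Credential $cred

    # Keytab principal as the ABAP side expects it: the case-sensitive sAMAccountName
    # plus the realm in upper case (not the userPrincipalName attribute).
    $u = Get-ADUser -Identity $d.Sam -Properties sAMAccountName, servicePrincipalName `
                    -Server $d.Dc -Credential $cred
    "{0}@{1}   SPNs: {2}" -f $u.sAMAccountName, $d.Realm.ToUpper(), ($u.servicePrincipalName -join ', ')
}
```

Run it from a Windows administration host that can reach a domain controller of every domain listed. The password prompted for each account is the one you enter again in transaction SPNEGO or SNCWIZARD when generating the keytab entry for that domain; if it is ever changed in Active Directory, that keytab entry has to be regenerated.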

For more details about SNC/SPNego see the documentation: SNC Kerberos Configuration & Using the Single Sign-On Wizard to Configure SNC and SPNego.

  • Hi Donka,

    Thanks for sharing the details on multi-domain configuration.

    I have an issue with SSO in multiple domains.

    We have 2 domains: one is a Windows AD (Company A) and the other uses a Citrix domain (Company B).

    Changed the password of the service account, updated it in the config tool and restarted the system.

    Company A users don't have any issue logging in via SSO, but users from the Citrix domain are unable to log in via SSO.

    Please let me know how I can fix the issue.

    Thanks in advance.

    #2.0 #2015 10 12 18:04:07:759#0-
    000000749776#4d77e728714611e5a6c6000000749776#0#Thread[HTTP Worker
    Could not search for user by logon id: saptest
    for logonid "xxxxxxxx" not found!



  • Hello,

    Thanks for sharing valuable information. I need some help in a similar case. I have a scenario: we have company A and an HR portal within company A. Now company B has been acquired by company A. We have to enable company B to access the HR portal of company A from company B's domain. I think we need LDAP/AD integration. Can anyone suggest and share the necessary document on how we can achieve this? The HR portal version is 7.0 and company B IPs can be pinged from company A's domain. This is very critical and urgent. Highly appreciated, please help.

    Thanks in Advance


  • Hello Donka,

    We have implemented SSO (SNC with Kerberos) on Windows Server, and we would like to migrate our ERP server from Windows 2012 to Red Hat Linux 6.

    I wonder if we need to do some prerequisites on the Linux server for SSO, or whether SSO cannot be implemented on a Linux server?

    Thanks in advance

    Ming Feng

  • Hi Donka, thanks for this very helpful blog. I have a question regarding SSO in multiple domains. We are talking about two domains which do not have a trust between them. The system XYZ in question is residing in the domain . The users of domain A are able to access it (both SAP GUI and WebGUI) through SSO 2.0. Until then everything seems good. The service principal user has two service principal names: HTTP/ and SAP/KerberosXYZ.

    Now comes the second domain. The users in the second domain are required to access the system XYZ (just the WebGUI) via SSO, which is otherwise accessible WITHOUT SSO since the firewall rules let it into the domain. We have created a service principal user in domain B with the same service principal names as in the first one (HTTP/ and SAP/KerberosXYZ). Only the name of the service principal user is different! We expected just to use the transaction SPNEGO and get it done with, which means adding the second entry in the transaction for the Kerberos user principal as well. So the entries in the transaction now look like this: Unfortunately SSO for just the first one with the same domain is still working.

    The keytab was previously generated for the first case in the first domain ABC.DE using:

    Keytab 1 (set and working already), in /usr/sap/xyz/DVEBMGS00/sec:
    sapgenpse keytab -p SAPSNCSKERB.pse -x pass1 -a KerberosXYZ@ABC.DE
    sapgenpse seclogin -p /usr/sap/XYZ/DVEBMGS00/sec/SAPSNCSKERB.pse -x pass1 -O xyzadm

    Keytab 2 (not set yet): what do we do for the second one? Generate another keytab under /usr/sap/XYZ/DVEBMGS00/sec using:
    sapgenpse keytab -p SAPSNCSKERB.pse -x pass2 -a KerberosXYZ@EFG.COM
    sapgenpse seclogin -p /usr/sap/XYZ/DVEBMGS00/sec/SAPSNCSKERB.pse -x pass2 -O xyzadm

    Should we generate both keytabs afresh after setting snc_enable to 0? I look forward to your valued input. Perhaps it could help those who are struggling with the same issue. Thanks and best regards, Rahila Zahir

    • Hello Rahila,

      When there is no trust between the domains, you have to use Option 2 as described in the blog. If you face any issues, please create a CSS ticket.


      Donka Dimtirova

  • Hi Donka,

    I'm facing some problems while implementing SSO with Kerberos for SOLMAN. AS ABAP (SOLMAN) is in one domain and the users are in a second domain.

    SSO via SAP GUI works, but not via web browser. In SPNEGO I've set up the keytab; somehow I have the impression it is not complete, there are no tabs in the lower part of the screen (please compare the attached picture). Could you please advise.

    Furthermore, as you explained in your blog, do I have to set up one keytab for every domain anyway?



  • Hello Donka

    Thank you for sharing the information. It was really helpful

    I would like to seek your expert advice on the approach to be followed for SSO. Is it mandatory to go for the SAP Single Sign-On product to achieve the Kerberos scenario, or can we do AD integration with the SAP stack to achieve the same? Are there any disadvantages to going for AD integration with the SAP stack?



  • Hi Donka,

    we have a multi-domain environment with no trusts between the domains. I successfully configured SPNEGO on a portal system, working for both domains.

    We also want to use SNC encryption without SSO. Unfortunately I was not able to get this working yet. We have the user Kerberos<SID> created in both domains and the service principal name was also created in both domains. Is it possible to use SNC encryption in a multi-domain environment without trusts between the domains?

    Thanks and best Regards,


  • Hi All,

    I have a query with respect to the Kerberos token in the SLC client.

    1. Is it possible to set a timeout for this token?
    2. Can anybody log in to the SAP system simply by picking up my (Kerberos) token and my user ID?

    Thanks a lot and much appreciated for your valuable answers.


  • Hi all,

    in regards to Kerberos (SNC and SPNEGO) in a multi-domain, multi-forest environment, check my post here to make your life easier if you have two-way trusts between your forests/domains.

    Cheers, Carsten


    • Hello Carsten,

      Thanks for sharing the details.

      We were able to set up SSO in a multi-domain environment with two-way trusts. Only 1 keytab was maintained in the system.

      We were not aware of the fact that <SERVICE ACCOUNT NAME>@<DOMAIN> should be used as the SNC identity in a multi-domain environment. (We used <SERVICE ACCOUNT NAME> only, for example, and it didn't work, of course.)

      I totally agree with you that it’s a bit challenging to understand the above article, in particular,

      • Option 1: When there is trust between the domains it is enough to create a service account only on the central domain
      • Option 1 & Option 2: Irrespective of the trust existence between the domains, when we have more than one Microsoft Domain to integrate into our Kerberos/SPNEGO implementation, it is necessary to create a Keytab for every one of these domains.

      So one service account has to be created in the domain and, on the other hand, each keytab has to be created in every domain involved. This is definitely not the way we did it.




  • Hi Donka and Martina Kirschenmann,

    I am very new to SAP SSO. My landscape contains 5 SAP servers and one Windows domain, where I want to implement SSO among them.

    Can I get a complete document for the same to complete the implementation?



    Ravi A