SAP Single Sign-On: Authenticate with Kerberos/SPNEGO
Overview
The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.
Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.
Implementing Single Sign-On with Kerberos
The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.
Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)
The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.
Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)
One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how do you configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.
Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)
The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.
Recommendations and Troubleshooting
Single Sign-On with Kerberos: Recommendations & Troubleshooting
Troubleshooting SPNego for ABAP (SAP Note 1732610)
Blogs
Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP
Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment
SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates
Additional Resources
Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)
Single Sign-On to SAP BusinessObjects BI Platform 4.0
Mobile Single Sign On from iOS 7 to SAP NetWeaver
Take the SAP Fiori Experience to a New Level with SAP Single Sign-On
More Information
For more information about SAP Single Sign-On, visit our community here:
https://community.sap.com/topics/single-sign-on.
Hello All,
I get an error while validating the password.
But the user exists in Active Directory with never expire, and the AD admin was also able to log in with the below ID and password.
Can you please guide me if I am missing anything?
Check user in Active Directory - We can't sign you in with this credential because
Message no. SPN028
Requirements
You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.
Diagnosis
This message comes from Active Directory.
This function tries to verify whether the selected Kerberos Principal Name exists in Active Directory. The Check User Principal in AD button enables you to validate the Kerberos Principal User against Active Directory. You enter the password of Active Directory, and the front-end control checks whether Active Directory has a user with this Kerberos Principal Name in the userPrincipalName attribute.
Procedure
If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory.
Regards
Shekar
Hello Shekar,
It looks like you are not in the right domain. Therefore, the verification does not work.
You can try to generate the keyTab without password validation and go to the tab Service Principal Names. There you will see that you don't have the domain as your service account.
Regards,
Martina
Hello Martina,
Thanks for your reply.
Can you please let me know how to overcome the issue.
regards
Shekar
Hello Martina,
After logging in with the user in the domain, the issue is resolved.
Currently I am having another issue, please see the screen below.
Token check in status RED
Regards
Shekar
Hello Shekar,
please open a customer ticket to resolve your problem.
Thanks,
Martina
Hi Shekar,
Have you got the right solution for the above issue? I am also stuck with the same "Token Check" error. If possible, could you share the fix information?
Best Regards
Sreekanth
We are able to download the SAP Single Sign On 3.0 which is appearing when we go to the SAP Marketplace or Support center.
However when we check with our SAP Sales Executive, he mentioned that we don't have license.
But if we are not wrong, according to one of the SAP Notes - 1876552 - Unable to find SAP Single Sign-On product on ONE Support Launchpad - SAP ONE Support Launchpad, it mentioned that SAP Single Sign On 3.0 will only appear for download if the customer already has a license.
Any idea on this discrepancy?
Thanks.
Hello Steven,
you will only be able to download the SAP Single Sign-On 3.0 product if you have a license for it, as stated in the SAP Note you mentioned above. Please check again with your SAP Account Executive for investigation.
Thanks,
Martina
Hi Martina,
We have raised a ticket with SAP support; SAP support checked and gave feedback that we are licensed.
So we are not sure why SAP SE provided us with incorrect information.
How does the license work? Is it by user count or just by one block?
Thanks.
Martina,
Do you know how the license works?
By user count or one bulk license?
Hi Steven,
licensing for the SAP Single Sign-On product is user-based. For the details, please get in contact with your SAP Account Executive.
Best regards,
Martina
Hi Martina,
Just would like to ask if it is also possible to integrate Azure AD with SAP Java AS 7.0 using the same method as shown in the video in the blog post?
If not, any place where I can find some steps and guideline on how it can be done if this is feasible.
Thanks.
Hi Francis,
Azure AD only supports SAML. This blog post and the configuration videos are about SSO using Kerberos/SPNEGO with the SAP Single Sign-On product, and for that you need the on-premise Active Directory.
Please also note that SAP NetWeaver 7.0 AS JAVA has been out of maintenance for several years already, and it is not recommended to use it.
Best regards,
Martina
Hi Martina,
Excellent blog. Currently I am trying to configure SSO SNC for Mac GUI. Will the setup be similar to this document, or is there something else I need to consider? Appreciate your response.
Thanks
Jega
Hi Jega,
In general, configuration is the same as with Windows clients. You only need to consider the documentation on how to install the Secure Login Client on macOS. You will find the documentation here:
https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/f304002c0e794013b438a535bc158759.html
Best regards,
Martina
Hi Martina,
Excellent blog. I have a problem. I have already configured SSO to GUI with Kerberos authentication, but when I run a Fiori URL (the server is the same backend and frontend) or run WebGUI, a popup appears to log on to AD; if I enter the AD user and password, it does not work. Can you help me, please?
Best Regards
Graciete
Hi Graciete,
You can refer to the following information for troubleshooting:
https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+Kerberos%3A+Recommendations+and+Troubleshooting
Or refer to SAP Note 1732610 - SPNego ABAP: Troubleshooting Note:
https://launchpad.support.sap.com/#/notes/0001732610
Hope this helps.
Best regards,
Martina
Hi Martina,
Great blog, and have used it a few times.
Is it possible to make use of SSO for SAP GUI on Windows when the SAP application servers are running on Linux and the SAP users (<sid>adm and SAPService<sid>) are not on the domain?
Thanks
Henri
Hi Henri,
Yes, that is possible. When using SAP Single Sign-On, the application server does not need to be part of the Windows domain.
Best regards,
Martina
Hello Mrs. Kirschenmann, Hello Martina,
I'm new to SAP SSO 3.0 and we just configured the first system "SBT" with Kerberos.
In transaction SPNEGO we didn't see the User Principals or User Mapping.
SPNEGO missing UserPrincipals and User Mapping
I saw this one time just after a restart of my client, but not now...
Any ideas why it didn't show the UPNs? There is no error message at all.
SSO 3.0 SP 2 Patch 16, but this is not relevant as I see.
(I already checked SAP Note 2729769 - SPNEGO transaction - tab "Service Principal Names" is blank during SAP Single Sign-On configuration.)
In tracing I couldn't find anything.
Thanks for any info, or should I better create a ticket on SAP 4 ME?
Hope you can Help me, best Regards,
Kim
Hello Kim,
Your configuration looks fine and SNC is working. Sometimes it can happen that the UPNs are not shown correctly. Maybe you can try again. Or refer to SAP Note 3279986 as a workaround.
If the problem persists, please open a ticket and our support team will assist you.
Thanks,
Martina
Hello Martina,
Thank you for this blog.
Is it possible to install SSO with Kerberos without a Secure Login Server? How are the user tickets (without SLS) distributed automatically? Does AD have to have certain functions? What advantage does SLS have in this case? Is Kerberos still recommended as SSO?
Many Thanks
Best regards
Hello Tatjana,
When using Kerberos for SSO, you don’t need the Secure Login Server. You only need the Secure Login Client on the client side (together with SAP GUI). On the server side, the functionality of verifying the Kerberos tokens is provided by the SAP Cryptographic Library that already comes with the ABAP kernel.
SSO via Kerberos technology requires a local Microsoft Active Directory (AD). The Microsoft AD (KDC) issues the Kerberos token upon successful Windows domain login. Yes, Kerberos is still recommended as SSO technology, and many of our customers are still using it.
Please note that last month we launched a new solution for SSO with SAP GUI: the SAP Secure Login Service for SAP GUI. This new solution also includes SSO via Kerberos, same as with the previous SAP Single Sign-On product. More information is available in the release blog here: https://blogs.sap.com/2023/05/04/sap-secure-login-service-for-sap-gui-now-available/
Best regards,
Martina
Hi Martina, I just created a ticket.
Ticket-ID: 528328 / 2023
Test with kerberostest.exe was successful:

Hello Martina,
I have configured SPNEGO according to your description "Kerberos-Based SSO to Application Server ABAP".
It works for GUI, but it doesn't work for HTTPS WEBGUI.
I have registered HTTP/FQDN and added entries to the registry - 3183026 (Edge, Chrome). But it is still not working.
Is there something else I should do (some parameters in RZ10)?
Hello Grzegorz,
please open a ticket for your issue and our support team will assist you.
Thanks,
Martina
Martina Kirschenmann, thanks for posting this blog. I have a few questions and am not sure if you can help me answer them.
We have a requirement to configure Kerberos authentication in our ERP EHP5 (SAP Basis 702) using HTTPS (browser based). As per SAP KBA 1798979 - SPNego ABAP: Downport, I believe it is supported.
We have one landscape which is on domain A and has SPNEGO configured. We have another landscape which is running on domain B but is accessible on the same network as domain A. We want to configure SPNEGO for the system running on domain B, but users will be from domain A. I have also read your blog on Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment, but I believe that is for people accessing the same system from multiple domains. Can you please confirm if accessing only from domain A for a system in domain B is a supported scenario? Your response will be appreciated.
Also, can you confirm if Secure Login Client 3.0 will be compatible with ERP EHP 5 (SAP Basis 702)?
Please let me know if the above doesn't make sense to you.
Many Thanks,
Ajay
Hello Ajay,
Yes, you will find the configuration details in the blog:
Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment.
For technical release information, please refer to the Product Availability Matrix here and the SAP Note 1798979 you mentioned.
Best regards,
Martina
Hi,
We are implementing SSO with OKTA. SSO works fine for WebGUI.
We would like to configure SSO with OKTA for SAP GUI. How can we achieve this?
Best regards
Hello,
You can use the SAP Secure Login Service for SAP GUI to provide your SAP GUI users with SSO to their ABAP-based business applications. The solution is based on a lean cloud service and can integrate with your existing corporate identity provider (such as Azure AD or OKTA).
You will find more information about our SAP Secure Login Service for SAP GUI (product overview, documentation, etc.) here:
https://community.sap.com/topics/single-sign-on
Best regards,
Martina
Hi Martina,
With transaction SPNEGO in an ABAP system, it is possible to provide user principal name and all that stuff pointing to an active directory. So far so good it is working.
The connection normally is established via LDAP port 389 which is non-secure.
Question for me:
When switching to SSL over LDAP (LDAPS), port will be changed to 636. But where?
Can you give me a hint? Reason behind is, LDAP here should only be offered for port 636 (LDAPS) in future.
Best regards,
Oliver
Hello Oliver,
Our implementation uses the same Microsoft functions as Microsoft itself to connect to Active Directory and it cannot be configured.
Best regards,
Martina
Hi Martina Kirschenmann,
Thank you for the nice blog!
We have followed and enabled SAP Single Sign-On: Authenticate with Kerberos/SPNEGO for SAP GUI, and it is working fine.
For third-party systems, for example ServiceNow, we want to connect to our SAP system using X.509 SSL client certificate / single sign-on using SPNego in the SOAMANAGER web service WSDL-generated URL without ID and password.
Please let us know whether the document below will help to enable this:
https://www.sap.com/documents/2015/07/b20f4c88-5b7c-0010-82c7-eda71af511fa.html
SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates
Can we enable both Kerberos and X.509 client certificates for single sign-on in parallel?
Thanks.
Regards,
R Rajavelu
Hello R Rajavelu,
Even if using X.509 certificates would probably be technically possible, it is not the recommended way. For browser-based applications we recommend using an identity provider, such as SAP’s Identity Authentication Service (IAS) or another third-party identity provider.
Best regards,
Martina