Martina Kirschenmann

SAP Single Sign-On: Authenticate with Kerberos/SPNEGO

Overview

The SAP Single Sign-On product supports Kerberos/SPNEGO. Kerberos tickets let you implement single sign-on for your SAP systems with little implementation effort while considerably simplifying your employees' authentication. Using Kerberos via SNC (for SAP GUI for Windows) or SPNEGO (for a web browser), a trust relationship is established between the user's front end and the back-end Application Server ABAP or Java.

Employees log on once, when they sign on to their Windows domain at the start of the day. Each subsequent logon to an SAP system is handled by a Kerberos ticket that the Active Directory domain controller (the KDC) issues and that SAP Single Sign-On presents to, and verifies at, the SAP system. No additional server is required in this scenario, and on the front end the user simply gets streamlined access.
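The browser path of this flow is where most troubleshooting happens, so here is an added example, not part of the original post and not SAP code: a Python script that decodes the Authorization: Negotiate header a browser sends to a SPNEGO-protected SAP URL and reports whether it actually carries a Kerberos token or an NTLM fallback. The token layout follows RFC 2743 (InitialContextToken) and RFC 4178 (NegTokenInit); the sample headers are constructed in the script, with dummy mechToken bytes instead of real Kerberos tickets. A Kerberos-only SPNEGO endpoint cannot log a user on from an NTLM token, so ntlm in the output means the browser never obtained a service ticket for the HTTP/<fqdn> SPN, which points at the client or the SPN registration rather than at the server-side SPNEGO configuration.

```python
"""Inspect an HTTP "Authorization: Negotiate" header and report which mechanism
the browser actually chose: Kerberos, or an NTLM fallback that a Kerberos-only
SPNEGO endpoint cannot accept. DER layout per RFC 2743 section 3.1 and RFC 4178.
The sample headers at the bottom are constructed; mechTokens are dummy bytes.
"""
import base64

# DER-encoded OID values (without the 0x06 tag and length byte).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (MS Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

_MECH_NAMES = {OID_KRB5: "kerberos", OID_MSKRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """Constructed SPNEGO NegTokenInit wrapped in a GSS-API InitialContextToken."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, oid) for oid in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, neg_init))


def inspect_negotiate(header_value: str) -> dict:
    """Classify the token in an Authorization header value.
    Returns {"mechanism": kerberos|ntlm|unknown|none, "spnego": bool, "mech_types": [...]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"mechanism": "none", "spnego": False, "mech_types": []}
    token = base64.b64decode(b64)

    # Raw NTLM Type 1 message sent without any SPNEGO wrapper.
    if token.startswith(b"NTLMSSP\x00"):
        return {"mechanism": "ntlm", "spnego": False, "mech_types": ["ntlmssp"]}

    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("InitialContextToken without mechanism OID")

    # A bare Kerberos AP-REQ (thisMech = krb5) is also valid under Negotiate.
    if oid in (OID_KRB5, OID_MSKRB5):
        return {"mechanism": "kerberos", "spnego": False, "mech_types": ["kerberos"]}
    if oid != OID_SPNEGO:
        return {"mechanism": "unknown", "spnego": False, "mech_types": [oid.hex()]}

    tag, neg_init, _ = _read_tlv(body, pos)        # [0] negTokenInit expected
    if tag != 0xA0:
        return {"mechanism": "unknown", "spnego": True, "mech_types": []}
    _, seq, _ = _read_tlv(neg_init, 0)             # SEQUENCE { mechTypes, ..., mechToken }
    mech_types, p = [], 0
    while p < len(seq):
        tag, val, p = _read_tlv(seq, p)
        if tag == 0xA0:                            # mechTypes [0] SEQUENCE OF OID
            _, lst, _ = _read_tlv(val, 0)
            q = 0
            while q < len(lst):
                _, mech, q = _read_tlv(lst, q)
                mech_types.append(mech)
    # The mechToken belongs to the first listed mechanism (RFC 4178 section 4.2.1),
    # so that entry decides whether the server can log the user on.
    preferred = _MECH_NAMES.get(mech_types[0], "unknown") if mech_types else "unknown"
    names = [_MECH_NAMES.get(m, m.hex()) for m in mech_types]
    return {"mechanism": preferred, "spnego": True, "mech_types": names}


# Constructed sample headers (base64 generated here, not captured from a browser).
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_neg_token_init([OID_MSKRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x00")).decode()
SAMPLE_NTLM_SPNEGO = "Negotiate " + base64.b64encode(
    build_neg_token_init([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
SAMPLE_NTLM_RAW = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Run `inspect_negotiate()` on the header value copied from the browser's developer tools or an HTTP trace of the failing WebGUI or Fiori request. Windows clients normally list the Microsoft Kerberos OID first; if the first mechanism is NTLM, or the token is a raw NTLMSSP message, check that the HTTP/<fqdn> SPN is registered on the service account and that the browser is configured to use Negotiate for that host before touching the ABAP side.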

 

Implementing Single Sign-On with Kerberos

The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.

 

Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)

The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.

Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)

One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (derived from the Windows domain user name) to the SAP ABAP user name. But how do you configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.
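As an added example, not part of the original post and not SAP tooling, here is a Python script that prepares the input for mass mapping: it joins an Active Directory export to the SAP user list, derives the SNC name for each user, and reports users that cannot be mapped or that would collide on the same SNC name. Two things in it are assumptions rather than facts from the post: that the Kerberos SNC name has the form p:CN=<userPrincipalName> with the realm part in upper case, and that an SAP user ID equals the AD sAMAccountName in upper case except for explicit exceptions; all records are constructed sample data.

```python
"""Prepare mass user-mapping input (SAP user ID -> SNC name) from an AD export.

Assumptions made for this example, not taken from the blog post: the Kerberos
SNC name is "p:CN=<userPrincipalName>" with the domain part upper-cased, and an
SAP user ID equals the AD sAMAccountName in upper case unless SAP_TO_AD lists
an exception. All records below are constructed sample data.
"""

# Constructed AD export (e.g. from Get-ADUser); None means attribute not set.
AD_EXPORT = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example.com"},
    {"sAMAccountName": "asmith", "userPrincipalName": "anna.smith@corp.example.com"},
    {"sAMAccountName": "bwong", "userPrincipalName": "bwong@subsidiary.example"},  # alternate UPN suffix
    {"sAMAccountName": "svc_sap", "userPrincipalName": None},  # service account without UPN
]
# Constructed SU01 user list (SAP user IDs are upper case).
SAP_USERS = ["JDOE", "ASMITH", "BWONG", "TADMIN", "JDOE2", "SVC_SAP"]
# Explicit exceptions to the sAMAccountName rule (here a second SAP user for jdoe).
SAP_TO_AD = {"JDOE2": "jdoe"}


def snc_name_from_upn(upn: str) -> str:
    """Derive the SNC name from a userPrincipalName, upper-casing the realm part."""
    user, sep, realm = upn.partition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a UPN: {upn!r}")
    return f"p:CN={user}@{realm.upper()}"


def build_snc_mapping(ad_export, sap_users, sap_to_ad=None):
    """Return (mapping, unmapped, conflicts).

    mapping:   {sap_user: snc_name} for users that can be mapped unambiguously
    unmapped:  SAP users with no AD account or no userPrincipalName
    conflicts: (sap_user, already_mapped_sap_user, snc_name) where two SAP users
               would get the same SNC name; SNC names must be unique per user
    """
    sap_to_ad = sap_to_ad or {}
    by_sam = {row["sAMAccountName"].lower(): row for row in ad_export}
    mapping, unmapped, conflicts, owner = {}, [], [], {}
    for sap_user in sap_users:
        row = by_sam.get(sap_to_ad.get(sap_user, sap_user).lower())
        if row is None or not row.get("userPrincipalName"):
            unmapped.append(sap_user)
            continue
        snc = snc_name_from_upn(row["userPrincipalName"])
        if snc in owner:
            conflicts.append((sap_user, owner[snc], snc))
            continue
        owner[snc] = sap_user
        mapping[sap_user] = snc
    return mapping, unmapped, conflicts


def mapping_to_tsv(mapping: dict) -> str:
    """Render the mapping as tab-separated lines, one SAP user per line."""
    return "\n".join(f"{user}\t{snc}" for user, snc in sorted(mapping.items()))


if __name__ == "__main__":
    mapped, missing, clashes = build_snc_mapping(AD_EXPORT, SAP_USERS, SAP_TO_AD)
    print(mapping_to_tsv(mapped))
    print("unmapped:", missing, "conflicts:", clashes)
```

The unmapped and conflicts lists are the part worth looking at before loading anything: a service account without a UPN or a second SAP user pointing at the same AD account will fail on the ABAP side, and it is cheaper to resolve that in the export than in thousands of SU01 entries.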

Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)

The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.

Recommendations and Troubleshooting

Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)

Blogs

Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources

Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information

For more information about SAP Single Sign-On, visit our community here:

https://community.sap.com/topics/single-sign-on.

 


148 Comments
      Wiprox Cloud

      Hello All,

I get an error while validating the password.

But the user exists in Active Directory with the password set to never expire, and the AD admin was also able to log in with the ID and password below.

       

Can you please guide me if I am missing anything?


       

      Check user in Active Directory  -  We can't sign you in with this credential because

      Message no. SPN028

      Requirements

      You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.

      Diagnosis

      This message comes from Active Directory.

      This function tries to verify whether the selected Kerberos Principal Name exists in Active Directory. The Check User Principal in AD button enables you to validate the Kerberos Principal User against Active Directory. You enter the password of Active Directory, and the front-end control checks whether Active Directory has a user with this Kerberos Principal Name in the userPrincipalName attribute.

       

      Procedure

      If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory.

       

      Regards

      Shekar


      Martina Kirschenmann
      Blog Post Author

      Hello Shekar,

It looks like you are not in the right domain. Therefore, the verification does not work.

      You can try to generate the keyTab without password validation and go to the tab Service Principal Names. There you will see that you don't have the domain as your service account.

      Regards,

      Martina

      Wiprox Cloud

      Hello Martina,

       

      Thanks for your reply.

Can you please let me know how to overcome the issue?


       

      regards

      Shekar

      Service Principal Name

      Wiprox Cloud

      Hello Martina,

After logging in with the user in the domain, the issue is resolved.

Currently I am having another issue; please see the screen below.

 

Token check is in status RED

       

      Regards

      Shekar

       

       

      Martina Kirschenmann
      Blog Post Author

      Hello Shekar,

      please open a customer ticket to resolve your problem.

      Thanks,

      Martina

      Sreekanth Muraleedharan Nair

      Hi Shekar,

       

Have you got the right solution for the above issue? I am also stuck with the same "Token Check" error. If possible, could you share the fix information?

      Best Regards

      Sreekanth

      Steven Foo

We are able to download SAP Single Sign-On 3.0, which appears when we go to the SAP Marketplace or Support Center.

      However when we check with our SAP Sales Executive, he mentioned that we don't have license.

But if we are not wrong, according to SAP Note 1876552 - Unable to find SAP Single Sign-On product on ONE Support Launchpad - SAP ONE Support Launchpad, SAP Single Sign-On 3.0 will only appear for download if the customer already has a license.

      Any idea on this discrepancy ?

      Thanks.

      Martina Kirschenmann
      Blog Post Author

      Hello Steven,

You will only be able to download the SAP Single Sign-On 3.0 product if you have a license for it, as stated in the SAP Note you mentioned above. Please check again with your SAP Account Executive for investigation.

      Thanks,

      Martina

      Steven Foo

      HI Martina,

We have raised a ticket with SAP Support; SAP Support checked and gave feedback that we are licensed.

So we are not sure why SAP SE provided us with incorrect information.

How does the license work? Is it by user count or just one block?

      Thanks.

       

       

      Steven Foo

      Martina,

Do you know how the license works?

By user count or one bulk license?

       

      Martina Kirschenmann
      Blog Post Author

      Hi Steven,

Licensing for the SAP Single Sign-On product is user-based. For the details, please get in contact with your SAP Account Executive.

      Best regards,

      Martina

      Francis S.K. LUK

      Hi Martina,

      Just would like to ask if it is also possible to integrate Azure AD with SAP Java AS 7.0 using the same method as shown in the video in the blog post?

      If not, any place where I can find some steps and guideline on how it can be done if this is feasible.

      Thanks.

      Martina Kirschenmann
      Blog Post Author

      Hi Francis,

      Azure AD only supports SAML. This blog post and the configuration videos are about SSO using Kerberos/SPNEGO with the SAP Single Sign-On product, and for that you need the on-premise Active Directory.

      Please also note that SAP NetWeaver 7.0 AS JAVA has been out of maintenance for several years already, and it is not recommended to use it.

      Best regards,

      Martina

      Jegadesh Karthikeyan

      Hi Martina,

Excellent blog. Currently I am trying to configure SSO SNC for Mac GUI. Will the setup be similar to this document, or is there something else I need to consider? I appreciate your response.

       

      Thanks

      Jega

      Martina Kirschenmann
      Blog Post Author

      Hi Jega,

In general, configuration is the same as with Windows clients. You only need to consider the documentation on how to install the Secure Login Client on macOS. You will find the documentation here:

      https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/f304002c0e794013b438a535bc158759.html

      Best regards,

      Martina

      Graciete Martins

      Hi Martina,

Excellent blog. I have a problem. I have already configured SSO for the GUI with Kerberos authentication, but when I run a Fiori URL (the server is the same for backend and frontend) or run WebGUI, a popup appears to log on to AD; if I enter the AD user and password, it is not working. Can you help me please?

       

      Best Regards

      Graciete

      Martina Kirschenmann
      Blog Post Author

      Hi Graciete,

      You can refer to the following information for troubleshooting:

      https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+Kerberos%3A+Recommendations+and+Troubleshooting

      Or refer to SAP Note 1732610 - SPNego ABAP: Troubleshooting Note:

      https://launchpad.support.sap.com/#/notes/0001732610

      Hope this helps.

      Best regards,

      Martina

      Henri van Blerk

      Hi Martina,

      Great blog, and have used it a few times.

Is it possible to make use of SSO for SAP GUI on Windows when the SAP application servers are running on Linux, and the SAP users (<sid>adm and SAPService<sid>) are not on the domain?

       

      Thanks

      Henri

      Martina Kirschenmann
      Blog Post Author

      Hi Henri,

      Yes, that is possible. When using SAP Single Sign-On, the application server does not need to be part of the Windows domain.

      Best regards,

      Martina

      Kim Heckscher

Hello Mrs. Kirschenmann, hello Martina,

      I'm new with SAP SSO 3.0 and we just configured the 1st System "SBT" with Kerberos.

      On Transaction SPNEGO we didn't see the User Principals or User Mapping.


      SPNEGO missing UserPrincipals and User Mapping

I saw this one time, just after a restart of my client, but not now...
Any ideas why it didn't show the UPNs? There is no error message at all.

SSO 3.0 SP2 Patch 16, but this is not relevant as I see.
(I already checked SAP Note 2729769 - SPNEGO transaction - tab "Service Principal Names" is blank during SAP Single Sign-On configuration.)

In tracing I couldn't find anything.

Thanks for the info, or should I rather create a ticket on SAP for Me?

       

      Hope you can Help me, best Regards,

      Kim

      Martina Kirschenmann
      Blog Post Author

      Hello Kim,

Your configuration looks fine and SNC is working. Sometimes it can happen that the UPNs are not shown correctly. Maybe you can try again. Or refer to SAP Note 3279986 as a workaround.

      If the problem persists, please open a ticket and our support team will assist you.

      Thanks,

      Martina

      Tatjana Schumakowa

      Hello Martina,

      Thank you for this blog.

Is it possible to install SSO with Kerberos without a Secure Login Server? How are the user tickets (without SLS) distributed automatically? Does AD have to have certain functions? What advantage does SLS have in this case? Is Kerberos still recommended for SSO?

      Many Thanks

      Best regards

      Martina Kirschenmann
      Blog Post Author

      Hello Tatjana,

      When using Kerberos for SSO, you don’t need the Secure Login Server. You only need the Secure Login Client on the client side (together with SAP GUI). On the server side, the functionality of verifying the Kerberos tokens is provided by the SAP Cryptographic Library that already comes with the ABAP kernel.

      SSO via Kerberos technology requires a local Microsoft Active Directory (AD). The Microsoft AD (KDC) issues the Kerberos token upon successful Windows domain login. Yes, Kerberos is still recommended as SSO technology, and many of our customers are still using it.

      Please note that last month we launched a new solution for SSO with SAP GUI: the SAP Secure Login Service for SAP GUI. This new solution also includes SSO via Kerberos, same as with the previous SAP Single Sign-On product. More information is available in the release blog here: https://blogs.sap.com/2023/05/04/sap-secure-login-service-for-sap-gui-now-available/

      Best regards,

      Martina

      Kim Heckscher

Hi Martina, I just created a ticket.

      Ticket-ID: 528328 / 2023

      Test with kerberostest.exe was successful:

      Kerberostest

      Grzegorz Ciula

      Hello Martina,

I have configured SPNEGO according to your description "Kerberos-Based SSO to Application Server ABAP".
It works for GUI, but it doesn't work for HTTPS WebGUI.
I have registered HTTP/FQDN and added the registry entries from 3183026 (Edge, Chrome). But it is still not working.
Is there something else I should do (some parameters in RZ10)?


      Martina Kirschenmann
      Blog Post Author

      Hello Grzegorz,

      please open a ticket for your issue and our support team will assist you.

      Thanks,

      Martina

      Ajay Sehgal

Martina Kirschenmann, thanks for posting this blog. I have a few questions and am not sure if you can help me answer them.

We have a requirement to configure Kerberos authentication in our ERP EHP5 (SAP Basis 702) using HTTPS (browser based). As per SAP KBA 1798979 - SPNego ABAP: Downport, I believe it is supported.

We have one landscape which is on domain A and has SPNEGO configured. We have another landscape which is running on domain B but accessible on the same network as domain A. We want to configure SPNEGO for the system running on domain B, but users will be from domain A. I have also read your blog on Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment. I believe that is for people accessing the same system from multiple domains. Can you please confirm if accessing only from domain A a system in domain B is a supported scenario? Your response will be appreciated.

Also, can you confirm whether Secure Login Client 3.0 will be compatible with ERP EHP5 (SAP Basis 702)?

Please let me know if the above doesn't make sense to you.

      Many Thanks,

      Ajay

      Martina Kirschenmann
      Blog Post Author

      Hello Ajay,

      Yes, you will find the configuration details in the blog:

      Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment.

      For technical release information, please refer to the Product Availability Matrix here and the SAP Note 1798979 you mentioned.

      Best regards,

      Martina

      SAP Basis Offshore Atos India

Hi,

We are implementing SSO with Okta. SSO works fine for WebGUI.

We would like to configure SSO with Okta for SAP GUI. How can we achieve this?

       

      Best regards

      Martina Kirschenmann
      Blog Post Author

      Hello,

      You can use the SAP Secure Login Service for SAP GUI to provide your SAP GUI users with SSO to their ABAP-based business applications. The solution is based on a lean cloud service and can integrate with your existing corporate identity provider (such as Azure AD or OKTA).

      You will find more information about our SAP Secure Login Service for SAP GUI (product overview, documentation, etc.) here:

      https://community.sap.com/topics/single-sign-on

      Best regards,

      Martina

      Oliver Meinecke

      Hi Martina,

      With transaction SPNEGO in an ABAP system, it is possible to provide user principal name and all that stuff pointing to an active directory. So far so good it is working.

      The connection normally is established via LDAP port 389 which is non-secure.

      Question for me:

      When switching to SSL over LDAP (LDAPS), port will be changed to 636. But where?

       

      Can you give me a hint? Reason behind is, LDAP here should only be offered for port 636 (LDAPS) in future.

       

      Best regards,

      Oliver

      Martina Kirschenmann
      Blog Post Author

      Hello Oliver,

      Our implementation uses the same Microsoft functions as Microsoft itself to connect to Active Directory and it cannot be configured.

      Best regards,

      Martina

       

      Rajaji Rajavelu

      Hi Martina Kirschenmann,

      Thank you for the nice blog!

We have followed and enabled SAP Single Sign-On: Authenticate with Kerberos/SPNEGO for SAP GUI, and it is working fine.

For third-party systems, for example ServiceNow, we want to connect to our SAP system using an X.509 SSL client certificate / single sign-on using SPNego in the SOAMANAGER web service WSDL-generated URL, without ID and password.

Please let us know whether the document below will help to enable this:
https://www.sap.com/documents/2015/07/b20f4c88-5b7c-0010-82c7-eda71af511fa.html

SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

Can we enable both Kerberos and X.509 client certificates for single sign-on in parallel?

      Thanks.

       

      Regards,

      R Rajavelu

      Martina Kirschenmann
      Blog Post Author

      Hello R Rajavelu,

      Even if using X.509 certificates would probably be technically possible, it is not the recommended way. For browser-based applications we recommend to use an identity provider, such as SAP’s Identity Authentication Service (IAS) or another third-party identity provider.

      Best regards,

      Martina