Skip to Content
Technical Articles

SAP Single Sign-On: Authenticate with Kerberos/SPNEGO


The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.

Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.


Implementing Single Sign-On with Kerberos

The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.


Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)

The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.

Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)

One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how to configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.

Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)

The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.

Recommendations and Troubleshooting

Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)


Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources

Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information

For more information about SAP Single Sign-On, visit our community here:


You must be Logged on to comment or reply to a post.
  • HI Martina ,

    we planned to use sap sso authenticate with kerbos , but i faced an issue when i add a connection in sap gui using  connection type ” group/server ” , in secure network setting  i can’t enable ” activate secure network communication ” as shown below . i ask if there is any  missing thing to enable SNC when using server group connection .

    • Hi Ahmed,

      the connection using connection type “group/server” retrieves SNC parameters from the ABAP server. If SNC is not configured on the server, you cannot activate/deactivate SNC in SAP GUI. Please use the transaction “sncwizard” to configure your ABAP server for SNC first.



  • Hi Martina,


    I followed your configuration in video 1. I did exactly the same. When I try to login with SNC the following error comes up:

    SAP Secure Login Client is running. SPNEGO indicates green light. I used the same SPN and parameters like you.




  • Hello Martina.

    Do I need to have “Secure login Client” instaled? It’s the only option to implement single sign-on?

    Do I need an aditional license for this client?


    Thank you

    • Hello Dinis,

      the Secure Login Client is required for Kerberos-based authentication to the SAP Application Server ABAP when Windows-based SAP clients, such as SAP GUI, are used. SPNEGO does not require a client (no Secure Login Client is needed).

      When you want to implement SSO based on Kerberos/SPNEGO for AS ABAP server, you need a license for the SAP Single Sign-On product even if you don’t need a client.



  • Hi Martina- This is a very helpful post

    We are in process of performing a cloud migration of our client SAP landscape from on-prem to Azure.  The client currently leverages Kerberos for SSO to SAP GUI


    As we move the cloud the client SAP system will be running on a separate domain with a separate AD (different than the one where the front users currently authenticate to login to the system)


    Theoretically we understand we that Kerberos can be used for cross domain authentication if a trust is established between the two domains.  Need your help to understand couple of things

    Is there any end to end  documentation available to setup cross domain Kerberos authentication for SAP GUI (ABAP), if you have and can email us to :

    Will the client have to sync the two Active Directories (between 2 domains) for Kerberos based SSO to work – This is their biggest challenge and would want to avoid it

    If we setup trust between the two domains –  will the Active directory have to be synced



    Bhanu Saxena


  • Hi Martina,

    Wonderful blog … a couple of questions

    1. We have a rather old system, ERP 6.0 EHP5 on NW 7.02. We want to have SAPGUI SSO functionality. Can we use the SAP SSO products, either 2.0 or 3.0?
    2. Do we need standard maintenance license before we can purchase license for SAP SSO Products?



  • Hello Martina,


    We are configureing SSO on our system.

    Active directory configuration has been completed .

    Now in sncwizard we are not getting the option to validate the  password of the user against active directory.


    I have attached the image and highlighted the option with yellow which we are not getting while configuration.

  • hi Martina,

    following my previous comment.


    We continued without validating password and then came across these issues also



    • Hello,

      you need to install the Secure Login Client (SLC) in order to be able to validate the password.

      The DLL SNCAX.DLL is part of the Secure Login Client.

      Best regards,


  • Dear Martina,

    Thank you very much for your blog, i was able to configure most of it, but have an issue in seeing the   SPNs in SPNEGO transaction.

    I will explain my issue.

    i have created AD service account which is being used in spnego.

    added SPNs :- SAP/SID and http/FQDN for this service account.

    i am able to add this account in SPNEGO. i am able to sucessfully validate it with AD.

    but when i click on service principal names tab i get a message.

    “The current Windows domain is
    Please log on to the Windows domain to get more information.”

    Strange part is i am logged on to on my windows, and also the AD account is created in

    in SLC i see kerberos token from, i guess this is because our email server is hosted in cloud and has a different name, meaning my email is and not

    do you know how i should proceed.!

    thanks a lot in advance.



    • Hi Sujith,

      please create an additional KeyTab in transaction SPNEGO. Use your service account from domain, but create the KeyTab with domain Use the same password. No changes in the Active Directory are required.

      Click on the KeyTab with domain in order to perform SPN verification in transaction SPNEGO.

      Best regards,


      • Hello Martina,

        Thank you so much for the reply. I updated SLC to latest patch level and this behaviour is gone now.

        But have another problem, Now in the Service Principal names TAB in SPNEGO, nothing is listed.

        No Service Principal Names found

        Message no. SPN016

        I have checked with setspn –F –X I don’t see any duplicate entry for the service account I have created , when I do setspn –Q SAP/SID it shows me the correct CN Name and also the SPNs or if I do setspn –L sAMAccountName I get the list of SPN associated with this service user.

        sAMAccountName:- SAPGLO<SID>


        SPN created :- SAP/SID and HTTP/SAPSERVER.FQDN

        SAP server is based on Linux and not part of domain, AD is MS.

        Do you know why I am not able to see any SPNs in SPNEGO.

        thanks in advance.


        Warm Regards,



  • Hello Martina,

    Thanks a lot for the provided videos. It would be great if you could also post a scenario with SAP server is based on Linux and is not part of domain, AD is MS. I think I face similar issues like posted in the former post. For me the requirements are not clear or the steps that must be run that I could use the scenario also when SAP server is based on Linux.

    It would be great if you maybe have notes or other links or best practice for that case that could help us to setup such a Scenario for SAP server on Linux. I think the “Secure Login for SAP Single Sign-On Implemenation Guide” is so general and is not providing the required details.

    At the moment we are not able to set the user and password in transaction SPNEGO for the User Principal name it is telling that the user or password is wrong. But my fear is that we can’t even connect to the AD and the Domain we have entered. I have found the note 2010613 with report SNCAX_TEST there we got the information when running the report that “no user prinicpal in the domain was found“. No I don’t know if we have done somthing wrong in the user creation or if just noting is found in the domain because the domin is not reached. It is good to have a report like SNCAX_TEST but I think there should be also given hints how to solve the issues.

    Thanks and Best Regards,


  • Hi Martina! With SSO 3.0 all works fine with ABAP systems, but I cannot have Java systems to work (NW 7.50)

    I’ve done all what the video suggests, but it always asks me for user/password. Is it normal that with ABAP systems I have to map users in SU01 and with Java ones not ?
    (eg: MII, PO, etc)



    In SPNEGO configuration in NWA you have to set this if Logon Users are equal to domain users

    In the video the values are different


  • hi Martina,

    All our SAP ABAP systems are on AIX-Unix server, when i use the Kerberos sso set up here, it seems the Unix API is not working properly with SSO config and its not working. Could you please let us know, is there any restriction on OS version for Kerberos configuration.

    i have one questions on unix libraries used for kerboes, when we do any os maintenance or application patching, is it the current config will break or still it will continue to work.





  • Hello Martina,

    in our ECC 6.0 the transactions SNCWIZZARD adn SPNEGO are not available.

    I know haw to setup the snc parameters. But how can i link the Service Account create in the AD to the ABAP Server?

    In the video this is done in SAP but is there a way to perform this manuel?

    Kind regards,









    • Hello Bernhard,

      unfortunately, there currently doesn’t exist any documentation in case you don’t have transaction SPNEGO available. Please open a ticket and our primary support will be able to help you with this.



  • Hey,


    I followed your blog to configure SPNego for my dual stack system.

    ABAP stack: SSO is working perfect.

    Java Stack: SSO to NWA, SLD, Monitoring home is working fine but when I am trying to access Integration Builder and ESR I am getting pop up window to provide credential.

    It would be helpful if anyone faced similar issue  can suggest resolution.

  • Hello Martina. Is there the possibility to have an hybrid SSO, that is the user must insert the Windows Domain password in SAP every logon but without a “pure” SSO (without any password)

    SAP call it “Multiple Sign-On”, but I cannot find any document


  • Hi  Martina

    I have a question ! we are presently using Java SSO server ( 2.0 ) and we have integrated all our  sap systems  with SSO using below set-up on single domain

    1) User AD authentication ( MS domain controller ) with Kerberos Token
    2) Client Certificate / SPNEGO Token from SSO server ( Java)
    3) Secure login client profile
    Now we have a requirement to enable new domain to connec sapt using the same above set-up
    So we therefore enabled trust relationship between microsoft domains ( existing + new domain ) as per the below blog, but still the SSO mechanism is not working. Is there any limitations with SSO 2 that we can’t have multi-domain set-up ? or is there any note or link where i can refer ?
    • Hi Naveen,

      I am not aware that there are any restrictions in this regard with SAP Single Sign-On version 2.0.

      However, I recommend to use version 3.0, since mainstream maintenance for version 2.0 will end 31.12.2019.

      Best regards,


  • Hi Martina

    We have a requirement to setup SSO where user should be able to login to SAP with their Domain ID without prompting for user ID and password,we have backend system as S/4

    I was looking at blogs and understand that we need to have JAVA system to achieve this,is this true,could you please advise on how to proceed

    • Hi,

      if you want to use SAP Single Sign-On to implement SSO for Application Server ABAP based on Kerberos (SAP GUI) or SPNEGO (web-based applications), you do not need the Secure Login Server. No additional server component is required in this scenario.

      Please refer to the first two video tutorials above.

      Best regards,



      • Hi Martina,

        We need to establish SSO for ABAP stack systems whereas requirement is to not to use Secure Login client and non domain joined systems. Is it possible to perform any such configuration. We have established complete setup on ABAP stack and from domain joined systems we are able to perform SNC based SSO, but not all users use Domain joined laptops and sometime are authenticated from personal devices as well.

        Apart from that it is not possible to deploy SLC on each user machine. Please let us know the possibilities of implementing SSO for ABAP stack



  • Hello Martina,

    We are trying to implement SAP Single Sign-On 3.0 with Kerberos / SPNEGO.

    At the end of the configuration, we had the following error when trying to connect to the system with SNC and SSO :

    No user exist with SNC name “p:SECURE LOGIN ENCRYPTION ONLY MODE”

    It is a SAP_BASIS 7.02 SP12 release so transactions sncwizard and spnego does not exist.
    We configured the SSO manually. We have read the SAP Note 2554187 but it did not help.

    We configured successfully in a few minutes the SSO with Kerberos / SPNEGO in another system with a SAP_BASIS 7.02 SP18 release. In this system transaction spnego exists and sncwizard does not exist.

    Do you know how to perform manually the tasks of the spnego transaction ?

    Thank you.

    • Hi,

      you are probably using an old kernel version. There could be several reasons for the error message you described above. Please open a customer ticket for the problem, and our support team can assist you with the manual configuration.



    • Hi Adamin,

      Were you able to solve this issue: No user exist with SNC name “p:SECURE LOGIN ENCRYPTION ONLY MODE” ? 

      I’m also getting the same error. Please let me know at which area this was causing the issue ? Thank you



  • Hi Martina,

    Thank you for the useful blog.

    I have some doubt regarding the possibility of configuring the SSO in our company system (ECC 6.0 EHP8 on Hana and Sles 12).

    When i read about SSO in sap i thought there were just free options:

    1 SPNEGO

    2 SAP SSO

    3 SAML

    In the comments to your article i can see you are talking about license for using the Secure Login Client, but i was thinking that with the SPNEGO you could do even without Secure Login Client and license, isn’t it possible ? (if yes, is there and article about it? if no the license have to be per client/user or just for the sap instance?)

    Thanks and regards



  • Hi Martina,

    We have Implemented SPNEGO solution to ABAP system.

    I have a question regarding this solution.

    Can I use this solution and connect with SSO to SAP system with a different user?

    I’ll create a new Windows AD user – Test01 ,not known to SAP via SU01.

    I’ll use the command with user Sap01 (AD user as-well) which is known to SAP via SU01.

    I’ll use “runas” Sap01 “C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe”

    Is it possible to set the user to the “Sap01” instead of Test01 the logged-in user ?


    Moshe Ezra.





  • Hi Martina,

    We’ve solved our problem by:

    we change the runas for the : Secure Login Client

    Now every things works!




  • Hello Martina

    I try to get SSO running on a Java only system. I have read the articles about the mapping several times.

    The problem: My user id on the UME in Java is ABCD. My Windows Login is schmid.christian

    So no match there.

    We do have an Attribute in AD called “SAPID” where is abcd is maintained. Also the mail is the same on both system.

    But I can’t get it mapped. Looks like the string always is schmid.christian and not ABCD.


    Can you enlighten me 🙂


  • Hello Martina, I am an amateur Basis, and I have no experience in SSO, my company wants to hire a third-party portal and wants to integrate web dynpros into it.
    They ask me to investigate how to perform SSO on those web dynpro, I would like to know if this requires implementing SSO 3.0? What would be the best solution?
    Thank you!

  • Hello Martina,
    Thank you for excellent blog. I configured SNCWizard, created service user in AD and completed setup. After that maintained SNC username in SU01, installed Secure Login client for getting Kerberos tokens.
    Boom! I could login without userID password screen.
    In SNCWizard, I got below message:
    You are about to configure trust for single sign-on or SNC Client Encryption. Please note that for single sign-on you require a license for SAP Single Sign-on.
    As exception, the usage of SNC Client Encryption only without SSO is free as described in SAP Note 1643878.
    As per my understanding this is SSO using Kerberos tokens with help of Secure Login Client. 
    I am confused around licensing piece. Do we need any license for using Secure Login Client? I checked note 1643878 and did not get any direct answer. Do we need SAP Single Sign-On license for this setup? Please guide.