Skip to Content
Technical Articles
Author's profile photo Martina Kirschenmann

SAP Single Sign-On: Authenticate with Kerberos/SPNEGO

Overview

The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.

Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.

 

Implementing Single Sign-On with Kerberos

The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.

 

Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)

The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.

Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)

One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how to configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.

Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)

The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.

Recommendations and Troubleshooting

Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)

Blogs

Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources

Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information

For more information about SAP Single Sign-On, visit our community here:

https://community.sap.com/topics/single-sign-on.

 

Assigned Tags

      110 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Tobias Kübler
      Tobias Kübler

       

      Wow nice Posting, Thank you verry mutch

      Author's profile photo Former Member
      Former Member

      Very Nice Videos!! Easy to understand..

      Please let me know, how to configure SSO for AS ABAP, where windows domain ids and sap login ids are different.

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Mandar,

      you need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. Please see the video above, part 2.

      You will find further information in the SAP Single Sign-On implementation guide here:

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/be38170f4b2d4913a0845b5f921a06f2.html

      Regards,

      Martina

      Author's profile photo Ahmed Ragab
      Ahmed Ragab

      HI Martina ,

      we planned to use sap sso authenticate with kerbos , but i faced an issue when i add a connection in sap gui using  connection type " group/server " , in secure network setting  i can't enable " activate secure network communication " as shown below . i ask if there is any  missing thing to enable SNC when using server group connection .

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Ahmed,

      the connection using connection type "group/server" retrieves SNC parameters from the ABAP server. If SNC is not configured on the server, you cannot activate/deactivate SNC in SAP GUI. Please use the transaction "sncwizard" to configure your ABAP server for SNC first.

      Regards,

      Martina

      Author's profile photo Steffen Wetzler
      Steffen Wetzler

      Hi Martina,

       

      I followed your configuration in video 1. I did exactly the same. When I try to login with SNC the following error comes up:

      SAP Secure Login Client is running. SPNEGO indicates green light. I used the same SPN and parameters like you.

       

      Thanks,

      Steffen

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Steffen,

      you might have configured the wrong SNC library in the Secure Login Client. Please check the environment variable SNC_LIB and make sure it points to sapcrypto.dll. Then reinstall the Secure Login Client again.

      See also further details here:

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/26bb93534feb47e59a397a53bf5787fa.html

      Hope this helps.

      Regards,

      Martina

      Author's profile photo Steffen Wetzler
      Steffen Wetzler

      Thanks, this was the issue.

       

      Variable SNC_LIB had a wrong value. Now it works 🙂

      Author's profile photo Muhammad Bilal Barlas
      Muhammad Bilal Barlas

      Hi Matrina,

       

      I am trying to configure SSO for our system as per SSO Guide.

      While trying to set following ABAP profile parameters, its saying the parmeter is not known.

      spnego/construct_SNC_name
      spnego/enable
      spnego/krbspnego_lib

      Common Crypto Library version is 8.5.19

      NW 7.31 SP 05 ,

      Kernel 7.21 SP 402

      Could you please advise why these parameters are not availiable and how can i configure SSO for this system.

      Regards,

      Abuzar Ehteshamuddin

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Abuzar,

      SPNEGO is not supported with SAP_BASIS 7.31 SP05, this version is too old. You need SP07 or higher.

      Please see further details in SAP Note 1798979 "SPNego ABAP: Downport" here:

      https://launchpad.support.sap.com/#/notes/1798979

      Regards,

      Martina

      Author's profile photo Dinis Félix
      Dinis Félix

      Hello Martina.

      Do I need to have "Secure login Client" instaled? It's the only option to implement single sign-on?

      Do I need an aditional license for this client?

       

      Thank you

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Dinis,

      the Secure Login Client is required for Kerberos-based authentication to the SAP Application Server ABAP when Windows-based SAP clients, such as SAP GUI, are used. SPNEGO does not require a client (no Secure Login Client is needed).

      When you want to implement SSO based on Kerberos/SPNEGO for AS ABAP server, you need a license for the SAP Single Sign-On product even if you don’t need a client.

      Regards,

      Martina

      Author's profile photo Former Member
      Former Member

      Hi Martina- This is a very helpful post

      We are in process of performing a cloud migration of our client SAP landscape from on-prem to Azure.  The client currently leverages Kerberos for SSO to SAP GUI

       

      As we move the cloud the client SAP system will be running on a separate domain with a separate AD (different than the one where the front users currently authenticate to login to the system)

       

      Theoretically we understand we that Kerberos can be used for cross domain authentication if a trust is established between the two domains.  Need your help to understand couple of things

      Is there any end to end  documentation available to setup cross domain Kerberos authentication for SAP GUI (ABAP), if you have and can email us to : bsaxena@deloitte.com

      Will the client have to sync the two Active Directories (between 2 domains) for Kerberos based SSO to work - This is their biggest challenge and would want to avoid it

      If we setup trust between the two domains -  will the Active directory have to be synced

       

      Thanks

      Bhanu Saxena

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Bhanu,

      you can have a look at the following blog:

      Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment

      Hope this helps.

      Best regards,

      Martina

      Author's profile photo Jing Biscocho
      Jing Biscocho

      Hi Martina,

      Wonderful blog ... a couple of questions

      1. We have a rather old system, ERP 6.0 EHP5 on NW 7.02. We want to have SAPGUI SSO functionality. Can we use the SAP SSO products, either 2.0 or 3.0?
      2. Do we need standard maintenance license before we can purchase license for SAP SSO Products?

      Regards,

      Jing

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Jing,

      for the supported SAP NetWeaver versions for the different scenarios, please see the Product Availability Matrix (the presentation in section "Essential Information"):

      SAP Single Sign-On 3.0

      SAP Single Sign-On 2.0

      For questions concerning licensing, please contact your SAP account executive. Thanks.

      Best regards,

      Martina

      Author's profile photo Basis CG
      Basis CG

      Hello Martina,

       

      We are configureing SSO on our system.

      Active directory configuration has been completed .

      Now in sncwizard we are not getting the option to validate the  password of the user against active directory.

       

      I have attached the image and highlighted the option with yellow which we are not getting while configuration.

      Author's profile photo Basis CG
      Basis CG

      hi Martina,

      following my previous comment.

       

      We continued without validating password and then came across these issues also

       

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello,

      you need to install the Secure Login Client (SLC) in order to be able to validate the password.

      The DLL SNCAX.DLL is part of the Secure Login Client.

      Best regards,

      Martina

      Author's profile photo Sujith Krishna
      Sujith Krishna

      Dear Martina,

      Thank you very much for your blog, i was able to configure most of it, but have an issue in seeing the   SPNs in SPNEGO transaction.

      I will explain my issue.

      i have created AD service account which is being used in spnego.

      added SPNs :- SAP/SID and http/FQDN for this service account.

      i am able to add this account in SPNEGO. i am able to sucessfully validate it with AD.

      but when i click on service principal names tab i get a message.

      "The current Windows domain is abc.com
      Please log on to the Windows domain xyz.com to get more information."

      Strange part is i am logged on to xyz.com on my windows, and also the AD account is created in xyz.com.

      in SLC i see kerberos token from abc.com, i guess this is because our email server is hosted in cloud and has a different name, meaning my email is ks@abc.com and not ks@xyz.com.

      do you know how i should proceed.!

      thanks a lot in advance.

      Sujith

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Sujith,

      please create an additional KeyTab in transaction SPNEGO. Use your service account from domain xyz.com, but create the KeyTab with domain abc.com. Use the same password. No changes in the Active Directory are required.

      Click on the KeyTab with domain abc.com in order to perform SPN verification in transaction SPNEGO.

      Best regards,

      Martina

      Author's profile photo Sujith Krishna
      Sujith Krishna

      Hello Martina,

      Thank you so much for the reply. I updated SLC to latest patch level and this behaviour is gone now.

      But have another problem, Now in the Service Principal names TAB in SPNEGO, nothing is listed.

      No Service Principal Names found

      Message no. SPN016

      I have checked with setspn –F –X I don’t see any duplicate entry for the service account I have created , when I do setspn –Q SAP/SID it shows me the correct CN Name and also the SPNs or if I do setspn –L sAMAccountName I get the list of SPN associated with this service user.

      sAMAccountName:- SAPGLO<SID>

      UPN :- SVC_SAPGLOBAL_<SID>

      SPN created :- SAP/SID and HTTP/SAPSERVER.FQDN

      SAP server is based on Linux and not part of domain, AD is MS.

      Do you know why I am not able to see any SPNs in SPNEGO.

      thanks in advance.

       

      Warm Regards,

      Sujith

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Sujith,

      there could be several reasons for this. I would suggest that you open a customer incident for your problem.

      Thanks,

      Martina

      Author's profile photo Sujith Krishna
      Sujith Krishna

      Hi Martina,

      Thanks for the reply, i did open a OSS message, its running since several days back and forth.!

       

      Warm regards

      Sujith

      Author's profile photo Daniel Römer
      Daniel Römer

      Hello Martina,

      Thanks a lot for the provided videos. It would be great if you could also post a scenario with SAP server is based on Linux and is not part of domain, AD is MS. I think I face similar issues like posted in the former post. For me the requirements are not clear or the steps that must be run that I could use the scenario also when SAP server is based on Linux.

      It would be great if you maybe have notes or other links or best practice for that case that could help us to setup such a Scenario for SAP server on Linux. I think the “Secure Login for SAP Single Sign-On Implemenation Guide” is so general and is not providing the required details.

      At the moment we are not able to set the user and password in transaction SPNEGO for the User Principal name it is telling that the user or password is wrong. But my fear is that we can’t even connect to the AD and the Domain we have entered. I have found the note 2010613 with report SNCAX_TEST there we got the information when running the report that “no user prinicpal in the domain xxx.com was found“. No I don’t know if we have done somthing wrong in the user creation or if just noting is found in the domain because the domin is not reached. It is good to have a report like SNCAX_TEST but I think there should be also given hints how to solve the issues.

      Thanks and Best Regards,

      Daniel

      Author's profile photo Marco Bortolon
      Marco Bortolon

      Hi Martina! With SSO 3.0 all works fine with ABAP systems, but I cannot have Java systems to work (NW 7.50)

      I’ve done all what the video suggests, but it always asks me for user/password. Is it normal that with ABAP systems I have to map users in SU01 and with Java ones not ?
      (eg: MII, PO, etc)

       

      Thanks


      [EDIT] SOLVED!
      In SPNEGO configuration in NWA you have to set this if Logon Users are equal to domain users

      In the video the values are different

       

      Author's profile photo Project Parivartan
      Project Parivartan

      Dear Marco

      my  issue  is not  solve  same   problem  facing  can  can you help me

       

      Thanks

      Tejas

      Author's profile photo VenkataRao Daggupati
      VenkataRao Daggupati

      hi Martina,

      All our SAP ABAP systems are on AIX-Unix server, when i use the Kerberos sso set up here, it seems the Unix API is not working properly with SSO config and its not working. Could you please let us know, is there any restriction on OS version for Kerberos configuration.

      i have one questions on unix libraries used for kerboes, when we do any os maintenance or application patching, is it the current config will break or still it will continue to work.

      thanks

      Venkata

       

       

      Author's profile photo Serge Quodbach
      Serge Quodbach

      Hi Former Member

      Did you have a solution to setup correctly SSO on Unix where ABAP system is installed?

      Thanks

      Hic

      Author's profile photo Bernhard Schöberl
      Bernhard Schöberl

      Hello Martina,

      in our ECC 6.0 the transactions SNCWIZZARD adn SPNEGO are not available.

      I know haw to setup the snc parameters. But how can i link the Service Account create in the AD to the ABAP Server?

      In the video this is done in SAP but is there a way to perform this manuel?

      Kind regards,

      Bernhard

       

       

       

       

       

       

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Bernhard,

      unfortunately, there currently doesn't exist any documentation in case you don't have transaction SPNEGO available. Please open a ticket and our primary support will be able to help you with this.

      Thanks,

      Martina

      Author's profile photo MD SHAHBAZ SHAKIL
      MD SHAHBAZ SHAKIL

      Hey,

       

      I followed your blog to configure SPNego for my dual stack system.

      ABAP stack: SSO is working perfect.

      Java Stack: SSO to NWA, SLD, Monitoring home is working fine but when I am trying to access Integration Builder and ESR I am getting pop up window to provide credential.

      It would be helpful if anyone faced similar issue  can suggest resolution.

      Author's profile photo Marco Bortolon
      Marco Bortolon

      Hello Martina. Is there the possibility to have an hybrid SSO, that is the user must insert the Windows Domain password in SAP every logon but without a “pure” SSO (without any password)

      SAP call it "Multiple Sign-On", but I cannot find any document

      Thanks,
      Marco

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Marco,

      yes, we support multiple sign-on. For example, you can force users to enter their user name and password every time they log on to an Application Server ABAP using SNC.

      You will find the documentation here:

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/8b5500efc24147758cbf918cd829bbdb.html

      Best regards,

      Martina

      Author's profile photo Marco Bortolon
      Marco Bortolon

      Thaaanks Martina! It works! 🙂

      I knew that regkey, but one year ago I found a similar document that shown only 3 options (0-1-2) and not the other ones. With the option "4" it does what I want

      The only limitation I've found is that with WEBGUI or JAVA Systems is always a real SSO, so it doesn't ask me for a password (I've configured SPNEGO to work both via GUI and HTTP in ABAP systems)

       

      Marco

      Author's profile photo Naveen Seri
      Naveen Seri

      Hi  Martina

      I have a question ! we are presently using Java SSO server ( 2.0 ) and we have integrated all our  sap systems  with SSO using below set-up on single domain

      1) User AD authentication ( MS domain controller ) with Kerberos Token
      2) Client Certificate / SPNEGO Token from SSO server ( Java)
      3) Secure login client profile
      Now we have a requirement to enable new domain to connec sapt using the same above set-up
      .
      So we therefore enabled trust relationship between microsoft domains ( existing + new domain ) as per the below blog, but still the SSO mechanism is not working. Is there any limitations with SSO 2 that we can't have multi-domain set-up ? or is there any note or link where i can refer ?
      https://blogs.sap.com/2015/07/24/kerberosspnego-for-sap-as-abap-in-a-multi-domain-environment/
      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Naveen,

      I am not aware that there are any restrictions in this regard with SAP Single Sign-On version 2.0.

      However, I recommend to use version 3.0, since mainstream maintenance for version 2.0 will end 31.12.2019.

      Best regards,

      Martina

      Author's profile photo Itellibasis Itellibasis
      Itellibasis Itellibasis

      Hi Martina

      We have a requirement to setup SSO where user should be able to login to SAP with their Domain ID without prompting for user ID and password,we have backend system as S/4

      I was looking at blogs and understand that we need to have JAVA system to achieve this,is this true,could you please advise on how to proceed

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi,

      if you want to use SAP Single Sign-On to implement SSO for Application Server ABAP based on Kerberos (SAP GUI) or SPNEGO (web-based applications), you do not need the Secure Login Server. No additional server component is required in this scenario.

      Please refer to the first two video tutorials above.

      Best regards,

      Martina

       

      Author's profile photo Naveen Garg
      Naveen Garg

      Hi Martina,

      We need to establish SSO for ABAP stack systems whereas requirement is to not to use Secure Login client and non domain joined systems. Is it possible to perform any such configuration. We have established complete setup on ABAP stack and from domain joined systems we are able to perform SNC based SSO, but not all users use Domain joined laptops and sometime are authenticated from personal devices as well.

      Apart from that it is not possible to deploy SLC on each user machine. Please let us know the possibilities of implementing SSO for ABAP stack

      Thanks

      Naveen

      Author's profile photo Admin Audioptic
      Admin Audioptic

      Hello Martina,

      We are trying to implement SAP Single Sign-On 3.0 with Kerberos / SPNEGO.

      At the end of the configuration, we had the following error when trying to connect to the system with SNC and SSO :

      No user exist with SNC name "p:SECURE LOGIN ENCRYPTION ONLY MODE"

      It is a SAP_BASIS 7.02 SP12 release so transactions sncwizard and spnego does not exist.
      We configured the SSO manually. We have read the SAP Note 2554187 but it did not help.

      We configured successfully in a few minutes the SSO with Kerberos / SPNEGO in another system with a SAP_BASIS 7.02 SP18 release. In this system transaction spnego exists and sncwizard does not exist.

      Do you know how to perform manually the tasks of the spnego transaction ?

      Thank you.

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi,

      you are probably using an old kernel version. There could be several reasons for the error message you described above. Please open a customer ticket for the problem, and our support team can assist you with the manual configuration.

      Thanks,

      Martina

      Author's profile photo Raj Waran
      Raj Waran

      Hi Adamin,

      Were you able to solve this issue: No user exist with SNC name “p:SECURE LOGIN ENCRYPTION ONLY MODE” ? 

      I'm also getting the same error. Please let me know at which area this was causing the issue ? Thank you

       

      -Raj

      Author's profile photo Federico Pancucci
      Federico Pancucci

      Hi Martina,

      Thank you for the useful blog.

      I have some doubt regarding the possibility of configuring the SSO in our company system (ECC 6.0 EHP8 on Hana and Sles 12).

      When i read about SSO in sap i thought there were just free options:

      1 SPNEGO

      2 SAP SSO

      3 SAML

      In the comments to your article i can see you are talking about license for using the Secure Login Client, but i was thinking that with the SPNEGO you could do even without Secure Login Client and license, isn't it possible ? (if yes, is there and article about it? if no the license have to be per client/user or just for the sap instance?)

      Thanks and regards

      Federico

       

      Author's profile photo Moshe Ezra
      Moshe Ezra

      Hi Martina,

      We have Implemented SPNEGO solution to ABAP system.

      I have a question regarding this solution.

      Can I use this solution and connect with SSO to SAP system with a different user?

      I'll create a new Windows AD user - Test01 ,not known to SAP via SU01.

      I'll use the command with user Sap01 (AD user as-well) which is known to SAP via SU01.

      I'll use "runas" Sap01 "C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe"

      Is it possible to set the user to the "Sap01" instead of Test01 the logged-in user ?

      Regards,

      Moshe Ezra.

       

       

       

       

      Author's profile photo Moshe Ezra
      Moshe Ezra

      Hi Martina,

      We've solved our problem by:

      we change the runas for the : Secure Login Client

      Now every things works!

      Thank's!

      Regards,

      Moshe

      Author's profile photo Christian Schmid
      Christian Schmid

      Hello Martina

      I try to get SSO running on a Java only system. I have read the articles about the mapping several times.

      The problem: My user id on the UME in Java is ABCD. My Windows Login is schmid.christian

      So no match there.

      We do have an Attribute in AD called "SAPID" where is abcd is maintained. Also the mail is the same on both system.

      But I can't get it mapped. Looks like the string always is schmid.christian and not ABCD.

       

      Can you enlighten me 🙂

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Christian,

      for SPNEGO you can configure user mapping. Please refer to the following documentation:

      https://help.sap.com/viewer/8d084639453b41579938aefc0bda7068/1909.001/en-US/f41978c3a37a441b87a89d61c1a08689.html

      Best regards,

      Martina

      Author's profile photo Maximiliano Lasalvia
      Maximiliano Lasalvia

      Hello Martina, I am an amateur Basis, and I have no experience in SSO, my company wants to hire a third-party portal and wants to integrate web dynpros into it.
      They ask me to investigate how to perform SSO on those web dynpro, I would like to know if this requires implementing SSO 3.0? What would be the best solution?
      Thank you!

      Author's profile photo Vinod Patil
      Vinod Patil
      Hello Martina,
      Thank you for excellent blog. I configured SNCWizard, created service user in AD and completed setup. After that maintained SNC username in SU01, installed Secure Login client for getting Kerberos tokens.
      Boom! I could login without userID password screen.
      In SNCWizard, I got below message:
      You are about to configure trust for single sign-on or SNC Client Encryption. Please note that for single sign-on you require a license for SAP Single Sign-on.
      As exception, the usage of SNC Client Encryption only without SSO is free as described in SAP Note 1643878.
      As per my understanding this is SSO using Kerberos tokens with help of Secure Login Client. 
      I am confused around licensing piece. Do we need any license for using Secure Login Client? I checked note 1643878 and did not get any direct answer. Do we need SAP Single Sign-On license for this setup? Please guide.
      Regards,
      Vinod
      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Vinod,

      yes, you need a license for the SAP Single Sign-On product.

      Best regards,

      Martina

      Author's profile photo Vinod Patil
      Vinod Patil

      Thank you and have a nice day ahead!

      Author's profile photo Pankaj Adhikari
      Pankaj Adhikari

      Hi Martina

      Thnx for the wonderful document. I need your advice in one situation where we migrated a client from AIX to Linux (new hosting partner). SSO was working fine with AIX. Our Linux version is SUSE 12 SP5 which is almost latest & SAP_BASIS version is 701. We have done all the required configuration but still SSO is not working for us. We don’t have SNCWIZARD or SNCCONFIG probably due to low version. The error we are getting is

      GSS-API(maj):Miscellaneous failure.

      GSS-API(min):SSPI::IniSctx10==specified target is unknown or unreac

      target=…..

      Error in SNC

      Can the issue be due to compatibility issue between Suse version (latest version) with SAP_BASIS version (low version)?

      Can you pls advice.

      Regards

      Pankaj

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Pankaj,

      are you using the GSSKRB5 library? This Kerberos solution is no longer supported by SAP. Please refer to SAP note 352295.

      Best regards,

      Martina

      Author's profile photo Pankaj Adhikari
      Pankaj Adhikari

      Thanks Martina. Yes SNC_LIB variable on AD is gsskrb5.dll. Any options we have now? Earlier it was working when on OS AIX but not working since migrated on Suse Linux. We just need it to login to GUI.

      Regards

      Pankaj

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Pankaj,

      you can use the SAP Single Sign-On product, as described in the blog post above.

      Best regards,

      Martina

      Author's profile photo Uday Kumar Avula
      Uday Kumar Avula

      Hi Martina

      We wanted to implement SSO between SAPGUI and FIORI,we proposed SAP SSO 3.0 to customer but due high license customer is not keen to buy it

      Could you let us know if we can still implement SSO with Kerberos using SNC for ABAP?

       

      Regards

      Uday

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Uday,

      if you want to access the ABAP systems via SAP GUI, then you need the SAP Single Sign-On product using Kerberos or X.509 certificates as SSO tokens.

      Best regards,

      Martina

      Author's profile photo Mohiuddin Subhani
      Mohiuddin Subhani

      Hello Martina Kirschenmann,

      Thank you very much for this blog.
      I am unable to access the below 3 videos. I am getting error "Video unavailable. This video is private."
      Can you kindly advise, how can I view the below 3 videos?

      1. Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)
      2. Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)
      3. Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)

      Thanks & Regards,
      Mohi

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Mohi,

      The videos were temporarily unavailable, but they are up and running again. Sorry for the inconvenience.

      Best regards,

      Martina

      Author's profile photo SrinivasReddy M
      SrinivasReddy M

      Thank you Martina ,

      Can you please grant access to view the 3 videos related to kerberos-Based SSO.

      Thanks

      Srini

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Srini,

      The videos were temporarily unavailable, but they are up and running again. Sorry for the inconvenience.

      Best regards,

      Martina

      Author's profile photo Hugo Cid
      Hugo Cid

      Thanks for sharing your SSO experience

      Please can you give me access to the 3 videos please.

      Part 1: Kerberos-Based SSO to Application Server ABAP
      Part 2: Kerberos-Based SSO to Application Server ABAP - Mass User Mapping
      Part 3: Kerberos-Based SSO to Application Server Java

      Thank you.

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Hugo,

      The videos were temporarily unavailable, but they are up and running again. Sorry for the inconvenience.

      Best regards,

      Martina

      Author's profile photo Josep Paredes
      Josep Paredes

      Hello,

      Reading notes 2949593 and 1732610 we have doubts about the availability of SPNego method on JAVA Netweaver. It is still valid?

      This paragraph is a little confusing for us, only indicating ABAP.

      Note that the authentication method SPNego is only supported in AS ABAP if the product SAP Single-Sign-On 2.0 (or higher) was licensed and if the technical requirements (described in note 1798979) are fulfilled.

      Thanks a lot

      Best Regards

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Josep,

      yes, SPNego is also supported for SAP NetWeaver Application Server Java. See the configuration video Part 3 above.

      Concerning SAP Note 1732610, this only applies to Application Server ABAP as SPNego with AS ABAP requires a license for the SAP Single Sign-On product. However, SPNego with AS Java is already provided in the SAP standard and does not require a separate license for the SAP Single Sign-On product.

      Hope this clarifies your question.

      Best regards,

      Martina

      Author's profile photo Josep Paredes
      Josep Paredes

      Hello Martina,

       

      Thanks for the response. I configured SPNego with AS Java following the video but it does not work, the MII page still show the user password screen.

      How can I test the SSO to found where is my problem? The users must be created in the AS JAVA? Thanks again for your help

      This is the error:

      LOGIN.FAILED
      User: N/A
      IP Address: XXX.XXX.XXX.XXX
      Authentication Stack: sap.com/xapps~xmii~ear*XMII
      Authentication Stack Properties:
      policy_domain = /XMII
      realm_name = Upload Protected Area

      Login Module Flag Initialize Login Commit Abort Details
      1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
      2. com.sap.security.core.server.jaas.SPNegoLoginModule SUFFICIENT ok exception true Trigger SPNEGO authentication.
      3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
      4. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
      No logon policy was applied#

      LOGIN.OK
      User: Administrator
      IP Address: XXX.XXX.XXX.XXX
      Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd
      Authentication Stack Properties:
      policy_domain = /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd
      realm_name = Upload Protected Area

      Login Module Flag Initialize Login Commit Abort Details
      1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
      2. com.sap.security.core.server.jaas.SPNegoLoginModule SUFFICIENT ok exception true SPNego authentication has failed during previous attempt.
      3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
      4. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
      Central Checks true
      Logon policies are disabled#

      The last login is using the user/password prompt

      Best regards

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Josep,

      if you cannot find a solution in the SPNego troubleshooting note, please open a customer ticket.

      Best regards,

      Martina

      Author's profile photo Bosco Thimmegowda
      Bosco Thimmegowda

      Hello Martina,

      I am trying to implement java-SAP GUI 7.50 rev 12 application in Mac-OS platform.We are using Kerberos based SSO in our landscape, I need to configure sncgss.dyld file to work further. which is not available in SAP Java GUI. Could you please help us on this.

      Java GUI connection parameter is on MAC OS conn=/H/hostname.domain.net/S/3200&sncon=true&sncname=p/krb5:SAPServiceSID@DOMAIN.NET&sncqop=4&manualLogin

       

      Connection failed

      Error: SNCERR_UNKNOWN_MECH SncPlmportPrName() parsing error.

      Thanks and Regards
      Bosco

      Author's profile photo Anastasio Molano
      Anastasio Molano

      Hello Martina,

       

      I configured SSO for SAP Netweaver 7.02 and login into the Netweaver portal is working fine but the following scenario is not working as I expected.

       

      I build a external Java program with Kerberos authentication which is able to connect agains SAP ERP and execute BAPIs.

      To make that works the application is able to get the SAP logon ticket using the following approach:

      1. Get Kerberos ticket from the logged-in used.
      2. Request Kerberos ticket for a SAP Nerweaver URL.
      3. Perform a GET operation on the URL with Kerberos ticket from previous step.
      4. From the HTTP response get the SAP login ticket from the cookie "MYSAPSSO2"

      My application only work if the Kerberos account(with their SPN) is configured with Open Delegation.

      So, If the account is configured with constraint delegation(enabling to delegate tickets for the service HTTP/<SAP_server>) the  application get the Kerberos ticket properly but the GET operation on the SAP Netweaver URL returns a 401(Unauthorized).

       

      I was looking information about this and I found that there is an Single Sign-On extension library which should allow to make contraint delegation to work properly.

      Bug the problem I found (in this document) is that only is supported for version 7.3 (or newer).

      Could you indicate me if there is any change to make constraint delegation work properly in SAP Netweaver 7.02?

      Regards

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Anastasio,

      as indicated in the system requirements, you can install the extension for Kerberos constrained delegation on SAP NetWeaver Application Server (AS) Java 7.30 or higher.

      Best regards,

      Martina

      Author's profile photo Anastasio Molano
      Anastasio Molano

      Thanks for the reply,

      As I understand there is no option to make constraint delegation work in SAP Netweaver 7.02 🙁

       

      Regards.

      Author's profile photo Romero Boris
      Romero Boris

      Hi Martina,

       

      Thank you for your blog which explains in details the SSO configuration. I have followed all the steps and when I try to check the AD service user against AD in transaction SPNEGO I get the following error:

      "Check user in Active Directory  -  Logon failure: the user has not been granted the r

      Message no. SPN028

      Requirements

      You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.

      Diagnosis

      This message comes from Active Directory.

      This function tries to verify whether the selected Kerberos Principal Name exists in Active Directory. The Check User Principal in AD button enables you to validate the Kerberos Principal User against Active Directory. You enter the password of Active Directory, and the front-end control checks whether Active Directory has a user with this Kerberos Principal Name in the userPrincipalName attribute.

       

      Procedure

      If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory."

       

      I have created the AD service user with the SPN:

       

      SAP/<SID>

      HTTP/<FQDN>

       

      Appreciate if you can provide your thoughts

       

      Regards

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Boris,

      for resolution of your problem, please open a customer ticket for component BC-SEC-LGN.

      Best regards,

      Martina

      Author's profile photo Sadeesh Murugesan
      Sadeesh Murugesan

      Hi Romero,

      I had also faced the exact issue while validating the service user in SPNEGO and contacted our AD team. They had provided full admin privileges to the service user created in AD.

      Once admin privileges had been provided, password validation was successful with the message "Password of user <user ID> successfully validated against AD".

      But our AD team had removed the given privileges and asking us for a justification why this user needs full admin privileges and what it is exactly doing? We reached out to SAP last month, but still no response.

      One thing I noticed was though the password validation fails (for new user without admin privilege), I continued saving the AD user password in SPNEGO and the keytab file got saved and token check against SPN & UPN was also successful. SSO is also working fine without any issues.

      SNCAX_TEST report also able to verify the SPN and kerberos token and only password check is failing. In secstore, for SPNEGO application, Keytab technical check and application check was also successful and all green.

      As per my understanding, though password validation against AD fails with error "Check user in Active Directory  -  Logon failure: the user has not been granted the r Message no. SPN028" will not impact the SSO configuration, as in my case SSO is working fine without any issues. Feel free to correct me if my understanding is wrong.

      Also, kindly let me know if you were able to fix the password validation issue?

      Thanks,

      Sadeesh M

      Author's profile photo Romero Boris
      Romero Boris

      Hi Sadeesh,  Yes I was able to fix it. Essentially what I did was to ignore the message and it went through. Although I had the message It seems it was all OK.

      Regards

       

      Author's profile photo Sadeesh Murugesan
      Sadeesh Murugesan

      Hi Romero,

      Thanks for the update! This was the case for me as well, I too ignored the message and SSO is working fine even though password validation against AD fails for the service user maintained in SPNEGO.

      Thanks,

      Sadeesh M

      Author's profile photo Jorge Cosso
      Jorge Cosso

      Hi Martina

       

      This procedure can be applied in a S4HANA on Linux?

       

       

      Best regards

       

      Jorge

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Jorge,

      please check the Product Availability Matrix, available here:

      https://apps.support.sap.com/sap/support/pam?hash=pvnr%3D67837800100900008795%26pt%3Dg%257Cd

      Best regards,

      Martina

      Author's profile photo DVPG Murthy
      DVPG Murthy

      Hi Martina,

      Thank very much for the detailed blog.

      We want to implement the SSO using the kerberos, under the assumption, there is no extra license. Just want to check with you, is the process mentioned in the below blog is same as the process mentioned by you ? why i'm asking this because as per the blog, we need to have a valid license to download the product SAP NetWeaver Single Sign-On from SAP marketplace.

      https://blogs.sap.com/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration/#:~:text=Enter%20the%20SNC%20Name%20to,%40fair.sap.corp.&text=Start%20transaction%20SU01%20and%20enter,client))%20for%20the%20User.&text=Now%20you%20can%20test%20your,Windows%20to%20a%20SAP%20system.

       

      License

      License

      and also want to check with you, Can we enable the SSO integration (Kerberos) when Windows usernames differ from SAP usernames 

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello,

      the blog you are referring to is quite old and was written for the older product versions SAP NetWeaver Single Sign-On 1.0 and 2.0. The current release of the product is SAP Single Sign-On 3.0. In any case, if you want to use SSO via Kerberos/SPNEGO you need a license for the SAP Single Sign-On product.

      Concerning your second question: Yes, the Windows user names can differ from the SAP user names. You have to do a mapping. The configuration is done in the SAP ABAP system -> user management, SU01 -> SNC configuration (map SNC user name from Kerberos token to SAP ABAP user name). The procedure is also described in the first two videos above.

      Best regards,

      Martina

      Author's profile photo DVPG Murthy
      DVPG Murthy

      Thanks for the information Martina

      if we have license, we should be able to download the files. right ? or how do a make sure my Client has already has a license for the SSO.

      SSO3

       

      and also Can we enable the SNC only with out the SSO ? if so, please guide me to the process and also to do this also we need to have the license ?

      SSO3

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello,

      yes, once you have the license you will be able to download the files for the SAP Single Sign-On 3.0 product from the Software Downloads.

      Concerning your second question:

      If you don't require SSO functionality, you can use SNC Client Encryption 2.0. SNC Client Encryption 2.0 allows you to encrypt the communication between client (SAP GUI) and server (AS ABAP), and is part of the SAP NetWeaver Application Server license. But it does not offer single sign-on functionality.

      For more detailed information about SNC Client Encryption 2.0, here is the link to the central SAP note: https://launchpad.support.sap.com/#/notes/2440692

      Best regards,

      Martina

      Author's profile photo R. Veenman
      R. Veenman

      Great blog and videos.
      However, one thing should really be highlighted:

      RC4 and DES are deprecated nowadays. After disabling RC4 and DES on desktops/laptops webdynpro SSO stopped working.

      Hence, the tick boxes for "Kerberos AES 128 bit encryption" and/or "Kerberos AES 256 bit encryption" must be enabled for the AD service accounts. This will enable AES encryption in webdynpro sso and SNC sso which is a much stronger algorithm.

      Author's profile photo Pankaj Singh
      Pankaj Singh

      Hi Martina,

      With FIPS 140-2 certification of SAP’s CommonCryptoLib Crypto Kernel version 8.4.47.0 and higher.

      If we enable SAP's cryptographic Kernel (Crypto Kernel) following note https://launchpad.support.sap.com/#/notes/2117112. Would we still consider implementing SNC Client Encryption for GUI/RFC communication.

      Also regarding HTTPS communcation e.g. Fiori. How does Crypto Kernel help. Does it complement SSL TLS1.2.

      Author's profile photo Rajanikanth Valluri
      Rajanikanth Valluri

      Hi Martina,

      Want to check with you, if we want to enable SNC only, do we need to perform the below steps ? and also want to check if we go ahead with SSO, will the below steps will be taken care while installing the Secure Login Client? below documentation from the guide which is attached in note ::  https://launchpad.support.sap.com/#/notes/0002185235  

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Rajanikanth,

      SNC Client Encryption 1.0 is out of maintenance. Please use SNC Client Encryption 2.0, see detailed information in SAP Note 2440692.

      For Secure Login Client installation, please refer to our documentation.

      Best regards,

      Martina

      Author's profile photo Sadeesh Murugesan
      Sadeesh Murugesan

      Hi Martina,

      I would like to thank you for this wonderful step by step video, which helped me a lot to complete the SSO configuration in our SAP systems. 

      Excellent!

      Thanks.

      Sadeesh M

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Sadeesh,

      I am happy to hear this. Thank you!

      Best regards,

      Martina

      Author's profile photo Vanesa Molina
      Vanesa Molina

      Hi Martina, is it possible to implement SSO with Kerberos using SAP JCO in a java app? Thanks.

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Vanesa,

      No, you cannot use Kerberos for RFC with JCo. RFC with JCo only supports X.509 certificates.

      There is only one exception for RFC with Kerberos, see SAP Note 2780475.

      Best regards,

      Martina

      Author's profile photo Edgar Perez
      Edgar Perez

      Hello Martina ,

      I am using your blog to better understand the SSO configuration in our test environment, however the step-by-step videos are not available.

      Could you provide me access to the videos?

      Best regards,

      Edgar.

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hello Edgar,

      The videos were temporarily unavailable, but they are up and running again. Sorry for the inconvenience.

      Best regards,

      Martina

      Author's profile photo Antonio Nicosia
      Antonio Nicosia

      Hi Martina, we want to apply SSO with Kerberos that resolves the name of the Active directory. We have SAP EHP4 but we don't have the SNCWIZARD. As SAP operating system it is installed on Red Hat 8.4. What do you recommend us to implement SSO? Thanks

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Antonio,

      Unfortunately, there currently doesn’t exist any documentation in case you don’t have transactions SPNEGO / SNCWIZARD available. Please open a ticket and our primary support will be able to help you with this.

      Thanks,

      Martina

      Author's profile photo Antonio Nicosia
      Antonio Nicosia

      Thanks Martina !!

      Author's profile photo Ali Hassan
      Ali Hassan

      Hi,

      Based on the following link in SAP help, does this a license free way of setting up SSO? The help document does not mention anything about licensing. Also if we use this approach do I need to run sncwizard?

      https://help.sap.com/saphelp_nw73/helpdata/en/44/0ebb40b9920d1be10000000a114a6b/frameset.htm

      regards

      Hasan

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Hasan,

      The old solution using gsskrb5.dll/gx64krb5.dll (MIT Kerberos solution) is no longer supported by us. For more details, please refer to SAP Note 352295 and SAP Note 150380. We recommend to use the SAP Single Sign-On product.

      Best regards,

      Martina

      Author's profile photo Ali Hassan
      Ali Hassan

      Hi Martina

      Well noted and thank you.

      BR

      Hasan

       

      Author's profile photo Anoop Shankaran
      Anoop Shankaran

      Martina, thanks for the detailed steps!

      We currently do not have the SNCWIZARD t-code. However, is it possible to achieve the same using t-codes SNC0 to SNC4?

      Thank you!

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Anoop,

      Unfortunately, there currently doesn’t exist any documentation in case you don’t have the transaction SNCWIZARD available. Please open a ticket and our primary support will be able to help you with this.

      Thanks,

      Martina

      Author's profile photo Abhijit Barui
      Abhijit Barui

      Dear Martina,

      We have a requirement in which the service user created in the domain for SSO will have a password expiry (password never expires cannot be set) and whenever we set the new password on expiry it should not be required to reconfigure the SPNego...is this possible?

      Please advice.

      Regards

       

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Abhijit,

      When the service account needs a new password, the old keyTab from the transaction SPNEGO needs to be deleted and the new keyTab (service account and new password) needs to be created. Otherwise SNC with Kerberos or SPNego in the browser will no longer work.

      Best regards,

      Martina

      Author's profile photo Eduardo da Cunha Kaminski
      Eduardo da Cunha Kaminski

      Hi Martina,

      thanks for the blog!

      I setup SSO to SAP Gui SSO with Kerberos that work's fine, but at Web/Fiori access is not working.

      Gui connect directly server by hostname like s4.domain.local

      Fiori connect by WebDispatcher by FQDN with other DNS suffix like s4.domain.com

      The Kerberos REAL is domain.local

      I set SPN for both

      SAP/<sid>

      HTTP/s4.domain.local

      HTTP/s4.domain.com

      When we access to s4.domain.com we are receiving a message "Authentication token is of type NTLM instead of SPNEGO."

      did you already see the same?

       

      Thanks

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Eduardo,

      please check the SPNego ABAP: Troubleshooting Note available here:

      https://launchpad.support.sap.com/#/notes/0001732610

      Refer to section "3.2.3 NTLM token received". And also check section 2.2 about how to enable your browser for SPNego.

      Hope this helps.

      Best regards,

      Martina

      Author's profile photo Hubert Pikus
      Hubert Pikus

      Hello Martina.

      Our SAP - Systems are outsorced and we must realize a SSO
      with the AzureAD.

      Is a SSO for the SAPGUI with the AzureAD possible?
      What must we configured in the transaction SPNEGO?
      What must i defined, that the SAP-System know, that the SSO is
      realized with the AzureAD?

      Many thanks for your help?

      Hubert

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Hubert,

      Azure AD is a cloud-based SAML Identity Provider and can be used with browser-based business applications. However, Azure AD does not support desktop clients such as SAP GUI, as these are not compatible with the SAML protocol. For these desktop clients, SAP Single Sign-On is required, using Kerberos or X.509 certificates as SSO tokens.

      You could use the Secure Login Web Client, which is a component of the SAP Single Sign-On product. The Secure Login Web Client can accept a SAML 2.0 assertion as security token and in return provision an X.509 certificate for single sign-on of desktop applications such as SAP GUI.

      See documentation here:

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/dce8de8d2b4547038b9c5b3c361ad502.html

      https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/bf25ca2ceb8f4baba6069d955fbb2a4c.html

      Best regards,

      Martina

      Author's profile photo Hubert Pikus
      Hubert Pikus

      Hello Martina.

      Many, many thanks for your information!!

      Best regards.

      Hubert

       

      Author's profile photo Muhammad Zaman Arshad
      Muhammad Zaman Arshad

      Hi Martina,

       

      I have configured SSO in our system. While creating the keytab in SPNego, we are getting the following error. Please suggest the way forward

      Author's profile photo Martina Kirschenmann
      Martina Kirschenmann
      Blog Post Author

      Hi Muhammad,

      please open a customer ticket for your problem. Our support team will be able to assist you.

      Thanks,

      Martina