Technical Articles
SAP Single Sign-On: Authenticate with Kerberos/SPNEGO
Overview
The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.
Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.
Implementing Single Sign-On with Kerberos
The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.
Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)
The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.
Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)
One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how to configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.
Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)
The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.
Recommendations and Troubleshooting
Single Sign-On with Kerberos: Recommendations & Troubleshooting
Troubleshooting SPNego for ABAP (SAP Note 1732610)
Blogs
Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP
Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment
SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates
Additional Resources
Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)
Single Sign-On to SAP BusinessObjects BI Platform 4.0
Mobile Single Sign On from iOS 7 to SAP NetWeaver
Take the SAP Fiori Experience to a New Level with SAP Single Sign-On
More Information
For more information about SAP Single Sign-On, visit our community here:
https://community.sap.com/topics/single-sign-on.
Hello All,
I get a error while validating the password .
But the user exists in Active directory with never expire and also AD admin was able to login with below ID and password.
Can you please guide if iam missing anything.
Check user in Active Directory - We can't sign you in with this credential because
Message no. SPN028
Requirements
You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.
Diagnosis
This message comes from Active Directory.
This function tries to verify whether the selected Kerberos Principal Name exists in Active Directory. The Check User Principal in AD button enables you to validate the Kerberos Principal User against Active Directory. You enter the password of Active Directory, and the front-end control checks whether Active Directory has a user with this Kerberos Principal Name in the userPrincipalName attribute.
Procedure
If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory.
Regards
Shekar
SSO
Hello Shekar,
it looks like you are not in the right domain. Therefore, the verification does not work.
You can try to generate the keyTab without password validation and go to the tab Service Principal Names. There you will see that you don't have the domain as your service account.
Regards,
Martina
Hello Martina,
Thanks for your reply.
Can you please let me know how to overcome the issue.
regards
Shekar
Service Principal Name
Hello Martina,
After logging with the user in domain, the issue is resolved.
Currently iam having another issue, please see screen below.
Token check in in status RED
Regards
Shekar
Hello Shekar,
please open a customer ticket to resolve your problem.
Thanks,
Martina
Hi Shekar,
Have you got the right solution for the above issue?I am also stuck with the same " Token Check"Error,If possibile could you share the fix information.
Best Regards
Sreekanth
We are able to download the SAP Single Sign On 3.0 which is appearing when we go to the SAP Marketplace or Support center.
However when we check with our SAP Sales Executive, he mentioned that we don't have license.
But if we are not wrong according to one of the SAP Note - 1876552 - Unable to find SAP Single Sign-On product on ONE Support Launchpad - SAP ONE Support Launchpad, it mentioned the SAP Single Sign On 3.0 will only appear for download if customer already have a license.
Any idea on this discrepancy ?
Thanks.
Hello Steven,
you will only be able to download the SAP Single Sign-On 3.0 product if you have a license for it, as stated in the SAP Note you mentioned above. Please check again with your SAP Account Executive for investigation.
Thanks,
Martina
HI Martina,
We have raise ticket to SAP support, SAP support checked and feedback that we have licensed.
So we are not sure why SAP SE provide us with incorrect information.
How is the license work? Is it by user count or just by one block ?
Thanks.
Martina,
Do you know how the license work?
By user count or one bulk license?
Hi Steven,
licensing for the SAP Single Sign-On product is user-based. For the details, please get in contact with your SAP Account Executive.
Best regards,
Martina
Hi Martina,
Just would like to ask if it is also possible to integrate Azure AD with SAP Java AS 7.0 using the same method as shown in the video in the blog post?
If not, any place where I can find some steps and guideline on how it can be done if this is feasible.
Thanks.
Hi Francis,
Azure AD only supports SAML. This blog post and the configuration videos are about SSO using Kerberos/SPNEGO with the SAP Single Sign-On product, and for that you need the on-premise Active Directory.
Please also note that SAP NetWeaver 7.0 AS JAVA has been out of maintenance for several years already, and it is not recommended to use it.
Best regards,
Martina
Hi Martina,
Excellent blog. Currently i am trying to configure SSO SNC for Mac GUI. Will the setup be similar as this document or is there something else i need to consider? Appreciate your response
Thanks
Jega
Hi Jega,
in general, configuration is the same as with Windows clients. You only need to consider the documentation how to install the Secure Login Client on macOS. You will find the documentation here:
https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/f304002c0e794013b438a535bc158759.html
Best regards,
Martina
Hi Martina,
Excelent blog. I have a problem. Already configurate SSO to GUI with Kerberos Authentication, but when run a fiori URL (server is the some backend and frontend), or run webgui, appear popup to logon in AD, if put the user and pass user AD, not working. Can help me please?
Best Regards
Graciete
Hi Graciete,
You can refer to the following information for troubleshooting:
https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+Kerberos%3A+Recommendations+and+Troubleshooting
Or refer to SAP Note 1732610 - SPNego ABAP: Troubleshooting Note:
https://launchpad.support.sap.com/#/notes/0001732610
Hope this helps.
Best regards,
Martina
Hi Martina,
Great blog, and have used it a few times.
Is it possible to make use of SSO for SAP GUI on Windows, when the SAP application servers are running on Linux, and the SAP Users (<sid>adm, and SAPService<sid>) is not on the domain?
Thanks
Henri
Hi Henri,
Yes, that is possible. When using SAP Single Sign-On, the application server does not need to be part of the Windows domain.
Best regards,
Martina