By Martina Kirschenmann

SAP Single Sign-On: Authenticate with Kerberos/SPNEGO

Overview

The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.

Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. From the user's point of view, the front-end software simply opens the back-end system without a further logon prompt.
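The browser side of the trust relationship described above is an HTTP exchange: the server answers an unauthenticated request with `401` and `WWW-Authenticate: Negotiate`, and the browser retries with an `Authorization: Negotiate <base64 token>` header carrying a Kerberos service ticket wrapped in SPNEGO. The following is an added illustration of how a server can triage that header before handing the ticket to Kerberos validation; it is not code from SAP Single Sign-On or AS ABAP. It assumes the GSS-API InitialContextToken framing (RFC 2743 section 3.1) and the standard SPNEGO and Kerberos V5 mechanism OIDs, and the sample tokens it builds are constructed and contain no real ticket. The point it makes for troubleshooting: a token that begins with `NTLMSSP` means the browser fell back to NTLM and did not obtain a Kerberos ticket at all, which is a configuration problem rather than something the Kerberos check can fix.

```python
"""Triage of the HTTP "Authorization: Negotiate" header sent by a browser.

Added example, not code from SAP Single Sign-On or AS ABAP. Assumed (not on the
page): GSS-API InitialContextToken framing and the SPNEGO / Kerberos V5 OIDs.
All sample tokens are constructed and contain no real Kerberos ticket.
"""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"                    # raw NTLMSSP message, not Kerberos


def _der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf, pos):
    """Return (length, position after the length octets)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or pos + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def wrap_initial_context_token(mech_oid, inner):
    """Build [APPLICATION 0] { OID, inner token } the way a GSS client sends it."""
    body = b"\x06" + _der_length(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _der_length(len(body)) + body


def classify_negotiate_token(token):
    """Return 'spnego', 'krb5', 'ntlm' or 'unknown' for a decoded Negotiate token."""
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if not token or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _read_der_length(token, 1)
        if token[pos] != 0x06:                 # OBJECT IDENTIFIER tag expected
            return "unknown"
        oid_len, pos = _read_der_length(token, pos + 1)
    except (IndexError, ValueError):           # truncated or malformed framing
        return "unknown"
    oid = token[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "krb5"
    return "unknown"


def handle_request(headers):
    """Server-side triage of one request: returns (decision, response headers).

    'challenge'         -> reply 401 with WWW-Authenticate: Negotiate
    'validate_kerberos' -> pass the token on to Kerberos/GSS-API validation
    'reject_ntlm'       -> browser fell back to NTLM; there is no Kerberos ticket
    'reject_malformed'  -> not a decodable Negotiate token
    """
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate" or not b64:
        return "challenge", {"WWW-Authenticate": "Negotiate"}
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return "reject_malformed", {}
    mech = classify_negotiate_token(token)
    if mech in ("spnego", "krb5"):
        return "validate_kerberos", {}
    if mech == "ntlm":
        return "reject_ntlm", {}
    return "reject_malformed", {}


def negotiate_header(token):
    """Constructed request headers carrying the given token."""
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode("ascii")}


# Constructed sample tokens; the SPNEGO payload is a placeholder, not a ticket.
SAMPLE_SPNEGO = wrap_initial_context_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")
SAMPLE_NTLM = NTLM_SIGNATURE + b"\x01\x00\x00\x00"

if __name__ == "__main__":
    print("no header:", handle_request({}))
    print("spnego:   ", handle_request(negotiate_header(SAMPLE_SPNEGO)))
    print("ntlm:     ", handle_request(negotiate_header(SAMPLE_NTLM)))
```

Only the mechanism OID is inspected here; whether the ticket itself is valid for the service principal is decided by the Kerberos library behind `validate_kerberos`, which this example deliberately leaves out.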


Implementing Single Sign-On with Kerberos

The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.


Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)

The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.

Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)

One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how to configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.
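Whichever mass-mapping option from the video you use, the input is the same: one SNC name per person, derived from the Windows domain user name, paired with the SAP user ID it should log on as. The script below is an added illustration of preparing and checking such a list before it is loaded; it is not an SAP report or part of the SAP Single Sign-On product. It assumes the SNC name format `p:CN=<user>@<REALM>` used with Kerberos in SAP Single Sign-On, with the Kerberos realm written in upper case, and a constructed user list (sAMAccountName, userPrincipalName and the intended SAP user ID) standing in for an Active Directory export. It reports rows that would cause an ambiguous or failing logon instead of loading them silently: a missing userPrincipalName, a foreign realm, and an SNC name that already maps to another SAP user.

```python
"""Derive and check SNC names for Kerberos-based SSO user mapping.

Added example, not code from SAP Single Sign-On or any SAP report. Assumed (not
on the page): the SNC name format "p:CN=<user>@<REALM>" with the realm in upper
case. The user list below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainUser:
    sam_account_name: str
    user_principal_name: str   # AD attribute userPrincipalName, e.g. jdoe@corp.example.com
    sap_user: str              # ABAP user ID this person should be mapped to


def snc_name_from_upn(upn):
    """Build p:CN=<user>@<REALM>; the realm is upper-cased because Kerberos realms are case-sensitive."""
    user, sep, realm = upn.partition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a userPrincipalName: {upn!r}")
    return f"p:CN={user}@{realm.upper()}"


def build_mapping(users, expected_realm):
    """Return (mapping SAP user -> SNC name, list of problem descriptions).

    Rows are rejected when the UPN is missing, belongs to another realm, or
    when the derived SNC name is already mapped to a different SAP user, since
    one SNC name must identify exactly one SAP user for the logon to succeed.
    """
    mapping = {}
    snc_owner = {}                                 # SNC name -> SAP user already using it
    problems = []
    realm_suffix = "@" + expected_realm.upper()
    for u in users:
        try:
            snc = snc_name_from_upn(u.user_principal_name)
        except ValueError as exc:
            problems.append(f"{u.sam_account_name}: {exc}")
            continue
        if not snc.endswith(realm_suffix):
            problems.append(f"{u.sam_account_name}: {snc} is not in realm {expected_realm.upper()}")
            continue
        sap_user = u.sap_user.upper()              # ABAP user IDs are stored in upper case
        if snc in snc_owner:
            problems.append(f"{u.sam_account_name}: {snc} already mapped to SAP user {snc_owner[snc]}")
            continue
        if sap_user in mapping:
            problems.append(f"{u.sam_account_name}: SAP user {sap_user} already mapped to {mapping[sap_user]}")
            continue
        mapping[sap_user] = snc
        snc_owner[snc] = sap_user
    return mapping, problems


# Constructed sample export: not real accounts.
USERS = [
    DomainUser("jdoe", "jdoe@corp.example.com", "JDOE"),
    DomainUser("asmith", "asmith@corp.example.com", "asmith"),
    DomainUser("bwong", "bwong@partner.example.net", "BWONG"),     # foreign realm
    DomainUser("jdoe-adm", "jdoe@corp.example.com", "JDOEADM"),   # same UPN as jdoe
    DomainUser("svc-batch", "svc-batch", "SVCBATCH"),             # no UPN set
]

if __name__ == "__main__":
    mapping, problems = build_mapping(USERS, "corp.example.com")
    for sap_user, snc in sorted(mapping.items()):
        print(f"{sap_user}\t{snc}")
    for line in problems:
        print("SKIPPED:", line)
```

Run as-is, it prints the two rows that can be loaded and three skipped rows with the reason for each; the realm check is the one that catches the multi-domain situation discussed in the blog linked below.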

Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)

The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.

Recommendations and Troubleshooting

Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)

Blogs

Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources

Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information

For more information about SAP Single Sign-On, visit our community at https://community.sap.com/topics/single-sign-on.


132 Comments
      Wiprox Cloud

      Hello All,

      I get an error while validating the password.

      But the user exists in Active Directory with "never expire", and the AD admin was also able to log in with the below ID and password.


      Can you please guide me if I am missing anything?



      Check user in Active Directory - We can't sign you in with this credential because

      Message no. SPN028

      Requirements

      You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.

      Diagnosis

      This message comes from Active Directory.

      This function tries to verify whether the selected Kerberos Principal Name exists in Active Directory. The Check User Principal in AD button enables you to validate the Kerberos Principal User against Active Directory. You enter the password of Active Directory, and the front-end control checks whether Active Directory has a user with this Kerberos Principal Name in the userPrincipalName attribute.


      Procedure

      If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory.


      Regards

      Shekar


      Martina Kirschenmann (Blog Post Author)

      Hello Shekar,

      It looks like you are not in the right domain. Therefore, the verification does not work.

      You can try to generate the keyTab without password validation and go to the tab Service Principal Names. There you will see that you don't have the domain as your service account.

      Regards,

      Martina

      Wiprox Cloud

      Hello Martina,


      Thanks for your reply.

      Can you please let me know how to overcome the issue?



      Regards

      Shekar

      Service Principal Name

      Wiprox Cloud

      Hello Martina,

      After logging in with the user in the domain, the issue is resolved.

      Currently I am having another issue, please see the screen below.


      Token check is in status RED


      Regards

      Shekar


      Martina Kirschenmann (Blog Post Author)

      Hello Shekar,

      Please open a customer ticket to resolve your problem.

      Thanks,

      Martina

      Steven Foo

      We are able to download SAP Single Sign-On 3.0, which appears when we go to the SAP Marketplace or Support Center.

      However, when we checked with our SAP Sales Executive, he mentioned that we don't have a license.

      But if we are not wrong, according to SAP Note 1876552 - Unable to find SAP Single Sign-On product on ONE Support Launchpad - SAP ONE Support Launchpad, it mentioned that SAP Single Sign-On 3.0 will only appear for download if the customer already has a license.

      Any idea on this discrepancy?

      Thanks.

      Martina Kirschenmann (Blog Post Author)

      Hello Steven,

      You will only be able to download the SAP Single Sign-On 3.0 product if you have a license for it, as stated in the SAP Note you mentioned above. Please check again with your SAP Account Executive for investigation.

      Thanks,

      Martina

      Steven Foo

      Hi Martina,

      We have raised a ticket with SAP support; SAP support checked and gave feedback that we are licensed.

      So we are not sure why SAP SE provided us with incorrect information.

      How does the license work? Is it by user count or just by one block?

      Thanks.


      Steven Foo

      Martina,

      Do you know how the license works?

      By user count or one bulk license?


      Martina Kirschenmann (Blog Post Author)

      Hi Steven,

      Licensing for the SAP Single Sign-On product is user-based. For the details, please get in contact with your SAP Account Executive.

      Best regards,

      Martina

      Francis S.K. LUK

      Hi Martina,

      Just would like to ask if it is also possible to integrate Azure AD with SAP Java AS 7.0 using the same method as shown in the video in the blog post?

      If not, is there any place where I can find some steps and guidelines on how it can be done, if this is feasible?

      Thanks.

      Martina Kirschenmann (Blog Post Author)

      Hi Francis,

      Azure AD only supports SAML. This blog post and the configuration videos are about SSO using Kerberos/SPNEGO with the SAP Single Sign-On product, and for that you need the on-premise Active Directory.

      Please also note that SAP NetWeaver 7.0 AS JAVA has been out of maintenance for several years already, and it is not recommended to use it.

      Best regards,

      Martina

      Jegadesh Karthikeyan

      Hi Martina,

      Excellent blog. Currently I am trying to configure SSO SNC for Mac GUI. Will the setup be similar to this document, or is there something else I need to consider? Appreciate your response.


      Thanks

      Jega

      Martina Kirschenmann (Blog Post Author)

      Hi Jega,

      In general, configuration is the same as with Windows clients. You only need to consider the documentation on how to install the Secure Login Client on macOS. You will find the documentation here:

      https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/f304002c0e794013b438a535bc158759.html

      Best regards,

      Martina

      Graciete Martins

      Hi Martina,

      Excellent blog. I have a problem. I have already configured SSO to the GUI with Kerberos authentication, but when I run a Fiori URL (the server is the same backend and frontend) or run WebGUI, a popup to log on to AD appears; if I enter the AD user and password, it does not work. Can you help me please?


      Best Regards

      Graciete

      Martina Kirschenmann (Blog Post Author)

      Hi Graciete,

      You can refer to the following information for troubleshooting:

      https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+Kerberos%3A+Recommendations+and+Troubleshooting

      Or refer to SAP Note 1732610 - SPNego ABAP: Troubleshooting Note:

      https://launchpad.support.sap.com/#/notes/0001732610

      Hope this helps.

      Best regards,

      Martina

      Support Beacon

      Hi Martina,

      Great blog, and have used it a few times.

      Is it possible to make use of SSO for SAP GUI on Windows when the SAP application servers are running on Linux and the SAP users (<sid>adm and SAPService<sid>) are not on the domain?


      Thanks

      Henri

      Martina Kirschenmann (Blog Post Author)

      Hi Henri,

      Yes, that is possible. When using SAP Single Sign-On, the application server does not need to be part of the Windows domain.

      Best regards,

      Martina