Skip to Content


The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.

Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.


Implementing Single Sign-On with Kerberos

The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.


Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)

The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.

Part 2: Kerberos-Based SSO to Application Server ABAP – Mass User Mapping (1:56 min)

One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how to configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.

Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)

The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.

Recommendations and Troubleshooting

Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)


Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources

Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information

For more information about SAP Single Sign-On, visit our community here:


To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Former Member

    Very Nice Videos!! Easy to understand..

    Please let me know, how to configure SSO for AS ABAP, where windows domain ids and sap login ids are different.

  2. Former Member

    HI Martina ,

    we planned to use sap sso authenticate with kerbos , but i faced an issue when i add a connection in sap gui using  connection type ” group/server ” , in secure network setting  i can’t enable ” activate secure network communication ” as shown below . i ask if there is any  missing thing to enable SNC when using server group connection .

    1. Martina Kirschenmann Post author

      Hi Ahmed,

      the connection using connection type “group/server” retrieves SNC parameters from the ABAP server. If SNC is not configured on the server, you cannot activate/deactivate SNC in SAP GUI. Please use the transaction “sncwizard” to configure your ABAP server for SNC first.



  3. Former Member

    Hi Martina,


    I followed your configuration in video 1. I did exactly the same. When I try to login with SNC the following error comes up:

    SAP Secure Login Client is running. SPNEGO indicates green light. I used the same SPN and parameters like you.




      1. Former Member

        Hi Matrina,


        I am trying to configure SSO for our system as per SSO Guide.

        While trying to set following ABAP profile parameters, its saying the parmeter is not known.


        Common Crypto Library version is 8.5.19

        NW 7.31 SP 05 ,

        Kernel 7.21 SP 402

        Could you please advise why these parameters are not availiable and how can i configure SSO for this system.


        Abuzar Ehteshamuddin

  4. Dinis Félix

    Hello Martina.

    Do I need to have “Secure login Client” instaled? It’s the only option to implement single sign-on?

    Do I need an aditional license for this client?


    Thank you

    1. Martina Kirschenmann Post author

      Hello Dinis,

      the Secure Login Client is required for Kerberos-based authentication to the SAP Application Server ABAP when Windows-based SAP clients, such as SAP GUI, are used. SPNEGO does not require a client (no Secure Login Client is needed).

      When you want to implement SSO based on Kerberos/SPNEGO for AS ABAP server, you need a license for the SAP Single Sign-On product even if you don’t need a client.



  5. Former Member

    Hi Martina- This is a very helpful post

    We are in process of performing a cloud migration of our client SAP landscape from on-prem to Azure.  The client currently leverages Kerberos for SSO to SAP GUI


    As we move the cloud the client SAP system will be running on a separate domain with a separate AD (different than the one where the front users currently authenticate to login to the system)


    Theoretically we understand we that Kerberos can be used for cross domain authentication if a trust is established between the two domains.  Need your help to understand couple of things

    Is there any end to end  documentation available to setup cross domain Kerberos authentication for SAP GUI (ABAP), if you have and can email us to :

    Will the client have to sync the two Active Directories (between 2 domains) for Kerberos based SSO to work – This is their biggest challenge and would want to avoid it

    If we setup trust between the two domains –  will the Active directory have to be synced



    Bhanu Saxena


  6. Jing Biscocho

    Hi Martina,

    Wonderful blog … a couple of questions

    1. We have a rather old system, ERP 6.0 EHP5 on NW 7.02. We want to have SAPGUI SSO functionality. Can we use the SAP SSO products, either 2.0 or 3.0?
    2. Do we need standard maintenance license before we can purchase license for SAP SSO Products?



  7. Former Member

    Hello Martina,


    We are configureing SSO on our system.

    Active directory configuration has been completed .

    Now in sncwizard we are not getting the option to validate the  password of the user against active directory.


    I have attached the image and highlighted the option with yellow which we are not getting while configuration.

  8. Former Member

    hi Martina,

    following my previous comment.


    We continued without validating password and then came across these issues also



    1. Martina Kirschenmann Post author


      you need to install the Secure Login Client (SLC) in order to be able to validate the password.

      The DLL SNCAX.DLL is part of the Secure Login Client.

      Best regards,



Leave a Reply