Single Sign On (SSO) Configuration For Hana DB Using Kerberos

Sumit Patel

This blog explains the steps for setting up Single Sign On (SSO) for the SAP HANA database with Kerberos.

SSO allows a user to log on only once and provide access to multiple systems and services without being asked to produce credentials again.

Kerberos is one of many ways for realizing SSO (other examples are SAML or X.509 certificates).

Configuration files:

  <sidadm home>/etc/krb5_hdb.conf
      Configuration of the Kerberos realm to be used with the SAP HANA server installed under <sidadm>
  <sidadm home>/etc/krb5_hdb.keytab
      List of service keys required to authenticate the services on the Kerberos server
  <sidadm home>/etc/krb5_host.keytab
      One entry only, used to authenticate the host on the Kerberos server for the purpose of delegation

Step-by-Step Procedure

We have to create a service user in Active Directory that represents the SAP HANA database and is mapped to a Service Principal Name (SPN). Then we create a keytab file for this SPN on the DB server. On the DB server we also need a krb5.conf file. Finally, we create an externally mapped SAP HANA database user.


Make sure that the Kerberos client and server libraries are already installed on the HANA database server. To verify that the software requirements are met, run the following command:

rpm -qa | grep krb5

The version numbers don't have to match exactly, but they should be above 1.6.3-132 to include important security patches.

Configuration steps:

1-> Hostname Resolution

On Linux there are several tools for hostname resolution. Some of them use DNS directly (dig, host, nslookup), while others (hostname)

To verify, run the following commands on the DB server:

hostname --fqdn          (prints the FQDN of the DB server)

hostname --ip-address    (prints the corresponding IP address)

2-> Set up a configuration file for the MIT Kerberos libraries, krb5.conf, on the database server, as in the example below

Standard Kerberos configuration:

#> cat /etc/krb5.conf
[libdefaults]
    default_realm = MYDOMAIN.COM

[realms]
    MYDOMAIN.COM = {
        kdc =
        kdc =
    }

[domain_realm]
    = MYDOMAIN.COM
    = MYDOMAIN.COM

The [domain_realm] section covers only the mapping for the DB server's domain (it has nothing to do with the client domain(s)!). It is used for mutual authentication, when the SAP HANA database client authenticates the SAP HANA database server.

The domain part in the [domain_realm] mapping must consist of the domain name in its full length. In case the FQDN of the DB server is,

then the [domain_realm] entry has to be = DOMAIN.COM = DOMAIN.COM
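As an added example (not part of the original post), the following POSIX shell script builds a krb5.conf for the DB server and derives the [domain_realm] mapping from the full domain part of the FQDN, refusing a short host name so that a broken step 1 is caught before step 2. The host name hana01.mydomain.com, the realm MYDOMAIN.COM and the KDC names are assumed values.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed values: the host name
# hana01.mydomain.com, the realm MYDOMAIN.COM and the KDC names used at the end.

# Domain part of an FQDN: everything after the first label. Fails (returns 1)
# when the name has no dot, i.e. `hostname --fqdn` returned a short name and
# name resolution needs fixing first (step 1).
domain_of() {
    fqdn="$1"
    case "$fqdn" in
        *.*) printf '%s\n' "${fqdn#*.}" ;;
        *)   return 1 ;;
    esac
}

# Emit a krb5.conf for the DB server: default realm, the KDCs of that realm
# and a [domain_realm] section mapping the DB server's own domain, in full
# length and both with and without the leading dot, to the realm (step 2).
# Usage: krb5_conf FQDN REALM KDC [KDC ...]
krb5_conf() {
    fqdn="$1"; realm="$2"; shift 2
    domain="$(domain_of "$fqdn")" || return 1
    printf '[libdefaults]\n    default_realm = %s\n\n' "$realm"
    printf '[realms]\n    %s = {\n' "$realm"
    for kdc in "$@"; do
        printf '        kdc = %s\n' "$kdc"
    done
    printf '    }\n\n[domain_realm]\n'
    printf '    .%s = %s\n    %s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Example run with assumed host, realm and KDC names:
krb5_conf hana01.mydomain.com MYDOMAIN.COM kdc1.mydomain.com kdc2.mydomain.com
```

Redirect the output to the krb5.conf location the HANA installation expects (or the path named in KRB5_CONFIG) rather than pasting it by hand.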


3-> Create an Active Directory user for the Kerberos authentication, or use an existing one.

The user should be created with the "password never expires" option.

(This may differ depending on your organization's structure.)

In my case I raised a request to the Windows Service Team.

  • SPN for HANA Studio:

setspn -S hdb/<server_name_fqdn> <user>

  • SPN for HANA XS (web access):

setspn -S HTTP/<server_name_fqdn> <user>


4-> Verify the Kerberos configuration using the <SID>adm user:

When using the kinit and klist utilities, we rely on the proper configuration of the Windows AD test user aduser1. Using kinit we try to authenticate the test user against the AD domain and create a TGT:

/usr/bin/kinit <SPN_user>@MYDOMAIN.COM

If it succeeds, it will ask for the password of the SPN_user.

  • The next command should be run immediately after the kinit command (it shows the ticket obtained by the previous login).

Using klist we can see this ticket:


Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: SPN_user@MYDOMAIN.COM

Valid starting       Expires              Service principal
02/18/13 15:25:58    02/19/13 01:26:02    krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/19/13 15:25:58


5->Create the keytab file. We will use ktutil from the Linux server (the HANA server).

ktutil is used to edit the keytab file.

First we need to find out which kvno (key version number) to use. To determine it, run the following commands:

  • run kinit command to get the TGT for the user (SPN_user):

For example: /usr/bin/kinit <SPN_user>@MYDOMAIN.COM

Next run kvno command to get the kvno number:

kvno hdb/<server_name_fqdn>@MYDOMAIN.COM

The output shows the kvno = value.

-> If the kvno value is 3, we use kvno 3 when creating the keytab file.


6-> The commands for creating the keytab file (root is required because of the permissions on the keytab directory /etc):

  • Keytab for HANA STUDIO:

In shell run:


In ktutil run:

addent -password -p hdb/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac

wkt /etc/krb5.keytab


  • Keytab for HANA XS (web access):

In shell run:


addent -password -p HTTP/<server_name_fqdn>@MYDOMAIN.COM -k 3 -e rc4-hmac

wkt /etc/krb5.keytab



7-> Secure the keytab file. This step is mandatory; without it the SSO will not work (requires root).

  • Change the ownership of the file to <sid>adm:sapsys:

8-> Verify the keytab file using <SID>adm

  • Run klist command:

klist -k /etc/krb5.keytab -etK

The output should list both SPNs.

  • Run kinit command to get the TGT for the user from step 3 (SPN_user):

/usr/bin/kinit <SPN_user>@FQDN

For example: kinit <SPN_user>@MYDOMAIN.COM

  • Next run the kvno command:

/usr/lib/mit/bin/kvno -k /etc/krb5.keytab hdb/<hostname_fqdn>@MYDOMAIN.COM

/usr/lib/mit/bin/kvno -k /etc/krb5.keytab HTTP/<hostname_fqdn>@MYDOMAIN.COM
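As an added example, not code from the original post, this POSIX shell script ties steps 5 to 8 together: it reads the kvno from the output of the kvno command, generates the ktutil input for both SPNs with that same kvno, and checks a klist -k listing for both SPNs with the expected kvno. The host name hana01.mydomain.com and the sample command outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed values: host name
# hana01.mydomain.com, realm MYDOMAIN.COM and the keytab path /etc/krb5.keytab.
HOST_FQDN="hana01.mydomain.com"
REALM="MYDOMAIN.COM"
KEYTAB="/etc/krb5.keytab"

# Step 5: read the number from `kvno hdb/<fqdn>@REALM` output on stdin, e.g.
#   hdb/hana01.mydomain.com@MYDOMAIN.COM: kvno = 3
parse_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 6: the ktutil commands, generated from that kvno so the same value is
# used for both SPNs (hdb/ for HANA Studio, HTTP/ for XS web access).
ktutil_commands() {
    kvno="$1"
    for svc in hdb HTTP; do
        echo "addent -password -p $svc/$HOST_FQDN@$REALM -k $kvno -e rc4-hmac"
    done
    echo "wkt $KEYTAB"
}

# Step 8: given `klist -k $KEYTAB -etK` output on stdin, succeed only if both
# SPNs are listed with the expected kvno. With -t the columns are
# KVNO, date, time, principal, so the principal is field 4.
keytab_has_both_spns() {
    kvno="$1"
    out="$(cat)"
    for svc in hdb HTTP; do
        printf '%s\n' "$out" | awk -v k="$kvno" -v p="$svc/$HOST_FQDN@$REALM" \
            '$1 == k && $4 == p { found = 1 } END { exit found ? 0 : 1 }' || return 1
    done
    return 0
}

# Constructed sample of `klist -k /etc/krb5.keytab -etK` output (fake key bytes).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 02/18/13 15:25:58 hdb/hana01.mydomain.com@MYDOMAIN.COM (arcfour-hmac) (0x00112233)
   3 02/18/13 15:25:58 HTTP/hana01.mydomain.com@MYDOMAIN.COM (arcfour-hmac) (0x00112233)'

# Example run with a constructed kvno line:
KVNO="$(echo "hdb/$HOST_FQDN@$REALM: kvno = 3" | parse_kvno)"
ktutil_commands "$KVNO"
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_both_spns "$KVNO" && echo "keytab OK, kvno $KVNO"
```

On a real server, pipe the output of the kvno and klist commands from steps 5 and 8 into parse_kvno and keytab_has_both_spns instead of the constructed samples.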


9-> Create or change the user in HANA

Under Authentication, tick the Kerberos checkbox and enter <user_name_AD>@FQDN as the external ID.

10->Create connection in HANA Studio with SSO

Add the system in HANA Studio. At the user and password step, choose "Authenticated by current OS user".


11-> Try to log in using the connection created in the previous step.


      Johannes Goerlich

      Thanks a lot for this guide, Sumit!

      Let me add a hint:

      You can set the environment variable KRB5_CONFIG, pointing to your krb5.conf, e.g. <HOME_DIRECTORY_of_<sid>adm>/etc/krb5.conf,

      and the variable KRB5_KTNAME, pointing to your keytab file, e.g. <HOME_DIRECTORY_of_<sid>adm>/etc/krb5.keytab,

      for user <sid>adm to perform the configuration without using the root account. This makes it more flexible for us in terms of operations.

      Best regards


      Penny Nguyen

      Thanks so much for your blog, Sumit!

      Could you please share the link to download the 2018 version of the How-To Guide "Single Sign-On with SAP HANA Database using Kerberos and Microsoft Active Directory"?

      I can only find the old version from 2014.

      Thanks again,


      Sumit Patel (Blog Post Author)

      Hi Penny,


      Sorry for the late reply.

      You can download the latest version from SAP Note 1837331 - HowTo configure Kerberos SSO to SAP HANA DB using Microsoft Windows Active Directory.

      Hope it is useful.



      Murtaza Najmi

      Hi Sumit,


      Thanks for this document.


      I would appreciate it if you could also explain SSO using CryptoLib. I did not find any document for this on SAP SDN.


      Gabor Nagy
      "if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root"


      You shouldn't put the sapsys group on /etc/krb5.keytab.

      Axel Utz

      Dear all,

      Find the latest revision of the document HowTo_HANA_SSO_Kerberos_*.pdf, describing how to configure Kerberos SSO to SAP HANA DB, in

      SAP Note 1837331 - HowTo configure Kerberos SSO to SAP HANA DB using Microsoft Windows Active Directory

      This how-to guide describes the steps necessary to set up Single Sign-On (SSO) with SAP HANA database using Kerberos and Microsoft Active Directory (AD).

      Each step is accompanied by one or more verification steps allowing a systematic completion of the process.

      Starting from HANA 1 SPS12 and HANA 2 there is a new naming and location of the Kerberos configuration and Kerberos keytab files. Additionally, the required Kerberos libraries are installed within the SAP HANA DB server installation.

      Best regards

      Axel Utz