Skip to Content
Technical Articles
Author's profile photo Vijay Bhaskar Reddy

SAP Single Sign on (SSO) 3.0 configuration for SAP ABAP Application server using SNC Kerberos.

In these article, we covered all the steps which is required to implement Single Sign On (3.0) for SAP ABAP Application servers.


Single Sign On (SSO) Overview.


In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To secure networks, SAP provides a “Secure Network Communications” interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the SAP Cryptographic Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.

No additional Single Sign on (SSO) server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.




  • Secure authentication with one strong password, optionally with additionally factors
  • No more need for password reminders on post-it notes
  • All passwords kept in one protected, central place.

Cost saving.

  • Efficiency gains for users that only need to remember one password
  • Higher productivity due to reduced efforts for manual authentication, password reset,
  • helpdesk interaction, …
  • Functions to efficiently set up and manage server-side security capabilities


  • Lean product, fast implementation project, quick ROI
  • No more need to provision, protect and reset passwords across many systems
  • No more efforts to manage password policies across many systems


The following diagram is shown step by step workflow and communication in between different components


  • When user click on SAP GUI connection, The Secure Login Client retrieves the SNC name (User Principal Name of the service user) of the respective SAP server system.


  • The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.


  • The Secure Login Client receives the Kerberos Service token


  • The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between SAP Client and SAP server.


  • The user is authenticated, and the communication is secured.


Execution steps.


S. No Name of the activity Owner
1 Setup the AD Service account Network Team
2 Setup the Service principle name for Service account. Network Team
3 Upgrade the SAP Crypto lib version to 8.5 BASIS Team
4 SAP Note – 2304831 implementation BASIS Team
5 Set the profile parameters for SNC in the t-code SNCWIZARD BASIS Team
6 Restart the SAP Application server to affect the SNC parameters BASIS Team
7 Create or validate the key tab for Kerberos based SNC in the t-code SNCWIZARD BASIS Team
8 Mapping windows domain user ID to SAP User ID Using t-code SU01 Security team
9 Install Secure login client and setup the SNC Settings in the SAP GUI in the client machines Network Team


Step: – 1 Create a one service account in the Windows domain controller.

We recommend the format is Kerberos<SID>.

Note. We recommend that you do not use SAP Service<SID> because the Password Never Expires option is not set for this account by default. If the password for this account expires, single sign-on fails.

*** Go to Windows AD and create service account as SSA_SNC_SPNEGO.


Enable the Password Never Expires option for this account and click on finish


Step :-2. Registered the Service principle name for Service account.


Register the Service Principal Names (SPNs) for the service account for the host name of the SAP NetWeaver AS for ABAP and all AS ABAP aliases.


Ensure that all SPNs are unique. you can check the cmd as setspn -X SPN Name.


*** Go to Active Directory Users and computers and right click on Service account properties and assigned SPN name as per below steps



In Attribute Editor, edit the SPN name and set the required SPN name for service account.



In screenshot, we have set SAP/FQDN of SAP Server and HTTP/FQDN of SAP Server.

Once set the Service Principle Name, you can click on Apply and Ok




Step – 3. Upgrade the SAP Crypto lib version to 8.5 and restart the Application server



Step – 4.

Execute SNCWIZARD T- code in SAP. It will throw an error “ SAPCRYPTOLIB too old”.

As a solution apply SAP Note – 2304831.

Download the SAP Note using transaction SNOTE.

Select the SNOTE and execute it.

Note : SPNEGO and SNCWIZARD Transactions can work only SAP NetWeaver AS for ABAP 7.4 SPS08 or higher.


SAP Note is successfully implemented.below screenshot for reference.

Step – 5 Set the profile parameters for SNC in the t-code SNCWIZARD

Click on continue.

Keep it default value and continue.



In below  profile parameters set in default profile after complete this sncwizard. it’s required to restart the system to effect these parameter values.


Click on Complete and make sure Application server is restarted to affect the parameter values.



Step – 6 Create or validate the key tab for Kerberos based SNC in the Tx- SPNEGO.

Continue for next step and then enter the Service User ID.

Switch the Service principal names tab, it will shows SPN names we assigned for service user account.



In below screenshot, user principal uniqueness and Token checks are green mark. That is for no issues found in SPN’s.




Click on to continue.


Click on complete and close this wizard.


Step – 7 Mapping windows domain user ID to SAP User ID Using t-code SU01.

Step-8 Install secure Login software in client machines.

See below URl for more details.

Step-9 Set the SNC name in SAP GUI properties under secure network settings.



After logon to the application server with SSO with AD logins.


Here we can choose the client which we want to login and click on user tab..



Then it will logon to the SAP system with AD logins.

For troubleshooting steps, see below Information.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Robert Batliner
      Robert Batliner

      Hi Vijay Bhaskar Reddy

      Thank you for this guide 🙂 I've followed it step by step but I am facing an issue with the "Token Check" within T-Code SPNEGO.

      Do you have an idea what the problem could be?

      Best regards


      Author's profile photo Robert Batliner
      Robert Batliner

      Problem was solved by the SAP Support. The username is case sensitive!

      Kind regards, Robert

      Author's profile photo Sri Divya
      Sri Divya

      Nice blog Vijay 🙂

      Author's profile photo Admin Audioptic
      Admin Audioptic

      Hello Vijay Bhaskar Reddy, thank you for your how to.

      I have a question about the last step :

      Step-9 Set the SNC name in SAP GUI properties under secure network settings.

      How to activate the SNC when all users in my company are using SAP Logon Pad ?

      Author's profile photo Vijay Bhaskar Reddy
      Vijay Bhaskar Reddy
      Blog Post Author

      First we have to set all system connections with SNC name in one PC and distbutue same SAP logon Pad to all users with help of network team.

      Author's profile photo Peter Meyer
      Peter Meyer

      Hi Vijay Bhaskar Reddy


      Very nice blog…

      Just one question:

      Are you sure top put




      in the SNC Settings of the Network tab?

      In all other documentations I saw it like this:







      Author's profile photo Vijay Bhaskar Reddy
      Vijay Bhaskar Reddy
      Blog Post Author

      Hey peter,

      No need required HTTP , this is p:CN=HTTP settings  mentioned for SSO method which is used for  Webbased applications,


      We can set  p:CN=SAP/ as always used for GUI client applications.

      Author's profile photo Basis Team
      Basis Team

      Thanks for the detailed steps Vijay.


      Q) Do we need to enable SPNEGO(spnego\enable) for abap application?

      I see parameters spnego/enable and snc/gssapi_lib are pointing to same library file. So do we need to have both parameters in the system?

      Author's profile photo Vijay Bhaskar Reddy
      Vijay Bhaskar Reddy
      Blog Post Author


      SPNEGO configuration is the optional, if we want to enable SSO for SAP Web applications, we have to activate the SPNEGO.

      The SPNEGO features bring the SNC configuration, no need to do any separate setup for SPNEGO.



      Author's profile photo Volker Gottwald
      Volker Gottwald

      Hi Vijay,
      thanks for the nice guide.
      I installed SSO for our SAP systems.
      No I noticed that the connection from our BusinessObjects Anlayzer that is a PlugIn in MS Excel couldn't use the SSO functionality.
      In my knowledge BOA is using the SAPLogon for the connection, but the error message is:
      LOCATION CPIC (TCP/IP) on local host xxxxxx with Unicode
      ERROR partner '' not reached
      TIME Tue Mar 03 11:18:39 2020
      RELEASE 749
      COMPONENT NI (network interface)
      VERSION 40
      RC -10
      MODULE D:/depot/bas/749_REL/src/base/ni/nixxi.cpp
      LINE 3428
      DETAIL NiPConnect2:
      SYSTEM CALL connect
      ERRNO 10060
      ERRNO TEXT WSAETIMEDOUT: Connection timed out
      COUNTER 2

      RETURN CODE: 20

      Do you have any idea what we need to do in addition to your guide?

      Thanks in advance

      Author's profile photo Lutz Rottmann
      Lutz Rottmann

      Hi Volker,

      This BOA tool seems to use RFC (port 4800). While encrypted GUI-traffic uses the same port as unecrypted traffic (both 32xx), this is different for RFC. RFC unencrypted is 33xx. Encrypted RFC is 48xx. Now port 4800 seems to be blocked by some firewall ("not reached"). Make sure that opening ports 48xx to clients will be included in your standard configuration procedures for SAP systems.

      Cheers, Lutz

      PS: I would recommend to better post a question, than comment a blog in a case like yours.

      Author's profile photo Marco Valero
      Marco Valero

      Hello Vijay


      Really good topic, do you have the same configuration but for only Java Systems?

      I want to apply this for an Enterprise portal.


      Author's profile photo Prasad Pithani
      Prasad Pithani


      Did you configure this with only SAP GUI SSO we have SAP GUI 7.5 and 7.6 on Windows 10 across our company SAP Users and also few users login via RF Honeywell/Dell Rugged/IPAD Mini Scanners like tablets login via browser to use ITS Web Service applications. But our main focus is on SAP GUI SSO only.

      1. Do we need to pay SAP SSO 3.0 license?
      2. Where should I install SAP SSO 3.0?
      3.Is there any dependency for JAVA stack to install SAP SSO 3.0?
      4. All our SAP System running on SUSE Linux. Where can I download Secure Login Libraries for SUSE Linux 12.3?
      5. These Secure Login Libraries are part of SAP SSO 3.0 license?
      6. Can we use Azure Active directory for KERBEROS SNC? Is it supported.?

      I see several blogs trying to figure out which option to use KERBEROS or SAML?

      Thank You


      Author's profile photo Basis CG
      Basis CG

      Hi Prasad,

      I am also in process of configuring SSO with SAP GUI. Are you able to able to proceed further as I have queries on the same points raised by you earlier.


      Imran Hussain

      Author's profile photo Jitendra Singh
      Jitendra Singh

      You Will need a license for SSO using this method.

      Author's profile photo Jorge Velásquez
      Jorge Velásquez

      Hi Experts.


      In Attribute Editor should be ?





      I have a doubt about this step.



      Author's profile photo Graciete Martins
      Graciete Martins


      In my case, SSO working in SAP GUi, but when use link to Fiori or Webgui not working, can you help please.


      Best Regards


      Author's profile photo sandeep kukkudapu
      sandeep kukkudapu

      can you share the error/screenshot.