Thursday, July 30, 2009

Enable SAP Single Sign On - on Windows (Part I)

If you don't want to pay for an additional third-party SSO solution for your SAP environment, you can use utilities that ship out of the box since WebAS 6.20, including the latest releases.



Before implementing SSO on SAP / Windows, there are a few things you should know:

  • You require a Microsoft LDAP server (Active Directory) in your landscape.
  • Your SAP system NT accounts (sidadm and SAPServiceSID) must be running under an already created LDAP domain.
  • If your Windows client computers are running in a different domain than the one where the SAP system NT accounts are (e.g. PCs: clients.mycompany.org, SAP: servers.mycompany.org), you must create a trust relationship between these two domains.
  • Please note that the SAP Kerberos implementation is somewhat restrictive, so you must always provide the information in exactly the expected form (for example, domains are always UPPERCASE).
Additional pre-requisite steps you need to follow to set-up SSO:

  • On the domain controller of the SAP servers' domain, execute:
SETSPN -A SAPServiceSID/dontcare MYDOMAIN\SAPServiceSID
(The Service Principal itself is not used; only the undocumented side effect of re-enabling RFC 1964/RFC 4121 compliant authentication is.)

  • Download win32sso.zip or win64sso.zip (from OSS Note 352295) according to your platform. Unzip it and place the Kerberos library in %SYSTEMROOT%\System32 (e.g. on x64 the file is gx64krb5.dll).
  • Download and install SAPSSO.MSI on each client PC on which you want to enable SSO. To get it, see OSS Note 595341.

Enabling SSO on your SAP System server:

  • Create a system environment variable called "SNC_LIB" pointing to "C:\Windows\System32\gx64krb5.dll".
  • Set the following parameters on your instance profile:

snc/enable = 1
snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll

snc/identity/as = p:SAPServiceSID@SERVERS.MYCOMPANY.ORG

  • Also set these additional parameters if you want a fallback mechanism in case the LDAP server is down (this allows users to still log on with their SAP username and password when SNC is not available):
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
  • Restart your SAP system and log on providing client, user and password. If you are unable to log on, check the dev_w* trace files to see which part of the SSO mechanism is failing.
  • Check in transaction SU01 that a new tab "SNC" is displayed.
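As an added example (not part of the original post), a small Python audit that parses an instance profile and checks the SNC parameters above: SNC enabled, the Kerberos library path, the p:<account>@<REALM> identity with an uppercase realm, and whether the insecure password fallback parameters are switched on. The profile content and the SID "PRD" are constructed for the example.

```python
import re

# Constructed sample instance profile following the parameters in the post;
# the realm is deliberately lower-case so that the check fires.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
snc/enable = 1
snc/gssapi_lib = C:\\Windows\\System32\\gx64krb5.dll
snc/identity/as = p:SAPServicePRD@servers.mycompany.org
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
"""

IDENTITY_RE = re.compile(r"^p:(?P<name>[^@\s]+)@(?P<realm>[^\s]+)$")
INSECURE_FALLBACK = ("snc/accept_insecure_cpic", "snc/accept_insecure_rfc",
                     "snc/permit_insecure_start")

def parse_profile(text):
    """Parse 'key = value' lines of an SAP instance profile into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return a list of findings about the SNC configuration."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off")
    lib = params.get("snc/gssapi_lib", "")
    if not lib.lower().endswith("krb5.dll"):
        findings.append(f"snc/gssapi_lib does not point at the Kerberos library: {lib!r}")
    m = IDENTITY_RE.match(params.get("snc/identity/as", ""))
    if m is None:
        findings.append("snc/identity/as is not of the form p:<account>@<REALM>")
    elif m.group("realm") != m.group("realm").upper():
        findings.append(f"realm {m.group('realm')!r} must be UPPERCASE")
    # The fallback parameters let users bypass SNC with a password logon.
    enabled = [k for k in INSECURE_FALLBACK if params.get(k) == "1"]
    if enabled:
        findings.append("password fallback enabled, SNC is not enforced: " + ", ".join(enabled))
    return findings

if __name__ == "__main__":
    for f in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print("WARNING:", f)
```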

Enabling SSO on your SAPGUI computers:

  • Install the previously mentioned SAPSSO.MSI. Also make sure that the SNC_LIB variable on these computers is created system-wide for all users (if not, change it).
  • Right-click your SAP Logon connection --> Properties --> tick "Enable SNC" and enter the following in the field below: "p:SAPServiceSID@SERVERS.MYCOMPANY.ORG".

Linking LDAP users with SAP users:

  • Log on to your SAP system and go to transaction SU01. In this example the SAP user ID is "WAYNE", while the LDAP user ID is "jwayne".
  • Select the SNC tab and enter the following: "p:jwayne@CLIENTS.MYCOMPANY.ORG". Press Enter to validate the SNC entry; you should see the green message "SNC Canonical Name determined".

Now the LDAP user "jwayne" is able to log on to the SAP system as user "WAYNE".
Please note that you have to set the user's SNC properties in each client (mandt) in which you want to enable SSO.


The next post will deal with the SSO setup between a non-Microsoft SAP platform (UNIX) and a Microsoft LDAP server.

7 comments:

  1. Hi,
    This is good information. In the example above, what domain should be used for the SETSPN command, is it SERVER or CLIENTS?
    Thanks
    --NH

  2. Hi,
    What is the link to the second part?

    1. Did you find the link to part 2? The SSO setup mechanism between a non-SAP Microsoft platform (UNIX) and a Microsoft LDAP Server?

  3. Hi JP,

    I'm interested in your next post "SSO setup mechanism between a non-SAP Microsoft platform (UNIX) and a Microsoft LDAP Server". Does it need
    the 3rd party software or not?

    thanks,
    Martin

    1. Hi, I am also interested in part 2, Unix and Microsoft LDAP. Did you find it? Can you share a link perhaps :) ?

  4. There is a basic need for the options mentioned in your blog post; before enabling SAP on Windows we have to make small changes in the system so as to get the compatible mode of the regularly running application on the server.

    sap upgrade tool

  5. After reading this post I got an idea about this note. Really something great in this article, thanks for sharing this. We are providing SAP courses training online. After reading this I slightly changed my way of introducing my training to people. To know more visit us: SAP PM Online Training Course
