
Steps to configure SSO using SAP NW SSO

1) Download SAP NetWeaver SSO 1.0 SP3 from the Service Marketplace
https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/swdc/sps/index.do?pvnr=01200314690900004187&session_id=saS000979435220120824014022SID%3aANON%3apwdf4971_OW2_01%3av41MaAKuV4_TXf6S9090uBZqQRsUMxXDEwITL3cb-ATT
Secure Login Library: SLLIBRARY03_2-10010513.SAR
Secure Login Server: SLCLIENT03_2-10010508
2) Create folder SLL under /usr/sap/<SID>/<Inst No>/SLL
Copy the Secure Login Library file to this location
Extract SLLIBRARY03_2-10010513.SAR using the command
SAPCAR -xvf SLLIBRARY03_2-10010513.SAR

Select the correct OS. In our case it is AIX 6.1

Extract SECURELOGINLIB.SAR

3) Use the snc command to check the version of the library
Make sure the environment variable SECUDIR is set to /usr/sap/SID/<inst>/sec

4) Create the PSE file using the snc command line
snc crtpse -x 1234567890

The snc command should look like this.

5) For cluster environment

Library files must be deployed on each application server (ASCS excluded)
Copy the PSE.zip file from server1 to server2 and then execute the command below on server2

snc cred -x <PSE passwd> -s <server2 host name>

6) Check if the <SID>adm user has access to the PSE and its credentials
snc -o ersadm status -v
7) Create user in Windows AD
For non-prod environment, user KerberosERS is used.
For prod it is recommended to create users Kerberos<SID>
8) Define service principal name in AD
Use the ADSIEDIT tool to map the created user to the SPN

For non-prod, SAP/KerberosERS will be used.
For PRD, SAP/Kerberos<SID> will have to be created in AD

9) Create keytab on the SAP application server
snc crtkeytab -s SAP/KerberosERS@TCP_CENTRAL.TCPCORP.LOCAL.COM -p <AD user passwd>

10) Enable SNC in SAP ABAP
Change/create the following parameters
a. snc/identity/as = p:CN=SAP/KerberosERS@TCP_CENTRAL.TCPCORP.LOCAL.COM
b. snc/enable = 1
c. snc/gssapi_lib = /usr/sap/ERS/DVEBMGS00/SLL/aix-6.1-ppc-64/libsecgss.so (Instance specific)
d. snc/data_protection/max = 1
e. snc/data_protection/min = 1
f. snc/data_protection/use = 9
g. snc/accept_insecure_cpic = 1
h. snc/accept_insecure_gui = 1 (This parameter will have to be made 0 once user mapping is complete)
i. snc/accept_insecure_r3int_rfc = 1
j. snc/accept_insecure_rfc = 1
k. snc/permit_insecure_start = 0
l. snc/extid_login_diag = 1
m. snc/extid_login_rfc = 1
11) Install SAP Secure Login Client
Note: SAPGUI must be 720
Start Installation
Use the appropriate MSI installer for your operating system
Type                      File Name
Microsoft Windows 32Bit   SecureLoginClient x86.msi
Microsoft Windows 64Bit   SecureLoginClient x64.msi

After installation you will find the icon in the taskbar of your PC.
Double-click the icon; the user must have been authenticated by AD.


12) Activate SNC in SAP Logon pad
Select the system and go to change mode -> Network tab -> check Activate Secure Network Communication

13) User mapping
Log on to the system -> go to transaction SU01 -> select the user -> SNC tab -> assign SNC name p:CN=<USERNAME>@TCP_CENTRAL.TCPCORP.LOCAL.COM

Transaction SNC1 can be used to activate users in bulk.

14) Once user mapping is done, the user must be able to log on without a password prompt
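
Added example (not part of the original document and not SAP tooling): a Python check for the step 10 parameters, to run once user mapping is complete. It lists every snc/accept_insecure_* setting that is not 0 and flags a snc/data_protection/max below 3. The profile text is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample: the step 10 values as lines of an instance profile.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 9
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 0
"""

# SNC quality-of-protection levels used by snc/data_protection/*.
PROTECTION = {"1": "authentication only", "2": "integrity protection",
              "3": "privacy protection (encryption)"}


def parse_profile(text):
    """Return {name: value} for snc/* lines; a later line overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        match = re.match(r"\s*(snc/[\w/]+)\s*=\s*(\S.*?)\s*$", line)
        if match:  # comment lines (#...) and other parameters never match
            params[match.group(1)] = match.group(2)
    return params


def audit_snc(params):
    """List settings that still admit unprotected or unencrypted connections."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is not active")
    for name in sorted(p for p in params if p.startswith("snc/accept_insecure_")):
        if params[name] != "0":
            findings.append(f"{name} = {params[name]}: not 0, connections without SNC can still be accepted")
    level = params.get("snc/data_protection/max")
    if level in ("1", "2"):
        findings.append(f"snc/data_protection/max = {level}: {PROTECTION[level]}, no encryption")
    return findings


if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

With the sample values from step 10 the check reports the four accept_insecure parameters and the authentication-only protection level; after snc/accept_insecure_gui is set to 0 as step 10h requires, that entry no longer appears.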

Reference:
Note 1711367 - Release Note SAP NetWeaver Single Sign-On 1.0 SP03


1696840
1678616
1662544
1677641
1687748
1672003
1696905
1635019


http://scn.sap.com/community/security
http://help.sap.com/nwsso10/#section2
https://websmp208.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000740254&
