https://www.stechies.com/create-ssosingle-sign-sap-sysetm/?utm_source=google&utm_medium=ChromePush&utm_campaign=sign-sap-sysetm
Step by step guide to enable Single Sign-On (SSO) for SAP applications in a Microsoft Active
Directory environment using Kerberos authentication.
This tutorial is a step-by-step guide to enabling Single Sign-On (SSO) for SAP
applications in a Microsoft Active Directory environment using Kerberos authentication. This
allows end users of the SAP system to log on to SAP with their Active Directory credentials, and
avoids maintaining a password in another system.
Active Directory Account Setup
SAP recommends performing a domain installation.
The following tasks have to be completed by a Domain Administrator:
Create the new global group SAP__GlobalAdmin
Create the two new SAP system users adm and SAPService
Add the users adm and SAPService to the newly created group SAP__GlobalAdmin
In the Active Directory Users and Computers console, right-click Users in the tree, and choose New
Group
Enter the following Group Name: SAP__GlobalAdmin
Note: Enter the SAP__GlobalAdmin group exactly as specified in the correct uppercase and
lowercase.
Group Scope: Global
Group Type: Security
In the Active Directory Users and Computers console, right-click Users in the tree, and choose New
Group
Creating the New SAP System Users adm and SAPService
Note: Enter the adm and SAPService users exactly as specified, in the correct uppercase and
lowercase.
Note: the following Microsoft updates should be applied to Windows systems to prevent unexpected
Kerberos-related authentication errors for the SAP clients:
Windows 2003 RTM Systems – Kerberos Update for Domain Controllers
(www.support.microsoft.com/kb/q829074)
Windows XP SP2 Systems – Kerberos Update for Clients
(http://support.microsoft.com/kb/q885887)
A reference article from Microsoft detailing Kerberos and SPNs is available at:
www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28.mspx
SAP System Client & Configuration Update
Copy the current gsskrb5.dll to the %windir%\system32 directory on both clients and servers.
Currently, this file is dated 9/7/2004.
SAPGUI currently does not support the 64-bit gx64krb.dll or the gi64krb5.dll. If SAPGUI needs
to run on a 64-bit machine, the 32-bit gsskrb5.dll has to be used instead.
Set the system environment variable SNC_LIB on both clients and servers:
Right-click My Computer and left-click Properties
Click on the Advanced tab
Enter
Variable Name: SNC_LIB
Variable Value: %windir%\system32\gsskrb5.dll
A tab titled SNC now appears in the Maintain User screens; click on that tab.
In the SNC name field, enter the name of the Active Directory user and their Fully Qualified Domain
Name (FQDN), preceded by p:, as listed in the Active Directory Account Setup step
above. For instance: p:test@COMPANY.COM
SAPGUI Configuration
In SAP Logon, update the SNC configuration for the system
Select the desired system and click Properties
Click Advanced in the Properties window
Troubleshooting
The following section is a decision road map that steps through the items to check if the
authentication mechanism is failing for users trying to log in to the SAP environment.
Check the status of the SAP instance by logging in without SNC configuration. This step should be
performed on more than one client computer to ensure that the problem is not specific to a single
client machine.
Check the server's Domain Controller availability and whether the services are available.
Check the client installation and ensure that the configuration is correct and the proper components
have been installed (see section Active Directory SPN for Service Account).
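A client-side check for the gsskrb5.dll copy and SNC_LIB steps above, as an added example that is not part of the original guide: it reads the system-level SNC_LIB variable, confirms the library exists, and reads its PE header to confirm it is the 32-bit build that SAPGUI needs. The function names Get-PeMachine and Test-SncClient are illustrative, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original guide. Function names are illustrative.
function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic; the PE header offset is stored at 0x3C
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'not-pe' }
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0 -or ($pe + 6) -gt $b.Length) { return 'not-pe' }
    # PE signature "PE\0\0" is followed by the 16-bit Machine field
    if ($b[$pe] -ne 0x50 -or $b[$pe + 1] -ne 0x45 -or
        $b[$pe + 2] -ne 0 -or $b[$pe + 3] -ne 0) { return 'not-pe' }
    switch ([System.BitConverter]::ToUInt16($b, $pe + 4)) {
        0x014C  { 'x86' }    # 32-bit
        0x8664  { 'x64' }
        0x0200  { 'ia64' }
        default { 'unknown' }
    }
}

function Test-SncClient {
    $findings = @()
    $path = $null
    # The guide sets SNC_LIB as a system variable, so read the machine scope
    $raw = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
    if ([string]::IsNullOrEmpty($raw)) {
        $findings += 'SNC_LIB is not set as a system variable'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Also catches a value that lost its backslashes when it was typed in
            $findings += "library not found: $path"
        } else {
            if ((Split-Path -Path $path -Leaf) -ne 'gsskrb5.dll') {
                $findings += "unexpected library name: $path"
            }
            $machine = Get-PeMachine -Path $path
            if ($machine -ne 'x86') {
                $findings += "library is $machine; SAPGUI needs the 32-bit gsskrb5.dll"
            }
        }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Path = $path; Findings = $findings }
}

Test-SncClient | Format-List
```

Run it from a 32-bit PowerShell session on 64-bit Windows, so that %windir%\system32 resolves the way it does for the 32-bit SAPGUI process.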
rekha | 22 Dec 2010 7:33 am
Hi,
1. Download the verify.der file to your local (portal server) file system.
a) As portal user navigate to System Administration → System Configuration → Keystore Administration.
b) Choose Download verify.der File and store the file in your local file system.
c) UnZIP this file (e.g. using WinZIP or WinRAR) to be able to store verify.der.
2. Upload the verify.der file to your ABAP based backend system.
Note: Only one user can access the STRUSTSSO2 transaction, so you may have to wait until other groups
have left STRUSTSSO2.
a) Launch the SAP Logon shortcut on your portal’s server desktop.
b) Create an entry for your ABAP based backend system.
c) Log on to that system to client 100 with user.
d) Launch transaction STRUSTSSO2 and press the Import certificate icon (in area Certificate). In field File
path, browse to the verify.der file and press Enter.
e) Press the Add to Certificate List button and Save.
Hint: Do not exit the transaction, because you have to add the entry to the ACL (see next task).
f) From the certificates list (area Cert. List), double-click the entry for your portal server, e.g. CN=SID.
c) Choose Add to ACL and provide the following data:
System ID: your portal server system ID, e.g. SID. Client: your portal server client, which should be 000.
d) Save your entry and exit the transaction.