19 Oct 2010 12:07 pm

This tutorial is a step-by-step guide to enabling Single Sign-On (SSO) for SAP applications in a Microsoft Active Directory environment using Kerberos authentication. End users of the SAP system can then log on to SAP with their Active Directory credentials and no longer have a separate SAP password to maintain.

Active Directory Account Setup

SAP recommends performing a domain installation, in which the SAP accounts are domain accounts in Active Directory rather than local accounts on the SAP host.

The following tasks have to be completed by a Domain Administrator. In the names below, <SID> stands for the three-character SAP system ID (for example SLM, giving SAP_SLM_GlobalAdmin, slmadm and SAPServiceSLM); all of these names are case sensitive.

Create the new global group SAP_<SID>_GlobalAdmin

Create the two new SAP system users <sid>adm and SAPService<SID>

Add the users <sid>adm and SAPService<SID> to the newly created group SAP_<SID>_GlobalAdmin

In the Active Directory Users and Computers console, right-click Users in the tree and choose New Group

Enter the following Group Name: SAP_<SID>_GlobalAdmin

Note: Enter the SAP_<SID>_GlobalAdmin group name exactly as specified, in the correct uppercase and lowercase.

Group Scope: Global

Group Type: Security

Creating the New SAP System Users <sid>adm and SAPService<SID>

In the Active Directory Users and Computers console, right-click Users in the tree and choose New User. Note: Enter the <sid>adm and SAPService<SID> user names exactly as specified, in the correct uppercase and lowercase.

Enter the password and select Password never expires. Because these passwords are never rotated by policy, use long, randomly generated values and keep them in a controlled secret store.

Adding the <sid>adm User to the SAP_<SID>_GlobalAdmin Group

In the Users folder, double-click the newly created user account <sid>adm, choose the Member Of tab and then Add

Select the new SAP_<SID>_GlobalAdmin group and choose Add to add it to the list

Note: By default, the user is also a member of the Domain Users group; that is fine for <sid>adm.

Adding the SAPService<SID> User to the SAP_<SID>_GlobalAdmin Group

In the Users folder, double-click the newly created user account SAPService<SID> in the list on the right.

Choose the Member Of tab and then Add

Select the new SAP_<SID>_GlobalAdmin group

Choose Add to add it to the list

The SAPService<SID> user must not be a member of the Domain Users group. Active Directory does not allow a user's primary group to be removed from the Member Of list, so the primary group has to be changed first:

Select the SAP_<SID>_GlobalAdmin group

Choose Set Primary Group.

Select the Domain Users group

Choose Remove to delete it from the Member Of list

Choose OK to close SAPService<SID> Properties

In the Active Directory Users and Computers console, open the SAPService<SID> user account

On the Account tab ensure that the following fields are defined:

User logon name (e.g. SAPServiceSLM). Note: the user ID is case sensitive.

Domain, i.e. the UPN suffix (e.g. @corp.company.com)

Active Directory SPN for Service Account

Update the Service Principal Name (SPN) for the SAP service account in Active Directory

(This must be done in all Windows 2003 Native Mode domains!)

On a Domain Controller in the SAP system's domain, a Domain Admin must update the SPN for the SAPService<SID> account

setspn.exe from the Windows 2003 Support Tools must be installed

From a command prompt the Domain Admin executes

setspn -A SAPService/<HostComputerName> <DOMAIN>\SAPService<SID>

where <HostComputerName> is the name of the SAP application server and <DOMAIN> is the NetBIOS name of the domain. Verify the registration with setspn -L <DOMAIN>\SAPService<SID>. An SPN must be unique in the forest: if the same SPN is also registered on another account, the KDC issues tickets encrypted with the wrong key and clients fail with "The target principal name is incorrect", so check for an existing registration before adding it.
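The two Domain Admin sections above (account setup and SPN registration) as one script, added here as an example and not part of the original tutorial. It uses the ActiveDirectory PowerShell module instead of the MMC console. The SID SLM, the domain corp.company.com, the OU=SAP container and the SAP host name sapslm01 are hypothetical values; the SPN is built in the SAPService/<host> form shown in the setspn command above, which you should replace with whatever form your SAP release documents.

```powershell
# Added example, not part of the original tutorial: Domain Admin tasks from
# "Active Directory Account Setup" and "Active Directory SPN for Service Account"
# done with the ActiveDirectory module. Hypothetical values: SID SLM, domain
# corp.company.com, OU=SAP, SAP host sapslm01. Run as a Domain Admin with RSAT.
Import-Module ActiveDirectory

$Sid       = 'SLM'                                   # SAP system ID, uppercase
$Domain    = 'corp.company.com'
$OuPath    = 'OU=SAP,DC=corp,DC=company,DC=com'
$SapHost   = 'sapslm01'                              # SAP application server
$GroupName = "SAP_${Sid}_GlobalAdmin"
$AdmUser   = "$($Sid.ToLower())adm"                  # <sid>adm is lowercase
$SvcUser   = "SAPService${Sid}"

# 1. Global security group (the name is case sensitive for SAP).
$group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupScope Global -GroupCategory Security -Path $OuPath -PassThru

# 2. The two SAP accounts with "Password never expires", as in the tutorial.
#    Use long random passwords: policy will never rotate them.
$adm = New-ADUser -Name $AdmUser -SamAccountName $AdmUser `
    -UserPrincipalName "$AdmUser@$Domain" -Path $OuPath `
    -AccountPassword (Read-Host -AsSecureString "Password for $AdmUser") `
    -PasswordNeverExpires $true -Enabled $true -PassThru
$svc = New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@$Domain" -Path $OuPath `
    -AccountPassword (Read-Host -AsSecureString "Password for $SvcUser") `
    -PasswordNeverExpires $true -Enabled $true -PassThru

# 3. Both accounts join SAP_<SID>_GlobalAdmin.
Add-ADGroupMember -Identity $group -Members $adm, $svc

# 4. SAPService<SID> must not remain in Domain Users. AD refuses to remove a
#    user's primary group, so point primaryGroupID at the new group's RID first.
$groupRid = [int]($group.SID.Value.Split('-')[-1])
Set-ADUser -Identity $svc -Replace @{ primaryGroupID = $groupRid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $svc -Confirm:$false

# 5. SPN, the equivalent of "setspn -A SAPService/<host> <DOMAIN>\SAPService<SID>".
#    A duplicate SPN anywhere in the forest makes the KDC encrypt tickets with the
#    wrong key ("The target principal name is incorrect"), so look before adding.
$spn = "SAPService/$SapHost"   # assumed SPN form, taken from the setspn line above
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
if ($dup) { throw "SPN $spn is already registered on $($dup.DistinguishedName)" }
Set-ADUser -Identity $svc -ServicePrincipalNames @{ Add = $spn }

# 6. Show the result for the change record.
Get-ADUser -Identity $svc -Properties memberOf, primaryGroupID, servicePrincipalName |
    Select-Object SamAccountName, UserPrincipalName, primaryGroupID, memberOf, servicePrincipalName
```

The order of step 4 matters: Remove-ADGroupMember fails for Domain Users while it is still the primary group, which is why the console procedure above sets the primary group before choosing Remove. Step 5 performs the uniqueness check that setspn -A on Windows 2003 does not do for you.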

Note: the following Microsoft updates should be applied to Windows systems to prevent unexpected Kerberos-related authentication errors for the SAP clients:

Windows 2003 RTM systems: Kerberos update for Domain Controllers (http://support.microsoft.com/kb/829074)

Windows XP SP2 systems: Kerberos update for clients (http://support.microsoft.com/kb/885887)

A reference article from Microsoft detailing Kerberos and SPNs is available at:

www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28.mspx

SAP System Client & Configuration Update

Copy the current gsskrb5.dll to the %windir%\system32 directory on both clients and servers. Currently, this file is dated 9/7/2004. SAPGUI does not support the 64-bit gx64krb5.dll or the gi64krb5.dll; if SAPGUI needs to run on a 64-bit machine, the 32-bit gsskrb5.dll has to be used instead. Note that on 64-bit Windows a 32-bit process that opens %windir%\system32 is redirected to %windir%\SysWOW64, so the 32-bit DLL must be present there for a 32-bit SAPGUI to load it.

Set System Environment Variable for SNC_LIB on both clients and servers

Right-click My Computer and choose Properties

Click on the Advanced tab

Click on Environment Variables button at the bottom

Under System Variables Click New

Enter

Variable Name: SNC_LIB

Variable Value: %windir%\system32\gsskrb5.dll

Click OK three times to close the dialogs
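The client-side steps above (copying gsskrb5.dll and setting SNC_LIB) as a script, added here as an example and not part of the original tutorial. It reads the PE header of the copied DLL to confirm that it is the 32-bit build a 32-bit SAPGUI can load, and on 64-bit Windows also places the DLL in SysWOW64, where a 32-bit process is redirected when it opens system32. The source share \\fileserver\sap is a hypothetical location.

```powershell
# Added example, not part of the original tutorial: copy gsskrb5.dll, verify
# its architecture from the PE header, and set the machine-wide SNC_LIB.
# \\fileserver\sap is a hypothetical source; run in an elevated PowerShell.
$Source = '\\fileserver\sap\gsskrb5.dll'
$Target = Join-Path $env:windir 'system32\gsskrb5.dll'

# Return the target machine of a PE file: x86, x64, ia64 or unknown.
function Get-PeMachine {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { throw "$Path is not a PE file (no MZ header)" }
        $fs.Seek(0x3C, 'Begin') | Out-Null          # e_lfanew: offset of the PE signature
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset, 'Begin') | Out-Null
        if ($br.ReadUInt32() -ne 0x00004550) { throw "$Path has no PE signature" }
        switch ($br.ReadUInt16()) {                 # IMAGE_FILE_HEADER.Machine
            0x014C  { 'x86' }
            0x8664  { 'x64' }
            0x0200  { 'ia64' }
            default { 'unknown' }
        }
    } finally { $fs.Close() }
}

Copy-Item -Path $Source -Destination $Target -Force
$arch = Get-PeMachine -Path $Target
if ($arch -ne 'x86') {
    throw "SAPGUI is 32-bit and needs the 32-bit gsskrb5.dll; $Target is $arch"
}

# On 64-bit Windows a 32-bit process opening %windir%\system32 is redirected to
# %windir%\SysWOW64, so the DLL has to be there too for SAPGUI to find it.
if ([Environment]::Is64BitOperatingSystem) {       # .NET 4 or later
    Copy-Item -Path $Source -Destination (Join-Path $env:windir 'SysWOW64\gsskrb5.dll') -Force
}

# Machine-scope variable, the equivalent of the System Variables dialog above.
[Environment]::SetEnvironmentVariable('SNC_LIB', $Target, 'Machine')

# Verify; the value is visible to processes started after this point.
[Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
```

SAPGUI sessions that are already running keep their old environment, so restart SAP Logon after setting the variable.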

SAP Instance Profile Configuration

In RZ10, add the following parameters to the instance profile:

#Kerberos

snc/enable = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_r3int_rfc = 1

snc/accept_insecure_rfc = 1

snc/data_protection/max = 1

snc/data_protection/min = 1

snc/data_protection/use = 1

# Location of the dll used for kerberos

snc/gssapi_lib = C:\windows\system32\gsskrb5.dll

snc/permit_insecure_start = 1

# The Windows user account used to run the SAP server, written as an SNC name: the p: prefix, the account name, @ and the Kerberos realm (the DNS domain name in uppercase)

snc/identity/as = p:SAPService<SID>@CORP.COMPANY.COM

snc/r3int_rfc_secure = 0

Save the updates and restart the instance.

Some of these values deserve a second look once SSO works. The snc/accept_insecure_* parameters set to 1 let SAP GUI, RFC, CPIC and internal RFC connections in without SNC, which is what makes a gradual rollout possible; after all users and RFC destinations have been switched over, set them to 0 so that a password logon can no longer bypass Kerberos. snc/data_protection/use = 1 (with max = 1) means authentication only: the SAP GUI traffic is neither integrity-protected nor encrypted (2 would add integrity, 3 privacy). snc/permit_insecure_start = 1 permits starting external programs without SNC, and snc/r3int_rfc_secure = 0 leaves internal RFC without SNC.
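A small profile check for the settings listed above, added here as an example and not part of the original tutorial. It parses a profile fragment in the same name = value form and reports every parameter that still admits connections without SNC or leaves the traffic unprotected, which is useful for a post-rollout review. The profile text in the script is constructed to mirror the parameters above with the hypothetical SID SLM and realm CORP.COMPANY.COM.

```powershell
# Added example, not part of the original tutorial: flag SNC profile parameters
# that still permit non-SNC logons or unprotected traffic. The profile text is
# constructed for the example; in practice read it from the instance profile file.
$ProfileText = @'
#Kerberos
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
# Location of the dll used for kerberos
snc/gssapi_lib = C:\windows\system32\gsskrb5.dll
snc/permit_insecure_start = 1
snc/identity/as = p:SAPServiceSLM@CORP.COMPANY.COM
snc/r3int_rfc_secure = 0
'@

# Parse "name = value" lines into a hashtable, skipping comments and blanks.
function ConvertFrom-SapProfile {
    param([string]$Text)
    $params = @{}
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $name, $value = $line -split '\s*=\s*', 2
        $params[$name] = $value
    }
    return $params
}

# Return one finding per parameter that weakens the SNC setup.
function Test-SncProfile {
    param([hashtable]$P)
    $findings = @()
    if ($P['snc/enable'] -ne '1') { $findings += 'snc/enable is not 1: SNC is off'; return $findings }
    # Each of these, when 1, lets the matching connection type in without SNC.
    foreach ($name in 'snc/accept_insecure_gui', 'snc/accept_insecure_rfc',
                      'snc/accept_insecure_cpic', 'snc/accept_insecure_r3int_rfc') {
        if ($P[$name] -eq '1') { $findings += "$name = 1: non-SNC connections of this type are accepted" }
    }
    if ($P['snc/permit_insecure_start'] -eq '1') {
        $findings += 'snc/permit_insecure_start = 1: external programs may be started without SNC'
    }
    if ($P['snc/r3int_rfc_secure'] -eq '0') {
        $findings += 'snc/r3int_rfc_secure = 0: internal RFC is not protected by SNC'
    }
    # 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
    if ([int]$P['snc/data_protection/use'] -lt 3) {
        $findings += "snc/data_protection/use = $($P['snc/data_protection/use']): SAP GUI traffic is not encrypted"
    }
    # The server's SNC name must be p:<account>@<REALM> with the realm in uppercase.
    if ($P['snc/identity/as'] -notmatch '^p:[^@\s]+@[A-Z0-9.\-]+$') {
        $findings += "snc/identity/as '$($P['snc/identity/as'])' is not of the form p:<account>@<REALM>"
    }
    # Only meaningful when run on the application server itself.
    if ($P['snc/gssapi_lib'] -and -not (Test-Path $P['snc/gssapi_lib'])) {
        $findings += "snc/gssapi_lib $($P['snc/gssapi_lib']) does not exist on this host"
    }
    return $findings
}

$findings = Test-SncProfile (ConvertFrom-SapProfile $ProfileText)
$findings | ForEach-Object { Write-Output "WARN: $_" }
```

With the profile exactly as listed above, every accept_insecure line, permit_insecure_start, r3int_rfc_secure and data_protection/use produce a warning; that is expected during rollout and is the list to work through before declaring SNC enforced.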

SAP UserID Update

Log on to the desired SAP system and client, and enter transaction SU01

Enter the user ID to modify and click Change

A tab titled SNC now appears in the Maintain User screen; click on that tab

In the SNC name field, enter the user's Active Directory logon name and the Kerberos realm (the domain's DNS name in uppercase), preceded by p:, as set up in the Active Directory Account Setup step above. For instance: p:test@CORP.COMPANY.COM. The entry is case sensitive and must match the Active Directory account exactly; a wrong SNC name here is a common cause of a failed SSO logon.

SAPGUI Configuration

In SAP Logon update SNC configuration for the system

Select the desired system & Click Properties

Click Advanced on the Properties Window

Check the box next to “Enable Secure Network Communication”

For the field "SNC name" enter p:SAPService<SID>@CORP.COMPANY.COM

The entry is case sensitive, must match the snc/identity/as value in the server's instance profile exactly, and the p: prefix is required

Troubleshooting

The following section is a decision road-map that steps through the items to check when authentication fails for users trying to log on to the SAP environment:

Check the status of the SAP instance by logging in without SNC configuration. This step should be performed on more than one client computer to ensure that the problem is not specific to a single client machine.

Check that a domain controller is reachable from the client and from the SAP server, and that its services are available.

Check the client installation and ensure that the configuration is correct and the proper components (gsskrb5.dll and the SNC_LIB variable) have been installed (see section SAP System Client & Configuration Update).
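The road-map above as checks run from a client workstation, added here as an example and not part of the original tutorial. Logging on without SNC is a manual step, so the script tests the dispatcher port instead; it then locates a domain controller, requests a Kerberos service ticket for the SAP service SPN with klist, and verifies the client SNC library. The host sapslm01.corp.company.com, instance number 00 and the SPN SAPService/sapslm01 are hypothetical and must match what was registered with setspn.

```powershell
# Added example, not part of the original tutorial: the troubleshooting
# road-map as scripted checks. Host, instance number and SPN are hypothetical.
$SapHost  = 'sapslm01.corp.company.com'
$Instance = '00'
$Spn      = 'SAPService/sapslm01'      # as registered with setspn above

# 1. Is the SAP dispatcher reachable? SAP GUI uses TCP 32<instance number>.
function Test-SapDispatcher {
    param([string]$ComputerName, [string]$Inst)
    $port = 3200 + [int]$Inst
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ComputerName, $port); $true } catch { $false } finally { $tcp.Close() }
}

# 2. Can this machine find a domain controller for its own domain?
function Test-DomainController {
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        return $domain.FindDomainController().Name
    } catch { return "no DC found: $($_.Exception.Message)" }
}

# 3. Will the KDC issue a service ticket for the SAP SPN? "klist get" requests one;
#    an unregistered SPN or an unreachable KDC shows up as "klist failed with 0x...".
function Test-ServiceTicket {
    param([string]$Spn)
    $out = (& klist get $Spn 2>&1) -join "`n"
    return ($out -notmatch 'klist failed' -and $out -match [regex]::Escape($Spn))
}

# 4. Is the client SNC library configured and present?
function Test-SncClient {
    $lib = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
    if (-not $lib) { return 'SNC_LIB not set' }
    if (-not (Test-Path $lib)) { return "SNC_LIB points to missing file $lib" }
    return "ok ($lib)"
}

"1. SAP dispatcher reachable : $(Test-SapDispatcher $SapHost $Instance)"
"2. Domain controller        : $(Test-DomainController)"
"3. Kerberos ticket for SPN  : $(Test-ServiceTicket $Spn)"
"4. Client SNC library       : $(Test-SncClient)"
```

Read the results top down: a failed check 1 points at the SAP instance or the network, a failed check 2 at the domain, a failed check 3 at the SPN registration or the KDC, and a failed check 4 at the client installation.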

Possible SSO Errors

Errors reported at logon that result from an incorrect user in the SNC configuration: the SNC name in SU01 or in SAP Logon does not match the Active Directory account or the server's snc/identity/as value (remember that the comparison is case sensitive).

Errors that result from a system outage: the SAP instance, the domain controller or the network between them is unavailable, so the Kerberos ticket request or the connection itself fails.