Step by step guide to enable Single Sign-On (SSO) for SAP applications in a Microsoft Active Directory environment using Kerberos authentication.
This tutorial is meant to be a step by step guide to enable Single Sign-On (SSO) for SAP applications in a Microsoft Active Directory environment using Kerberos authentication. This will allow end users of the SAP System to logon to SAP with the Active Directory credentials, and avoid having another system to maintain a password in.
Active Directory Account Setup
SAP recommends performing a domain installation.
The following tasks have to be completed by a Domain Administrator:
- Create the new global group SAP__GlobalAdmin
- Create the two new SAP system users adm and SAPService
- Add the users adm and SAPService to the newly created group SAP__GlobalAdmin
In the Active Directory Users and Computers console, Right-click Users in Tree, and choose New Group
- Enter the following Group Name: SAP__GlobalAdmin
Note: Enter the SAP__GlobalAdmin group name exactly as specified, with the correct uppercase and lowercase letters.
- Group Scope: Global
- Group Type: Security
Creating the New SAP System Users adm and SAPService
- Note: Enter the adm and SAPService user names exactly as specified, with the correct uppercase and lowercase letters.
- Enter the password and select Password never expires
Adding the adm User to the SAP__GlobalAdmin Group
- On the Member Of tab, choose Add
- Select the new SAP__GlobalAdmin group and choose Add to add it to the list
- Note: By default, the user is also a member of the Domain Users group
Adding the SAPService User to the SAP__GlobalAdmin Group
In the Users folder, double-click the newly created user account SAPService in the list on the right.
- On the Member Of tab, choose Add
- Select the new SAP__GlobalAdmin group
- Choose Add to add it to the list
The SAPService user must not remain a member of the Domain Users group:
- Select the SAP__GlobalAdmin group
- Choose Set Primary Group.
- Select the Domain Users group
- Choose Remove to delete it from the Member of list
- Choose OK to close SAPService Properties
In the Active Directory Users and Computers console, open the SAPService user account.
- On the Account tab, ensure the fields below are defined:
- UserID (ex. SAPServiceSLM)
- Note: The UserID is case sensitive
- Domain (ex. @company.com)
Active Directory SPN for Service Account
Update the Service Principal Name (SPN) for the SAP Service Account in the Active Directory
(This must be done on all Windows 2003 Native Mode Domains!)
- On a Domain Controller in the SAP system's domain, a Domain Admin must update the SPN for the SAPService account
- setspn.exe from the Windows 2003 Support Tools must be installed
- From a command prompt, the Domain Admin executes:
setspn -A SAPService/HostComputerName Domain\SAPService
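The Active Directory steps above (group, the two system users, primary-group change, SPN registration) as one PowerShell script. This is an added example, not part of the original guide: it assumes the standard SAP naming pattern SAP_<SID>_GlobalAdmin, <sid>adm and SAPService<SID> (the guide shows these names with the SID missing), uses the guide's example SID SLM, and the host name sapsrv01 is a placeholder. It needs the ActiveDirectory module (RSAT) and Domain Admin rights.

```powershell
# Added example (not from the original guide): provisions the AD objects from the
# "Active Directory Account Setup" and "SPN" sections.
# Assumption: SAP naming pattern SAP_<SID>_GlobalAdmin, <sid>adm, SAPService<SID>.
#Requires -Modules ActiveDirectory
param(
    [string]$Sid       = 'SLM',              # example SID taken from the guide (SAPServiceSLM)
    [string]$SapHost   = 'sapsrv01',         # placeholder: SAP application server host name
    [string]$UpnSuffix = 'corp.company.com'  # from the guide's snc/identity/as example
)

$group   = "SAP_${Sid}_GlobalAdmin"
$sidAdm  = "$($Sid.ToLower())adm"
$service = "SAPService$Sid"

# Passwords are read interactively so they never end up in the script or a log.
$admPwd = Read-Host -AsSecureString "Password for $sidAdm"
$svcPwd = Read-Host -AsSecureString "Password for $service"

# 1. Global security group; SAP compares the name case-sensitively.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
    New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security
}

# 2. The two SAP system users with "Password never expires", then
# 3. membership in SAP_<SID>_GlobalAdmin.
foreach ($u in @(@{ Name = $sidAdm; Pwd = $admPwd }, @{ Name = $service; Pwd = $svcPwd })) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Name)'")) {
        New-ADUser -Name $u.Name -SamAccountName $u.Name `
            -UserPrincipalName "$($u.Name)@$UpnSuffix" `
            -AccountPassword $u.Pwd -Enabled $true -PasswordNeverExpires $true
    }
    Add-ADGroupMember -Identity $group -Members $u.Name
}

# 4. SAPService<SID> must leave Domain Users. AD refuses to remove a user's
#    primary group, so SAP_<SID>_GlobalAdmin becomes the primary group first.
$rid = (Get-ADGroup -Identity $group -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $service -Replace @{ primaryGroupID = $rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $service -Confirm:$false

# 5. Register the SPN on the service account; this is what the guide's
#    "setspn -A SAPService<SID>/<host> <Domain>\SAPService<SID>" does.
$spn = "SAPService$Sid/$SapHost"
Set-ADUser -Identity $service -ServicePrincipalNames @{ Add = $spn }

# Show the result so each step can be confirmed before moving on.
Get-ADUser -Identity $service -Properties MemberOf, primaryGroupID, ServicePrincipalNames |
    Select-Object SamAccountName, primaryGroupID, ServicePrincipalNames, MemberOf
```

Run it once per SAP system; the membership and SPN steps are idempotent, and the final Get-ADUser output should show the SPN, a primaryGroupID equal to the RID of SAP_<SID>_GlobalAdmin and no Domain Users entry in MemberOf.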
Note: the following Microsoft updates should be applied to Windows systems to prevent unexpected Kerberos-related authentication errors for the SAP clients:
- Windows 2003 RTM Systems: Kerberos Update for Domain Controllers (http://support.microsoft.com/kb/q829074)
- Windows XP SP2 Systems: Kerberos Update for Clients (http://support.microsoft.com/kb/q885887)
A reference article from Microsoft detailing Kerberos and SPN’s is available at:
- www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28.mspx
SAP System Client & Configuration Update
- Copy the current gsskrb5.dll to the %windir%\system32 directory on both clients and servers. At the time of writing, this file is dated 9/7/2004.
- SAPGUI currently does not support the 64-bit gx64krb5.dll or gi64krb5.dll. If SAPGUI has to run on a 64-bit machine, the 32-bit gsskrb5.dll must be used instead.
Set System Environment Variable for SNC_LIB on both clients and servers
- Right Click My Computer & Left Click Properties
- Click on the Advanced tab
- Click on Environment Variables button at the bottom
- Under System Variables Click New
- Enter:
Variable Name: SNC_LIB
Variable Value: %windir%\system32\gsskrb5.dll
- Click OK three times to close the dialogs
SAP Instance Profile Configuration
In RZ10, update the instance profile with the following additions:
- #Kerberos
- snc/enable = 1
- snc/accept_insecure_cpic = 1
- snc/accept_insecure_gui = 1
- snc/accept_insecure_r3int_rfc = 1
- snc/accept_insecure_rfc = 1
- snc/data_protection/max = 1
- snc/data_protection/min = 1
- snc/data_protection/use = 1
- # Location of the DLL used for Kerberos
- snc/gssapi_lib = C:\windows\system32\gsskrb5.dll
- snc/permit_insecure_start = 1
- # The Windows user account used to run the SAP server
- snc/identity/as = p:SAPService@corp.company.com
- snc/r3int_rfc_secure = 0
- Save the updates and restart the instance.
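A check for the profile additions above, written as an added example (not part of the original guide and not an SAP tool). It parses an instance profile, verifies the SNC parameters the guide sets, catches the backslash-less DLL path that results from copying the values off a web page, and lists every accept_insecure_* / permit_insecure_start parameter that is still 1, because each of those keeps accepting logons without SNC. The embedded profile text is a constructed sample; the profile path in the usage comment is a placeholder.

```powershell
# Added example (not from the original guide): validates the snc/* parameters of
# an SAP instance profile. Later duplicate keys override earlier ones, as in SAP profiles.
function Test-SncProfile {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Parse "key = value" lines; lines starting with '#' are comments.
    $p = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $k, $v = $t -split '\s*=\s*', 2
        if ($null -ne $v) { $p[$k.Trim()] = $v.Trim() }
    }

    $findings = New-Object System.Collections.Generic.List[string]

    if ($p['snc/enable'] -ne '1') { $findings.Add('snc/enable is not 1: SNC is switched off') }

    $lib = $p['snc/gssapi_lib']
    if (-not $lib) { $findings.Add('snc/gssapi_lib is missing') }
    elseif ($lib -notmatch '\\') { $findings.Add("snc/gssapi_lib '$lib' has no path separators; backslashes were probably lost") }
    elseif (-not (Test-Path -LiteralPath $lib)) { $findings.Add("snc/gssapi_lib '$lib' does not exist on this host") }

    $id = $p['snc/identity/as']
    if ($id -notmatch '^p:[^@\s]+@[^@\s]+$') { $findings.Add("snc/identity/as '$id' must look like p:SAPService<SID>@<domain>") }

    # Every accept_insecure_* = 1 keeps that channel open for logons WITHOUT SNC.
    # The guide sets them for the roll-out; report them so they are revisited afterwards.
    $insecureKeys = @($p.Keys | Where-Object { $_ -like 'snc/accept_insecure_*' -or $_ -eq 'snc/permit_insecure_start' })
    foreach ($k in $insecureKeys) {
        if ($p[$k] -eq '1') { $findings.Add("$k = 1: connections of this type are still accepted without SNC") }
    }

    foreach ($lvl in 'min', 'max', 'use') {
        if ($p["snc/data_protection/$lvl"] -notin '1', '2', '3') { $findings.Add("snc/data_protection/$lvl must be 1, 2 or 3") }
    }
    return $findings
}

# Constructed sample: the guide's additions with one deliberate defect, the DLL path
# whose backslashes were lost when the values were copied from a web page.
$sample = @'
#Kerberos
snc/enable = 1
snc/accept_insecure_gui = 1
snc/permit_insecure_start = 1
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/gssapi_lib = C:windowssystem32gsskrb5.dll
snc/identity/as = p:SAPServiceSLM@corp.company.com
'@ -split "`r?`n"

Test-SncProfile -Lines $sample | ForEach-Object { "FINDING: $_" }
# With a real profile (placeholder path):
# Test-SncProfile -Lines (Get-Content 'D:\usr\sap\<SID>\SYS\profile\<SID>_<INSTANCE>_<host>')
```

On the sample the function reports the gsskrb5.dll path without separators and the two parameters that still admit non-SNC connections; a profile with the corrected path produces only the latter two lines.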
SAP UserID Update
- Log on to the desired SAP system and client, and enter transaction SU01
- Enter the UserID to modify and click Change
- A tab titled SNC now appears in the Maintain User screen; click on that tab
- In the SNC name field, enter the name of the Active Directory user and their Fully Qualified Domain Name (FQDN), preceded by p:, as it was listed in the Active Directory Account Setup step above. For instance: p:test@COMPANY.COM
SAPGUI Configuration
In SAP Logon, update the SNC configuration for the system:
- Select the desired system & Click Properties
- Click Advanced on the Properties Window
- Check the box next to “Enable Secure Network Communication”
- In the field “SNC name”, enter p:SAPService@company.com
Note: the entry is case sensitive, and the p: prefix is required.
Troubleshooting
- The following section is a decision road-map that steps through the items to check when the authentication mechanism is failing for users trying to log on to the SAP environment
- Check the status of the SAP instance by logging on without SNC configuration. Perform this step on more than one client computer to ensure that the problem is not specific to one client machine.
- Check that a Domain Controller is available to the server and that its services are running
- Check the client installation and ensure that the configuration is correct and the proper components have been installed (see section Active Directory SPN for Service Account)
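The client-side checks from the SAP System Client & Configuration Update section and the troubleshooting items above, combined into one diagnostic. This is an added example, not from the original guide: run it as the affected end user on the workstation that cannot log on. It assumes the SPN pattern SAPService<SID>/<host>, uses the guide's example SID SLM, and relies only on tools shipped with Windows (setspn.exe, klist.exe).

```powershell
# Added example (not from the original guide): client-side SSO diagnostic.
# Assumption: SPN pattern SAPService<SID>/<host>; 'SLM' is the guide's example SID.
param([string]$Sid = 'SLM')

$results = [ordered]@{}

# 1. SNC_LIB must be a *system* (Machine) variable pointing at an existing 32-bit gsskrb5.dll;
#    a user-scope variable is the "incorrect or incomplete environment variables" case.
$sncLib = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine')
$results['SNC_LIB set (Machine scope)'] = [bool]$sncLib
$libPath = if ($sncLib) { [Environment]::ExpandEnvironmentVariables($sncLib) } else { $null }
$results['SNC_LIB file exists'] = [bool]($libPath -and (Test-Path -LiteralPath $libPath))
if ($results['SNC_LIB file exists']) {
    $dll = Get-Item -LiteralPath $libPath
    $results['gsskrb5.dll date / version'] = "$($dll.LastWriteTime.ToShortDateString()) / $($dll.VersionInfo.FileVersion)"
}

# 2. The workstation must reach a domain controller of its own domain.
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
    $results['Domain controller reachable'] = $dc.Name
} catch {
    $results['Domain controller reachable'] = "FAILED: $($_.Exception.Message)"
}

# 3. The SPN must be registered; a missing SPN, or the same SPN on two accounts,
#    is a common reason why the Kerberos ticket request for SAP fails.
$spnQuery = & setspn.exe -Q "SAPService$Sid/*" 2>&1 | ForEach-Object { "$_" }
$results['SPN registered'] = if ($spnQuery -match 'Existing SPN found') { 'yes' } else { 'NO' }
$results['SPN accounts']   = ($spnQuery | Where-Object { $_ -match '^CN=' }) -join '; '

# 4. After a logon attempt, a Kerberos service ticket for the SAP SPN should be in the cache.
$ticket = & klist.exe 2>&1 | Select-String -Quiet "SAPService$Sid/"
$results['Kerberos ticket for SAP SPN'] = if ($ticket) { 'present' } else { 'absent' }

$results.GetEnumerator() | Format-Table Name, Value -AutoSize
```

A 'NO' under SPN registered points back to the setspn step, more than one entry under SPN accounts means a duplicate SPN that must be removed from the wrong account, and an absent ticket together with a reachable domain controller usually means the client never attempted Kerberos, which is the SNC_LIB / SAP Logon configuration case rather than a domain problem.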
Possible SSO Errors
- The following error results from an incorrect user entered in the SNC configuration
- The following errors are due to a system outage
- The following error is due to incorrect or incomplete environment variables
Hi,
1. Download the verify.der file to your local (portal server) file system.
a) As portal user navigate to System Administration → System Configuration → Keystore Administration.
b) Choose Download verify.der File and store the file in your local file system.
c) Unzip this file (e.g. using WinZIP or WinRAR) to be able to store verify.der.
2. Upload the verify.der file to your ABAP based backend system.
Note: Only one user can access the STRUSTSSO2 transaction, so you may have to wait until other groups have left STRUSTSSO2.
a) Launch the SAP Logon shortcut on your portal’s server desktop.
b) Create an entry for your ABAP-based backend system.
c) Logon to that system to client 100 with user.
d) Launch transaction STRUSTSSO2 and press the Import certificate icon (in area Certificate). In field File path, browse to the verify.der file and press Enter.
e) Press the Add to Certificate List button and Save.
Hint: Do not exit the transaction, because you have to add the entry to the ACL (see next task).
f) From the certificates list (area Cert. List), double-click the entry for your portal server, e.g. CN=SID.
g) Choose Add to ACL and provide the following data:
h) Save your entry and exit the transaction.