Register Login

Enable SSO in SAP System using Kerberos Authentication

Updated May 18, 2018

Step by step guide to enable Single Sign-On (SSO) for SAP applications in a Microsoft Active Directory environment using Kerberos authentication. 

This tutorial is meant to be a step by step guide to enable Single Sign-On (SSO) for SAP applications in a Microsoft Active Directory environment using Kerberos authentication. This will allow end users of the SAP System to logon to SAP with the Active Directory credentials, and avoid having another system to maintain a password in.

Active Directory Account Setup

SAP recommends to perform a Domain installation

The following tasks will have to be completed by Domain Administrator

  • Create the new global group SAP__GlobalAdmin
  • Create the two new SAP system users adm and SAPService
  • Add the users adm and SAPService to the newly created group SAP__GlobalAdmin

In the Active Directory Users and Computers console, Right-click Users in Tree, and choose New Group

  • Enter the following Group Name: SAP__GlobalAdmin

Note: Enter the SAP__GlobalAdmin group exactly as specified in the correct uppercase and lowercase.

  • Group Scope: Global 
  • Group Type: Security

In the Active Directory Users and Computers console, Right-click Users in Tree, and choose New Group

Creating the New SAP System Users adm and SAPService

  • Note: Enter the adm and SAPService user exactly as specified in the correct uppercase and lowercase.

  • Enter the password and select never expires

Adding the adm User to the SAP__GlobalAdmin Group

  • Choose Member and Add
  • Select the new SAP__GlobalAdmin group and choose Add to add it to the list
  • Note: By Default, the user is also a member of the Domain Users group

Adding the SAPService User to the SAP__GlobalAdmin Group

In the Users folder, double-click the newly created user account SAPService in the list on the right.

  • Choose Member Add
  • Select the new SAP__GlobalAdmin group
  • Choose Add to add it to the list

The SAPService user must not be a member of the Domain Users group

  • Select the SAP__GlobalAdmin group
  • Choose Set Primary Group.
  • Select the Domain Users group
  • Choose Remove to delete it from the Member of list
  • Choose OK to close SAPService Properties

In the Active Directory Users and Computers console, open the SAPService UserID

  • On the Account tab ensure the below fields are defined
  • UserID (ex. SAPServiceSLM)
  • Note: The UserID is case sensitive
  • Domain (ex.

Active Directory SPN for Service Account

Update Service Principle Name (SPN) for the SAP Service Account in the Active Directory
(This must be done on all Windows 2003 Native Mode Domains!)

  • On a Domain Controller in the SAP systems Domain, a Domain Admin must update the SPN for the SAPService
  • From the Windows 2003 Support Tools, setspn.exe must be installed
  • From a command prompt the Domain Admin will execute
    setspn –A SAPService/HostComputerName DomainSAPService

Note the following Microsoft Updates should be applied to Windows systems to prevent unexpected Kerberos related authentication errors for the SAP clients:

  • Windows 2003 RTM Systems – Kerberos Update for Domain Controllers (
  • Windows XP SP2 Systems – Kerberos Update for Clients

A reference article from Microsoft detailing Kerberos and SPN’s is available at:


SAP System Client & Configuration Update

  • Copy current gsskrb5.dll to %windir%system32 directory on both clients and servers. Currently, this file is dated 9/7/2004.
  • SAPGUI currently does not support the 64-bit gx64krb.dll or the gi64krb5.dll if the SAPGUI is needed to run on a 64-bit machine then the 32-bit gsskrb5.dll will have to be used instead.

Set System Environment Variable for SNC_LIB on both clients and servers

  • Right Click My Computer & Left Click Properties
  • Click on the Advanced tab

  • Click on Environment Variables button at the bottom

  • Under System Variables Click New

  • Enter
    Variable Name: SNC_LIB
    Variable Value: %windir%system32gsskrb5.dll

  • Click OK, and OK and OK

SAP Instance Profile Configuration

In RZ10 update Instance Profile with the following additions

  • #Kerberos
  • snc/enable =1
  • snc/accept_insecure_cpic =1
  • snc/accept_insecure_gui =1
  • snc/accept_insecure_r3int_rfc =1
  • snc/accept_insecure_rfc =1
  • snc/data_protection/max =1
  • snc/data_protection/min =1
  • snc/data_protection/use =1
  • # Location of the dll used for kerberos
  • snc/gssapi_lib = C:windowssystem32gsskrb5.dll
  • snc/permit_insecure_start =1
  • # The Windows User Account used to run SAP Server
  • snc/identity/as =
  • snc/r3int_rfc_secure = 0

  •  Save the updates, and the instance must be restarted.

SAP UserID Update

  • Log on to the desired SAP system and client, and enter transaction SU01
  • Enter the UserID to modify, and click Change ( )

  • A tab now appears titled SNC in the Maintain User screens, click on that tab
  • In the SNC name field, enter the name of the Active Directory user and their Fully Qualified Domain Name (FQDN) preceded with a p: as it was listed in Active Directory Account Setup step from above. For instance: p:test@ COMPANY.COM

SAPGUI Configuration

In SAP Logon update SNC configuration for the system

  • Select the desired system & Click Properties
  • Click Advanced on the Properties Window

  • Check the box next to “Enable Secure Network Communication”
  • For the field “SNC name” Enter
    entry is case sensitive, and the p: is required


  • The following section is a decision road-map that will step through the items to check if the authentication mechanism is failing for the users trying to login to the SAP environment

  • Check Status of SAP Instance by logging in without SNC configuration. This step should be performed on more than one client computer to ensure that it is not specific to the client running the machine.

  • Check the Domain Controller availability of the server and if service are available
  • Check Client installation and ensure that configuration is correct and proper components have been installed. (see section Active Directory SPN for Service Account)

Possible SSO Errors

  • The following error is from incorrect user added in the SNC configuration

  • The following errors are due to system outage

  • The following error is due to incorrect or incomplete environment variables in place


  • 22 Dec 2010 7:33 am rekha Helpful Answer


    1. Download the verify.der file to your local (portal server) file system.

    a) As portal user navigate to System Administration → System Configuration → Keystore Administration.

    b) Choose Download verify.der File and store the file in your local file system.

    c) UnZIP this file (e.g. using WinZIP or WinRAR) to be able to store verify.der.

    2. Upload the verify.der file to your ABAP based backend system.

    Note: Only one user can access the STRUSTSSO2 transaction, so you may have to wait until other groups have left STRUSTSSO2.

    a) Launch the SAP Logon shortcut on your portal’s server desktop.

    b) Create an entry for you ABAP based backend system .

    c) Logon to that system to client 100 with user.

    d) Launch transaction STRUSTSSO2 and press the Import certificate icon (in area Certificate). In field File path, browse to the verify.der file and press Enter.

    e) Press the Add to Certificate List button and Save.

    Hint: Do not exit the transaction, because to have to add the entry to the ACL (see next task).

    f) From the certificates list (area Cert. List), double-click the entry for your portal server, e.g. CN=SID.

    c) Choose Add to ACL and provide the following data:

    • System ID. Your portal server system ID, e.g. SID, Client your portal server client which should be 000

    d) Save your entry and exit the transaction.

  • 04 Dec 2012 5:56 am Shobana N
    Amarnath ...
    then what will be the right to explain ..... can u explain this ..