Technology Blogs by SAP
Martina_Kirschenmann
Product and Topic Expert

Overview


The SAP Single Sign-On product offers support for Kerberos/SPNEGO. You can use Kerberos authentication tokens to easily implement a single sign-on solution for your SAP systems. This requires little implementation effort, but provides a considerable simplification to your employees’ authentication processes. Using Kerberos technology via SNC or SPNEGO, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for example) and the back-end Application Server ABAP or Java.

Employees log in once when they start their computers by signing on to their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP Single Sign-On and based on Microsoft Active Directory. No additional server is required in this scenario. Working on the front-end software, the user experiences streamlined, easy accessibility.



 

Implementing Single Sign-On with Kerberos


The following videos provide a step-by-step configuration tutorial for setting up Kerberos-based single sign-on for AS ABAP and AS Java.

 

Part 1: Kerberos-Based SSO to Application Server ABAP (6:20 min)


The video guides you step-by-step through the tasks required for setting up Secure Network Communication (SNC) and configuring SSO based on Kerberos/SPNEGO on the ABAP backend. Learn how easy this is using the SNC Wizard and Kerberos transaction.


Part 2: Kerberos-Based SSO to Application Server ABAP - Mass User Mapping (1:56 min)


One configuration task required for Kerberos-based SSO is user mapping. You need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. But how do you configure user mapping for thousands of users? The video guides you through the options available for mass user mapping in Application Server ABAP.


Part 3: Kerberos-Based SSO to Application Server Java (3:52 min)


The video guides you step-by-step through the tasks required for configuring SSO based on Kerberos/SPNEGO in the Application Server Java.


Recommendations and Troubleshooting


Single Sign-On with Kerberos: Recommendations & Troubleshooting

Troubleshooting SPNego for ABAP (SAP Note 1732610)

Blogs


Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP

Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates

Additional Resources


Single Sign-On to SAP HANA DB using Kerberos (SAP Note 1837331)

Single Sign-On to SAP BusinessObjects BI Platform 4.0

Mobile Single Sign On from iOS 7 to SAP NetWeaver

Take the SAP Fiori Experience to a New Level with SAP Single Sign-On

More Information


For more information about SAP Single Sign-On, visit our community here:

https://community.sap.com/topics/single-sign-on.

 
148 Comments
Martina_Kirschenmann
Product and Topic Expert
Hi Anoop,

Unfortunately, there currently doesn’t exist any documentation in case you don’t have the transaction SNCWIZARD available. Please open a ticket and our primary support will be able to help you with this.

Thanks,

Martina
abhiBa
Newcomer
0 Kudos
Dear Martina,

We have a requirement in which the service user created in the domain for SSO will have a password expiry (password never expires cannot be set) and whenever we set the new password on expiry it should not be required to reconfigure the SPNego...is this possible?

Please advise.

Regards

 
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Abhijit,

When the service account needs a new password, the old keyTab from the transaction SPNEGO needs to be deleted and the new keyTab (service account and new password) needs to be created. Otherwise SNC with Kerberos or SPNego in the browser will no longer work.

Best regards,

Martina
ekaminski
Explorer
0 Kudos
Hi Martina,

thanks for the blog!

I set up SSO for SAP GUI with Kerberos, which works fine, but Web/Fiori access is not working.

The GUI connects directly to the server by hostname, like s4.domain.local.

Fiori connects via the Web Dispatcher by an FQDN with another DNS suffix, like s4.domain.com.

The Kerberos REALM is domain.local.

I set SPNs for both:

SAP/<sid>

HTTP/s4.domain.local

HTTP/s4.domain.com

When we access s4.domain.com we receive the message "Authentication token is of type NTLM instead of SPNEGO."

Did you already see the same?

 

Thanks
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Eduardo,

please check the SPNego ABAP: Troubleshooting Note available here:

https://launchpad.support.sap.com/#/notes/0001732610

Refer to section "3.2.3 NTLM token received". And also check section 2.2 about how to enable your browser for SPNego.

Hope this helps.

Best regards,

Martina
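The "NTLM instead of SPNEGO" message in the exchange above means the browser fell back to NTLM rather than presenting a Kerberos ticket inside a SPNEGO token. The following added example (not code from the blog or from SAP) classifies what a browser actually sent by inspecting the base64 token in the `Authorization: Negotiate` header value; the sample tokens and the function name `classify_negotiate_token` are constructed for illustration.

```python
import base64
import binascii

# Constructed sample tokens (not captured from any real system). The NTLM one is a
# minimal NEGOTIATE_MESSAGE (type 1); the SPNEGO one is a minimal GSS-API
# InitialContextToken carrying the SPNEGO mechanism OID and an empty NegTokenInit.
NTLM_NEGOTIATE_B64 = base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(20)
).decode()
SPNEGO_INIT_B64 = base64.b64encode(
    b"\x60\x0a" + bytes.fromhex("06062b0601050502") + b"\xa0\x00"
).decode()

# DER-encoded mechanism OIDs (tag 0x06 + length + contents) found at the start of a
# GSS-API token; which one appears tells you what mechanism the client chose.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos v5 (1.2.840.113554.1.2.2)",
}


def _der_body(token: bytes, offset: int) -> bytes:
    """Skip the DER length field at `offset` and return the bytes that follow it."""
    first = token[offset]
    if first < 0x80:                      # short form: a single length byte
        return token[offset + 1:]
    n = first & 0x7F                      # long form: the next n bytes hold the length
    return token[offset + 1 + n:]


def classify_negotiate_token(header_value: str) -> str:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    if not b64.strip():
        return "empty"                    # first round trip: no token sent yet
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except binascii.Error:
        return "invalid-base64"
    if token.startswith(b"NTLMSSP\x00"):
        # NTLM messages carry their type as a little-endian DWORD at offset 8
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return f"NTLM (message type {msg_type})"
    if token[:1] == b"\x60" and len(token) > 2:
        # GSS-API InitialContextToken: [APPLICATION 0] { mechanism OID, inner token }
        body = _der_body(token, 1)
        for oid, name in MECH_OIDS.items():
            if body.startswith(oid):
                return name
        return "GSS-API (unknown mechanism)"
    return "unknown"


if __name__ == "__main__":
    for header in ("Negotiate " + NTLM_NEGOTIATE_B64,
                   "Negotiate " + SPNEGO_INIT_B64,
                   "Negotiate"):
        print(f"{header[:40]:40} -> {classify_negotiate_token(header)}")
```

An NTLM result means the client never obtained a service ticket for the URL's host name, so the check belongs on the browser/SPN side rather than in the SAP keytab configuration.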
hubert_pikus
Discoverer
0 Kudos
Hello Martina.

Our SAP systems are outsourced and we must realize SSO with Azure AD.

Is SSO for the SAP GUI with Azure AD possible?
What must we configure in the transaction SPNEGO?
What must I define so that the SAP system knows that SSO is realized with Azure AD?

Many thanks for your help.

Hubert
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Hubert,

Azure AD is a cloud-based SAML Identity Provider and can be used with browser-based business applications. However, Azure AD does not support desktop clients such as SAP GUI, as these are not compatible with the SAML protocol. For these desktop clients, SAP Single Sign-On is required, using Kerberos or X.509 certificates as SSO tokens.

You could use the Secure Login Web Client, which is a component of the SAP Single Sign-On product. The Secure Login Web Client can accept a SAML 2.0 assertion as security token and in return provision an X.509 certificate for single sign-on of desktop applications such as SAP GUI.

See documentation here:

https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/dce8de8d2b4547038b9c5b3c361ad...

https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/bf25ca2ceb8f4baba6069d955fbb2...

Best regards,

Martina
hubert_pikus
Discoverer
0 Kudos
Hello Martina.

Many, many thanks for your information!!

Best regards.

Hubert

 
0 Kudos

Hi Martina,

 

I have configured SSO in our system. While creating the keytab in SPNego, we are getting the following error. Please suggest the way forward

Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Muhammad,

please open a customer ticket for your problem. Our support team will be able to assist you.

Thanks,

Martina
0 Kudos
martina.kirschenmann

Hi Martina,

We were in contact about SPNEGO for a customer but I believe the subject has its place here and might benefit to other colleagues.

It is about the SPNEGO wizard for JAVA. I believe the concept is similar to the wizard in ABAP.

For Kerberos to work:

  • An AD user is configured with some Service Principal Names (SPNs) matching URLs for which we want to allow Kerberos authentication. DES encryption is disabled.

  • Run SPNEGO wizard

    • Create REALM manually

    • Enter the Principal (AD user containing SPNs)

    • Keys (keytab files) are generated
      I guess here DES can be unticked and depending on security requirements keeping AES256 is probably the most secure option.

    • Define user mapping
      When using ADS as datasource, Principal and REALM is recommended.




My understanding is that in the "Principal" screen, the password entered twice is only used to generate the keys (keytab files).

  • Do I understand correctly?

  • How are the SPNs read/retrieved from the Principal?

    • Does it use the UME configuration (LDAP configuration)?

      • In that case it means the password set in AD for the Principal is not important, and the team in charge of renewing users' passwords can do it without impacting the SAP system. Is that right?






Many thanks in advance.
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Christophe,

You can find all configuration details in our documentation here:

Using Kerberos Authentication on SAP NetWeaver AS for Java

Best regards,

Martina
0 Kudos
Many thanks Martina.

The documentation confirms that there is no password check but it has to be the right one as defined in AD.


Kerberos Realms - Add manually

0 Kudos

Hello All,

I get an error while validating the password.

But the user exists in Active Directory with "never expire", and the AD admin was also able to log in with the ID and password below.

 

Can you please guide me if I am missing anything.

 

Check user in Active Directory  -  We can't sign you in with this credential because

Message no. SPN028

Requirements

You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.

Diagnosis

This message comes from Active Directory.

This function tries to verify whether the selected Kerberos Principal Name exists in Active Directory. The Check User Principal in AD button enables you to validate the Kerberos Principal User against Active Directory. You enter the password of Active Directory, and the front-end control checks whether Active Directory has a user with this Kerberos Principal Name in the userPrincipalName attribute.

 

Procedure

If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory.

 

Regards

Shekar

SSO

Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Shekar,

it looks like you are not in the right domain. Therefore, the verification does not work.

You can try to generate the keyTab without password validation and go to the tab Service Principal Names. There you will see that you don't have the domain as your service account.

Regards,

Martina
0 Kudos
Hello Martina,

 

Thanks for your reply.

Can you please let me know how to overcome the issue.


 

regards

Shekar

Service Principal Name

0 Kudos
Hello Martina,

After logging with the user in domain, the issue is resolved.

Currently I am having another issue, please see the screen below.

 

Token check is in status RED


 

Regards

Shekar

 

 
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Shekar,

please open a customer ticket to resolve your problem.

Thanks,

Martina
steven_foo
Participant
0 Kudos
Hi,

This is weird: we are able to download the software. Does this mean we already have the license?

However, when we checked with our SAP Sales Executive, he mentioned we don't.

We recall that one of the SAP Notes mentioned that if you have the license already, the download part will appear.

Kindly correct me if this is wrong.

Secondly, how could we install the license into the ABAP instance running on Oracle or HANA DB?

Thanks.

 
steven_foo
Participant
0 Kudos

We are able to download the SAP Single Sign On 3.0 which is appearing when we go to the SAP Marketplace or Support center.

However when we check with our SAP Sales Executive, he mentioned that we don't have license.

But if we are not wrong according to one of the SAP Note - 1876552 - Unable to find SAP Single Sign-On product on ONE Support Launchpad - SAP ONE Support Launc..., it mentioned the SAP Single Sign On 3.0 will only appear for download if customer already have a license.

Any idea on this discrepancy ?

Thanks.

Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Steven,

you will only be able to download the SAP Single Sign-On 3.0 product if you have a license for it, as stated in the SAP Note you mentioned above. Please check again with your SAP Account Executive for investigation.

Thanks,

Martina
steven_foo
Participant
0 Kudos
HI Martina,

We have raised a ticket with SAP support; SAP support checked and gave feedback that we are licensed.

So we are not sure why SAP SE provided us with incorrect information.

How does the license work? Is it by user count or just by one block?

Thanks.

 

 
steven_foo
Participant
0 Kudos
Martina,

Do you know how the license works?

By user count or one bulk license?

 
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Steven,

licensing for the SAP Single Sign-On product is user-based. For the details, please get in contact with your SAP Account Executive.

Best regards,

Martina
Francis417
Participant
0 Kudos
Hi Martina,

Just would like to ask if it is also possible to integrate Azure AD with SAP Java AS 7.0 using the same method as shown in the video in the blog post?

If not, any place where I can find some steps and guideline on how it can be done if this is feasible.

Thanks.
Martina_Kirschenmann
Product and Topic Expert
Hi Francis,

Azure AD only supports SAML. This blog post and the configuration videos are about SSO using Kerberos/SPNEGO with the SAP Single Sign-On product, and for that you need the on-premise Active Directory.

Please also note that SAP NetWeaver 7.0 AS JAVA has been out of maintenance for several years already, and it is not recommended to use it.

Best regards,

Martina
jegadesh_k
Participant
0 Kudos
Hi Martina,

Excellent blog. Currently I am trying to configure SSO/SNC for the Mac GUI. Will the setup be similar to this document, or is there something else I need to consider? I appreciate your response.

 

Thanks

Jega
Martina_Kirschenmann
Product and Topic Expert
Hi Jega,

in general, configuration is the same as with Windows clients. You only need to consider the documentation how to install the Secure Login Client on macOS. You will find the documentation here:

https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/f304002c0e794013b438a5...

Best regards,

Martina
Graciete
Discoverer
0 Kudos
Hi Martina,

Excellent blog. I have a problem. I already configured SSO for the GUI with Kerberos authentication, but when I run a Fiori URL (the server is both backend and frontend) or run WebGUI, a popup appears to log on to AD, and if I enter the AD user and password, it does not work. Can you help me please?

 

Best Regards

Graciete
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Graciete,

You can refer to the following information for troubleshooting:

https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+Kerberos%3A+Recommendations+and+T...

Or refer to SAP Note 1732610 - SPNego ABAP: Troubleshooting Note:

https://launchpad.support.sap.com/#/notes/0001732610

Hope this helps.

Best regards,

Martina
henrivb
Member
0 Kudos
Hi Martina,

Great blog, and have used it a few times.

Is it possible to make use of SSO for SAP GUI on Windows when the SAP application servers are running on Linux, and the SAP users (<sid>adm and SAPService<sid>) are not on the domain?

 

Thanks

Henri
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hi Henri,

Yes, that is possible. When using SAP Single Sign-On, the application server does not need to be part of the Windows domain.

Best regards,

Martina
sreekanth_
Member
0 Kudos
Hi Shekar,

 

Have you got the right solution for the above issue? I am also stuck with the same "Token Check" error. If possible, could you share the fix information?

Best Regards

Sreekanth
Kim_Heckscher
Explorer
0 Kudos
Hello Mrs. Kirschenmann, Hello Martina,

I'm new to SAP SSO 3.0 and we just configured the first system "SBT" with Kerberos.

In transaction SPNEGO we don't see the User Principals or User Mapping.


SPNEGO missing UserPrincipals and User Mapping


I saw this one time just after a restart of my client, but not now...
Any ideas why it doesn't show the UPNs? There is no error message at all.

SSO 3.0 SP 2 Patch 16, but this is not relevant as I see.
(I already checked SAP Note 2729769 - SPNEGO transaction - tab "Service Principal Names" is blank during SAP Single Sig...

In tracing I couldn't find anything.

Thanks for any info, or should I better create a ticket on SAP 4 ME?

 

Hope you can Help me, best Regards,

Kim
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Kim,

Your configuration looks fine and SNC is working. Sometimes it can happen that the UPNs are not shown correctly. Maybe you can try again. Or refer to SAP Note 3279986 as a workaround.

If the problem persists, please open a ticket and our support team will assist you.

Thanks,

Martina
tskwin
Explorer
0 Kudos


Hello Martina,

Thank you for this blog.

Is it possible to install SSO with Kerberos without a Secure Login Server? How are the user tickets (without SLS) distributed automatically? Does AD have to provide certain functions? What advantage does SLS have in this case? Is Kerberos still recommended as SSO?

Many Thanks

Best regards

Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Tatjana,

When using Kerberos for SSO, you don’t need the Secure Login Server. You only need the Secure Login Client on the client side (together with SAP GUI). On the server side, the functionality of verifying the Kerberos tokens is provided by the SAP Cryptographic Library that already comes with the ABAP kernel.

SSO via Kerberos technology requires a local Microsoft Active Directory (AD). The Microsoft AD (KDC) issues the Kerberos token upon successful Windows domain login. Yes, Kerberos is still recommended as SSO technology, and many of our customers are still using it.

Please note that last month we launched a new solution for SSO with SAP GUI: the SAP Secure Login Service for SAP GUI. This new solution also includes SSO via Kerberos, same as with the previous SAP Single Sign-On product. More information is available in the release blog here: https://blogs.sap.com/2023/05/04/sap-secure-login-service-for-sap-gui-now-available/

Best regards,

Martina
Kim_Heckscher
Explorer
0 Kudos
Hi Martina, I just created a ticket.

Ticket-ID: 528328 / 2023

Test with kerberostest.exe was successful:


Kerberostest

gciula
Member
0 Kudos
Hello Martina,

I have configured SPNEGO according to your description "Kerberos-Based SSO to Application Server ABAP".
It works for the GUI, but it doesn't work for HTTPS WebGUI.
I have registered HTTP/FQDN and added entries to the registry - 3183026 (Edge, Chrome). But it is still not working.
Is there something else I should do (some parameters in RZ10)?



Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Grzegorz,

please open a ticket for your issue and our support team will assist you.

Thanks,

Martina
ajsehgal1
Explorer
0 Kudos
martina.kirschenmann, thanks for posting this blog. I have a few questions and am not sure if you can help me answer them.

We have a requirement to configure Kerberos authentication in our ERP EHP5 (SAP Basis 702) using HTTPS (browser based). As per SAP KBA 1798979 - SPNego ABAP: Downport, I believe it is supported.

We have one landscape which is on domain A and has SPNEGO configured. We have another landscape which is running on domain B but is accessible on the same network as domain A. We want to configure SPNEGO for the system running on domain B, but the users will be from domain A. I have also read your blog on Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment; I believe that is for people accessing the same system from multiple domains. Can you please confirm if accessing only from domain A for a system in domain B is a supported scenario? Your response will be appreciated.

Also, can you confirm if Secure Login Client 3.0 will be compatible with ERP EHP 5 (SAP Basis 702)?

Please let me know if the above doesn't make sense to you.

Many Thanks,

Ajay
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Ajay,

Yes, you will find the configuration details in the blog:

Kerberos/SPNEGO for SAP AS ABAP in a Multi-Domain Environment.

For technical release information, please refer to the Product Availability Matrix here and the SAP Note 1798979 you mentioned.

Best regards,

Martina
former_member135411
Discoverer
0 Kudos
Hi ,

We are implementing SSO with OKTA. SSO works fine for WebGUI.

We would like to configure SSO with OKTA for SAP GUI. How can we achieve this?

 

Best regards
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello,

You can use the SAP Secure Login Service for SAP GUI to provide your SAP GUI users with SSO to their ABAP-based business applications. The solution is based on a lean cloud service and can integrate with your existing corporate identity provider (such as Azure AD or OKTA).

You will find more information about our SAP Secure Login Service for SAP GUI (product overview, documentation, etc.) here:

https://community.sap.com/topics/single-sign-on

Best regards,

Martina
0 Kudos
Hi Martina,

With transaction SPNEGO in an ABAP system, it is possible to provide user principal name and all that stuff pointing to an active directory. So far so good it is working.

The connection normally is established via LDAP port 389 which is non-secure.

Question for me:

When switching to SSL over LDAP (LDAPS), port will be changed to 636. But where?

 

Can you give me a hint? Reason behind is, LDAP here should only be offered for port 636 (LDAPS) in future.

 

Best regards,

Oliver
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello Oliver,

Our implementation uses the same Microsoft functions as Microsoft itself to connect to Active Directory and it cannot be configured.

Best regards,

Martina

 
rajavelu
Member
0 Kudos
Hi martina.kirschenmann,

Thank you for the nice blog!

We have followed and enabled the SAP Single Sign-On: Authenticate with Kerberos/SPNEGO for SAP GUI, and it is working fine.

For third-party systems, for example ServiceNow, we want to connect to our SAP using X.509 SSL client certificates / single sign-on using SPNego in the SOAMANAGER web service WSDL-generated URL without ID and password.

Please let us know if the document below will help to enable this:
https://www.sap.com/documents/2015/07/b20f4c88-5b7c-0010-82c7-eda71af511fa.html

SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

Can we enable both Kerberos and X.509 client certificates for single sign-on in parallel?

Thanks.

 

Regards,

R Rajavelu
Martina_Kirschenmann
Product and Topic Expert
0 Kudos
Hello R Rajavelu,

Even if using X.509 certificates would probably be technically possible, it is not the recommended way. For browser-based applications we recommend using an identity provider, such as SAP's Identity Authentication Service (IAS) or another third-party identity provider.

Best regards,

Martina