Single Sign-On with local installation

marc_glaesser
Discoverer
0 Kudos

Hi there,

we are actually planning the roll-out of SAP SSO 3.0 for our SAP servers (Windows based + Active Directory / Kerberos).

The SAP servers are a local installation (not member of a domain). Is the membership of a domain a prerequisite or is it also sufficient if a domain user is available for the communication with the active directory?

Best regards!

Accepted Solutions (1)

Colt
Active Contributor

Hello Marc,

with SAP Single Sign-On 3.0 there is no need to consider a domain membership for an SAP server. The only link between the AD and SAP is the keytab file which is generated during the setup on the SAP system. Here you specify which domains you will trust. That can be one or many, in case you have no trusts between the domains/forests.

Nevertheless, the validation always takes place offline, so no communication between SAP and the AD domain controller is required in any case. Validation means decryption of the Service Ticket (ST) received from the KDC on the basis of the SPN registered on the AD service user account generated for the SAP server. STs are always encrypted by the KDC, and as both share the same symmetric key the decryption takes place.

Often SAP system operation has been outsourced and the SAP servers are integrated into the management domain of the organization hosting the SAP-Landscape. Even in such a case SAP users from different organizations can work with the same system, in the respective client, with Kerberos. Technically by having the PSE containing the keytabs, the SAP systems trust all domains, although there is no trust between the domains themselves. More input here

Cheers Colt
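The answer above hinges on the keytab: the SAP server validates tickets purely with the service key(s) it holds, so the practical check before go-live is whether that keytab actually contains a key for the SPN in every realm (domain) you intend to trust, with a key version (kvno) and encryption type that match the AD service account. The following is an added example, not code from the original post or from SAP: a stand-alone Python parser for the standard MIT keytab format (0x0502, the format written by ktpass.exe) plus a check routine that reports missing realms and weak RC4/DES keys. The SPN `SAP/sapsso-abc`, the realm names `CORP-A.EXAMPLE` etc., and the embedded sample keytab are all constructed for illustration; whether your SAP SSO installation keeps the keys in this file format or imports them into its PSE is an assumption you should verify against your setup.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757)
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK_ENCTYPES = {1, 3, 23}  # des-cbc-crc, des-cbc-md5, rc4-hmac


@dataclass
class KeytabEntry:
    principal: str   # e.g. "SAP/sapsso-abc" (components joined with "/")
    realm: str       # e.g. "CORP-A.EXAMPLE"
    name_type: int   # 1 = NT-PRINCIPAL
    timestamp: int
    kvno: int        # key version number, must match the AD account's msDS-KeyVersionNumber
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes):
    """Parse an MIT-format keytab (version 0x0502) into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise entries into keytab format; used here only to construct the sample file."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e.principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(e.realm)) + e.realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, required):
    """required: list of (principal, realm) pairs the SAP system must be able to decrypt tickets for."""
    entries = parse_keytab(data)
    have = {(e.principal, e.realm) for e in entries}
    return {
        "entries": len(entries),
        "missing": [r for r in required if r not in have],
        "weak": [f"{e.principal}@{e.realm} ({ENCTYPES.get(e.enctype, e.enctype)})"
                 for e in entries if e.enctype in WEAK_ENCTYPES],
        "kvno": {f"{e.principal}@{e.realm}": e.kvno for e in entries},
    }


# Constructed sample: one AES256 key for realm A, one legacy RC4 key for realm B, nothing for realm C.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("SAP/sapsso-abc", "CORP-A.EXAMPLE", 1, 1700000000, 3, 18, bytes(32)),
    KeytabEntry("SAP/sapsso-abc", "CORP-B.EXAMPLE", 1, 1700000000, 2, 23, bytes(16)),
])
TRUSTED_REALMS = [("SAP/sapsso-abc", r) for r in ("CORP-A.EXAMPLE", "CORP-B.EXAMPLE", "CORP-C.EXAMPLE")]

if __name__ == "__main__":
    report = check_keytab(SAMPLE_KEYTAB, TRUSTED_REALMS)
    print(report)
```

Run it against a real file with `check_keytab(open("sap.keytab", "rb").read(), TRUSTED_REALMS)`. A realm listed under `missing` means users from that domain will fail SSO even though no trust between domains is needed; an entry under `weak` should be regenerated with AES; and if a `kvno` value differs from the service account's msDS-KeyVersionNumber in AD (typically after a password reset or a repeated ktpass run), the server will be unable to decrypt freshly issued tickets even though the keytab looks complete.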

Answers (3)

marc_glaesser
Discoverer
0 Kudos

Hi Carsten!

Thank you so much for your response. That's great news for us as we want to avoid extra costs for transferring the local SAP installation in a domain installation.

As far as I understood - after reading your referred blog - there is no direct communication between the SAP system and a domain controller. Only the client itself sends domain requests and the SAP system has to have the correct keytab. So this scenario is just perfect and I think we can go ahead with the planned SSO rollout 🙂

Thanks for your explanation and best regards!

marc_glaesser
Discoverer
0 Kudos

Hi Imran,

thanks for the link. Unfortunately I could not find a hint if a domain membership of the SAP server is necessary.

So if there is anyone out there who already successfully connected a Non-Domain SAP server, that would be very helpful. The transformation of a local installation to a domain installation is not that easy and will result in additional costs which we want to avoid.

former_member256680
Participant
0 Kudos

Hi,

You can check this blog below. I don't think it is required to be in same domain.

https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

Best Regards

Imran