Skip to Content
avatar image
Former Member

Steps required to change password of SPN account supporting NW SSO Client solution?

Hello Experts,

We are using SAP NetWeaver Single Sign-On to enable SAP GUI SSO. Our configuration uses Kerberos integration (SAP GUI for Window, Secure network communications - SNC).

I've been ask to change the password of the Kerberos service account as part of a yearly security task but it is not clear what all the steps that are needed to ensure Kerberos authentication is not interupted

Certainly I can change the pwd for the SPN account in Windows but I am not clear on what steps need to be taken on the SAP side to maintain the Kerberos authentication. From what I have read, a new keytab needs to be created but how exactly is this done? I also read there is a command line utility SAPGENPSE that is used to generate PSE file and Kerberos keytab when initially configuring the setup. Would this be used again to generate a new keytab file? Is there any other method that can be accessed from SAPGUI instead of a command line utility program?

Would very much appreciate your help to get a clear picture of the steps required to successfully update the SPN account password.


Stephen Brewer

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Oct 08, 2014 at 04:43 PM

    Hello Stephen

    You need to use SAPGENPSE to create the keytab file and PSE file again. We need to generate keytabl file everytime after changing anything with Service User.

    In addition,

    1. also add credentials to the credentials file (cred_v2) using command:

    ./sapgenpse seclogin -p <keytab File Name>.pse -O <sid>adm

    You need to entre password of Service User as PIN.

    2. Verify entries in credential file using command:

    ./sapgenpse seclogin –l

    The path ../<keytab File Name>.pse should be readable to “devadm” user.

    I hope this information will help you.



    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Thanks Tapan! To avoid any interuption to the Kerberos authentication, I am hoping to be able to first create the new keytab with new password before actually applying the new password to the SPN account in Active Directory. I do not have command line access so have to coordinate this with another team but will post results.

      Stephen Brewer