
Secure Login Client Breaks NTLM Single Sign On - Catch 22

former_member197700
Participant
0 Kudos

We currently use NTLM single sign-on for SAP on Windows. As soon as Kerberos is enabled on an SAP system, it breaks SSO on all PCs that don't have SAP Secure Login. If we install SAP Secure Login on a PC, it breaks SSO for any systems for which SPNEGO/Kerberos isn't enabled yet.

It is not feasible for our company to roll out Kerberos and Secure Login Client as a "big bang" without testing. How can we transition so we do this in development first, then consolidation, then production?

Current Solution:

sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll

snc/gssapi_lib = $(DIR_EXECUTABLE)\gx64ntlm.dll

snc/identity/as = p:OURDOMAIN\SAPServiceSID

In SU01, on the SNC tab, we specify p:NEXEOSOLUTIONS\<User Id>

New solution:

snc/identity/as = p:CN=KerberosSID@OURDOMAIN.COM

spnego/enable = 1

spnego/krbspnego_lib = $(DIR_EXECUTABLE)\SLL\sapcrypto.dl

In SU01, on the SNC tab, we specify p:CN=<User Id>@OURDOMAIN.COM

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hello,

for the client side there is a migration guide available:

Then you can migrate the server side step by step. Of course you need a new SAPGUI on the clients for that, but you can roll this out with the new Secure Login Client and the SNC_LIB_2 environment variables.

Maybe this hint helps you for a smooth migration solution.

best regards

Alexander Gimbel
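
For tracking a staged server-side migration like the one discussed in this thread, the following is an added example, not code from either poster or from SAP. It parses instance profile text and reports whether each system still carries the NTLM parameter set or the Kerberos/SPNEGO one from the question, and flags profiles that mix both. The classification heuristic, the function names, the system IDs and the sample profile contents are assumptions constructed for illustration.

```python
import re

# Constructed sample profiles (not from a real system). Parameter names and
# value formats are the ones quoted in the question.
SAMPLE_PROFILES = {
    "DEV": "snc/identity/as = p:CN=KerberosSID@OURDOMAIN.COM\nspnego/enable = 1\n",
    "QAS": ("# half migrated: new identity, old GSS library\n"
            "snc/gssapi_lib = $(DIR_EXECUTABLE)\\gx64ntlm.dll\n"
            "snc/identity/as= p:CN=KerberosSID@OURDOMAIN.COM\n"),
    "PRD": ("snc/gssapi_lib = $(DIR_EXECUTABLE)\\gx64ntlm.dll\n"
            "snc/identity/as = p:OURDOMAIN\\SAPServiceSID\n"),
}

def parse_profile(text):
    """Return {parameter: value}; '#' comment lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' only: values contain '='
        if sep:
            params[key.strip()] = value.strip()
    return params

def snc_mode(params):
    """Heuristic (assumption): classify by the indicators shown in the post."""
    ident = params.get("snc/identity/as", "")
    lib = params.get("snc/gssapi_lib", "").lower()
    kerberos = params.get("spnego/enable") == "1" or ident.upper().startswith("P:CN=")
    ntlm = "ntlm" in lib or re.match(r"p:[^=\\]+\\", ident) is not None
    if kerberos and ntlm:
        return "mixed"  # indicators of both parameter sets in one profile
    return "kerberos" if kerberos else "ntlm" if ntlm else "unknown"

def su01_snc_name(user, mode, nt_domain, realm):
    """SNC name format for the SU01 SNC tab, as given in the post."""
    if mode == "kerberos":
        return f"p:CN={user}@{realm}"
    if mode == "ntlm":
        return f"p:{nt_domain}\\{user}"
    raise ValueError(f"no single SNC name format for mode {mode!r}")

def rollout_report(profiles):
    """Map each system ID to its detected SNC mode."""
    return {sid: snc_mode(parse_profile(text)) for sid, text in profiles.items()}

if __name__ == "__main__":
    for sid, mode in rollout_report(SAMPLE_PROFILES).items():
        print(f"{sid}: {mode}")
```
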