Skip to Content

SAP Single Sign On - Kerberos And X.509

We are trying to implement SAP Single Sign On and SNC Client Encryption as follows:

A limited number of users will use Single Sign On with an Entrust token.

All other users will use passwords, but with SNC client Encryption.

We have successfully implemented both features, but are running into the following problem.

For the users who will use SNC client encryption only, we set the SAP Logon Entry SNC name as p:CN=SAPServiceXXX.

However, when the backend system also has the X.509 configuration enabled, the SNC name in the SAP logon gets automatically updated to the corresponding X.509 name and the SNC client encryption fails.

How can we prevent the automatic change of the SNC name ?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Mar 30, 2017 at 01:13 PM

    Hi Avinash,

    you must use one SNC Name snc/identityas for both scenarios. The SNC Name in the sap logon is distributed by message server reading this parameter. just create a x.509 snc certificate from strust while keeping the name for snc client encryption. Or wait one month and use SNC Client Encryption 2.0 which is much simpler to implement and no longer only kerberos but also x.509 certificate based.



    Add comment
    10|10000 characters needed characters exceeded