
How to enable SNC in SAP NetWeaver AS ABAP?

Former Member
0 Kudos

How to enable SNC in SAP NetWeaver AS ABAP? We are facing an issue after setting "snc/enable = 1" in the instance profile. After setting this value, we are not able to start the NetWeaver server, as it is showing an SNC initialization error.

Please help in addressing the issue.

Former Member
0 Kudos

I am able to enable SNC; however, while integrating SAP NetWeaver with IBM Identity Manager, I am getting the below error in the IBM TDI logs:

2016-10-25 22:35:16,896 ERROR [log4j.logger.com.ibm.di.admin] - CTGDIK220E Communication error with SAP R/3. The message is: 'Initialization of repository destination SAP_001_sapuser1_192.168.87.155_00_EN_null failed: CPIC-CALL: CMRCV on convId: 62243160

LOCATION CPIC (TCP/IP) with Unicode

ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2210210:Verification of own certificate by server faile target="p:CN=SNC, OU=DTAG, O=DTAG, C=IN"

TIME Tue Oct 25 22:35:16 2016

RELEASE 721

COMPONENT SNC (Secure Network Communication)

VERSION 6

RC -4

MODULE sncxxall_mt.c

LINE 3604

DETAIL SncPEstablishContext

SYSTEM CALL gss_init_sec_context

COUNTER 4

Please help...

Accepted Solutions (0)

Answers (2)

Matt_Fraser
Active Contributor

Hi Tinu,

There's quite a bit more required than just enabling this profile parameter. The reason your system won't start afterwards is that you have to have a working Kerberos keytab setup first, and for that you also need some configuration in a Kerberos Domain Controller (KDC). For most of us working in Microsoft Active Directory domains, the AD domain controllers are the KDC.

The steps are outlined quite clearly in the PDF guide attached to Note 2185235: https://launchpad.support.sap.com/#/notes/0002185235.

Yuksel Akcinar also wrote a blog about this at https://blogs.sap.com/2016/01/28/is-your-sap-gui-connection-encrypted-can-someone-eavesdrop-your-dat....

Here are my notes from setting this up in my environment:

  • Create or modify a service account in AD (it's ok to use your SAP system's service account, e.g. "SAPServiceSID", although some might argue you should keep this separate). The account needs to support Kerberos AES 128/256 bit encryption, and you need to set an SPN (Service Principal Name) = "SAP/SAPServiceSID". Double check, using ADSI Edit, that the SamAccountName and the UPN exactly match the SPN, case-sensitive (except for the "SAP/" prefix). Any mismatches in case will cause a failure.
  • Create an environment variable on your server: SECUDIR = "E:\usr\sap\SID\DVEBMGS00\sec" (substitute correct drive and path for your server).
  • In a DOS prompt (for a Windows server), create your keytab: "sapgenpse keytab -p SAPSNCSKERB.pse -x <password you create for PSE file> -X <password for SAPServiceSID user> -a SAPServiceSID@DOMAIN.COM" (obviously substitute your Active Directory domain here; also, it's important to capitalize the domain just like I did in the example).
  • In the same DOS prompt: "sapgenpse seclogin -p SAPSNCSKERB.pse -x <PSE password> -O SAPServiceSID"
  • Set up the profile parameters as defined in the guide, including "snc/enable = 1". An important one to get right, case-sensitive, is "snc/identity_as = p:CN=SAPServiceSID@DOMAIN.COM"
  • Restart the instance. If it still doesn't start, you'll find clues in the work process traces. Almost certainly it's a problem with the keytab, however, and the problems usually stem from incorrect passwords or case mismatches.
  • If you've got the server correctly restarting, the next step is to configure the clients:
      • Install SNC Client Encryption on the SAPGUI clients (distribute with a SAPGUI Installation Server).
      • In saplogon, configure the connection entry:
          • Activate Secure Network Communication
          • SNC Name = p:CN=SAP/SAPServiceSID@DOMAIN.COM
          • Use maximum security settings available
          • Check "SNC logon with user/password (no Single Sign-On)" (because SSO requires a different product with additional licensing)
      • Connect! If you're able to connect and see the lock icon in the lower right corner of SAPGUI, then it's all working.

Cheers,
Matt
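
Added example (not part of the original answer, and not SAP's own tooling): a pre-restart check for the case mismatches the notes above warn about, comparing the instance profile's SNC parameters against the service account's AD attributes. The sample profile and account values are constructed, and the comparison rule (ignore a leading "SAP/" and anything after "@") is an assumption based on the values shown in the notes.

```python
import re

# Constructed sample inputs (not from a real system): an instance profile
# excerpt and the service account's AD attributes as read in ADSI Edit.
SAMPLE_PROFILE = """\
# SNC settings
snc/enable = 1
snc/identity_as = p:CN=SAPServiceSID@domain.com
"""
SAMPLE_ACCOUNT = {
    "sAMAccountName": "SAPServiceSID",
    "userPrincipalName": "sapservicesid@DOMAIN.COM",
    "servicePrincipalName": "SAP/SAPServiceSID",
}

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # value itself contains '=' (p:CN=...)
            params[name.strip()] = value.strip()
    return params

def account_part(name):
    """Strip an optional 'SAP/' prefix and '@REALM' suffix (assumed rule)."""
    return re.sub(r"^SAP/", "", name).split("@", 1)[0]

def check_snc(profile_text, account):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    params = parse_profile(profile_text)
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1")
    match = re.fullmatch(r"p:CN=([^@]+)@(.+)", params.get("snc/identity_as", ""))
    if not match:
        findings.append("snc/identity_as is not p:CN=<account>@<DOMAIN>")
        return findings
    user, realm = match.groups()
    if realm != realm.upper():
        findings.append(f"domain '{realm}' in snc/identity_as is not capitalized")
    for attr in ("sAMAccountName", "userPrincipalName", "servicePrincipalName"):
        value = account_part(account.get(attr, ""))
        if value != user:  # exact, case-sensitive comparison
            kind = "case mismatch" if value.lower() == user.lower() else "mismatch"
            findings.append(f"{attr}: {kind} ('{value}' vs '{user}')")
    return findings
```

Running `check_snc(SAMPLE_PROFILE, SAMPLE_ACCOUNT)` on the constructed sample reports the lower-case domain and the lower-case UPN; an empty list means the profile and account agree.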

Former Member
0 Kudos

Hi Matt,

Thanks for the reply. However, I am doing this integration with IBM Identity Manager. I am able to enable SNC. However, communication is resulting in an error at the ISIM end.

It is updated in the post.

Please help, if you have any idea about this.

Thank you

Tinu