Skip to Content
avatar image
Former Member

Kerberos SSO Web based access

Hello All,

We have plan to configure SSO based on Kerberos authentication for our ERP system as Abap stack so we set related requirements.

The users are available to logon without password for SAP Gui but the user has problem when logon with web based access.(SICF services as webgui).

For SSO configuration web based access;

We have defined the Kerberos Service Principal as <serviceuser> @<FQDN> in the SPNEGO t-code but the user still get pop up to password credentials. We have no found error logs in ICM trace and Active directory logs.

Let me clear about below questions ;

  • For Kerberos SSO configuration, AS Java is necessary ?
  • Is there additional requirements for Internet Security Tools ?
  • Is there additional options for SAP Abap side ?
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    avatar image
    Former Member
    Nov 03, 2016 at 08:25 AM

    Hello All,

    The web application is opened without requiring the user to enter username and password after install new sapcrypto.dll version and updated parameter is spnego/construct_SNC_name=201.

    The Kerberos User Principal Name is converted into SNC name using spnego/construct_SNC_name parameter values. Sap Note :1819808

    http://help.sap.com/saphelp_nwsso20/helpdata/en/82/8897e673354486a72600e637941fe0/content.htm?frameset=/en/aa/8b1e80b82340c5b4cdb7e4aabe8d9a/frameset.htm¤t_toc=/en/ba/a0222bf5da4ed3a655eaef1e4a3b60/plain.htm&node_id=127
    Add comment
    10|10000 characters needed characters exceeded

  • Nov 06, 2016 at 01:46 PM

    Hello Inanc, Ulas,

    Did you check Single Sign-On with Kerberos wiki and videos?

    For Kerberos authentication you donot need NW Java Server and add-on Secure Login Server.

    But Using Kerberos Authentication on SAP NetWeaver Application Server ABAP requires additional software licenses. as mentioned in the link.

    If you are paying for the license I advise you to use x.509 certificates and SAML.

    Regards,

    Yuksel AKCINAR

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 07, 2016 at 11:18 AM

    Hello Yuksel,

    After updated the parameter is spnego/construct_SNC_name and updated sapcrypto.dll, the Web Gui service is working.

    Add comment
    10|10000 characters needed characters exceeded