Skip to Content
avatar image
Former Member

SAP Kerbaros SSO

Hi,

We have configured SAP Kerbaros SSO SNC configuration on our landscape with MS-ADS. It's working fine, and when we click on the system in the logonpad, it's automatically logging on to the default client. We have bunch of clients in the system, is there a way we can configure client specific SSO cofiguration, in that way from logon pad we create multiple entries for each client and logon automatically

Any idea?

Thanks,

Kris

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

5 Answers

  • Oct 08, 2010 at 06:21 PM

    Kris,

    You need to logon to the client (e.g. client 100) without SNC and then use su01 to change the entry in SNC tab for a user, then when that user logs on using SNC they will be able to logon to the user in client 100. If you want the same user to logon to client 200 you need to logon to client 200 then use su01 to change the SNC name of a user, then when that user logs on they will be able to login to client 200 etc.

    Thanks

    Tim

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 08, 2010 at 07:42 PM

    Hi Tim,

    We have CUA setup on all clients. We have assigned the SNC string on all clients. But I am not sure how logon to specific client from SAPlogon pad.

    Thanks,

    Kris

    Add comment
    10|10000 characters needed characters exceeded

    • if the SNC name of a user is stored in more than one client, when th user logs on they will be shown a screen asking them which client they want to logon to. The SAP logon pad does not need to be configured - all confiuration is done by setting the entry correctly in su01.

      Thanks

      Tim

  • avatar image
    Former Member
    Oct 08, 2010 at 08:56 PM

    Thanks Tim.

    We have two clients on the system 100, and 150. The default client is 100. We have copied the SNC string for the user in both clients. When we open the logon screen, it's directly logging on to the client 150, which is not default client.

    We are not sure what is wrong. Any idea?

    Thanks,

    Kris

    Add comment
    10|10000 characters needed characters exceeded

    • I suggest you check the instance profile parameters you have set which determine how SNC auth works. Can you show them here so I can check which one you have wrong ?

      Thanks,

      Tim

  • avatar image
    Former Member
    Oct 08, 2010 at 09:16 PM

    Hi Tim,

    Please check the following parameters, which we have used for SNC.

    snc/gssapi_lib = C:\windows\system32\gx64krb5.dll

    snc/identity/as = p:SAPServiceAEC@DOMAINNAME

    snc/enable = 1

    snc/accept_insecure_cpic = 1

    snc/accept_insecure_rfc = 1

    snc/accept_insecure_gui = 1

    snc/accept_insecure_r3int_rfc = 1

    snc/data_protection/min = 1

    snc/data_protection/max = 3

    snc/data_protection/use = 3

    snc/permit_insecure_start = 1

    Thanks,

    Kris

    Add comment
    10|10000 characters needed characters exceeded

    • Perhaps you can try adding:

      snc/force_login_screen = 0

      snc/extid_login_diag = 1

      I also suggest you logon using SAP GUI onto each client, run su01 and check that the SNC name of the user is the same in each client. It is possible that CUA has not populated hte SNC name correctly, so checking using su01 will confirm.

      Thanks

      Tim

  • avatar image
    Former Member
    Oct 13, 2010 at 03:13 PM

    Thanks Tim

    It's working now without above two profile parameters. Seems Idocs were not populated properly.

    Thanks,

    Kris

    Add comment
    10|10000 characters needed characters exceeded