I want to configure SNC for SAP ECC 6.0 and therefore have a few questions.
The Plan:
SAP SERVER & ACTIVE DIRECTORY CONFIGURATION (AD ON WINDOWS 2008 R2, SAP ON WINDOWS 2008 STANDARD)
1. Create user on Active Directory which works as Server Principal, eg: sncadm
2. Set "Password never expires" and "Do not require Kerberos preauthentication".
3. SET Service SPN on SAP Server, eg: setspn -A SAPService/serverSAP AD_domain\sncadm
4. Export Keytab from microsoft ADS, eg:
ktpass -princ SAPService/serverSAP@AD_domain -mapuser serverSAP\sncadm -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop +desonly set -pass passw0rd -out n4s.keytab
SAP SYSTEM CONFIGURATION (ECC 6.0 ABAP, WINDOWS 2008 x64)
snc/gssapi_lib - /usr/lib64/snckrb5.so
snc/identity/as - p/krb5:SAPService/serverSAP@AD_domain
snc/enable - 1
snc/accept_insecure_cpic - 1
snc/accept_insecure_rfc - 1
snc/accept_insecure_gui - 1
snc/accept_insecure_r3int_rfc - 1
snc/data_protection/min - 1
snc/data_protection/max - 3
snc/data_protection/use - 3
snc/permit_insecure_start - 1
WINDOWS CLIENT (WINDOWS 7 and WINDOWS XP)
1. Install DLL: SAPSSO.MSI
2. Configure SAP Logon
Is it a good idea? I have many questions:
1. On Windows 2008 R2 (AD server) DES encryption is disabled; will RC4-HMAC-NT work?
2. Should anything else be set in the user account options?
3. Is the service SPN configured on the SAP server, not on the Active Directory server?
4. The KTPASS script has "+desonly"; should I leave it or set something else for RC4-HMAC-NT encryption?
5. The ABAP stack is limited to 12 characters in the username; what happens if the AD account name has more than 12?
6. Where exactly should the key from ktpass be copied?
BR,
T.
Edited by: tomsie on Jun 1, 2011 8:57 AM