Former Member

Single Sign-On with Microsoft NT LAN Manager SSP: NTLM v1 or NTLM v2?

Hello,

After reading lots of documentation and SAP notes, I am not able to find this simple information:

Which release of the NTLM protocol does Single Sign-On for sapgui with Microsoft NTLM use: v1 or v2?

We successfully use NTLM for sapgui direct access with GSSNTLM.DLL and GX64NTLM.DLL for 1500+ users.

Our current domain controllers are running Windows 2003 and will soon be upgraded to Windows 2008R2. As part of this migration, the domain admins told us that NTLM v1 will be deactivated because it is considered obsolete and not secure enough.

So, if GSSNTLM.DLL is not able to use NTLM v2, we are in trouble!

Thanks,

Olivier


3 Answers

  • Former Member
    Jul 26, 2011 at 05:30 PM

    I have only heard of network domain admins considering NTLM to be generally not secure and have seen policies which prohibit new implementations based on it.

    I am not aware of any SAP specific documentation updates related to it either (90% of documentation I have observed is now SAML related).

    Is this for your portal?

    Cheers,

    Julius


  • Jul 26, 2011 at 05:41 PM

    Hi,

    Before you migrate your domain controllers to 2008 R2 I suggest you migrate to using the Kerberos SNC library instead of the NTLM SNC library. This will be a more future-proof protocol for SNC authentication, and is used as the default authentication method in both 2003 and 2008 R2 domains.

    Julius - The libraries which are being used are SNC libraries, so not used with Portal. SAML is not applicable to SNC authentication.

    Tim


  • Former Member
    Jul 27, 2011 at 07:22 AM

    Hello Julius and Tim,

    Thanks for your answers.

    Yes, my question was about NTLM for sapgui.

    We also have a SAP Portal and use its SPNEGO/Kerberos IWA for SSO web access to ECC (BSP and ABAP Web Dynpro).

    Of course, I had thought about also using Kerberos for sapgui but it was not possible (forbidden because of internal politics) in the Windows domain of our ECC6 system. We had to install the SAP Portal in a new Windows domain to be allowed to use Kerberos.

    We have a hardware project (dump the Itanium servers for x64 servers) and we will reinstall ECC6 in the same domain as the SAP Portal and use Kerberos also for sapgui, but until then we will have the domain controllers upgrade in the current domain and I'm trying to understand in advance if our sapgui SSO will suddenly stop working.

    We are also redoing our new sapgui (7.20) teledistribution packet and I have asked that they include the gsskrb5.dll.

    By the way, do you know if this gsskrb5.dll has the same limitation (DES only) as the previous SAP Java Kerberos implementation?

    Regards,

    Olivier


    • Olivier,

      Thanks for explaining.

      In case it is of interest, our product does not require the Windows server to be joined to any domain - it can be a standalone server if needed. This sometimes helps avoid politics. We also support IWA, not just SNC, so you can install our product with fewer political barriers.

      I hope you are able to find a way forward. If you want to call me you can, or (if appropriate) please continue to use this forum to discuss options.

      Thanks,

      Tim