
NW SSO 1.0 Multiple Domain support for Kerberos


We are trying to evaluate NW SSO using Kerberos (not using Kerberos method because we are trying to avoid the requirement of SLS and keep the architecture simple).

We have a forest with six domains, and each shares a transitive trust with the others via a root domain.

The problem we see is that when we set up Kerberos, we need to maintain an SNC entry for each user.

The AD user representing our SAP system itself is registered in one of the six domains. However, the users of the SAP system could be from any domain.

This makes it not possible to automate the SNC entry creation in SU01.

E.g.:

My SAP system is registered with XX.ABC.NET.

And I have a user X in XX.ABC.NET and user Y in YY.ABC.NET.

I need to then create the SNC entry for X in SU01 as X@XX.ABC.NET while the SNC entry for Y in SU01 as Y@YY.ABC.NET for the configuration to work.

(It works!)

The problem is it's a no-go solution because there is no automated way for me to maintain the SNC entries. It would have been possible to schedule a job to create SNC entries for all users in the same but not selectively find out which domain each user is from and then appropriately create the SNC entry.

Any pointers? If this does not work with Kerberos, then is the certificate-based approach the only way?


1 Answer

  • Former Member
    Mar 19, 2015 at 02:42 PM

    Hey Chandrakanth -- saw your other post as well. Wondering why you moved away from Kerberos. Could you elaborate on the SLS requirements/architecture complexity that led to this?

