Skip to Content
avatar image
Former Member

SAP GUI SSO in multiple domain with no trust


We are trying to set up SAP GUI SSO & Portal SPNego in our environment which has following setup:

1) SAP systems are on Windows 2008 server.

2)Active Directory users are in domain ABC.

3) SAP system are in different domain DEF.

4) There is NO trust between the two domain.

5) Currently login is happening through userid/password.

We tried to configure SNC using NTLM however it didnt worked as there is no trust between the two domains(which is a prerequsite of this configuration). However, in SU01 transaction the AD User id has been identified as Canonical name (showing green).

Now, we are thinking on going with Kerberos SNC confgiuration however, I read that this configuration also needs trust between two domains (Not sure about this).

Other option I know with Kerberos configuration is to setspn the service userid of SAP server domain in AD domain (or may be viceversa OR both). Please confirm.

Can you please let us know the path to follow for this kind of scenario for SSO setup for SAP GUI and also for Portal SSO using SPNego configuration.

Also let us know if there are other options available for SAP GUI & Portal SSO in scenario of multiple domain with no trust.

Another question I have regarding Portal 7.02 sp11 SPNego configuration. New SPNego configuration guide do not talk about any LDAP configuration or data source change. Are these steps now not required?


Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • avatar image
    Former Member
    Feb 08, 2013 at 07:55 PM

    If you want the SAP application servers to authenticate users in the user domain, you will have to setup a domain trust. You can setup a one-way trust (SAP domain trusts the user domain). See Microsoft's AD documentation for details.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hmm... it has been many years since I last implemented NTLM based SNC SSO but unless I'm mistaken, a one-way trust is sufficient. Notice which way it has to be, as I wrote you make the SAP domain trust the user domain. At least Microsoft AD documentation confirms my understanding: "Authentication requests can only be passed from the trusting domain to the trusted domain".

  • Feb 10, 2013 at 07:59 AM


    There has to be a trust, unless you are sending a password in which case the SAP application uses the password to trust/know who the user is.

    If you are using NTLM or Kerberos then the domain that issued the token/ticket must be trusted by the domain that the SAP application resides. If not, then anybody could authenticate in their local domain, and get issued with a ticket, then send it to the SAP system and effectively say "I'm Dipu, let me in without a password". Hopefully you can understand that the SAP system needs to trust that the user is who they say they are, and this requires something unique to the user (like a password) or requires a trust to know that the ticket the user is sending is issued by a known domain.

    So, it is easy to solve your problem. You need to:

    1. Setup one-way trust so that domain DEF trusts domain ABC

    2. Use an SNC library which implements Kerberos so you get SSO for SAP GUI users.

    3. Use SPNEGO on Java stack for Web login



    Add comment
    10|10000 characters needed characters exceeded