595341-problemsso_sncsummary
TRANSCRIPT
![Page 1: 595341-ProblemSSO_SNCSummary](https://reader036.vdocuments.pub/reader036/viewer/2022082601/577d1da61a28ab4e1e8ca8da/html5/thumbnails/1.jpg)
7/31/2019 595341-ProblemSSO_SNCSummary
http://slidepdf.com/reader/full/595341-problemssosncsummary 1/2
Summary
Symptom
Issues and Problems with Secure Single Sign-On, Kerberos and SNC
Other terms
Windows, SNC, SSO, SAPSSO.msi
Solution
This is the English Version.This note deals with special features and problems related with Single Sign-On with Microsoft Lan Manager SSPor Kerberos SSP.
I General Information
For the installation of Secure Single Sign-On or Kerberos Single Sign-On, use the SAPSSO.msi file which is
located in the zip-file attached to this note.To download the Kerberos 5 DLL and GSSNTLM.DLL files, refer to SAP Note 352295.
II Use of sapcpe + SNC active: Editing sapcpeft
If sapcpe is used and SNC (Secure Network Communication) is active for your SAP Instance: Add the following line in directory: \usr\sap\SAPSID\sys\exe\run\sapcpeft:sapcrypto.dll | loc_cpy_if_existsMake sure that 'sapcrypto.dll' is contained in the following directory: \usr\sap\SAPSID\sys\exe\run\sapcpeft.
III Errors in documentation
In some Windows installation guides the user '<sapsid>adm' instead of 'SAPService<SAPSID>' is used in theconfiguration parameters for Secure Single Sign-On and Kerberos (Windows 2000). This error occurred in the
installation guides for installing the SAP systems 3.1I, 3.1I SR1, 4.0B, 4.0B SR1, 4.5B, 4.6C, 4.6C SR1, 4.6C SR2,4.6D, 4.6D SR1, WEB AS 6.10 on Windows.Please correct the following when installing and configuring Secure Single Sign-On or Kerberos (Windows 2000).
1. Secure Single Sign-On
• Chapter: "Preparing the Application Server for Single Sign-On":
o Replace "snc/identity/as =p:<Domain_Name>\sapsid<adm> (<DOMAIN_NAME> is the NT
domain that the user <sapsid>adm belongs to)" with the following:
"snc/identity/as =p:<Domain_Name>\SAPService<SAPSID> (<DOMAIN_NAME> is the NT domainthat the user SAPService<SAPSID> belongs to)".
• Chapter: "Preparing SAPGui and SAP Logon for Single Sign-On"
o Under "Procedure"-> Point 4.(or 3.) after "In the SNC name field enter:", replace:
"p:< DOMAIN_NAME>\<sapsid>adm(<DOMAIN_NAME> is the NT domain the user <sapsid>admbelongs to)" with:
"p:< DOMAIN_NAME>\<SAPService<SAPSID>(<DOMAIN_NAME> is the NT domain that the user SAPService<SAPSID> belongs to)".
![Page 2: 595341-ProblemSSO_SNCSummary](https://reader036.vdocuments.pub/reader036/viewer/2022082601/577d1da61a28ab4e1e8ca8da/html5/thumbnails/2.jpg)
7/31/2019 595341-ProblemSSO_SNCSummary
http://slidepdf.com/reader/full/595341-problemssosncsummary 2/2
Note that in the installation guides for the SAP systems 3.1I and 4.0B you find these passages in chapter "Completing and Checking the SAP Software Installation", section "Secure Single Sign-On" 2. The Configurationof Kerberos Single Sign-On (Windows 2000 only)
• Chapter "Preparing the Central Instance"
o Under 2., where it says: "In the instance profile of the central instance, set the SAP
parameters", replace
"snc/identity/as =p:<sapsid>adm@<DOMAIN_NAME> (Where <DOMAIN_NAME> is the Windows2000 domain that the user <sapsid>adm belongs to)" with
"snc/identity/as = p:SAPService<SAPSID>@<DOMAIN_NAME>
(Where <DOMAIN_NAME> is the Windows 2000 domain that the user SAPService<SIDADM>belongs to)"
o Replace the text in the note with the following:
"The <DOMAIN_NAME> and the user SAPService<SAPSID> are case-sensitive. Make sure that you
enter upper and lowercase correctly, for example: p:[email protected] "
• Chapter: "Activating Single Sign-On for the SAP Logon"
o Under 3., after: "In the SNC name field enter:", replace:
"p:< sapsid>adm@<DOMAIN_NAME" with
"p:SAPService<SAPSID>@<DOMAIN_NAME>"
o Replace the text of the note with the following: "The administrator of the system C11, belonging
to the domain NT5.SAP-AG.DE, would enter: P:SAPServiceC11@ NT5.SAP-AG.DE".