7/31/2019 595341-ProblemSSO_SNCSummary

http://slidepdf.com/reader/full/595341-problemssosncsummary 1/2

Summary

Symptom 

Issues and Problems with Secure Single Sign-On, Kerberos and SNC

Other terms 

Windows, SNC, SSO, SAPSSO.msi

Solution 

This is the English Version.This note deals with special features and problems related with Single Sign-On with Microsoft Lan Manager SSPor Kerberos SSP.

I General Information 

For the installation of Secure Single Sign-On or Kerberos Single Sign-On, use the SAPSSO.msi file which is

located in the zip-file attached to this note.To download the Kerberos 5 DLL and GSSNTLM.DLL files, refer to SAP Note 352295.

II Use of sapcpe + SNC active: Editing sapcpeft 

If sapcpe is used and SNC (Secure Network Communication) is active for your SAP Instance: Add the following line in directory: \usr\sap\SAPSID\sys\exe\run\sapcpeft:sapcrypto.dll | loc_cpy_if_existsMake sure that 'sapcrypto.dll' is contained in the following directory: \usr\sap\SAPSID\sys\exe\run\sapcpeft.

III Errors in documentation 

In some Windows installation guides the user '<sapsid>adm' instead of 'SAPService<SAPSID>' is used in theconfiguration parameters for Secure Single Sign-On and Kerberos (Windows 2000). This error occurred in the

installation guides for installing the SAP systems 3.1I, 3.1I SR1, 4.0B, 4.0B SR1, 4.5B, 4.6C, 4.6C SR1, 4.6C SR2,4.6D, 4.6D SR1, WEB AS 6.10 on Windows.Please correct the following when installing and configuring Secure Single Sign-On or Kerberos (Windows 2000).

1. Secure Single Sign-On 

• Chapter: "Preparing the Application Server for Single Sign-On":

o Replace "snc/identity/as =p:<Domain_Name>\sapsid<adm> (<DOMAIN_NAME> is the NT

domain that the user <sapsid>adm belongs to)" with the following:

"snc/identity/as =p:<Domain_Name>\SAPService<SAPSID> (<DOMAIN_NAME> is the NT domainthat the user SAPService<SAPSID> belongs to)".

• Chapter: "Preparing SAPGui and SAP Logon for Single Sign-On"

o Under "Procedure"-> Point 4.(or 3.) after "In the SNC name field enter:", replace:

"p:< DOMAIN_NAME>\<sapsid>adm(<DOMAIN_NAME> is the NT domain the user <sapsid>admbelongs to)" with:

"p:< DOMAIN_NAME>\<SAPService<SAPSID>(<DOMAIN_NAME> is the NT domain that the user SAPService<SAPSID> belongs to)".

7/31/2019 595341-ProblemSSO_SNCSummary

http://slidepdf.com/reader/full/595341-problemssosncsummary 2/2

Note that in the installation guides for the SAP systems 3.1I and 4.0B you find these passages in chapter "Completing and Checking the SAP Software Installation", section "Secure Single Sign-On" 2. The Configurationof Kerberos Single Sign-On (Windows 2000 only) 

• Chapter "Preparing the Central Instance"

o Under 2., where it says: "In the instance profile of the central instance, set the SAP

parameters", replace

"snc/identity/as =p:<sapsid>adm@<DOMAIN_NAME> (Where <DOMAIN_NAME> is the Windows2000 domain that the user <sapsid>adm belongs to)" with

"snc/identity/as = p:SAPService<SAPSID>@<DOMAIN_NAME>

(Where <DOMAIN_NAME> is the Windows 2000 domain that the user SAPService<SIDADM>belongs to)"

o Replace the text in the note with the following:

"The <DOMAIN_NAME> and the user SAPService<SAPSID> are case-sensitive. Make sure that you

enter upper and lowercase correctly, for example: p:SAPServiceC11@NT5.SAP-AG.DE "

• Chapter: "Activating Single Sign-On for the SAP Logon"

o Under 3., after: "In the SNC name field enter:", replace:

"p:< sapsid>adm@<DOMAIN_NAME" with

"p:SAPService<SAPSID>@<DOMAIN_NAME>"

o Replace the text of the note with the following: "The administrator of the system C11, belonging

to the domain NT5.SAP-AG.DE, would enter: P:SAPServiceC11@ NT5.SAP-AG.DE".