SAP Single Sign-on Configuration Using Kerberos Authentication from Microsoft

1) Prepare the SAP Server
   a. The server has to be part of the Active Directory domain.
   b. The server has to be started using the SAPService<SID> domain account, which has to have administrative rights on the SAP server.
   c. Copy the file gx64krb5.dll to the folder Windows\System32, or SysWOW64 if it is a 64-bit Windows version. You can get the file via SAP Note 352295.
   d. On the domain where the SAPService<SID> account resides, run the following Kerberos command (domain dependent):
      setspn -A SAPServiceECS/CGI.CORP.CHAMBERLAIN.COM CGI_NT\SAPServiceECS
   e. Enable SAPService<SID> for Kerberos delegation.
   f.
   g. Create the following parameters in the instance profile of the SAP server:
      snc/enable = 1
      snc/gssapi_lib = C:\Windows\SysWOW64\gx64krb5.dll
      snc/identity/as = p:SAPServiceECS@CGI.CORP.CHAMBERLAIN.COM (domain dependent)
      snc/accept_insecure_rfc = 1
      snc/accept_insecure_cpic = 1
      snc/permit_insecure_start = 1
      snc/accept_insecure_gui = 1
   h. Stop and restart the server.

2) Enabling Users to Log On Using SSO
   a. On the SAP system, edit the user by running SU01.
   b. Go to the SNC tab and fill out the parameter with the following:
      i. p:SAPService<SID>@CGI.CORP.CHAMBERLAIN.COM (domain dependent)

3) Configuring the SAP Front End
   a. Install SAPSSO.MSI on users' computers; see SAP Note 595341.
   b. Modify the SAP GUI connection to the server by adding the SNC security setting on the Network tab:
      i. p:SAPServiceECS@CGI.CORP.CHAMBERLAIN.COM
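
A check for the instance profile parameters from step 1 g, as an added example that is not part of the original procedure or any SAP tool: it parses profile text, verifies the required SNC parameters, and reports each fallback parameter still set to 1, which leaves unprotected (non-SNC) logons accepted after SSO is in place. The function names, the embedded sample profile and the upper-case realm pattern are assumptions made for this illustration.

```python
import re

# Constructed sample: the instance profile parameters listed in step 1 g.
SAMPLE_PROFILE = r"""
snc/enable = 1
snc/gssapi_lib = C:\Windows\SysWOW64\gx64krb5.dll
snc/identity/as = p:SAPServiceECS@CGI.CORP.CHAMBERLAIN.COM
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/accept_insecure_gui = 1
"""

REQUIRED = ("snc/enable", "snc/gssapi_lib", "snc/identity/as")
FALLBACKS = ("snc/accept_insecure_rfc", "snc/accept_insecure_cpic",
             "snc/permit_insecure_start", "snc/accept_insecure_gui")
# Assumed shape of a Kerberos SNC name: p:<account>@<UPPERCASE.REALM>
SNC_NAME = re.compile(r"^p:[^@\s]+@[A-Z0-9.-]+$")


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return a list of (severity, parameter, message) findings."""
    findings = []
    for name in REQUIRED:
        if name not in params:
            findings.append(("error", name, "parameter missing"))
    if params.get("snc/enable", "1") != "1":
        findings.append(("error", "snc/enable", "SNC is not enabled"))
    ident = params.get("snc/identity/as")
    if ident is not None and not SNC_NAME.match(ident):
        findings.append(("error", "snc/identity/as", "expected p:<account>@<REALM>"))
    for name in FALLBACKS:
        if params.get(name) == "1":
            findings.append(("warn", name, "unprotected (non-SNC) use still permitted"))
    return findings
```

Run against the profile exactly as configured above, `audit_snc(parse_profile(SAMPLE_PROFILE))` returns four warnings, one per fallback parameter, and no errors.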