Auto Draft

How to Configure SAP Netweaver?


SAP NetWeaver Single Signal-On offers numerous potentialities to configure/implement an SAP SSO situation. For the time being (there are coming extra), there are the next eventualities obtainable


The parts of SAP NetWeaver Single Signal-On might be mixed relying on the enterprise case. This the way to information describes solely the way to configure the answer for SAP GUI for Home windows with a Kerberos integration. If you’re utilizing SAP GUI and Net primarily based purposes, it’s best to verify the model with the certificates (out-of-the-box -> no exterior PKI required) particularly for intranet use instances. Moreover SAML (third choice) offers Net single sign-On capabilities with out the necessity to deploy something on the consumer aspect.

If you’re to implement the second choice – please learn this weblog:

Detailed worklflow of the situation


Conditions and data

It is advisable obtain the product SAP NetWeaver Single Signal-On from SAP market (-> you want a sound license)

System title: TDI set up an D:

Operation system: Home windows (however the resolution works in fact additionally if the system is working on Linux/Unix -> see PAM)


1. Set up the Safe Login Library (ON THE SERVER)

Create the folder D:usrsapTDISLL

Change to folder D:usrsapTDIDVEBMGS00exe


Change to the folder D:usrsapTDISLL and confirm the Safe Login Library standing utilizing the command snc.exe.
Confirm if the PSE listing is outlined to D:usrsapTDIDVEBMGS00sec(current)



2.   2. Test for Microsoft Setting Variable SNC_LIB and for the Kerberos Entry in MS Lively Listing


Test if SNC_LIB is ready to C:Program Recordsdata (x86)SAPFrontEndSecureLoginlibsecgss.dll

If not, please add the entry (FOR SAP GUI for Home windows)


With the subsequent steps we check out the Kerberos Configuration in Microsoft Lively Listing. Name Begin -> Run. Enter adsiedit.msc to name the MS Assist-Device for Lively Listing. Press the OK button.

Open the tree Area -> DC=honest .. (change to your enviroment) and OU=SCI266 (change to your enviroment). Click on on CN=Kerberos TDI (change to your enviroment) with the best mouse button and choose Properties .

The worth of the attribute servicePrincipalName is ready to SAP/KerberosTDI. Shut the appliance with none financial savings.



three. Ceate and Configure the Safe Retailer Setting ( –> on the server

Just remember to are within the folder D:usrsapTDISLL.
Create the safety retailer ( with the next command:

snc crtpse –x 1234567890 (use right here a safe password as an alternative!!!)

Confirm if the safe safety retailer is out there utilizing the command snc.exe. You will note that PSE does now exist [… (existing)]


Just remember to are in  the folder D:usrsapTDISLL.Create Kerberos KeyTab with the next command:

snc crtkeytab –s SAP/ -p abcd1234 (-> use the right password in your enviroment).

Confirm if Kerberos KeyTab entries can be found utilizing the command snc.exe. The whole lot is okay if four entries for Kerberos KeyTab are listed