Thanks to everyone for the great support, help and assistance!

Calin Barbat c.barbat at
Thu Sep 9 10:17:28 EDT 2004

Draft Notes for the configuration of single sign-on (SSO) from Windows 
clients to a SAP Linux server using SNC with the MIT Kerberos V

As the title implies, these instructions are not yet polished. If you 
have suggestions for improvement, feel free to contact me. The discussions
with the following people out there on the internet were of great help 
to me while struggling with the caveats of AD, Kerberos and SNC, as I was
familiar with none of them before doing this task:

The kerberos at mailing list - was the right place to post my
request for kerberos related help.
Martin Rex of SAP (designer and maintainer of SNC) provided me with
insight into the history of SNC-Kerberos interoperability and suggested
the use of the SNC Adapter.
Cevat Gürsoy improved the settings for the snc/protection/* parameters.
Norbert Klasen made a remark that helped me make the essential
break-through. He suggested playing around with the sample
gss-server/-client apps from the Kerberos distribution, so that I was
able to figure out what was still missing from my setup.

Various colleagues of mine here at work were of great help. I thank them 
all. One of them brought the problem to my attention and set the Linux box,
Oracle db and the SAP Web Application Server up and running; the 
sysadmins provided me with all things I needed from the AD, 
certificates, keytabs,
etc. Others helped me when - small, but nevertheless annoying - things 
wouldn't turn up as expected by me. I am also greatly indebted to a SAP R/3
BW consultant for R/3 specific help and discussions. One colleague was 
always good at cheering me up - he has some sticker around saying
"It's never too late to have a happy childhood" and other nice gadgets.

Remarks on the usage of these notes: all errors are mine.
The TODO??? markers show that I did the described things, but I'm not sure
if they are really needed for having things working.
All names enclosed in <> have to be replaced according to your setup.
Before doing anything read these instructions twice or more times, as
needed, to ensure you understand what you have to do.
It helps to do a search and replace with your <domain>, etc.

Date: 2004.09.09

Configuration of the Windows 2000 Server Active Directory Domain Controller

   TODO???: Create computer account for <fqdn>, Export the keytab.

   1. Create service user account <sap_service> on the 
<domain_controller> in the AD <domain> with password <sap_service-pass>.

   2. Export the keytab for this account:

      ktpass -princ <sap_service>/<fqdn>@<DOMAIN> -mapuser <sap_service> -pass <sap_service-pass> -out <sap_service>.keytab

Configuration of the Linux/Oracle/SAP Web Application Server <fqdn>

   I assume that you already installed Linux, Oracle and SAP on the 
machine and I will only describe the Kerberos and the SNC Adapter part.

   Configuration of Kerberos

   1. Download krb5-1.3.4.tgz from
      (Read security advisories for the known vulnerabilities, newer 
releases than 1.3.4 may also work.)

   2. Untar it:

      tar xvzf krb5-1.3.4.tgz

   3. Compile the MIT Kerberos V package (it is important to compile it 
as a shared library):

      cd krb5-1.3.4/src
      ./configure --enable-shared

      and as root do:

      make install

   4. Edit /etc/krb5.conf (<DOMAIN> is the Kerberos realm, i.e. the AD
domain name in upper case; the domain_realm section maps host names
onto that realm):

       [libdefaults]
            default_realm = <DOMAIN>

       [realms]
            <DOMAIN> = {
                 kdc = <domain_controller>.<domain>:88
                 admin_server = <domain_controller>.<domain>:749
                 default_domain = <domain>
            }

       [domain_realm]
            <domain1>.<domain> = <DOMAIN>
            .<domain1>.<domain> = <DOMAIN>
            <domain> = <DOMAIN>
            .<domain> = <DOMAIN>

   5. Transfer the generated <sap_service>.keytab (see 2. of Win2k AD 
Configuration above) securely to the Linux box.

   6. As root import <sap_service>.keytab (read the existing keytab,
add the new one, write the merged result back):

      ktutil: rkt /etc/krb5.keytab
      ktutil: rkt <sap_service>.keytab
      ktutil: wkt /etc/krb5.keytab
      ktutil: l   (shows a list of Kerberos principals)
      ktutil: q
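To check that the merged /etc/krb5.keytab really carries the <sap_service>/<fqdn>@<DOMAIN> entry with the expected key version, without ktutil at hand, here is a small parser for the MIT keytab file format plus the merge the ktutil rkt/rkt/wkt sequence performs. This is an added example, not code from the post; the principal, host and realm names in it (sapserv, sapsrv.example.com, EXAMPLE.COM) and the keys are constructed sample data.

```python
import struct

MAGIC = b"\x05\x02"   # MIT keytab file format version 2, all integers big-endian

def _cstr(b: bytes) -> bytes:          # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(principal: str, realm: str, enctype: int, key: bytes, kvno: int) -> bytes:
    # One-entry keytab in the layout 'ktpass -out' writes; used here only to construct test data.
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _cstr(key)     # keyblock
    body += struct.pack(">I", kvno)                     # 32-bit kvno extension
    return MAGIC + struct.pack(">i", len(body)) + body

def merge_keytabs(*keytabs: bytes) -> bytes:
    # What 'ktutil: rkt a / rkt b / wkt out' produces: the entry records of all files in one keytab.
    if any(k[:2] != MAGIC for k in keytabs):
        raise ValueError("not a version-2 keytab")
    return MAGIC + b"".join(k[2:] for k in keytabs)

def parse_keytab(blob: bytes) -> list:
    """List the live entries as {'principal', 'enctype', 'kvno'}, like 'ktutil: l' or 'klist -kt'."""
    if blob[:2] != MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        size, pos = struct.unpack_from(">i", blob, pos)[0], pos + 4
        if size < 0:                                    # negative size marks a deleted slot: skip it
            pos -= size
            continue
        ent, pos, off = blob[pos:pos + size], pos + size, 0
        def cstr():                                     # read one counted_octet_string from ent
            nonlocal off
            n = struct.unpack_from(">H", ent, off)[0]
            off += 2 + n
            return ent[off - n:off].decode()
        ncomp, off = struct.unpack_from(">H", ent, off)[0], off + 2
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", ent, off)
        enctype, klen = struct.unpack_from(">HH", ent, off + 9)
        off += 13 + klen                                # past name_type, timestamp, vno8 and the keyblock
        kvno = struct.unpack_from(">I", ent, off)[0] if size - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno})
    return entries

# Constructed sample: the box's existing host keytab plus the ktpass output for the SAP service account.
HOST_KEYTAB = build_keytab("host/sapsrv.example.com", "EXAMPLE.COM", 3, b"\x01" * 8, 1)      # 3 = des-cbc-md5
SAP_KEYTAB = build_keytab("sapserv/sapsrv.example.com", "EXAMPLE.COM", 23, b"\x02" * 16, 2)  # 23 = rc4-hmac
MERGED = merge_keytabs(HOST_KEYTAB, SAP_KEYTAB)
```

If the kvno listed for the service principal no longer matches what the KDC issues (for instance after the <sap_service> password was reset), the server cannot decrypt client tickets; re-run ktpass and re-import the keytab in that case.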

   Configuration of the external SAP SNC Adapter

   1. Download from

   2. Unzip it:


   3. Create a sncadapt/build.Linux with the following content (VENLIB
must name the GSS-API v2 shared library, i.e. the one produced by the
--enable-shared Kerberos build above; the script refuses to run until
it is set):

      CFLAGS="-g -DXDEBUG=1"
      RM="rm -f"
      LDFLAGS="-ldl -lnsl -lpthread -lc"
      LDTARGET='-o $@'
      LINK_SHARED='$(CC) -shared -Wl,-export-dynamic -Wl,-soname,$@'
      if [ "$VENLIB" = "" ] ; then
          echo "***"
          echo "*** Please edit $0 and define VENLIB to link your"
          echo "*** GSS-API v2 shared library"
          echo "***"
          exit 1
      fi

   5. Change "XNAME = sncntlm" to "XNAME = snckrb5" in sncadapt/Makefile.

   TODO???: comment out the function "sapgss_inquire_mechs_for_name" in 

   6. Compile it:

      cd sncadapt

   7. Copy the resulting file to /usr/local/lib:

      cp /usr/local/lib  

   Configuration of the SAP Server (as user <SID>adm = <sap_service> for 
   1. Set LD_LIBRARY_PATH to contain /usr/local/lib.

   2. Logon to the server as usual.

   3. Use transaction RZ10 (Edit Profiles), in "Profile" choose the 
"Instance profile".
      For "Edit Profile" click on "Extended Maintenance" then click the 
button "Change".
      Set "snc/gssapi_lib" to the value "/usr/local/lib/".

   4. Edit now the "Default profile" using RZ10 and set the following
values:

      snc/enable            1
      snc/identity/as       p:<sap_service>@<fqdn>
      snc/protection/min    1
      snc/protection/max    3
      snc/protection/use    9

      TODO???: more of them needed

      While testing and debugging it is recommended that you use

      snc/*_insecure_*    1

   5. Use now transaction STRUST to go into the SNC PSE folder there and 
export certificate. Send this to your AD admin to request
      a certificate to insert into "Import Certificate Response".
      You may have to assign a password here, to use when changing these 

   6. Use transaction SU01 to assign SNC identities to a SAP user. After 
choosing the SAP user, you will see that the SNC tab has been activated.
      Click on it and for the Windows <user> in the AD <domain> type 
into the "SNC Name" the principal "p:<user>@<DOMAIN>"

   7. Start the server:

      kinit <sap_service>/<fqdn>

      Enter <sap_service-pass> when asked for a password. Then:

      startsap r3

Configuration of a Windows client to use SSO with the Linux SAP Server

   1. Copy gsskrb5.dll to %systemroot%\SYSTEM32\SNCGSS32.DLL, as this is
the default location where SAP Logon will look for it:

      copy gsskrb5.dll %systemroot%\SYSTEM32\SNCGSS32.DLL

      Alternatively, you can also set the global environment variable
      SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

   2. Choose from SAP Logon the entry for the machine running the
Linux SAP Server. Click on "Properties", then "More..." and activate the
"Secure-Network-Communication" checkbox.

   3. In the "SNC-Name" field, type "p:<sap_service>/<fqdn>@<DOMAIN>".

   4. Finally, choose the "Max. available" radio-button.

   If you want to use the command line (cmd.exe):

   2'. If SNCGSS32.DLL isn't in the default location (see 1.):

      set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

      The environment variable SNC_LIB is then only set locally in this 

   3'. Start the SAP Gui:

      C:\Program Files\SAP\FrontEnd\SAPgui\sapgui.exe /H/<fqdn>/S/3200 
