SAPGUI SSO with MS Kerberos SSP

tombo_larsen
Active Participant
0 Kudos

Hi

When implementing "SAPGUI for Windows" single sign-on using the MS Kerberos SSP (gx64krb5.dll), what are the prerequisites for the Windows domain / domain relationship - client and server-side?

- End-users exist in one Windows domain and the SAP server in another: Is trust between the domains a prerequisite?

... or is the only prerequisite that the end user must be a domain account (possess a Kerberos ticket), with no prerequisites for the SAP server side (trust, domain membership etc.)?

BR

Tom

Single Sign-On using the Microsoft Kerberos SSP with the Kerberos wrapper library is only available for user accounts that belong to the Active Directory, that is, domain accounts. It cannot be used with local computer accounts.

4 REPLIES

Former Member
0 Kudos

Hi,

- End-users exist in one Windows domain and the SAP server in another: Is trust between the domains a prerequisite?

It is the case for SPNEGO Kerberos, so I'm quite sure that the trust between domains will also be mandatory for SAPGUI Kerberos SSO. I don't see how it could work otherwise.

Regards,

Olivier

0 Kudos

Hi

Yes, using SPNEGO, "trust" is a prerequisite, but not necessary on the Active Directory level - i.e. we use Windows clients running against UNIX SAP J2EE/SPNEGO servers (not being part of an AD) and it works. Trust is established using a keytab.

But in the inst guide & online help for SAPGUI-SSO (Kerberos), no such prerequisites are documented - that's why I am asking.

BR

Tom

Former Member
0 Kudos

I have a feeling that the standard documentation quietly assumes that the Win server (A) and user (B) belong to the same domain or to trusted domains. Otherwise, if the domains are not trusted, the trust must be done between the server and domain B = there must be a way to tell the Windows server to add foreign (from domain A) credentials (like kinit in Linux), and this part is not documented anywhere; at least I could not find it in SDN or SAP helps.

donka_dimitrova
Contributor
0 Kudos

Hello,

With regard to the Microsoft Windows SSO technology in combination with SAP GUI, you always have to consider also the recommendations of SAP Note 352295 - Microsoft Windows Single Sign-On options.

Best regards,

Donka Dimitrova