
SAPGUI NTLM SSO licensing

mcalucin
Participant
0 Kudos

Is there licensing involved when using NTLM SSO, specifically as documented at this URL: Single Sign-On with Microsoft NT LAN Manager SSP - User Authentication and Single Sign-On - SAP Lib...

Is there documentation anywhere referencing licensing or no licensing using this SSO method?

If there is licensing involved, are there any free SSO licensing schemes available for SAPGUI?

Thanks

Regards,

Mel Calucin

Accepted Solutions (1)

mcalucin
Participant
0 Kudos

Donka,

Thanks for your concern.  In an all Microsoft Windows SAP environment, I don't think this is much of a concern.  But my question is -- "Is there a monetary cost in terms of SAP licensing?  Basically, is it free?".

Thanks.

Mel Calucin

donka_dimitrova
Contributor
0 Kudos

Hello Mel,

You will have to pay for licenses if you decide to implement the Kerberos solution using the SAP Single Sign-On product and the respective libraries, otherwise not.

Best regards,

Donka Dimitrova

mcalucin
Participant
0 Kudos

Hi Donka,

Is gsskrb5.dll part of the "SAP Single Sign-On product"?

Thanks.

Mel Calucin

donka_dimitrova
Contributor
0 Kudos

Hi Mel,

No, it is not part of the SAP Single Sign-On product.

Best regards,

Donka Dimitrova

mcalucin
Participant
0 Kudos

Thanks, Donka!

-Mel Calucin

Answers (1)

donka_dimitrova
Contributor
0 Kudos

Hello Mel,

I hope you noticed the note in the documentation: "The Microsoft NTLM SSP only provides authentication based on a challenge-response authentication scheme. It does not provide data integrity or data confidentiality protection for the authenticated network connection."

If your company could afford to focus only on SSO and not to care about integrity and confidentiality of the business data, then it will be OK - this solution doesn't require a licence, but you have to make sure you implement mitigation for this risk.

On the other hand, we strongly recommend that our customers protect their business data and use the SNC Client encryption in combination with SSO for SAP GUI that is available via our SAP Single Sign-On product, because the risk does not always come from outside the corporate network. There is a lot of research that shows the security risks also exist internally.

I hope this will help you in your research for an SSO solution to SAP GUI for your project.

Best regards,

Donka Dimitrova

mcalucin
Participant
0 Kudos

Hi Donka,

Thanks for the quick reply.

OK.  How about Single Sign-On with Microsoft Kerberos SSP - User Authentication and Single Sign-On - SAP Library?  Is this free?  It looks like it takes care of the network encryption:

"The Microsoft Kerberos Security Service Provider (SSP) provides secure authentication plus encryption of the network communication. In contrast, SSO with Microsoft NTLM SSP, as described in the next section, does not provide encryption of the network communication."

Thanks.

Mel Calucin

donka_dimitrova
Contributor
0 Kudos

Hello Mel,

This scenario relies mostly on 3rd party components not controlled by SAP. As a result, SAP's support is strictly limited to SAP's side of the code which calls external products according to the definition of the GSS-API v2 interface specification (RFC 2743, RFC 2744) with the constraints published as part of SAP's BC-SNC interoperability certification. You will be able to find more details in the SAP note: http://service.sap.com/sap/support/notes/150380

And again, we strongly recommend for your scenario the solution we offer with the SAP Single Sign-On product.

Best regards,

Donka Dimitrova