on 06-05-2015 2:29 AM
Hi gurus, After setting snc/accept_insecure_gui to 0, logon with a user id and password using sapgui is denied. A denial message "SNC Required for this connection" appears. The "Activate Secure Network Communication" box is checked in the saplogon Network tab.
When using single sign on with NTLM, the logon works fine. How can I get a secure SNC connection between sapgui and the SAP server when not using single sign on?
Warm Regards, CM
Hi Clifton
Just happened to stumble on this post, so sorry for joining late, but with regards to NTLM, you might want to have a look at Microsoft's own recommendation to not use that protocol:
Are you planning to continue using NTLM or move to using Kerberos? Did you want the user to be able to enter SAP user id and password or AD user id and password during logon to SAP but still have the SAP GUI session encrypted?
Thanks
Tim
I'm not 100% sure if NTLM supports SNC encryption or not. I am researching this for you and will let you know what I find. If you used Kerberos instead of NTLM then I know for sure that session encryption is possible and widely used.
If it is possible to use NTLM with encryption, and you have enabled encryption in saplogon.ini and in the snc/ instance profile parameters on the app server, then the session will be encrypted after the user has logged on. If you want to log on with SAP user and password and still use NTLM, then you can configure that in saplogon.ini or right-click the entry in SAP Logon and select the option to log on without SSO.
I found the answer. In the SNC Users Guide in section 4.8.1 it says:
Microsoft's NTLMSSP provides a uni-directional authentication of the initiator (client) to the acceptor (server) only. It does not provide mutual authentication, and it does not offer data integrity or data privacy protection for the communication.
You can find this guide at ftp://ftp.sap.com/pub/icc/bc-snc40/SNC_User_Guide.pdf
So, you need to use a different SNC library that supports Kerberos or X.509. For keeping it simple and low cost I would suggest Kerberos.
Thanks
Tim
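
An added example, not part of the thread and not SAP's own tooling: a small Python check of an instance profile for the situation discussed above, where SNC is enforced for SAP GUI but the configured library is an NTLM wrapper that cannot protect the session data. The sample profile is constructed; the parameter names other than snc/accept_insecure_gui (snc/enable, snc/gssapi_lib, snc/data_protection/min), the library file name, and matching on "ntlm" in that name are assumptions not taken from the thread.

```python
# Constructed sample profile; not taken from the thread.
SAMPLE_PROFILE = r"""
# SNC settings
snc/enable = 1
snc/gssapi_lib = C:\Windows\System32\gssntlm.dll
snc/accept_insecure_gui = 0
snc/data_protection/min = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return a list of (code, message) findings about SAP GUI session protection."""
    findings = []
    if params.get("snc/enable") != "1":
        return [("SNC_OFF", "SNC is not enabled on this instance")]
    # Assumption: an NTLM wrapper library has 'ntlm' in its file name.
    if "ntlm" in params.get("snc/gssapi_lib", "").lower():
        findings.append(("NTLM_LIB", "NTLMSSP authenticates the client only: "
                         "no mutual authentication, integrity or privacy protection"))
    if params.get("snc/accept_insecure_gui") != "0":
        findings.append(("INSECURE_GUI", "snc/accept_insecure_gui is not 0, "
                         "so logons without SNC may be accepted"))
    level = params.get("snc/data_protection/min", "")
    # Level 3 is privacy protection (encryption); anything lower permits weaker sessions.
    if not level.isdigit() or int(level) < 3:
        findings.append(("MIN_LEVEL", "minimum data protection is below privacy (3)"))
    return findings

if __name__ == "__main__":
    for code, message in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{code}: {message}")
```
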