
How an end user can temporarily disable SSO?

daniel_leal4
Explorer
0 Kudos

What is the recommended procedure for the end user running SAP Secure Login Client 3.0, Kerberos authentication, to temporarily disable SSO?

The scenario I am trying to address is for the user to stay on a Windows session, but disable SSO logon in case a different person clicks on the SAPGUI SSO connection, consequently having access to the SAP system using the SSO credentials of the Windows user.

Thank you,

Daniel Leal

Accepted Solutions (0)

Answers (1)


Colt
Active Contributor
0 Kudos

Hi Daniel,

Here are my recommendations, I hope this is helpful for you.

#1: Avoid disabling SNC in any case, connection must be secured with SNC.

#2: It is possible to log on to a SAP GUI connection without SSO (but with SNC), which leads to a logon dialog (right click - context menu).

#3: One can open the Secure Login Client and log out from the Kerberos profile and log in as a different Windows user by having valid AD credentials. Then he or she opens the SAP GUI and connects via SSO with his account. After the work is done, log out from the Kerberos profile to revert back to the original user (ideal scenario for a SAP Basis admin who needs to support a user via screen sharing, without requiring the user to log out or to change anything in the normal SSO setup).

Regards,

Carsten

daniel_leal4
Explorer
0 Kudos

Thank you for the reply, Carsten.

We are on the same page as far as SNC, i.e., we prefer not to disable the secure connection.

For #2, you are correct, but in our specific case, we would like to completely disable the "SNC Logon with Single Sign-On" option, so nobody could use the SSO credentials to access the SAP system.

For #3, your statement is also correct, but in this case, either the credentials of the new user logged in to the Secure Login Client would be used, or somebody else could just simply log out the new user, which would revert the Secure Login Client Kerberos token to the user who originally authenticated on the Windows PC.

What ideally I am trying to find is a way to enable the end user to completely disable SSO, for example, completely log out from SAP Secure Login Client, and later on log in again. When I test logging out from the Secure Login Client (File >> Logout), my user gets logged in again.

Best regards,

Daniel

former_member200373
Participant
0 Kudos

Two more options you may consider, and we could detail on demand:

- use our new Encryption Only + emergency mode, which requires CCL 8.5 and some X.509 PKI on server side,

- or turn on SSO Mode = 2 or higher for Secure Login Client, which forces Windows authentication for any SNC connection.

-- Stephan

Colt
Active Contributor
0 Kudos

Hi Daniel,

Thanks. I may not fully understand your question.

What is it you are trying to achieve? To completely disable SSO but stay with SNC encryption - only temporarily? What is the use case behind this requirement and what type of authentication would you expect in such cases? As you said you want to disable #2 nevertheless, you would be fine with the AD credentials, or? In this case I would recommend the SSO Mode 2 mentioned by Stephan.

Cheers,
Carsten

daniel_leal4
Explorer
0 Kudos

Thank you for the reply, Stephan.

At this point we do not have the pre-reqs for the first option.

The SSOMode=2 registry setting appeared to be promising, but when testing, it looks like it works only for Business Client connections defined in the Local workspace. It did not appear to have any impact on connections that are centrally defined in other workspaces. Is this the expected behavior or am I missing something?

Thanks,

Daniel Leal

daniel_leal4
Explorer
0 Kudos

Thanks, Carsten. Paraphrasing my previous entry, I would like to give the ability to an end user to disable SSO temporarily, so somebody else could work on the Windows session, but would not be able to log on to a SAP system via SSO.

It looks like I am describing a "kiosk" type of scenario, which appears to require certificate authentication as previously mentioned by Stephan. The difference in our specific case is to provide the ability to flip between "kiosk" and regular settings on demand, as needed by the end user.

I was hoping to find a simple way to enable/disable the SAP Secure Login Client, but it looks like this option is not currently available.

Best regards,

Daniel Leal

daniel_leal4
Explorer
0 Kudos

I will take it back, Stephan. Setting the registry entries HKCU\Software\SAP\SecureLogin\Common\Kerberos\SSOMode=2 and HKLM\SOFTWARE\Policies\SAP\SecureLogin\Common\Kerberos\SSOMode=2 did not cause any change in behavior to either Local or Centrally configured Business Client connections.

Thanks,

Daniel Leal

0 Kudos

Hi,

why not switch to a two factor authentication for that user (OTP)?

Regards

Kai

daniel_leal4
Explorer
0 Kudos

This certainly is an option. Unfortunately right now two factor authentication is not in scope for us, but I will keep your suggestion in mind for a future date.

Thank you for the reply,

Daniel Leal

Colleen
Advisor
0 Kudos

If you are describing a kiosk type scenario, then can you have a different Windows Account for the machine instead of one user logging in?

former_member200373
Participant
0 Kudos

Business Client - using SNC? Or HTTPS with SPNEGO? Only SNC is controlled by Secure Login Client.

You may have to kill and restart SLC after changing SSOMode. But then you should immediately see that the Kerberos profile is grey, and SLC's login UI appears once an SNC connection is launched.

NWBC then will prompt for Windows credentials for any new connection. This is what I'd call a kiosk mode.

-- Stephan
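
The set-then-restart sequence from the last reply, as an added PowerShell sketch that is not part of the thread and not SAP tooling. The registry paths and the value 2 are the ones quoted above; the REG_DWORD type, the `-Action` names and the `<SLC_PROCESS_NAME>` placeholder are assumptions.

```powershell
# Added example. Paths and value 2 come from the thread; everything else is assumed.
param(
    [ValidateSet('Status', 'Kiosk', 'Normal')]
    [string]$Action = 'Status',
    # Placeholder: replace with the Secure Login Client process name on your system.
    [string]$SlcProcessName = '<SLC_PROCESS_NAME>'
)

$UserKey   = 'HKCU:\Software\SAP\SecureLogin\Common\Kerberos'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\SAP\SecureLogin\Common\Kerberos'  # reported only

function Get-SsoMode([string]$Key) {
    # Returns $null when the key or the SSOMode value does not exist.
    $item = Get-ItemProperty -Path $Key -Name 'SSOMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.SSOMode
}

switch ($Action) {
    'Kiosk' {
        if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
        # Assumption: SSOMode is stored as REG_DWORD.
        New-ItemProperty -Path $UserKey -Name 'SSOMode' -Value 2 `
            -PropertyType DWord -Force | Out-Null
    }
    'Normal' {
        # Remove the per-user value instead of guessing a default number.
        Remove-ItemProperty -Path $UserKey -Name 'SSOMode' -ErrorAction SilentlyContinue
    }
}

if ($Action -ne 'Status') {
    # The thread notes the client may have to be killed and restarted after the change.
    $proc = Get-Process -Name $SlcProcessName -ErrorAction SilentlyContinue
    if ($proc) {
        $exe = $proc[0].Path
        $proc | Stop-Process -Force
        if ($exe) { Start-Process -FilePath $exe }
    } else {
        Write-Warning "Process '$SlcProcessName' not found; restart Secure Login Client manually."
    }
}

# Report both locations so a machine policy value is visible next to the user value.
foreach ($key in $UserKey, $PolicyKey) {
    $value = Get-SsoMode $key
    [pscustomobject]@{ Key = $key; SSOMode = if ($null -eq $value) { '(not set)' } else { $value } }
}
```

The HKCU value is writable by whoever is using the Windows session, so a second person at the keyboard can revert it. The HKLM policy path needs administrative rights to change, which is why the script only reports it.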