
SNC with SSO does not allow to login

werner_flamme
Explorer
0 Kudos

Hi everyone,

We are trying to configure Single Sign-On for the users of SAP GUI for Windows.

The ABAP application server has been configured, and I think the config is OK, since in the log file I see:

N  SncInit(): Initializing Secure Network Communication (SNC)
N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N        UserId="sidadm" (1002), envvar USER="sidadm"
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so
N    File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.
N    The SNC-Adapter identifies as:
N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N  SncInit():   found snc/identity/as=p/krb5:SAPServiceSID/sapsid.intranet.ufz.de@INTRANET.UFZ.DE
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=07h 37m 16s

So, I think there is no error on the server side. But whenever a user tries to log in, he/she gets an error in SAP GUI:

---snip---
GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI u2u-problem: please add Service principal for targe
target="p:myuser@INTRANET.UFZ.DE"
Error in SNC
---pins---

What's wrong here? Do I have to execute the "setspn" command for each user? And what would this look like? On the command line, the output of "setspn -l myuser" is empty, and "setspn -l myuser@INTRANET.UFZ.DE" results in an error.

The entry in the Network tab in the SAP GUI reads either "p/krb5:myuser@INTRANET.UFZ.DE" or "p:myuser@INTRANET.UFZ.DE" or simply "P:myuser"; the error always remains the same.


Can someone please help me?


Werner

Accepted Solutions (0)

Answers (6)

Mofizur
Contributor
0 Kudos

Hi,

I believe below steps would be necessary for you.

1) Set SNC Parameters

snc/enable = 1
snc/gssapi_lib = <Drive>\Windows\SysWOW64\gx64krb5.dll
snc/identity/as = p:SAPService<SID>@DOMAIN.COM
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/accept_insecure_gui = 1

2) Perform setspn for User SAPService<SID>

Setspn -A http/FQDN HOSTNAME SAPService<SID>

3) Activate SNC at SAPGUI

4) Handover to Security Team for their steps (Activate SNC at User level)

Hope above information helps.

Thanks,

Mofizur

werner_flamme
Explorer
0 Kudos

Mofizur,

thank you for point 4), YMMD. Unfortunately, there is no security team to hand the problems over to; I have to work it all out alone. That's why I asked here.

Steps 1-3 I did weeks ago, as you can see in the previous posts.

Regards,

Werner

Former Member
0 Kudos

Very long thread but just checking, have you assigned the SNC name to the user?

As in the following blog

http://scn.sap.com/community/sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-s...

werner_flamme
Explorer
0 Kudos

Yes, all users got their respective entries. In our case, it is p:username@INTRANET.UFZ.DE. But I think that the SAP system is not involved.

I expect to get errors like "User name or password is wrong" when I use a non-existing SAP user, or "Duplicate Principal" when I try to log in, since I have accounts in clients 000 and 100 of that system.

Former Member
0 Kudos

Hi Werner,

I know you did not get any help here, so I am hesitating to ask. Nevertheless:

Could you solve the issue by now?

Best regards,

Ralf

werner_flamme
Explorer
0 Kudos

Hi Ralf,

I am sorry I was not able to solve it. I still have problems with the encryption between my Linux SAP hosts and the Windows Domain Controllers.

Unfortunately, we had several severe problems in the meantime, so I was not able to investigate here further. I remember a multi-hour phone call to the Domain admin, but it left no usable results.

But I still have to try the last proposal from Amerit Chahal, just no time. The SAP basis admin team for our 12 systems consists only of me ...

Regards,

Werner

0 Kudos

Hi Werner:

Maybe what I am going to ask is crazy, but sometimes we forget the small details. If everything is set up, did you install the SAPOSS.MSI software on the SAP GUI PC?

If everything is correct on your server side, in the GUI you only need the software and, in the configuration:

   p:SAPService/<SAP full domain host>@<your domain in CAPS>

I hope that you can solve your problem quickly.

Best Regards;

Ricardo Nolasco

werner_flamme
Explorer
0 Kudos

Hi Ricardo,

Yes, I used the .msi package to deploy the libraries on the client (a Windows Desktop server) and set the environment variable SNC_LIB accordingly. Before, there was an error explicitly stating that the SNC lib could not be found.

When I do not use my own userPrincipalName in the SAP GUI but "p:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE", the error changes to

---snip---
GSS-API(maj): Miscellaneous Failure
GSS-API(min):SSPI::IniSctx#1()==Unknown SSPI error
0x80090342
target="p:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE"
Error in SNC
---pins---

But why would I enter the name of the SAP Service user in AD? Why do I have (in TA SU01) an entry for the SNC name when everyone uses the same entry in SAP GUI? Or does the name translation take place at the AD?

Then I may have an encryption problem, when I search for the error number, as mentioned in for example (the text of this error should be "The encryption type requested is not supported by the KDC"). Or the domain's KERBEROS DISTRIBUTION KEY (KDC) service must be restarted on the 3 domain masters.

OK, the domain admin will be back next week, he's ill just now...

Regards,

Werner

Former Member
0 Kudos

Werner,

I don't give up the ghost that easily

Is your Domain Admin back so that we can pick this up again?

Cheers,

Amerjit

werner_flamme
Explorer
0 Kudos

Amerjit,

thank you for remembering me. Today, I had a phone call with the AD admin, 3 hours...

We found out that the AD is not OK with the encryption we use. The manuals you find are always about earlier versions of Windows, and the encryption methods vary between them. We tried a lot, with enabling additional encryptions on the AD and defining various default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes on the side of the SAP host.

In real life, 3 systems are involved: the client, where the SAP GUI resides (for most clients this is a Windows 7 PC); the AD running on Windows Server 2008 R2, and the SAP host running SUSE Linux Enterprise Server 11 SP3.

Currently, the invocation of "./gsstest -l /usr/lib64/snckrb5.so -a 'SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE'" on the SAP host shows the first error as:


TEST: acquiring accepting credentials for target (can. printable name)
RESULT  OK

TEST: acquiring *default* accepting credentials (simple)
Status:  gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
         gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
           "Invalid credential was supplied"
RESULT  NOT ok (rc=1)

But later on, we see in the "Context establishment functions" section a lot like


TEST: Testing sec_context est.: ini_cred=SIMPLE, acc_cred=GSSNAMED
Status:  gss_init_sec_context #1() == (GSS_S_FAILURE)
         gss_display_status(0x000d0000,GSS_S_GSS_CODE) =
           "Unspecified GSS failure.  Minor code may provide more information"
         gss_display_status(0x96c73a0e,GSS_S_MECH_CODE) =
           "KDC has no support for encryption type"
WARNING: gss_init_sec_context() failed and returned min_stat but no mech_oid!
ERROR: sap_try_context(): context establishment error after #0 contexts!
RESULT  NOT ok (rc=1)

And this may be the reason for the 0x80090342 error we get in the SAP GUI for Windows. And we are back to the question of enctypes... But even after 3 hours of discussing and trying, we did not find the point to click.

Former Member
0 Kudos

Hey Werner,

In the context of only setting up SNC.... Please indulge me and proceed as follows.

1. Download and install the software as mentioned in the note.

1684886 - License conditions of SNC Client Encryption

2022906 - Downloading Secure Login Library for SNC Client Encryption 1.x

You can use SNC without a license. Only SSO with SNC becomes a licensed product.

2. Please follow the setup using the guides and references we (myself and others) have already pointed you to.

3. Concerning the SPN and then cross checking with "snc", please follow verbatim.

Please go through the above and revert back to us.

There is always a method in what may be perceived as madness

KR,

Amerjit

werner_flamme
Explorer
0 Kudos

Amerjit,

I do all the things here only to provide SSO in the end. If I succeed in setting up SNC with the SAP Secure Login Client Library, I am not allowed to use it for the desired purpose. That is why I did not install this software.

Next week I'll try it though. Currently I think the libraries on the client cause the problems, since I get no log entries at all in the SAP system regarding failed logon attempts, not even in the files in $DIR_INSTANCE/work.

Regards,

Werner

Former Member
0 Kudos

Werner,

I've understood your end goal which is SNC with SSO and understand the licensing constraint for the SSO part.

In such situations I always like to get back to basics and in that context that you manage to get SNC working. Then you've at least won half the battle (glass half full or half empty ?).

The packages in the note I mentioned also contain a client side package which is what you'll need.

If I were you, I'd scratch what you've done so far and take it from zero using the packages (see note) and procedures that have been mentioned.

prorsum et sursum.

Amerjit

werner_flamme
Explorer
0 Kudos

Amerjit,

it took a while, but I finally managed to install the Secure Client libraries. I got a VM with Win 7 Prof, and installed SAP GUI 7.40 SP 2 HF 2, which brought the libraries along (I checked the option during install).

Nice to see that even on this newly installed VM I get the message I am so accustomed to, the 0x80090342 error.

Since the AD admin told me every possible encryption is enabled for the host sapuft.intranet.ufz.de and for the user with the SPN SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE I do not know how to proceed.

Regards,

Werner

Former Member
0 Kudos

Hi Werner, hope you are hanging on; such a long and painful issue, I see.

I can't read all the details, but in case you haven't tried this yet: has your AD admin tried restarting the KDC service on all domain controllers?

werner_flamme
Explorer
0 Kudos

Hi,

he told me that they were restarted, yes. They restart once a month, and he said that this restart took place last weekend, but nothing changed.

Former Member
0 Kudos

Ok this thread talked about using another encryption. Have you tried RC4-HMAC?

http://scn.sap.com/thread/3222921

Cheers

Donald

werner_flamme
Explorer
0 Kudos

Yes, that was about the first attempt. We tested many settings, and enabled every kind of encryption mentioned in the settings for the user and the host.

Now, I only set default_tgs_enctypes and default_tkt_enctypes and do not modify permitted_enctypes in /etc/krb5.conf.

What is making me feel exhausted is that neither side of the communication logs which type of encryption is used. But we found that aes256-cts-hmac-sha1 is an active encryption on our AD controllers (W 2008 R2), and the first default_*_enctype is set to aes256-cts-hmac-sha1-96 on the SAP Linux host.

I'd suggest to restart all 3 DCs simultaneously, but this will get me rid of any friends I have left among the 1000+ Windows users in the company
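Added example, not code from the thread or from SAP: the point Werner is stuck on above (which enctype the KDC, the keytab on the SAP host and krb5.conf actually agree on) and the recurring question of whether the keytab holds the principal named in snc/identity/as can both be checked offline from the keytab file itself. The script parses the MIT keytab v2 format directly, maps the SNC name (p: or p/krb5: prefix) to its Kerberos principal, and reports whether a key with a permitted enctype exists for it; the sample keytab, its all-zero keys and the permitted sets are constructed test data, and a real run would read the file named by KRB5_KTNAME.

```python
import struct
ENCTYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",           # krb5.conf names
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(data, off):
    # counted_octet_string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse MIT keytab v2 bytes into a list of (principal, kvno, enctype name)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                  # past name type, timestamp, vno8 and keyblock
        vno = vno8 if end - off < 4 else struct.unpack_from(">I", data, off)[0]
        entries.append(("/".join(comps) + "@" + realm, vno,
                        ENCTYPES.get(etype, "enctype %d" % etype)))
        off = end
    return entries

def snc_to_principal(snc_name):
    """Strip the SNC prefix ('p/krb5:' or 'p:') to get the bare Kerberos principal."""
    for prefix in ("p/krb5:", "p:"):
        if snc_name.lower().startswith(prefix):
            return snc_name[len(prefix):]
    raise ValueError("unrecognised SNC name: " + snc_name)

def check_keytab(data, snc_identity_as, permitted):
    """Return findings; an empty list means the keytab can serve snc/identity/as."""
    want = snc_to_principal(snc_identity_as)
    entries = parse_keytab(data)
    mine = [e for e in entries if e[0] == want]
    if not mine:
        return ["no key for %s; keytab holds %s" % (want, sorted({e[0] for e in entries}))]
    if not any(e[2] in permitted for e in mine):
        return ["%s has only %s, none of them permitted" % (want, sorted({e[2] for e in mine}))]
    return []

def _entry(realm, comps, vno, etype, key):
    # Build one keytab entry; used only to construct the sample below.
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)     # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

SNC_IDENTITY_AS = "p/krb5:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE"
_P = ["SAPServiceUFT", "sapuft.intranet.ufz.de"]    # constructed sample, zero dummy keys
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("INTRANET.UFZ.DE", _P, 3, 23, bytes(16))
                 + _entry("INTRANET.UFZ.DE", _P, 3, 18, bytes(32)))
```

For the thread's configuration the permitted set would be the enctype names from default_tgs_enctypes/default_tkt_enctypes in /etc/krb5.conf; a non-empty result points at the keytab rather than at the KDC.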

Former Member
0 Kudos

Hi Werner,

Totally forgot to reply to you.

I'll repeat I understand your end goal is SSO with SNC and that your constraint is licensing. The licensing only comes into play for the SSO part and NOT the SNC part.

Now where you are right now is that you have this 0x80090342 error that is taking years away from your life

1. You've installed the SNC libs from the SAPGUI 740 media.

2. You're still running with native libraries on the SUSE side.

If you really would indulge me and install the SAP package on the server side and configure as per the various posts/blogs.

All I'm interested in at this stage is to get a known working combination working. Once that's done it should help in the process of elimination of your current problem with your current config.

Willing to join in?

Amerjit

Former Member
0 Kudos

Hi Werner,

The correct value for the parameter snc/identity/as should look like "p:<DOMAIN_NAME>\SAPService<SID>".

You can also follow the steps below to check whether SNC and SSO are configured correctly.

• is SSO working?

To check: execute function module (SE37) create_rfc_reentrance_ticket and confirm that a long alpha-numerical string is returned without any exception.
Example of ticket:  AjExMDABAAxTSEFIREVFICAgICACAAMwMDADAAhROTkgICAgIAQADD...... (Length 255 char)

• is SNC active?

To check: execute function module (SE37) SNC_GET_MY_INFO and confirm it is active.

Let us know if you observe any issue in the checks.

Regards,

Prithviraj.

werner_flamme
Explorer
0 Kudos

Hi Prithviraj,

what is the difference between 'p:<DOMAIN_NAME>\SAPService<SID>' and 'p:SAPService<SID>/<hostname>@<DOMAIN_NAME>' in an AD running on Win 2008R2? I followed the documentation available from Realtech system consulting GmbH when it came to the name.

Function create_rfc_reentrance_ticket creates a nice long output.

SNC is active, as it is stated in SU01. The output of SNC_GET_MY_INFO is:

---snip---

PNAME_APPL                  p:SAPServiceSID/sapsid.intranet.ufz.de@INTRANET.UFZ.DE
SNC_QOP_MIN                 1
SNC_QOP_MAX                 3
SNC_QOP_USE                 3

PNAME_USER

PNAME_CPIC

GUI_CONN_TYPE

LOGIN_TYPE                  ND
RC                          0

---pins---

I do not regard the output as an issue.

Former Member
0 Kudos

Hi,

Please check the below link section "Adding SPNs"

https://technet.microsoft.com/en-us/library/cc731241.aspx

and

Last reply from the discussion, if that helps.

Regards,

Prithviraj.

werner_flamme
Explorer
0 Kudos

Hi,

I don't see the point. The AD admin created an account named ad_sapuft and used the command "setspn -A SAPServiceUFT/sapuft.intranet.ufz.de INTRANET\ad_sapuft". The key was exported and imported into the keytab on the SAP host. For the SAP system user uftadm, kinit works and is executed via cron job every 4 hours.

I read the thread you mentioned, and especially the last reply, many times before I posted here, but I do not see the point where it would help me

Using Active Directory Explorer (by sysinternals.com), I see that the user with sAMAccountName "ad_sapuft" got the userPrincipalName "SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE". I do not know what should be changed, since that is exactly the value I use for snc/identity/as in the system's profile.

Regards,

Werner

Former Member
0 Kudos

Hello Werner,

Can you provide us with five things, please?

Q1) As user <sid>adm, please run "snv" and post the output.

A)

Q2) Please tell us the values set for:

snc/gssapi_lib

snc/identity/as

A)

Q3) The Windows AD Account that has been setup along with the SPN

A)

Q4) Did you generate the Kerberos Keytab (PSE) on the Backend ?

A)

Q5) What version of SAP SSO are you using  (SSO1 or SSO2) ?

A)

For me I'm of the same opinion as @

Kindest Regards,

Amerjit

werner_flamme
Explorer
0 Kudos

A1) The command snv is unknown; the shell proposes env instead. The output of env is:


A2)

snc/gssapi_lib = /usr/lib64/snckrb5.so

snc/identity/as = p/krb5:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE

A3) yes

A4) yes

A5) SSO2, since the system is connected with a SAP NW 7.3 Java working as Portal.

Then I also ask you: in what way does snc/identity/as look incorrect?

BTW, all SAP systems are running on SLES 11 SP3, and the Domain Controllers are running Windows 2008R2.

Former Member
0 Kudos

Werner,

mea culpa.

Typo .... Should have read "snc"

Amerjit

werner_flamme
Explorer
0 Kudos

Amerjit,

bad luck:

> snc
CORRECT>sync (y|n|e|a)? no

Where should the executable come from?

Regards,

Werner

Former Member
0 Kudos

Hi Werner,

The command "snc" will be found in the directory where you unpacked the contents of SECURELOGINLIB.SAR (or equivalent).

Here's what I have working in my environment for years now.

snc/identity/as = p:CN=SAP/KerberosXXX@MYCO.COM

My AD User = <DOMAIN>\Kerberos<SID>

ServicePrincipalName = SAP/Kerberos<SID>

In my SAPGUI I have: p:CN=SAP/KerberosXXX@MYCO.COM

If, as I assume, you are using the document from "Matthias Schlarb" from RealTech: I used this as a basis for my setup on AIX and had to work around certain assumptions (not documented) that were made.

In addition to the above, please have a look at the following succinct but good guide by @Phillip Hofmeister

MFG,

Amerjit

werner_flamme
Explorer
0 Kudos

Hi Amerjit,

I am not allowed to use SECURELOGINLIB.SAR because we do not have a license for "SAP NetWeaver Single Sign-On". If this were the case, I'd rather open a service call with SAP instead of starting a discussion here - even if this discussion might be a lot more helpful than the support call, not to speak of the months of retention time until the first supporter picks the call .

You are right that the document I used was written by Matthias Schlarb.

When I look at the docu you mentioned, I see that I need "SNC Client Encryption/Libraries". When I try to download these, I read on the page before I reach the download links "Note: The SNC Client Encryption package must not be used in Single Sign-On scenarios. If Single Sign-On or other value added scenarios (e.g. SSF at the client) are required customers need to acquire the SAP NetWeaver Single Sign-On product".

So I think I really should not use those.

Looking at my dev_w0 content, I think that I reached the end of point 4) of that docu successfully by following the steps Mr Schlarb wrote.

Regards,

Werner

Former Member
0 Kudos

setspn is executed once for SAPService<SID>. To me snc/identity/as looks incorrect, that is probably the source of your problems.

werner_flamme
Explorer
0 Kudos

In what way does snc/identity/as look incorrect?

Former Member
0 Kudos

Werner Flamme wrote:

In what way does snc/identity/as look incorrect?

The correct format of SPN is SAP/XXX@DOMAIN, there are several possible values for XXX including host name but the one you have used isn't correct. Reading your other replies, you are on the right track meaning you can't use SSO with the SNC Client Encryption library since it is free and provided only for SNC encryption purposes. The only library allowing client SSO that SAP provides, especially in a heterogeneous SAP environment, is the one in SAP Single Sign-On which is a separately licensed product.