SSO with SNC

Secure Network Communication (SNC) enables authentication and transport encryption between SAP systems and between SAP systems and third-party tools like Xtract Universal and Board Connector. For more information on SNC, see SAP Documentation: SNC.

When using SNC, you can choose between the NTLM and the Kerberos5 mechanism.

Prerequisites

The following DLLs from SAP need to be present in the %SYSTEMROOT%\System32 directory of your system:

  • For 32-bit:
    • NTLM: gssntlm.dll
    • Kerberos: gsskrb5.dll
  • For 64-bit x86:
    • NTLM: gx64ntlm.dll
    • Kerberos: gx64krb5.dll

The DLLs are available via SAP Note 2115486.

When using Kerberos authentication, apply the Kerberos SNC settings to your SAP system as described in SAP Help - Single Sign-On with Microsoft Kerberos SSP.

Note

It is recommended to test the connection between SAP and the client before continuing.

SNC in ERPConnect

The R3Connection object automatically determines the needed SNC DLL based on the setting of SNCMechanism. With the SNCLibraryPath property you can specify the path to the SNC DLL manually. In this case the automatic detection of the DLL is disabled and the setting for SNCMechanism is ignored.

If you specify the SNCMechanism, you can choose between the NTLM and the Kerberos mechanism.
If the Kerberos authentication is not possible, NTLM is used automatically.

If you do not want to use the SNC properties to create a connection, set SNCEnabled to false. This disables all SNC settings without changing the other SNC parameters.

The following code examples show how to pass the necessary parameters for an SNC connection to an R3Connection object.

using ERPConnect;

// Example 1: the SNC DLL is detected automatically from the Mechanism setting
using (R3Connection con = new R3Connection())
{
    con.Host = "sap-erp-as05.example.com";
    con.SystemNumber = 7;
    con.Client = "800";
    con.Language = "DE";
    con.SNCSettings.Enabled = true;
    con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
    con.SNCSettings.Mechanism = SNCMechanism.NTLM;
    con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

    con.Open();
    // define your application
}

// Example 2: the SNC DLL is set manually via LibraryPath (automatic detection is disabled)
using (R3Connection con = new R3Connection())
{
    con.Host = "sap-erp-as05.example.com";
    con.SystemNumber = 7;
    con.Client = "800";
    con.Language = "DE";
    con.SNCSettings.Enabled = true;
    con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
    con.SNCSettings.LibraryPath = @"C:\Windows\SysWOW64\sncgss32.dll";
    con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

    con.Open();
    // define your application
}

Note

As of ERP Connect version 4.2.3 you can set a security level with the property QualityOfProtection.
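
The following is an added example, not code from the original page or from the ERPConnect project: it picks the Kerberos DLL from the Prerequisites list explicitly, checks that it is installed before opening the connection, and passes it via LibraryPath so the library that gets loaded is exactly the one named. The SncLibrary helper is hypothetical; host, client and partner name are the values from the examples above.

```csharp
using System;
using System.IO;
using ERPConnect;

// Hypothetical helper (not part of ERPConnect): maps mechanism and process
// bitness to the DLL names listed under Prerequisites.
static class SncLibrary
{
    public static string Resolve(bool kerberos)
    {
        string name = Environment.Is64BitProcess
            ? (kerberos ? "gx64krb5.dll" : "gx64ntlm.dll")
            : (kerberos ? "gsskrb5.dll" : "gssntlm.dll");

        // %SYSTEMROOT%\System32 as seen by the current process.
        string path = Path.Combine(Environment.SystemDirectory, name);
        if (!File.Exists(path))
            throw new FileNotFoundException(
                "SNC library not installed; see Prerequisites.", path);
        return path;
    }
}

static class Program
{
    static void Main()
    {
        // Fail before any network traffic if the Kerberos DLL is missing,
        // instead of finding out at Open().
        string kerberosDll = SncLibrary.Resolve(kerberos: true);

        using (R3Connection con = new R3Connection())
        {
            con.Host = "sap-erp-as05.example.com";
            con.SystemNumber = 7;
            con.Client = "800";
            con.Language = "DE";
            con.SNCSettings.Enabled = true;
            con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
            // Explicit path: automatic DLL detection is disabled and the
            // Mechanism setting is ignored, as described above.
            con.SNCSettings.LibraryPath = kerberosDll;
            con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

            con.Open();
            Console.WriteLine("SNC connection opened with " + kerberosDll);
        }
    }
}
```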

NTLM

NTLM (abbreviation for NT LAN Manager) is an authentication procedure for computer networks.
NTLM performs the SSO authentication via a challenge-response authentication between the client and the server.

For more information on NTLM, see Microsoft Documentation - NTLM.

Kerberos

The Kerberos method uses a Kerberos server to authenticate the client.
The server creates so-called tickets and sends them to the client. The client authenticates itself with this ticket to the server.

For more information on Kerberos, see Microsoft Documentation - Kerberos Authentication.

Double Hop Problem

Double hop describes the passing of authentication information across two or more computers (hops).
For technical reasons NTLM only works with one hop. For security reasons Kerberos transmits authentication data only in one hop by default, but it can be configured to send data over two or more hops. Examples:

If you use Xtract PPV as the consumer of the SAP data, it has to run on the same computer that Xtract PPV Server and PowerPivot run on. The domain controller and the SAP system can run on different computers. In this case you can also use NTLM and Kerberos.

If you use Xtract PPV as the consumer of the SAP data and the Xtract PPV Server and PowerPivot run on different computers, you have to use Kerberos, which can be configured to handle the Double Hop Problem. For more information on the Kerberos configuration, see Microsoft Techcommunity - Understanding Kerberos Double Hop.

For more information on the SSO configuration, see SAP Help - Single Sign-On Configuration.