Skip to content

SSO with SNC

Secure Network Communication (SNC) enables authentication and transport encryption between SAP systems and between SAP systems and third-party tools like Xtract Universal and Board Connector. For more information on SNC, see SAP Help: SNC.

When using SNC you can choose between the NTLM or the Kerberos5 mechanism.

Prerequisites

The following DLLs from SAP need to be present in the %SYSTEMROOT%\System32 directory of your system:

  • For 32-bit:


    • NTLM: gssntlm.dll
    • Kerberos: gsskrb5.dll
  • For 64-bit x86:


    • NTLM: gx64ntlm.dll
    • Kerberos: gx64krb5.dll

The DLLs are available via the SNOTE 2115486.

When using Kerberos authentication, apply the Kerberos SNC settings as described in the SAP Help - Single Sign-On with Microsoft Kerberos SSP to your SAP system.

Note

It is recommended to test the connection between SAP and the client before continuing.

SNC in ERPConnect

The R3Connection object automatically determines the needed SNC DLL based on the settings of SNCMechanism. With the SNCLibraryPath property you can specify the path to the SNC DLL manually. In this case the automatic detection of the DLL is disabled and the setting for SNCMechanism are ignored.

If you specify the SNCMechanism, you can choose between the NTLM and the Kerberos mechanism.
If the Kerberos authentication is not possible, NTLM is used automatically.

If you do not want to use the SNC properties to create a connection, set SNCEnabled to false. It disables all settings without changing the other SNC parameter.

The following example codes show how to pass the necessary parameters for an SNC connection to an R3Connection object.

using (R3Connection con = new R3Connection())
{
    con.Host = "sap-erp-as05.example.com";
    con.SystemNumber = 7;
    con.Client = "800";
    con.Language = "DE";
    con.SNCSettings.Enabled = true;
    con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
    con.SNCSettings.Mechanism = SNCMechanism.NTLM;
    con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

    con.Open();
    // define your application
}
using (R3Connection con = new R3Connection())
{
    con.Host = "sap-erp-as05.example.com";
    con.SystemNumber = 7;
    con.Client = "800";
    con.Language = "DE";
    con.SNCSettings.Enabled = true;
    con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
    con.SNCSettings.LibraryPath = @"C:\Windows\SysWOW64\sncgss32.dll";
    con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

    con.Open();
    // define your application
}

Note

As of ERP Connect version 4.2.3 you can set a security level with the property QualityOfProtection.

NTLM

NTLM (abbreviation for NT LAN Manager) is an authentication procedure for computer networks.
NTLM performs the SSO authentication via a challenge-response authentication between the client and the server.

For more information on NTLM, see Microsoft Documentation - NTLM.

Kerberos

The Kerberos method uses a Kerberos server to authenticate the client.
The server creates so-called tickets and sends them to the client. The client authenticates itself with this ticket to the server.

For more information on Kerberos, see Microsoft Documentation - Kerberos Authentication.

Double Hop Problem

Double hop describes the passing of authentication information across two or more computers (hops).
For technical reasons NTLM only works with one hop. For security reasons Kerberos transmits authentication data only in one hop by default, but it can be configured to send data over two or more hops. Examples:

If you use Xtract PPV as the consumer of the SAP data, it has to run on the same computer that Xtract PPV Server and PowerPivot run on. The domain controller and the SAP system can run on different computer. In this case you can also use NTML and Kerberos.

If you use Xtract PPV as the comsumer for the SAP data and the Xtract PPV Server and PowerPivot run on different computers, you have to use Kerberos which can be configured to handle the Double Hop Problem. For more information on the Kerberos configuration, see Microsoft Techcommunity - Understanding Kerberos Double Hop.

For more information on the SSO configuration, see SAP Help - Single Sign-On Configuration



Last update: September 12, 2024