Use case #

BI client tools such as Power BI, Power Pivot, Alteryx, etc. can start extractions in Xtract products, e.g., Xtract Universal or Board Connector). Xtract products load the extracted data directly into the tools. In this use case, it is often required that the extraction is executed with the SAP credentials of the (Windows AD) user, whose BI client triggered the extraction. This means that the SAP authorizations of the executing user apply, which is especially important when extracting BW/BEx queries.

The Windows credentials of the user must be forwarded to SAP using the Xtract product. On the way to SAP or on the SAP side, the Windows user and its SAP credentials are mapped.

Single Sign-On (SSO) with an Xtract product can be realized via three different procedures:

What is SNC? #

Secure Network Connection (SNC) enables authentication and transport encryption between SAP systems and between SAP systems and third-party tools like Xtract Universal and Board Connector. For more information on SNC, see SAP Help: SNC.

SSO and SNC with Client Certificates #


The usage of SSO Certificate requires the correct characteristics of the architecture:

For more information on how to set up SSO and SNC with client certificates, see Knowledge Base Article: SSO with Client Certificates.

SSO and SNC with Kerberos Wrapper Library #

Warning! SAP officially does not support the Kerberos Wrapper Library (gx64krb5.dll) anymore.

Warning! Single Sign-On availability
The ABAP application server has to run on a Windows OS and SNC with Kerberos encryption setup on SAP.


  • The SAP ABAP application server runs under a Windows operating system.
  • The BI client (which calls the extraction) runs under Windows.
  • The SAP Kerberos Wrapper Library (gsskrb5) is used as the SNC solution.

Note: Only one SNC solution can be set up on an SAP system at a time - for example, SAP’s Common Crypto Library or gsskrb5, but not both at the same time. The described procedure only works with the gsskrb5.

For more information on how to set up SSO and SNC with Kerberos Wrapper Library, see Knowledge Base Artile: SSO with Kerberos SNC.

SSO via SAP Logon Ticket #

If one of the above mentioned prerequisites is not met (in particular, Kerberos Library cannot be used or the SAP application server does not run under Windows), you can implement the SAP/AD user mapping using an SAP portal (SAP Web AS) without SNC.

Using SSO is then also possible, but the connection is then not encrypted, unlike with SNC. On the other hand, the SAP application servers must only be configured for SAP logon tickets and not for SNC.


The following scenario enables an SAP connection via Single-Sign-On:

  • You have an AS Java instance set up that is configured for SPNEGO/Kerberos authentication.
  • Within this AS Java instance there is a mapping between Windows AD users and SAP users (== ticket issuer).
  • Your AS ABAP instance (the SAP the system Xtract products extract data from) trusts the SAP logon tickets issued by the AS Java instance.

Note: For more detailed information on the process of calling extraction using SSO with SAP Logon Tickets, refer to the knowledge base article SSO with Logon-Ticket.