The following section describes the required steps for setting up Single Sign-On (SSO) with Secure Network Communication (SNC) and Kerberos encryption.

Warning! Single Sign-On availability
ABAP application server has to run on a Windows OS and SNC with Kerberos encryption setup on SAP.

Activation of HTTPS #

  1. Enable access control protocol HTTPS (1) within the tab Web Server settings.
  2. Reference an existing X.509 certificate (2).
  3. Click [OK] to confirm (3)

Note: Make sure to check the default ports depending on your product. HTTPS port 8165 is e.g., set up by default in Xtract Universal. BOARD Connector’s default HTTPS port 8197.


Configuration of Windows AD service account #

  1. Create a Windows AD service account for an Xtract Server. This is the account the service is running under (e.g., XU service account or BOARD Connector Service). XU_ServiceAccount
  2. In the Attribute editor tab define two Service Principal Names (SPN). Use the following notation <service class</<host<, e.g., HTTP/FQDN.domain.local:8165. XU_SSO_WinAD_SPN
  3. In the Delegation tab define the service account for constrained delegation - Use Kerberos Only. XU_SSO_WinAD_SPN
  4. Enter the SPN of the service account under which the SAP ABAP application server is running (SAP Service Account), e.g., SAPServiceERP/do_not_care For more detailed information about the partner name notation in SAP, see the SAP Help portal.
  5. In the tab Log On, change the account to service account, e.g., svc_xusrv@theobald.local. XU_SSO_WinAD_SPN

Server Settings #

Warning! Incompatible library
Xtract products run on 64bit OS only. Kerberos Wrapper Library gx64krb5.dll(64-Bit version) is required.
Download gx64krb5.dll from SAP Note 2115486.

  1. Copy the Kerberos Wrapper Library to the file system, e.g., to C:\SNC\gx64krb5.dll of the machine, where the service is running.
  2. Place the downloaded .dll file on each machine, where the Designer is running.
  3. Open “Computer Management” by entering the following command: compmgmt.msc.
  4. Under Local Users and Groups select Groups > Administrators.
  5. Click [Add] (4) to add the service account to the local admin group (5). XU_SSO_WinAD_SPN
  6. Open “Local Security policy” by entering the following command: secpol.msc. XU_SSO_LocSecPol
  7. Select [Local Policies > User Rights Assignment]
    • Act as part of the operating system
    • Impersonate a client after authentication
  8. Change the registry settings of the server machine:
Field Registry Entry
Entry ForceIniCredOK
Value 1

SAP Source Settings #

Note: An existing SAP connection to a Single Application Server or Message Server is the prerequisite for using SSO with SNC.

  1. In the main menu of the Designer, navigate to [Server > Manage Sources]. The window “Source Details” opens. XU_SSO_SAPSource
  2. Select an existing SAP source and click [Edit] (pencil symbol). Edit-SAP-source
  3. Enable the SNC option (1) in the subsection Authentication.
  4. Enable the checkbox Impersonate authenticated caller (SSO) (2).
  5. Enter the complete path of the Kerberos library in the field SNC library e.g., C:\SNC\gx64krb5.dll (3).
  6. Enter the SPN of the SAP service account in the field Partner name. Use the following notation: p:[SPN]@[Domain-FQDN-Uppercase] (4).
  7. Click [Test Connection] to verify your connection settings.
  8. Click [OK] to confirm.

Note: The SAP Logon Pad SNC settings for partner name differ from the ones used in Xtract products. SAP Logon Pad uses the UPN of the SAP service accounts and Xtract products use the Service Principal Name (SPN). Use the following notation: p:[SAP Service Account]@[domain]. SPN’s are case sensitive in the SNC partner name.

SNC Activation in SAP #

In SAP, apply the Kerberos SNC settings as described in the SAP Help.