Warning: Deprecated documentation
You are using the old version of the online help for ERPConnect.
Make sure to use the documentation within the new HelpCenter for ERPConnect.

You can create a SAP connection using Single-Sign-On (SSO) and Secure Network Communication (SNC) as of ERPConnect version 4.1.59.
If you use SNC in your project, you can choose between the NTLM or the Kerberos5 mechanism.

Prerequisites

The following DLLs from SAP need to be present in the %SYSTEMROOT%\System32 directory of your system:

For 32-bit:

  • NTLM: gssntlm.dll
  • Kerberos: gsskrb5.dll

For 64-bit x86:

  • NTLM: gx64ntlm.dll
  • Kerberos: gx64krb5.dll

The DLLs are available via the SNOTE 2115486.

When using Kerberos authentication, apply the Kerberos SNC settings to your SAP system as described in SAP Help - Single Sign-On with Microsoft Kerberos SSP.

Note: Before continuing, we recommend testing the connection between SAP and the client.

About SNC in ERPConnect

The R3Connection object automatically determines the required SNC DLL based on the SNCMechanism setting. With the SNCLibraryPath property you can specify the path to the SNC DLL manually. In this case the automatic detection of the DLL is disabled and the settings for SNCMechanism are ignored.

If you specify the SNCMechanism, you can choose between the NTLM and the Kerberos5 mechanism.
If the Kerberos authentication is not possible, NTLM is used automatically.

If you do not want to use the SNC properties to create a connection, set SNCEnabled to false. This disables all SNC settings without changing the other SNC parameters.

Samples

The following code examples show how to pass the necessary parameters for an SNC connection to an R3Connection object.


Using the SNC Mechanism:

using (R3Connection con = new R3Connection())
{
    con.Host = "sap-erp-as05.example.com";
    con.SystemNumber = 7;
    con.Client = "800";
    con.Language = "DE";
    con.SNCSettings.Enabled = true;
    con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
    con.SNCSettings.Mechanism = SNCMechanism.NTLM;
    con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

    con.Open();
    // define your application
}

Using individual SNC DLL path:

using (R3Connection con = new R3Connection())
{
    con.Host = "sap-erp-as05.example.com";
    con.SystemNumber = 7;
    con.Client = "800";
    con.Language = "DE";
    con.SNCSettings.Enabled = true;
    con.SNCSettings.PartnerName = "p:SAPServiceNSP@THEOBALD";
    con.SNCSettings.LibraryPath = @"C:\Windows\SysWOW64\sncgss32.dll";
    con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;

    con.Open();
    // define your application
}

Note: As of ERPConnect version 4.2.3 you can set a security level with the property QualityOfProtection.
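
The following added example (not part of the original ERPConnect documentation) combines the Prerequisites list with the LibraryPath override: it checks that the Kerberos SNC DLL for the current process bitness is present and pins it explicitly, so the connection fails instead of silently using NTLM. The class and method names are hypothetical, the ERPConnect namespace is assumed, and it is an assumption that the automatic NTLM fallback only applies while automatic DLL detection is active.

```csharp
using System;
using System.IO;
using ERPConnect; // assumed namespace of R3Connection

static class SncPreflight // hypothetical helper, not an ERPConnect type
{
    // DLL names are taken from the Prerequisites list on this page.
    public static string ResolveSncLibrary(bool kerberos)
    {
        string name = Environment.Is64BitProcess
            ? (kerberos ? "gx64krb5.dll" : "gx64ntlm.dll")
            : (kerberos ? "gsskrb5.dll" : "gssntlm.dll");

        // For a 32-bit process on 64-bit Windows, file system redirection
        // maps this directory to SysWOW64, so the 32-bit DLL is checked there.
        string path = Path.Combine(Environment.SystemDirectory, name);
        if (!File.Exists(path))
            throw new FileNotFoundException(
                "SNC library missing; see the SAP note listed under Prerequisites.", path);
        return path;
    }

    // Opens an SNC connection that can only load the Kerberos library.
    public static R3Connection OpenKerberosOnly(
        string host, int systemNumber, string client, string language, string partnerName)
    {
        var con = new R3Connection();
        try
        {
            con.Host = host;
            con.SystemNumber = systemNumber;
            con.Client = client;
            con.Language = language;
            con.SNCSettings.Enabled = true;
            con.SNCSettings.PartnerName = partnerName;
            // An explicit path disables automatic DLL detection; Mechanism is ignored.
            con.SNCSettings.LibraryPath = ResolveSncLibrary(kerberos: true);
            con.SNCSettings.QualityOfProtection = SNCQualityOfProtection.Maximum;
            con.Open();
            return con; // caller disposes the connection
        }
        catch
        {
            con.Dispose(); // do not leak a half-configured connection
            throw;
        }
    }
}
```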

NTLM

NTLM (abbreviation for NT LAN Manager) is an authentication procedure for computer networks.
NTLM performs the SSO authentication via a challenge-response authentication between the client and the server.

For more information on NTLM, see Microsoft Documentation - NTLM.

Kerberos

The Kerberos method uses a Kerberos server to authenticate the client.
The server creates so-called tickets and sends them to the client. The client authenticates itself with this ticket to the server.

For more information on Kerberos, see Microsoft Documentation - Kerberos Authentication.

Double Hop Problem

Double hop describes the passing of authentication information across two or more computers (hops).
For technical reasons NTLM only works with one hop. For security reasons Kerberos transmits authentication data only in one hop by default, but it can be configured to send data over two or more hops.

Example 1: If you use Xtract PPV as the consumer of the SAP data, it has to run on the same computer that Xtract PPV Server and PowerPivot run on. The domain controller and the SAP system can run on different computers. In this case you can also use NTLM and Kerberos.

Example 2: If you use Xtract PPV as the consumer for the SAP data and the Xtract PPV Server and PowerPivot run on different computers, you have to use Kerberos, which can be configured to handle the Double Hop Problem.
For more information on the Kerberos configuration, see Microsoft Techcommunity - Understanding Kerberos Double Hop.

For more information on the SSO configuration, see SAP Help - Single Sign-On Configuration.