The following section describes the required steps for setting up Single Sign-On (SSO) with Secure Network Communication (SNC) and Kerberos encryption in Xtract Universal.

Warning! Single Sign-On availability
ABAP application server has to run on a Windows OS and SNC with Kerberos encryption setup on SAP.

Activation of HTTPS in Xtract Universal #

  1. Enable access control protocol HTTPS (1) within the tab Web Server settings.
  2. Reference an existing X.509 certificate (2).
    HTTPS port 8165 is set up by default
  3. Click [OK] to confirm (3)
    XU_WebServerSettings_https

Configuration of Windows AD service account #

  1. Create a Windows AD service account for Xtract Universal (XU) Server. This is the account the XU service is running under (XU service account). XU_ServiceAccount
  2. In the Attribute editor tab define two Service Principal Names (SPN). Use the following notation <service class</<host<, e.g., HTTP/FQDN.domain.local:8165. XU_SSO_WinAD_SPN
  3. In the Delegation tab define the XU service account for constrained delegation - Use Kerberos Only. XU_SSO_WinAD_SPN
  4. Enter the SPN of the service account under which the SAP ABAP application server is running (SAP Service Account), e.g., SAPServiceERP/do_not_care For more detailed information about the partner name notation in SAP, see the SAP Help portal.
  5. In the tab Log On, change the account to XU service account, e.g., svc_xusrv@theobald.local. XU_SSO_WinAD_SPN

Xtract Universal Server Settings #

Warning! Incompatible library
Xtract Universal runs on 64bit OS only. Kerberos Wrapper Library gx64krb5.dll(64-Bit version) is required.
Download gx64krb5.dll from SAP Note 2115486.

  1. Copy the Kerberos Wrapper Library to the file system, e.g., to C:\SNC\gx64krb5.dll of the machine, where the Xtract Universal service is running.
  2. Place the downloaded .dll file on each machine, where the Xtract Universal Designer is running.
  3. Open “Computer Management” by entering the following command: compmgmt.msc.
  4. Under Local Users and Groups select Groups > Administrators.
  5. Click [Add] (4) to add the XU service account to the local admin group (5). XU_SSO_WinAD_SPN
  6. Open “Local Security policy” by entering the following command: secpol.msc. XU_SSO_LocSecPol
  7. Select [Local Policies > User Rights Assignment]
    • Act as part of the operating system
    • Impersonate a client after authentication
  8. Change the registry settings of the XU server machine:
Field Registry Entry
SubKey HKEY_LOCAL_MACHINE\SOFTWARE\SAP\gsskrb5
Entry ForceIniCredOK
Type REG_DWORD
Value 1

SAP Source Settings in Xtract Universal #

Note: An existing SAP connection to a Single Application Server or Message Server is the prerequisite for using SSO with SNC.

  1. In the main menu of the Designer, navigate to [Server > Manage Sources]. The window “Source Details” opens. XU_SSO_SAPSource
  2. Select an existing SAP source and click [Edit] (pencil symbol). Edit-SAP-source
  3. Enable the SNC option (1) in the subsection Authentication.
  4. Enable the checkbox Impersonate authenticated caller (SSO) (2).
  5. Enter the complete path of the Kerberos library in the field SNC library e.g., C:\SNC\gx64krb5.dll (3).
  6. Enter the SPN of the SAP service account in the field Partner name. Use the following notation: p:[SPN]@[Domain-FQDN-Uppercase] (4).
  7. Click [Test Connection] to verify your connection settings.
  8. Click [OK] to confirm.

Note: The SAP Logon Pad SNC settings for partner name differ from the ones used in Xtract Universal. SAP Logon Pad uses the UPN of the SAP service accounts and Xtract Universal uses the Service Principal Name (SPN). Use the following notation: p:[SAP Service Account]@[domain]. SPN’s are case sensitive in the SNC partner name.

SNC Activation in SAP #

In SAP, apply the Kerberos SNC settings as described in the SAP Help.