Safeguard Authentication Services 4.1.5 - Single Sign-on for SAP Integration Guide

Create the license CAB file

To create the license CAB file

  1. Locate your license file and rename it to:

    Quest-QAS-GSSAPI-for-SAP.asc

  2. Run the following command:
    makecab.exe Quest-QAS-GSSAPI-for-SAP.asc license.cab

    Note: You may need to download makecab.exe if it is not available on your system.

    This creates a file called license.cab.

  3. Copy license.cab to the directory containing the qas-sso-for-sap-<version>.msi and qas-sso-for-sap.mst files.

Silent install

To deploy Single Sign-on for SAP through Group Policy silently

  1. Open a command prompt window and navigate to the directory containing the qas-sso-for-sap-<version>.msi, qas-sso-for-sap.mst and license.cab files.
  2. Execute the following command:
    msiexec /i "qas-sso-for-sap-<version>.msi" TRANSFORMS="qas-sso-for-sap.mst" /qb

Configuring the SAP GUI client on Windows XP

To configure the SAP GUI client on Windows XP

  1. Verify that the environment variable SNC_LIB contains the path to qgsskrb5.dll.

    The library is located in the folder where you installed Single Sign-on for SAP.

  2. Run the SAPlogon application.
  3. Select a server connection and click Change Item to open the properties.

    The SAP GUI client should already be installed and configured for normal password-based authentication.

  4. Click the Advanced button to open the Advanced Options.

  5. Select Enable Secure Network Communication to enable SNC.
  6. In the SNC Name box, enter the KPN of the SAP Server. For example, enter:
    p:sAMAccountName@realm

    This is the same KPN that was used for the SAP instance profile key snc/identity/as, as described in Enabling SNC on the SAP server.

  7. Select the Max. Available option to enable single sign-on as well as data integrity and encryption for all of the traffic between the SAP GUI client and the R3 server.
  8. Click OK to save these settings.

    You can now click the server name in SAPlogon to log onto the server without being prompted for a user name or password.

    Once you have configured the server connection to use SNC, you can create desktop shortcuts using SAPlogon. Shortcuts normally require a password either to be included with the shortcut (not recommended) or to be entered by the user when the shortcut is activated. With SNC activated, however, it is only necessary to enter an arbitrary value (a single letter will do) in the password field of the shortcut. This value is not actually used for authentication, because the SAP system attempts authentication using GSS-API first.

    The use of SNC and shortcuts allows SAP administrators to create desktop icons for users that will launch them directly into specific SAP applications, securely authenticating without the use of passwords.
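
The check in step 1 can be scripted before rolling the SNC settings out to users. The following is an added example, not part of the vendor guide or product: the function name Test-SncLibrary and its output fields are chosen for this example. It reports where SNC_LIB points in each scope, whether the file exists, and the file's Authenticode status and SHA-256 hash so they can be compared with the copy installed by Single Sign-on for SAP.

```powershell
# Added example (not vendor code). Test-SncLibrary is a name chosen for this example.
# Get-FileHash requires PowerShell 4.0 or later.
function Test-SncLibrary {
    param([string]$ExpectedName = 'qgsskrb5.dll')

    foreach ($scope in 'Machine', 'User') {
        # A User-scope value takes precedence over the Machine-scope value
        # for that user's processes, so both scopes are reported.
        $raw = [Environment]::GetEnvironmentVariable('SNC_LIB', $scope)
        if ([string]::IsNullOrEmpty($raw)) { continue }

        $path   = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = $null
        $hash   = $null
        if ($exists) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Scope       = $scope
            SncLib      = $path
            NameMatches = ((Split-Path -Leaf $path) -ieq $ExpectedName)
            Exists      = $exists
            Signature   = if ($sig) { $sig.Status } else { 'n/a' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256      = $hash
        }
    }
}

$report = @(Test-SncLibrary)
if ($report.Count -eq 0) {
    Write-Warning 'SNC_LIB is not set at Machine or User scope.'
} else {
    $report | Format-List
    $bad = $report | Where-Object { -not ($_.Exists -and $_.NameMatches) }
    if ($bad) {
        Write-Warning 'SNC_LIB does not point to an existing qgsskrb5.dll in at least one scope.'
    }
}
```

A User-scope entry that differs from the Machine-scope entry is worth reviewing, since SAP GUI loads whichever library the logged-on user's SNC_LIB resolves to.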

Configuring the SAP GUI client on Windows Vista and above

To configure the SAP GUI client on Windows Vista

  1. Open SAP GUI Logon 7.10 and click New Item.

    The Create New System Entry screen displays.

  2. Select User Specified System and click Next.

  3. Ensure the connection type is Custom Application Server.
  4. Enter the appropriate information in the Application Server, System Number, and System ID boxes and click Next.

  5. Select the Activate Secure Network Communication option and enter the Kerberos Principal Name (KPN) of the SAP Server and click Next.

    For example, enter:

    p:sAMAccountName@realm

    Use the same KPN that you used for the SAP instance profile key snc/identity/as, as described in Enabling SNC on the SAP server.

  6. Leave the defaults on this view and click Finish.

    The new item you created now appears in SAP GUI Logon.

  7. Click Logon and log in as a user who is set up to use SNC.