SAP GUI – SSO with Kerberos authentication on Windows

You can find many blogs and videos about setting up SSO with Kerberos authentication on SAP GUI. With “SNCWIZARD” this has become a really simple procedure.

SSO can be configured even if SAP is running on a different domain than your end user’s computer or even if it is not attached to a domain.
This is because SAP GUI acts as a communication agent between the SAP application and your AD, and there is no direct communication between the SAP application and AD for authentication.

  1. Upgrade the Cryptographic library to the latest level. See SAP Note 2450794 – How to update CommonCryptoLib in an ABAP system. The following files are extracted from the cryptographic library SAR files.

    Make sure that the Kernel is upgraded to the latest level, or at least that the above files are at the latest level.

  2. Check if you need to install the following SAP Notes based on your existing SAP support pack level:
    2516329 – “Kerberos library was not loaded” error when accessing SPNEGO transaction
    2304831 – Programs fail after CCL 8.5 is installed
  3. Create User Principal Names and corresponding Service Principal names on your Active Directory.
  4. Run transaction “SNCWIZARD”.
    Verify that all the relevant parameters are set appropriately.



    The wizard will tell you whether you need a restart in the next step:


    On the next screen you are directed to SPNEGO to enter the AD user and password.


    Complete the configuration wizard.


  5. Install SSO Login client on end user laptop.
    Test the connection to AD using SPNEGO transaction.
  6. Now you can map the SAP users to users from SU01.
  7. Now change the SAP GUI to use SSO.
    Now users should be able to log in to SAP without using User ID and Password.

Adobe Document Services – A complete guide

Below steps explain Adobe Document Services (ADS) configuration for SAP:

The ADS component runs on the NetWeaver JAVA stack of SAP, so you can use the JAVA stack of Solution Manager, PO/PI, Enterprise Portal, etc. to connect to any ABAP stack application for generating PDF documents.

Install ADS on a SAP NW JAVA system:

ADS is not installed on the JAVA instance by default. You must install it manually if it is not already installed on your SAP JAVA engine. Ensure that you install the right version for your NetWeaver stack.

Please refer to the blog post on installing the component using telnet.

Install required libraries if running on Linux:

If your JAVA application is running on Linux, ensure that you have installed the required libraries as per below SAP Notes:

2029940 – IFbA: Required additional RPM package for ADS on Linux

1956394 – Troubleshooting for ADS OS native module termination on Unix platform

If this is not done, you might receive the following error when running FP_PDF_TEST_00:

“ADS: com.adobe.ProcessingException: com.adobe.Processin(200101)”.

And you might see the following errors in the NWA logs:



Create users on JAVA:

Create user ADSUSER on JAVA engine with roles SAP_ADSCALLER and SAP_ADSMONITOR.

I suggest making this a technical user.

Create users on ABAP:

Create user ADSAGENT and assign roles ADSCALLERS, SAP_BC_FPADS_ICF and SAP_BC_FP_ICF.

Activate the required services from SICF:


Create Destination for ABAP server with name FP_ICF_DATA_<SID> from NWA.




Create RFC from your ABAP to JAVA:

Path Prefix: /AdobeDocumentServices/Config?style=rpc



You are now done with the configuration of ADS

Test your ADS configuration:

Run report FP_TEST_00 (SE38/SA38):





Run report FP_PDF_TEST_00 (SE38/SA38):







If you get errors in any of these tests recheck your configuration. Check if any user is locked.

Additional SAP Notes for ADS configuration and troubleshooting:

1780404 – ADS problem on Solaris 11

2226341 – How to activate ADS trace in NW 7.1 and higher? [Video]

1503408 – Central Note for ADS on NW730

2420614 – IFbA: Suppress ADS error message from FP_PDF_TEST_00

1675976 – Password pop-up in ADS

1462986 – ADS Load Balancing

2029940 – IFbA: Required additional RPM package for ADS on Linux

1177315 – ADS RFC destination test return 403 / 404 / 405 code


How to deploy a SCA package using Telnet

Telnet can be used to deploy an SCA file to the JAVA stack. This is the easiest and quickest way to deploy individual packages.

You can refer to SAP Note 1715441 for detailed instructions.

Key points to remember:

  1. Telnet port to connect to is 5<Instance Number>08.
  2. Use command lsc to list the available server nodes.
  3. Use command jump <server node> to connect to a particular node.
  4. Server node will get restarted during the deployment and you will get disconnected from the telnet session.
  5. Use get_result to get the result of the deployment. You may receive a "command not found" error when you run the command. This may be because the node is still coming up. Give it some time until the node is available again.


SAP Router Certificate Refresh

Procedure to refresh your expired SAP Router certificate with a new one. I have included some screenshots for better understanding.

Check the validity of your router certificate using the command below:

sapgenpse get_my_name


Usually the certificate is valid for only one year.

A. Log in to SAP Market Place to get the distinguished name of your router server:


Before executing the next steps, make sure that you have taken a backup of the complete SAPROUTER folder (or whichever directory contains your SAP Router). Then delete the following files from the SAPROUTER folder: local.pse, srcert, certreq and cred_v2.

B. Generate the certificate Request with the command:

sapgenpse get_pse -v -r certreq -p local.pse "<Distinguished Name>"

sapgenpse get_pse -v -r "E:\usr\sap\saprouter\certreq" -p local.pse "CN=myserver, OU=0000123456, O=saprouter, O=SAP, C=DE"
Got absolute PSE path “E:\usr\sap\saprouter\local.pse”.
Please enter PSE PIN/Passphrase: ****
Please reenter PSE PIN/Passphrase: ****

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

Supplied distinguished name: “CN=Myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE”
Creating PSE with format v2 (default)
certificate creation… ok
PSE update… ok
PKRoot… ok
Generating certificate request… ok.
Certificate Request
Signed Part
Subject :CN=Myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE”
Key type :rsaEncryption 
Key size :2048
Signature algorithm :sha256WithRsaEncryption 
Signature (size=”2048″) :<Not displayed>

You will be asked to enter the PIN twice. Make a note of the PIN, as you will be using it later.

C. Create SAP Router Certificate:

On SAP Market Place, select the certificate you want to generate the request for and continue:


Copy and paste the content of file “certreq” on the next screen (from beginning to end, with no spaces included).


Now your SAP Router certificate is ready. Copy the certificate from “Begin certificate” to “End Certificate” and paste the content to file named “srcert”, which must be created in the same directory as the sapgenpse executable.

D. Install the SAP router certificate

Install the certificate using the command below:

sapgenpse import_own_cert -c srcert -p local.pse

example output:

Please enter PIN:
CA-Response successfully imported into PSE “D:\usr\sap\saprouter\local.pse”

E. Create credentials for SAP router 

Execute below command to generate credentials for SAP Router.

sapgenpse seclogin -p local.pse -O <user_for_saprouter>

Example output:

running seclogin with USER=”routadm”
Please enter PIN:
Added SSO-credentials (#0) for PSE “E:\usr\sap\saprouter\local.pse”
“CN=myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE”

Note: The account of the saprouter user should always be entered in full <domainname>\<username>. If you do not enter a user here, credentials will be generated for currently logged in user.

This will create a file called “cred_v2” in the same directory as “local.pse”.

F. Check the certificate.

Execute below command to check the new validity of the certificate:

sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

And below command to check the validity:

sapgenpse get_my_name

Sample output:

SSO for USER “routadm”
with PSE file “E:\usr\sap\saprouter\local.pse”

Subject : CN=myserver, OU=000012345, OU=SAProuter, O=SAP, C=DE
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
KeyInfo : RSA, 2048-bit
Validity – NotBefore: Fri Mar 010 17:22:45 2017
NotAfter: Thu Mar 08 17:22:45 2018
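
An added example (not from the original post): a small Python check that parses `sapgenpse get_my_name` output in the layout shown above and reports an unexpected issuer or an approaching expiry, so the yearly renewal is not missed. The sample text is constructed, and the function names and the 30-day warning window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `sapgenpse get_my_name` output above.
SAMPLE = """\
Subject : CN=myserver, OU=0000123456, OU=SAProuter, O=SAP, C=DE
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Fri Mar 10 17:22:45 2017
NotAfter: Thu Mar 08 17:22:45 2018
"""

EXPECTED_ISSUER_CN = "CN=SAProuter CA"  # issuer name given in step F
DATE_RE = r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"

def parse_pse_info(text):
    """Pull subject, issuer, key info and validity dates out of the output."""
    info = {}
    for key in ("Subject", "Issuer", "KeyInfo"):
        m = re.search(rf"^\s*{key}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        if m:
            info[key] = m.group(1)
    for key in ("NotBefore", "NotAfter"):
        m = re.search(rf"{key}:\s*{DATE_RE}", text)
        if m:
            # Collapse padding so "Mar  8" and "Mar 08" both parse.
            stamp = " ".join(m.group(1).split())
            info[key] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return info

def check_router_cert(text, now, warn_days=30):
    """Return findings; an empty list means issuer and validity look fine."""
    info = parse_pse_info(text)
    missing = [k for k in ("Issuer", "NotBefore", "NotAfter") if k not in info]
    if missing:
        return ["could not parse: " + ", ".join(missing)]
    findings = []
    if not info["Issuer"].startswith(EXPECTED_ISSUER_CN + ","):
        findings.append("unexpected issuer: " + info["Issuer"])
    if now < info["NotBefore"]:
        findings.append("certificate is not yet valid")
    elif now > info["NotAfter"]:
        findings.append(f"expired {(now - info['NotAfter']).days} days ago")
    elif info["NotAfter"] - now < timedelta(days=warn_days):
        findings.append(f"expires in {(info['NotAfter'] - now).days} days")
    return findings

if __name__ == "__main__":
    print(check_router_cert(SAMPLE, datetime.now()) or "certificate OK")
```

Feed it the captured output of `sapgenpse get_my_name` from a scheduled job and alert when the returned list is not empty.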

Client Copy – Performance improvement

Remote client copy from Production client to Quality? Not a good idea!

If you want to know why it is not a good idea, refer to SAP Note “489690 – CC INFO: Copying large production clients”.

But sometimes it is necessary in order to fulfill a requirement.

Let's look at some points that can help improve the performance of copies.

Some other important notes below:

541311 – CC-INFO: Parallel processes FAQ

24853 – CC-INFO: Client copy, functionality

557132 – CC-TOPIC: Remote client copy

It's best to lock the source and target clients until the activities are done. But again, “if it is Production”!

If the production client cannot be locked choose a low usage time frame.

  1. Empty the largest/most time-consuming tables individually.

This saves a lot of time during client delete. You should know these tables already from the large table list of previous client copy logs.

Do not bother about these if you are planning to skip these from the copy.

SE14 –> Table Name

You can run deletion of multiple tables together.

Monitor the progress using SM37.

  2. Settings for Client Delete/Copy.

Below are generic settings for client delete and also the Client Copy.

SCC5/SCCL/SCC8/SCC9 –> Expert Settings

Skip Empty tables:

Mark your big tables. Save the Biggest one for next step:

Add the biggest one in here:

Exclude the tables that you do not want to be Deleted or Copied here

Ensure that you provide the maximum number of parallel processes for the copy.

  3. Delete the Source Client.


Make sure you are logged in to the client you want to delete:

Monitor the progress from SCC3.

  4. Perform Local/Remote Client copy or Export/Import.