SAP Heartbeat and Password Changing

You can enable Secret Server to perform heartbeats and change passwords on SAP accounts by doing the following:

  1. Create a new privileged SAP account administrator secret, typically for the SAP or DDIC account which is used to log into SAP for administrative tasks.

  2. Select the SAP Account template and enter all required information to create the new SAP account administrator secret. By default, the Instance Number will be 00 and the Client Number will be 001.

    The default System ID for SAP is NSP.

  3. Create the account you are planning to change. Follow the same method as before and enter the current account password in the Password field.

  4. In your new SAP account administrator secret, set the privileged account in the Remote Password Changing tab.

  5. An account needs permissions in SAP to have its password changed, even when a privileged account is changing its own password.

Installing SAP .Net Connector

  1. Navigate to service.sap.com/connectors.
  2. Type your credentials for the SAP Marketplace.
  3. Select SAP Connector for Microsoft .NET.
  4. Download SAP .Net Connector 3.1 (located under NCo 3.1), choosing the appropriate bit mode for your application pool (64-bit mode for most customers).

  5. Install the downloaded file.
  6. Copy the sapnco.dll and sapnco_utils.dll files into the bin folder of your web application.

    For a distributed engine, add these files to the installation folder. Please see How to create an ignore file for Distributed Engine upgrades for details.
  7. Recycle the application pool. Once these steps are complete, heartbeats and password changing should work.
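
A pre-recycle check for steps 4 to 7, added here as an example and not taken from the product documentation: it confirms both connector DLLs are in the bin folder and that their bit mode matches the application pool before recycling. The `$BinFolder`, `$AppPoolName` and `-Recycle` parameters are placeholders for your environment, and the script assumes the DLLs are architecture-specific builds, as the bit-mode download choice implies.

```powershell
# Added example. $BinFolder and $AppPoolName are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $BinFolder,    # bin folder of the web application
    [Parameter(Mandatory)] [string] $AppPoolName,  # IIS application pool running it
    [switch] $Recycle                              # recycle the pool if all checks pass
)
Import-Module WebAdministration

function Get-PEBitness {
    param([string] $Path)
    # e_lfanew (offset 0x3C) locates the PE header; the COFF Machine field is 4 bytes in.
    $full     = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes    = [System.IO.File]::ReadAllBytes($full)
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [System.BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x8664  { return 64 }   # IMAGE_FILE_MACHINE_AMD64
        0x014C  { return 32 }   # IMAGE_FILE_MACHINE_I386
        default { throw ("Unexpected machine type 0x{0:X4} in {1}" -f $machine, $Path) }
    }
}

# A pool with enable32BitAppOnWin64 set loads 32-bit DLLs; otherwise 64-bit.
$is32     = (Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name enable32BitAppOnWin64).Value
$poolBits = if ($is32) { 32 } else { 64 }

$results = foreach ($name in 'sapnco.dll', 'sapnco_utils.dll') {
    $path = Join-Path $BinFolder $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $name; Present = $false; Bits = $null; MatchesPool = $false; Signature = $null }
        continue
    }
    $bits = Get-PEBitness -Path $path
    [pscustomobject]@{
        File        = $name
        Present     = $true
        Bits        = $bits
        MatchesPool = ($bits -eq $poolBits)
        # Signature status is reported for review only; no particular signer is assumed.
        Signature   = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
}
$results | Format-Table -AutoSize

if ($results.MatchesPool -contains $false) {
    Write-Warning "Connector DLLs are missing or do not match the ${poolBits}-bit application pool."
} elseif ($Recycle) {
    Restart-WebAppPool -Name $AppPoolName   # step 7: recycle so the DLLs are loaded
}
```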

Accounts can change their own SAP passwords just once per day. This is a restriction in the SAP software that cannot be changed. If an account needs its password to change more than once a day, use a privileged account to perform the reset.

If a heartbeat on an SAP secret fails with the Exception: PASSWORD_EXPIRED error, it likely means an administrator has reset the SAP account's password, and the account must log in and change its own password in SAP.

If issues arise, please verify the secret template is set up properly. See Configuring SAP SNC Account Secret Templates for more details.