Hi Wolfgang,
I thought you were answering Tim's original message (second sentence): [...]"Is there a report, or some other way to get a list of user authentications over a period of time (e.g. during last 7 days) and indicate whether the user has authenticated using SNC, using an SSO2 ticket or via a SAP userid and password ?"[...]. So this was about reporting. Sorry.
At SAP you are in quite a fairy-tale world concerning SNC. One domain, central client management, SAP system owners trusting AD security so you can do Kerberos-based SNC including SSO, external personnel that have access via virtual desktops. Quite idyllic. As soon as you leave this environment, roads get very winding and full of potholes. E.g. SAP's GUI people implemented note 2138335 and the confirmed reason is that SNC is unreliable (e.g. people forget or break their smart cards in an X.509-token scenario).
And as soon as you use an SAP fat client other than GUI with SNC but without SSO, you will find out that you are the first one who ever tested this (well, the second, because I was the first one).
On these bumpy roads we are in need of every tool we can get. The reporting you mention has reached only a small fraction of systems of the real world. So we are in need of an API to write our own reporting in older systems.
SAP people unfortunately regularly underestimate SNC complexity in large real world environments because they have such a dreamlike IT infrastructure "at home".
I would be glad to invite you to a deeper dive into the real world using PM, email or a phone call if you like.
SAP is the only company in the world that can set the parameters of 1690662 because they have their supporters in-house so they can use Kerberos-based SNC.
The most probable solution for reliable DIAG and RFC encryption would be if SAP fully implemented RFC 2743 including chapter 1.2.5: Anonymity Support.
Regards,
Lutz