Determining the RFC Connection string

Referring to a system in saplogon.ini (SAPLOGON_ID)

Referring to saplogon.ini (the file where SAP GUI stores logon information) is the preferable method of connecting, since it does not duplicate information which is already there. However, to be able to use this method, the saplogon.ini file must be in the search path (you can put it into a global location like C:\Windows\System32, in the same directory as your executable, or into some other folder contained in the %PATH%).

When using this method, you only need to set the parameter SAPLOGON_ID in the connection string:

You can find out the correct SAP System ID (SID) by looking at the "Description" property of the system's entry in SAP Logon:

Note that if your description contains spaces, you have to enclose the value in quotes, e.g. SAPLOGON_ID="NPL (Test)"

Connecting directly to application server (ASHOST and SYSNR)

To connect directly to a specific application server, you can use ASHOST (hostname) and SYSNR (instance number) parameters:

RfcSystemData.ConnectString="ASHOST=hostname_or_ip SYSNR=instancenumber"

Again, you can find the correct hostname and instance number by looking at the respective entry in SAP Logon:

Note: It is possible to configure the SAP system so that directly connecting to a specific application server is forbidden. In this case, you will receive an error message when trying to connect that way, and you have to use load balancing instead (see below).

Using load balancing through a message server (MSHOST and R3NAME)

Logon-time load balancing allows the administrator to distribute logins evenly between several application servers. It also makes it possible to configure a bigger system landscape transparently, since the client does not need to know the addresses of all application servers, but only the address of the message server (load balancer).

To connect to the SAP system through a load balancer, you need to set the parameters MSHOST (address of the load balancer) and R3NAME (System ID/name of SAP system). Additionally, you may also need to set the GROUP (logon group) and/or the MSSERV (service name of load balancer service) parameters.

RfcSystemData.ConnectString="MSHOST=hostname_or_ip R3NAME=system_id GROUP=logon_group"

Again, you can find the load balancer hostname and System Id by looking at the respective entry in SAP Logon:

Note: Since the load balancer is also called "message server" in SAP, the parameter names MSHOST and MSSERV are easily confused. MSHOST is the hostname of the message server (load balancer), and must always be supplied. MSSERV, on the other hand, is the service name of the message server, and is not needed in most cases.

Connections which require SAProuter

In some cases, SAP systems are not directly reachable by IP, but require a connection through an SAProuter instead. You can think of SAProuter as some sort of proxy for RFC connections. And, as with regular HTTP proxies, you can chain SAProuter connections.

To find out whether the connection to your system requires going through SAProuter, check whether the "SAProuter" field is filled in the connection entry in SAP Logon. A typical SAProuter string contains a hostname (/H/) and a port number (/S/); some SAProuter instances are also protected by a password (/W/):


As mentioned before, SAProuters can be chained; in that case the router strings are simply concatenated:


To use an SAProuter string in your connection string, you have to prepend the router string to the hostname of the application server or load balancer. That means if you connect directly to an application server, your connection string would look like this:

RfcSystemData.ConnectString="ASHOST=/H/ SYSNR=instance_id"

Alternatively, if you connect through load balancing, your connection string would look like this:

RfcSystemData.ConnectString="MSHOST=/H/ R3NAME=system_id GROUP=PUBLIC"
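Because a router string can carry a /W/ password, any connection string that embeds one should be masked before it reaches a log file or error report. The following Python sketch is an added example, not code from the original page or from the RFC library: it splits a chained router string into hops and redacts the passwords. The hostnames, port and password are constructed placeholders, and the parser assumes that hosts, ports and passwords contain no "/" character.

```python
import re

# /H/ = hostname, /S/ = port (service), /W/ = password, as described above.
_TOKEN = re.compile(r"/([HSW])/([^/]*)")

def parse_route(route):
    """Split an SAProuter string into hops, one dict per /H/ entry."""
    hops, pos = [], 0
    for m in _TOKEN.finditer(route):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}")
        pos = m.end()
        key, value = m.groups()
        if key == "H":
            if not value:
                raise ValueError("empty hostname after /H/")
            hops.append({"host": value, "port": None, "password": None})
        elif not hops:
            raise ValueError("/S/ or /W/ before the first /H/")
        elif key == "S":
            hops[-1]["port"] = value
        else:
            hops[-1]["password"] = value
    if pos != len(route):
        raise ValueError(f"unexpected text at offset {pos}")
    return hops

def redact_route(text):
    """Mask every /W/ password in a router or connection string."""
    return re.sub(r"(/W/)[^/\s\"]*", r"\1***", text)

# Constructed sample: two chained routers, then the application server.
SAMPLE = ("/H/router1.example/S/3299/W/s3cret"
          "/H/router2.example/S/3299/H/sapapp.example")

if __name__ == "__main__":
    for hop in parse_route(SAMPLE):
        print(hop["host"], hop["port"], "password set" if hop["password"] else "")
    print(redact_route(f"ASHOST={SAMPLE} SYSNR=01"))
```
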

Secure Network Connection (SNC) and Single Sign On (SSO)

Optionally, RFC connections can be cryptographically secured (SNC) and/or used for passwordless logon (Single Sign On). To enable SNC, add the parameter SNC_MODE=1 to the connection string.

Since the actual cryptography functions are not part of SAP GUI or the RFC library, it is also necessary to tell the library which cryptographic library to use. The name of (or the full path to) the library can be given with parameter SNC_LIB:

RfcSystemData.ConnectString="ASHOST= SYSNR=01 SNC_MODE=1 SNC_LIB=gsskrb5.dll"

If the cryptographic library is not in the PATH and you need to give the full path, and this path contains spaces, you must enclose the parameter with double quotes: SNC_LIB="C:\My Crypto Product\library.dll"

To enable Single Sign-On (SSO), you also need to supply the SNC_PARTNERNAME parameter. You can find out the correct partner name by looking at the "Connection" tab in the system properties:

If the partner name contains spaces or other special characters, it must also be quoted: SNC_PARTNERNAME="p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US"
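A pre-flight check can catch connection strings that leave SNC off or that lose part of a value to missing quotes. The Python sketch below is an added example, not part of the original page or the RFC library: its parser is a simplified model of the quoting rule described above (an assumption about how values are split), it inspects only the string itself, and all hostnames and the finding labels are constructed.

```python
import re

# Parameters named on this page; anything else is reported, not rejected.
KNOWN = {"SAPLOGON_ID", "ASHOST", "SYSNR", "MSHOST", "R3NAME", "GROUP",
         "MSSERV", "SNC_MODE", "SNC_LIB", "SNC_PARTNERNAME"}
TARGETS = [("SAPLOGON_ID",), ("ASHOST", "SYSNR"), ("MSHOST", "R3NAME")]
# KEY="quoted value" or KEY=bare_value (a bare value ends at whitespace).
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_connect_string(s):
    """Return {KEY: value}; quotes are stripped and keys upper-cased."""
    return {m.group(1).upper(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(s)}

def audit(s):
    """List the problems visible in the connection string itself."""
    p = parse_connect_string(s)
    findings = []
    if not any(all(p.get(k) for k in t) for t in TARGETS):
        findings.append("no-target")        # none of the three logon methods
    if p.get("SNC_MODE") != "1":
        findings.append("snc-off")          # connection not secured by SNC
    elif not p.get("SNC_LIB"):
        findings.append("snc-lib-missing")  # SNC on, no crypto library named
    for key in sorted(set(p) - KNOWN):
        findings.append("unknown:" + key)   # often an unquoted value with spaces
    return findings

# Constructed sample strings (hosts and system names are placeholders).
GOOD = ('ASHOST=sapapp.example SYSNR=01 SNC_MODE=1 SNC_LIB=gsskrb5.dll '
        'SNC_PARTNERNAME="p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US"')
UNQUOTED = ('MSHOST=msg.example R3NAME=NPL SNC_MODE=1 SNC_LIB=gsskrb5.dll '
            'SNC_PARTNERNAME=p:CN=sap01.host1, OU=TEST01')
PLAIN = 'ASHOST=sapapp.example SYSNR=01'

if __name__ == "__main__":
    for s in (GOOD, UNQUOTED, PLAIN):
        print(audit(s), parse_connect_string(s).get("SNC_PARTNERNAME"))
```

In the UNQUOTED sample the partner name is cut off at the first space and the remainder shows up as a stray OU parameter, which is the failure the quoting rule prevents.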