Windows Integrated Authentication via Kerberos on an LDAP data source

<b>Windows Integrated Authentication – what it really means

</b>

The above diagram should pretty concisely depict a layman’s concept of Windows Integrated Authentication. Users will logon to the Windows Domain and this will allow them seamless access to the Enterprise Portal and subsequently to SAP-based Applications without any additional logons

Windows Integrated Authentication using Kerberos Authentication for Single-Sign On

When you use Kerberos, authentication is performed by several systems, which negotiate the outcome of the authentication process transparently for the user. At a minimum, Kerberos authentication involves the following systems:

• Web client – the Web client requests a service or a resource from the J2EE Engine and authenticates against the Kerberos Key Distribution Center.
• Kerberos Key Distribution Center (KDC) – the KDC authenticates the Web client and grants a Kerberos Client/Server Session Ticket that is used for the communication between the J2EE Engine and the Web client. To authenticate the Web client, the KDC uses a Kerberos user data store, which can also be the UME data store of the J2EE Engine.
• SAP Web AS Java – the J2EE Engine of the SAP Web AS Java uses the User Management Engine (UME) to retrieve the identity management information for the authenticated the Web client request. Subsequently, the J2EE Engine provides access to the services or resources requested by the Web client.

The systems involved in the Kerberos authentication process share user information.

Therefore, to authenticate J2EE Engine access requests with Kerberos you have to configure several systems including the KDC, the J2EE Engine and its UME, as well as the Web client. In addition, the J2EE Engine uses Kerberos functions available from your Java Development Kit (JDK) and the actual J2EE Engine configuration depends on the underlying JDK you use. Configurations here are based on the SUN JDK 1.4.2_11 on Solaris and SUN ONE LDAP

Kerberos Key Distribution Center (KDC) Configuration

Before proceeding, it would be advisable to download Kerbtray.exe (available from Microsoft). Kerbtray can be installed on your desktop and is a GUI tool that displays ticket information for a computer running the Microsoft implementation of Kerberos V5 protocol.

Some critical definitions before we begin this would greatly help as you dig deeper into Kerberos documentations from MIT

SPN – Service Principal Name – J2EE Engine is known to the KDC as a service by its Service Principal Name (SPN).

KDC – is used for authenticating the client and issuing the Kerberos Client/Server Session Ticket for the communication between the Web client and the SAP Web AS Java. Typically the KDC can be any one of your Domain
Controllers

Let’s Begin

Create a service user in the user directory used by the KDC. This user represents a J2EE instance running on a specific host and must meet the following requirement – The password of the service user must never expire

Configuration on Windows Domain Controller

Importing into J2EE and Testing Configurations

—-

[domain_realm]
  .domain.dom = DOMAIN.DOM

  default_keytab_name = /etc/krb5/krb5.keytab
  default_realm = DOMAIN.DOM
  dns_lookup_kdc = true
  default_tgs_enctypes=des-cbc-md5;des-cbc-crc
  default_tkt_enctypes=des-cbc-md5;des-cbc-crc


  DOMAIN.DOM = {
     admin_server = —-

Using a command line, enter the command that corresponds to your host –
$JAVA_HOME/bin/klist –e –f –k –K /etc/krb5/krb5.keytab
You will see something like this, if you get this, you just passed your first hurdle.

Output

Key tab: keytab, 2 entries found.
Service principal: HTTP/portal.domain.dom@DOMAIN.DOM
         KVNO: 1
         Key type: 3
         Key: 0xefe125cfe09c59fd

Service principal: host/portal.domain.dom@DOMAIN.DOM
         KVNO: 1
         Key type: 3
         Key: 0x2fa8dda2b24fe502
</p>

J2EE Engine Properties

Do this next: ConfigTool > Cluster Data > Instance ID > Server > General Tab. Add the following Java Parameters

– Djavax.security.auth.useSubjectCredsOnly=false
– Djava.security.krb5.conf=/etc/krb5.conf
– Dsun.security.krb5.debug=true
Restart the Cluster

Making Your UME Configuration

Before configuring Kerberos Authentication with an LDAP data source, ensure that existing UM configuration with an LDAP data configuration is working and you are able to use the existing LDAP as a data source.
Configuration below is a typical configuration for SUN ONE

If this works natively, now you are ready to make your modifications to allow for Kerberos and you can switch the UM data source back if Kerberos does not work

Download the data source configuration file from Configtool Configuration Editor via Cluster Data > Server > Persistent > com.sap.security.core.ume.service

Open the data source configuration file with your favourite XML editor and add a new attribute “kpnprefix” via the following lines as shown in the diagram below (under the responsibleFor section of the LDAP data source)

!https://weblogs.sdn.sap.com/weblogs/images/49026/image010.jpg|height=61|alt=image|width=577|src=https://weblogs.sdn.sap.com/weblogs/images/49026/image010.jpg|border=0!

Perform the mapping of “kpnprefix” to the LDAP attribute for user id. In this case, it’s
uid. It could sometimes be logonid or cn. See figure below

Save the configuration file into another name that you can identify. In this example I used dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml

Upload this file by right-clicking on com.sap.security.ume.service and selecting File-entry and giving it a name that is identical to the filename

The final result should be something like this

Exit the Configuration Editor and go to Security Provider service under Global Server Configuration

Add the krb5principalname under ume.admin.addattrs (you are essentially defining an additional attribute for a user) and switch the ume.persistence.data_source_configuration to the new data source configuration file (dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml) in this case.
Up to this point, you have completed configuring the UME of the portal to a new configuration file and mapped the “kpnprefix” attribute to the LDAP attribute uid
To be consistent, update the UM Configuration on your portal by uploading the data source configuration file

Logon to the portal and upload the new configuration file via System Administration > System Configuration > UM Configuration > Upload. You will notice that the Data Source field will be switched to Other (this is normal)

Logon Stack Configuration based on the Ticket Authentication Template

Now it gets interesting ! Authentication Schemes are a little outside the scope of this document, but to gain a quick understanding, check your authschemes.xml via
Configtool.

You will notice that by default the uidpwdlogon, basicauthentication Authentication Schemes is assigned to the Authentication Template “Ticket” and the default Authentication Schemes that the portal will use is uidpwdlogon

Logon to Visual Administrator, under Server > Services > Security Provider.
Modify Ticket Authentication Template to include the following Login Modules and also the following Options.

com.sap.security.core.server.jaas.EvaluateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
com.sap.security.core.server.jaas.SPNegoLoginModule, Flag as Optional
ume.sap.spnego.uid.resolution.mode = prefixbased
com.sap.spnego.uid.resolution.attr = kpnprefix
com.sap.spnego.jgss.name = HTTP/portal.domain.dom@DOMAIN.DOM
com.sap.spnego.creds_in_thread = true
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
BasicPasswordLoginModule, Flag as Requisite
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Optional
Ume.configuration.active = true

Note that the SPNegoLoginModule is only provided from SP15 onwards
Click on the User Management tab and click on Manage User Store and create 2 additional Login Modules:
Krb5LoginModule and MappingModule

Create Krb5loginModule with the following parameters: Class name : com.sun.security.auth.module.Krb5LoginModule
Create MappingModule with the following parameters: Class name:com.sap.security.core.server.jaas.SPNegoMappingModule

Click back to Policy Configurations and create the com.sun.security.jgss.accept Login Module Stack. Within this stack include the following Login Modules

com.sun.security.auth.module.Krb5LoginModule
keytab = /etc/krb5/krb5.keytab
useKeyTab = true
debug = true
doNotPrompt = true
storeKey = true
principal = HTTP/portal.domain.dom@DOMAIN.DOM”>HTTP/portal.domain.dom@DOMAIN.DOM
useTicketCache = true
com.sap.security.core.server.jaas.SPNegoMappingLoginModule
com.sap.spnego.uid.resolution.attr = krb5principalname

When everything is done, it should look like this:

!https://weblogs.sdn.sap.com/weblogs/images/49026/image16a.JPG|height=102|alt=image|width=570|src=https://weblogs.sdn.sap.com/weblogs/images/49026/image16a.JPG|border=0!



Restart the Cluster at this point. When Cluster is fully operational, create a Service User on Web AS. Do this via the User Admin Quick Link
(/useradmin)
Scroll down to the bottom and you will notice the krb5principalname attribute. Enter the Kerberos Principal Name here
(HTTP/portal.domain.dom@DOMAIN.DOM )

Logon to Visual Administrator and check that the selection No Password Change required is checked (very important !)

Modify your Internet Explorer Security Option

Go to Tools > Internet Options > Advanced > Security and enable “Enable Windows Integrated Authentication”

The site that physically runs the J2EE engine must be explicitly added as a local Intranet Site. Navigate to Tools > Internet Options > Security > Local Intranet > Sites > add http://portal.domain.dom to the list.
Logoff from your desktop and Login to the desktop and the Windows Domain

Give yourself a pat on the back !!!

Test and Conclusion

Launch your browser enter the URL of your portal server (for a dramatic effect, use the Portal URL as the
browser’s home page) You will be logged-in and your welcome page with your corresponding Role will be displayed. Take
a deep breath and reflect !

Why would you use a non-ADS data Source ?

People have asked me why would I use a non-ADS data source. I would be hard pressed for an answer, I guess I would prefer to work with LDAP as opposed to ADS
However, a compelling scenario would be when you would want to enable both internal (LAN) and external (from the Internet) access to your portal. An unknown or external user could technically lock up your user id on ADS with multiple logon attempts. Don’t think your NT Administrator would like that very much. 
Hopefully  we’ll soon see a blog on password synchronising between ADS and LDAP