Windows Integrated Authentication via Kerberos on an LDAP data source
<b>Windows Integrated Authentication – what it really means
The above diagram should pretty concisely depict a layman’s concept of Windows Integrated Authentication. Users will logon to the Windows Domain and this will allow them seamless access to the Enterprise Portal and subsequently to SAP-based Applications without any additional logons
Windows Integrated Authentication using Kerberos Authentication for Single-Sign On
When you use Kerberos, authentication is performed by several systems, which negotiate the outcome of the authentication process transparently for the user. At a minimum, Kerberos authentication involves the following systems:
- Web client – the Web client requests a service or a resource from the J2EE Engine and authenticates against the Kerberos Key Distribution Center.
- Kerberos Key Distribution Center (KDC) – the KDC authenticates the Web client and grants a Kerberos Client/Server Session Ticket that is used for the communication between the J2EE Engine and the Web client. To authenticate the Web client, the KDC uses a Kerberos user data store, which can also be the UME data store of the J2EE Engine.
- SAP Web AS Java – the J2EE Engine of the SAP Web AS Java uses the User Management Engine (UME) to retrieve the identity management information for the authenticated the Web client request. Subsequently, the J2EE Engine provides access to the services or resources requested by the Web client.
The systems involved in the Kerberos authentication process share user information.
Therefore, to authenticate J2EE Engine access requests with Kerberos you have to configure several systems including the KDC, the J2EE Engine and its UME, as well as the Web client. In addition, the J2EE Engine uses Kerberos functions available from your Java Development Kit (JDK) and the actual J2EE Engine configuration depends on the underlying JDK you use. Configurations here are based on the SUN JDK 1.4.2_11 on Solaris and SUN ONE LDAP
Kerberos Key Distribution Center (KDC) Configuration
Before proceeding, it would be advisable to download Kerbtray.exe (available from Microsoft). Kerbtray can be installed on your desktop and is a GUI tool that displays ticket information for a computer running the Microsoft implementation of Kerberos V5 protocol.
Some critical definitions before we begin this would greatly help as you dig deeper into Kerberos documentations from MIT
SPN – Service Principal Name – J2EE Engine is known to the KDC as a service by its Service Principal Name (SPN).
KDC – is used for authenticating the client and issuing the Kerberos Client/Server Session Ticket for the communication between the Web client and the SAP Web AS Java. Typically the KDC can be any one of your Domain
Controllers
Let’s Begin
Create a service user in the user directory used by the KDC. This user represents a J2EE instance running on a specific host and must meet the following requirement – The password of the service user must never expire
Configuration on Windows Domain Controller
Importing into J2EE and Testing Configurations
—-
[domain_realm]
.domain.dom = DOMAIN.DOM
default_keytab_name = /etc/krb5/krb5.keytab
default_realm = DOMAIN.DOM
dns_lookup_kdc = true
default_tgs_enctypes=des-cbc-md5;des-cbc-crc
default_tkt_enctypes=des-cbc-md5;des-cbc-crc
DOMAIN.DOM = {
admin_server = —-
Using a command line, enter the command that corresponds to your host –
$JAVA_HOME/bin/klist –e –f –k –K /etc/krb5/krb5.keytab
You will see something like this, if you get this, you just passed your first hurdle.
Output
Key tab: keytab, 2 entries found.
Service principal: HTTP/portal.domain.dom@DOMAIN.DOM
KVNO: 1
Key type: 3
Key: 0xefe125cfe09c59fd
Service principal: host/portal.domain.dom@DOMAIN.DOM
KVNO: 1
Key type: 3
Key: 0x2fa8dda2b24fe502
</p>
J2EE Engine Properties
Do this next: ConfigTool > Cluster Data > Instance ID > Server > General Tab. Add the following Java Parameters
– Djavax.security.auth.useSubjectCredsOnly=false
– Djava.security.krb5.conf=/etc/krb5.conf
– Dsun.security.krb5.debug=true
Restart the Cluster
Making Your UME Configuration
Before configuring Kerberos Authentication with an LDAP data source, ensure that existing UM configuration with an LDAP data configuration is working and you are able to use the existing LDAP as a data source.
Configuration below is a typical configuration for SUN ONE
If this works natively, now you are ready to make your modifications to allow for Kerberos and you can switch the UM data source back if Kerberos does not work
Download the data source configuration file from Configtool Configuration Editor via Cluster Data > Server > Persistent > com.sap.security.core.ume.service
Open the data source configuration file with your favourite XML editor and add a new attribute “kpnprefix” via the following lines as shown in the diagram below (under the responsibleFor section of the LDAP data source)
Perform the mapping of “kpnprefix” to the LDAP attribute for user id. In this case, it’s
uid. It could sometimes be logonid or cn. See figure below
Save the configuration file into another name that you can identify. In this example I used dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml
Upload this file by right-clicking on com.sap.security.ume.service and selecting File-entry and giving it a name that is identical to the filename
The final result should be something like this
Exit the Configuration Editor and go to Security Provider service under Global Server Configuration
Add the krb5principalname under ume.admin.addattrs (you are essentially defining an additional attribute for a user) and switch the ume.persistence.data_source_configuration to the new data source configuration file (dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml) in this case.
Up to this point, you have completed configuring the UME of the portal to a new configuration file and mapped the “kpnprefix” attribute to the LDAP attribute uid
To be consistent, update the UM Configuration on your portal by uploading the data source configuration file
Logon to the portal and upload the new configuration file via System Administration > System Configuration > UM Configuration > Upload. You will notice that the Data Source field will be switched to Other (this is normal)
Logon Stack Configuration based on the Ticket Authentication Template
Now it gets interesting ! Authentication Schemes are a little outside the scope of this document, but to gain a quick understanding, check your authschemes.xml via
Configtool.
You will notice that by default the uidpwdlogon, basicauthentication Authentication Schemes is assigned to the Authentication Template “Ticket” and the default Authentication Schemes that the portal will use is uidpwdlogon
Logon to Visual Administrator, under Server > Services > Security Provider.
Modify Ticket Authentication Template to include the following Login Modules and also the following Options.
com.sap.security.core.server.jaas.EvaluateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
com.sap.security.core.server.jaas.SPNegoLoginModule, Flag as Optional
ume.sap.spnego.uid.resolution.mode = prefixbased
com.sap.spnego.uid.resolution.attr = kpnprefix
com.sap.spnego.jgss.name = HTTP/portal.domain.dom@DOMAIN.DOM
com.sap.spnego.creds_in_thread = true
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
BasicPasswordLoginModule, Flag as Requisite
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Optional
Ume.configuration.active = true
Note that the SPNegoLoginModule is only provided from SP15 onwards
Click on the User Management tab and click on Manage User Store and create 2 additional Login Modules:
Krb5LoginModule and MappingModule
Create Krb5loginModule with the following parameters: Class name : com.sun.security.auth.module.Krb5LoginModule
Create MappingModule with the following parameters: Class name:com.sap.security.core.server.jaas.SPNegoMappingModule
Click back to Policy Configurations and create the com.sun.security.jgss.accept Login Module Stack. Within this stack include the following Login Modules
com.sun.security.auth.module.Krb5LoginModule
keytab = /etc/krb5/krb5.keytab
useKeyTab = true
debug = true
doNotPrompt = true
storeKey = true
principal = HTTP/portal.domain.dom@DOMAIN.DOM”>HTTP/portal.domain.dom@DOMAIN.DOM
useTicketCache = true
com.sap.security.core.server.jaas.SPNegoMappingLoginModule
com.sap.spnego.uid.resolution.attr = krb5principalname
When everything is done, it should look like this:
!https://weblogs.sdn.sap.com/weblogs/images/49026/image16a.JPG|height=102|alt=image|width=570|src=https://weblogs.sdn.sap.com/weblogs/images/49026/image16a.JPG|border=0!
Restart the Cluster at this point. When Cluster is fully operational, create a Service User on Web AS. Do this via the User Admin Quick Link
(/useradmin)
Scroll down to the bottom and you will notice the krb5principalname attribute. Enter the Kerberos Principal Name here
(HTTP/portal.domain.dom@DOMAIN.DOM )
Logon to Visual Administrator and check that the selection No Password Change required is checked (very important !)
Modify your Internet Explorer Security Option
Go to Tools > Internet Options > Advanced > Security and enable “Enable Windows Integrated Authentication”
The site that physically runs the J2EE engine must be explicitly added as a local Intranet Site. Navigate to Tools > Internet Options > Security > Local Intranet > Sites > add http://portal.domain.dom to the list.
Logoff from your desktop and Login to the desktop and the Windows Domain
Give yourself a pat on the back !!!
Test and Conclusion
Launch your browser enter the URL of your portal server (for a dramatic effect, use the Portal URL as the
browser’s home page) You will be logged-in and your welcome page with your corresponding Role will be displayed. Take
a deep breath and reflect !
Why would you use a non-ADS data Source ?
People have asked me why would I use a non-ADS data source. I would be hard pressed for an answer, I guess I would prefer to work with LDAP as opposed to ADS
However, a compelling scenario would be when you would want to enable both internal (LAN) and external (from the Internet) access to your portal. An unknown or external user could technically lock up your user id on ADS with multiple logon attempts. Don’t think your NT Administrator would like that very much.
Hopefully we’ll soon see a blog on password synchronising between ADS and LDAP
Personally I prefer soluions like SAML, they are more transparent to the client.
Bernd
Unfortunately, I don't think it works for Firefox.
This is a limitation of Kerberos and SPNego, that it is not recommended for large scale over-the-Internet deployment.
It will only be ideal on an Intranet - where you have a dictatorial control over end-user browsers 🙂
SPNego does work with firefox, only the browser side config is a bit more menial.
Here's a link that shows what you have to do to enable it:
http://www.mozilla.org/projects/netlib/integrated-auth.html
Quick one, just off the cuff:
pref("network.negotiate-auth.trusted-uris", site-list);
pref("network.negotiate-auth.delegation-uris", site-list);
Where are these set ?
when you open up Mozilla Firefox, just type "about:config" in the address bar. Thereby you'll see all configurable options for the browser. I think they are in alphabetical order, so just scroll down to the n-section, and you'll find them there...
Regards,
Yonko
We have a couple of users who insist on using Mac...
Any tips?
Brgds,
Caroline
It should work for Mac on Mozilla, if that's the case.
* IE as the Browser
* a Servlet application running on SAP JAVA WEB AS, communicating via JCO with SAP R/3
* SAP R/3 username are the same as windows accounts
we want the Servlet application to connect to SAP R/3 with the windows account of the machine hosting the browser, and we don't want the user to enter the windows domain username/password
Can Kerberos be useful ?
Thx
(!)
we have ECC6.0 (ABAP+JAVA),BI+EP(ABAP+JAVA) 7.0 environment which is already integrated SSO Logon ticket.Now we wanted to Implement Kerboros authentication so that user should not get portal login credentials>it should login automatically
Can you please suggest step by step what can be done at domain controller side and Portal server .Because our client is fully secured , we need to give proper information so that they will create ADS user and Keytab file.
Thanks in advance,
Kristene
does it work with JDK of HP vendor? or it is just for SUN/IBM?
We run HP-UX 11.23 (64 bit) and HP JDK 1.4.2_11
Thanks again for your answer.
H+.
we have a lot of productive EP 7.0 servers which have been using SPNego for a while. All of these portal servers run on Windows 2003 Server and have Sun J2SE 1.4.2_13. I, therefore, didn´t get any problem upon implementing SPNego on them.
But to my very regret, SPNego doesn´t function with our first portal system which was installed on HP-UX IA64 with HP J2SE 1.4.2_11 two weeks ago although I did install SPNego exactly like I had done on all of my NT portal servers. For this reason, I took a look at the PAM for SAP NetWeaver 7.0 on the SAP Marketplace again and found out Sun J2SE isn´t released for HP-UX by SAP. According to the SAP note 994791, SPNego is only supported for Sun JDK and IBM JDK. My problem is, you can neither find the Sun JDK version for HP-UX at java.sun.com nor at the SAP Marketplace.
To sum up, I am creating a ticket at SAP Marketplace in relation to SPNego for portal systems running on HP-UX now. Have you ever got any new information concering this topic?
Best regards,
Tho Pham-Tran
Kerberos SSO does function with JDK of HP Vendor on HP-UX. We have got it successfully.
Best regards,
Tho
Thnks
Your blog was a useful resource while we did your LDAP SAP integration.
We are running ldap_rfc on the apps servers of our Sol Man system (SMP)
to run LDAPConnector.
Following are the connect strings:
d:\usr\sap\SMP\D01\exe ldap_rfc –a LDAP_RFC –x sapgw01 –g sfrncorssm41
We are successful in replication all directory users onto SAP user
management.
When we are trying to run this LDAP_RFC into a windows service using
sc install "ldap.bat -log none" -b c:\ldap.bat -p service
(the ldap.bat file containing - ldap_rfc –a LDAP_RFC –x sapgw01 –g
sfrncorssm41), we are getting the below error:
“sc install – unrecognized command”
Please advise.
Thanks in advance,
Abdul
First I would like to thank you for this wonderful blog. We have a situation like we have integrated LDAP with portal, but the j_user is mapped to an additional parameter (ex, employee number) to enable the user to use this as a login-id instead of the default id.
How do we enable the same additional parameter for SPNego login also.
Regards,
Nirmal Sivakumar G
Is it possible to implement SSO using LDAP in an offline Adobe Form.
Thanks and Regards
Nidhi Jain