Skip to Content
The Holy Grail of Single Sign On – Windows Integrated Authentication is just too tempting to have been left unattempted and as I have SP15 installed and IISPROXY is no longer supported by SAP. I took a deep breath, made myself a cup of coffee and dived straight in to configure Windows Integrated Authentication, based on Kerberos via the SPNegoLoginModules (this is new from SAP as of SP15).

<b>Windows Integrated Authentication – what it really means


</b>
image

The above diagram should pretty concisely depict a layman’s concept of Windows Integrated Authentication. Users will logon to the Windows Domain and this will allow them seamless access to the Enterprise Portal and subsequently to SAP-based Applications without any additional logons


Windows Integrated Authentication using Kerberos Authentication for Single-Sign On


When you use Kerberos, authentication is performed by several systems, which negotiate the outcome of the authentication process transparently for the user. At a minimum, Kerberos authentication involves the following systems:

    • Web client – the Web client requests a service or a resource from the J2EE Engine and authenticates against the Kerberos Key Distribution Center.
    • Kerberos Key Distribution Center (KDC) – the KDC authenticates the Web client and grants a Kerberos Client/Server Session Ticket that is used for the communication between the J2EE Engine and the Web client. To authenticate the Web client, the KDC uses a Kerberos user data store, which can also be the UME data store of the J2EE Engine.
    • SAP Web AS Java – the J2EE Engine of the SAP Web AS Java uses the User Management Engine (UME) to retrieve the identity management information for the authenticated the Web client request. Subsequently, the J2EE Engine provides access to the services or resources requested by the Web client.

The systems involved in the Kerberos authentication process share user information.

Therefore, to authenticate J2EE Engine access requests with Kerberos you have to configure several systems including the KDC, the J2EE Engine and its UME, as well as the Web client. In addition, the J2EE Engine uses Kerberos functions available from your Java Development Kit (JDK) and the actual J2EE Engine configuration depends on the underlying JDK you use. Configurations here are based on the SUN JDK 1.4.2_11 on Solaris and SUN ONE LDAP


Kerberos Key Distribution Center (KDC) Configuration


Before proceeding, it would be advisable to download Kerbtray.exe (available from Microsoft). Kerbtray can be installed on your desktop and is a GUI tool that displays ticket information for a computer running the Microsoft implementation of Kerberos V5 protocol.

Some critical definitions before we begin this would greatly help as you dig deeper into Kerberos documentations from MIT

SPN – Service Principal Name – J2EE Engine is known to the KDC as a service by its Service Principal Name (SPN).

KDC – is used for authenticating the client and issuing the Kerberos Client/Server Session Ticket for the communication between the Web client and the SAP Web AS Java. Typically the KDC can be any one of your Domain
Controllers


Let’s Begin


Create a service user in the user directory used by the KDC. This user represents a J2EE instance running on a specific host and must meet the following requirement – The password of the service user must never expire

Configuration on Windows Domain Controller


Importing into J2EE and Testing Configurations


—-


[domain_realm]
  .domain.dom = DOMAIN.DOM

  default_keytab_name = /etc/krb5/krb5.keytab
  default_realm = DOMAIN.DOM
  dns_lookup_kdc = true
  default_tgs_enctypes=des-cbc-md5;des-cbc-crc
  default_tkt_enctypes=des-cbc-md5;des-cbc-crc


  DOMAIN.DOM = {
     admin_server = —-


Using a command line, enter the command that corresponds to your host –
$JAVA_HOME/bin/klist –e –f –k –K /etc/krb5/krb5.keytab
You will see something like this, if you get this, you just passed your first hurdle.

Output

Key tab: keytab, 2 entries found.
Service principal: HTTP/portal.domain.dom@DOMAIN.DOM
         KVNO: 1
         Key type: 3
         Key: 0xefe125cfe09c59fd

Service principal: host/portal.domain.dom@DOMAIN.DOM
         KVNO: 1
         Key type: 3
         Key: 0x2fa8dda2b24fe502
</p>

J2EE Engine Properties


Do this next: ConfigTool > Cluster Data > Instance ID > Server > General Tab. Add the following Java Parameters

– Djavax.security.auth.useSubjectCredsOnly=false
– Djava.security.krb5.conf=/etc/krb5.conf
– Dsun.security.krb5.debug=true
Restart the Cluster


Making Your UME Configuration


Before configuring Kerberos Authentication with an LDAP data source, ensure that existing UM configuration with an LDAP data configuration is working and you are able to use the existing LDAP as a data source.
Configuration below is a typical configuration for SUN ONE


image
image


If this works natively, now you are ready to make your modifications to allow for Kerberos and you can switch the UM data source back if Kerberos does not work

Download the data source configuration file from Configtool Configuration Editor via Cluster Data > Server > Persistent > com.sap.security.core.ume.service


image


Open the data source configuration file with your favourite XML editor and add a new attribute “kpnprefix” via the following lines as shown in the diagram below (under the responsibleFor section of the LDAP data source)

!https://weblogs.sdn.sap.com/weblogs/images/49026/image010.jpg|height=61|alt=image|width=577|src=https://weblogs.sdn.sap.com/weblogs/images/49026/image010.jpg|border=0!

Perform the mapping of “kpnprefix” to the LDAP attribute for user id. In this case, it’s
uid. It could sometimes be logonid or cn. See figure below


image


Save the configuration file into another name that you can identify. In this example I used dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml

Upload this file by right-clicking on com.sap.security.ume.service and selecting File-entry and giving it a name that is identical to the filename

The final result should be something like this


image

Exit the Configuration Editor and go to Security Provider service under Global Server Configuration

Add the krb5principalname under ume.admin.addattrs (you are essentially defining an additional attribute for a user) and switch the ume.persistence.data_source_configuration to the new data source configuration file (dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml) in this case.
Up to this point, you have completed configuring the UME of the portal to a new configuration file and mapped the “kpnprefix” attribute to the LDAP attribute uid
To be consistent, update the UM Configuration on your portal by uploading the data source configuration file

Logon to the portal and upload the new configuration file via System Administration > System Configuration > UM Configuration > Upload. You will notice that the Data Source field will be switched to Other (this is normal)


Logon Stack Configuration based on the Ticket Authentication Template


Now it gets interesting ! Authentication Schemes are a little outside the scope of this document, but to gain a quick understanding, check your authschemes.xml via
Configtool.

You will notice that by default the uidpwdlogon, basicauthentication Authentication Schemes is assigned to the Authentication Template “Ticket” and the default Authentication Schemes that the portal will use is uidpwdlogon

Logon to Visual Administrator, under Server > Services > Security Provider.
Modify Ticket Authentication Template to include the following Login Modules and also the following Options.

com.sap.security.core.server.jaas.EvaluateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
com.sap.security.core.server.jaas.SPNegoLoginModule, Flag as Optional
ume.sap.spnego.uid.resolution.mode = prefixbased
com.sap.spnego.uid.resolution.attr = kpnprefix
com.sap.spnego.jgss.name = HTTP/portal.domain.dom@DOMAIN.DOM
com.sap.spnego.creds_in_thread = true
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
BasicPasswordLoginModule, Flag as Requisite
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Optional
Ume.configuration.active = true

Note that the SPNegoLoginModule is only provided from SP15 onwards
Click on the User Management tab and click on Manage User Store and create 2 additional Login Modules:
Krb5LoginModule and MappingModule

Create Krb5loginModule with the following parameters: Class name : com.sun.security.auth.module.Krb5LoginModule
Create MappingModule with the following parameters: Class name:com.sap.security.core.server.jaas.SPNegoMappingModule

Click back to Policy Configurations and create the com.sun.security.jgss.accept Login Module Stack. Within this stack include the following Login Modules

com.sun.security.auth.module.Krb5LoginModule
keytab = /etc/krb5/krb5.keytab
useKeyTab = true
debug = true
doNotPrompt = true
storeKey = true
principal = HTTP/portal.domain.dom@DOMAIN.DOM”>HTTP/portal.domain.dom@DOMAIN.DOM
useTicketCache = true
com.sap.security.core.server.jaas.SPNegoMappingLoginModule
com.sap.spnego.uid.resolution.attr = krb5principalname

When everything is done, it should look like this:


!https://weblogs.sdn.sap.com/weblogs/images/49026/image16a.JPG|height=102|alt=image|width=570|src=https://weblogs.sdn.sap.com/weblogs/images/49026/image16a.JPG|border=0!
image


Restart the Cluster at this point. When Cluster is fully operational, create a Service User on Web AS. Do this via the User Admin Quick Link
(/useradmin)
Scroll down to the bottom and you will notice the krb5principalname attribute. Enter the Kerberos Principal Name here
(HTTP/portal.domain.dom@DOMAIN.DOM )
image

Logon to Visual Administrator and check that the selection No Password Change required is checked (very important !)


Modify your Internet Explorer Security Option


Go to Tools > Internet Options > Advanced > Security and enable “Enable Windows Integrated Authentication”

The site that physically runs the J2EE engine must be explicitly added as a local Intranet Site. Navigate to Tools > Internet Options > Security > Local Intranet > Sites > add http://portal.domain.dom to the list.
Logoff from your desktop and Login to the desktop and the Windows Domain

Give yourself a pat on the back !!!


Test and Conclusion


Launch your browser enter the URL of your portal server (for a dramatic effect, use the Portal URL as the
browser’s home page) You will be logged-in and your welcome page with your corresponding Role will be displayed. Take
a deep breath and reflect !


Why would you use a non-ADS data Source ?


People have asked me why would I use a non-ADS data source. I would be hard pressed for an answer, I guess I would prefer to work with LDAP as opposed to ADS
However, a compelling scenario would be when you would want to enable both internal (LAN) and external (from the Internet) access to your portal. An unknown or external user could technically lock up your user id on ADS with multiple logon attempts. Don’t think your NT Administrator would like that very much. 
Hopefully  we’ll soon see a blog on password synchronising between ADS and LDAP


To report this post you need to login first.

21 Comments

You must be Logged on to comment or reply to a post.

  1. Bernd Eckenfels
    Does this only work with IE, or can Firefox or Opera be used? I know that Firefox on Win supports NTLM Hash Authentication if configured, but not sure about Kerberos Tickets.

    Personally I prefer soluions like SAML, they are more transparent to the client.

    Bernd

    (0) 
    1. Wai-Hon Lam Post author
      Good point, I did some quick research, and even installed Firefox.
      Unfortunately, I don’t think it works for Firefox.
      This is a limitation of Kerberos and SPNego, that it is not recommended for large scale over-the-Internet deployment.
      It will only be ideal on an Intranet  – where you have a dictatorial control over end-user browsers 🙂

      (0) 
        1. Wai-Hon Lam Post author
          Thanks for the link, I’ll be experimenting with this for the next 2 days 🙂
          Quick one, just off the cuff:
          pref(“network.negotiate-auth.trusted-uris”, site-list);
          pref(“network.negotiate-auth.delegation-uris”, site-list);

          Where are these set ?

          (0) 
          1. Anonymous
            Hi,

            when you open up Mozilla Firefox, just type “about:config” in the address bar. Thereby you’ll see all configurable options for the browser. I think they are in alphabetical order, so just scroll down to the n-section, and you’ll find them there…

            Regards,
            Yonko

            (0) 
              1. Wai-Hon Lam Post author
                If  they authenticate with your Windows domain controller, theoretically they should ‘get’ the kerberos ticket.

                It should work for Mac on Mozilla, if that’s the case.

                (0) 
  2. Umberto Fonda
    In this scenario:

    * IE as the Browser
    * a Servlet application running on SAP JAVA WEB AS, communicating via JCO with SAP R/3
    * SAP R/3 username are the same as windows accounts

    we want the Servlet application to connect to SAP R/3 with the windows account of the machine hosting the browser, and we don’t want the user to enter the windows domain username/password

    Can Kerberos be useful ?

    Thx

    (0) 
  3. kristene Jyo
    This is very good blog. But iam new to Kerberos implementation with Active directory. I need some suggestion to implement NW2004s Sp09
    we have ECC6.0 (ABAP+JAVA),BI+EP(ABAP+JAVA) 7.0 environment which is already integrated SSO Logon ticket.Now we wanted to Implement Kerboros authentication so that user should not get portal login credentials>it should login automatically

    Can you please suggest step by step what can be done at domain controller side and Portal server .Because our client is fully secured , we need to give proper information so that they will create ADS user and Keytab file.

    Thanks in advance,
    Kristene

    (0) 
  4. Horacio Pereira
    This is a good blog.
    does it work with JDK of HP vendor? or it is just for SUN/IBM?
    We run HP-UX 11.23 (64 bit) and HP JDK 1.4.2_11

    Thanks again for your answer.
    H+.

    (0) 
    1. Thi Tho Pham-Tran
      Hello Horacio,

      we have a lot of productive EP 7.0 servers which have been using SPNego for a while. All of these portal servers run on Windows 2003 Server and have Sun J2SE 1.4.2_13. I, therefore, didn´t get any problem upon implementing SPNego on them.

      But to my very regret, SPNego doesn´t function with our first portal system which was installed on HP-UX IA64 with HP J2SE 1.4.2_11 two weeks ago although I did install SPNego exactly like I had done on all of my NT portal servers. For this reason, I took a look at the PAM for SAP NetWeaver 7.0 on the SAP Marketplace again and found out Sun J2SE isn´t released for HP-UX by SAP. According to the SAP note 994791, SPNego is only supported for Sun JDK and IBM JDK. My problem is, you can neither find the Sun JDK version for HP-UX at java.sun.com nor at the SAP Marketplace.

      To sum up, I am creating a ticket at SAP Marketplace in relation to SPNego for portal systems running on HP-UX now. Have you ever got any new information concering this topic?

      Best regards,
      Tho Pham-Tran

      (0) 
  5. Abdul Rahim Shaik
    Hi,

    Your blog was a useful resource while we did your LDAP SAP integration.

    We are running ldap_rfc on the apps servers of our Sol Man system (SMP)
    to run LDAPConnector.

    Following are the connect strings:

    d:\usr\sap\SMP\D01\exe ldap_rfc –a LDAP_RFC –x sapgw01 –g sfrncorssm41

    We are successful in replication all directory users onto SAP user
    management.

    When we are trying to run this LDAP_RFC into a windows service using

    sc install “ldap.bat -log none” -b c:\ldap.bat -p service

    (the ldap.bat file containing – ldap_rfc –a LDAP_RFC –x sapgw01 –g
    sfrncorssm41), we are getting the below error:
    “sc install – unrecognized command”

    Please advise.

    Thanks in advance,
    Abdul

    (0) 
  6. Kishore Karuppan
    Hi – We are having issues with few users who are not able to login to IWA enabbled EP 7.0 system when logged in via. VPN. These users do authenticate to AD domain during the initial log on process. These users all have IE 6.0 Sp2. For some users it works it works wthout any problem with same IE browser, etc. All the browser settings are same. No clue why few users are having this issue. It works fine when they login directly to the network.  Have anyone seen this issue?
    (0) 
  7. Nirmal Sivakumar G
    Hi,

    First I would like to thank you for this wonderful blog. We have a situation like we have integrated LDAP with portal, but the j_user is mapped to an additional parameter (ex, employee number) to enable the user to use this as a login-id instead of the default id.

    How do we enable the same additional parameter for SPNego login also.

    Regards,
    Nirmal Sivakumar G

    (0) 

Leave a Reply