
Kerberos implementation with ADS made easy

This solution has been tested on a Windows 2003 Domain Controller with Active Directory as the KDC and EP 6.0 SP15. SPNegoLoginModule is delivered by default with SP15; if you need to implement Kerberos on a Portal running a release below SP15, you have to deploy the spnegoauthlib.sda file.

Step 1: Configuration steps on Domain Controller which is your KDC
1.1. Create a Service user whose password should never expire
1.2. Configuration of the Keytab file
After this step, a file will be generated with the extension “.keytab”. Now execute this command

Step 2: J2EE Engine configuration for Kerberos (perform these steps where your WebAS JAVA is installed)

2.1 Importing Kerberos Configuration Files to the J2EE Engine. I copied the file into the “\usr\sap\EPD” folder.

2.2 Create another file ‘krb5.conf’ in the same folder as follows:-

2.3 Configure J2EE engine properties as:-
[Do the same configurations on all the Server nodes]

2.4 UME Configuration
[We have used user resolution mode as ‘simple’]



2.5 Configuring LoginModule Stacks
[Add SPNegoLoginModule to the component ‘Ticket’ in the Security Provider service in Visual Admin.]

2.6 Create a new policy configuration ‘’ and add 2 Login Modules
1. Krb5LoginModule
2. MappingModule

2.7 Login Module(s) in the policy configuration ’’

1.) Mapping Login Module
2.) Krb5LoginModule

Step 3: Access J2EE Engine with Kerberos Authentication

3.1 Enable Windows Integrated Authentication in your Web browser


Access the Portal.
Life is good .. 🙂
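
A check for the krb5.conf created in step 2.2, as an added example that is not part of the original post: it parses the file and reports a missing default realm, a missing KDC entry, or any DES or RC4 encryption types. The realm EXAMPLE.COM, the host dc01.example.com and the sample file contents are constructed placeholders, not the author's values.

```python
# Constructed sample, not the author's file: realm and KDC host are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

# DES is retired by RFC 6649 and RC4-HMAC is deprecated by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_krb5_conf(text):
    """Return {section: {key: value-or-dict}}; handles one level of { } nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                        # end of a realm block
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                     # start of a realm block
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def lint(conf):
    """Return a list of findings for a parsed krb5.conf."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm missing")
    if realm and "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("realms: no kdc entry for %s" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = sorted(set(lib.get(key, "").lower().replace(",", " ").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s allows weak enctypes: %s" % (key, ", ".join(weak)))
    return findings
```

AES Kerberos encryption types arrived with Windows Server 2008, so a Windows 2003 KDC like the one this post was tested on can only issue DES or RC4 tickets; treat a weak-enctype finding there as a reason to plan a KDC upgrade rather than a setting to change in krb5.conf alone.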

  • Great blog. But what if we need to get our tickets from more than one domain controller? We would like to attach a single (global) portal to multiple (regional) AD Domain Controllers. What we have seen so far is that SPNego only supports the connection to a single Domain Controller.
    • That’s true, however I think if all the domains are trusted by each other and we perform these steps on the primary Domain Controller, then the J2EE engine can receive the tickets from all the domains.

      However, we haven’t tested that yet, but it’s a good point and many people are facing this issue. So I’ll try to test that issue in a multi-domain scenario and update you all.

      • Hi Vaibhav,
        The blog is very helpful.
        While I am trying to add “SPNegoLoginModule”, the system throws an error message. Do you have any idea what could be the reason?
        I have also raised a question in forums: /thread/181228 [original link is broken]

        Sunil Kulkarni

        • Yeah, sometimes it happens. Just log out from the Visual Admin and then try it again after some time. Please check that you don’t have white spaces in the Class Name and the Display Name when adding the Login Module.
      • Hi!
        I’m very interested in your Kerberos test in a multi-domain scenario. Can you send me more information about it? If you have links on this issue, please send them to me too.

        Best regards,

        José Mário

        • Hi,
          I saw your question in the blog regarding SPNego in multiple domains and wondered if you have done this or have any information about how to do this. Any assistance would be great.
          Thanks in advance.
          Brian Lane
          • Hi,

            Did you receive a response on how to set up Kerberos with ADS if there are multiple domains?  We are trying to set this up right now and are having no luck.



  • Hi,
    Thanks for the blog, it’s very good, but I still have some questions.
    Are the users stored in the Datastore or ADS in your scenario?
    Do you know what has to be done, and how, if UserIDs are different in Datastore and ADS?
    Thanks for help!
  • Hi Vaibhav
    In paragraph 2.4 (UME configuration), which dataSourceConfiguration ads file did you use?

    With Netweaver 2004s 7.00 SP9, spnegoauthlib.sda must be deployed.


  • Hi Vaibhav,

    This is a very good blog. But I am new to Kerberos implementation with Active Directory. I need some suggestions to implement it.

    We have an ECC6.0 (ABAP+JAVA), BI+EP (ABAP+JAVA) 7.0 environment which is already integrated with SSO Logon ticket. Now we want to implement Kerberos authentication so that the user should not get the portal login credentials; it should log in automatically.

    Can you please suggest, step by step, what can be done on the domain controller side and the Portal server? Because our client is fully secured, we need to give proper information so that they will create the ADS user and Keytab file.

    Thanks in advance,

  • Hi,
      I am trying to do SSO between EP 7.0 and the operating system. I have followed the steps as explained by you, but when coming to the datasource I am facing a problem. We are using datasourceConfiguration_abap.xml; I tried to edit this file to map the serviceUser to this datasource, and after that the J2EE server is not starting.

      Please let me know how this SSO can be achieved with the ABAP stack.



    • Hi,
      See SAP Note Number 994791 and download the files. You can use the file “dataSourceConfiguration_ads_readonly_db_with_krb5” as your datasource file; there is no need for any configuration.