Author: Former Member

Kerberos implementation with ADS made easy

This solution was tested with a Windows 2003 domain controller (Active Directory acting as the KDC) and EP 6.0 SP15. SPNegoLoginModule is delivered by default from SP15 onwards; to implement Kerberos on a Portal running a release below SP15 you first have to deploy the spnegoauthlib.sda file.

Step 1: Configuration steps on the domain controller, which is your KDC
1.1. Create a service user whose password never expires
[screenshot]
1.2. Configure the keytab file
[screenshot]
After this step a file with the extension ".keytab" is generated. Now execute this command:
[screenshot]
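Step 1 as an added worked example, not the commands shown in the post's screenshots: creating the service user, registering the service principal name (SPN) and generating the keytab on the Windows 2003 domain controller, with the checks a reviewer would ask for. All names are assumptions (AD domain example.com / realm EXAMPLE.COM, account svc-portal-krb, portal URL host portal.example.com, keytab directory C:\keytabs); the tools used (dsadd, dsquery, setspn, ktpass) are the standard Windows 2003 AD admin tools.

```powershell
# Added example, not from the original post. Assumed names: domain example.com
# (Kerberos realm EXAMPLE.COM), service account svc-portal-krb, portal host
# portal.example.com, keytab written to C:\keytabs. Run on the 2003 DC (KDC)
# with the AD admin tools (dsadd, dsquery, setspn, ktpass) on the PATH.

$Realm   = 'EXAMPLE.COM'
$Domain  = 'EXAMPLE'
$Account = 'svc-portal-krb'
$Spn     = 'HTTP/portal.example.com'   # service class HTTP + the host name used in the portal URL
$Keytab  = 'C:\keytabs\portal.keytab'
# Encryption type stored in the keytab. The Sun JDK 1.4.2 of the EP 6.0 era only
# handled DES (which is why guides of that time enable "Use DES encryption types
# for this account"); DES is weak, so use RC4-HMAC-NT whenever the engine's JDK
# supports it. Assumption: the JDK on your engine supports the type chosen here.
$Crypto  = 'RC4-HMAC-NT'

# 1.1 Service user with a non-expiring password that the user itself cannot change.
# "-pwd *" prompts for the password, so it does not end up in the shell history.
dsadd user "CN=$Account,CN=Users,DC=example,DC=com" -samid $Account `
      -upn "$Account@example.com" -pwd * -pwdneverexpires yes -canchpwd no -disabled no

# Guard before registering: the same SPN on two accounts breaks every Kerberos
# logon to the portal, because the KDC cannot tell which key to encrypt the
# service ticket with. dsquery prints a header line first, so more than one
# output line means the SPN is already registered somewhere in the forest.
$hits = dsquery * forestroot -filter "(servicePrincipalName=$Spn)" -attr sAMAccountName
if (@($hits).Count -gt 1) { throw "SPN $Spn is already registered:`n$($hits -join "`n")" }

# 1.2 Register the SPN, then produce the keytab. ktpass /mapuser also rewrites the
# account's UPN to the principal name, and /pass resets its password, which
# increments the key version number (kvno): every re-run invalidates the keytab
# the engine already holds, so run it once and copy the result to the engine.
setspn -A $Spn "$Domain\$Account"
ktpass /princ "$Spn@$Realm" /mapuser "$Domain\$Account" /pass * `
       /crypto $Crypto /ptype KRB5_NT_PRINCIPAL /out $Keytab

# Checks: exactly this account carries the SPN, and the keytab file was written.
setspn -L "$Domain\$Account"
Get-Item $Keytab | Select-Object FullName, Length, LastWriteTime
```

The keytab is equivalent to the service account's password: whoever holds it can impersonate the portal to every user and decrypt their service tickets. Copy it to the engine host over a protected channel, restrict its ACL to the SAP service user, and do not leave the copy in C:\keytabs lying around on the DC.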

Step 2: J2EE Engine configuration for Kerberos (perform these steps on the host where your Web AS Java is installed)

2.1 Import the Kerberos configuration files into the J2EE Engine. I copied the file into the "\usr\sap\EPD" folder:
[screenshot]

2.2 Create a second file, "krb5.conf", in the same folder, with the following content:
[screenshot]

2.3 Configure the J2EE Engine properties as follows (do the same configuration on all server nodes):
[screenshot]

2.4 UME configuration
[The user resolution mode used here is "simple".]

[screenshot]

[screenshot]

2.5 Configuring login module stacks
[Add SPNegoLoginModule to the "ticket" component in the Security Provider service in the Visual Administrator.]
[screenshot]

2.6 Create a new policy configuration "com.sun.security.jgss.accept" and add two login modules:
1. Krb5LoginModule
2. MappingModule
[screenshot]

2.7 Login modules in the policy configuration "com.sun.security.jgss.accept"

1.) Mapping login module
[screenshot]
2.) Krb5LoginModule
[screenshot]
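Steps 2.2 and 2.7 as an added worked example, not the post's own files (those are in its screenshots): a krb5.conf for the J2EE Engine, and a check that the keytab from Step 1 actually authenticates as the service principal through the same Java Kerberos stack the engine's Krb5LoginModule uses. Assumptions: realm EXAMPLE.COM with KDC dc01.example.com, the engine directory C:\usr\sap\EPD (the post's \usr\sap\EPD on a Windows host), a keytab named portal.keytab in that directory, a Sun JDK at C:\j2sdk1.4.2_13 that ships the kinit tool class, and encryption types matching the ones written into the keytab.

```powershell
# Added example, not the post's own files. Assumed: realm EXAMPLE.COM, KDC
# dc01.example.com, engine directory C:\usr\sap\EPD, keytab portal.keytab in
# that directory, Sun JDK at C:\j2sdk1.4.2_13. Run on the engine host.

$SapDir    = 'C:\usr\sap\EPD'
$Krb5Conf  = Join-Path $SapDir 'krb5.conf'
$Keytab    = Join-Path $SapDir 'portal.keytab'
$Principal = 'HTTP/portal.example.com@EXAMPLE.COM'
$JavaHome  = 'C:\j2sdk1.4.2_13'

# Realm names are case-sensitive and by convention upper case. The domain_realm
# section maps the DNS domain of the portal host to that realm; without it the
# Java Kerberos stack cannot find a KDC for the realm in the ticket it receives.
# Assumption: the enctypes listed are the ones in the keytab and supported by the JDK.
@"
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com:88
        admin_server = dc01.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"@ | Set-Content -Path $Krb5Conf -Encoding Ascii

# Check: obtain a TGT for the service principal straight from the keytab, using
# the class behind the JDK's kinit.exe (Sun JDKs ship it as
# sun.security.krb5.internal.tools.Kinit; "-k -t" means "use this keytab instead
# of a password"). The same krb5.conf is passed the way the engine gets it, via
# the java.security.krb5.conf system property. A non-zero exit code means the
# engine's Krb5LoginModule will fail with the same error.
$javaExe = Join-Path $JavaHome 'bin\java.exe'
& $javaExe "-Djava.security.krb5.conf=$Krb5Conf" '-Dsun.security.krb5.debug=true' `
    sun.security.krb5.internal.tools.Kinit -k -t $Keytab $Principal
if ($LASTEXITCODE -ne 0) {
    throw ("Keytab/krb5.conf check failed (exit $LASTEXITCODE). Typical causes: realm not upper case, " +
           "kvno changed by a re-run of ktpass, enctype not supported by the JDK, clock skew above 5 minutes")
}
```

The engine must see the same file: java.security.krb5.conf is the system property through which the Sun Kerberos stack locates krb5.conf, so it belongs in the server nodes' Java parameters, and the Krb5LoginModule in com.sun.security.jgss.accept (Step 2.7) needs the standard Sun options useKeyTab=true, keyTab=<path to the keytab>, principal=<SPN@REALM>, storeKey=true and doNotPrompt=true to pick the service key out of that keytab. Kerberos tolerates 5 minutes of clock difference by default, so keep the engine host synchronised with the domain controller.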

Step 3: Access the J2EE Engine with Kerberos authentication

3.1 Enable Windows Integrated Authentication in your web browser
[screenshot]

[screenshot]
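Step 3.1 as an added worked example, not the post's own settings: the first part applies Internet Explorer's "Windows Integrated Authentication" settings for the current user through the registry instead of the dialog in the screenshots; the second part is the check to run when the portal still shows its logon form, because in that case IE usually fell back from Kerberos to NTLM, which SPNegoLoginModule cannot accept. Assumptions: portal host portal.example.com, a 2003-era Internet Explorer (other browsers and newer Windows versions keep these settings elsewhere), and two constructed sample headers that are not captured traffic.

```powershell
# Added example, not from the original post. Assumed portal host
# portal.example.com; registry locations are those of Internet Explorer 6/7.

$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Advanced tab > "Enable Integrated Windows Authentication" (restart IE afterwards).
Set-ItemProperty -Path $IS -Name EnableNegotiate -Value 1 -Type DWord

# Put the portal in the Local intranet zone (zone 1). Logon policy 1A00 = 0x20000
# is "Automatic logon only in Intranet zone": outside that zone IE never sends
# the user's credentials, and the portal shows its form logon instead of SSO.
$hostKey = "$IS\ZoneMap\Domains\example.com\portal"
New-Item -Path $hostKey -Force | Out-Null
Set-ItemProperty -Path $hostKey -Name http -Value 1 -Type DWord
Set-ItemProperty -Path "$IS\Zones\1" -Name '1A00' -Value 0x20000 -Type DWord

# Classify the "Authorization: Negotiate <base64>" header the browser sent
# (copied from an HTTP trace or from the engine's SPNegoLoginModule trace).
function Get-NegotiateTokenKind {
    param([Parameter(Mandatory=$true)][string]$AuthorizationHeader)
    $b64   = $AuthorizationHeader -replace '^\s*(Authorization:\s*)?Negotiate\s+', ''
    $bytes = [Convert]::FromBase64String($b64)
    if ($bytes.Length -lt 10) { return 'too short to be a GSS-API token' }
    # NTLM is not DER at all: the message starts with the ASCII signature "NTLMSSP\0".
    if ([Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP') {
        return 'NTLM fallback (check the SPN, the intranet zone, and that the client holds a TGT)'
    }
    # GSS-API initial context token: 0x60, a DER length (1 to 4 bytes), then the mech OID.
    # SPNEGO OID 1.3.6.1.5.5.2  = 06 06 2b 06 01 05 05 02
    # Kerberos v5 OID 1.2.840.113554.1.2.2 = 06 09 2a 86 48 86 f7 12 01 02 02
    $n   = [Math]::Min($bytes.Length, 20)
    $hex = -join ($bytes[0..($n - 1)] | ForEach-Object { $_.ToString('x2') })
    $len = '(?:[0-7][0-9a-f]|81[0-9a-f]{2}|82[0-9a-f]{4}|83[0-9a-f]{6})'
    if ($hex -match ("^60$len" + '06062b0601050502'))       { return 'SPNEGO (Kerberos expected inside)' }
    if ($hex -match ("^60$len" + '06092a864886f712010202')) { return 'raw Kerberos v5 token' }
    return "unknown token, first bytes $hex"
}

# Constructed samples (not captured traffic): a minimal SPNEGO prefix and the
# start of an NTLM type 1 message ("NTLMSSP\0" followed by message type 1).
$spnegoSample = 'Negotiate ' + [Convert]::ToBase64String(
    [byte[]](0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x00))
$ntlmSample   = 'Negotiate ' + [Convert]::ToBase64String(
    [byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00))
Get-NegotiateTokenKind $spnegoSample
Get-NegotiateTokenKind $ntlmSample
```

An NTLM token at the portal means the browser never obtained a service ticket for HTTP/<portal host>: the usual reasons are an SPN that does not match the host name in the URL (an IP address or an alias without its own SPN), the host not being in the intranet zone, or a workstation logged on with a local rather than a domain account.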

Access the Portal.
[screenshot]
Life is good .. 🙂

17 Comments
Former Member:
Great blog. But what if we need to get our tickets from more than one domain controller? We would like to attach a single (global) portal to multiple (regional) AD domain controllers. What we have seen so far is that SPNego only supports the connection to a single domain controller.
Former Member:
That's true; however, I think if all the domains trust each other and we perform these steps on the primary domain controller, then the J2EE can receive the tickets from all the domains.

However, we haven't tested that yet, but it's a good point and many people are facing this issue. So I'll try to test that in a multi-domain scenario and update you all.

Former Member:
Hi Vaibhav,
The blog is very helpful.
While I am trying to add "SPNegoLoginModule", the system throws an error message. Do you have any idea what the reason could be?
I have also raised a question in the forums: /thread/181228 [original link is broken]

Regards
Sunil Kulkarni

Former Member:
Yeah, sometimes it happens. Just log out from the Visual Admin and then try it again after some time. Please check that you don't have white spaces in the Class Name and the Display Name when adding the login module.
Former Member:
Hi!
I'm very interested in your Kerberos test in a multi-domain scenario. Can you send me more information about it? If you have links on this issue, please send me those too.

Best regards,

José Mário

Former Member:
Hi,
I saw your question in the blog regarding SPNego in multiple domains and wondered if you have done this or have any information about how to do this. Any assistance would be great.
Thanks in advance.
Brian Lane
Former Member:
Hi,

Did you receive a response on how to set up Kerberos with ADS if there are multiple domains? We are trying to set this up right now and are having no luck.

Thanks,

Kathy

Former Member:
Great work... keep posting.
Sandip Agarwalla:
Hi,

Will this solution work in a multiple-domain scenario, where users will access the same portal server from different domains?

Former Member:
Hi,
Thanks for the blog, it's very good, but I still have some questions.
Are the users stored in the datastore or in ADS in your scenario?
Do you know what has to be done, and how, if the user IDs are different in the datastore and in ADS?
Thanks for your help!
Regards,
Karol
Former Member:
Hi Vaibhav,
In paragraph 2.4 (UME configuration), which dataSourceConfiguration ADS file did you use?

With NetWeaver 2004s,
sap.com/SAP-JEECOR 7.00 SP9
sap.com/SAP-JEE 7.00 SP9, must spnegoauthlib.sda be deployed?

Regards
Ali

Former Member:
This blog doesn't work: error calling function, protocol status 1312.
Former Member:
Hi Vaibhav,

This is a very good blog. But I am new to Kerberos implementation with Active Directory. I need some suggestions for the implementation.

We have an ECC 6.0 (ABAP+Java) and BI+EP 7.0 (ABAP+Java) environment which is already integrated with SSO logon tickets. Now we want to implement Kerberos authentication so that the user does not get the portal login prompt; it should log in automatically.

Can you please suggest step by step what can be done on the domain controller side and on the Portal server? Because our client is fully secured, we need to give proper information so that they will create the ADS user and the keytab file.

Thanks in advance,
Kristene

Former Member:
Hi,
I am trying to do SSO between EP 7.0 and the operating system. I have followed the steps as explained by you, but when coming to the datasource I am facing a problem: we are using dataSourceConfiguration_abap.xml. I tried to edit this file to map the serviceUser to this datasource, but after that the J2EE server is not starting.

Please let me know how this SSO can be achieved with the ABAP stack.

Thanks

Ravi.s

Former Member:
Hi,
See SAP Note 994791 and download the files. You can use the file "dataSourceConfiguration_ads_readonly_db_with_krb5" as your datasource file; there is no need for any configuration.

Thanks
S.Thomas

Former Member:
Is "host" here the LDAP host or the portal host?
Sebastian Peroni:
I can't find this option for step 2.6 / 2.7.