This solution has been tested on a Windows 2003 Domain Controller with Active Directory acting as the KDC, and on EP 6.0 SP15. SPNegoLoginModule is delivered by default with SP15; if you need to implement Kerberos on a Portal running a release lower than SP15, you first have to deploy the spnegoauthlib.sda file.

Step 1: Configuration steps on the Domain Controller, which is your KDC
1.1. Create a service user whose password never expires (the key stored in the keytab is derived from this password, so a password change or expiry invalidates the keytab)
image
1.2. Generation of the keytab file
image
After this step a file with the extension “.keytab” is generated. Now execute this command:
image
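The Domain Controller steps above as a script, added here as an example; it is not part of the original post, which shows them only as screenshots. It assumes the AD domain example.corp (realm EXAMPLE.CORP), a service user j2ee-spnego, the Portal host name portal.example.corp and the keytab path C:\temp\j2ee-spnego.keytab; dsadd and setspn come with the Windows Server 2003 tools, and the RC4-HMAC encryption type is a choice that has to be matched on the J2EE side.

```powershell
# Added example, not from the original post. Assumed values: domain example.corp
# (realm EXAMPLE.CORP), service user j2ee-spnego, Portal host portal.example.corp.
$Domain     = 'example.corp'
$Realm      = $Domain.ToUpper()          # the Kerberos realm is the AD domain name in upper case
$User       = 'j2ee-spnego'
$PortalHost = 'portal.example.corp'      # the FQDN the browser uses to reach the Portal
$Spn        = "HTTP/$PortalHost"
$KeytabPath = 'C:\temp\j2ee-spnego.keytab'

# ktpass needs the plain password, so read it once instead of hard-coding it.
$Secure   = Read-Host -AsSecureString 'Service user password'
$PlainPwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# 1.1 Service user with a non-expiring password. The keytab key is derived from it,
#     so any later password change means regenerating the keytab.
dsadd user "CN=$User,CN=Users,DC=example,DC=corp" -samid $User -upn "$User@$Domain" `
      -pwd $PlainPwd -pwdneverexpires yes -mustchpwd no -disabled no

# 1.2 Keytab: map the HTTP SPN to the service user and write its key to a file.
#     Windows 2003 offers DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC-NT only (AES came
#     with Windows Server 2008); RC4-HMAC-NT is the strongest of the three.
#     The HTTP/<host> principal must be the host name the browser uses, otherwise
#     the browser obtains a ticket for a different service and the engine cannot decrypt it.
ktpass /princ "$Spn@$Realm" /mapuser "$User@$Domain" /pass $PlainPwd `
       /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /out $KeytabPath

# Check: the SPN must be registered on exactly one account, or the KDC issues no ticket.
setspn -L $User
```

Two things to keep in mind: ktpass /pass resets the account password to the value given, so use the same value in both commands and run ktpass only once per keytab; and if you choose a DES type instead of RC4-HMAC-NT, the account additionally needs the “Use DES encryption types for this account” flag.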

Step 2: J2EE Engine configuration for Kerberos (perform these steps on the host where your WebAS Java is installed)

2.1 Importing the Kerberos configuration files to the J2EE Engine. I copied the keytab file to the “\usr\sap\EPD” folder.
image

2.2 Create another file, ‘krb5.conf’, in the same folder, as follows:
image

2.3 Configure the J2EE engine properties as follows:
[Apply the same configuration on all server nodes]
image
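Steps 2.1 and 2.2 as a script for the J2EE host, added here as an example and not part of the original post. It assumes the realm EXAMPLE.CORP with the KDC dc01.example.corp, the keytab from Step 1, the \usr\sap\EPD folder from 2.1, and that the engine runs as EXAMPLE\epdadm; the rc4-hmac enctype is also an assumption and must match the /crypto you used in ktpass (older JDKs may only support the DES types; check the SAP notes for your release). The Java parameter for 2.3 is printed so it can be pasted into the Config Tool, where it still has to be set on every server node by hand.

```powershell
# Added example, not from the original post. Assumed: realm EXAMPLE.CORP, KDC
# dc01.example.corp, SID EPD, engine user EXAMPLE\epdadm, keytab from Step 1.
$Realm    = 'EXAMPLE.CORP'
$Kdc      = 'dc01.example.corp'
$SapDir   = '\usr\sap\EPD'
$Keytab   = Join-Path $SapDir 'j2ee-spnego.keytab'
$Krb5Conf = Join-Path $SapDir 'krb5.conf'

# 2.1 bring the keytab over (assumed source path from Step 1)
New-Item -ItemType Directory -Path $SapDir -Force | Out-Null
Copy-Item 'C:\temp\j2ee-spnego.keytab' $Keytab

# 2.2 krb5.conf: default realm, where the KDC lives, and which DNS domain maps to the realm.
#     The enctypes must match the /crypto used in ktpass, or the engine cannot use the
#     keytab entry (use des-cbc-md5 here and DES-CBC-MD5 in ktpass on JDKs without rc4-hmac).
@"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes   = rc4-hmac

[realms]
    $Realm = {
        kdc = $Kdc
    }

[domain_realm]
    .$($Realm.ToLower()) = $Realm
    $($Realm.ToLower()) = $Realm
"@ | Set-Content -Path $Krb5Conf -Encoding Ascii

# The keytab is the long-term key of the Portal's HTTP service: whoever can read it can
# decrypt and forge service tickets for the Portal. Drop inherited ACEs and allow only
# SYSTEM, Administrators and the user the engine runs as.
$acl = Get-Acl $Keytab
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited rules
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\epdadm') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Keytab -AclObject $acl

# 2.3 (set in the Config Tool on every server node) tell the JVM where its Kerberos
#     configuration is; printed here so the exact value can be pasted.
"-Djava.security.krb5.conf=$Krb5Conf"
```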

2.4 UME configuration
[We used the user resolution mode ‘simple’]

image

image

2.5 Configuring LoginModule Stacks
[Add SPNegoLoginModule to the component ‘Ticket’ in the Security Provider service in Visual Admin.]
image

2.6 Create a new policy configuration ‘com.sun.security.jgss.accept’ and add two login modules:
1. Krb5LoginModule
2. MappingModule
image

2.7 Login modules in the policy configuration ‘com.sun.security.jgss.accept’

1.) Mapping Login Module
image
2.) Krb5LoginModule
image

Step 3: Access J2EE Engine with Kerberos Authentication

3.1 Enable Integrated Windows Authentication in your web browser
image

image
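The browser side of 3.1 as a per-user registry change for Internet Explorer, added here as an example and not part of the original post; it assumes the Portal is reached as portal.example.corp. Run it in the session of the user who will log on.

```powershell
# Added example, not from the original post. Assumed Portal host: portal.example.corp.
$PortalHost = 'portal.example.corp'
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# "Enable Integrated Windows Authentication" on the Advanced tab. Without it IE never
# answers a 401 "WWW-Authenticate: Negotiate" challenge with a Kerberos token.
Set-ItemProperty -Path $IeSettings -Name EnableNegotiate -Value 1 -Type DWord

# IE sends a Kerberos/NTLM token automatically only to sites in the Local intranet
# zone (zone 1). ZoneMap\Domains\<domain>\<host> with a DWORD named after the
# scheme ("http") puts exactly this host there.
$labels    = $PortalHost.Split('.')
$hostLabel = $labels[0]
$domLabel  = ($labels | Select-Object -Skip 1) -join '.'
$zoneKey   = "$IeSettings\ZoneMap\Domains\$domLabel\$hostLabel"
New-Item -Path $zoneKey -Force | Out-Null
Set-ItemProperty -Path $zoneKey -Name http -Value 1 -Type DWord

# Check: the Portal must be called by this DNS name, not by IP address, and the name
# must equal the HTTP/<host> SPN from Step 1, or the browser requests no service ticket.
Get-ItemProperty -Path $zoneKey
```

Map only the Portal host, not the whole domain: every host in the Local intranet zone receives the user's credentials automatically, and if Kerberos fails IE falls back to NTLM, so a wildcard mapping hands an NTLM response to any machine in that domain.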

Access the Portal.
image
Life is good .. 🙂


17 Comments


  1. Maurice Sens
    Great blog. But what if we need to get our tickets from more than one domain controller? We would like to attach a single (global) portal to multiple (regional) AD Domain Controllers. What we have seen so far is that SPNego only supports the connection to a single Domain Controller.
    1. Vaibhav Dua Post author
      That’s true; however, I think if all the domains are trusted to each other and we perform these steps on the primary Domain Controller, then the J2EE can receive the tickets from all the domains.

      However, we haven’t tested that yet, but it’s a good point and many people are facing this issue. So I’ll try to test that issue in a multi-domain scenario and update you all.
      1. Sunil Kulkarni
        Hi Vaibhav,
        The blog is very helpful.
        While I am trying to add “SPNegoLoginModule”, the system throws an error message. Do you have any idea what the reason could be?
        I have also raised a question in forums: /thread/181228 [original link is broken]

        Regards
        Sunil Kulkarni

        1. Vaibhav Dua Post author
          Yeah, sometimes it happens. Just log out from the Visual Admin and then try it again after some time. Please check that you don’t have white spaces in the Class Name and the Display Name when adding the Login Module.
      2. Jose Mario Coimbra Leao
        Hi!
        I’m very interested in your Kerberos test in a multi-domain scenario. Can you send me more information about it? If you have links on this issue, please send them to me too.

        Best regards,

        José Mário

        1. Brian Lane
          Hi,
          I saw your question in the blog regarding SPNego in multiple domains and wondered if you have done this or have any information about how to do it. Any assistance would be great.
          Thanks in advance.
          Brian Lane
          1. Kathy Livingston
            Hi,

            Did you receive a response on how to set up Kerberos with ADS if there are multiple domains? We are trying to set this up right now and are having no luck.

            Thanks,

            Kathy

  2. Karol Fil
    Hi,
    thanks for the blog, it’s very good, but I still have some questions.
    Are the users stored in the Datastore or in ADS in your scenario?
    Do you know what has to be done, and how, if the UserIDs are different in the Datastore and ADS?
    Thanks for help!
    Regards,
    Karol
  3. Alain FLEURY
    Hi Vaibhav
    In paragraph 2.4 (UME configuration), which dataSourceConfiguration ads file did you use?

    With NetWeaver 2004s
    sap.com/SAP-JEECOR 7.00 SP9
    sap.com/SAP-JEE 7.00 SP9, must spnegoauthlib.sda be deployed?

    regards
    Ali

  4. kristene Jyo
    Hi Vaibhav,

    This is a very good blog. But I am new to Kerberos implementation with Active Directory. I need some suggestions on how to implement it.

    We have an ECC 6.0 (ABAP+JAVA), BI+EP (ABAP+JAVA) 7.0 environment which is already integrated with SSO logon tickets. Now we want to implement Kerberos authentication so that the user does not get the portal login prompt; it should log in automatically.

    Can you please suggest step by step what has to be done on the domain controller side and on the Portal server? Because our client is fully secured, we need to give them proper information so that they will create the ADS user and the keytab file.

    Thanks in advance,
    Kristene

  5. Ravi Sunkara
    Hi,
      I am trying to do SSO between EP 7.0 and the operating system. I have followed the steps as explained by you, but when coming to the datasource I am facing a problem: we are using dataSourceConfiguration_abap.xml. I tried to edit this file to map the serviceUser to this datasource; after that the J2EE server is not starting.

      Please let me know how this SSO can be achieved with the ABAP stack.

    Thanks

    Ravi.s

    1. Thomas Shaji
      Hi,
      See SAP Note 994791 and download the files. You can use the file “dataSourceConfiguration_ads_readonly_db_with_krb5” as your datasource file; no further configuration is needed.

      Thanks
      S.Thomas
