This web page describes how to authenticate an SAP WebAS ABAP on Linux via Kerberos v5 and the SAP SNC adapter against a Windows Active Directory, and how to map its users so that they can use Single Sign-On with the SAP GUI on Windows clients.

14 Comments

  1. Manfred Stein
    Comments on this blog are very welcome, we are particularly interested in knowing if you would want to use this in your production environments. Your feedback (including number of SAP users targeted) will be helpful for involved partners (Novell, Red Hat) in order to address concerns expressed in note 150380.
    Thnx in advance
    Manfred
    (0) 
    1. Ramesh Ramalingam
      We compiled our own Kerberos on Solaris 10 64bit kernel. I found a way to implement SSO using Windows AD domain along with SAP Logon load balancing feature. Basically we have 2 application servers and 1 central Instance.

      For SSO to use load balancing, you have to create 3 different accounts on the AD domain and set up the certification on those servers.

      Now from the SAP Logon pad, create an entry using the group tab and generate the list. Entries from SMLG will be populated from the message server. Choose one of them and click on Add and Logon and enable the SNC box from the advanced tab.

      The SNC name is automatically populated from the profile parameter. Now edit the c:\windows\saplogon.ini using notepad and change the SNC name to use the message server.

      If you log in, you will see 2 things happening:
      1. SSO using AD domain authentication
      2. Load balancing

      Feel free to send me any questions you might have; I will be happy to help you.

      Thanks
      Ramesh

      (0) 
      1. ADMINISTRADOR GLOBALIA
        Hello Ramesh,

        We want to implement SSO in our landscape. We have Solaris 10 64bit.

        We have tried with /usr/lib/64/libgss.so. The library is loading fine but SSO is not working…

        How can we compile our own library?

        Many thanks,
        David.

        (0) 
      3. Rajan M
        Hi Ramesh,

        Can you please help me with the detailed document for implementing SSO on HP-UX for SAP systems? We would like to implement it in our landscape.

        I would also like to have the SNC Adapter file.
        mrajan7@yahoo.com.

        Thanks & Regards,
        Raj

        (0) 
      4. Chad Niswander
        Ramesh: I am interested in pursuing the same solution as you have implemented: Kerberos authentication on Solaris 10 64 bit. Any more details you could provide would be great.

        Thanks,

        Chad

        (0) 
  2. Markus Doehr
    …for a bunch of systems.

    I used http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html as reference. Pretty old, it was kind of hard to find the correct sources for all the necessary tools ;).

    We built our own Kerberos (MIT Kerberos 1.6.2, not Heimdal) and using the tools (kinit etc.) from that self compiled package because the vendor libraries and tools (in our case at that time SuSE SLES 9) didn’t turn out to be working, same was true for the Sun implementation.

    Another advantage of that approach was, that we could use the same software and configuration for all the OS’es we run (Linux 32bit, Linux IA64, Solaris x64, HP-UX IA64, Solaris SPARC etc.) and we didn’t need to fiddle with vendor specific implementations and their patches/problems.

    The sources for gsskrb5.dll were modified to be able to be built with a newer Visual Studio compiler (VS 2005/7.1) and were distributed on the clients using an MSI package.

    Some hundred users use that for BI (BEx) and various test systems (ABAP). The Java SSO did turn out to be problematic due to the bug in the Sun JDK and our need to use a version > 1.4.2_13 (on Sun x64). I haven’t tried yet with the new Java version (*_18).

    Markus

    (0) 
  3. Hemanshu Gupta
    Basis Gurus,

    I am following this Realtech document to configure SSO on Linux and ADS.
    I am on step 3.4 and get the following error

    kinit(v5): Cannot contact any KDC for requested realm while getting initial cres

    Any input from you will help.

    Regards,
    Hemanshu

    (0) 
    1. Matthias Schlarb Post author
      Hi there,

      I would check /etc/krb5.conf, especially the section

      [realms]
          LINUXLAB.COM = {
              kdc = linuxlabpdc.linuxlab.com
              admin_server = linuxlabpdc.linuxlab.com
              kpasswd_server = linuxlabpdc.linuxlab.com
          }

      and make sure that the user which executes the kinit has the permission to read this file.

      If this doesn’t help, post the detailed error from your krb log.

      Regards,
      Matthias

      (0) 
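
The check suggested in the reply above, written out as an added example (it is not part of the reply or of the whitepaper): a shell function that verifies the current user can read the krb5.conf file and lists the `kdc` entries configured for a realm under `[realms]`. The function name `kdcs_for_realm` and its return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added diagnostic; kdcs_for_realm is a hypothetical helper name.
# Prints the kdc entries listed for realm $2 in the krb5.conf-style file $1.
# Return codes: 0 = kdc entries found, 2 = file not readable by this user,
# 3 = no kdc entry for the realm under [realms].
kdcs_for_realm() {
    conf=$1
    realm=$2
    # Same check as in the reply: can the user running kinit read the file?
    [ -r "$conf" ] || return 2
    awk -v realm="$realm" '
        /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
        /^[ \t]*\[/ {                              # section header, e.g. [realms]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            cur = ""; next
        }
        sec != "realms" { next }
        /=[ \t]*\{[ \t]*$/ {                       # "REALM = {" opens a realm block
            cur = $0
            sub(/^[ \t]+/, "", cur); sub(/[ \t]*=.*$/, "", cur)
            next
        }
        /^[ \t]*\}/ { cur = ""; next }             # "}" closes it
        cur == realm {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*$/, "", key)
            if (key == "kdc") {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; n++
            }
        }
        END { exit (n > 0 ? 0 : 3) }
    ' "$conf"
}

# Stand-alone use: sh script.sh /etc/krb5.conf LINUXLAB.COM
if [ "$#" -eq 2 ]; then
    kdcs_for_realm "$1" "$2"
fi
```

Run it as the same OS user that executes kinit, so that the readability check reflects that user's permissions.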
  4. Nelis Lamprecht
    Hi Matthias,

    Firstly I just want to say thanks for this whitepaper, it is very informative and easy to follow.

    I just have one question. For every application server used, do you have to create an additional service user, SPN and export key? I thought I’d try to use the same SPN but that didn’t work, then I tried creating separate SPNs with the same service user and that also doesn’t seem to work.

    Thanks.

    Regards,
    Nelis

    (0) 
  5. Federico Biavati
    Hi Matthias,

    I want just to inform you that we implemented the SSO authentication between our SAP Systems (R/3 4.7 Ext 2.00, ECC 6.0, IDES ECC 6.0, and Solution Manager) and our AD Domain users (~ 400).

    The O.S. used is SLES 10 SP2 for every SAP system, and we are in Production from the beginning of September.

    Thanks for your help and for your useful document!

    Regards,
    Federico Biavati

    (0) 
