SSO* with JAVA AddIn on SAP WebAS BW NW2004s
Configuring SPNego** with ABAP datasource
Written by Gerd Schuster

*Single Sign-On
**Simple and Protected GSS-API Negotiation Mechanism

References:
SAP Note 994791

Create a user such as j2ee-SID in the ADS and make sure that the following settings are set:
* Password never expires
* Use DES encryption types for this account
In the following screenshot I will use j2ee-q2b and j2ee-p2b as the service users.

Then run the setspn command to assign the ServicePrincipalName to the user. The host part of the SPN must be the host name of the URL that you use to access the J2EE Engine.
C:\WINNT>setspn -A HTTP/hostname.domain.de domain_de\j2ee-SID
Registering ServicePrincipalNames for CN=j2ee-q2b,OU=System-Accounts,...
HTTP/hostname
Updated object

A short ldifde export reveals some important parameters that we are going to use later:
SAMAccountName: j2ee-SID
userPrincipalName: j2ee-SID@domain.de
servicePrincipalName: HTTP/hostname

Now start the configtool and add krb5principalname as an additional UME attribute.
cd /usr/sap/SID/DVEBMGSxx/j2ee/configtool
./configtool.sh
Go to "cluster-data", "instance_IDxxxxx", "server_IDxxxxxxx", "services", "com.sap.security.core.ume.service".
Select ume.admin.addattrs and set the custom value to krb5principalname.
Restart the ABAP and JAVA instance.

Create a user like j2ee-SID in the UME
Assign the Roles SAP_BC_JSF_COMMUNICATION and SAP_BC_JSF_COMMUNICATION_RO to the user j2ee-SID

Now we can start the SPNego wizard. http://hostname.domain.de:port/spnego
Kerberos Realm: DOMAIN.DE
KDC-Host: domaincontroller.domain.de:88
Make sure that the KPN prefix is set to uniquename, which is defined in the ABAP dataSourceConfiguration file.
Resolution mode: prefix-based
KPN prefix: uniquename
KPN suffix: dn
Test resolution mode: enter the J2EE user name, e.g. j2ee-SID.
"Check - Kerberos Principal Name j2ee-Q2B@DOMAIN.DE is resolved to user j2ee-SID in UME"
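The prefix-based resolution the wizard tests above, written out as an added example (not part of the original post or of SAP's own code): the KPN is split at "@", the prefix is matched case-insensitively against the user attribute named by the KPN prefix (uniquename), and the realm must equal the configured Kerberos realm. The UME user table, the helper names and the SPN check are constructed assumptions for illustration.

```python
"""Simulate the prefix-based KPN resolution of the SPNego wizard.

A Kerberos principal name (KPN) such as j2ee-Q2B@DOMAIN.DE consists of a
prefix (j2ee-Q2B) and a realm (DOMAIN.DE). In prefix-based mode the prefix
is looked up in the UME attribute configured as "KPN prefix".
"""
from urllib.parse import urlsplit

# Constructed UME user table (assumption): 'uniquename' is the attribute the
# KPN prefix is mapped to, 'krb5principalname' the attribute added in configtool.
UME_USERS = [
    {"uniquename": "j2ee-q2b", "krb5principalname": "j2ee-q2b@domain.de"},
    {"uniquename": "j2ee_admin", "krb5principalname": ""},
    {"uniquename": "schusterg", "krb5principalname": "schusterg@domain.de"},
]


def split_kpn(kpn):
    """Split 'prefix@REALM' into (prefix, REALM); reject malformed names."""
    if kpn.count("@") != 1:
        raise ValueError("KPN must contain exactly one '@': %r" % kpn)
    prefix, realm = kpn.split("@")
    if not prefix or not realm:
        raise ValueError("KPN has an empty prefix or realm: %r" % kpn)
    return prefix, realm.upper()


def resolve_kpn_prefix_based(kpn, users, realm, prefix_attr="uniquename"):
    """Return the single UME user whose prefix_attr equals the KPN prefix.

    Returns None for a foreign realm, for no match and for an ambiguous
    match (more than one user with the same attribute value), so that a
    ticket from another realm can never be mapped onto a local user.
    """
    prefix, kpn_realm = split_kpn(kpn)
    if kpn_realm != realm.upper():
        return None
    matches = [u for u in users
               if u.get(prefix_attr, "").lower() == prefix.lower()]
    return matches[0] if len(matches) == 1 else None


def spn_matches_url(spn, url):
    """Check that the SPN host registered with setspn equals the URL host.

    The browser requests a ticket for HTTP/<host of the URL>, so a SPN
    registered for a short name will not serve a FQDN URL (and vice versa).
    """
    service, _, spn_host = spn.partition("/")
    url_host = urlsplit(url).hostname or ""
    return service.upper() == "HTTP" and spn_host.lower() == url_host.lower()
```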

After testing the resolution mode, continue with the next step. I prefer to create a new template and assign this template later on to my ticket component.
* activate password fallback
* activate SSO with SAP logon tickets

Restart your SAP J2EE Engine before you start using SPNego authentication.
Now the final step left is to assign the spnego template we created to the ticket component via the Visual Administrator.
cd /usr/sap/SID/DVEBMGSxx/j2ee/admin
./go
Log on as user j2ee_admin and go to "SID", "Server", "Services", "Security Provider". On the right side click "ticket". Switch to edit mode. Authentication template: "spnego"

That should be it!
Test it...
Open http://hostname.domain.de:port and click SAP NetWeaver Administrator, for example.

Now you should be able to access the portal via SPNego. If it is not working, please have a look at the troubleshooting pages, which are coming soon!
If you have any question about this, feel free to contact me or visit help.sap.com