Skip to Content
Author's profile photo Former Member

Configuring SPNego authentication on SAP BI7.0 WebAS JAVA

SSO* with JAVA AddIn on SAP WebAS BW NW2004s
Configuring SPNego** with ABAP datasource
Written by Gerd Schuster

*Single Sign-On
**Simple and Protected GSS-API Negotiation Mechanism

References:
SAP Note 994791

Create a user like j2ee-SID in the ADS and make sure that the settings
* Password never expired and
* Use DES encryption types for this account
are set. In the following screenshot I will use j2ee-q2b, j2ee-p2b as the service-user.

Then run the setspn command to assign the ServicePrincipalName to the user. This is the URL that you use to access the J2EE Engine.
C:\WINNT>setspn -A HTTP/hostname.domain.de domain_de\j2ee-SID
Registering ServicePrincipalNames for CN=j2ee-q2b,OU=System-Accounts,…
HTTP/hostname
Updated object

A short ldifde revals some important parameters that we are going to use later:
SAMAccountName: j2ee-SID
userPrincipalName: j2ee-SID@domain.de
servicePrincipalName: HTTP/hostname

Now start the configtool and add the krb5principalname as an additional UME attribute.
cd /usr/sap/SID/DVEBMGSxx/j2ee/configtool
./configtool.sh
go to “cluster-data”, “instance_IDxxxxx”, “server_IDxxxxxxx”, “services”, “com.sap.security.core.ume.service”
mark ume.admin.addattrs and set the custom value to krb5principalname
Restart the ABAP and JAVA instance.

Create a user like j2ee-SID in the UME
Assign the Roles SAP_BC_JSF_COMMUNICATION and SAP_BC_JSF_COMMUNICATION_RO to the user j2ee-SID

Now we can start the SPNego wizard. http://hostname.domain.de:port/spnego
Kerberos Realm: DOMAIN.DE
KDC-Host: domaincontroller.domain.de:88
Make sure that the KPN Prefix is set to uniquename wich is defined in the ABAP dataSourceConfiguration file.
resolve modus: Präfix-based
KPN-Präfix: uniquename
KPN-Suffix: dn
Testauflösungsmodus, enter the J2EE user name e.g. j2ee-SID.
“Prüfen – Kerberos Principal Name j2ee-Q2B@DOMAIN.DE wird aufgelöst in Benutzer j2ee-SID in UME”

After the testing the resolution mode continue with the next step. I prefer to create a new template and assign this template later on to my ticket component.
*activate password Fallback
*activate SSO mit SAP-Anmeldetickets

Restart your SAP J2EE Engine before you start using SPNego authentication.
Now the final step left is to assign the spnego template we created to the ticket component via the Visual Administrator.
cd /usr/sap/SID/DVEBMGSxx/j2ee/admin
./go
Logon with user j2ee_admin, go to “SID”, “Server”, “Services”, “Security Provider”. on the right side click to “ticket”. Switch to edit mode. Authentication template: “spenego”

That should be it!
Test it…
http://hostname.domain.de:port then click to SAP NetWeaver Administrator for example.

Now you should be able to access the portal via SPNego. If it is not working, then please have a look at the continues troubleshooting-pages they will coming soon!
If you have any question about that, so feel free to contact me or visit help.sap.com

Assigned tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member
      Could you please elaborate why this step is actually required? I understand that the same user exists over the ADS.

      Thanks,
      Rosun

      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Dear Rosun,

      exactly! You're right. This step is not required. I'll adjust my entry accordingly. Sorry for any inconvenience caused.

      Regards,
      Gerd

      Author's profile photo Former Member
      Former Member
      Thanks for the prompt reply.

      What are the following steps/checks to be done? How is it done really?

      *activate password Fallback
      *activate SSO mit SAP-Anmeldetickets

      Regards,
      Rosun