
HowTo: New Implementation of SPNego in Freshly Installed SAP NW EP7.3x – it’s as easy as abc

Why This Blog:

Although as a Basis Technician I am very familiar with configuring and troubleshooting SPNego on EP 7.0x, recently when configuring SPNego on EP7.3x using the new SPNego wizard I ran into a few problems.

The basic root of my problems, as solved through an OSS Message to my new best friend Dimitar Dimkin at SAP, was that when the SPNego didn’t immediately work, I began implementing steps from the SPNego procedure for EP7.0x, motivated by the doubt that because the procedure with the new SPNego wizard had been so easy, perhaps there were some steps missing.

The lessons learned are: the new SPNego wizard really makes the task easy, and if you are an oldy, used to the older procedures for implementing SPNego, then you need to forget most of what you did in the past and work with the new SPNego wizard with a clear head.

Some interesting changes to SPNego in NW7.3x are that:

. there is no keytab in the filesystem; the service user’s keys are now stored in the database

. the SAP JVM does not ship the ktab and klist tools (if you really want them they are in Oracle’s JDK 1.6), and ktpass is a Windows Server tool, not a JVM tool

. you no longer need the old commands like ktpass; the wizard derives the keys from the service user’s password

. you must not touch the User Principal Name of the service user once it is configured in Active Directory, otherwise the stored keys no longer match

Supporting Documentation:

. OSS Note: SAP Note 1488409 – New SPNego Implementation

. SPNegoDocumentation.pdf (which is attached to the OSS Note)

Assumption:

. You are working with a freshly installed NW EP7.3x system, not a system that has been upgraded

. SPNego has never been configured on this system

. KDC (Key Distribution Center) refers to the domain controller, which in this case is Active Directory

Step 1:  Prepare and Create the Service User to Identify the AS Java instance on the KDC

[This section is pretty much a verbatim copy of Dimitar Dimkin’s PDF document attached to OSS Note 1488409]

[The username is CASE SeNsItIvE: whatever CaSe is used in the Active Directory, the same CaSe must be used in the SPNego Wizard configuration of the Portal]

Assumptions

. The Windows domain name is IT.CUSTOMER.DE

. The fully qualified domain name (FQDN) of the AS Java engine host is hades.customer.de

. The AS Java engine has an additional alias su3x24.customer.de

. The AS Java engine instance is D21

Configuration steps on the Active Directory Server

1. Create a service user named “j2ee-d21-hades”

2. Select the “Password never expires” check box on the user’s account

3. Make sure the “Use DES encryption types for this account” check box is not selected

4. From the command line, execute the following commands to register Service Principal Names (SPNs) for the AS Java engine host name and alias on the service user “j2ee-d21-hades”:

setspn -a HTTP/hades.customer.de j2ee-d21-hades

setspn -a HTTP/su3x24.customer.de j2ee-d21-hades

Doing so registers both the host name and the alias as SPNs of the service user in the ADS

5. To check the configuration, execute the following command from the command line for every SPN that you registered:

ldifde -r "(servicePrincipalName=HTTP/hades.customer.de)" -f out.txt

ldifde -r "(servicePrincipalName=HTTP/su3x24.customer.de)" -f out2.txt

Execute the command for every single SPN you registered to the service user and check the generated files.

The output of each invocation must contain exactly one entry: the service user created earlier, j2ee-d21-hades in the example. In other words, every SPN must be unique in the forest; a duplicate SPN leaves the KDC with two candidate accounts and the Kerberos logon fails.

[The reason for NOT selecting DES encryption for the user is that DES is no longer supported on the latest versions of Active Directory. If your AD team still runs older versions and your user is created with DES encryption, then later, when the AD team upgrades the domain controllers, your Kerberos logon will stop working unless you keep track of their upgrade project, because the user’s DES keys will no longer be accepted by the upgraded Active Directory. The advice is to use RC4 encryption, which uses 128-bit keys.]
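The whole of Step 1 as one script, added here as an example; it is not part of Dimitar Dimkin’s document or of the original post. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT) in place of the GUI, setspn and ldifde, and assumes the names from the assumptions above (domain IT.CUSTOMER.DE, host hades.customer.de, alias su3x24.customer.de, instance D21, service user j2ee-d21-hades). The UPN, description and the Test-SpnUniqueness function are my choices, not from the note.

```powershell
# Added example, not from the original post: provisions the AS Java service user
# on the KDC (Active Directory), registers its SPNs and verifies that every SPN
# resolves to exactly one account. Names follow the post's assumptions.
Import-Module ActiveDirectory

$ServiceUser = 'j2ee-d21-hades'
$Spns        = @('HTTP/hades.customer.de', 'HTTP/su3x24.customer.de')

# Step 1 + 2: create the service user with "Password never expires". Read-Host keeps
# the password out of the script and the shell history. The UPN is set once here
# and must not be changed afterwards (the wizard's stored keys depend on it).
$Password = Read-Host -AsSecureString -Prompt "Password for $ServiceUser"
New-ADUser -Name $ServiceUser -SamAccountName $ServiceUser `
    -UserPrincipalName "$ServiceUser@it.customer.de" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Kerberos/SPNego service user for AS Java instance D21 on hades (assumed text)'

# Step 3: "Use DES encryption types for this account" must stay OFF; the wizard
# derives RC4 (128-bit) keys from the password, DES is never needed.
Set-ADAccountControl -Identity $ServiceUser -UseDESKeyOnly $false

# Step 4: one SPN per host name the browser may use, all on the same account.
Set-ADUser -Identity $ServiceUser -ServicePrincipalNames @{ Add = $Spns }

# Step 5: every SPN must be owned by exactly one object in the forest, and that
# object must be our service user. Returns $true only if all SPNs pass.
function Test-SpnUniqueness {
    param([string[]] $SpnList, [string] $ExpectedOwner)
    $ok = $true
    foreach ($spn in $SpnList) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                    Select-Object -ExpandProperty sAMAccountName)
        if ($owners.Count -ne 1) {
            Write-Warning "$spn is registered on $($owners.Count) objects: $($owners -join ', ')"
            $ok = $false
        } elseif ($owners[0] -ne $ExpectedOwner) {
            Write-Warning "$spn belongs to $($owners[0]), not $ExpectedOwner"
            $ok = $false
        } else {
            Write-Host "$spn -> $($owners[0]) (unique)"
        }
    }
    return $ok
}

if (-not (Test-SpnUniqueness -SpnList $Spns -ExpectedOwner $ServiceUser)) {
    throw 'SPN check failed; fix the duplicates before running the SPNego wizard'
}

# Forest-wide duplicate scan independent of the list above (setspn ships with Windows Server).
setspn -X
```

Run it as a domain administrator. setspn -a (and Set-ADUser above) register an SPN without checking whether another object already owns it, which is why the verification step exists; on Windows Server 2008 and later, setspn -S refuses to add an SPN that already exists in the forest.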

Step 2:  Run the SPNego Wizard

SPNego Wizard Url: http(s)://Your-Portal-Server:Port/spnego

/wp-content/uploads/2013/01/image001_172591.png

Click Add -> Manually

On the next screen:

/wp-content/uploads/2013/01/image003_172656.png

Enter the Realm, which is the Kerberos realm of the domain controller (the Active Directory domain name in upper case, e.g. YOURCOMPANY.COM; realm names are case sensitive)

It is not a requirement to enter a Description

Click NEXT

On the next screen:

/wp-content/uploads/2013/01/image005_172658.png

Enter the Username and Password of the Service User created in Step #1

Remember, the username is CASE sensitive and must match exactly the CASE the user has in the Active Directory user store

Click NEXT

On the next screen:

/wp-content/uploads/2013/01/image007_172659.png

Uncheck the DES encryption type: the service user was created without DES in Step 1, so it is not needed

Click NEXT

On the next screen:

/wp-content/uploads/2013/01/image009_172660.png

Select your Mapping Mode; if your UME user store is Active Directory you can leave the standard setting shown in the screenshot

Click FINISH

On the next screen:

Click the ENABLE button, and then the STATUS will be GREEN

/wp-content/uploads/2013/01/image011_172661.png

/wp-content/uploads/2013/01/image013_172662.png

Step 3:  Adjust the Authentication Stack

NWA Url: http(s)://YourPortalServer:Port/nwa

/wp-content/uploads/2013/01/image015_172663.png

Click Configuration -> Security -> Authentication and Single Sign-On

On the next screen:

/wp-content/uploads/2013/01/image017_172664.png

Select the row TICKET

And then click EDIT

Lower down on the same screen:

/wp-content/uploads/2013/01/image019_172665.png

Click ADD and select SPNegoLoginModule with the Flag OPTIONAL

Then click ADD again:

/wp-content/uploads/2013/01/image021_172667.png

Select CreateTicketLoginModule with the Flag REQUIRED

Next, organise the sequence and Flags for the LoginModules

/wp-content/uploads/2013/01/image023_172669.png

Organise the sequence of the login modules using the Move Up and Move Down buttons and set the Flags according to the screenshot above

And then scroll up the page and click SAVE like in the screenshot below:

/wp-content/uploads/2013/01/image025_172670.png

And you’re done.

Next, test the SPNego logon from a domain-joined client whose browser is configured for integrated Windows authentication.

Troubleshooting

Open the TroubleShooting Wizard url:

http(s)://YourPortalServer:Port/tshw

/wp-content/uploads/2013/01/image027_172671.png

1. Click START DIAGNOSTICS

2. Execute the SPNego logon which is failing

3. Click STOP DIAGNOSTICS

4. Click SHOW COLLECTED TRACES to view the trace file

5. Investigate the errors
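A client-side check to run next to the server trace, added here as an example and not part of the original post. After a failing test logon, run it on the Windows client: if the ticket cache holds no service ticket for the portal SPN, the browser never sent a Kerberos token (wrong SPN, host not in the browser’s intranet zone, NTLM fallback) and the AS Java trace will not show the cause. The klist excerpt embedded below is constructed for an offline run; the SPN and realm are the ones assumed in Step 1.

```powershell
# Added example, not from the original post: parse the Windows klist output and
# confirm a non-DES service ticket for the portal SPN exists in the client cache.
function Get-KerberosServiceTickets {
    param([string] $KlistOutput)
    # klist prints one "Server: <spn> @ <REALM>" line and one
    # "KerbTicket Encryption Type: <etype>" line per cached ticket.
    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput -split "`r?`n") {
        if ($line -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') {
            $current = [pscustomobject]@{ Spn = $Matches[1]; Realm = $Matches[2]; EType = '' }
            $tickets += $current
        } elseif ($current -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$') {
            $current.EType = $Matches[1]
        }
    }
    return $tickets
}

function Test-PortalTicket {
    param(
        [string] $Spn,
        # Default reads the live cache of the current logon session.
        [string] $KlistOutput = (klist | Out-String)
    )
    $ticket = Get-KerberosServiceTickets -KlistOutput $KlistOutput |
              Where-Object { $_.Spn -ieq $Spn } | Select-Object -First 1
    if (-not $ticket) {
        Write-Warning "No service ticket for $Spn in the cache: the browser never sent a Kerberos token"
        return $false
    }
    if ($ticket.EType -match 'DES') {
        Write-Warning "$Spn ticket uses $($ticket.EType); the service user must not be DES-only"
        return $false
    }
    Write-Host "$Spn @ $($ticket.Realm) ticket present, etype $($ticket.EType)"
    return $true
}

# Constructed klist excerpt for an offline run (real output carries more fields).
$Sample = @"
Cached Tickets: (2)

#0>     Client: jdoe @ IT.CUSTOMER.DE
        Server: krbtgt/IT.CUSTOMER.DE @ IT.CUSTOMER.DE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ IT.CUSTOMER.DE
        Server: HTTP/hades.customer.de @ IT.CUSTOMER.DE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
"@
Test-PortalTicket -Spn 'HTTP/hades.customer.de' -KlistOutput $Sample

# Against the live cache, right after a failed test logon in the browser:
# Test-PortalTicket -Spn 'HTTP/hades.customer.de'
```

Run klist purge first if you want a clean cache for the test; the SPN you pass must be the host name exactly as typed in the browser’s address bar, since that is what the client asks the KDC for.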

p.s. for this and more Basis Administration documentation like it, checkout the Portal section of the SCN Wiki

SAP NetWeaver Basis Administrator’s Toolbox


12 Comments


  1. P KK

    Hi Andy,

    Thanks for sharing this document !

    I have NW 7.31 Portal which is planning to configure SSO with SPNego.

    The Java standalone system came from a dual-stack split of NW 7.30 and had an EHP1 upgrade applied to it.

    Its UME is connected to an ABAP back end, and SPNego and single sign-on have never been configured before.

    Can I use this document for the implementation of SPNego for single sign-on with Active Directory?

    Best regards, KK

    1. Andy Silvey Post author

      Hi KK,

      there is a lot of doco available for configuring SPNego when you have an ABAP UME Datasource. I have not done SPNego while having an ABAP Datasource so I cannot give you a yes or no answer to that question.

      Here’s some…

      here

      here

      that should get you started.

      As you do the implementation please give feedback here how it goes and what the special steps and considerations are which make it different to SPNego when AD is the UME datasource.

      Best regards,

      Andy.

      1. P KK

        Hi Andy,

        Thanks for your quick reply.

        Things are getting a little complicated now. My requirement is to configure single sign-on with SPNego for more than one domain (Active Directory servers). In this context, I assumed that I would change the data source from ABAP to AD, since the system supports only one ABAP system as UME data source. My questions now are:

        1. Is it possible to change the existing UME data source from ABAP to AD (more than one AD is my requirement)?

        2. If I connect AD as the UME data source, can I then use your document to configure SPNego?

        Best regards, KK

        1. Andy Silvey Post author

          Hi P KK,

          check this OSS Note:

          OSS 718383 – NetWeaver: Supported UME Data Sources and Change Options

          As far as I understand it is not supported to change UME from ABAP to LDAP/AD.

          Best regards,

          Andy.

          1. P KK

            Thanks Andy,

            Unfortunately SAP Note ‘0000718383’ no longer exists.

            I have to find out some solution for my use case 🙁 . I appreciate your help.

            Best regards, KK

  2. Eli Daniel Ramones Silva

    Hi Andy, thanks for document.

    Andy, I need your help. I have configured SPNEGO but it displays the following error:

    Error during generation of encryption key with type AES256-CTS-HMAC-SHA1-96: Illegal key size. Check the crypto policy file in use and also SAP Note 1240081

    I checked the crypto and it is good; in this instance SSL is configured and active.

    Can you help me?

    Best Regards,

    EDRS

    1. Sampath Kumar

      Hi Andy,

      I followed your steps but I was not successful,

      so I collected the trace file with Start Diagnostics. Please find the trace log below:

      Time | Severity | User | Thread | Location | Message

      11:04:58:585 | Path | Guest | SAP_AFScheduler.Worker | …tion.programmatic.getLoggedInUser() | Entering method

      11:04:58:595 | Debug | Guest | SAP_AFScheduler.Worker | …tication.programmatic.getAuthscheme | Trying to get subject from security session.

      11:04:58:596 | Info | Guest | SAP_AFScheduler.Worker | …tication.programmatic.getAuthscheme | No authentication template attached to session/subject

      11:04:58:596 | Path | Guest | SAP_AFScheduler.Worker | …(Principal, IUser, Subject, String) | Entering method

      11:04:58:596 | Debug | Guest | SAP_AFScheduler.Worker | …thentication.programmatic.getTicket | Does not have private credentials

      11:04:58:597 | Debug | Guest | SAP_AFScheduler.Worker | …(Principal, IUser, Subject, String) | Ticket string is not available.

      11:04:58:597 | Debug | Guest | SAP_AFScheduler.Worker | …(Principal, IUser, Subject, String) | Does not have any public credentials

      11:04:58:597 | Path | Guest | SAP_AFScheduler.Worker | …tion.programmatic.getLoggedInUser() | Exiting method with Guest

      Can you help me to resolve this issue?

      Regards,

      Sampath Kumar S.

