Skip to Content

Introduction:

As of Windows Server 2008 and Windows Server 2012 Active Directory will not be supporting DES encryption by default, in favour of stronger encryption eg RC4. This is explained in Microsoft (MS) Knowledge Base Article (KBA) : http://support.microsoft.com/kb/977321 .

SPNego/Kerberos in SAP NetWeaver 7.0x systems has been supporting DES encryption by default.

For any  SAP NetWeaver 7.0x systems which use SPNego/Kerberos with an Active Directory (AD) Service User which is using DES encryption, if the AD is upgraded to Windows Server 2008 or Windows Server 2012 the Kerberos/SPNego from SAP NW 7.0x will no longer work because of DES encryption not being supported by default.

This procedure explains all of the steps to change the AD Service User from DES encryption to RC4 encryption and restore the successful Kerberos/SPNego implementation on the SAP NW 7.0x system.

There is a work around from Microsoft for the AD to continue supporting DES and it is explained in MS KBA: http://support.microsoft.com/kb/977321

These are the most useful SAP OSS Notes relating to this activity:

. SAP Note 1396724 – SPNEGO fails with Vista SP2,Windows 7,Windows Server 2008 R2

. SAP Note 1457499 – SPNego add-on – checkout attached zip file relating to you NW version,

as it contains the Addon binaries and a pdf describing the steps involved

This procedure is oriented towards SAP NW EP 7.0x.

Please note this procedure is time critical and will cause a temporary outage of SPNego in the Portal, therefore, this procedure needs to be executed in close cooperation with the AD Team, especially the step of deleting the existing AD User and creating the new AD User, because when the old User is deleted SPNego will stop working and will not work until the whole procedure is completed.

Nb. This procedure involves deleting the AD User and creating new AD User, this is because the AD User cannot be copied to a new AD User because two AD Users cannot have the same SPN’s according to

     . OSS Note 1313880 – SPNego with DNS aliases

Step 1, Prepare the AD User

1a, Check and Confirm which AD User you are using in the Portal UME.

Logon to Portal, Navigate -> System Administration -> System Configuration -> UME -> LDAP ->

Portal UME Check AD Username.JPG

There you can see the name of the AD User.

1b, Make a note of the password for the AD User

1c, Contact the AD Team and ask them to make a note of the SPN’s (Service Principal Names) configured in AD for this User

**************** NB, once you do step 1d) you have a system outage and certainly SPNego will not work until

You complete this procedure, therefore take care before doing step 1d) ******************************************

1d, Ask AD Team to

. DELETE this User

. Make a NEW CREATION the SAME User

. Give the NEW User the original Password

. Give the NEW User the original SPN’s

Step 2, Remove SPNegoLoginModule from Ticket Authentication Stack

. Open the Visual Administrator, navigate -> Server -> Services -> Security Provider -> Ticket -> Remove SPNegoLoginModule from the Ticket authentication stack and SAVE:

Visual Administrator Security Provider.JPG

Step 3, Undeploy SPNego using the Software Deployment Manager

. Open the Software Deployment Manager – SDM

            /usr/sap/SID/JCxy/SDM/program/RemoteGui.sh

           

            Connect to your Instance SDM Port using SDM Password

            Click on theUnDeployment tab

            Select ‘sap.com/tc~sec~auth~spnego~wizard’ for UnDeployment and UnDeploy

SDM Undeploy SPNEGO.JPG

. After successful UnDeployment then RESTART Java, purists might argue this is not necessary but a restart

never hurts after an undeployment

Step 4, Delete the KeyTab and Instance KRB5 files

cd to /sapmnt/SID/global/Kerberos

rm the keytab and the Instance directory – rm everything in /sapmnt/SID/global/Kerberos

Unix RM KeyTab and Instance KRB5 directory.JPG

Step 5, Use the SDM to Deploy the New SPNego Addon files

. Open the Software Deployment Manager – SDM

            /usr/sap/SID/JCxy/SDM/program/RemoteGui.sh

           

            Connect to your Instance SDM Port using SDM Password

            Deploy these files in this order one by one:

      1. sap.com~spnego.cfg.wd.ear

                 2.   spnego.cfg.sda

                 3.   spnego.lm.sda

            After successful Deployment, RESTART Java

Step 6, Install Oracle/Sun JDK 1.6

            Download the Oracle/Sun JDK 1.6 from this link:

            http://www.oracle.com/technetwork/java/javase/downloads/jdk6downloads-1902814.html

Download Oracle Sun JDK.JPG

Download the version for Windows x86

            Install JDK 1.6 on YOUR pc

Step 7, Use the Oracle 1.6 JDK on YOUR pc to create a KeyTab file

(you will need the password for the AD Service User for this step)

. open a command cmd window on your pc ->  START -> run -> cmd

. cd to the Oracle JDK 1.6  / jre / bin /  directory

. execute the following commands and enter the AD Service User password when requested:

ktab -a SPN -k keytab

ktab -a SPN -k keytabktab -a SPN -k keytab

PLEASE NOTE – these commands are respective to EACH SAP Portal you work on

Running KTAB from Oracle JDK 16 on Windows PC and klist.JPG

Step 8, Copy the keytab File from YOUR PC to SAP Portal Unix/OS

. the keytab file which you created in Step #7, copy that file to

            /sapmnt/SID/global/Kerberos

Step 9, Add Back The  SPNegoLoginModule from Ticket Authentication Stack

. Open the Visual Administrator, navigate -> Server -> Services -> Security Provider -> Ticket -> ADD SPNegoLoginModule from the Ticket authentication stack and SAVE:

Visual Administrator Security Provider.JPG

Step 10, Run the SPNego Wizard in the Portal

. Logon to your Portal using the NEW SpNego url

            http://HOSTNAME:PORT/spnego2/cfg

Click ADD

Enter the name of the Realm

SPNego NEW wizard Add Realm 1.JPG

Click OK

Click EDIT

SPNego NEW wizard EDIT Realm.JPG

Configure the UserMapping Mode and Source as shown in the picture below

SPNego NEW wizard EDIT Realm.JPG

Now click on the KEYS tab as shown in the picture below:

SPNEgo NEW wizard KEYS tab.JPG

Next Step, IMPORT the KeyTab which you created on your PC

SPNego NEW wizard IMPORT KeyTab.JPG

a)     Click ADD

b)    Click Browse and browse to the location of the keytab file

c)     Click IMPORT

d)    Using the CheckBoxes select ALL of the RC4 keys

e)     Click OK

Next, click ENABLE and then click SAVE

SPNego NEW wizard ENABLE and SAVE Realm.JPG

And then you should see the green light as shown in the screenshot below:

SPNego NEW wizard everything saved and green.JPG

and now you’re done 🙂

Now you can  test the Kerberos Single Sign On eg, from Citrix.

Have fun with the Portal.

All the best,

Andy.

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

    1. Andy Silvey Post author

      Hi Supriya,

      I’ve just been through this fun and I thought it would make a useful blog for others, because for sure, there are going to be a lot of people affected by this, and I wonder how many of them are really aware of what is coming when their AD Teams upgrade AD to Windows Server 2008 & 2012.

      All the best,

      Andy.

      (0) 

Leave a Reply