
This blog will give you details on setting up single sign-on (SSO) with SAP HANA using Kerberos.

Why do we need SSO?

By enabling SSO, users can log in from BO (or any other front-end application) and access the HANA database without providing their login credentials again.

Different teams are involved in this setup (this may vary with your organization's structure):

1) The system administrator needs to install the Kerberos client on the HANA server

2) Active Directory and service account setup is done by the Identity Management Administrator

3) The HANA administrator needs to set up the configuration and create the users

Note: I have greyed out server names and service account names in the screenshots for security reasons.

Kerberos Client Installation:

Please make sure that the Kerberos client and libraries are installed on the HANA database server.

[Screenshot: Kerberos client installation on the HANA server]

Creation of service account:

The Identity Management Administrator needs to create a service user and a Service Principal Name (SPN) for each host in the system. For a scale-out system, create one SPN per host. See the screenshots below.

[Screenshots: service account and SPN creation in Active Directory]

The SPN must have the following syntax:

hdb/<host FQDN>@<REALM>

<host FQDN>: fully qualified domain name of the host; <REALM>: the name of your Kerberos realm

Generating a keytab:

ktpass -princ hdb/<servername.domain>@<REALM> -mapuser <Domain>\<serviceuser> -pass <password> -out <keytabfile>.keytab -ptype <PRINCIPAL> -crypto <CRYPTOGRAPHIC TYPE>

<PRINCIPAL> = KRB5_NT_PRINCIPAL

<CRYPTOGRAPHIC TYPE> = RC4-HMAC-NT


Running the above command generates the keytab file.

HANA admin configuration:

Log in as root and update the krb5.conf file, which is located at /etc/krb5.conf.

Entries in the file:

[libdefaults]
default_realm = <realm>

[realms]
<realm> = {
kdc = <kdc_name>
}

Here <realm> and <kdc_name> are the names of your Kerberos realm and KDC.

The realm is your domain name in uppercase letters, such as DOMAIN_NAME.

Note: if you do not know the above parameters (realm, KDC name, domain name), please contact your Active Directory administrator.

Copy the generated keytab file to the HANA server.

Make sure the file permissions are changed as shown below.

[Screenshot: keytab file on the HANA server with adjusted permissions]
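To verify the three pieces set up so far without touching a real domain, here is an added example (not code from the original post or from SAP): it validates the SPN syntax, parses a krb5.conf in the layout shown above and checks that the copied keytab is not readable by other OS users. The host hana01.example.com, the realm EXAMPLE.COM and the KDC dc01.example.com are constructed placeholders.

```python
"""Added example (not from the original post or SAP): offline sanity checks for
the pieces set up above. Host, realm and KDC names are constructed placeholders."""
import os
import pwd
import re
import stat
import tempfile
from typing import Optional

# SPN syntax from the post: hdb/<fully qualified host name>@<REALM>
_SPN_RE = re.compile(r"^hdb/(?P<host>[^@/\s]+)@(?P<realm>[^@\s]+)$")

# Constructed sample in the one-line form the post shows (a multi-line
# "REALM = {" ... "}" block is parsed the same way).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = { kdc = dc01.example.com }
"""


def validate_spn(spn: str) -> list:
    """Return the problems found in an SPN string (an empty list means it is fine)."""
    m = _SPN_RE.match(spn)
    if not m:
        return ["SPN must have the form hdb/<fqdn>@<REALM>"]
    host, realm = m.group("host"), m.group("realm")
    problems = []
    if "." not in host:
        problems.append("host part must be a fully qualified domain name")
    if host != host.lower():
        # Kerberos principal names are case-sensitive; lowercase host names are the convention.
        problems.append("host part should be lowercase")
    if realm != realm.upper():
        problems.append("realm must be uppercase")
    return problems


def parse_krb5_conf(text: str) -> dict:
    """Minimal parser for the [section] / key = value / NAME = { ... } layout of krb5.conf."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or section is None and not line.startswith("["):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, group = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line == "}":
            group = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value.startswith("{"):
                # Start of a relation group; "REALM = { kdc = host }" on one line is handled too.
                group = key
                conf[section][group] = {}
                inner, closes = value[1:].strip(), value.endswith("}")
                inner = inner.rstrip("}").strip()
                if "=" in inner:
                    k, v = (s.strip() for s in inner.split("=", 1))
                    conf[section][group][k] = v
                if closes:
                    group = None
            else:
                (conf[section][group] if group else conf[section])[key] = value
    return conf


def check_krb5_conf(conf: dict) -> list:
    """Check the relations the post requires: an uppercase default_realm with a kdc."""
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    problems = []
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not uppercase")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        problems.append(f"[realms] has no entry for {realm}")
    elif "kdc" not in realm_block:
        problems.append(f"[realms] entry for {realm} names no kdc")
    return problems


def check_keytab_perms(path: str, owner: Optional[str] = None) -> list:
    """A keytab is a long-term secret: only its owner (the HANA OS user) should read it."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to group/others (mode {stat.S_IMODE(st.st_mode):04o})")
    if owner is not None and pwd.getpwuid(st.st_uid).pw_name != owner:
        problems.append(f"{path} is not owned by {owner}")
    return problems


def demo_keytab_check(mode: int) -> list:
    """Create an empty throwaway file standing in for the keytab, set its mode, check it."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_keytab_perms(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(validate_spn("hdb/hana01.example.com@EXAMPLE.COM"))  # []
    print(check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)))  # []
    print(demo_keytab_check(0o644))  # one entry: accessible to group/others (mode 0644)
```

On a real server you would call check_keytab_perms with the actual keytab path and the <sid>adm user as owner, and parse_krb5_conf on the contents of /etc/krb5.conf. The script does not look at the -crypto value of the ktpass command; RC4-HMAC-NT, the value the post uses, is a legacy Kerberos encryption type, and AES256-SHA1 is what Microsoft recommends today (the service account's supported encryption types in AD must then include AES).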

Creation of the user in HANA:

This can be done via the GUI or via SQL:

CREATE USER Kiran IDENTIFIED EXTERNALLY AS 'Kiran@REALM';

Please assign the appropriate role to this user.

When configuring the user in HANA Studio, please check the "authentication by OS user" option as shown below.

[Screenshot: HANA Studio user settings with authentication by OS user enabled]
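When several AD users have to be mapped, the CREATE USER statement above is usually generated from a list. The following added example (not code from the original post or from SAP) builds those statements and rejects mappings whose principal realm does not match the realm configured in krb5.conf, or whose HANA user name is not a plain identifier; the quote inside the external identity is escaped so a hostile principal cannot break out of the string literal. The realm EXAMPLE.COM and the user names are constructed placeholders.

```python
"""Added example (not from the original post or SAP): builds the CREATE USER
... IDENTIFIED EXTERNALLY AS statement from the post for a batch of Active
Directory users and rejects mappings that would not work or are unsafe to
paste. Realm and user names are constructed placeholders."""
import re

# Unquoted HANA identifiers; anything else is refused rather than quoted.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def external_user_sql(hana_user: str, principal: str, default_realm: str) -> str:
    """Return one CREATE USER statement or raise ValueError for a bad mapping."""
    if not _IDENT_RE.match(hana_user):
        raise ValueError(f"{hana_user!r} is not a plain HANA identifier")
    if principal.count("@") != 1 or principal.startswith("@"):
        raise ValueError(f"{principal!r} must have the form <user>@<REALM>")
    realm = principal.split("@", 1)[1]
    # The external identity has to match the principal name carried in the
    # Kerberos ticket, whose realm is the uppercase realm from krb5.conf; a
    # realm that differs in spelling or case is rejected here instead of
    # failing silently at login time.
    if realm != default_realm:
        raise ValueError(f"realm {realm!r} does not match configured realm {default_realm!r}")
    literal = principal.replace("'", "''")  # standard SQL escaping inside '...'
    return f"CREATE USER {hana_user} IDENTIFIED EXTERNALLY AS '{literal}';"


def build_user_script(mappings, default_realm: str):
    """Return (statements, rejected) for a list of (hana_user, principal) pairs."""
    statements, rejected = [], []
    for hana_user, principal in mappings:
        try:
            statements.append(external_user_sql(hana_user, principal, default_realm))
        except ValueError as exc:
            rejected.append((hana_user, str(exc)))
    return statements, rejected


if __name__ == "__main__":
    # Constructed sample: one good mapping, a lowercase realm, a bad identifier.
    ok, bad = build_user_script(
        [("KIRAN", "Kiran@EXAMPLE.COM"), ("BOB", "bob@example.com"), ("x y", "x@EXAMPLE.COM")],
        "EXAMPLE.COM")
    print("\n".join(ok))
    for user, why in bad:
        print(f"-- skipped {user}: {why}")
```

The generated statements are meant to be reviewed and then run by the HANA administrator; the role assignment the post mentions still has to follow for each created user.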

I hope this information is useful for you. Thank you for reading this blog.

Cheers,

Kiran Musunuru.


11 Comments


  1. Andy Silvey

    Hi Kiran,

    That is an excellent blog, thank you.

    There are also some useful OSS Notes on this subject:

    OSS 1811398 – How to setup BI components to login to hana via AD kerberos SSO

    OSS 1813724 – HANA SSO/Kerberos: create keytab and validate conf

    OSS 1826673 – How to configure LDAP kerberos SSO to hana DB

    All the best,

    Andy.

  2. David Hull

    Great job, Kiran! I know you were an early adopter of HANA and have more experience than most people out there. I look forward to you sharing much more of your wisdom! 🙂

    Cheers,

    David.   

  3. Wolfgang Janzen

    It's worth mentioning that the AD (service) user (to which you can assign multiple SPNs) should have a strong password (cf. WPA2 key).

    Reason: if that password can be guessed (or cracked), it will be possible to request arbitrary Kerberos tokens and thus to impersonate just any user in the same Windows domain.

    PS: same is true for setting up SPNego (e.g. for NWAS Java or ABAP).

  4. Thomas Wenckebach

    Please also consider the official HOWTO "HANA DB SSO Kerberos/Active Directory" in SAP Note 1837331.

    It comprehensively covers

    • Background know-how
    • Preparation steps
    • Step-by-step guidance (with verification for each step)
    • Troubleshooting

    This is complemented by the script hdbkrbconf.py for automatic validation of the Kerberos configuration and creation of the keytab in SAP Note 1813724.

    1. David Wei

      Hi Thomas,

      Good, I am now working on configuring a Kerberos environment for HANA.
      Thanks for your suggestion about the HANA DB SSO Kerberos/AD HOWTO in SAP Note 1837331, but I could not open this document. Would you please copy and send this document to me (weijianping2004@163.com)? Thank you in advance.

      Best Regards,

      David.

      1. Thomas Wenckebach

        Hi David,

        this document is a regular SAP Note. I can’t distribute it via e-mail. If you have issues accessing it, please get in contact with the SAP Note helpdesk.

        Best regards,

        Thomas

  5. Hani Lachnish

    Hi,

    I have a question.

    I have configured SSO on the HANA DB to Active Directory; now I am able to connect to the HANA DB with my system user and it is working.

    But when I try to authenticate to a UIS application activated on the HANA DB, I am not able to log in with an LDAP user, only with a DB user.

    Can you please help me understand whether it is possible to log in with an LDAP user?

    Thanks,

    Hani.

