
PURPOSE

I had been keeping an SAP HANA instance on AWS (Amazon Web Services) for a few months. I never did anything exciting with it until I was asked to demonstrate something for a university assignment (bco6181). There, I thought I could try integrating the SAP HANA instance with Windows Active Directory for single sign-on. Unfortunately, I was not successful, but I completed most of the configuration. It was a good experience and an effort that I cannot forget.

Note: I followed the following guide to perform these steps:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/303bf0c3-ad5c-3010-df84-882747341e88?overridelayout=true

INFRASTRUCTURE


My infrastructure included following

SAP HANA Instance – HANA – Rev 48

Windows Server 2008 R2 – DC (Domain Controller) – hosting the AD (Active Directory) services.

Windows Server 2008 R2 – CLIENT – with SAP HANA Studio installed.

One VPC (Virtual Private Cloud) – 10.0.0.0/24 – The machines (instances) above were given fixed IP addresses in this range and were networked together.

HANA – 10.0.0.10 – Kerberos client

DC – 10.0.0.11 – Kerberos server (KDC)

CLIENT – 10.0.0.12 – HANA Studio installed

Please see the following video to confirm the configuration and connectivity between these machines.


I did not show two things in the above video for security reasons. When you create an instance in a VPC it is bound to the default security group and network ACL (access control list). New instances will not talk to each other until you change the inbound and outbound rules in this security group. You can tune the security group to allow only specific protocols. In my case, I did the following:

Security Group: hana-access

Anything between machines – allow

RDP access to Windows Machine from my home IP address – allow

SSH access from my home IP address – allow

All three machines were talking to each other. You could see that DNS was working fine, as they were able to ping each other by hostname. On the HANA instance, I had to edit /etc/resolv.conf and add these lines (instead of the lines provided by the AWS instance template):

search TESTDOMAIN.COM

nameserver 10.0.0.11

I also made sure that the clocks on all three machines were synchronised and correct (one of the requirements for Kerberos authentication, which rejects tickets outside the allowed clock skew).

CREATING SPN & KEYTAB FILE – DC

I created a domain user HANASSO to register the SPN (service principal name) and later created the keytab file from it. Please see the following video.

IMPORTING KEYTAB FILE TO HANA

I used WinSCP to copy the keytab file from DC to HANA.

CREATING KEYTAB FILE & CONFIGURING KRB5.CONF – HANA

I created the keytab file (/etc/krb5.keytab) on the HANA instance and then tested authentication by obtaining a Kerberos ticket from the DC. It worked. Please see the following video:

https://youtube.com/watch?v=2VbJJtvx9r8
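As an added example (not from the post or the SAP guide it follows), a small Python pre-flight check for the keytab and krb5.conf step above: it renders a minimal krb5.conf for the post's realm and KDC and parses a `klist -kt` listing to catch the keytab problems that usually break HANA SSO before HANA Studio is even tried. The HANA hostname, the `hdb/<fqdn>@REALM` form of the service principal and the klist listing are assumptions and constructed sample data.

```python
import re

REALM = "TESTDOMAIN.COM"           # Kerberos realm / DNS domain used in the post
KDC = "10.0.0.11"                  # the DC, which is the Kerberos server in the post
HANA_FQDN = "hana.testdomain.com"  # assumed FQDN of the HANA host (not in the post)
HANA_SPN = f"hdb/{HANA_FQDN}@{REALM}"  # assumed form of the HANA service principal

def render_krb5_conf(realm=REALM, kdc=KDC):
    """Minimal /etc/krb5.conf that points the HANA host at the AD KDC."""
    body = ["[libdefaults]", f"    default_realm = {realm}",
            "    dns_lookup_kdc = false", "", "[realms]", f"    {realm} = {{",
            f"        kdc = {kdc}", f"        admin_server = {kdc}", "    }", "",
            "[domain_realm]", f"    .{realm.lower()} = {realm}",
            f"    {realm.lower()} = {realm}"]
    return "\n".join(body) + "\n"

# One data row of `klist -kt`: KVNO, date, time, principal.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")

def parse_klist_keytab(text):
    """Turn a `klist -kt /etc/krb5.keytab` listing into (kvno, principal) pairs."""
    return [(int(m.group(1)), m.group(2))
            for m in map(KLIST_ROW.match, text.splitlines()) if m]

def check_keytab(entries, spn=HANA_SPN):
    """Return the keytab problems to rule out before testing SSO from HANA Studio."""
    problems = []
    principals = [p for _, p in entries]
    if spn not in principals:
        problems.append(f"no entry for {spn}")
    for p in principals:
        if p.split("@", 1)[1] != REALM:
            problems.append(f"{p} is not in realm {REALM} (realm names are case-sensitive)")
    kvnos = {k for k, p in entries if p == spn}
    if len(kvnos) > 1:  # stale entries left behind by re-running ktpass
        problems.append(f"{spn} present with several KVNOs: {sorted(kvnos)}")
    return problems

# Constructed sample, shaped like real `klist -kt` output; the values are made up.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------------------
   3 01/15/2013 10:12:33 hdb/hana.testdomain.com@TESTDOMAIN.COM
"""

if __name__ == "__main__":
    print(render_krb5_conf())
    print(check_keytab(parse_klist_keytab(SAMPLE_KLIST)) or "keytab looks consistent")
```

On the real host, feed it the output of `klist -kt /etc/krb5.keytab` and compare the rendered krb5.conf against what is in /etc.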

CREATING USER ON DC and HANA

I created the user "angads" on the Windows domain controller (authentication server) and then logged on to the machine CLIENT. Later, I created the user "angads" on HANA with the following SQL command in HANA Studio:

CREATE USER "angads" IDENTIFIED EXTERNALLY AS 'angads@TESTDOMAIN.COM';

I gave this user the same roles and privileges as SYSTEM.

TESTING WITH HANA STUDIO

Here, I felt really disappointed: despite so much hard work, I was unable to get HANA Studio to authenticate with the logged-on user's credentials. Please see the video below:

https://youtube.com/watch?v=vjdknoHPyEU

I searched for that error and posted on SCN but did not get any reply. I also tried to contact HANA experts via social media, but still no success. So, if you can help me, please comment.

Anyway, my wife always says "everything happens for a good cause". Later, I used this setup for a different presentation, in which I learnt and demonstrated connecting SAP Visual Intelligence to a HANA analytical model. I have shared my experience in my next blog here.
