Single Sign on between Enterprise portal and Operating System (windows)
This document describes Single Sign-On between the Enterprise Portal and the Windows operating system.
SSO with Windows Integrated Authentication
The Windows Integrated Authentication mechanism allows a user to log on to the SAP NW Portal without entering a username and password on the logon form. Instead, the credentials from the Windows logon are used by the SAP NW AS Java logon process to provide a user name that can be validated against the UME persistence store.
- For more Details see “Course Book EP200 – SAP NetWeaver Portal System Administration”.
- SSO with Windows 7 clients
- From SAP Note 1396724
- DES encryption is not activated by default as an encryption type allowed for Kerberos by Vista SP2 and Windows 7 clients.
- The SPNego login module however requires DES Encryption and supports no other encryption type.
- SAP provides a solution that does not require DES encryption for the usage of the SPNego login module.
The new SPNego Login Module is also available as an add-on solution for customers who are not planning to upgrade to the SP Levels mentioned above in the near future. Please see SAP Note 1457499 for more details.
- If you cannot upgrade to the SP Levels mentioned above and do not want to install the add-on solution described in SAP Note 1457499, the following workaround can be used: since the SPNego Login Module currently requires DES encryption and currently supports no other encryption type, customers have to enable DES support as an encryption type for Kerberos on all Windows 7 client computers and on all Windows Server 2008 R2 domain controllers.
- A procedure for enabling DES encryption types for Kerberos is described in Microsoft Knowledge Base Article 977321: “The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2”.
When you use SPNego (Simple and Protected Negotiation Protocol), authentication is performed by several systems in your landscape, which negotiate the outcome of the authentication process transparently for the user. At a minimum, SPNego authentication involves the following systems:
- Web client – the Web client requests a service or a resource from the AS Java and authenticates against the Kerberos Key Distribution Center. For example, users use a Web browser as a Web client to access Web applications running on the AS Java.
- Kerberos Key Distribution Center (KDC) – the KDC authenticates the user and grants a Kerberos Client/Server Session Ticket that is used for the communication between the AS Java and the user’s Web client.
- SAP Web AS Java – the AS Java uses the Generic Security Service Application Programming Interface (GSS-API), provided by the Java Virtual Machine (JVM), and the User Management Engine (UME). The GSS-API is used to acquire the negotiated security context with the Kerberos ticket issuer, and the UME is used to retrieve the identity management information for the user authenticated with Kerberos. Subsequently, the AS Java provides access to the services or resources requested by the Web client.
For more information about the Kerberos systems landscape and infrastructure, see Kerberos V5 Administrator’s Guide.
The systems involved in the SPNego authentication process share user information. Therefore, to enable the AS Java to use SPNego authentication you have to configure several systems including the KDC, the AS Java and its UME, as well as the Web client.
1st Step: Create an ADS User
The first step is to configure a service user in the LDAP directory. For my screenshots I used a J2EE Engine that I attached (or will attach) to a Microsoft ADS.
1. Create a user in the ADS
2. Enable the “Password Never Expires” option for this user.
3. Enable the “Use DES encryption” option for this user.
Now go to step 2 and set the service principal names (SPNs) for this user. An SPN has to be registered for every URL / DNS alias you are going to use to access the J2EE Engine, and of course for the fully qualified computer name as well. Simply repeat the step for each name. The command to add a service principal name is: setspn -A HTTP/servername username
2nd Step: Key Distribution Center Configuration
The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket, which is used for the communication between the Web client and the AS Java. For this reason, the KDC maintains a directory of the users that can access AS Java resources for a Kerberos Realm.
Note: The configuration steps are specific to the KDC that you use. For more information, see the documentation provided by your KDC vendor. If you use a Sun JDK to run the J2EE Engine and the KDC is a Windows 2000 Domain Controller with ADS, you also have to disable delegation in the ADS to avoid errors during ticket verification.
The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) for a user store.
1. The service user from step 1 is already created. It is needed to identify the AS Java instance on the KDC.
For the purpose of this example we assume that:
- The KDC is a Microsoft Windows Server 2003 Active Directory Server
- The Windows Domain Name
- The fully qualified host name of the AS Java
- The AS Java has an additional alias.
Procedure: Configuration steps on the DC
1. From a command line, enter the following command to register service principal names (SPNs) for the AS Java host name and alias and map them to the service user.
Procedure: Check the Configuration
To check the result of the configuration, enter the following command line for each SPN you registered. The output of this command is one entry which points to the previously created service user.
3rd Step: Configuring the UME
Depending on the data source it uses, the UME of the AS Java can be configured to use several modes to resolve the user from the Kerberos Principal Name (KPN).
Information about Resolution Mode
The UME can use the following resolution modes to determine the user account from the KPN:
- none: for this mode, the user’s logon ID attribute in the UME must be identical to the Kerberos Principal Name (KPN) attribute in ADS.
Note: When the UME is configured to use an ADS data source, do not use this resolution mode if the logon ID attribute corresponds to the samaccountname attribute in the Active Directory.
- simple: When you use this mode you can specify which UME user attribute matches the KPN. This can be any existing UME attribute or a new one. We recommend that you create a new attribute named krb5principalname, which corresponds to the KPN.
- prefixbased: For this mode, the UME searches for a user based only on the KPN prefix. The algorithm works as follows:
- Kerberos authentication yields a KPN, for example Vijay@AUTO.TEST.COM.
- SPNegoLoginModule splits the KPN into the parts Vijay and AUTO.TEST.COM and performs a search in the UME for a user with uniquename=Vijay. If the search result is unique, it is returned as the logon user ID to the UME.
- If the result is not unique, SPNegoLoginModule uses the user’s attribute distinguishedName to exclude from the search those users who are not in the domain AUTO.TEST.COM.
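The three resolution modes can be hard to tell apart from the descriptions alone, so here is an added example (my own illustration, not SAP's code or part of the original document) that models them against a constructed in-memory user store. The attribute names logonid, uniquename, distinguishedName and krb5principalname follow the text above; the two sample users, their DNs and the case-insensitive uniquename comparison are assumptions made for the example. It shows the prefixbased fallback to distinguishedName when the same uniquename exists in two domains, and why the none mode finds nothing when the logon ID is a plain account name rather than the full KPN.

```python
"""Resolving a Kerberos Principal Name (KPN) to a UME user.

Added example, not SAP's code: an in-memory model of the three UME
resolution modes (none, simple, prefixbased), run against a constructed
user store. Attribute names (logonid, uniquename, distinguishedName,
krb5principalname) follow the page; the user records and DNs are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ResolutionError(Exception):
    """The KPN matched no user, or more than one user."""


@dataclass
class UmeUser:
    logonid: str
    uniquename: str
    distinguished_name: str
    attributes: Dict[str, str] = field(default_factory=dict)


def dn_domain(dn: str) -> str:
    """Rebuild the DNS domain (upper-cased) from the DC= components of an LDAP DN."""
    labels = [part.split("=", 1)[1] for part in dn.split(",")
              if part.strip().upper().startswith("DC=")]
    return ".".join(labels).upper()


def resolve(kpn: str, users: List[UmeUser], mode: str,
            attr: str = "krb5principalname") -> str:
    """Return the UME logon ID for a KPN using the given resolution mode."""
    if mode == "none":
        # The logon ID must be identical to the full KPN.
        hits = [u for u in users if u.logonid == kpn]
    elif mode == "simple":
        # A dedicated UME attribute (krb5principalname by default) holds the KPN.
        hits = [u for u in users if u.attributes.get(attr) == kpn]
    elif mode == "prefixbased":
        # Split "Vijay@AUTO.TEST.COM" into prefix and realm and search by prefix.
        # The uniquename comparison is treated as case-insensitive (assumption).
        prefix, _, realm = kpn.partition("@")
        hits = [u for u in users if u.uniquename.lower() == prefix.lower()]
        if len(hits) > 1:
            # Ambiguous prefix: keep only users whose DN lies in the realm's domain.
            hits = [u for u in hits
                    if dn_domain(u.distinguished_name) == realm.upper()]
    else:
        raise ValueError(f"unknown resolution mode: {mode}")

    if len(hits) != 1:
        raise ResolutionError(f"{kpn}: {len(hits)} matching users in mode {mode}")
    return hits[0].logonid


# Constructed sample store: the same uniquename exists in two domains.
USERS = [
    UmeUser("vijay", "vijay", "CN=vijay,OU=Users,DC=auto,DC=test,DC=com",
            {"krb5principalname": "Vijay@AUTO.TEST.COM"}),
    UmeUser("vijay.lab", "vijay", "CN=vijay,OU=Users,DC=lab,DC=test,DC=com",
            {"krb5principalname": "Vijay@LAB.TEST.COM"}),
]


def resolve_or_none(kpn: str, mode: str) -> Optional[str]:
    """Resolve against the sample store, returning None instead of raising."""
    try:
        return resolve(kpn, USERS, mode)
    except ResolutionError:
        return None


if __name__ == "__main__":
    for mode in ("none", "simple", "prefixbased"):
        print(mode, "->", resolve_or_none("Vijay@AUTO.TEST.COM", mode))
```

Running the module prints None for none (no logon ID equals the full KPN), vijay for simple (matched through krb5principalname) and vijay for prefixbased (two users share the prefix, and the DN filter keeps the one in AUTO.TEST.COM).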
Use this topic to modify the data source configuration of the user management engine (UME) for using non-ADS data stores with Kerberos authentication. For this scenario, the resolution mode used is simple. To make the required settings, use the Config Tool.
1. Start the Config Tool by double-clicking the configtool script file in the <SAP_install_dir>/<system_name>/<instance_name>/j2ee/configtool directory.
2. Open the template configuration and choose Services -> com.sap.security.core.ume.service.
3. Select the property ume.admin.addattrs.
4. In the Custom Value field enter krb5principalname. This attribute is used for resolving the user from his or her KPN.
5. To save the new value of the property, choose Set Custom value.
6. Restart the AS Java instance.
4th Step: Wizard-based Configuration for Kerberos Authentication
You can use the SPNego configuration wizard to enable SPNego authentication for all users belonging to a Kerberos Realm to log on transparently to the AS Java with Single Sign-On.
Kerberos authentication on the AS Java uses Kerberos infrastructure functions that are an integral part of the Microsoft Windows 2000 and higher operating systems (OS).
There are two ways to start the wizard:
- As a standalone application from a Web browser using the following URL: http(s)://<host>:<port>/spnego.
- In the SAP NetWeaver Administrator by following the path System Management -> Configuration -> SPNEGO Configuration Wizard.
Using the wizard from a web browser
To access the SPNego wizard, open the URL http://<Server>:<port>/spnego. If it is not installed, look at the following SAP Notes: 968191 – SPNego Central Note and 994791 – Wizard-based SPNego configuration.
Step 1 of 4/5: Prerequisites
In this step all prerequisites for the configuration of Kerberos authentication are listed. Check the prerequisites and mark the corresponding checkboxes. Click the Next button.
Step 2 of 4/5: Kerberos Realm
- Add Kerberos Realm
- Add KDCs (Key Distribution Centers):
- Enter a principal: e.g. TEST@TEST.com and the password
- Press Next. If you receive an error message (LDAP user not found; Kerberos Realm is wrong or there is no such service user), the connection data is wrong.
Step 3 of 4/5: Resolution Mode
- Choose simple from the drop down box
- Enter the name of your KPN attribute in the text field, in our case krb5principalname
- Enter the name of a portal user in the text field and click the check button. If everything is OK you will get a message like: Kerberos principal name xyz@AUTO.TEST.COM is resolved to user xyz in UME
- You have to fill in the krb5principalname of the tested user in the UME before you can test it. The attribute krb5principalname is listed on the tab Customized Information in the UME.
Step 4 of 4/5: Confirmation
- In this confirmation step all configurations are listed in a summary. Check the values again and click on Finish if everything is correct. Otherwise you can always go back to the previous step.
- You have to restart the J2EE instance after you have saved your settings.
Step 5 of 5: Final Result
This step only appears when you run the SPNego configuration for the first time. Don’t wonder why only four configuration steps (instead of five) are available when you start the tool a second time. Just delete the folder kerberos (\usr\sap\SID\SYS\global\kerberos) and you can almost start from scratch.
5th Step: Visual Admin Configuration
After completing step 4 you can have a look at what the SPNego wizard has done on the server side. Start the Visual Administrator and look at Server -> Services -> Security Provider. A new component com.sun.security.jgss.accept was created, which contains two login modules: Krb5LoginModule and SPNegoMappingLoginModule. Both contain the options you chose when clicking through the wizard. Among other settings, the Krb5LoginModule contains the properties of the Kerberos principal user (service user) and the SPNegoMappingLoginModule the user resolution mode.
Make sure that the flag of both entries is set to SUFFICIENT.
If you are using the Sun JDK for your J2EE Engine, please make sure that you are using JDK 1.4.2_13 and not _14, _15 or _16. Unfortunately all these versions contain a bug that prevents Kerberos from working, see Note 1057474 – NullPointerException in Krb5LoginModule. As a workaround for this bug it is necessary to configure a property in the Krb5LoginModule:
isInitiator = false
Then there is also the spnego template, which contains the login modules required for a successful logon. The first entry is the EvaluateTicketLoginModule (com.sap.security.core.server.jaas.EvaluateTicketLoginModule). This login module checks whether you already have a valid SAPLogonTicket (in a federated portal scenario this ticket could also come from another portal; if you have chosen to trust that portal, the check succeeds and, because of the flag SUFFICIENT, the remaining modules are simply skipped). If the EvaluateTicketLoginModule does not succeed, the next login module is used: SPNegoLoginModule. This module performs the actual SPNego / Kerberos check. Its flag is REQUISITE, so if it succeeds the stack continues with the next login module. When this login module succeeds, the last login module, CreateTicketLoginModule, is executed. This time a SAPLogonTicket is created, so the next time you access the portal the EvaluateTicketLoginModule succeeds right away. (For a more detailed description of what the different flags mean, see SAP Help: http://help.sap.com/saphelp_nw70/helpdata/en/d0/ee244134a56532e10000000a1550b0/frameset.htm)
1. The settings of the modules are shown in the next screenshot.
2. Set the Authentication Template of the component ticket to “spnego”. All changes have to be made directly in the spnego component. If there are problems with the SSO configuration you have to set the flag REQUISITE of the SPNegoLoginModule to SUFFICIENT.
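The interplay of the SUFFICIENT and REQUISITE flags decides which module of the spnego template runs on a given request, so here is an added example (my own illustration, not SAP's code or part of the original document) that simulates the stack with the standard JAAS flag semantics the SAP Help page describes. The module bodies only consult booleans in a context dict instead of checking real SAPLogonTickets or Kerberos tokens, the user name vijay is constructed, and the flag of CreateTicketLoginModule, which the text does not state, is assumed to be OPTIONAL.

```python
"""Simulating a JAAS login module stack with control flags.

Added example, not part of the original page or SAP's code: a small model
of how the flags REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL steer a
login module stack such as the spnego template (EvaluateTicketLoginModule,
SPNegoLoginModule, CreateTicketLoginModule). Module outcomes come from
booleans in a context dict rather than real ticket or Kerberos checks.
The flag of CreateTicketLoginModule is assumed to be OPTIONAL.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Module:
    name: str
    flag: str
    login: Callable[[dict], bool]  # True when the module authenticates the user


@dataclass
class Result:
    success: bool
    executed: List[str]  # names of the modules that actually ran


def run_stack(modules: List[Module], ctx: dict) -> Result:
    """Evaluate a login module stack with standard JAAS flag semantics."""
    executed: List[str] = []
    has_required = False     # stack contains a REQUIRED/REQUISITE module
    required_failed = False
    optional_ok = False
    for m in modules:
        ok = m.login(ctx)
        executed.append(m.name)
        if m.flag in (REQUIRED, REQUISITE):
            has_required = True
            if not ok:
                required_failed = True
                if m.flag == REQUISITE:
                    return Result(False, executed)   # abort the stack at once
        elif m.flag == SUFFICIENT:
            if ok and not required_failed:
                return Result(True, executed)        # short-circuit: logon done
            # a failing SUFFICIENT module is simply passed over
        elif m.flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown flag {m.flag}")
    if has_required:
        return Result(not required_failed, executed)
    return Result(optional_ok, executed)


def evaluate_ticket(ctx: dict) -> bool:
    """EvaluateTicketLoginModule: accept an existing, valid SAPLogonTicket."""
    if ctx.get("has_valid_logon_ticket"):
        ctx["user"] = "vijay"          # constructed: user carried in the ticket
        return True
    return False


def spnego(ctx: dict) -> bool:
    """SPNegoLoginModule: accept a successful Kerberos/SPNego exchange."""
    if ctx.get("kerberos_ok"):
        ctx["user"] = "vijay"          # constructed: user resolved from the KPN
        return True
    return False


def create_ticket(ctx: dict) -> bool:
    """CreateTicketLoginModule: issue a SAPLogonTicket for an authenticated user."""
    if "user" in ctx:
        ctx["ticket_created"] = True
        return True
    return False


def spnego_stack(spnego_flag: str = REQUISITE) -> List[Module]:
    """The spnego template, with the SPNegoLoginModule flag adjustable."""
    return [
        Module("EvaluateTicketLoginModule", SUFFICIENT, evaluate_ticket),
        Module("SPNegoLoginModule", spnego_flag, spnego),
        Module("CreateTicketLoginModule", OPTIONAL, create_ticket),
    ]


def logon(spnego_flag: str, has_ticket: bool, kerberos_ok: bool) -> Tuple[bool, List[str], bool]:
    """Run one logon attempt; returns (success, modules executed, ticket created)."""
    ctx = {"has_valid_logon_ticket": has_ticket, "kerberos_ok": kerberos_ok}
    res = run_stack(spnego_stack(spnego_flag), ctx)
    return res.success, res.executed, ctx.get("ticket_created", False)


if __name__ == "__main__":
    print("first visit, Kerberos OK:  ", logon(REQUISITE, False, True))
    print("second visit with ticket:  ", logon(REQUISITE, True, False))
    print("Kerberos fails, REQUISITE: ", logon(REQUISITE, False, False))
    print("Kerberos fails, SUFFICIENT:", logon(SUFFICIENT, False, False))
```

With the template as described, the first visit runs all three modules and issues a ticket, the second visit stops after EvaluateTicketLoginModule, and a failed Kerberos exchange aborts the stack right after the REQUISITE SPNegoLoginModule. Changing that flag to SUFFICIENT (the troubleshooting step above) means a failing SPNegoLoginModule no longer aborts the stack, so any modules placed after it are still reached; under these JAAS semantics it also means a successful SPNegoLoginModule returns immediately, so in this model CreateTicketLoginModule is not executed and no SAPLogonTicket is issued.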
6th Step: Client side configuration
Procedure for Internet Explorer
1. Enable Windows Integrated Authentication in your Web browser: In Internet Explorer go to Tools -> Internet Options -> Advanced -> Security and choose Enable Windows Integrated Authentication (requires restart).
2. Enable automatic logon in Intranet zone: In Internet Explorer go to Tools -> Internet Options -> Security -> Local Intranet -> Custom Level and choose Automatic logon only in Intranet Zone from the section User Authentication.
3. (not mandatory) Add the J2EE Engine’s DNS host name to the list of local intranet sites: In Internet Explorer go to Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced and add the J2EE Engine’s DNS host name to the list.
Procedure for Mozilla Firefox
1. Add the server name to the list of sites which do not use a proxy: Open the proxy settings of your browser. In the field No Proxy for specify the name of the J2EE Engine for which you want to use Kerberos authentication, for example: my_kerberos_server.
2. Allow integrated authentication:
  - In the address bar of your browser, enter the following: about:config.
  - Filter the entries by name using the prefix negotiate.
  - Add the J2EE Engine address to the entries network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, for example: http://hostName.
Mozilla Firefox is now configured to use Kerberos authentication for the required J2EE Engine.
7th Step: Configuration of the Logoff URL
- Set the logoff URL in the Config Tool:
  - In the Config Tool, go to cluster-data -> instanceXXX -> serverXXX -> services.
  - On the right side, change the parameter ume.logoff.redirect.url to https://hostName:PortNumber.
- Change authschemes.xml with the Config Tool:
  - Navigate to cluster_data -> server -> persistent -> com.sap.security.core.ume.service -> authschemes.xml.
  - Right-click the item and choose "show details".
  - Download the file and store it in a safe location.
  - Make a working copy of the file and open it in a text editor.
  - Add the following lines below the first scheme definition (within the <authschemes> tag, below the <authscheme name="uidpwdlogon"> section):
<!-- multiple login modules can be defined -->
<!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
<!-- target object -->
  - Right-click "authschemes.xml" again and choose "change".
  - In the dialog that appears, click Upload and choose the file you just edited.
- Add a new logon module stack (logon template) to the Security Provider:
  - Start the Visual Administrator.
  - Navigate to a server node -> Services -> Security Provider.
  - Switch to "edit mode".
  - Add a new template by clicking "add" below the tree and name it "ticket_nosso".
  - Add the logon modules according to the picture on the right.
Links & Troubleshooting
Here you will find helpful links to SSO topics and common problems. Most of the possible problems are described in Configuring and troubleshooting SPNego – Part 3 (http://scn.sap.com/people/holger.bruchelt/blog/2008/01/24/configuring-and-troubleshooting-spnego–part-3). That document also describes how to use the diagtool for logging and tracing the SPNego process and traffic. Use this tool for debugging SSO.
Helpful documentation about the configuration of SPNego:
- Configuring and troubleshooting SPNego – Part 1
- Configuring and troubleshooting SPNego – Part 2
- Configuring and troubleshooting SPNego – Part 3
Kerberos implementation with ADS made easy
Windows Integrated Authentication via Kerberos on an LDAP data source
Hope this is helpful !!!
Vijay K Kalluri