Skip to Content
Author's profile photo Donka Dimitrova

Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server

Your company is using Secure Login Server (SAP Single Sign-On) for issuing short lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape.

Your company is also using Microsoft Active Directory and now you want to re-use Kerberos tokens, issued by the MS Domain Controller (KDC), for the Single Sign-On with Secure Login Server X.509 client certificates.SPNedo_SLS_Scenario.png

After implementing this scenario, your domain users will have to authenticate only once, using their Microsoft Active Directory credentials, and they will be authenticated automatically to any SAP and non-SAP system, that requires short lived X.509 client certificates and where they have been granted authorizations.

In my new guide SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates you will be able to find step-by-step instructions how to implement this scenario:

SPNedo_SLS_ImplSteps.png

Assigned Tags

      5 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Syed Rasheed
      Syed Rasheed

      Hi,

      We have implemented the exact configuration steps that are published in your document to enable SSO. SSO for ABAP system works fine but SSO for webgui does not work even after maintaining RootCA certificate in STRUST and user is mapped in transaction EXTIN_DN. Could you please advise what am I missing or can you share documentation for enabling SSO for wbgui using " SPNEGO based single sign -on using secure login server X.509 client certificate.

      Thank you in advance.

      Syes Rasheed.

      Author's profile photo Donka Dimitrova
      Donka Dimitrova
      Blog Post Author

      Hello Syes,

      Please, create a CSS message and provide the icm traces. The information, you provide, is not enough to find what you are missing.

      Regards,

      Donka Dimitrova

      Author's profile photo Former Member
      Former Member

      Good Morning Donka

      ihave  ERP 6.0 SR3   using  only  ABAP  System  install     with  all   latest  support  stack but    T-Code  SPNEGO   is not  working . We  do not  install  JAVA Stack.

      Please  review  Screen shot

      /wp-content/uploads/2015/03/test_668518.png

      Thanks

      Tejas

      Author's profile photo Donka Dimitrova
      Donka Dimitrova
      Blog Post Author

      Hello Tejas,

      As mentioned by my colleague in the other post, you have to check the SAP Note: https://service.sap.com/sap/support/notes/1798979.

      Seems you have to update your Kernel if you want to use the T-Code SPNEGO.

      See the supported SAP_BASIS Component Supported Packages:

      Support Packages & Patches

      Support Packages

      Software Component

      Release

      Support Package

      SAP_BASIS

      702

      SAPKB70214

      730

      SAPKB73010

      731

      SAPKB73107

      731

      SAPKB73109

      740

      SAPKB74002

      740

      SAPKB74004

       

      Support Package Patches

      Software Component

      Support Package

      Patch Level

      SAP KERNEL 7.21 32-BIT

      SP041

      000041

      SAP KERNEL 7.21 32-BIT UNICODE

      SP041

      000041

      SAP KERNEL 7.21 64-BIT

      SP041

      000041

      SAP KERNEL 7.21 64-BIT UNICODE

      SP041

      000041

      SAP KERNEL 7.21 EXT 32-BIT

      SP041

      000041

      SAP KERNEL 7.21 EXT 32-BIT UC

      SP041

      000041

      SAP KERNEL 7.21 EXT 64-BIT

      SP041

      000041

      SAP KERNEL 7.21 EXT 64-BIT UC

      SP041

      000041

       

      For more details, see the note.

      Regards,

      Donka Dimitrova

      Author's profile photo Andreas Zigann
      Andreas Zigann

      Hello Donka,

      thank you for this dokumentation. It works fine, but now I have to find a way to do user mapping between SAP NW SSO 3.0 and some SAP AS JAVA without homogenous users. Can you recommend a documentation describing the nessessary configuration?

      Best Regards

      Andreas