Kerberos Authentication Flow for Browser-Based Applications Provided by the AS ABAP
The employees of your company use Microsoft Windows operating systems and SAP business applications for their daily work. You want to enable single sign-on for these employees. They use PCs in a Microsoft Windows environment and log on to the Windows operating system, which authenticates them as domain users against the Active Directory domain controller. Kerberos is the authentication method used: the Kerberos key distribution center integrated in the Microsoft environment grants a Kerberos ticket to each user who logs on.
When a user tries to access an application of the SAP NetWeaver Application Server for ABAP (1) using a web browser (HTTPS is recommended), the AS ABAP requests a Kerberos service ticket from the browser. The browser forwards this request to Active Directory (2). The Kerberos key distribution center in the domain controller of Active Directory grants a Kerberos service ticket for the AS ABAP (3), the AS ABAP verifies this Kerberos ticket (4), and the user is logged on to the browser-based application.
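In step (2) the browser answers the AS ABAP's challenge with an `Authorization: Negotiate <base64>` header that carries a SPNEGO NegTokenInit listing the mechanisms it offers. The following is an added example, not code from the SAP documentation: it decodes such a token (hand-constructed here, with a dummy mechToken) and reports whether Kerberos is the browser's preferred mechanism. SPNego for ABAP accepts Kerberos only, so a token that leads with NTLMSSP is the typical symptom of a missing SPN for the AS ABAP FQDN; the DER and OID decoding is written from scratch, with no SAP API involved.

```python
import base64
KERBEROS_OID = "1.2.840.113554.1.2.2"
MECH_NAMES = {KERBEROS_OID: "Kerberos V5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(buf, pos):  # one DER TLV at pos -> (tag, value bytes, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OID content bytes -> dotted notation
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                            # base-128 digits, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, value = parts + [value], 0
    return ".".join(map(str, parts))

def spnego_mech_types(negotiate_b64):  # mechType OIDs, in the browser's preference order
    token = base64.b64decode(negotiate_b64)
    tag, body, _ = read_tlv(token, 0)            # [APPLICATION 0] InitialContextToken
    tag2, oid, pos = read_tlv(body, 0)           # thisMech OID, must be SPNEGO 1.3.6.1.5.5.2
    if tag != 0x60 or tag2 != 0x06 or decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO InitialContextToken")
    node = read_tlv(body, pos)[1]                # [0] NegTokenInit
    for _ in range(3):                           # SEQUENCE -> [0] mechTypes -> SEQUENCE OF
        node = read_tlv(node, 0)[1]
    oids, pos = [], 0
    while pos < len(node):
        _, oid, pos = read_tlv(node, pos)
        oids.append(decode_oid(oid))
    return oids

def assess_negotiate_header(value):  # -> (mechanism names, kerberos_first)
    # AS ABAP SPNego accepts Kerberos only: a token that prefers NTLMSSP usually means
    # the browser got no service ticket (e.g. no SPN for the AS ABAP FQDN) and fell back.
    scheme, _, blob = value.partition(" ")
    mechs = spnego_mech_types(blob) if scheme == "Negotiate" else []
    return [MECH_NAMES.get(o, o) for o in mechs], bool(mechs) and mechs[0] == KERBEROS_OID

# Constructed sample: NegTokenInit offering Kerberos first, then NTLMSSP, with a dummy
# 4-byte mechToken (a real token carries the Kerberos AP-REQ there).
SAMPLE_TOKEN = base64.b64encode(bytes.fromhex(
    "602f" "06062b0601050502"          # [APPLICATION 0] { OID 1.3.6.1.5.5.2 (SPNEGO)
    "a025" "3023"                      #   [0] NegTokenInit ::= SEQUENCE {
    "a019" "3017"                      #     [0] mechTypes SEQUENCE OF OID
    "06092a864886f712010202"           #       1.2.840.113554.1.2.2   (Kerberos V5)
    "060a2b06010401823702020a"         #       1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
    "a206" "0404" "00010203"           #     [2] mechToken OCTET STRING } }
)).decode()
```

Running `assess_negotiate_header("Negotiate " + SAMPLE_TOKEN)` on the sample yields `(['Kerberos V5', 'NTLMSSP'], True)`; on a real capture, `False` in the second position points at the SPN and ticket checks in the Active Directory section.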
- There is an SAP NetWeaver Application Server for ABAP with the default SAP Cryptographic Library (CommonCryptoLib). For more information, see SAP Note 1848999 and the relevant Release Note. The AS ABAP comes with the Simple and Protected GSS API Negotiation Mechanism (SPNego), which enables Kerberos authentication.
- The SNCWIZARD transaction is available in SAP NetWeaver Application Server for ABAP 7.31 SP15 or higher or 7.4 SP08 or higher. However, SPNego for ABAP is already available in release 7.02 SP14 or higher (see SAP Note 1798979).
- You have a license for SAP Single Sign-On 2.0 SP04 or higher.
- All Windows client PCs are using domain users. The Kerberos Key Distribution Center in the domain controller grants Kerberos tokens for the communication between the user’s client PC and the AS ABAP.
- You are using a browser that supports SPNego (see SAP Note 1732610).
I In the Active Directory
Configure the service account in the Active Directory domain controller.
- Create a service user for the AS ABAP host name (see Configuring a Service Account on the SAP Help Portal).
- Register a Service Principal Name (SPN) for this service user using the fully qualified domain name (FQDN).
- Check the association between the AS ABAP service user and the Service Principal Name (see Registering Service Principal Names for Kerberos User Principal Names in Active Directory).
II In the AS ABAP
To enable authentication with SPNego for ABAP, you need to create a keytab by adding the Kerberos User Principal, then set the relevant profile parameters in the default or instance profile of your AS ABAP.
- Log on to your AS ABAP.
- Call the transaction SNCWIZARD (see Using the Single Sign-On Wizard to Configure SNC and SPNego). It configures both SNC and SPNego and provides a default SNC and SPNego configuration for your system.
The wizard guides you through the configuration.
| Sequence | Step | Description | Related Links and Transactions |
|---|---|---|---|
| 1 | SNC Identity | Define the SNC identity. The default value is CN=<SID>. Example: p:CN=ABC, OU=SAP Web AS, O=SAP SE, C=DE. An SNC PSE will be created. | |
| 2 | Default Profile Parameters | Set and activate the profile parameters for SNC usage and SPNego in the default profile for all instances. | |
| 3 | Server Instance Status | Review the server instances to check the servers. The message Restart Required tells you which server instances need to be restarted. This will activate SNC. | |
| 4 | Manual activity: Restart the servers | To activate SNC, restart the servers. You have then set up a valid default configuration for Secure Network Communication (SNC) and SPNego for the server instances. | (Optional) Check the changes in transaction SNCCONFIG |
| 5 | SPNEGO (KERBEROS) | Opens transaction SPNEGO (KERBEROS). Create a keytab for Kerberos-based SNC and SPNego and add a Kerberos User Principal. If you have not already done so, map the SNC user name to the ABAP user's SNC name on the SNC tab of User Maintenance. | See the i button in the SPNEGO transaction or Creating a keytab. Transactions SU01 or SNC1 |
| 6 (if required) | X.509 Credentials | To establish the certificate trust relationship, choose Continue. This opens transaction STRUST in a new window. | For more information, see Trust |
| 7 | Complete | The basic SNC configuration is complete. If you want to change the profile parameters later, refer to Profile Maintenance. | |
You have completed the configuration for a Kerberos authentication flow using SNC and SPNego. From now on, your Windows client PC users can conveniently log on to browser-based applications provided by the AS ABAP using single sign-on.