8 Comments


    1. Matt Fraser Post author

      Hi Lutz, and thank you for your comments and the links to those discussions. You do raise an important point.

      I haven’t yet found documentation to indicate at what release and SP levels the AS Java will support AES (I know that Active Directory with Windows 2012 DCs will), so until I know that I hesitate to document the process for others. One of the discussions you linked is talking about BusinessObjects, which is a different beast, and so it’s not necessarily a translation across to AS Java. However, you are quite correct that AES is more secure than RC4 (and considerably more so than DES).

      The only blogs I was able to find about configuring the SPNego SSO for an AS Java before writing this one still recommended enabling DES, as below the SP levels I mention in this post that was apparently the highest encryption that the “old” SPNego would support. Much of the older documentation floating around on SCN and SMP still advises to do this. So, I’m hopefully at least disabusing people of that notion.

      Over the next few weeks and months I will be doing further experimentation with our own servers, both to determine a working method for mismatched AD<->SAP usernames, and to validate that AES encryption can be made to work with NW 7.01 (I don’t like to blog about anything I haven’t actually done myself in “real life”). Meanwhile, I’m hoping that here I’ll have clarified a few misconceptions that may be floating around out there (that I myself had, until I embarked on this project).

      Doing so should help with clarifying some of the questions you raised in your discussion thread, i.e. what limitations are imposed when restricting the algorithm to AES, and just how does Kerberos negotiate which algorithm to use. From documentation I’ve read, Kerberos should negotiate between client and server to identify the highest common supported algorithm, in which case if the server supports DES, RC4, and AES, and the client supports RC4 and AES, then AES should in theory be chosen. However, that will take some testing to validate. If true, and a downlevel AS Java only supports up to RC4, but AES is enabled on the client (via the AD service user), then SSO should still work even though the negotiation will result in RC4 being chosen.

      On a side note, although 95% of the workstations in my organization are now running Windows 7 (and only just — it was about a four-year project to get 20,000 PCs upgraded), I still have a very small handful of XP clients out there. Thankfully I think it’s down to numbers I can count on my hands (perhaps just one hand), but there it is.

      Once I’ve confirmed that AES works in my environment, I’ll update the blog.

      Thanks again, and I look forward to further discussions!

      Cheers,

      Matt

      1. Lutz Rottmann

        Hi Matt,

        I am really glad that you did a refresh of this subject, because most stuff on this subject is very old indeed.

        AES for SPNEGO on AS Java was introduced by note http://service.sap.com/sap/support/notes/1457499:

        • NetWeaver 04 (6.40) SP27
        • NetWeaver 04S (7.00) SP23
        • NetWeaver 04S EhP1 (7.01) SP08
        • NetWeaver 04S EhP2 (7.02) SP06

        AES should be no problem with Windows XP as long as it is SP3 and the AD is 2008 or newer according to this:

        https://technet.microsoft.com/de-de/library/cc749438(v=ws.10).aspx

        Unfortunately I have no XP system left so I am not able to verify.

        I would be glad if we could all collect more facts about compatibility and incompatibility of AES and Kerberos/SPNego. My impression currently is that rollout of AES is typically prevented based on rumours. SAP’s product management is also adding to these unspecific rumours when questioned instead of communicating facts.

        Cheers,

        Lutz

        1. Matt Fraser Post author

          Thanks! That’s what I was looking for.

          Yes, I suspect the information may be somewhat buried because of a general push of customers toward the separately-licensed NWSSO product. But of course, I would never suspect this of being intentional!

        2. Matt Fraser Post author

          It turns out that AES encryption for Kerberos tokens requires NetWeaver 7.20 or higher (SPNego Kerberos Authentication – SAP Netweaver Application Server Java – SCN Wiki) (Note 2218506). It is possible to enable AES128 and AES256 for the service user in AD, and doing so has no adverse effect on the existing SPNego implementation. You can also regenerate the keytab file and see in the contents of the file that the new encryption protocols are included (note that you need the “unlimited” JCE policy files in your JRE to generate AES256 keys). However, when you go to upload the new keytab in the SPNego Wizard, only the RC4 key will be available to import.

          In my example here, I am enabling SSO on a NetWeaver 7.01 AS Java system, so RC4 remains the best option, unfortunately. Nevertheless, for those with portals on a higher NetWeaver version, I would strongly encourage you to turn on AES and use it.

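Matt's last comment mentions regenerating the keytab and checking its contents to see which encryption types it now carries. The following is an added example, not code from the post, from SAP or from Microsoft: a small parser for the MIT keytab v2 format (the format ktpass writes) that lists each entry's encryption type and flags DES/RC4 entries, so an administrator can verify that AES keys are present before uploading. The principal, realm and key bytes in the sample are constructed placeholders.

```python
import struct

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961/3962; 23 is Microsoft RC4

_octets = lambda b: struct.pack(">H", len(b)) + b   # counted octet string: uint16 length, then bytes

def _read_octets(data, pos):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal, realm, kvno, etype, key):
    # Serialise one MIT keytab v2 (0x0502) entry; only used here to construct sample data
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type NT-PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">H", etype) + _octets(key)  # keyblock: etype number + raw key
    return struct.pack(">i", len(body)) + body       # each entry is prefixed by its length

def parse_keytab(data):
    """One dict per live entry: principal, kvno, etype name, and whether the etype is DES/RC4."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab v2 (0x0502) file")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                 # a negative length marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp)
        _name_type, _stamp, kvno, etype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _read_octets(data, pos + 11)
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0]
        pos = end
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "kvno": kvno, "etype": ETYPE_NAMES.get(etype, f"etype-{etype}"),
                        "weak": etype in (1, 3, 23), "key_len": len(key)})
    return entries

# Constructed sample: the service user has RC4 plus both AES types enabled (placeholder key bytes)
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(build_entry("HTTP/portal.example.com", "EXAMPLE.COM", 3, et, k)
    for et, k in [(23, b"\x11" * 16), (17, b"\x22" * 16), (18, b"\x33" * 32)])
```

Run `parse_keytab(open("portal.keytab", "rb").read())` against a real file; an entry list that shows only `rc4-hmac` means the AES keys were not generated, which is what the SPNego Wizard on an older release will also be limited to.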
