Introduction to Kerberos Constrained Delegation – SAP HANA Smart Data Access HANA to HANA Scenarios
Kerberos is one of the single sign-on (SSO) mechanisms supported by HANA. A user connecting to SAP HANA via Kerberos must have an SAP HANA database user that is mapped to the external identity in a key distribution center (KDC) such as Microsoft Active Directory. HANA supports two different types of Kerberos authentication: direct authentication, and indirect authentication via constrained delegation. Kerberos in the SDA context is the latter scenario, indirect authentication from other SAP HANA databases via constrained delegation.
Kerberos constrained delegation for Smart Data Access HANA to HANA scenarios is new in SPS12. As of May, 2016 this feature is only officially supported for connections between two HANA SPS12 systems. The advantage of this feature is that it allows you to log on to several SAP HANA systems while explicitly authenticating only once. This means one less password to remember when accessing data from remote HANA systems, enhanced security, and a smoother workflow. Previously, only authentication via user name/password was available.
There are four main steps that take place when using Kerberos SSO in a HANA to HANA SDA scenario. Image 1 below gives an overview of these four steps.
Image 1: Overview of Kerberos constrained delegation in the SDA HANA to HANA scenario
Step one: the HANA user logs in to the source HANA using any authentication method (please note, it is not necessary to log in to the source HANA via Kerberos). Step two: the source HANA requests a delegation ticket from the external Key Distribution Center (KDC) on behalf of the user. Step three: the KDC issues the Kerberos constrained delegation ticket for the user. Finally, in step four the target HANA uses the constrained delegation ticket to authenticate the user.
This section is intended as a general overview of the steps that need to be taken to enable Kerberos SSO for SDA in HANA to HANA scenarios.
Configuring the KDC
The first step you need to take is to configure the KDC for the source and the target HANA systems.
For the source system in the KDC, you need to create a Unix computer account for the SAP HANA 1 source system and mark it as trusted for delegation to the hdb service of the SAP HANA 2 target system. You also need to add a host keytab on the HDB server so that the SAP HANA 1 source system authenticates automatically with the Unix computer account.
For the target system SAP HANA 2, configure Kerberos authentication as normal (as in previous versions) by adding the hdb service to the KDC. No additional Kerberos configuration steps are necessary on the target.
Detailed instructions on how to execute these configuration changes can be found in SAP Note 2303807.
On the source HANA server create a new HANA user with a Kerberos external identity in HANA studio. Grant this user the “Create Remote Source” privilege.
Image 2: Creating a new user in the source system HANA 1
Next, connect to the source HANA system HANA 1 with the new HANA user. Open the Provisioning folder, then right-click the Remote Sources folder and choose to add a new remote source.
Image 3: Selecting a new remote source to add
Create a new remote source to the target HANA server HANA 2 and select SSO (Kerberos) as the credential mode.
Image 4: Adding a new SSO (Kerberos) enabled remote source
Ensure that on the target HANA server HANA 2 there is a HANA user with the same Kerberos external identity as the Kerberos user created on the source system HANA 1.
If Kerberos SSO is configured correctly, browsing the remote HANA system now opens the session automatically as this new HANA user, with no password prompt.
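The HANA Studio steps above (creating the Kerberos-mapped user, granting the privilege, creating the SSO remote source, and checking the matching identity on the target) can also be carried out in SQL. The following is an added example, not code from the original post or from SAP: host name, port, realm and user names are placeholders, and the CREDENTIAL TYPE 'KERBEROS' clause is an assumption about the SPS12 CREATE REMOTE SOURCE syntax that should be checked against the SQL reference for your release.

```sql
-- Added example (not from the original post). Placeholders: hana2.example.local,
-- port 30015, realm EXAMPLE.REALM, user names. The Kerberos credential clause
-- on CREATE REMOTE SOURCE is an assumption about the SPS12 syntax.

-- On the source system HANA 1, as an administrator:
-- create the user with a Kerberos external identity and grant the
-- CREATE REMOTE SOURCE system privilege.
CREATE USER SDA_KRB_USER WITH IDENTITY 'sda.user@EXAMPLE.REALM' FOR KERBEROS;
GRANT CREATE REMOTE SOURCE TO SDA_KRB_USER;

-- On HANA 1, connected as SDA_KRB_USER: create the remote source to HANA 2
-- with SSO (Kerberos) instead of a stored user name/password (assumed syntax).
CREATE REMOTE SOURCE HANA2_KRB ADAPTER "hanaodbc"
  CONFIGURATION 'Driver=libodbcHDB.so;ServerNode=hana2.example.local:30015'
  WITH CREDENTIAL TYPE 'KERBEROS';

-- On the target system HANA 2, as an administrator: the user the delegated
-- ticket is mapped to must carry the same external identity. The HANA user
-- name may differ between the systems; the external identity must not.
CREATE USER HANA2_SDA_USER WITH IDENTITY 'sda.user@EXAMPLE.REALM' FOR KERBEROS;

-- Check on each system that the identity mapping is exactly the same string
-- (a realm spelled differently or in lower case is a typical cause of a
-- failed delegated logon).
SELECT USER_NAME, EXTERNAL_IDENTITY
  FROM SYS.USERS
 WHERE EXTERNAL_IDENTITY = 'sda.user@EXAMPLE.REALM';

-- On HANA 1, confirm the remote source exists with the hanaodbc adapter,
-- then test the connection; with SSO configured correctly the check
-- succeeds without any stored password.
SELECT REMOTE_SOURCE_NAME, ADAPTER_NAME, CONNECTION_INFO
  FROM SYS.REMOTE_SOURCES
 WHERE REMOTE_SOURCE_NAME = 'HANA2_KRB';

CALL CHECK_REMOTE_SOURCE('HANA2_KRB');
```

Run the CREATE USER statements as a user with USER ADMIN on each system and the remote source statements as the Kerberos-mapped user itself, so that the remote source is owned by the user whose identity is delegated. The SYS.USERS query is worth running on both systems side by side before the first browse of the remote source.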
For more information on Kerberos and HANA please refer to:
HANA Security Guide