Configure Kerberos Authentication for Identity Authentication Service (IAS) in Cloud Platform
This blog is a step-by-step guide to enabling Kerberos authentication in Identity Authentication Service (IAS), so that the SPNEGO feature lets users log in to a Cloud Platform application or service without entering a username and password while they are on the corporate network.
The user logs in to the corporate network with Active Directory (Windows) credentials, and those same credentials are then used to log in to Cloud Platform applications or services such as the Portal or a Fiori launchpad site.
The diagram below is taken from SAP Help; for more information about the different systems involved, please refer to the SAP Help link.
Perform the steps below to enable Kerberos authentication.
- Generate the keytab file. Go to your Java bin folder and run the following command; it prompts for the password of the service user:
- ktab -a service.username@DOMAINNAME.COM -k c:\Temp\file.ktab
- service.username is the service user created in Active Directory for this purpose
- Enter the service user's own password when prompted. The keys written to the keytab are derived from that password, so the keytab is a credential for the service account: restrict its file permissions and remove it from temporary locations such as c:\Temp once the key has been copied into IAS
- The realm is the DOMAINNAME (the Active Directory domain name) in capital letters
- Register service principal names (SPNs) for the IAS tenant. A browser derives the SPN it requests a ticket for from the host name it connects to (some browsers first canonicalize a CNAME to its target), so both the tenant's own host name and the SAP regional host name need an SPN mapped to the service user:
- setspn -A HTTP/<tenantID>.accounts.ondemand.com service.username@DOMAINNAME.COM
- tenantID is your IAS tenant name
- service.username@DOMAINNAME.COM is the Active Directory service user used in step 1
- For an IAS tenant in Europe, additionally run:
- setspn -A HTTP/accounts.ondemand.com.cloud.sap.akadns.net service.username@DOMAINNAME.COM
- For an IAS tenant in the US (note the us-east host name), additionally run:
- setspn -A HTTP/us-east.accounts.ondemand.com.cloud.sap.akadns.net service.username@DOMAINNAME.COM
- setspn -A does not check whether an SPN is already registered on another account, and a duplicate SPN breaks Kerberos for every account that holds it. Query first with setspn -Q HTTP/<host name> (or use setspn -S, which adds the SPN only if it is unique), and verify the result with setspn -L service.username, which lists every SPN on the account
- Configure Kerberos in SAP Cloud Platform Identity Authentication Service
- After running the above commands, extract the key from the keytab file. Navigate to the Java bin directory and execute the following command:
- klist -e -f -k -K <path>\<keytab filename>.ktab
- Copy the key whose encryption-type number matches the key type you will configure in IAS: 23 corresponds to RC4-HMAC, 17 to AES128-CTS-HMAC-SHA1-96 and 18 to AES256-CTS-HMAC-SHA1-96. Prefer 18 (or 17) over 23: RC4-HMAC is deprecated and its key is derived from the password alone without a salt, so it is the weakest of the three. The KDC only issues AES-encrypted service tickets for the service user if "This account supports Kerberos AES 128/256 bit encryption" is enabled on the account in Active Directory; enable it before setting the account's password (or reset the password afterwards) so that the key stored in AD and the key in the keytab match
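The key-extraction step above picks a key out of the keytab by its encryption-type number. As an added example (not code from this post or from SAP), the Python below parses the keytab format that Java's ktab writes (version 0x0502) and returns the hex key for a chosen type, raising an error rather than guessing when that type is absent and flagging RC4 as weak. It generalises the manual step a little by also handling keytabs with several entries and with deleted (negative-size) entries. Everything in it is an assumption for illustration: the principal is the one from the post, the keytab is constructed in memory with dummy key bytes, and key_for_ias is a hypothetical helper, not an IAS API.

```python
"""Parse a Kerberos keytab (Java ktab layout, version 0x0502, big-endian) and
select the key for one encryption type, as the manual 'klist -e -k -K' step does.
Added example: the keytab below is constructed in memory with dummy key bytes."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Encryption-type numbers as printed by klist -e (RFC 3961 / RFC 3962 / RFC 4757)
ENCTYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {23}  # RC4-HMAC is deprecated; its key is the unsalted NT hash of the password


@dataclass
class KeytabEntry:
    principal: str
    enctype: int
    kvno: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"etype-{self.enctype}")

    @property
    def is_weak(self) -> bool:
        return self.enctype in WEAK_ENCTYPES


def _counted_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Each entry: int32 size, then num_components, realm, components, name_type,
    timestamp, vno8, keyblock (enctype, length, key) and an optional 32-bit kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry (a hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno overrides vno8 when present and non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), enctype, kvno, key))
        off = end
    return entries


def select_key(entries: list[KeytabEntry], enctype: int) -> KeytabEntry:
    """Return the entry for the key type IAS will use (18 = AES256, 17 = AES128, 23 = RC4)."""
    for e in entries:
        if e.enctype == enctype:
            return e
    present = sorted({e.enctype for e in entries})
    raise LookupError(f"no key of enctype {enctype} in keytab; etypes present: {present}")


def build_keytab(entries: list[tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, enctype, kvno, key) tuples in the same 0x0502 layout;
    used here only to construct a sample keytab offline."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the principal from the post with three dummy keys (not real keys).
SAMPLE_KEYTAB = build_keytab([
    ("service.username@DOMAINNAME.COM", 18, 3, bytes(range(32))),
    ("service.username@DOMAINNAME.COM", 17, 3, bytes(range(16))),
    ("service.username@DOMAINNAME.COM", 23, 3, b"\x11" * 16),
])


def key_for_ias(data: bytes, enctype: int = 18) -> str:
    """Hex key to paste into the IAS SPNEGO settings for the chosen key type (hypothetical helper)."""
    entry = select_key(parse_keytab(data), enctype)
    if entry.is_weak:
        print(f"warning: {entry.enctype_name} is deprecated; prefer AES (18 or 17)")
    return entry.key.hex()


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  etype={e.enctype} ({e.enctype_name})  key={e.key.hex()}")
    print("key for IAS (AES256):", key_for_ias(SAMPLE_KEYTAB, 18))
```

To use it on a real file, pass open("c:\\Temp\\file.ktab", "rb").read() to key_for_ias instead of SAMPLE_KEYTAB; the etype number you choose there must be the same key type you select in the IAS SPNEGO settings, and the returned hex must be treated with the same care as the keytab itself.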
- Log in to the IAS administration console and enable the SPNEGO option
- Navigate to the tenant settings, select SPNEGO and enter the details produced by the steps above (the SPN, the realm, and the extracted key together with its key type)
- Make sure to add *.ondemand.hana.com as a trusted site in the Internet Explorer security zone settings and enable Integrated Windows Authentication. SPNEGO only works if the browser is willing to send Kerberos credentials to the host that issues the Negotiate challenge, which is the IAS tenant host <tenantID>.accounts.ondemand.com, so that host must be in a zone configured for automatic logon with the current user's credentials
- Now launch the Cloud Portal application URL from inside the corporate network. Since Kerberos is enabled, the user is logged in to the portal automatically without being asked for a username and password.
This concludes the blog, feel free to leave comment or suggestions.
Dear Mohammed,
great blog.
For our BTP platform users we want to use Kerberos authentication in our IAS.
Is this possible, as the trust between BTP and IAS is OpenID Connect based?
Our BTP is a Cloud Foundry environment, feature set B.
Kind regards,
Arnd