Enable Kerberos-based SSO for accessing your applications on SAP Cloud Platform
Intro into SCP and security.
I had the pleasure of touring with Martin Raepple across Australia to meet all our key customers presenting security session workshops. We discussed the option to put some of the common things asked by some of the SAP cloud subscribers into some blogs to help assist the journey.
When using SAP Cloud Platform Identity Authentication (IAS) many of our customers using Microsoft AD are interested in the configuration of Kerberos and IAS.
SAP Cloud Platform Identity Authentication Service (IAS) allows to configure single sign-on (SSO) for Browser-based access to any application trusted by the IAS tenant based on the SPNEGO protocol, which is also referred to as “Integrated Windows Authentication” by Microsoft. SPNEGO uses the Kerberos ticket issued by the user’s corporate Active Directory to authenticate the user at the IAS tenant.
Figure 1. Shows the major steps in this SSO scenario:
- In the first step, the user with login name “jdoe” authenticates against the corporate Active Directory domain. This happens usually at initial windows login in the corporate network (Intranet). After successful login, the user obtains a Kerberos ticket from Active Directory (AD).
- When accessing the IAS tenant administration console, jdoe’s Web browser identifies this application as a trusted web site, and requests a new Kerberos ticket for it from the corporate AD, using the existing ticket obtained in the first step. This happens without asking the user again for her username and password. Based on an established trust relationship to the IAS tenant, the new ticket is accepted by the IAS tenant and the user is single-signed on to the administration console.
The following settings should be checked before configuring the SPNEGO settings in Active Directory and IAS.
1) A user account for the IAS administrator exists in IAS tenant with login name equal to Windows logon name (here “P000000”)
2) A user account for the IAS Administrator exists in Active Directory (AD) with logon name equal to user in IAS tenant (here “P000000”)
3) In the business user’s browser settings, ensure that your IAS tenant’s hostname is either listed in the sites under “Trusted Sites”, or in the sites of the “Local intranet” zone (see screenshot for IE settings)
3.1) Optional: If IAS hostname is added under “Trusted Sites” zone, also set “Automatic logon with current user name and password” in “User Authentication” à “Logon” Security Settings of the “Trusted Sites” zone.
4) In the business user’s browser settings, ensure that “Integrated Windows Authentication” (aka SPNEGO) is enabled under Advanced options.
5) Create a (service) user iastenant in AD. Mark in account options that “the account supports Kerberos AES 128 Bit encryption”.
6) Open command line and register a service principal name (SPN) associated with the service user for the host name used to access Identity Authentication:
setspn -A HTTP/<tenantid>.accounts.ondemand.com iastenant
7) Register the root host name of IAS per your region as an additional SPN for your service user, which is accounts.ondemand.com.cloud.sap.akadns.net for tenants in EU, or
us-east.accounts.ondemand.com for tenants in US:
setspn -A HTTP/accounts.ondemand.com.cloud.sap.akadns.net iastenant
8) Verify that the two SPNs are registered with the following command: setspn -T <Realm> -F -Q http/*
9) Change to your JAVA runtime bin folder (e.g. cd c:\Program Files\Java\jre1.8.0_131\bin)
10) Create new keytab file for the service user with command .\ktab -a iastenant@BESTRUN.CORP -k c:\tmp\newkeytab.ktab
11) Extract the keys from the keytab file with klist command from JAVA runtime environment:
cd c:\Program Files\Java\jre1.8.0_131\bin
.\klist -e -f -k -K c:\tmp\newkeytab.ktab
Copy the hex value for Key type 17 (all characters including ‘0x…’) into the clipboard.
12) Login to the IAS admin console with your IAS administrator username and password.
Go to SPNEGO Configuration under Tenant Settings.
Paste the key from the clipboard and select “AES128-CTS…” from the key type.
Enter the correct Realm name for your domain and save the settings.
13) Go to the Administration Console under Applications and enable SPNEGO
Testing the Scenario
14) Login to a host which belongs to the AD domain
15) Open the URL of the admin console in a Web browser (https://<tenantid>.accounts.ondemand.com/admin)
You’re user should be single-singed-on to the admin console now.
Good post. It is really helpful !!
Nice work Ian! this will be a good reference for other customers and communities to follow.
Thanks Ian for the helpful blog. Just trying to understand how IAS connect to the Corporate AD without Cloud Connector because I thought IAS will act like a proxy.