This blog explains what to consider when implementing the Kerberos/SPNEGO scenario for SAP Application Server ABAP using the SAP Single Sign-On product in a multi-domain environment.
Windows domain and forest containers are used to meet different authentication and authorization requirements in the corporate landscape, like for example centralizing resource management, organizing network objects into a logical hierarchical structure, implementing rules for sharing resources across a network, etc. Domain containers can be segregated into Domain Name System (DNS) namespace hierarchies known as domain trees. The domain tree hierarchy is based on trust relationships.
When implementing Kerberos/SPNEGO using the SAP Single Sign-On product for a multi-domain environment, it is necessary to have in mind some specifics that are important, depending on the trust availability between the domains. In this blog, I will represent the specifics, using these two options:
- Option 1: There is a trust relationship between Microsoft domains.
- Option 2: There is no trust relationship between Microsoft domains.
Now lets see what you have to consider for these two options.
The implementation of Kerberos/SPNEGO using the SAP Single Sign-On product requires a service account to be created on the Windows domain controller. This service account is used for the Kerberos-based authentication.
When there is a trust relationship between the domains it is enough to create a service account only on the central domain.
When there are domains in the landscape that are not trusted and the Kerberos-based single sign-on has to be working also for users from these domains, you have to make sure that a service account is created also on every non-trusted Windows domain controller.
Service Principal Name
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The SPN is configured, using ADSI Edit (LDAP editor for managing objects and attributes in Microsoft Active Directory). The Service Principal Name is required for the SNC configuration or SPNEGO for ABAP and is used to provide Kerberos service tokens to the requested users.
When there is a trust relationship between the domains, it is enough to create a service account and to configure the respective Service Principal Name for this account only on the central domain. Such a configuration is sufficient because the Microsoft technology ensures that users from all trusted domains are visible in the central domain. It is also ensured that the authentication chain will reach the required trusted domain, where the KDC (Kerberos Key Distribution Center) will issue the Kerberos token to this user for the requested service, coming from the SAP AS ABAP system.
When the trust between the domains is missing, you need to configure service accounts on all non-trusted domains and make sure that one and the same Service Principal Name is configured for these service accounts. This configuration is necessary because non-trusted domains work independent from each other and every one of them has to be configured to recognize the service, coming from the SAP AS ABAP system.
A common configuration mistake is to use different Service Principal Names on different domains. Even if it is possible to create different service account names on different Microsoft domain controllers, you have to make sure that these accounts are configured with one and the same Service Principal Name.
On the SAP ABAP server side, the implementation of SNC with Kerberos/SPNEGO requires the generation of a Keytab file with the SPNEGO or SNCWIZARD transactions, available with the new AS ABAP versions (for more details use the link to the documentation at the end of the blog). The Keytab includes information about the User Principal and the password of the service account for this service, created on the Windows domain controller.
For more details, see: Using the Single Sign-On Wizard to Configure SNC and SPNego.
Option 1 and Option 2:
Irrespective of the trust existence between the domains, when we have more than one Microsoft domain to integrate into our Kerberos/SPNEGO implementation, it is necessary to create a Keytab for every one of these domains. Such a configuration is required because the SAP AS ABAP server has to be configured to trust every one of these domains.
A common configuration mistake made for the Kerberos Keytab generation is the wrong typing of the User Principal. Please note that the User Principal from the Active Directory has the following format:
sAMAccountName@WINDOWS2000-DOMAIN, where sAMAccountName is case sensitive and the domain part is in upper case. Here is an example: SAPServiceUserABC@IT.CUSTOMER.DE.
For more details about SNC/SPNEGO, see the following documentation: