
SAP Single Sign-on : Kerberos/SPNEGO Setup for AS-JAVA

Objective

This blog post is a step-by-step guide to setting up Single Sign-On (SSO) for SAP NetWeaver AS-JAVA using Kerberos/SPNEGO. Users are authenticated against Active Directory (AD) and logged on to the SAP Portal without a password prompt. This SSO solution works only for users who are domain-joined.

Implementing Single Sign-On with Kerberos/SPNEGO

The following is the step-by-step procedure for implementing Kerberos/SPNEGO-based SSO for an AS-JAVA environment on release 7.40 and above.

  • Service user in Active Directory
    1. Create a service user with the option ‘Password never expires’ set and ‘User must change password at next logon’ unchecked. Note the user ID and password; they are needed in later steps.
      • It is recommended to have a separate service user for each SAP environment/SID.
      • If the organization has multiple domains:
        • If all the domains trust each other, the service user needs to be created in the forest root domain only.
        • If the domains have no trust relationship, the service user (and its service principals) must be created in each domain.
    2. Add the service principal names (SPNs) for the service user:
      HTTP/<HOSTNAME>.<FQDN> (example: AZWINPDMD001.CORP.contoso234.com)
      HTTP/<HOSTNAME> (example: AZWINPDMD001)
    3. If a Web Dispatcher is included in the setup, create the service principal names for it on the same service user in AD:
      HTTP/<HOSTNAME>.<FQDN> (example: AZWINWEBD001.CORP.contoso234.com)
      HTTP/<HOSTNAME> (example: AZWINWEBD001)
  • Prepare the end-user browser for SSO
    1. Go to Internet Options -> Security -> Custom level -> User Authentication and select ‘Automatic logon with current user name and password’ (if using Internet Explorer).
    2. Add the portal URL to the trusted sites under Internet Options -> Security -> Trusted sites -> Sites.
    3. Go to Internet Options -> Security -> Trusted sites -> Custom level -> User Authentication and select ‘Automatic logon with current user name and password’.
  • Configuration in AS-JAVA
    1. Access the NetWeaver Administrator (NWA): https://<hostname>.<fqdn>:<port>/nwa
    2. Go to the “Configuration” tab.
    3. Click “Authentication and Single Sign-On”.
    4. Click the “SPNEGO” tab.
    5. Click “Add” -> “Manually”.
    6. In the Realm Name field, enter the FQDN (for example CORP.contoso234.com). Click Next.
    7. Enter the AD service user name and password. Click Next.
    8. Select all keys and click Next.
    9. On the next screen the User Mapping Mode must be defined; choose it carefully based on the scenario in your setup. I used scenario 1 (see the SAP Help link below), which means the backend AS-ABAP (UME for AS-JAVA) user IDs are the same as the user names in AD, so Mapping Mode is “Principal Only” and Source is “Logon Id”. Click Finish. https://help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.5.6/en-US/f41978c3a37a441b87a89d61c1a08689.html
    10. On the next screen, select the realm entry and click Enable.
    11. Click the “Authentication” tab.
    12. Select ‘ticket’ from the list and click ‘Edit’.
    13. On the ‘Authentication Stack’ tab, click ‘Add’. A new entry is created in the Login Modules list.
    14. Make sure the entries below exist with the given flags. This configuration is used for SPNEGO (based on SAP Note 2273981):
      EvaluateTicketLoginModule SUFFICIENT
      SPNegoLoginModule OPTIONAL
      CreateTicketLoginModule SUFFICIENT
      BasicPasswordLoginModule REQUISITE
      CreateTicketLoginModule REQUISITE

      Save the changes.

    15. Log-off redirection: users can be redirected to the corporate home page or any other web page when they click Log Off in the NetWeaver Portal by setting the UME property ume.logoff.redirect.url.

  • Test the SSO for AS-JAVA by opening the portal from a domain-joined client:

https://<hostname>.<fqdn>:<port>/irj/portal
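The Active Directory side of the procedure above (service user and SPN registration), as an added PowerShell example that is not part of the original post. The account name and OU path are assumptions, the host names are the post's own examples, and it assumes an admin workstation with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post: create the AD service user for one SAP SID,
# register the SPNs used in the post, and refuse to continue if any SPN is already taken.
# Assumed: account name 'svc-sap-pdm', the OU path, and an admin host with RSAT ActiveDirectory.
Import-Module ActiveDirectory

$Domain      = 'CORP.contoso234.com'
$ServiceUser = 'svc-sap-pdm'                                       # assumed name, one per SID
$OuPath      = 'OU=ServiceAccounts,DC=CORP,DC=contoso234,DC=com'   # assumed OU
$Spns = @(
    'HTTP/AZWINPDMD001.CORP.contoso234.com',   # AS-JAVA host (examples from the post)
    'HTTP/AZWINPDMD001',
    'HTTP/AZWINWEBD001.CORP.contoso234.com',   # Web Dispatcher host
    'HTTP/AZWINWEBD001'
)

# 1. A duplicate SPN is a classic cause of a failing SPNEGO logon: the KDC may issue the
#    service ticket for the wrong account. Check before touching anything.
foreach ($spn in $Spns) {
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($holder) {
        throw "SPN $spn already registered on $($holder.DistinguishedName); resolve this first."
    }
}

# 2. Service user: password never expires, no change at next logon, AES-only Kerberos keys
#    (the post selects all keys in NWA; limiting the account to AES keeps RC4 tickets out).
$Password = Read-Host -AsSecureString -Prompt "Password for $ServiceUser"
New-ADUser -Name $ServiceUser -SamAccountName $ServiceUser `
    -UserPrincipalName "$ServiceUser@$Domain" -Path $OuPath `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -KerberosEncryptionType 'AES128,AES256'

# 3. Register all SPNs (AS-JAVA and Web Dispatcher) on the same service user, as in steps 2 and 3.
Set-ADUser -Identity $ServiceUser -ServicePrincipalNames @{Add = $Spns}

# 4. Verify: show the SPNs now held by the account and run the forest-wide duplicate scan.
Get-ADUser -Identity $ServiceUser -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
setspn -X -F
```

In a multi-domain forest without trust, run the script once per domain with that domain's values, as step 1 of the procedure describes.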

Troubleshooting Tips

  1. Trace files can be generated and viewed in SAP NetWeaver Administrator → Problem Management → Logs and Traces → Log Viewer.
  2. Make sure the system time of the SAP servers (AS-JAVA and backend AS-ABAP) is synchronized with an NTP server. If the time is behind the actual time, SSO will fail.

Conclusion

The SSO setup for the SAP NetWeaver AS-JAVA system is now complete. In an SSO setup project, implement it first in a non-production environment and perform comprehensive tests before deploying it to production.

1 Comment
  • A detailed blog, which is very easy to follow for the SSO setup. The troubleshooting tips are very useful to avoid such issues.

    Thank you for a nice blog.