Objective
This blog post is a step-by-step guide to setting up Single Sign-On (SSO) for SAP NetWeaver AS-JAVA using Kerberos/SPNEGO. Users are authenticated against Active Directory (AD) when they log on to SAP Portals. The SSO solution works only for users whose workstations are domain joined.
Implementing Single Sign-On with Kerberos/SPNEGO
The following is the step-by-step procedure to implement Kerberos/SPNEGO-based SSO for an AS-JAVA environment on release 7.40 and above.
- Service user in Active Directory
- Create the service user with ‘Password never expires’ checked and ‘User must change password at next logon’ unchecked. Note the user ID and password; they are needed in later steps.
- It is recommended to have a separate service user for each SAP environment/SID.
- If the organization has multiple domains:
- If all the domains trust each other, the service user needs to be created in the forest root domain only.
- If the domains have no trust relationship, the service user (and its service principal names) must be created in every domain.
- Add the service principal names (SPNs) for the service user, in both the fully qualified and the short host name form:
  - HTTP/<HOSTNAME>.<FQDN> (example: AZWINPDMD001.CORP.contoso234.com)
  - HTTP/<HOSTNAME> (example: AZWINPDMD001)
- If a Web Dispatcher is included in the setup, create the SPNs for it as well, on the same service user in AD:
  - HTTP/<HOSTNAME>.<FQDN> (example: AZWINWEBD001.CORP.contoso234.com)
  - HTTP/<HOSTNAME> (example: AZWINWEBD001)
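As an added example (not part of the original post), the following PowerShell script performs the service user and SPN steps above and refuses to register an SPN that already belongs to another account, since duplicate SPNs break Kerberos ticket issuance. The account name svc-sap-pdm is an assumption; the host names and domain are taken from the post's examples. Run it as a domain administrator with the ActiveDirectory module installed.

```powershell
# Added example, not from the original post: create the SPNEGO service account
# and register the HTTP SPNs for the AS-JAVA host and the Web Dispatcher host.
Import-Module ActiveDirectory

$svcUser  = 'svc-sap-pdm'                      # assumed account name (one per SID is recommended)
$realm    = 'CORP.contoso234.com'              # AD DNS domain / Kerberos realm from the post
$hosts    = @('AZWINPDMD001', 'AZWINWEBD001')  # AS-JAVA host and Web Dispatcher host from the post
$password = Read-Host -AsSecureString 'Password for the service account'

# 1. Service user: password never expires, no forced change at next logon,
#    AES-only Kerberos encryption types (avoids weak RC4 tickets).
New-ADUser -Name $svcUser -SamAccountName $svcUser `
    -UserPrincipalName "$svcUser@$realm" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'Kerberos/SPNEGO service account for SAP AS-JAVA'

# 2. SPNs: both the FQDN and the short-name form for each host, as in the post.
foreach ($h in $hosts) {
    foreach ($spn in @("HTTP/$h.$realm", "HTTP/$h")) {
        # An SPN may exist on exactly one account in the forest; if another
        # account already owns it, the KDC cannot issue a usable ticket.
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                              -Properties sAMAccountName
        if ($owner -and $owner.sAMAccountName -ne $svcUser) {
            throw "SPN $spn is already registered on '$($owner.sAMAccountName)'; remove it there first."
        }
        Set-ADUser -Identity $svcUser -ServicePrincipalNames @{Add = $spn}
    }
}

# 3. Show the registered SPNs and check the whole forest for duplicates.
(Get-ADUser -Identity $svcUser -Properties ServicePrincipalName).ServicePrincipalName
setspn -X -F
```

The final setspn -X -F report should list no duplicates; if it does, resolve them before configuring SPNEGO in NWA, because the browser will otherwise fall back to a password prompt.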
- Prepare the end-user browser for SSO
- Go to Internet Options -> Security -> Custom level -> User Authentication -> Logon and select “Automatic logon with current user name and password” (if using IE).
- Add the portal URL to the trusted sites under Internet Options -> Security -> Trusted sites -> Sites.
- Go to Internet Options -> Security -> Trusted sites -> Custom level -> User Authentication -> Logon and select “Automatic logon with current user name and password”.
- Configuration in AS-JAVA
- Access the NetWeaver Administrator (NWA) at https://<hostname>.<fqdn>:<port>/nwa
- Go to “Configuration” tab.
- Click on “Authentication and Single-Sign-On”.
- Click on “SPNEGO” Tab.
- Click on “Add”-> ”Manually”.
- In the Realm Name field, enter the AD domain FQDN (for example CORP.contoso234.com). Click Next.
- Enter the AD service user name and password. Click Next.
- Select all keys and click Next.
- In the next screen, the User Mapping Mode has to be defined; choose it carefully according to the scenario in your setup. I used scenario 1 as described in the screen below: the user IDs in the backend AS-ABAP (the UME data source for AS-JAVA) are the same as the user names in AD, so Mapping Mode is “Principal Only” and Source is “Logon Id”. Click Finish. https://help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.5.6/en-US/f41978c3a37a441b87a89d61c1a...
- In the next screen, select the realm entry and click Enable.
- Click on the “Authentication” tab.
- Select ‘ticket’ from the list and click ‘Edit’.
- In the ‘Authentication Stack’ tab, click ‘Add’. A new entry is created in the Login Modules list.
- Make sure the entries below are created with the flags shown. This is the configuration used for SPNEGO (based on SAP Note 2273981):

| Login Module | Flag |
| --- | --- |
| EvaluateTicketLoginModule | SUFFICIENT |
| SPNegoLoginModule | OPTIONAL |
| CreateTicketLoginModule | SUFFICIENT |
| BasicPasswordLoginModule | REQUISITE |
| CreateTicketLoginModule | REQUISITE |
Save the changes.
- Log-off redirection.
When users click Log Off in the NetWeaver Portal, we can redirect them to the corporate home page or any other web page by setting the UME property ume.logoff.redirect.url.
- Test the SSO for AS-JAVA.
https://<hostname>.<fqdn>:<port>/irj/portal
Troubleshooting Tips
- We can generate and view the trace files in SAP NetWeaver Administrator → Problem Management → Logs and Traces → Log Viewer.
- Make sure the system time of the SAP servers (AS-JAVA and backend AS-ABAP) is synchronized with an NTP server. Kerberos ticket validation depends on the clocks agreeing; if the server time lags behind the actual time, SSO will fail.
Conclusion
The SSO setup for the SAP NetWeaver AS-JAVA system is now complete. In an SSO project, implement it first in a non-production environment and perform comprehensive tests before deploying it to the production environment.