The above diagram should pretty concisely depict a layman's concept of Windows Integrated Authentication. Users will logon to the Windows Domain and this will allow them seamless access to the Enterprise Portal and subsequently to SAP-based Applications without any additional logons
When you use Kerberos, authentication is performed by several systems, which negotiate the outcome of the authentication process transparently for the user. At a minimum, Kerberos authentication involves the following systems:
The systems involved in the Kerberos authentication process share user information.
Therefore, to authenticate J2EE Engine access requests with Kerberos you have to configure several systems including the KDC, the J2EE Engine and its UME, as well as the Web client. In addition, the J2EE Engine uses Kerberos functions available from your Java Development Kit (JDK) and the actual J2EE Engine configuration depends on the underlying JDK you use. Configurations here are based on the SUN JDK 1.4.2_11 on Solaris and SUN ONE LDAP
Before proceeding, it would be advisable to download Kerbtray.exe (available from Microsoft). Kerbtray can be installed on your desktop and is a GUI tool that displays ticket information for a computer running the Microsoft implementation of Kerberos V5 protocol.
Some critical definitions before we begin this would greatly help as you dig deeper into Kerberos documentations from MIT
SPN - Service Principal Name – J2EE Engine is known to the KDC as a service by its Service Principal Name (SPN).
KDC - is used for authenticating the client and issuing the Kerberos Client/Server Session Ticket for the communication between the Web client and the SAP Web AS Java. Typically the KDC can be any one of your Domain
Controllers
Using a command line, enter the command that corresponds to your host -
$JAVA_HOME/bin/klist –e –f –k –K /etc/krb5/krb5.keytab
You will see something like this, if you get this, you just passed your first hurdle.
Do this next: ConfigTool > Cluster Data > Instance ID > Server > General Tab. Add the following Java Parameters
- Djavax.security.auth.useSubjectCredsOnly=false
- Djava.security.krb5.conf=/etc/krb5.conf
- Dsun.security.krb5.debug=true
Restart the Cluster
Before configuring Kerberos Authentication with an LDAP data source, ensure that existing UM configuration with an LDAP data configuration is working and you are able to use the existing LDAP as a data source.
Configuration below is a typical configuration for SUN ONE
If this works natively, now you are ready to make your modifications to allow for Kerberos and you can switch the UM data source back if Kerberos does not work
Download the data source configuration file from Configtool Configuration Editor via Cluster Data > Server > Persistent > com.sap.security.core.ume.service
Open the data source configuration file with your favourite XML editor and add a new attribute “kpnprefix” via the following lines as shown in the diagram below (under the responsibleFor section of the LDAP data source)
Perform the mapping of “kpnprefix” to the LDAP attribute for user id. In this case, it’s
uid. It could sometimes be logonid or cn. See figure below
Save the configuration file into another name that you can identify. In this example I used dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml
Upload this file by right-clicking on com.sap.security.ume.service and selecting File-entry and giving it a name that is identical to the filename
The final result should be something like this
Exit the Configuration Editor and go to Security Provider service under Global Server Configuration
Add the krb5principalname under ume.admin.addattrs (you are essentially defining an additional attribute for a user) and switch the ume.persistence.data_source_configuration to the new data source configuration file (dataSourceConfiguration_iplanet_not_readonly_db_kerberos.xml) in this case.
Up to this point, you have completed configuring the UME of the portal to a new configuration file and mapped the “kpnprefix” attribute to the LDAP attribute uid
To be consistent, update the UM Configuration on your portal by uploading the data source configuration file
Logon to the portal and upload the new configuration file via System Administration > System Configuration > UM Configuration > Upload. You will notice that the Data Source field will be switched to Other (this is normal)
Now it gets interesting ! Authentication Schemes are a little outside the scope of this document, but to gain a quick understanding, check your authschemes.xml via
Configtool.
You will notice that by default the uidpwdlogon, basicauthentication Authentication Schemes is assigned to the Authentication Template “Ticket” and the default Authentication Schemes that the portal will use is uidpwdlogon
Logon to Visual Administrator, under Server > Services > Security Provider.
Modify Ticket Authentication Template to include the following Login Modules and also the following Options.
com.sap.security.core.server.jaas.EvaluateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
com.sap.security.core.server.jaas.SPNegoLoginModule, Flag as Optional
ume.sap.spnego.uid.resolution.mode = prefixbased
com.sap.spnego.uid.resolution.attr = kpnprefix
com.sap.spnego.jgss.name = HTTP/portal.domain.dom@DOMAIN.DOM
com.sap.spnego.creds_in_thread = true
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Sufficient
ume.configuration.active = true
BasicPasswordLoginModule, Flag as Requisite
com.sap.security.core.server.jaas.CreateTicketLoginModule, Flag as Optional
Ume.configuration.active = true
Note that the SPNegoLoginModule is only provided from SP15 onwards
Click on the User Management tab and click on Manage User Store and create 2 additional Login Modules:
Krb5LoginModule and MappingModule
Create Krb5loginModule with the following parameters: Class name : com.sun.security.auth.module.Krb5LoginModule
Create MappingModule with the following parameters: Class name:com.sap.security.core.server.jaas.SPNegoMappingModule
Click back to Policy Configurations and create the com.sun.security.jgss.accept Login Module Stack. Within this stack include the following Login Modules
com.sun.security.auth.module.Krb5LoginModule
keytab = /etc/krb5/krb5.keytab
useKeyTab = true
debug = true
doNotPrompt = true
storeKey = true
principal = HTTP/portal.domain.dom@DOMAIN.DOM">HTTP/portal.domain.dom@DOMAIN.DOM
useTicketCache = true
com.sap.security.core.server.jaas.SPNegoMappingLoginModule
com.sap.spnego.uid.resolution.attr = krb5principalname
When everything is done, it should look like this:
Logon to Visual Administrator and check that the selection No Password Change required is checked (very important !)
Go to Tools > Internet Options > Advanced > Security and enable “Enable Windows Integrated Authentication”
The site that physically runs the J2EE engine must be explicitly added as a local Intranet Site. Navigate to Tools > Internet Options > Security > Local Intranet > Sites > add http://portal.domain.dom to the list.
Logoff from your desktop and Login to the desktop and the Windows Domain
Give yourself a pat on the back !!!
Launch your browser enter the URL of your portal server (for a dramatic effect, use the Portal URL as the
browser's home page) You will be logged-in and your welcome page with your corresponding Role will be displayed. Take
a deep breath and reflect !