AJAYTR_ATR66
This blog describes how to configure Single Sign-On (SSO) so that an SAP ABAP system accepts both X.509 certificate logon and Kerberos token logon under a single SNC name. You can also use it if you only want to configure Kerberos for ABAP/Java, or X.509 certificate logon alone.

  • My scenario: users can choose and switch between Kerberos and X.509 certificate logon as convenient. Some older systems (EWM, CRM, SAP NetWeaver 7.3) do not support Kerberos token logon; for those, the Secure Login Client uses our JAVA UME profile (a copy of the Windows SPNEGO profile) on the SSO server and logs on with an X.509 certificate, without a password.
  • Prerequisites: an installed SAP Single Sign-On server (Secure Login Server) and familiarity with its administration.
  • [3 in 1 article]
    • Kerberos for ABAP
    • Kerberos for Java
    • X.509 certificate logon configuration for ABAP
    • Steps needed for the configuration to support both Kerberos and X.509 certificate token logon

Consider the following setup:

  • The SSO server (Secure Login Server SCA) is installed on an SAP NetWeaver Java system.

ajay_tr66_0-1706335214260.png

  • The SAP ABAP system is the one on which SSO must be configured to accept both X.509 certificate and Kerberos token logon.

ajay_tr66_1-1706335293349.png

  • No additional product add-ons are required: a current ABAP platform with CommonCryptoLib supports both token logons.

Key points:

  • Goal of the configuration: users log on to the SAP system with their Windows (Azure) AD domain account, either via Kerberos or via an X.509 certificate.
  • Kerberos token logon works without the SSO server. X.509 certificate logon goes through the SSO server: the JAVA UME profile with ticket authentication backed by the SPNEGO configuration.
  • The SNC identity must be p:CN=SID; this is the only identity that satisfies both scenarios.
  • For Kerberos, the token is validated directly against the AD domain via the service account user and the Service Principal Names (SPNs) created in AD.
  • For X.509, Kerberos must first be configured on the SSO Java system. The SecureLoginDefaultGroup gets a profile (JAVA UME, ticket authentication against the Java UME) that is a copy of the SPNEGO profile. Create the CA certificates in the Secure Login Server, sign the ABAP SNC certificate with the SAP CA below that SSO Root CA, and import the Root CA into the client PCs. The Secure Login Client then trusts the SNC certificate, connects to the SecureLoginDefault group/profile, and authenticates the user by ticket against the Windows AD domain.

                                                                  KERBEROS SETUP

1) Create the service account user in Azure AD

Account properties:

  • Password never expires
  • This account supports Kerberos AES 128-bit and AES 256-bit encryption

ajay_tr66_2-1706335417604.png

Service Principal Names (written as service/host, with a forward slash):

  • Add SAP/<ABAP SID> and HTTP/<ABAP FQDN> for the ABAP system that will validate the Kerberos token.
  • Add HTTP/<SSO server FQDN> for the SSO server, because Kerberos (Windows AD) authentication must be configured on the Java system before X.509 certificate logon can be set up. For the Java Kerberos token, HTTP/<FQDN> alone is sufficient.

ajay_tr66_3-1706335447233.png
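The service account and SPN step above, scripted in PowerShell as an added example that is not part of the original blog. It creates the account with "password never expires", restricts its Kerberos keys to AES, registers the SAP/<SID> and HTTP/<FQDN> SPNs, and first checks that none of those SPNs is already registered on another account (a duplicate SPN is a classic cause of "bad credentials" at SNC logon that looks like a PSE problem). The SID, host names, account name, OU and domain are placeholders and must be replaced; it needs the ActiveDirectory RSAT module on a domain-joined admin host.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original blog. All values below are placeholders.

$Sid      = 'ABC'                   # SAP system ID; SNC identity will be p:CN=ABC
$AbapFqdn = 'abap01.example.corp'   # ABAP application server FQDN
$SsoFqdn  = 'sso01.example.corp'    # Secure Login Server (Java) FQDN
$Account  = 'svc_sap_sso'           # sAMAccountName of the service account
$Domain   = 'example.corp'          # AD DNS domain name (Kerberos realm EXAMPLE.CORP)
$OuPath   = 'OU=ServiceAccounts,DC=example,DC=corp'

# SPNs are written service/host (forward slash). SAP/<SID> is what SAP GUI asks
# the KDC for when the SNC identity is p:CN=<SID>; HTTP/<fqdn> serves browser
# SPNEGO for the ABAP host and the Java SSO host.
$Spns = @("SAP/$Sid", "HTTP/$AbapFqdn", "HTTP/$SsoFqdn")

function Test-SpnAvailable {
    # Each SPN may exist on exactly one account in the forest. A duplicate makes
    # the KDC encrypt tickets with the wrong key, which SNC reports as bad credentials.
    param([string[]]$Spn, [string]$Owner)
    $free = $true
    foreach ($s in $Spn) {
        $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$s)" -Properties sAMAccountName |
                   Where-Object { $_.sAMAccountName -ne $Owner }
        foreach ($h in $holders) {
            Write-Warning "SPN $s is already registered on $($h.DistinguishedName)"
            $free = $false
        }
    }
    return $free
}

if (-not (Test-SpnAvailable -Spn $Spns -Owner $Account)) {
    throw 'Remove the duplicate SPNs before creating the service account.'
}

$password = Read-Host -AsSecureString -Prompt "Password for $Account"

# KerberosEncryptionType limits the account's keys to AES; no RC4/DES keys are
# created, which matches the "supports AES 128/256" checkboxes in the blog.
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" -Path $OuPath `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType 'AES128,AES256' `
    -ServicePrincipalNames $Spns

function Get-SapServiceAccountReport {
    # Read back what was set so it can be compared with the SNCWIZARD input.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames, KerberosEncryptionType, PasswordNeverExpires
    [pscustomobject]@{
        Account              = $u.SamAccountName
        UserPrincipalName    = $u.UserPrincipalName     # what SNCWIZARD asks for (USERID@DOMAIN)
        Spns                 = ($u.ServicePrincipalNames | Sort-Object) -join ' '
        KerberosEncryption   = $u.KerberosEncryptionType # expect AES128, AES256
        PasswordNeverExpires = $u.PasswordNeverExpires
    }
}

Get-SapServiceAccountReport -SamAccountName $Account | Format-List
```

The user principal name printed by the report is the value to enter as USERID@DOMAIN in the Kerberos credentials step of SNCWIZARD; the SPN list should contain exactly the three entries, and the encryption type should list only the AES types.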

2) Enable SNC in ABAP System

  • If STRUST already contains a certificate for the SNC identity (some systems set one by default), delete it first.
  • SNCWIZARD does not show the SNC Identity field while such a certificate exists.
  • You can also verify this in transaction SNCCONFIG.

ajay_tr66_4-1706335474456.png

  • Save -> Check -> Distribute All, so the change is written to the PSE at OS level as well.
  • SNCCONFIG: the SNC identity is blank (removed) once the certificate has been deleted.

ajay_tr66_5-1706335525123.png

  • Run transaction SNCWIZARD. The SNC Identity field can now be entered manually.

ajay_tr66_6-1706335556334.png

  • Enter p:CN=SID (mandatory to support both X.509 and Kerberos token logon).
  • Kerberos token logon fails with any SNC identity other than the SID, even the service account user name. If you do add further attributes to the identity (OU=, O=, C=), the same values must appear in the SAP/SID Service Principal Name of the service account so the ABAP system can still be matched. Prefer plain p:CN=SID.

ajay_tr66_7-1706335583843.png

  • Accept the default profile parameters proposed by the wizard (snc/enable, snc/identity/as, snc/gssapi_lib pointing to the CommonCryptoLib, and the snc/accept_insecure_* settings).

ajay_tr66_8-1706335609404.png

Restart server: optional at this point

Preferred: complete the transaction, then restart the server

  • This avoids the SNC errors "not accepting credentials", "bad credentials", "missing SNC credentials" and "no credentials were supplied" that appear when the transaction was not completed and the PSE file at OS level was not updated.
  • The same errors can occur if the SNCWIZARD session was interrupted, for example by a network drop.
  • Several SAP blogs discuss these SNC errors, but for other causes. If you still see them after the restart: set snc/enable from 1 to 0 in the DEFAULT profile at OS level, start the system, delete the SNC certificate in STRUST and run SNCWIZARD again.

ajay_tr66_9-1706335643893.png

  • For the Kerberos credentials, enter the service account user and password. User name: USERID@DOMAIN

ajay_tr66_10-1706335673936.png

  • Select the algorithms. The wizard lets you select all of them, and in practice AES128 and AES256 are used; select only the AES types if your domain policy allows it, since RC4 and DES are deprecated.

ajay_tr66_11-1706335702900.png

  • SNC status and token check stay red until the ABAP application server is restarted.
  • After the restart, repeat the checks in transaction SPNEGO. So far only the Kerberos credentials have been saved.
  • For X.509, just accept; STRUST opens with the p:CN=SID certificate that was automatically added to the SNC PSE.

ajay_tr66_12-1706335745422.png

  • Save the certificate -> Check All -> Distribute All. If it is not distributed, the restart fails with "No credentials were supplied" and the dispatcher stops.

ajay_tr66_13-1706335776128.png

  • Complete the transaction.

                                             *** RESTART APPLICATION SERVER***

  • In transaction SPNEGO, SNC now shows as enabled and the token check succeeds.

ajay_tr66_14-1706335803867.png

User Mapping:

  • The currently logged-on Windows (Azure) AD user (User@Domain) is fetched successfully.
  • SNC names are not case sensitive, so the system matches them regardless of case. No ABAP user is assigned yet to SNC name ABAPUSERID@DOMAIN.

ajay_tr66_15-1706335837552.png

  • Assign the ABAP user. I enter the SNC name on the SNC tab of my own ABAP user ID in SU01.

ajay_tr66_16-1706335861258.png

  • For mass user changes, use transaction SNC1. The GUI flag permits or denies password logon for the user.

ajay_tr66_17-1706335892127.png
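Added verification example, not from the original blog: from a domain-joined client, ask the KDC for a service ticket for SAP/<SID>, the SPN that corresponds to SNC identity p:CN=<SID>, and confirm it was issued with an AES key. If this fails, the problem is on the AD side (missing or duplicate SPN, wrong account) rather than in the ABAP PSE, which narrows down the SNC errors listed above. The SID 'ABC' is a placeholder.

```powershell
# Added example, not from the original blog. Run on a domain-joined Windows client
# while logged on as a domain user; the SID is a placeholder.

function Get-SapServiceTicket {
    # Requests (or reads from the cache) a Kerberos service ticket for SAP/<SID>
    # and returns the ticket details that matter for SNC: issuing KDC, encryption
    # type and expiry. Returns $null when the KDC cannot map the SPN to an account.
    param([Parameter(Mandatory)][string]$Sid)

    $spn   = "SAP/$Sid"
    $lines = & klist.exe get $spn 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "klist get $spn failed:`n$($lines -join "`n")"
        return $null
    }

    # klist prints one block per cached ticket, each starting with '#<n>>'.
    $blocks = ($lines -join "`n") -split '(?m)^\s*#\d+>'
    $mine   = $blocks | Where-Object { $_ -match "Server:\s+$([regex]::Escape($spn))\s*@" } |
              Select-Object -First 1
    if (-not $mine) {
        Write-Warning "No ticket for $spn in the cache; check the SPN on the service account."
        return $null
    }

    # Pull a single 'Name: value' field out of the ticket block.
    $field = { param($name) if ($mine -match "$name\s*:\s*(.+)") { $Matches[1].Trim() } else { 'n/a' } }
    $etype = & $field 'KerbTicket Encryption Type'
    [pscustomobject]@{
        Spn            = $spn
        SncName        = "p:CN=$Sid"            # the SNC identity this SPN corresponds to
        Server         = & $field 'Server'
        EncryptionType = $etype
        AesKey         = $etype -like 'AES-*'   # RC4 here means the account still has RC4 keys
        EndTime        = & $field 'End Time'
        KdcCalled      = & $field 'Kdc Called'
    }
}

Get-SapServiceTicket -Sid 'ABC'
```

Run it before and after the restart of the application server: the ticket request is independent of the ABAP side, so a failure here points at the SPN or the service account, while a valid AES ticket combined with a red token check in SPNEGO points at the PSE or the saved credentials.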

                                      KERBEROS TOKEN CONFIGURATION COMPLETED

3) HOW TO SETUP SECURE LOGIN CLIENT AND LOGIN USING KERBEROS TOKEN

Please refer to my blog -> https://community.sap.com/t5/technology-blogs-by-members/how-to-setup-secure-login-client-and-login-...

                                                     X.509 CERTIFICATE SETUP

  • The user must exist in the Windows (Azure) AD domain.
  • The user must exist on the SSO Java server (the Guest role is sufficient for normal business users) with the same name as in Windows AD.
  • The user must exist in the ABAP system with an SNC name derived from the Windows AD account (USERID@DOMAIN).
  • To configure X.509 on the SSO Java server, use Administrator or a user with the Admin role plus SLAC_SUPERADMIN (for SSO). I use the Administrator user, which has both roles.

Short Steps:

  1. Kerberos for Java setup
  2. Own certificate creation: Root CA, SAP CA, SAP User CA, SAP SSL
  3. Adding the ABAP system to the trusted systems list
  4. Creating an RFC destination from the SSO server to the ABAP system
  5. Copying the SPNEGO profile to a new profile (I named it JAVA UME), setting ticket authentication with the User Principal Name USERID@DOMAIN, and assigning it to SecureLoginDefaultGroup

                                         1. KERBEROS – JAVA SETUP

  • Kerberos for Java is needed because the Kerberos token is the intermediate step that authenticates the user before the certificate-based logon to the ABAP system.

*) Service account user creation

  • This was done during the initial Kerberos setup: the service account user already exists in the Windows (Azure) AD domain with HTTP/<FQDN> added as a Service Principal Name, and Kerberos AES encryption is enabled. SAP/SID is not required for the Java system.

*) SPNEGO – enabling Kerberos

  • Go to NWA -> Configuration -> Authentication and Single Sign-On -> SPNEGO and add a new entry with your Windows AD domain (Kerberos realm).

ajay_tr66_0-1706338915428.png

ajay_tr66_1-1706339000983.png

  • Keys and user mapping work as in the ABAP system: pick the algorithms and keep the default user mapping.

ajay_tr66_2-1706339046261.png

*) Login Module Addition

  • Once the realm is added, go to Authentication -> Ticket -> Login Modules and add SPNegoLoginModule.

ajay_tr66_3-1706339088038.png

Flag: OPTIONAL or SUFFICIENT

  • This enables Windows (Azure) AD token authentication for the ticket login stack. Nothing needs to be added under Properties.

*) Create a user on the Java server with the same ID as in the Windows (Azure) domain

  • I use my own account.

                                                  KERBEROS FOR JAVA COMPLETED

  • You can now log on to the SSO Java server with Windows (Azure) domain authentication.

ajay_tr66_4-1706339149382.png

2) Own Certificate Creation – ROOT, SAPCA, SAPUSERCA, SAPSSL

  • Secure Login Administration Console -> Certificate Management -> create the CA certificates one by one: Root CA, SAP CA, SAP SSL, SAP User CA.

         https://hostname:port/webdynpro/resources/sap.com/securelogin.ui/Main#  

ajay_tr66_5-1706339196175.png

  • All certificates are user defined; the CN can be chosen as you like. They only need to sign (and, later, renew) the ABAP SNC certificate. They are not issued by a public CA: we created and renewed them manually in the SSO server, so the Root CA certificate must be imported into the Trusted Root Certification Authorities store of every client PC, otherwise the Secure Login Client will not trust the chain.
  • Go to Sign Certificate Requests.
  • Upload the certificate signing request exported from STRUST for the ABAP SNC PSE (the PSE's own algorithm is sufficient).

ajay_tr66_6-1706339252468.png

  • Extend the end validity and sign the request with SAP CA.
  • The resulting chain is: ABAP SNC server certificate (CN=SID) -> issuer SAP CA -> Root CA.

ajay_tr66_7-1706339295748.png

  • Signed certificate response (server certificate, ABAP CN)

ajay_tr66_8-1706339322379.png

  • Copy the signed certificate response together with the SAP CA (issuer) and Root CA certificates in Base64.
  • STRUST -> SNC SAPCryptolib PSE -> Import Certificate Response. The certificates can be pasted in any order.
  • Save -> Check All -> Distribute All.

ajay_tr66_9-1706339374816.png

ajay_tr66_10-1706339462564.png

  • I also imported the Root CA into the Trusted Root Certification Authorities store of my PC, via the MMC certificates snap-in or the SAP Management Console.

ajay_tr66_11-1706339492172.png
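Added example, not the blog's own steps, that does the client-side part of this section with PowerShell instead of the MMC snap-in: it imports the SSO Root CA into the machine's Trusted Root store and the SAP CA into the Intermediate store, then builds the chain of the signed ABAP SNC certificate and reports whether it ends at a trusted root, which is exactly what the Secure Login Client checks before connecting. File paths and the SID in the subject are assumptions; export the three certificates in Base64 from the Secure Login Administration Console and STRUST. Run as administrator.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original blog. Paths are placeholders; export the
# certificates as Base64 (.cer) from the Secure Login Administration Console and STRUST.

$RootCaFile = 'C:\certs\SSO_RootCA.cer'   # Root CA created in the Secure Login Server
$SapCaFile  = 'C:\certs\SSO_SAPCA.cer'    # SAP CA (intermediate) that signed the ABAP request
$SncCert    = 'C:\certs\ABC_SNC.cer'      # signed ABAP SNC certificate, CN=ABC

# What the blog does in MMC: only the self-signed root belongs in Trusted Root;
# the intermediate goes to Intermediate Certification Authorities (CA).
Import-Certificate -FilePath $RootCaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $SapCaFile  -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

function Test-SncCertificateChain {
    # Builds the chain leaf -> SAP CA -> Root CA the way the Secure Login Client has
    # to, using the machine stores, and returns $true only if it ends at a trusted root.
    param(
        [Parameter(Mandatory)][string]$LeafPath,
        [string[]]$IntermediatePaths = @()
    )
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $LeafPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The SSO-created CAs publish no CRL, so an online revocation check would
    # fail with RevocationStatusUnknown and mask the real result.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    foreach ($p in $IntermediatePaths) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $p
        [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    }
    $valid = $chain.Build($leaf)
    foreach ($e in $chain.ChainElements) {
        Write-Host ('{0,-45} valid until {1:yyyy-MM-dd}' -f $e.Certificate.Subject, $e.Certificate.NotAfter)
    }
    if (-not $valid) {
        foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation.Trim())" }
    }
    return $valid
}

# The listing should show CN=ABC, then the SAP CA, then the Root CA. An UntrustedRoot
# warning means the Root CA import above did not land in LocalMachine\Root.
Test-SncCertificateChain -LeafPath $SncCert -IntermediatePaths $SapCaFile
```

A chain that only validates while the SAP CA is passed in ExtraStore, but not when it is omitted, shows that the client finds the intermediate neither in its CA store nor via the server's certificate response; in that case make sure the SAP CA was included when the response was imported in STRUST, so the ABAP side sends it during the SNC handshake.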

3) Adding ABAP system in Trusted System List

  • Create a technical user (type Service or Communication) with RFC authorization and use it when adding the trusted system. Keep its authorizations to what the RFC call needs.

ajay_tr66_12-1706339553683.png

ajay_tr66_13-1706339578478.png

ajay_tr66_14-1706339598886.png

  • ABAP System added successfully.

ajay_tr66_15-1706339626234.png

4) Create an RFC destination from the SSO server to the ABAP system. The same technical user can be used for the destination.

ajay_tr66_16-1706339656762.png

ajay_tr66_2-1706341648431.png

ajay_tr66_18-1706339712514.png

Ping the destination to check the connection.

ajay_tr66_19-1706339745454.png

5) Copy SPNEGO Profile and create new Profile (I have named JAVA UME) and set Ticket Authentication with User Principal Name – USERID@DOMAIN. Assign it to SecureLoginDefaultGroup

  • In the Secure Login Administration Console -> Profile Management
  • Copy "SPNEGO – Windows Authentication" to a new profile. I created the profile JAVA UME.

ajay_tr66_20-1706339785949.png

  • Open the JAVA UME profile and change the authentication method to Ticket.

ajay_tr66_21-1706339847965.png

  • Change the Common Name to USERID:UPN, which resolves to UserName@WINDOWSDOMAIN.
  • Set SAP User CA as the CA that issues the Secure Login Client user certificate.

ajay_tr66_22-1706339886191.png

  • SPNegoLoginModule was already added to the Ticket login stack while configuring Kerberos for Java, so the JAVA UME profile's ticket authentication uses the Windows (Azure) domain authentication configured on the SPNEGO tab.

ajay_tr66_23-1706339931152.png

ajay_tr66_24-1706339948024.png

  • Assign Java UME Profile to SecureLoginDefaultGroup
  • Profile Management -> UserProfileGroups -> Profiles -> Add JAVA UME Profile

ajay_tr66_26-1706340016086.png

  • The SNC name USERID@DOMAIN was already entered in SU01 for the ABAP user during the initial Kerberos setup.

                                                X.509 CONFIGURATION COMPLETED

6) HOW TO SETUP SECURE LOGIN CLIENT AND LOGIN USING X.509 TOKEN

Refer to my blog -> https://community.sap.com/t5/technology-blogs-by-members/setup-secure-login-client-slc-and-login-usi...

                                                                           KEY POINTS

1) To use both Kerberos and X.509 certificate token logon:

  • The SNC identity must be p:CN=SID, because Kerberos only works with the SID. X.509 logon uses the SNC certificate only to establish the connection to the SSO profile group; it does not check the Windows service account SPN directly. Once connected to the profile group via the certificate, the profile authentication (ticket) checks USERID:UPN through the Kerberos for Java setup (Windows authentication). Therefore the user ID must exist on the SSO server with the same name as in Windows AD, and the SSO server's HTTP/<FQDN> must be registered as an SPN of the service account. If you plan to use the X.509 certificate token alone, any SNC identity p:CN=NAME will do.
  • To use both logons with one SNC name per user, the user certificate's Common Name must be USERID:UPN, that is USERID@DOMAIN, so that the X.509 SNC name matches the Kerberos SNC name in SU01. The SSO server would also accept USERID:AUTH, USERID or USERID:DCS as Common Name, but those produce a different SNC name.

2) Errors you might face:

  • X.509: if the user does not exist on the SSO server, the Secure Login Client connects to the profile group but cannot complete ticket authentication because the user is unknown.

ajay_tr66_1-1706341447319.png

  • Even if you enter the AD password and log on manually, it shows "User Authentication Failed", because the profile uses ticket-based authentication.
  • X.509: if the SSO Root CA (created manually in the SSO server) is not imported into the PC's trusted certificates, the Secure Login Client does not even connect to the SSO profile/group, because of a certificate error.

ajay_tr66_28-1706340150684.png

3) USE SNC with ALIAS

  • If security restrictions (production scenarios, client-specific PoC compliance) do not allow ABAP user IDs identical to the Windows AD IDs, create any user ID in ABAP (TRAINING1, TRAINING2) and enter the Windows AD ID in the Alias field.
  • To assign the SNC canonical name, use transaction SNC1 with the alias as the variable part. Users then log on with the Kerberos token of their Windows AD account, but the ABAP logon happens as TRAINING1/TRAINING2 instead of the Windows AD ID.

         TRAINING1 -> SNC name -> AD_USERNAME@AD_DOMAIN

ajay_tr66_29-1706340174104.png

  • This also works for the X.509 token, but the user on the SSO Java server must still be created with the Windows AD ID, because authentication there is ticket based. In ABAP any user ID name can be used.


                                                                 LOGON CHECK

  • I performed two logons to the configured ABAP system at the same time, one with Kerberos and one with X.509 via the JAVA UME SSO profile, without ending the other session.

ajay_tr66_30-1706340212752.png

ajay_tr66_31-1706340227225.png

ajay_tr66_32-1706340252294.png

Thanks for visiting! Please let me know if you have any queries on this configuration.

Please connect and follow my LinkedIn profile - https://www.linkedin.com/in/ajaytr66/

AJAY TR - ATR - SAP BASIS ADMINISTRATOR