petr_solberg
Active Contributor

HowTo: New Implementation of SPNego in a Freshly Installed SAP NW EP7.3x – it’s as easy as abc

Why This Blog:

Although as a Basis Technician I am very familiar with configuring and troubleshooting SPNego on EP 7.0x, recently when configuring SPNego on EP7.3x using the new SPNego wizard I ran into a few problems.

The basic root of my problems, as solved through an OSS Message to my new best friend dimitar.dimkin at SAP, was that when SPNego didn’t immediately work, I began implementing steps from the SPNego procedure for EP7.0x, motivated by the doubt that because the procedure with the new SPNego wizard had been so easy, perhaps there were some steps missing.

The lessons learned are: the new SPNego wizard really makes the task easy, and if you are an oldie, used to the older procedures for implementing SPNego, then you need to forget most of what you did in the past and work with the new SPNego wizard with a clear head.

Some interesting changes to SPNego in NW7.3x are that:

- there is no KeyTab in the filesystem; this is now in the database
- the SAPJVM does not contain the KTPASS, KTAB and KLIST tools, although if you really wanted these they are available in Oracle’s JVM 1.6
- you no longer need to use the old commands like KTPASS
- you must not touch the User Principal Name once it is configured in the Active Directory

Supporting Documentation:

- OSS Note: SAP Note 1488409 - New SPNego Implementation
- SPNegoDocumentation.pdf (which is attached to the OSS Note)

Assumptions:

- You are working with a freshly installed NW EP7.3x system, not a system which has been upgraded
- SPNego has never been configured on this system
- KDC (Kerberos Key Distribution Center) refers to the Domain Controller, which in this case is Active Directory

Step 1: Prepare and Create the Service User to Identify the AS Java instance on the KDC

[this section is pretty much a verbatim copy of dimitar.dimkin’s pdf document from the OSS Note 1488409]

[The Username is CASE SeNsItIvE, and whatever CaSe is used in the Active Directory, the same CaSe must be used in the configuration in the SPNego Wizard of the Portal]

Assumptions

- The Windows domain name is IT.CUSTOMER.DE
- The fully qualified domain name (FQDN) of the AS Java engine host is hades.customer.de
- The AS Java engine has an additional alias su3x24.customer.de
- The AS Java engine instance is D21

Configuration steps on the Active Directory Server

1. Create a service user named “j2ee-d21-hades”
2. Select the “Password never expires” check on the user’s account
3. Make sure the “Use DES encryption” check on the user’s account is not selected
4. From the command line, execute the following commands in order to register Service Principal Names (SPNs) for the AS Java engine host name and alias to the service user “j2ee-d21-hades”:

   setspn -a HTTP/hades.customer.de j2ee-d21-hades
   setspn -a HTTP/su3x24.customer.de j2ee-d21-hades

   Doing so registers both the host name and the alias as SPNs of the service user in the ADS
5. In order to check the configuration, execute the following command from the command line for every SPN that you registered:

   ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.txt
   ldifde -r serviceprincipalname=HTTP/su3x24.customer.de -f out2.txt

   Execute the command for every single SPN you registered to the service user and check the generated files. The output of each invocation must contain only one entry: the service user created earlier, in the example j2ee-d21-hades. In other words, all SPNs must be unique
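As an added example (not from the blog or from SAP), here is a small Python checker for the files the ldifde commands above write, applying the Step 1 rules: exactly one entry per SPN, owned by the expected service user compared case-sensitively, with “Password never expires” set and “Use DES encryption” cleared. The embedded LDIF sample is constructed; the userAccountControl bit values are the standard Active Directory ones.

```python
# Added example (not from the blog or SAP): check the file written by
# "ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.txt" against
# Step 1: one entry, expected service user (case-sensitive), no expiry, no DES.

# Constructed sample in LDIF shape; not real ldifde output.
SAMPLE_LDIF = """dn: CN=j2ee-d21-hades,OU=Service Accounts,DC=it,DC=customer,DC=de
changetype: add
sAMAccountName: j2ee-d21-hades
userAccountControl: 66048
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.customer.de
"""

UF_DONT_EXPIRE_PASSWD = 0x10000  # AD userAccountControl: "Password never expires"
UF_USE_DES_KEY_ONLY = 0x200000   # AD userAccountControl: "Use DES encryption"

def parse_ldif(text):
    """Entries are blank-line separated; map attribute -> list of values.
    Base64 values ("::") are kept undecoded, which is fine for these checks."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():                # blank line closes an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_spn_export(text, expected_user):
    """Return a list of problems; an empty list means the export passes."""
    entries = parse_ldif(text)
    if len(entries) != 1:
        return [f"expected exactly one entry, found {len(entries)} (duplicate SPN?)"]
    entry, problems = entries[0], []
    sam = entry.get("sAMAccountName", [""])[0]
    if sam != expected_user:                # deliberately case-sensitive
        problems.append(f"service user is {sam!r}, expected {expected_user!r}")
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if not uac & UF_DONT_EXPIRE_PASSWD:
        problems.append("'Password never expires' is not set")
    if uac & UF_USE_DES_KEY_ONLY:
        problems.append("'Use DES encryption' is set; clear it")
    return problems
```

Run it over the contents of each out*.txt file with the service user name exactly as it appears in Active Directory; an empty list means that SPN passes.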

[the reason for NOT selecting DES encryption for the User is that DES encryption is no longer supported on the latest versions of Active Directory. If your AD Team have older versions of Active Directory and your User is created with DES encryption, then later, when the AD Team upgrade the Active Directories, unless you keep track of their upgrade project your Kerberos will stop working, because your User with DES encryption will not be able to work against the upgraded Active Directory due to the unsupported encryption method. The advice is to use RC4 encryption, which is 128-bit]


Step 2: Run the SPNego Wizard

SPNego Wizard URL: http(s)://Your-Portal-Server:Port/spnego

Click Add -> Manually

On the next screen:
Enter the Realm, which is the Domain of the Domain Controller (Active Directory), eg: YOURCOMPANY.COM
It is not a requirement to enter a Description
Click NEXT

On the next screen:
Enter the Username and Password of the Service User created in Step 1
Remember, the Username is CASE sensitive and the CASE of the User must be the same as the CASE the User has in the Active Directory User Store
Click NEXT

On the next screen:
Uncheck the DES encryption because it is not needed
Click NEXT

On the next screen:
Select your Mapping Mode; if your User Store is Active Directory then you can leave this as the standard as shown in the screenshot
Click FINISH

On the next screen:
Click the ENABLE button, and then the STATUS will be GREEN


Step 3: Adjust the Authentication Stack

NWA URL: http(s)://YourPortalServer:Port/nwa

Click -> Configuration -> Security -> Authentication and Single Sign On

On the next screen:
Select the row TICKET and then click EDIT

Lower down on the same screen, click ADD and select SPNegoLoginModule with the Flag OPTIONAL

Then click ADD again and select CreateTicketLoginModule with the Flag REQUIRED

Next, organise the sequence and Flags for the Login Modules: organise the sequence of the Login Modules using the Move Up and Move Down buttons and set the FLAGs according to the screenshot above

Then scroll up the page and click SAVE like in the screenshot below

And you’re done :)

Next, test the SPNego logon


Troubleshooting

Open the Troubleshooting Wizard URL: http(s)://YourPortalServer:Port/tshw

1. Click START DIAGNOSTICS
2. Execute the SPNego logon which is failing
3. Click STOP DIAGNOSTICS
4. Click SHOW COLLECTED TRACES to view the trace file
5. Investigate the errors

p.s. for this and more Basis Administration documentation like it, check out the Portal section of the SCN Wiki: SAP NetWeaver Basis Administrator's Toolbox...

