Hello Friends,
This document covers Single Sign-On between the Enterprise Portal and the operating system (Windows).
The Windows Integrated Authentication mechanism allows a user to log on to the SAP NW Portal without having to enter a user name and password on the logon form. Instead, the credentials from the Windows logon are used by the SAP NW AS Java logon process to derive a user name that can be validated against the UME persistence store.
When you use SPNego (Simple and Protected Negotiation Protocol), authentication is performed by several systems in your landscape, which negotiate the outcome of the authentication process transparently for the user. At a minimum, SPNego authentication involves the following systems:
For more information about the Kerberos systems landscape and infrastructure, see Kerberos V5 Administrator’s Guide.
The systems involved in the SPNego authentication process share user information. Therefore, to enable the AS Java to use SPNego authentication you have to configure several systems including the KDC, the AS Java and its UME, as well as the Web client.
The first step is to configure a service user in the LDAP directory. For my screenshots I used a J2EE engine that I (will) attach to a Microsoft ADS.
1. Create a user in the ADS
2. Enable the "Password Never Expires" option for this user.
3. Enable the "Use DES encryption" option for this user.
Now go to step 2 and set the service principal names (SPNs) for this user. An SPN has to be registered for every URL / DNS alias you are going to use to access the J2EE Engine, and of course for the fully qualified computer name as well. Simply repeat the steps for each name. The command to add a service principal name is: setspn -A HTTP/servername username
The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket, which is used for the communication between the Web client and the AS Java. For this reason, the KDC maintains a directory of the users that can access AS Java resources for a Kerberos Realm.
Note: The configuration steps are specific to the KDC that you use. For more information, see the documentation provided by your KDC vendor. If you use a Sun JDK to run the J2EE Engine and the KDC is a Windows 2000 Domain Controller with ADS, you also have to disable delegation in the ADS to avoid errors during ticket verification.
The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) for a user store.
Prerequisites:
1. The service user from step 1 is already created. It is needed to identify the AS Java instance on the KDC.
Assumptions:
For the purpose of this example we assume that:
Procedure: Configuration steps on the DC
1. From a command line, enter the following command to register service principal names (SPNs) for the AS Java host name and alias and map them to the service user.
Procedure: Check the Configuration
To check the result of the configuration, enter the following command line for each SPN you registered: The output of this command is one entry which points to the previously created service user.
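To make the SPN check from the last two procedures repeatable, here is an added example (my own helper, not part of the original post or any SAP tool). It does not run setspn itself: it parses output you captured from "setspn -L <user>" and compares it against the list of host names users will type into the browser, then prints the setspn -A commands for whatever is still missing. The service user name svc_j2ee, the host names and the setspn output below are all constructed sample values; the real setspn output may differ slightly in layout. Remember to include the fully qualified computer name in the alias list.

```python
"""Check that every URL / DNS alias of the AS Java has a matching HTTP/ SPN.

Added example, not from the original post. Compares the SPNs registered on
the service user (captured "setspn -L" output) with the aliases you intend
to use and emits the setspn -A commands still required.
"""

# Constructed sample of "setspn -L svc_j2ee" output (not real data).
SETSPN_L_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc_j2ee,OU=Service Accounts,DC=example,DC=com:
        HTTP/portal.example.com
        HTTP/portal
"""


def parse_setspn_list(output):
    """Return the SPNs listed by setspn -L, lower-cased (SPNs are case-insensitive)."""
    spns = set()
    for line in output.splitlines()[1:]:   # the first line is the header
        line = line.strip()
        if "/" in line:                      # every SPN has the form service/host
            spns.add(line.lower())
    return spns


def missing_spns(aliases, setspn_output, user="svc_j2ee"):
    """Return one 'setspn -A HTTP/<alias> <user>' command per alias lacking an SPN."""
    registered = parse_setspn_list(setspn_output)
    needed = sorted(f"HTTP/{alias}" for alias in aliases)
    return [f"setspn -A {spn} {user}" for spn in needed
            if spn.lower() not in registered]


if __name__ == "__main__":
    # Every name the browser may use, including the fully qualified host name.
    aliases = ["portal.example.com", "portal", "sso.example.com"]
    for cmd in missing_spns(aliases, SETSPN_L_OUTPUT):
        print(cmd)
```

Run the script once after registering the SPNs and again whenever a new DNS alias for the portal is introduced; an alias without an SPN is the most common reason why the browser silently falls back to the form-based logon.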
Depending on the data source it uses, the UME of the AS Java can be configured to use several modes to resolve the user from the Kerberos Principal Name (KPN).
Information about Resolution Mode
The UME can use the following resolution modes to determine the user account from the KPN:
Procedure: Configuring the UME when Using Non-ADS Data Sources
Use this topic to modify the data source configuration of the user management engine (UME) for using non-ADS data stores with Kerberos authentication. For this scenario, the resolution mode used is simple. To make the required settings, you use the Config Tool.
1. Start the Config Tool by double-clicking the configtool script file in the <SAP_install_dir>/<system_name>/<instance_name>/j2ee/configtool directory.
2. Open the template configuration and choose Services -> com.sap.security.core.ume.service.
3. Select the property ume.admin.addattrs.
4. In the Custom Value field enter krb5principalname. This attribute is used for resolving the user from his or her KPN.
5. To save the new value of the property, choose Set Custom value.
6. Restart the AS Java instance.
You can use the SPNego configuration wizard to enable SPNego authentication for all users belonging to a Kerberos Realm to log on transparently to the AS Java with Single Sign-On.
Introduction
Kerberos authentication on the AS Java uses Kerberos infrastructure functions that are an integral part of the Microsoft Windows 2000 and higher operating systems (OS).
There are two ways to start the wizard:
To access the SPNego Wizard, open the URL http://<Server>:<port>/spnego. If it is not installed, look at the following SAP Notes: 968191 - SPNego Central Note and 994791 - Wizard-based SPNego configuration.
Steps:
Step 1 of 4/5: Prerequisites
Description
In this step all prerequisites for the configuration of Kerberos authentication are listed. Check each prerequisite and mark it in the corresponding checkbox, then click the Next button.
Screenshot
Step 2 of 4/5: Kerberos Realm
Description
Screenshot
Step 3 of 4/5: Resolution Mode
Description
Prerequisites:
Screenshot
Step 4 of 4/5: Confirmation
Description
Screenshot
Step 5 of 5: Final Result
Description
This step only occurs the first time you run the SPNego configuration. Don't wonder why only four configuration steps (instead of five) are available when you start the tool a second time. If you delete the folder kerberos (\usr\sap\SID\SYS\global\kerberos) you can almost start from scratch.
Screenshot
After configuring step 4 you can have a look at what the SPNego wizard has done on the server side. Start the Visual Administrator and take a look at Server -> Services -> Security Provider. A new component com.sun.security.jgss.accept was created which contains two login modules: Krb5LoginModule and SPNegoMappingLoginModule. Both contain the options you chose when clicking through the wizard. Among other settings, the Krb5LoginModule contains the properties of the Kerberos principal user (service user) and the SPNegoMappingLoginModule the user resolution mode.
Make sure that the flag of both entries is set to SUFFICIENT.
If you are using a Sun JDK for your J2EE engine, please make sure that you are using JDK 1.4.2_13 and not _14, _15 or _16. Unfortunately all of these versions contain a bug that stops Kerberos from working, see Note 1057474 - NullPointerException in KRB5LoginModule. As a workaround for this bug it is necessary to configure the following property in the Krb5LoginModule:
isInitiator = false
Then there is also the spnego template, which contains the login modules required for a successful login. The first entry is the EvaluateTicketLoginModule (com.sap.security.core.server.jaas.EvaluateTicketLoginModule). This login module checks whether you already have a valid SAPLogonTicket (in a federated portal scenario this ticket could also come from another portal; if you have chosen to trust that portal, the check succeeds and, because of the flag SUFFICIENT, the remaining modules are simply skipped). If the ticket evaluation did not succeed, the next login module is used: SPNegoLoginModule. This module does the actual SPNego / Kerberos check. Its flag is REQUISITE, so a failure aborts the whole stack immediately, while a success continues with the next login module. When this login module was successful, the last login module, CreateTicketLoginModule, is executed. This time a SAPLogonTicket is created, so the next time you access the portal the EvaluateTicketLoginModule succeeds right away. (For a more detailed list of what the different flags mean, please check SAP Help: http://help.sap.com/saphelp_nw70/helpdata/en/d0/ee244134a56532e10000000a1550b0/frameset.htm)
1. The settings of the modules are shown in the next screenshot.
2. Set the Authentication Template of the component ticket to "spnego". All changes have to be done directly in the spnego component. If there are problems with the SSO configuration you have to set the flag REQUISITE of the SPNegoLoginModule to SUFFICIENT.
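To see how the three flags interact without touching a live system, here is an added example (my own simulation, not code from the original post or from SAP). It implements the standard JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) and runs the spnego template described above with three stand-in functions for EvaluateTicketLoginModule, SPNegoLoginModule and CreateTicketLoginModule. The flag of CreateTicketLoginModule is not stated in the post and is assumed to be OPTIONAL here; the ctx dictionary and the "valid" marker values are constructed for the simulation.

```python
"""Simulate JAAS control flags over the 'spnego' login module stack.

Added example, not from the original post or from SAP. Each module is a
plain function that receives a context dict and returns True on success.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"      # must succeed, stack continues either way
    REQUISITE = "requisite"    # must succeed, failure aborts the stack at once
    SUFFICIENT = "sufficient"  # success ends the stack at once, failure continues
    OPTIONAL = "optional"      # result only matters if no REQUIRED/REQUISITE exist


def run_stack(stack, ctx):
    """Evaluate [(name, flag, module), ...] and return (authenticated, executed_names)."""
    executed = []
    required_failed = False
    any_success = False
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in stack)
    for name, flag, module in stack:
        executed.append(name)
        ok = module(ctx)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    return False, executed          # abort: later modules never run
        elif ok:
            any_success = True
            if flag is Flag.SUFFICIENT and not required_failed:
                return True, executed               # short-circuit the stack
    if has_required:
        return not required_failed, executed
    return any_success, executed


# Stand-ins for the real login modules (assumed behaviour, kept minimal).
def evaluate_ticket(ctx):
    """EvaluateTicketLoginModule: succeeds only with a valid SAPLogonTicket."""
    if ctx.get("logon_ticket") != "valid":
        return False
    ctx["user"] = "user from logon ticket"
    return True


def spnego(ctx):
    """SPNegoLoginModule: succeeds only if the browser sent a valid Kerberos ticket."""
    if ctx.get("kerberos_ticket") != "valid":
        return False
    ctx["user"] = "user resolved from KPN"
    return True


def create_ticket(ctx):
    """CreateTicketLoginModule: issues the SAPLogonTicket once a user is known."""
    if "user" not in ctx:
        return False
    ctx["logon_ticket"] = "valid"
    return True


def spnego_template(spnego_flag=Flag.REQUISITE):
    """The spnego template as the post describes it; CreateTicket flag is assumed."""
    return [
        ("EvaluateTicketLoginModule", Flag.SUFFICIENT, evaluate_ticket),
        ("SPNegoLoginModule", spnego_flag, spnego),
        ("CreateTicketLoginModule", Flag.OPTIONAL, create_ticket),
    ]


if __name__ == "__main__":
    ctx = {"kerberos_ticket": "valid"}            # first request: Kerberos only
    print(run_stack(spnego_template(), ctx))      # all three modules run, success
    print(run_stack(spnego_template(), ctx))      # second request: ticket short-circuits
    print(run_stack(spnego_template(), {}))       # no Kerberos: REQUISITE aborts after SPNego
    print(run_stack(spnego_template(Flag.SUFFICIENT), {}))  # SUFFICIENT: stack runs to the end
```

The last call shows the effect of the REQUISITE-to-SUFFICIENT change from step 2: a failed SPNego attempt no longer aborts the stack, so the remaining modules are still tried, which is what lets the portal fall back to its form-based logon instead of failing hard.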
Procedure for Internet Explorer
1. Enable Windows Integrated Authentication in your Web browser: In Internet Explorer go to Tools -> Internet Options -> Advanced -> Security and choose Enable Windows Integrated Authentication (requires restart).
2. Enable automatic logon in Intranet zone: In Internet Explorer go to Tools -> Internet Options -> Security -> Local Intranet -> Custom Level and choose Automatic logon only in Intranet Zone from the section User Authentication.
3. (not mandatory) Add the J2EE Engine’s DNS host name to the list of local intranet sites: In Internet Explorer go to Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced and add the J2EE Engine’s DNS host name to the list.
Procedure for Mozilla Firefox
1. Add the server name to the list of sites which do not use a proxy: Open the proxy settings of your browser. In the field No Proxy for specify the name of the J2EE Engine for which you want to use Kerberos authentication, for example: my_kerberos_server.
2. Allow integrated authentication:
· In the address bar of your browser, enter the following: about:config.
· Filter the entries by name using the prefix negotiate.
· Add the J2EE Engine address to the entries network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, for example: http://hostName.
Mozilla Firefox is now configured to use Kerberos authentication for the required J2EE Engine.
· Set the logoff URL in the Config Tool:
in the Config Tool, go to cluster-data -> instanceXXX -> serverXXX -> services
and on the right side change the parameter
· Change authschemes.xml with the Config Tool:
o in the Config Tool, switch to "configuration editor mode"
o navigate to cluster_data -> server -> persistent -> com.sap.security.core.ume.service -> authschemes.xml
o right-click on the item and choose "show details"
o download the file and store it in a safe location
o make a working copy of the file and open it in a text editor
o add the following lines below the first scheme definition (within the <authschemes> tag, below the <authscheme name="uidpwdlogon"> section):
<authscheme name="no_sso">
  <!-- multiple login modules can be defined -->
  <authentication-template>
    ticket_nosso
  </authentication-template>
  <priority>20</priority>
  <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
  <frontendtype>2</frontendtype>
  <!-- target object -->
  <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>
o in the Config Tool, switch to edit mode
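A broken authschemes.xml locks everybody out of the portal, so it is worth checking the working copy before uploading it. Here is an added example (my own script, not from the original post or from SAP) that inserts the no_sso scheme from above directly after the uidpwdlogon scheme and then sanity-checks every authscheme element: unique name, non-empty authentication-template, numeric priority, frontendtype 0/1/2 and a frontendtarget. The SAMPLE document is a constructed, minimal authschemes.xml; the real file exported from the Config Tool contains more schemes and an authscheme-refs section, which the checks ignore.

```python
"""Insert the no_sso scheme into a copy of authschemes.xml and sanity-check it.

Added example, not from the original post or from SAP; standard library only.
"""
import xml.etree.ElementTree as ET

# Constructed minimal authschemes.xml (sample values, not the real exported file).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<authschemes>
  <authscheme name="uidpwdlogon">
    <authentication-template>ticket</authentication-template>
    <priority>20</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
  </authscheme>
</authschemes>
"""

# The scheme from the post, exactly as it is to be added.
NO_SSO = """<authscheme name="no_sso">
  <authentication-template>
    ticket_nosso
  </authentication-template>
  <priority>20</priority>
  <frontendtype>2</frontendtype>
  <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
</authscheme>"""

VALID_FRONTENDTYPES = {"0", "1", "2"}  # TARGET_FORWARD, TARGET_REDIRECT, TARGET_JAVAIVIEW
REQUIRED_TAGS = ("authentication-template", "priority", "frontendtype", "frontendtarget")


def insert_scheme(doc_text, scheme_text, after="uidpwdlogon"):
    """Return doc_text with scheme_text placed directly after the scheme named `after`."""
    root = ET.fromstring(doc_text)
    new = ET.fromstring(scheme_text)
    for idx, child in enumerate(list(root)):
        if child.tag == "authscheme" and child.get("name") == after:
            root.insert(idx + 1, new)
            break
    else:
        raise ValueError(f"no authscheme named {after!r}")
    return ET.tostring(root, encoding="unicode")


def check_schemes(doc_text):
    """Return a list of problems found in the <authscheme> elements (empty = OK)."""
    root = ET.fromstring(doc_text)
    if root.tag != "authschemes":
        return [f"unexpected root element <{root.tag}>"]
    problems, seen = [], set()
    for scheme in root.findall("authscheme"):
        name = scheme.get("name")
        if not name:
            problems.append("authscheme without name attribute")
            continue
        if name in seen:
            problems.append(f"duplicate authscheme name {name!r}")
        seen.add(name)
        for tag in REQUIRED_TAGS:
            if not scheme.findtext(tag, "").strip():
                problems.append(f"{name}: missing or empty <{tag}>")
        prio = scheme.findtext("priority", "").strip()
        if prio and not prio.isdigit():
            problems.append(f"{name}: priority {prio!r} is not a number")
        ftype = scheme.findtext("frontendtype", "").strip()
        if ftype and ftype not in VALID_FRONTENDTYPES:
            problems.append(f"{name}: frontendtype {ftype!r} is not 0, 1 or 2")
    return problems


def scheme_names(doc_text):
    """Names of all authscheme elements, in document order."""
    return [s.get("name") for s in ET.fromstring(doc_text).findall("authscheme")]


if __name__ == "__main__":
    merged = insert_scheme(SAMPLE, NO_SSO)
    print(scheme_names(merged))            # ['uidpwdlogon', 'no_sso']
    print(check_schemes(merged) or "OK")   # OK
```

Run check_schemes against the edited working copy before uploading it back through the Config Tool; an empty result only proves the XML is structurally sound, the ticket_nosso template itself still has to exist in the Security Provider.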
Here you will find helpful links to SSO topics and problem issues. Most of the possible problems are described in the note Configuring and troubleshooting SPNego - Part 3(http://scn.sap.com/people/holger.bruchelt/blog/2008/01/24/configuring-and-troubleshooting-spnego--pa...). This document also describes how to use the diagtool for logging and tracing the SPNego process and traffic. Use this tool for debugging SSO.
Helpful documentation about the configuration of SPNego:
Other documentation
https://forums.sdn.sap.com/thread.jspa?threadID=194081
http://scn.sap.com/thread/194081
Kerberos implementation with ADS made easy
http://scn.sap.com/people/vaibhav.dua2/blog/2006/04/24/kerberos-implementation-with-ads-made-easy
Windows Integrated Authentication via Kerberos on an LDAP data source
Hope this is helpful !!!
Regards
Vijay K Kalluri