SAP ABAP Message Class SPN Message Number 004 (Application help)
Hierarchy
SAP_BASIS (Software Component) SAP Basis Component
   BC-SEC-LGN (Application Component) Authentication and SSO
     SPNEGO (Package) SPNego
Attribute
Message class: SPN
Short Description: SPnego
Message Number: 004
Documentation status: Space: object requires documentation
Authorization check: Error Message
Changed On: 20140121
Message Text:
Application help
Help Document

Configuring Kerberos Services with SPNego in AS ABAP

Short text

SPNego Configuration

Use

SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP supports Kerberos with the Simple and Protected GSS API Negotiation Mechanism (SPNego) enabling authentication with web clients, such as web browsers.

Restrictions

SPNego does not provide transport layer security. We recommend that you use a transport layer security mechanism, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), to ensure the confidentiality and integrity of the communication with SAP NetWeaver AS ABAP.

Integration

Kerberos authentication requires several systems in your landscape, which negotiate the outcome transparently for the user:

  • Web client
    The web client requests a service or a resource from SAP NetWeaver AS ABAP and authenticates against the Kerberos Key Distribution Center. For example, users use a web browser as a web client to access web applications running on SAP NetWeaver AS ABAP. The user's browser must support SPNego.
  • Kerberos Key Distribution Center (KDC)
    SAP NetWeaver AS ABAP uses the single sign-on authentication mechanism that is integrated, for example, into Microsoft Windows 2003 and higher. The Microsoft Windows Domain Controller (DC) acts as a KDC, enabling Microsoft Windows integrated authentication in a Microsoft Windows domain. It authenticates the user and grants a token that is used for the communication between the user's web client and the AS ABAP.
  • SAP NetWeaver AS ABAP

Prerequisites

The following prerequisites must be fulfilled for the configuration of SPNego for ABAP:

  • You have an administration account in Active Directory.
  • You have a license for SAP NetWeaver Single Sign-On 2.0 or higher.
  • You have installed the Secure Login Library.
  • You have configured SNC to enable the mapping of SNC names in the SNC tab of User Maintenance (SU01 transaction).
  • You are using a browser that supports SPNego.
  • (Optional) You use SSL/TLS for transport layer security.

Features

The SPNego configuration enables you to maintain Kerberos service entries and to derive new symmetric keys from a Kerberos service name and password. The Kerberos services you obtain from the Active Directory are delivered in keytab files. You can either import the keytab files with the Kerberos service entries and save them, or derive a new symmetric key: you change the password, and the password is hashed with the Kerberos service name as the salt, in accordance with the selected encryption algorithms. This procedure derives a new symmetric key.
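To make the key-derivation step concrete, the following added example (not SAP code and not part of the original help text) implements the RFC 3962 string-to-key function used by the AES encryption types: PBKDF2-HMAC-SHA1 over the password with the realm and principal name as salt, followed by the DK function. The principal and the placeholder password are constructed from the page's scenario, the salt follows the RFC default (the KDC's own salt string for the account must match, otherwise the derived key differs from the key the KDC holds), and the third-party cryptography package supplies AES.

```python
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# 128-bit n-fold of the ASCII string "kerberos" (RFC 3961, Appendix A).
NFOLD_KERBEROS_128 = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")
KEY_LEN = {17: 16, 18: 32}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


def kerberos_salt(principal):
    """Default salt (RFC 3962): the realm followed by the principal name components."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def _dk_kerberos(tkey, key_len):
    """DK(tkey, "kerberos") per RFC 3961/3962: K1 = E(tkey, nfold), K2 = E(tkey, K1), ...
    One block of AES-CBC under an all-zero IV is plain AES-ECB, so ECB is used here."""
    enc = Cipher(algorithms.AES(tkey), modes.ECB()).encryptor()
    out, block = b"", NFOLD_KERBEROS_128
    while len(out) < key_len:
        block = enc.update(block)
        out += block
    return out[:key_len]  # random-to-key is the identity function for AES


def aes_string_to_key(password, salt, etype=18, iterations=4096):
    """RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the salted password, then DK()."""
    key_len = KEY_LEN[etype]
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, key_len)
    return _dk_kerberos(tkey, key_len)


if __name__ == "__main__":
    # Constructed values from the page's scenario; the password is a placeholder.
    salt = kerberos_salt("HTTP/hades.customer.de@IT.CUSTOMER.DE")
    print(salt, aes_string_to_key("<password>", salt).hex())
```

Because the derivation is deterministic, anyone who knows the service password and the salt can reproduce the key, so the service user's password deserves the same protection as the keytab itself.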

Example

For example, to configure a Kerberos Key Distribution Center in a Microsoft Windows 2003 Domain Controller that uses Active Directory Server, proceed as follows:

Assumptions

  • KDC is a Microsoft Windows 2003 Active Directory Server.
  • Microsoft Windows domain name is IT.CUSTOMER.DE.
  • Fully qualified host name of the AS ABAP is hades.customer.de.
  • AS ABAP has an additional alias su3x24.customer.de and its system ID is AB1.

Configuration Steps on the Domain Controller

  1. Create a service user KERBEROSAB1. You can also use another service user. We recommend that you do not use SAPService<SID> because the Password Never Expires option is not set for this user by default. If the password for this user expires, single sign-on fails.
  2. Enable the Password Never Expires option for this user.
  3. Register service principal names (SPNs) for the service user KERBEROSAB1 for the AS ABAP host name and all aliases. Make sure the SPNs are unique. Do this by entering the following command in the command line:

setspn -A HTTP/hades.customer.de IT.CUSTOMER.DE\KERBEROSAB1

setspn -A HTTP/su3x24.customer.de IT.CUSTOMER.DE\KERBEROSAB1

This registers both aliases hades.customer.de and su3x24.customer.de as SPNs and associates them with the AS ABAP service user on the Microsoft Windows Domain Controller.

To check the result of the configuration, enter the following command at the command line for each SPN you registered, for example:

ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf

The output of this command (out.ldf) is one entry, which points to the previously created service user (KERBEROSAB1).

To create a Kerberos keytab file on your Microsoft Windows Domain Controller, take the following steps:

1.    Create a keytab file using the ktpass command in Active Directory.

Format:
ktpass /princ http/<ABAP_host_name>@<domain> /pass <password> /out c:/keytab /mapUser <Active_Directory_logon_name>@<domain> /crypto All /ptype KRB5_NT_PRINCIPAL

Example:
ktpass /princ HTTP/hades.customer.de@IT.CUSTOMER.DE /pass <password> /out c:/keytab /mapUser SIMABAP@IT.CUSTOMER.DE /crypto All /ptype KRB5_NT_PRINCIPAL

For more information, see the Microsoft documentation.

Procedure

To enable authentication with SPNego for ABAP, set the following profile parameters. Take the following steps:

  1. Start transaction RZ10.
  2. Choose the default or instance profile.
  3. Choose the profile parameter and enter the related values.
    1. Set spnego/enable to the value 1.
    2. Set spnego/krbspnego_lib to the Kerberos library (Secure Login Library of SAP NetWeaver Single Sign-On 2.0).
      Value: <path_to_Kerberos_library>
    3. Set spnego/construct_SNC_name to the value 111. For more information, see spnego/construct_SNC_name.

NOTE

Use the libsapcrypto.so or sapcrypto.dll file of SAP NetWeaver Single Sign-On 2.0 or higher. HP-UX uses libsapcrypto.sl. The file name depends on the operating system.

  4. Save your changes.
  5. Restart the system to enable it to read the profile parameters.

To configure an SPNego trust configuration, proceed as follows:

  1. Start SPNEGO.
  2. Choose the Edit button.
  3. Confirm the license disclaimer.

To import your keytab file, choose the Import Keytab file button.

  1. Select your keytab file.
  2. Choose Open.
  3. A dialog box displays a list of Kerberos service names with their encryption algorithms.
  4. Select the Kerberos service names you want to import.
  5. Choose Continue (Enter).
  6. Save your changes.
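The import dialog lists each Kerberos service entry with its encryption type. As an added example (not SAP code and not part of the original document), the following Python parser reads the version 0x0502 keytab layout that ktpass writes and flags DES and RC4 entries, which are the ones to leave deselected at import; the sample keytab is constructed inline with dummy key bytes for the page's HTTP/hades.customer.de principal.

```python
import struct

# Kerberos encryption type numbers (RFC 3961, 3962, 4757); DES and RC4 are weak.
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}
ETYPE_NAMES = {**WEAK_ETYPES, 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(buf, pos):
    """Read a uint16-length-prefixed string at pos; return (text, position after it)."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, etype_name, weak) for every entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # deleted slot: skip |size| bytes
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        ncomp = struct.unpack_from(">H", rec, 0)[0]
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp)
        _name_type, _timestamp, vno8, etype, klen = struct.unpack_from(">IIBHH", rec, p)
        p += 13 + klen  # step over the key bytes; key material is never retained
        kvno = struct.unpack_from(">I", rec, p)[0] if len(rec) - p >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, ETYPE_NAMES.get(etype, str(etype)), etype in WEAK_ETYPES))
    return entries

def build_sample_keytab(principal, realm, etypes, kvno=3):
    """Constructed sample in the layout ktpass writes; the 16-byte keys are dummies."""
    out, comps = b"\x05\x02", principal.split("/")
    for etype in etypes:
        rec = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            rec += struct.pack(">H", len(s)) + s.encode("utf-8")
        # name_type 1 = KRB5_NT_PRINCIPAL (the ktpass /ptype value), timestamp 0
        rec += struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + b"\xaa" * 16
        out += struct.pack(">i", len(rec)) + rec
    return out

if __name__ == "__main__":
    sample = build_sample_keytab("HTTP/hades.customer.de", "IT.CUSTOMER.DE", [3, 23, 17, 18])
    for principal, kvno, name, weak in parse_keytab(sample):
        print(principal, kvno, name, "<- weak, leave deselected" if weak else "")
```

Run it against a real keytab with `parse_keytab(open(path, "rb").read())`; the key bytes are skipped, so the listing can be pasted into a change record without exposing key material.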

After you have configured the Key Distribution Center and the trust configuration, your users can log on to Microsoft Windows and authenticate at the AS ABAP if SAP NetWeaver Single Sign-On is already used for SNC-based authentication. If this is not the case, you must maintain SNC mapping. You do not need to restart the application server if the library was updated or configured for the first time. Wait two minutes for all instances to receive the import. Provided that your browser is configured for SPNego, your browser requests an SPNego token from the Active Directory when users access an AS ABAP. The AS ABAP parses the token and validates it.

The token contains the Kerberos Principal Name (KPN), which does not match the ABAP user name. The Kerberos Principal Name from the Active Directory has the following format:

Format:
<AD_user_name>@<domain>

Example:
Smith@IT.CUSTOMER.DE

During authentication, the Kerberos Principal Name must be converted to an SNC name. By default, the conversion adds the prefix p:CN= and sets the Kerberos Principal Name to uppercase.

Example:
Smith@IT.CUSTOMER.DE (Kerberos Principal Name)
p:CN=SMITH@IT.CUSTOMER.DE (converted to SNC name)

You can configure the conversion rule in the profile parameter spnego/construct_SNC_name.

Then perform the user mapping in User Maintenance (transaction SU01, SNC tab).

Procedure for System Administration

To analyze SPNego authentication failures, use the SPNego tracing function by choosing Goto -> SPNego Tracing. For more information, see SAP Notes 1732610 and 1819808.

See also

For more information on user mapping, see the SAP Help Portal under SAP NetWeaver -> Application Help -> Function-Oriented View -> Security -> Network and Transport Layer Security -> Configuring the AS ABAP for Supporting SSL -> Configuring the Communication Partners to Use SNC -> Special Cases -> Single Sign-On with Microsoft Kerberos SSP -> Mapping Windows to SAP Users for Kerberos SSO.

For detailed documentation on the SPNEGO transaction, and general information on Kerberos, see Kerberos Authentication at help.sap.com.

For more information on authentication with logon procedures, see the SAP Help Portal under SAP NetWeaver -> Application Help -> SAP NetWeaver Library: Function-Oriented View -> Application Server -> Application Server Infrastructure -> Connectivity -> Components of SAP Communication Technology -> Internet Communication Framework -> Server-Side Development -> Creating a

History
Last changed on/by 20140121  SAP 
SAP Release Created in   740