Hierarchy
⤷ BC-SEC-LGN (Application Component) Authentication and SSO
⤷ SPNEGO (Package) SPNego
Attribute
Message class | SPN
Short Description | SPnego
Message Number | 004
Documentation status | Space: object requires documentation
Authorization check Error Message |
Changed On | 20140121
Message Text
Help Document
Configuring Kerberos Services with SPNego in AS ABAP
Short text
SPNego Configuration
Use
SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP supports Kerberos with the Simple and Protected GSS API Negotiation Mechanism (SPNego) enabling authentication with web clients, such as web browsers.
Restrictions
SPNego does not provide transport layer security. We recommend that you use a transport layer security mechanism, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), to ensure the confidentiality and integrity of the communication with SAP NetWeaver AS ABAP.
Integration
Kerberos authentication requires several systems in your landscape, which negotiate the outcome transparently for the user:
- Web client
  The web client requests a service or a resource from SAP NetWeaver AS ABAP and authenticates against the Kerberos Key Distribution Center. For example, users use a web browser as a web client to access web applications running on SAP NetWeaver AS ABAP. The user's browser must support SPNego.
- Kerberos Key Distribution Center (KDC)
  SAP NetWeaver AS ABAP uses the single sign-on authentication mechanism integrated, for example, into Microsoft Windows 2003 and higher. The Microsoft Windows Domain Controller (DC) acts as a KDC, enabling Microsoft Windows integrated authentication in a Microsoft Windows domain. It authenticates the user and grants a token that is used for the communication between the user's web client and the AS ABAP.
- SAP NetWeaver AS ABAP
Prerequisites
The following prerequisites must be fulfilled for the configuration of SPNego for ABAP:
- You have an administration account in Active Directory.
- You have a license for SAP NetWeaver Single Sign-On 2.0 or higher.
- You have installed the Secure Login Library.
- You have configured SNC to enable the mapping of SNC names in the SNC tab of User Maintenance (SU01 transaction).
- You are using a browser that supports SPNego.
- (Optional) You use SSL/TLS for transport layer security.
Features
The SPNego configuration enables you to maintain symmetric keys and to derive new ones from a Kerberos service name and password. The Kerberos service entries come from Active Directory in keytab files. You can either import the keytab files with the Kerberos service entries and save them, or derive a new symmetric key: you enter the password, which is hashed with the Kerberos service name as salt in accordance with the selected encryption algorithms, and this procedure derives the new symmetric key.
Example
For example, to configure a Kerberos Key Distribution Center in a Microsoft Windows 2003 Domain Controller that uses Active Directory Server, proceed as follows:
Assumptions
- KDC is a Microsoft Windows 2003 Active Directory Server.
- Microsoft Windows domain name is IT.CUSTOMER.DE.
- Fully qualified host name of the AS ABAP is hades.customer.de.
- AS ABAP has an additional alias su3x24.customer.de and its system ID is AB1.
Configuration Steps on the Domain Controller
- Create a service user KERBEROSAB1. You can also use another service user. We recommend that you do not use SAPService<SID> because the Password Never Expires option is not set for this user by default. If the password for this user expires, single sign-on fails.
- Enable the Password Never Expires option for this user.
- Register service principal names (SPNs) for the service user KERBEROSAB1 for the AS ABAP host name and all aliases. Make sure the SPNs are unique. Do this by entering the following command in the command line:
setspn -A HTTP/hades.customer.de IT.CUSTOMER.DE\KERBEROSAB1
setspn -A HTTP/su3x24.customer.de IT.CUSTOMER.DE\KERBEROSAB1
This registers both aliases hades.customer.de and su3x24.customer.de as SPNs and associates them with the AS ABAP service user on the Microsoft Windows Domain Controller.
To check the result of the configuration, enter the following command at the command line for each SPN you registered, for example:
ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf
The output of this command (out.ldf) is one entry, which points to the previously created service user (KERBEROSAB1).
To create a Kerberos keytab file on your Microsoft Windows Domain Controller, take the following steps:
1. Create a keytab file using the ktpass command in Active Directory.
Format: ktpass /princ http/<ABAP_host_name>@<domain> /pass <password> /out c:/keytab /mapUser <Active_Directory_logon_name>@<domain> /crypto All /ptype KRB5_NT_PRINCIPAL
Example: ktpass /princ HTTP/hades.customer.de@IT.CUSTOMER.DE /pass <password> /out c:/keytab /mapUser SIMABAP@IT.CUSTOMER.DE /crypto All /ptype KRB5_NT_PRINCIPAL
For more information, see the Microsoft documentation.
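The ldifde check above is meant to confirm that each registered SPN resolves to exactly one account, the service user. The following Python script is an added example (not part of the SAP documentation) that applies that check to an LDIF export: the sample export is constructed for illustration, and the attribute names and the HTTP/su3x24 duplicate in it are assumptions.

```python
from collections import defaultdict
# Constructed stand-in for an ldifde export (out.ldf), not a real export;
# a second account deliberately holds the HTTP/su3x24 SPN as well.
SAMPLE_LDIF = """\
dn: CN=KERBEROSAB1,CN=Users,DC=it,DC=customer,DC=de
sAMAccountName: KERBEROSAB1
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.customer.de

dn: CN=OLDSVC,CN=Users,DC=it,DC=customer,DC=de
sAMAccountName: OLDSVC
servicePrincipalName: HTTP/su3x24.customer.de
"""
def parse_ldif(text):
    """One {attribute: [values]} dict per blank-line-separated entry."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]  # LDIF line folding
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip()
            current.setdefault(last, []).append(value.strip())
    return entries

def spn_owners(entries):
    """SPN -> set of holding accounts; AD matches SPNs case-insensitively."""
    owners = defaultdict(set)
    for entry in entries:
        for spn in entry.get("servicePrincipalName", []):
            owners[spn.lower()].add(entry.get("sAMAccountName", ["?"])[0])
    return owners

def check_spns(ldif_text, expected_spns, service_user):
    """{spn: problem} for SPNs missing, duplicated, or on another account."""
    owners = spn_owners(parse_ldif(ldif_text))
    problems = {}
    for spn in expected_spns:
        accounts = owners.get(spn.lower(), set())
        if not accounts:
            problems[spn] = "not registered"
        elif len(accounts) > 1:
            problems[spn] = "duplicate SPN on " + ", ".join(sorted(accounts))
        elif service_user.upper() not in {a.upper() for a in accounts}:
            problems[spn] = "registered to " + next(iter(accounts))
    return problems
```

A duplicate SPN is the case to watch for: the KDC cannot tell which account's key to use for the service ticket, so SPNego logons to that alias fail even though the setspn command itself succeeded.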
Procedure
To enable authentication with SPNego for ABAP, set the following profile parameters. Take the following steps:
- Start transaction RZ10.
- Choose the default or instance profile.
- Choose the profile parameter and enter the related values.
- Set spnego/enable to the value 1.
- Set spnego/krbspnego_lib to the Kerberos library (Secure Login Library of SAP NetWeaver Single Sign-On 2.0).
Value: <path_to_Kerberos_library>
- Set spnego/construct_SNC_name to the value 111. For more information, see spnego/construct_SNC_name.
NOTE
Use the libsapcrypto.so or sapcrypto.dll file of SAP NetWeaver Single Sign-On 2.0 or higher. HP-UX uses libsapcrypto.sl. The file name depends on the operating system.
- Save your changes.
- Restart the system to enable it to read the profile parameters.
To configure an SPNego trust configuration, proceed as follows:
- Start SPNEGO.
- Choose the Edit button.
- Confirm the license disclaimer.
- To import your keytab file, choose the Import Keytab file button.
- Select your keytab file.
- Choose Open.
- A dialog box displays a list of Kerberos service names with their encryption algorithms.
- Select the Kerberos service names you want to import.
- Choose Continue (Enter).
- Save your changes.
After you have configured the Key Distribution Center and the trust configuration, your users can log on to Microsoft Windows and authenticate at the AS ABAP if SAP NetWeaver Single Sign-On is already used for SNC-based authentication. If this is not the case, you must maintain SNC mapping. You do not need to restart the application server if the library was updated or configured for the first time. Wait two minutes for all instances to receive the import. Provided that your browser is configured for SPNego, your browser requests an SPNego token from the Active Directory when users access an AS ABAP. The AS ABAP parses the token and validates it.
The token contains the Kerberos Principal Name (KPN), which does not match the ABAP user name. The Kerberos Principal Name from the Active Directory has the following format:
Format: <AD_user_name>@<domain>
Example: Smith@IT.CUSTOMER.DE
During authentication, the Kerberos Principal Name must be converted to an SNC name. By default, the conversion adds the prefix p:CN= and sets the Kerberos Principal Name to uppercase.
Example: Smith@IT.CUSTOMER.DE (Kerberos Principal Name) is converted to the SNC name p:CN=SMITH@IT.CUSTOMER.DE.
You can configure the conversion rule in the profile parameter spnego/construct_SNC_name.
- Perform a user mapping with User Maintenance (SU01 transaction in the SNC tab).
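The default conversion rule and the SU01 mapping step above are the two places where a logon silently fails when they disagree. The following Python script is an added example (not SAP code) that applies the described default rule (prefix p:CN=, uppercase) and checks a constructed SU01-style mapping table for entries that no converted principal can ever match; the table contents and the audit rules are assumptions.

```python
# Constructed SU01-style SNC mapping table (SNC name -> ABAP user), not a
# real export; two entries are deliberately wrong to show failing logons.
SU01_SNC_MAPPING = {
    "p:CN=SMITH@IT.CUSTOMER.DE": "SMITH",
    "p:CN=jones@IT.CUSTOMER.DE": "JONES",    # user part not uppercase
    "CN=MUELLER@IT.CUSTOMER.DE": "MUELLER",  # p: prefix missing
}
SNC_PREFIX = "p:CN="

def kpn_to_snc_name(kpn):
    """Default conversion described for spnego/construct_SNC_name: add the
    p:CN= prefix and uppercase the Kerberos Principal Name <user>@<realm>."""
    user, sep, realm = kpn.partition("@")
    if not sep or not user or not realm or "@" in realm:
        raise ValueError("not a Kerberos Principal Name: %r" % kpn)
    return SNC_PREFIX + kpn.upper()

def resolve_abap_user(kpn, mapping=SU01_SNC_MAPPING):
    """ABAP user for the SNC name derived from the token, or None when no
    mapping exists (the SPNego logon would then fail)."""
    return mapping.get(kpn_to_snc_name(kpn))

def audit_mapping(mapping):
    """Entries that no converted KPN can ever match: {snc_name: reason}."""
    issues = {}
    for snc_name in mapping:
        if not snc_name.startswith(SNC_PREFIX):
            issues[snc_name] = "missing " + SNC_PREFIX + " prefix"
        else:
            body = snc_name[len(SNC_PREFIX):]
            if body != body.upper():
                issues[snc_name] = "not uppercase"
            elif "@" not in body:
                issues[snc_name] = "no realm"
    return issues
```

Running audit_mapping over the real SU01 entries before go-live catches the case-and-prefix mistakes that otherwise only surface as an authentication failure in the SPNego trace.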
Procedure for System Administration
To analyze SPNego authentication failures, use the SPNego tracing function by choosing Goto -> SPNego Tracing. For more information, see SAP Notes 1732610 and 1819808.
See also
For more information on user mapping, see the SAP Help Portal under SAP NetWeaver -> Application Help -> Function-Oriented View -> Security -> Network and Transport Layer Security -> Configuring the AS ABAP for Supporting SSL -> Configuring the Communication Partners to Use SNC -> Special Cases -> Single Sign-On with Microsoft Kerberos SSP -> Mapping Windows to SAP Users for Kerberos SSO.
For detailed documentation on the SPNEGO transaction, and general information on Kerberos, see Kerberos Authentication at help.sap.com.
For more information on authentication with logon procedures, see the SAP Help Portal under SAP NetWeaver -> Application Help -> SAP NetWeaver Library: Function-Oriented View -> Application Server -> Application Server Infrastructure -> Connectivity -> Components of SAP Communication Technology -> Internet Communication Framework -> Server-Side Development -> Creating a
History
Last changed on/by | 20140121 | SAP
SAP Release Created in | 740 |