SAP NetWeaver SPNego
TRANSCRIPT
SAP AG 2006, RAFP20 - EFP / 4
Introduction
Integrated cross-application user management
  Single point of administration
  Interoperability, multi-vendor and platform support
  Avoid redundant user information
Single Sign-On (SSO)
  User authenticates once against a security system
  User is afterwards automatically authenticated to access other systems
  Authentication against other applications is transparent for the user
Solutions
  SAP Logon Tickets
  Windows credentials
Focus on Windows Integrated Authentication
(Microsoft Active Directory and Windows domain)
What is: SAP SPNego LoginModule
Motivation
  SSO from browser to SAP Web AS / SAP Enterprise Portal by leveraging Microsoft Windows credentials (Kerberos) for authentication
Example
  Windows Integrated Authentication from MS Internet Explorer to SAP Enterprise Portal without additional middleware components such as MS IIS
Solution
  SAP SPNegoLoginModule for Kerberos authentication via HTTP to SAP NetWeaver
SAP SPNego LoginModule
Prerequisites
  Microsoft Windows domain
  Authentication of users is delegated to the Windows domain
  User must be authenticated against the Windows domain on his or her workstation
  Browser propagates Windows credentials to SAP NetWeaver
Typical scenarios
  Intranet scenarios
Authentication flow (workstation, Active Directory / Windows domain controller, SAP NetWeaver)
  1. Windows domain logon on the workstation
  2. Browser sends Windows credentials (Kerberos token) to SAP NetWeaver
  3. SPNego LoginModule checks the credentials via the JVM against the domain controller
  4. SAP Logon Ticket issued
SPNego Use Cases
SPNego is a Java JAAS login module
  It applies to the NetWeaver Application Server J2EE
  A Logon Ticket is issued by the J2EE application server
See SAP Note 701205 on how to configure a trust between NetWeaver J2EE and ABAP systems with SAP Logon Tickets
Flow for an ABAP HTTP service (e.g. URL for web reports) with the J2EE Java stack (SPNEGO) and Windows Active Directory:
  1. Send logon request to the ABAP HTTP service
  2. Forward request to the Java stack (transaction SICF)
  3. Verification of credentials through SPNEGO using Kerberos against Windows Active Directory
  4. Confirmation: SAP user is equal to the AD / Windows user name
  5. Create Logon Ticket and redirect to ABAP (HTTP service)
  6. Trust the Logon Ticket and open the ABAP application
SPNego Use Cases
SPNego can thereby be applied for authentication in many scenarios:
  NetWeaver Portal (intranet)
  NetWeaver Portal (intranet + external access by leveraging multiple logon stacks)
  Web Dynpro
  ABAP systems, e.g. SAP BW web reports, BSP pages, ...
  Integrated ITS (as of 6.40 onwards)
  Duet
  ...and others
SPNego Protocol
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO, RFC 4178):
  Wrapper around a GSS-API based protocol
  Allows mechanism negotiation
  Supports all GSS-API conformant mechanisms
  For HTTP, tokens are exchanged as HTTP headers between server and browser (WWW-Authenticate: Negotiate from the server, Authorization: Negotiate from the browser)
Token layering, outermost first:
  Base64 encoding (in the HTTP header)
  ASN.1 SPNego wrapper
  GSS token (e.g. Kerberos AP-REQ)
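The layering just described (Base64 in the HTTP header, ASN.1 SPNEGO wrapper, inner GSS token) can be checked by hand. The following Python is an added example written for this page, not SAP code: it builds a NegTokenInit with a small DER encoder and then peels a browser's Authorization: Negotiate value back down to the mechanism list, which tells you whether the client actually offered Kerberos or fell back to NTLM (which the SPNego LoginModule cannot process). The sample headers are constructed, and the inner mechToken bytes are placeholders rather than real Kerberos or NTLM messages.

```python
import base64

# Mechanism OIDs seen in browser SPNEGO tokens (RFC 4178, RFC 4121, MS-SPNG)
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}


def der(tag, body):
    """One DER TLV, short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER TLV from dotted notation (first arc 0..2, second arc < 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return der(0x06, bytes(out))


def decode_oid(contents):
    arcs, value = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """(tag, contents, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token):
    """First browser->server SPNEGO token: NegTokenInit carrying mech_token for mech_oids[0]."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))  # [0] mechTypes
    fields = mech_types + der(0xA2, der(0x04, mech_token))                        # [2] mechToken
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))       # APPLICATION 0 wrapper


def classify_negotiate_header(header_value):
    """Peel an 'Authorization: Negotiate <base64>' value down to the mechanism the client offered."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):            # bare NTLM sent under the Negotiate scheme
        return {"wrapper": "raw-ntlmssp", "mechanism": "ntlm", "mech_types": []}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = read_tlv(body)
    this_mech = decode_oid(oid)
    if this_mech != SPNEGO_OID:                      # a GSS token without the negotiation wrapper
        mech = "kerberos" if this_mech in KERBEROS_OIDS else this_mech
        return {"wrapper": "gss", "mechanism": mech, "mech_types": [this_mech]}
    choice, init, _ = read_tlv(body, pos)
    if choice != 0xA0:
        raise ValueError("expected NegTokenInit, got tag 0x%02x" % choice)
    _, fields, _ = read_tlv(init)
    mech_types, pos = [], 0
    while pos < len(fields):
        ftag, fcontents, pos = read_tlv(fields, pos)
        if ftag == 0xA0:                             # [0] mechTypes: SEQUENCE OF OID, preferred first
            _, lst, _ = read_tlv(fcontents)
            p = 0
            while p < len(lst):
                _, oc, p = read_tlv(lst, p)
                mech_types.append(decode_oid(oc))
    preferred = mech_types[0] if mech_types else None
    mech = "kerberos" if preferred in KERBEROS_OIDS else "ntlm" if preferred == NTLMSSP_OID else preferred
    return {"wrapper": "spnego", "mechanism": mech, "mech_types": mech_types}


# Constructed sample headers, not captured traffic; the inner mechToken bytes are placeholders.
KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"placeholder AP-REQ")).decode()
NTLM_WRAPPED_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
NTLM_RAW_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Call classify_negotiate_header() on each of the three sample headers. The first OID in mechTypes is the mechanism the optimistic mechToken belongs to, so a list that starts with NTLMSSP, or a bare NTLMSSP blob, means the browser had no Kerberos service ticket for the host, usually because the host is not in the Local Intranet zone or the SPN is missing.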
SPNego Manual Procedure
Configuration on the domain controller
  Creation of a Windows user which represents the J2EE Engine
  Export of Kerberos keys
  Registration of Service Principal Names
Configuration on the browser clients
  Windows Integrated Authentication must be switched on
  J2EE Engine host must be explicitly assigned to the Local Intranet zone
  Automatic logon in the intranet zone must be allowed
Configuration on the J2EE Engine
  Configuration of the JAAS LoginModule
  Setting of Java system properties
  Installation of krb5.conf and the key files
  Adjustment of the UME configuration
  Configuration of the LoginModule stacks
SPNego Wizard – Installation 1/2
Download the ZIP archive SPNegoWizard.zip from SAP Note 994791
Deploy the EARs:
  sap.com~tc~sec~auth~jmx~ear.ear
  sap.com~tc~sec~auth~spnego~wizard.ear
  security_example.ear
SPNego Wizard - Active Directory configuration 1/2
Create service user j2ee-<SID>
  Select "User cannot change password"
  Select "Password never expires"
  Select "Use DES encryption types for this account" (required by this version of the module; note that DES Kerberos keys are weak and are disabled by default on current Windows domain controllers)
Configure the service user: set the Service Principal Name (SPN)
  setspn -A HTTP/<J2EE Hostname> <service user>
  <J2EE Hostname> must be the host name the browsers use in the URL, normally the fully qualified name
SPNego Wizard - Active Directory configuration 2/2
Check the service user configuration: export its LDAP attributes
  ldifde -r (samaccountname=<service user>) -f out.ldf
Check "userPrincipalName" and "servicePrincipalName" in out.ldf
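To make the "check userPrincipalName and servicePrincipalName" step repeatable, here is an added Python example (not from the presentation or from SAP) that parses an ldifde export of the service user and verifies the settings listed in the two Active Directory slides. The LDIF text is constructed; the SID XYZ, the domain example.corp and the host sapj2ee.example.corp are placeholders.

```python
import base64
import re

# userAccountControl bits (Active Directory). "User cannot change password" is an ACE
# on the object, not a bit in this attribute, so it cannot be checked from this export.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
USE_DES_KEY_ONLY = 0x200000

# Constructed ldifde output for the service user (placeholder SID XYZ, placeholder domain).
SAMPLE_LDIF = """\
dn: CN=j2ee-XYZ,CN=Users,DC=example,DC=corp
changetype: add
objectClass: top
objectClass: user
cn: j2ee-XYZ
sAMAccountName: j2ee-XYZ
userPrincipalName: j2ee-XYZ@example.corp
servicePrincipalName: HTTP/sapj2ee.example.corp
servicePrincipalName: HTTP/sapj2ee
userAccountControl: 2163200
"""


def parse_ldif(text):
    """Parse one LDIF record into {attribute name (lower-case): [values]}."""
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():      # unfold continuation lines
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                             # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_service_user(ldif_text, sam_account, j2ee_host, dns_domain, require_des=True):
    """Apply the slide's checks to one exported account; returns findings instead of raising."""
    a = parse_ldif(ldif_text)
    problems = []
    spns = [s.lower() for s in a.get("serviceprincipalname", [])]
    wanted = f"HTTP/{j2ee_host}"
    if wanted.lower() not in spns:
        problems.append(f"missing SPN {wanted}")
    upn = a.get("userprincipalname", [""])[0]
    if upn.lower() != f"{sam_account}@{dns_domain}".lower():
        problems.append(f"userPrincipalName is {upn!r}, expected {sam_account}@{dns_domain}")
    uac = int(a.get("useraccountcontrol", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        problems.append("account is disabled")
    if not uac & DONT_EXPIRE_PASSWORD:
        problems.append("password expires: the exported Kerberos key stops matching after a change")
    des_only = bool(uac & USE_DES_KEY_ONLY)
    if require_des and not des_only:
        problems.append("USE_DES_KEY_ONLY not set (required by the module version in this presentation)")
    return {"sam": a.get("samaccountname", [""])[0], "upn": upn, "spns": spns,
            "des_only": des_only, "problems": problems}
```

Run check_service_user(SAMPLE_LDIF, "j2ee-XYZ", "sapj2ee.example.corp", "example.corp") and expect an empty problems list. Two things a single-account export cannot show: a second account that carries the same HTTP/<host> SPN (the KDC then encrypts tickets to the wrong key and SPNego fails; check with setspn -X), and the fact that DES-only keys, which this module required in 2006, are weak and are no longer enabled by default on Windows domain controllers.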
SPNego Wizard - UME Configuration 1/3
Change the UME datasource (configtool)
  Upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml
  Change the datasource file to dataSourceConfiguration_ads_readonly_db_with_krb5.xml
  Enter the LDAP connection data
  Test connection and authentication
SPNego Wizard - UME Configuration 3/3
Others
  Enter additional user attributes to be visible in the User Admin application:
  "krb5principalname; kpnprefix; dn"
SPNego Wizard - Java AS configuration 1/2
Run the SPNego Configuration Wizard: http://localhost:50000/spnego (the J2EE Engine HTTP port is 5<instance number>00; 50000 is instance 00)
SPNego Wizard - Java AS configuration 2/2
Set the "ticket" authentication stack to use "spnego" as template
(In the wizard, uncheck and re-check the modules to make the login module stack correct.)
SPNego Wizard - Client configuration
Configure IE
  Add <J2EE Host> to the Local Intranet sites
  Disable the HTTP proxy for requests to <J2EE Host>
  Enable Windows Integrated Authentication
  Restart the browser
SPNego authentication fallback and Result
The key to getting the Basic authentication fallback to work is to apply SAP Note 1007227.
IE6
  SPNego: OK
  Basic fallback with Integrated Windows Authentication set: double login screen with UNKNOWN_ERROR; press F5 to refresh and the login screen is correct. Login works with user name and password whether you press F5 or not. The UNKNOWN_ERROR is scheduled to be fixed in SPS12; since this is a usability error and not a critical error, no backport will be provided.
  Basic fallback without Integrated Windows Authentication set: OK, login with user ID and password
IE7 (supported as of SPS10)
  Same as IE6
Firefox
  General supported-browser information will be documented in SAP Note 994791
  SPNego: OK, configured according to http://www.mozilla.org/projects/netlib/integrated-auth.html
  Basic fallback with the steps from http://www.mozilla.org/projects/netlib/integrated-auth.html configured: result identical to the second IE6 bullet
  Basic fallback without those steps configured: OK, login with user ID and password
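The browser-side observations above are easier to reason about with the server-side challenge sequence in front of you. The following Python is an added illustration of the negotiation with both sides' messages, not the SPNego LoginModule's code: the first 401 offers Negotiate and Basic, a Negotiate token that turns out to be NTLM gets a Basic-only re-challenge (one way to avoid the double login screen; the SAP stack's actual handling is not shown on this page), and a Basic credential is checked against a constructed user table. The realm string, the user table and the cookie value are placeholders; only the cookie name MYSAPSSO2, which carries the SAP Logon Ticket, is real.

```python
import base64
import hmac

REALM = "SAP NetWeaver"                         # placeholder realm string
BASIC_USERS = {"jdoe": "Secret-123"}            # constructed user table, not a real store


def negotiate_header(token):
    """Client side: 'Authorization: Negotiate <base64 token>'."""
    return "Negotiate " + base64.b64encode(token).decode()


def basic_header(user, password):
    """Client side: 'Authorization: Basic <base64 user:password>'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def challenge(offer_negotiate):
    """Server side: 401 offering Negotiate (SPNEGO) and Basic, or Basic alone."""
    schemes = (["Negotiate"] if offer_negotiate else []) + [f'Basic realm="{REALM}"']
    return {"status": 401, "WWW-Authenticate": schemes}


def handle_request(headers, users=BASIC_USERS):
    """Dispatch one request through a Negotiate-then-Basic login order (illustration, not SAP's stack)."""
    auth = headers.get("Authorization")
    if not auth:
        return challenge(offer_negotiate=True)    # round trip 1: let the browser pick a scheme
    scheme, _, param = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "negotiate":
        token = base64.b64decode(param)
        if not token:
            return challenge(offer_negotiate=True)
        # A bare or SPNEGO-wrapped NTLM token carries the NTLMSSP signature. A Kerberos-only
        # server cannot finish it; re-challenging with Negotiate again is what produces the
        # double login screen, so offer Basic alone instead.
        if b"NTLMSSP\x00" in token:
            return challenge(offer_negotiate=False)
        return {"status": "pending", "next": "hand token to the Kerberos acceptor", "token": token}
    if scheme == "basic":
        try:
            user, _, password = base64.b64decode(param).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return challenge(offer_negotiate=False)
        expected = users.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return {"status": 200, "user": user, "Set-Cookie": "MYSAPSSO2=<logon ticket placeholder>"}
        return challenge(offer_negotiate=False)
    return challenge(offer_negotiate=True)        # unknown scheme: start over


def sample_exchange():
    """Walk the four cases a tester sees; returns a list of (case, response)."""
    cases = [("no credentials", {}),
             ("NTLM under Negotiate", {"Authorization": negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00")}),
             ("Kerberos under Negotiate", {"Authorization": negotiate_header(b"\x60\x06placeholder")}),
             ("Basic fallback", {"Authorization": basic_header("jdoe", "Secret-123")})]
    return [(name, handle_request(hdrs)) for name, hdrs in cases]
```

sample_exchange() returns the four responses in order. The Kerberos case only shows the dispatch point: validating the AP-REQ needs the service key from the exported keytab and is the job of the JVM's GSS acceptor, which this offline example does not replace.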
Summary
Prerequisites
  NetWeaver J2EE 6.40 SP15 or higher
  NetWeaver 2004s J2EE SP6 or higher
SPNego enables single sign-on (SSO) from your Windows desktop workstation to SAP business applications such as Portal, Web Dynpro and ABAP-based systems.
SPNego efficiently and securely authenticates users directly to the SAP NetWeaver J2EE application server, leveraging the Kerberos security standard, which is a built-in capability of a Microsoft environment.
Further Information
Public Web
  SAP Developer Network: www.sdn.sap.com
  SAP NetWeaver Platform Security
  NetWeaver Developer's Guide: http://www.sdn.sap.com/irj/sdn/developersguide
SAP Service Marketplace
  http://service.sap.com/security
  http://service.sap.com/securityguide
  http://service.sap.com/ais
  http://www.sap.com/germany/company/revis/infomaterial/index.epx
Related SAP Education training opportunities
  http://www.sap.com/education/
  ADM960, Security in SAP System Environment