Professional Documents
Culture Documents
Nghia Nguyen
SAP NetWeaver RIG Americas
SAP Labs, LLC
Introduction
SPNego Manual Process
SPNego Wizard Process
Demo
Summary
Futher Information
Introduction
SPNego Manual Process
SPNego Wizard Process
Demo
Summary
Futher Information
Introduction
Solutions
SAP Logon Tickets
Windows Credentials
Microsoft
Active Directory
and Windows
Domain
Motivation
SSO from Browser to SAP Web AS / SAP Enterprise Portal by
leveraging Microsoft Windows credentials (Kerberos) for
authentication
Solution:
SAP SPNegoLoginModule for Kerberos authentication via HTTP
to SAP NetWeaver
User must be
2. Browser
authenticated against Sends windows
Windows domain on his or credentials
her workstation SAP NetWeaver
4.
Browser propagates SAP Logon
windows credentials to Ticket issued
SAP NetWeaver
Typical scenarios
Intranet scenarios
J2EE Windows
Java Stack Active Directory
(SPNEGO)
Base 64 encoding
Wrapper around a
GSS based protocol
Allows mechanism
negotiation
ASN.1 SPNego wrapper
Supports all GSS API
conform mechanisms
GSS token
For HTTP, tokens are
exchanged as http
headers between
server and browser
Deploy EARs
sap.com~tc~sec~auth~jmx~ear.ear
sap.com~tc~sec~auth~spnego~wizard.ear
security_example.ear
Others
Enter additional user attributes to be visible in User Admin application
“krb5principalname; kpnprefix; dn”
uncheck and
recheck to
make the
Modules Login
Stack Correct
Configure IE
Add “<J2EE Host>” to Local Intranet sites
Disable HTTP proxy for requests to <J2EE Host>
Enable Windows Integrated Authentication
Restart Browser
Firefox
general supported browser information will be documented in note 994791
SPNego - OK, configured according to
http://www.mozilla.org/projects/netlib/integrated-auth.html
Basic fallback with http://www.mozilla.org/projects/netlib/integrated-auth.html
steps configured - result identical to IE6 2nd bullet
Basic fallback without http://www.mozilla.org/projects/netlib/integrated-auth.html
steps configured - OK, login with userid and password
Prerequisites:
NetWeaver J2EE 6.40 SP15 or higher
NetWeaver 2004s J2EE SP6 or higher
Public Web
SAP Developer Network: www.sdn.sap.com
+ SAP NetWeaver Platform Security
NetWeaver Developer‘s Guide:
http://www.sdn.sap.com/irj/sdn/developersguide
SAP Service Marketplace:
http://service.sap.com/security
http://service.sap.com/securityguide
http://service.sap.com/ais
http://www.sap.com/germany/company/revis/infomaterial/index.epx
Related SAP Education Training Opportunities
http://www.sap.com/education/
ADM960, Security in SAP System Environment