
SPNego Wizard

Nghia Nguyen
SAP NetWeaver RIG Americas
SAP Labs, LLC
Introduction
SPNego Manual Process
SPNego Wizard Process
Demo
Summary
Further Information
Introduction

Integrated Cross-Application User Management
  Single point of administration
  Interoperability, multi-vendor and platform support
  Avoid redundant user information

Single Sign-On (SSO)
  User authenticates once against a security system
  User is afterwards automatically authenticated to access other systems
  Authentication against other applications is transparent for the user

Solutions
  SAP Logon Tickets
  Windows Credentials

SAP AG 2006, RAFP20 - EFP / 4


Focus on Windows Integrated Authentication

Microsoft Active Directory and Windows Domain



What is: SAP SPNego LoginModule

Motivation
  SSO from Browser to SAP Web AS / SAP Enterprise Portal by leveraging Microsoft Windows credentials (Kerberos) for authentication
  Example: Windows Integrated Authentication from MS IE to SAP Enterprise Portal without additional middleware components like MS IIS or others

Solution:
  SAP SPNegoLoginModule for Kerberos authentication via HTTP to SAP NetWeaver



SAP SPNego LoginModule

Prerequisites
  Microsoft Windows Domain
  Authentication of users is delegated to the Windows domain
  User must be authenticated against the Windows domain on his or her workstation
  Browser propagates Windows credentials to SAP NetWeaver

Flow (diagram: workstation browser, Active Directory / Windows Domain Controller, SAP NetWeaver)
  1. Windows Domain Logon
  2. Browser sends Windows credentials
  3. SPNego checks credentials via JVM against DC
  4. SAP Logon Ticket issued

Typical scenarios
  Intranet scenarios

Typical scenarios
Intranet scenarios



SPNego Use Cases

SPNego is a Java JAAS Login Module
  It applies to the NetWeaver Application Server J2EE
  A Logon Ticket is issued by the J2EE application server

See SAP Note 701205 on how to configure a trust between NetWeaver J2EE and ABAP systems with SAP logon tickets

Flow (diagram: browser, ABAP http service / Web service, J2EE Java Stack (SPNEGO), Windows Active Directory)
  1. Send logon request to ABAP http service (e.g. URL for Web reports)
  2. Forward request to Java Stack (TA: SICS)
  3. Verification of credentials through SPNEGO using Kerberos against Windows Active Directory
  4. Confirmation: SAP user is equal to AD/Windows username
  5. Create Logon Ticket and redirect to ABAP (http service)
  6. Trust Logon Ticket and open ABAP app



SPNego Use Cases

SPNego can thereby be applied for authentication in many scenarios:
  NetWeaver Portal (intranet)
  NetWeaver Portal (intranet + external access by leveraging multiple logon stacks)
  Web Dynpro
  ABAP systems, e.g. SAP BW web reports, BSP pages, …
  Integrated ITS (as of 6.40 onwards)
  Duet
  ...and others



SPNego Protocol

Simple and Protected Negotiation protocol:
  Wrapper around a GSS-based protocol
  Allows mechanism negotiation
  Supports all GSS-API conformant mechanisms
  For HTTP, tokens are exchanged as HTTP headers between server and browser

Token layering (diagram): Base64 encoding wraps the ASN.1 SPNego wrapper, which wraps the GSS token



JAAS SPNego LoginModule:
VERY Simplified Authentication Flow



SPNego Manual Procedure

Configuration on the domain controller
  Creation of a Windows user which represents the J2EE Engine
  Export of Kerberos keys (Wizard)
  Registration of Service Principal Names

Configuration on the browser clients
  Windows integrated authentication must be switched on
  J2EE Engine host must be explicitly assigned to local intranet
  Automatic logon in intranet zone must be allowed

Configuration on the J2EE Engine (Wizard)
  Configuration of the JAAS LoginModule
  Setting of Java System Properties
  Installation of krb5.conf and the key files
  Adjustment of the UME configuration
  Configuration of the LoginModule stacks



SPNego Wizard – Installation 1/2

Download ZIP archive SPNegoWizard.zip from SAP Note 994791

Deploy EARs
  sap.com~tc~sec~auth~jmx~ear.ear
  sap.com~tc~sec~auth~spnego~wizard.ear
  security_example.ear



SPNego Wizard – Installation 2/2



SPNego Wizard - Active Directory configuration 1/2

Create service user j2ee-<SID>
  Select “User cannot change password”
  Select “Password never expires”
  Select “Use DES encryption types for this account”

Configure the service user
  Set Service Principal Name (SPN)
  setspn -A HTTP/<J2EE Hostname> <service user>



SPNego Wizard - Active Directory configuration 2/2

Check service user configuration
  Export LDAP attributes
  ldifde -r (samaccountname=<service user>) -f out.ldf
  Check “userPrincipalName” and “servicePrincipalName”
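The check above is done by eye in the deck: open out.ldf and look for the two attributes. The following added example (written for this page, not part of the SPNego Wizard or any SAP tool) automates it: it parses an ldifde-style export, handling folded continuation lines and base64 (`::`) values, then verifies that the service user has the expected userPrincipalName, that the HTTP/<J2EE Hostname> SPN registered with setspn is present, and that the userAccountControl bits behind “Password never expires” and “Use DES encryption types” are set. The sample LDIF, the j2ee-J2E user, the realm EXAMPLE.COM and the host name are constructed placeholders. “User cannot change password” is deliberately not checked, because it is not a userAccountControl flag but a permission entry on the account object.

```python
import base64
from collections import defaultdict

# userAccountControl bits (ADS_USER_FLAG_ENUM); the wizard's checkboxes map to these.
UAC_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"
UAC_USE_DES_KEY_ONLY = 0x200000    # "Use DES encryption types for this account"

# Constructed sample of what "ldifde -r (samaccountname=j2ee-J2E) -f out.ldf"
# might write; every value here is a placeholder, not from a real directory.
SAMPLE_LDF = """\
dn: CN=j2ee-J2E,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: j2ee-J2E
userPrincipalName: j2ee-J2E@EXAMPLE.COM
servicePrincipalName: HTTP/j2eehost.example.com
servicePrincipalName: HTTP/j2eehost
description:: U1BOZWdvIHNlcnZpY2UgdXNlcg==
userAccountControl: 2163200

"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased (LDAP treats them case-insensitively);
    lines starting with a space continue the previous line; '::' marks base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        if current is None:
            current = defaultdict(list)
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current[name.strip().lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_service_user(entries, sam_account, j2ee_host, realm):
    """Return the findings a practitioner wants from the ldifde export:
    UPN matches <user>@<REALM>, the HTTP/<host> SPN is registered, and the
    two account flags from the 'Create service user' step are set."""
    matches = [e for e in entries
               if any(v.lower() == sam_account.lower() for v in e.get("samaccountname", []))]
    if len(matches) != 1:
        return {"found": False}
    e = matches[0]
    upn = e.get("userprincipalname", [""])[0]
    spns = {v.lower() for v in e.get("serviceprincipalname", [])}
    uac = int(e.get("useraccountcontrol", ["0"])[0])
    return {
        "found": True,
        "upn_ok": upn.lower() == f"{sam_account}@{realm}".lower(),
        "spn_ok": f"http/{j2ee_host}".lower() in spns,   # SPN comparison is case-insensitive
        "password_never_expires": bool(uac & UAC_DONT_EXPIRE_PASSWD),
        "des_only": bool(uac & UAC_USE_DES_KEY_ONLY),
        "spns": sorted(spns),
    }


if __name__ == "__main__":
    # Replace SAMPLE_LDF with open("out.ldf").read() to check a real export.
    result = check_service_user(parse_ldif(SAMPLE_LDF), "j2ee-J2E",
                                "j2eehost.example.com", "EXAMPLE.COM")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Any `False` in the result points at the step of the Active Directory configuration that still needs attention: a missing SPN means setspn was not run (or was run against a different host name than the one the browser uses), and a wrong UPN will make the Kerberos-to-UME user mapping fail later.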



SPNego Wizard - UME Configuration 1/3

Change UME datasource (configtool)
  Upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml
  Change the datasource file to dataSourceConfiguration_ads_readonly_db_with_krb5.xml
  Enter LDAP connection data
  Test connection and authentication



SPNego Wizard - UME Configuration 2/3



SPNego Wizard - UME Configuration 3/3

Others
  Enter additional user attributes to be visible in the User Admin application: “krb5principalname; kpnprefix; dn”



SPNego Wizard - Java AS configuration 1/2

Run the SPNego Configuration Wizard
  http://localhost:50000/spnego



SPNego Wizard - Java AS configuration 2/2

Set “ticket” authentication stack to use “spnego” as template

Screenshot callout: uncheck and recheck to make the login module stack correct



SPNego Wizard - Client configuration

Configure IE
  Add “<J2EE Host>” to Local Intranet sites
  Disable HTTP proxy for requests to <J2EE Host>
  Enable Windows Integrated Authentication
  Restart Browser



SPNego authentication fallback and Result

The key to getting the basic auth fallback to work is to apply SAP Note 1007227.

IE6
  SPNego: OK
  Basic fallback with Integrated Windows Auth set: double login screen with UNKNOWN_ERROR; hit F5 to refresh and the login screen is correct. Login works with username and password whether you hit F5 or not. The UNKNOWN_ERROR is scheduled to be fixed in SPS12; since this is a usability error and not a critical error, no backport will be provided.
  Basic fallback without Integrated Windows Auth set: OK, login with user ID and password

IE7 (supported SPS10 and later):
  Same as IE6

Firefox
  General supported browser information will be documented in SAP Note 994791
  SPNego: OK, configured according to http://www.mozilla.org/projects/netlib/integrated-auth.html
  Basic fallback with the integrated-auth steps from http://www.mozilla.org/projects/netlib/integrated-auth.html configured: result identical to the IE6 2nd bullet
  Basic fallback without those integrated-auth steps configured: OK, login with user ID and password
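The protocol slide describes SPNego as a Base64-encoded ASN.1 wrapper around a GSS token carried in HTTP headers, and the fallback slide describes what the server sees when the browser drops to Basic instead. The following added example (written for this page; it is not SAP's login module and does no Kerberos validation) shows what a server-side diagnostic of that header layer looks like: it decodes the `Authorization` header value, unwraps the GSS-API InitialContextToken and the SPNEGO NegTokenInit, lists the mechanism OIDs the browser offered, flags the case where `Negotiate` carries raw NTLM rather than a Kerberos ticket (what a browser sends when the J2EE host is not in its intranet zone), and recognises the Basic fallback. It generalises beyond the deck by also building a constructed NegTokenInit so it runs offline; the DER encoder/decoder, the function names and the sample user `jdoe` are this example's own, and the OID values are the standard ones from RFC 4178, RFC 4121 and MS-SPNG.

```python
import base64

# Standard GSS-API mechanism OIDs (RFC 4178 SPNEGO, RFC 4121 Kerberos, MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """DER-encode a dotted OID (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_read(buf, pos=0):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_neg_token_init(mechs, mech_token=b""):
    """Constructed NegTokenInit inside a GSS InitialContextToken, shaped like
    a browser's first 'Negotiate' token; used here only to make sample input."""
    fields = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))  # [0] mechTypes
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))                          # [2] mechToken
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def parse_negotiate_token(token):
    """Unwrap the ASN.1 SPNEGO layer and report the offered mechanisms."""
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM in 'Negotiate': the browser got no Kerberos ticket for HTTP/<host>.
        return {"mechs": [NTLMSSP_OID], "raw_ntlm": True, "has_mech_token": True}
    tag, body, _ = der_read(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = der_read(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("GSS token is not SPNEGO-wrapped")
    tag, neg, _ = der_read(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0])")
    _, seq, _ = der_read(neg)
    mechs, has_mech_token, pos = [], False, 0
    while pos < len(seq):
        tag, content, pos = der_read(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = der_read(content)
            p = 0
            while p < len(lst):
                _, o, p = der_read(lst, p)
                mechs.append(decode_oid(o))
        elif tag == 0xA2:                     # [2] mechToken present (e.g. AP-REQ)
            has_mech_token = True
    return {"mechs": mechs, "raw_ntlm": False, "has_mech_token": has_mech_token}


def classify_authorization(header_value):
    """Classify an Authorization header value: SPNEGO, NTLM-in-Negotiate or the
    Basic fallback (only the user name is reported, never the password)."""
    scheme, _, param = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "negotiate":
        return {"scheme": "Negotiate", **parse_negotiate_token(base64.b64decode(param))}
    if scheme == "basic":
        user = base64.b64decode(param).decode("utf-8", "replace").split(":", 1)[0]
        return {"scheme": "Basic", "user": user}
    return {"scheme": scheme}


def example_headers():
    """Constructed header values for the three cases discussed on the slides."""
    spnego = build_neg_token_init([KRB5_OID, MS_KRB5_OID], b"\x01\x02\x03")  # fake AP-REQ bytes
    return {
        "kerberos": "Negotiate " + base64.b64encode(spnego).decode(),
        "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
        "basic": "Basic " + base64.b64encode(b"jdoe:not-a-real-password").decode(),
    }


if __name__ == "__main__":
    for name, value in example_headers().items():
        print(name, "->", classify_authorization(value))
```

Run against real traffic, the classification tells you which path a failing logon took: SPNEGO with a Kerberos mechanism and a mechToken is the expected intranet case, NTLM inside `Negotiate` points at the client-side zone settings, and a `Basic` header means the fallback stack from Note 1007227 is what actually authenticated the user.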



Demo

Demo the SPNego Wizard

Reverse Proxy Scenario



Summary

Prerequisites:
  NetWeaver J2EE 6.40 SP15 or higher
  NetWeaver 2004s J2EE SP6 or higher

SPNego enables single sign-on (SSO) from your Windows desktop workstation to SAP business applications such as Portal, Web Dynpro and ABAP-based systems

SPNego efficiently and securely authenticates users directly to the SAP NetWeaver J2EE application server, leveraging the Kerberos security standard, which is a built-in capability of a Microsoft environment.



Further Information

Public Web
SAP Developer Network: www.sdn.sap.com
+ SAP NetWeaver Platform Security
NetWeaver Developer‘s Guide:
http://www.sdn.sap.com/irj/sdn/developersguide
SAP Service Marketplace:
http://service.sap.com/security
http://service.sap.com/securityguide
http://service.sap.com/ais
http://www.sap.com/germany/company/revis/infomaterial/index.epx
Related SAP Education Training Opportunities
http://www.sap.com/education/
ADM960, Security in SAP System Environment

