7/22/2019 SPNego Wizard_Active Directory Configuration
1/31
SPNego Wizard
Nghia Nguyen
SAP NetWeaver RIG Americas
SAP Labs, LLC
Introduction
SPNego Manual Process
SPNego Wizard Process
Further Information
Demo
Summary
SAP AG 2006, RAFP20 - EFP / 4
Introduction
Integrated Cross-Application User Management
Single point of administration
Interoperability, multi-vendor and platform support
Avoid redundant user information
Single Sign-On (SSO)
User authenticates once against a security system
User is afterwards automatically authenticated to access other systems
Authentication against other applications is transparent for the user
Solutions
SAP Logon Tickets
Windows Credentials
Focus on Windows Integrated Authentication
Microsoft Active Directory and Windows Domain
What is: SAP SPNego LoginModule
Motivation
SSO from Browser to SAP Web AS / SAP Enterprise Portal by leveraging Microsoft Windows credentials (Kerberos) for authentication
Example: Windows Integrated Authentication from MS IE to SAP Enterprise Portal without additional middleware components like MS IIS or others
Solution:
SAP SPNegoLoginModule for Kerberos authentication via HTTP
to SAP NetWeaver
SAP SPNego LoginModule
Prerequisites
Microsoft Windows Domain
Authentication of users is delegated to the Windows Domain
User must be authenticated against the Windows domain on his or her workstation
Browser propagates Windows credentials to SAP NetWeaver
Typical scenarios
Intranet scenarios
Flow between the workstation, Active Directory / Windows Domain Controller and SAP NetWeaver:
1. Windows domain logon
2. Browser sends Windows credentials
3. SPNego checks credentials via JVM against DC
4. SAP Logon Ticket issued
SPNego Use Cases
SPNego is a Java JAAS Login Module
It applies to the NetWeaver Application Server J2EE; a Logon Ticket is issued by the J2EE application server
See SAP Note 701205 on how to configure a trust between NetWeaver J2EE + ABAP systems with SAP logon tickets
Flow between ABAP (http Web service, e.g. URL for Web-Reports), J2EE Java Stack (SPNEGO) and Windows Active Directory:
1. Send logon request to ABAP http service
2. Forward request to Java Stack (TA: SICS)
3. Verification of credentials through SPNEGO using Kerberos against Windows Active Directory
4. Confirmation: SAP user is equal to AD / Windows username
5. Create Logon Ticket and redirect to ABAP (http service)
6. Trust Logon Ticket and open ABAP app
SPNego Use Cases
SPNego can thereby be applied for authentication in many scenarios:
NetWeaver Portal (intranet)
NetWeaver Portal (intranet + external access by leveraging multiple logon stacks)
Web Dynpro
ABAP systems, e.g. SAP BW web reports, BSP pages,
Integrated ITS (as of 6.40 onwards)
Duet
...and others
SPNego Protocol
Simple and Protected Negotiation protocol:
Wrapper around a GSS based protocol
Allows mechanism negotiation
Supports all GSS API conform mechanisms
For HTTP, tokens are exchanged as http headers between server and browser
Token layers (outermost first): Base64 encoding, ASN.1 SPNego wrapper, GSS token
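The header exchange this slide and the earlier flow diagram describe, as an added example that is not part of the original deck and not SAP's code: a Python parser that takes the value of the Authorization header a browser sends back, base64-decodes it, walks the ASN.1 GSS-API wrapper and the SPNego NegTokenInit inside it, lists the mechanisms the client offered and extracts the inner GSS token. It also classifies a Basic fallback, the case the fallback slide later in the deck discusses, and the bare-Kerberos case some clients send under "Negotiate" without an SPNego wrapper. The sample token is constructed with the DER helpers in the block, so no real Kerberos ticket is involved; the OIDs are the standard SPNEGO, Kerberos, MS-Kerberos and NTLMSSP values. Reporting NTLMSSP in the offered list is a defender's check: such a client can end up authenticating with NTLM rather than Kerberos.

```python
"""Parse the HTTP Negotiate exchange (added example, not SAP's code).

The sample token is constructed with the DER helpers below; no real ticket is used."""
import base64

SPNEGO = "1.3.6.1.5.5.2"            # SPNEGO pseudo-mechanism OID
KRB5 = "1.2.840.113554.1.2.2"        # Kerberos V5 GSS-API mechanism
MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft Kerberos variant
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"   # NTLM; its presence means a non-Kerberos path exists


def tlv(tag, body):
    """DER-encode one tag/length/value triple (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos=0):
    """Decode one DER triple at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)


def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_sample_token(mech_token, mechs=(MS_KRB5, KRB5)):
    """Build the base64 NegTokenInit a browser sends, around a placeholder mechToken."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    neg_init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    gss = tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, neg_init))   # InitialContextToken
    return base64.b64encode(gss).decode("ascii")


def parse_authorization(header_value):
    """Classify an Authorization header: SPNego token, bare Kerberos token, or Basic fallback."""
    scheme, _, payload = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Fallback path: the credentials travel in cleartext, so only accept it over TLS
        return {"scheme": "basic", "mech_types": [], "mech_token": b"", "ntlm_offered": False}
    if scheme != "negotiate":
        raise ValueError(f"unexpected scheme {scheme!r}")
    raw = base64.b64decode(payload, validate=True)
    tag, body, end = read_tlv(raw)
    if tag != 0x60 or end != len(raw):
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_body, pos = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    this_mech = decode_oid(oid_body)
    if this_mech != SPNEGO:
        # Some clients send a bare Kerberos token under "Negotiate" with no SPNego wrapper
        return {"scheme": "negotiate", "mech_types": [this_mech], "mech_token": body[pos:],
                "ntlm_offered": False}
    choice_tag, choice_body, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = read_tlv(choice_body)
    mech_types, mech_token, p = [], b"", 0
    while p < len(seq):
        t, v, p = read_tlv(seq, p)
        if t == 0xA0:                       # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(v)
            q = 0
            while q < len(lst):
                _, oid, q = read_tlv(lst, q)
                mech_types.append(decode_oid(oid))
        elif t == 0xA2:                     # mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(v)
    return {"scheme": "negotiate", "mech_types": mech_types, "mech_token": mech_token,
            "ntlm_offered": NTLMSSP in mech_types}


if __name__ == "__main__":
    header = "Negotiate " + build_sample_token(b"\x01\x02\x03", (MS_KRB5, KRB5, NTLMSSP))
    print(parse_authorization(header))
```

The mechToken is left opaque on purpose: the server's JAAS login module hands it to the JVM's Kerberos implementation, which validates it against the key exported for the service user. What a front-end or log pipeline can do without the key is exactly what the parser does here: see which scheme arrived, which mechanisms were offered, and whether the exchange silently dropped to Basic or could drop to NTLM.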
SPNego Manual Procedure
Configuration on the domain controller
Creation of a Windows user which represents the J2EE Engine
Export of Kerberos keys
Register of Service Principal Names
Configuration on the browser clients
Windows integrated authentication must be switched on
J2EE Engine host must be explicitly assigned to local intranet
Automatic logon in intranet zone must be allowed
Configuration on the J2EE Engine
Configuration of the JAAS LoginModule
Setting of Java System Properties
Installation of krb5.conf and the key files
Adjustment of the UME-Configuration
Configuration of the LoginModule Stacks
Wizard
SPNego Wizard Installation 1/2
Download ZIP archive SPNegoWizard.zip from SAP Note 994791
Deploy EARs
sap.com~tc~sec~auth~jmx~ear.ear
sap.com~tc~sec~auth~spnego~wizard.ear
security_example.ear
SPNego Wizard Installation 2/2
SPNego Wizard - Active Directory configuration 1/2
Create service user j2ee-
Select User cannot change password
Select Password never expires
Select Use DES encryption types for this account
Configure the service user
Set Service Principal Name (SPN)
setspn -A HTTP/
SPNego Wizard - Active Directory configuration 2/2
Check service user configuration
Export LDAP attributes
ldifde -r (samaccountname=) -f out.ldf
Check userPrincipalName and servicePrincipalName
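One way to do the last check programmatically, as an added example that is not part of the deck and not SAP's tooling: a Python script that parses the ldifde output (folded continuation lines and base64 "::" values included), verifies that the HTTP/<host> SPN is registered, that the userPrincipalName has the expected form, that the relevant userAccountControl flags are set, and that no second object carries the same SPN, since a duplicate SPN breaks Kerberos for that service. The LDIF below is constructed; host, realm and account names are placeholders, the second record is a hypothetical computer object added only to exercise the duplicate check, and the expectation that the UPN equals the SPN with the realm appended is an assumption about the SAP setup rather than something the slide states. The DES flag is reported as a note rather than an error: this 2006-era deck requires it, while DES is a weak cipher by today's standards.

```python
"""Check the ldifde export of the SPNego service user (added example, not SAP's code).

SAMPLE_LDIF is constructed; host, realm and account names are placeholders."""
import base64

# userAccountControl bit flags (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
USE_DES_KEY_ONLY = 0x200000

# Stand-in for "ldifde -r (samaccountname=j2ee-sapj2ee) -f out.ldf" output. The second,
# hypothetical computer object carrying the same HTTP SPN exists only to show the
# duplicate-SPN check; a filtered export would normally contain the service user alone.
SAMPLE_LDIF = """\
dn: CN=j2ee-sapj2ee,CN=Users,
 DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: j2ee-sapj2ee
userPrincipalName: HTTP/sapj2ee.example.com@EXAMPLE.COM
servicePrincipalName: HTTP/sapj2ee.example.com
servicePrincipalName: HTTP/sapj2ee
description:: U1BOZWdvIHNlcnZpY2UgdXNlcg==
userAccountControl: 2163200

dn: CN=OLDWEB,CN=Computers,DC=example,DC=com
changetype: add
objectClass: computer
sAMAccountName: OLDWEB$
servicePrincipalName: HTTP/sapj2ee.example.com
servicePrincipalName: HOST/oldweb.example.com
userAccountControl: 4096
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.
    Folded lines (leading space) are re-joined and '::' values are base64-decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def check_service_user(record, host_fqdn, realm):
    """Return (level, message) findings; no 'error' entries means the account matches the deck's setup."""
    findings = []
    expected_spn = f"HTTP/{host_fqdn}".lower()
    expected_upn = f"{expected_spn}@{realm}".lower()   # assumed convention: UPN = SPN@REALM
    spns = [s.lower() for s in record.get("serviceprincipalname", [])]
    upns = [u.lower() for u in record.get("userprincipalname", [])]
    if expected_spn not in spns:
        findings.append(("error", f"servicePrincipalName lacks {expected_spn}; register it with setspn -A"))
    if expected_upn not in upns:
        findings.append(("error", f"userPrincipalName is not {expected_upn}"))
    uac = int(record.get("useraccountcontrol", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        findings.append(("error", "account is disabled"))
    if not uac & DONT_EXPIRE_PASSWORD:
        findings.append(("error", "'Password never expires' is not set; a password change invalidates the exported keys"))
    if uac & USE_DES_KEY_ONLY:
        findings.append(("note", "USE_DES_KEY_ONLY is set as this deck requires; DES is weak, keep the account limited to this service"))
    else:
        findings.append(("note", "USE_DES_KEY_ONLY is not set; the deck's 'Use DES encryption types' step expects it"))
    return findings


def find_duplicate_spns(records):
    """Map each SPN held by more than one object to the sAMAccountNames holding it."""
    owners = {}
    for rec in records:
        name = rec.get("samaccountname", ["?"])[0]
        for spn in rec.get("serviceprincipalname", []):
            owners.setdefault(spn.lower(), []).append(name)
    return {spn: names for spn, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for level, msg in check_service_user(recs[0], "sapj2ee.example.com", "EXAMPLE.COM"):
        print(f"[{level}] {msg}")
    for spn, names in find_duplicate_spns(recs).items():
        print(f"[error] SPN {spn} is registered on {', '.join(names)}")
```

Run it against a full-domain export (ldifde -f without the sAMAccountName filter) to make the duplicate-SPN check meaningful; the filtered export the slide shows only tells you about the one account.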
SPNego Wizard - UME Configuration 1/3
Change UME datasource (configtool)
Upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml
Change the datasource file to
dataSourceConfiguration_ads_readonly_db_with_krb5.xml
Enter LDAP connection data
Test connection and authentication
SPNego Wizard - UME Configuration 2/3
SPNego Wizard - UME Configuration 3/3
Others
Enter additional user attributes to be visible in User Admin application
krb5principalname; kpnprefix; dn
SPNego Wizard - Java AS configuration 1/2
Run the SPNego Configuration Wizard
http://localhost:50000/spnego
SPNego Wizard - Java AS configuration 2/2
Set ticket authentication stack to use spnego as template
Uncheck and recheck to make the LoginStack modules correct
SPNego Wizard - Client configuration
Configure IE
Add to Local Intranet sites
Disable HTTP proxy for requests to
Enable Windows Integrated Authentication
Restart Browser
SPNego authentication fallback and Result
The key to getting the basic auth fallback to work is to apply SAP Note 1007227.
IE6
SPNego: OK
Basic fallback with Integrated Windows Auth set: double login screen with UNKNOWN_ERROR; hit F5 to refresh and the login screen is correct. Login works with username and password whether you hit F5 or not. The UNKNOWN_ERROR is scheduled to be fixed in SPS12; since this is a usability error and not a critical error, no backport will be provided.
Basic fallback without Integrated Windows Auth set: OK, login with user id and password
IE7 (supported SPS10 and later):
Same as IE6
Firefox
General supported browser information will be documented in note 994791
SPNego: OK, configured according to http://www.mozilla.org/projects/netlib/integrated-auth.html
Basic fallback with the http://www.mozilla.org/projects/netlib/integrated-auth.html steps configured: result identical to the IE6 2nd bullet
Basic fallback without the http://www.mozilla.org/projects/netlib/integrated-auth.html steps configured: OK, login with user id and password
Demo
Demo the SPNego Wizard
Reverse Proxy Scenario
Summary
Prerequisites:
NetWeaver J2EE 6.40 SP15 or higher
NetWeaver 2004s J2EE SP6 or higher
SPNego enables single sign-on (SSO) from your Windows desktop workstation to SAP business applications such as Portal, Web Dynpro and ABAP-based systems
SPNego efficiently and securely authenticates users directly to the SAP NetWeaver J2EE application server leveraging the Kerberos security standard, which is a built-in capability of a Microsoft environment.
Further Information
Public Web: SAP Developer Network: www.sdn.sap.com
+ SAP NetWeaver Platform Security
NetWeaver Developers Guide:
http://www.sdn.sap.com/irj/sdn/developersguide
SAP Service Marketplace:
http://service.sap.com/security
http://service.sap.com/securityguide
http://service.sap.com/ais
http://www.sap.com/germany/company/revis/infomaterial/index.epx
Related SAP Education Training Opportunities: http://www.sap.com/education/
ADM960, Security in SAP System Environment