SSO SNC and kerberos setup for ECC6 and Portal

Former Member
0 Kudos

Hi,

Our SAP systems are installed on a Linux server. The customer wants to implement SSO between Windows SAPGUI and the SAP systems. For this we can use the SNC/Kerberos setup, which I have implemented in a Windows SAP environment, but I don't have experience configuring it on Linux.

The customer wants to implement this, so can you please suggest how to implement SNC/Kerberos on Linux? Also let me know what ports are required for authentication.

- Amy

Accepted Solutions (0)

Answers (8)

Former Member
0 Kudos

Brian,

Thanks so much for your help. I have one more doubt: someone told me that I need to install AD on the SAP Linux network and replicate the AD from where the actual AD is located. Is that a must?

Actually our AD is located at the customer location and the SAP Linux server is in the hosting partner's zone. Do I need to do the above step to sync AD?

One more question: after changing krb5.conf, do I need to restart any service?

- Amy

brian_walker
Active Participant
0 Kudos

Amy,

As far as I know, as I stated previously, the only thing you should need to do is make sure that the domain controller is accessible from your Linux server (ports 88 and 749 usually). Whether this is directly accessed over the internet or through some sort of VPN is up to you and your hosting partner. There is nothing to "sync" with Linux; SAP will merely check that the ticket granting ticket of each user was granted by the domain controller.

Also, as I mentioned before, the easiest way to test this once you have configured the krb5.conf file is to use kinit like:

```shell
kinit USERNAME
```

You will be prompted for the password of USERNAME, and if entered correctly then you will be granted a ticket granting ticket. The output of klist should then look like:

```text
Valid starting     Expires            Service principal
03/09/09 12:26:55  03/09/09 23:24:58  krbtgt/MYDOMAIN.COM
        renew until 03/10/09 12:26:55
```

As I have answered quite a few of your questions at this point, is there any chance you would award some points?

Brian

Former Member
0 Kudos

Brian,

"The only thing you need to do to connect your Linux system to the Windows Domain is to setup the /etc/krb5.conf file as described in the PDF that was linked to previously."

I saw the PDF but did not understand how it connects the Windows and Linux boxes.

What changes have to be made in the krb5.conf file? Please tell me a little more.

I will be required to start this setup tomorrow.

- Amy

brian_walker
Active Participant
0 Kudos

Amy,

Here is my krb5.conf with my domain changed to MYDOMAIN.COM:

```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = dc1.mydomain.com:88
  admin_server = dc1.mydomain.com:749
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```

Brian

brian_walker
Active Participant
0 Kudos

The things above like logging that look like links are surrounded by brackets

[ and then a ]

Brian
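An added example, not code from Brian's posts or from any other participant in this thread: a small shell pre-flight script that does the checks Brian describes before touching SNC. It reads the kdc entries from a krb5.conf laid out like the sample above, probes each KDC on its port (88 unless the entry says otherwise), and wraps the kinit/klist test in a private credential cache so it does not disturb the real one. The admin_server line (port 749) is used by kadmin, not by ticket requests, so it is not probed. Assumptions: bash, awk, GNU coreutils (timeout, mktemp), the MIT krb5 user tools, and the placeholder realm and hostnames MYDOMAIN.COM / dc1.mydomain.com; the config in the usage note is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for MIT Kerberos on
# the SAP Linux host. Assumes bash, awk, GNU coreutils (timeout, mktemp) and
# the MIT krb5 user tools (kinit, klist, kdestroy).
set -u

# Print "REALM KDC_HOST PORT" for every "kdc =" entry under [realms].
# An entry without an explicit port defaults to 88. IPv6 literals are not handled.
kdc_endpoints() {
    local conf="${1:-/etc/krb5.conf}"
    awk '
        # a [section] header switches context; only [realms] matters here
        /^[[:space:]]*\[.*\][[:space:]]*$/ { section = $0; gsub(/[[:space:]]/, "", section); next }
        # "REALM = {" opens a realm block
        section == "[realms]" && /=[[:space:]]*[{][[:space:]]*$/ {
            realm = $0; sub(/[[:space:]]*=.*$/, "", realm); sub(/^[[:space:]]*/, "", realm); next
        }
        # "kdc = host[:port]" inside that block
        section == "[realms]" && /^[[:space:]]*kdc[[:space:]]*=/ {
            target = $0
            sub(/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*/, "", target)
            sub(/[[:space:]]*$/, "", target)
            n = split(target, parts, ":")
            print realm, parts[1], (n >= 2 ? parts[2] : 88)
        }
    ' "$conf"
}

# Return 0 if HOST accepts a TCP connection on PORT within TIMEOUT seconds.
# Uses bash's /dev/tcp so it works on a bare host without nc or nmap. Kerberos
# also uses UDP 88, but MIT krb5 falls back to TCP, so a TCP probe is a fair check.
tcp_open() {
    local host="$1" port="$2" timeout="${3:-3}"
    timeout "$timeout" bash -c "exec 3<>/dev/tcp/${host}/${port} && exec 3>&-" 2>/dev/null
}

# Probe every KDC named in the config; one status line each, non-zero if any failed.
check_all_kdcs() {
    local conf="${1:-/etc/krb5.conf}" rc=0 realm host port
    while read -r realm host port; do
        [ -n "$host" ] || continue
        if tcp_open "$host" "$port"; then
            echo "ok      $realm $host:$port"
        else
            echo "FAILED  $realm $host:$port (check the firewall/VPN to the domain controller)"
            rc=1
        fi
    done <<EOF
$(kdc_endpoints "$conf")
EOF
    return $rc
}

# Brian's test: get a TGT with the user's AD password, show it, then discard it.
# A private cache (KRB5CCNAME) keeps the check out of the user's real cache.
password_tgt_test() {
    local principal="$1" cache rc
    cache="$(mktemp /tmp/krb5cc_preflight.XXXXXX)"
    KRB5CCNAME="FILE:$cache" kinit "$principal" && KRB5CCNAME="FILE:$cache" klist
    rc=$?
    KRB5CCNAME="FILE:$cache" kdestroy 2>/dev/null || rm -f "$cache"
    return $rc
}

# Usage: krb5_preflight.sh [/etc/krb5.conf] [USERNAME]
# With no arguments nothing runs, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    check_all_kdcs "$1" || exit 1
    if [ "$#" -ge 2 ]; then
        password_tgt_test "$2"
    fi
fi
```

Running `krb5_preflight.sh /etc/krb5.conf AMY` first prints one line per KDC and, only if all are reachable, prompts for the password and shows the ticket, so a blocked port 88 is reported as such rather than as a vague kinit timeout.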

Former Member
0 Kudos

Hi Brian,

Thanks for the reply. Actually my Linux box is not connected to Windows AD. Do I need to connect it before we proceed with this?

- Amy

brian_walker
Active Participant
0 Kudos

Amy,

The only thing you need to do to connect your Linux system to the Windows Domain is to setup the /etc/krb5.conf file as described in the PDF that was linked to previously. You will need to make sure that the Linux system can access the Windows Domain controller on ports 88 and 749, whether that is through some sort of VPN or directly over the internet. Once that is done, you can test this by using the kinit command and specifying an Active Directory username in uppercase. If everything works correctly, you will be prompted for the password and then be granted a ticket which you can display with klist.

Some tools like YAST in SUSE can make configuring the krb5.conf file easier, but aren't required.

Brian

Former Member
0 Kudos

Nelis/Brian,

Thanks for the response. What privileges does the account we need to create in Active Directory require? Is it just a user with no additional privileges?

Do I need to create the same user name on the Linux box also?

- Amy

Former Member
0 Kudos

Hi Nelis,

I could not find the info in the blog; I could only find Windows-related information.

- Amy

Former Member
0 Kudos

Hi Brian/Nelis,

Thank you so much for your response. I have implemented SNC/Kerberos scenarios in a Windows environment but not on Linux, so I have many clarifications.

Actually SAP ECC is installed on Linux at a different location with a hosting partner, but I can access the SAP system using sapsystem.abcd.com (abcd.com is the local customer DC, which is the actual Active Directory).

Since we are running Linux, SAPService<sid> will not be present, so what account should I create and run the setspn command for? And how should this user be mapped to the Linux system?

Also I could not see the path /etc/krb5.keytab to copy the keytab file to, so do I need to create it manually?

But I can see the krb5.conf file in /etc.

I don't understand point 7: "Add to the end of the <sid>adm user's .profile file the command "kinit -k sncsap@<DOMAIN HERE>"".

How can I test if I face any issues?

- Amy

nelis
Active Contributor
0 Kudos

Amy,

If you read the documentation from the Blog I posted all your questions will be answered.

Regards,

Nelis

brian_walker
Active Participant
0 Kudos

Amy,

As I said in step 1, we chose to create the user sncsap@<DOMAIN HERE>. This is something which must be done in Active Directory by a Windows administrator.

The /etc/krb5.keytab will NOT exist yet. This file is created first on Windows by running the command from step 3, ktpass. You must then manually transfer this file to the Linux server, name it krb5.keytab and place it in /etc

The commands in steps 2 and 3 should be on a Windows 2003 server. If not, they are part of some resource kit from Microsoft.

For step 7, you must use an editor to add to the end of the <sid>adm user's .profile file the command "kinit -k sncsap@<DOMAIN HERE>"

If you are not familiar with .profile files, then you've got some learning to do on Linux. They are executed by the BASH shell when the user logs in.

Brian
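An added example, not code from Brian's steps or from the linked white paper: a shell wrapper around the step-7 command (`kinit -k sncsap@<DOMAIN HERE>`) that first verifies the keytab transferred from Windows is protected and actually contains the SNC principal, then obtains the ticket and confirms it with `klist -s`. The keytab holds the account's long-term key, so a readable keytab lets anyone on the box impersonate the SNC service; that is the check a practitioner wants before the ticket check. Assumptions: the MIT krb5 tools, GNU stat, and the placeholder names /etc/krb5.keytab and sncsap@MYDOMAIN.COM; the klist output in the usage note is constructed for illustration. Whether the script is called from the <sid>adm .profile as in step 7 or from cron is left to the reader.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): checks around "kinit -k PRINCIPAL" for
# the SAP <sid>adm user. Assumes MIT krb5 (klist, kinit) and GNU stat/id.
set -u

# Read `klist -kt` output on stdin and print each distinct principal once.
# Lines 1-3 are the keytab name, column header and separator; the principal
# is always the last field, so this also works for plain `klist -k` output.
parse_klist_keytab() {
    awk 'NR > 3 && NF >= 2 { seen[$NF] = 1 } END { for (p in seen) print p }' | sort
}

# Principals stored in KEYTAB, one per line.
keytab_principals() {
    klist -kt "$1" | parse_klist_keytab
}

# 0 if PRINCIPAL has at least one key in KEYTAB. ktpass writes the principal
# exactly as given, so a case or realm mismatch here is a common first failure.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# The keytab is a password equivalent for the SNC account: require mode
# 0400/0600 and ownership by OWNER (normally <sid>adm).
keytab_is_protected() {
    local keytab="$1" owner="$2" mode uid
    [ -f "$keytab" ] || return 1
    mode="$(stat -c %a "$keytab")"
    uid="$(stat -c %u "$keytab")"
    [ "$uid" = "$(id -u "$owner")" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 7 from the thread, with the checks above. `klist -s` prints nothing and
# exits non-zero if the cache has no valid ticket, so a silent failure is caught.
acquire_service_tgt() {
    local keytab="$1" principal="$2"
    if ! keytab_has_principal "$keytab" "$principal"; then
        echo "error: $principal not in $keytab (found: $(keytab_principals "$keytab" | tr '\n' ' '))" >&2
        return 1
    fi
    kinit -k -t "$keytab" "$principal" || return 1
    klist -s
}

# Usage: snc_kinit.sh /etc/krb5.keytab sncsap@MYDOMAIN.COM
# With fewer than two arguments nothing runs, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    keytab_is_protected "$1" "$(id -un)" \
        || echo "warning: $1 should be mode 0400 and owned by $(id -un)" >&2
    acquire_service_tgt "$1" "$2"
fi
```

One caveat worth knowing when the check fails after it used to work: Active Directory increments the account's key version (the KVNO column of `klist -kt`) every time the sncsap password is reset, and a keytab generated before the reset no longer matches, so ktpass has to be run again and the file copied over afresh.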

Former Member
0 Kudos

Hi Nelis,

Thanks for the response. Actually our SAP servers are installed on a Linux box in a data center located at a different hosting partner, and it is not connected to the local Active Directory server. I am not sure how to sync AD with the Linux box.

Do I need to do any additional settings to sync AD with the Linux box?

- Amy

brian_walker
Active Participant
0 Kudos

Amy,

Here is a list of instructions I used to enable SSO with SAPGUI for Windows and Linux. Please keep in mind that you cannot expect SAP to help with support of this solution as they do not support (MIT) Kerberos and Active Directory integration on Linux without purchasing 3rd party tools as stated in SAP note 150380. That said, this worked perfectly for me with SLES10 and Windows Server 2003:

1. Create a ticket granting user in Active Directory. For Windows app servers, this is usually SAPService 1&

SNC (Secure Network Communication) enabled

Brian

nelis
Active Contributor
0 Kudos

Hi Amy,

Firstly, you cannot use Kerberos authentication with local accounts, only domain accounts. What you can do if your system is located at another hosting partner is set up a Windows AD remotely and then enable trust relationships between the two (remote and local AD). By doing this, you will be able to perform Cross-Realm Authentication with Kerberos. This happens automatically when you create a trust relationship between two domains. I can't think of any other SSO solution that would work otherwise. If you just want to encrypt the data then you can use a VPN; using SAP's SNC adapter will also encrypt the data with Kerberos.

I haven't done Cross-Realm Authentication personally but it should work in theory and practice

Have a look here for more information on Microsoft's implementation of Kerberos 5: http://technet.microsoft.com/en-us/library/cc772815.aspx

Regards,

Nelis

nelis
Active Contributor
0 Kudos

Have a look at the following Blog [original link is broken]: https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8409 and the associated white paper. Kerberos uses port 88.

Regards,

Nelis

brian_walker
Active Participant
0 Kudos

Nelis,

Maybe I missed the English version, but the PDF that is attached to the link in the blog is in German, hence my response with the steps in English.

Brian

nelis
Active Contributor
0 Kudos

You can find the English version here: http://www.realtech.com/wInternational/sap-consulting/sap-technologie/sap-identity-managementW3DnavidW26173.php

Regards,

Nelis

brian_walker
Active Participant
0 Kudos

Nelis,

Thanks for the English link.

Amy,

I don't believe the snc active directory user requires any special privileges, but I am not an active directory expert. The screenshot in the PDF that Nelis linked to should provide the right information for a domain admin to create the user.

Brian