Portal integration with AD using Kerberos

Former Member · ‎02-23-2010

I am trying to setup my EP7 portal to use my AD as the UME. I need to setup SSO and SNC presumably using Kerberos.

My Portal is on UNIX.

Does anyone have installation instructions to setup this scenario

Thanks

Graham

tim_alsop · ‎02-23-2010

Graham,

You cannot use SNC for Web/portal SSO. The SNC interface and a GSS-API library is used for SAP ABAP SSO only. It is not clear from your initial post, but it looks like you are asking for help with SAP SNC SSO with SAP GUI and also need SSO for Portal ? If you can confirm I will summarise what you need to do.

Thanks,

Tim

Former Member · ‎02-23-2010

Hi Graham,

my quick howto describes SSO authentication using SPNego... maybe this will help you.

/people/gerd.schuster/blog/2009/11/30/configuring-spnego-authentication-on-sap-bi70-webas-java

Thanks,

Gerd

Former Member · ‎02-23-2010

Hi Tim

What I am trying to acheive is the following.

Use AD as the UME for my Portal.

I will configure SSO, SSL and SNC from the portal to the backend ABAP system. (This is a MSS ESS implementation)

I believe I have to setup SSO between the Portal UME and AD, for this I have been told I need Kerberos. This is confusing me though as we are only using AD as an authentication mechanism. SSO I thought was to the backend

I thought I had to setup SNC between the Portal and AD, not sure if this is true after your email.

Any help would be greatly appreciated

Thanks

Graham

tim_alsop · ‎02-23-2010

Graham,

I think you are a bit confused, so I will try and help.

1. SNC is used for secure communication between ABAP system and between SAP GUI and ABAP (e.g. for SSO or secure network communications).

2. SNC can be used to authenticate and secure a connection between code running on a portal and an ABAP system, but this is not often used, and I see nothing in your requriements that suggests this is needed.

3. If you are using the SAP SPNEGO login module for Web SSO, then you can configure the Java stack (which is running the portal) so that it uses AD as UME data source. If you don't want to do this and instead, you prefer to use ABAP as user data source, then you can use a third party product which is not dependant on the UME configuration, and provides Web SSO using Kerberos.

4. If you want to implement SSO for SAP GUI, then SNC will be used. This is completely different to Web/Portal SSO and not to be confused.

I hope this helps.

Thanks,

Tim

Former Member · ‎02-23-2010

Gerd

I notice you document is for ABAP UME. Will this also work with AD as your UME

Graham

koehntopp · ‎02-23-2010

Graham,

just use the SPNego wizard, described in SAP Note 994791:

https://websmp108.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=994791

Frank.

Former Member · ‎02-23-2010

Graham,

yes, this will work with AD as UME. The howto based on SAP AS Java - ABAP+JAVA Addin.

Use SPNego wizard as advised by Frank.

Gerd

martin_eberle · ‎11-30-2010

Hi

did you solve your problem?

I've already a very same szenario implemented, but now with the trust between SAP Portal and SAP HR (for ESS&MSS) we found, that a portal admin could

a) configure a URL transaction iview pointing to the HR system and

b) create a new user (same as an HR Business Admin)

=> Then he can access the HR by his own with full rights ...

Do you face with this problem as well?

Regards Martin