Kerberos Authentication in One-Way Domain Trust

Former Member
0 Kudos

I am trying to set up Kerberos authentication in a trusted domain scenario, in which the SAP server domain (I will call this Domain A) has trusted a secondary domain (I will call this Domain B). This is a one-way trust only, with Domain A as the "trusting" domain.

I have configured SPNego and verified that Kerberos authentication is working within Domain A. Now I am ready to try to get it working in Domain B. I have not run any setspn commands, or done any other configuration within Domain B at this point.

I have logged onto a Domain B workstation (with a Domain B userID) and adjusted the IE settings appropriately per the SAP documentation. Then, if I trace a test connection from the Domain B workstation (using the Diagtool), it shows that an NTLM ticket is being passed instead of a Kerberos ticket.

Below is the setspn command that I ran on Domain A:

setspn -A HTTP/<sap server FQN> <DOMAIN_A\service_user>

Do I need to run this exact command on Domain B as well? Is there some other problem, or some other step that has to be performed on Domain B?

1 REPLY 1

Former Member
0 Kudos

Hi, though this seems to be a Basis activity:

I would like you to read the statement below, which might also hold good for Windows 2003 64-bit, if that is the operating system you are working on at both the Domain A and Domain B locations.

"One final client-side compatibility consideration: IE 6.0 on Windows 2000 will not, by default, accept the "Negotiate" challenge and use Kerberos, but will instead take the NTLM option. This is because the "Enable Integrated Windows Authentication" option is not selected by default. Here is the Knowledge Base article on how to configure IE on Windows 2000 to use Kerberos when the server offers it."

I found the above in Wikipedia: "http://www.owasp.org/index.php/Authentication_In_IIS"

I think you probably need to tweak both domains to have just Kerberos, rather than Kerberos and NTLM.

This is a configuration issue/Basis activity provided you have done all the steps mentioned by SAP.
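
The symptom in the question (the trace shows NTLM where Kerberos was expected) can also be confirmed from a captured `Authorization: Negotiate ...` request header. The sketch below is an added example, not code from this thread or from SAP; the function names and the two sample header values are constructed for illustration. It reports which mechanism the client actually sent, including an NTLM message carried inside an SPNEGO token that lists Kerberos first.

```python
import base64

MECHS = {  # DER contents of mechanism OIDs (hex) -> name
    "2b0601050502": "SPNEGO",            # 1.3.6.1.5.5.2
    "2a864886f712010202": "Kerberos",    # 1.2.840.113554.1.2.2
    "2a864882f712010202": "Kerberos",    # 1.2.840.48018.1.2.2, legacy Microsoft value
    "2b06010401823702020a": "NTLM",      # 1.3.6.1.4.1.311.2.2.10
}
SAMPLE_NTLM = "Negotiate TlRMTVNTUAABAAAA"      # constructed: truncated bare NTLM type 1 message
SAMPLE_KRB5 = "Negotiate YA0GCSqGSIb3EgECAgEA"  # constructed: bare Kerberos GSS token header

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def mech_of(token):
    """Name the mechanism of a bare NTLM message or a GSS-API token."""
    if token.startswith(b"NTLMSSP\x00"):  # signature that opens every NTLM message
        return "NTLM"
    tag, body, _ = read_tlv(token)
    if tag != 0x60:  # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown"
    _, oid, rest = read_tlv(body)
    mech = MECHS.get(oid.hex(), "unknown")
    if mech != "SPNEGO":
        return mech
    # SPNEGO: [0] NegTokenInit -> SEQUENCE { [0] mechTypes, ..., [2] mechToken }
    seq, fields, p = read_tlv(read_tlv(body, rest)[1])[1], {}, 0
    while p < len(seq):
        t, v, p = read_tlv(seq, p)
        fields[t] = v
    if 0xA2 in fields:  # the token actually sent decides, not the advertised list
        return mech_of(read_tlv(fields[0xA2])[1])
    return MECHS.get(read_tlv(read_tlv(fields[0xA0])[1])[1].hex(), "unknown")

def classify(header_value):
    """Classify the value of an 'Authorization: Negotiate ...' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not Negotiate"
    try:
        return mech_of(base64.b64decode(b64, validate=True))
    except (ValueError, IndexError, KeyError):
        return "unparseable"
```

A header value beginning `TlRM` is the base64 of the `NTLMSSP` signature, so `classify(SAMPLE_NTLM)` returns `"NTLM"`, the same result the trace in the question reports.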