
SSO on AS Abap/JAVA using Kerberos

Former Member
0 Kudos

Hello,

We have the following configuration:

    • ECC system

    • Setup of Microsoft UAG server for SSO using Kerberos W2008R2

    • All the steps about SPN have been applied...

    • We use Kerbtray to check the keys..

But when using WEBGUI, we got error 401 http auth.

Tried to trace but nothing. I've found nothing on those forums about the setup of service webgui, and tried most combinations without any success. Now I've selected in logon data procedure "Alternative logon procedure" and security standard-auth standard SAP user and keep all logon procedure.

Have an idea how to fix this problem? Thanks in advance.

Info: all the checks about IE8 or Firefox setup have been applied and I've used SPNego Add-on setup and imported the generated keytab with crypto RC4-HMAC-NT.

Regards,

Jade

7 REPLIES 7

Former Member
0 Kudos

Hi,

Do you have a Java stack in your ECC system ?

Spnego Kerberos is only possible on java stack SAP systems. Webgui uses the abap stack...

Regards,

Olivier

0 Kudos

Hello Olivier,

Merci for your feedback !!

Yes, Java Stack is installed, but not Portal component.

We tried to use DIAGTOOL and other tools like httpWatch to trace, but without any success.

Thanks, and if you have any idea...

Regards,

Jade
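
An HTTP trace such as the httpWatch capture mentioned above shows which token the browser actually sent after the 401. The following is an added example, not part of any post in this thread: it checks that the 401 offers `Negotiate` and classifies the request's `Authorization: Negotiate` value as Kerberos or NTLM. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (Microsoft)
AP_REQ_TOK_ID = b"\x01\x00"                            # token id that precedes a Kerberos AP-REQ


def offers_negotiate(www_authenticate_values):
    """True if the 401 response advertises the Negotiate scheme."""
    return any(v.strip().split(" ", 1)[0].lower() == "negotiate"
               for v in www_authenticate_values)


def classify_authorization(value):
    """Classify the Authorization header value the browser sent back."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate:" + scheme.lower()
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                     # NTLM message, no Kerberos service ticket
    if token[:1] == b"\x60":              # GSS-API InitialContextToken
        if any(oid + AP_REQ_TOK_ID in token for oid in KRB5_OIDS):
            return "kerberos"             # carries a Kerberos AP-REQ
        if SPNEGO_OID in token[:16]:
            return "spnego-without-kerberos"
    return "unknown"


# Constructed samples: structurally simplified, not captured traffic, not valid tickets.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP + b"\x01\x00\x00\x00" + bytes(8)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x30" + KRB5_OIDS[1]
    + b"\x60\x20" + KRB5_OIDS[0] + AP_REQ_TOK_ID + b"\x6e\x00").decode()

if __name__ == "__main__":
    print(offers_negotiate(['Basic realm="SAP"', "Negotiate"]))
    for sample in (SAMPLE_NTLM, SAMPLE_KRB, "Basic dXNlcjpwdw=="):
        print(classify_authorization(sample))
```

A result of `ntlm` means the browser did not obtain or send a Kerberos service ticket for the requested host name, which points the troubleshooting at the SPN and browser side rather than at the server's keytab.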

0 Kudos

Hello Jade,

If I understand well, you want to use Spnego/Kerberos SSO for webgui access on a dual stack ECC system.

I've never tried it because I don't use dual stack systems (it's evil ! )

In my opinion, you first need to make sure that SSO works OK when you use a JAVA URL.

Then you have to configure your system as if it were 2 different systems (1 J2EE and 1 abap).

You have to export the Java certificate SAPLogonTicketKeypair-cert as a file and import it in the abap stack with transaction STRUSTSSO2.

Then you will have to use a java redirect application to call indirectly your webgui URL in the abap stack.

The idea is to do the Kerberos SSO on the java stack, get authenticated on the java stack and so get a MYSAPSSO2 logon ticket and finally redirect to webgui with this valid saplogon ticket.

In the past, you had to write a specific java redirect servlet. Nowadays I seem to remember an OSS note speaking about a standard Java redirect servlet...

Regards,

Olivier

0 Kudos

Hi Jade,

I was in the same situation before. I had to configure SSO with Windows Authentication for IITS. I have configured Kerberos for SAP GUI for ABAP and SAP Negos only for JAVA stack (not for ABAP stack (IITS)). The Windows Authentication is possible with ABAP or JAVA individually. When I opened a message with a similar requirement, SSO experts suggested that I use 3rd party products.

So finally, to achieve the requirement, I have configured SSO with Logon Tickets. Even though you don't have Enterprise portal, you can configure SSO with Logon Tickets by creating a PSE in ABAP stack and importing it in the other system. This worked fine with IITS. Only for the initial system do we need to enter credentials; the remaining ones log you in directly with the generated cookie/ticket.

If you can, try SAP negos, then configure ABAP to accept JAVA tickets (there is conf SSO from JAVA to ABAP) on the same system. This may enable Windows Authentication for IITS (I didn't try this).

Refer:

If you come up with any solution other than this to enable Windows Authentication, please post. Maybe Olivier's solution works here. Olivier, could you please post the SAP note info and the config steps?

Thanks,

Ajay.

Edited by: Ajay_Basis on Jul 15, 2010 5:15 PM

0 Kudos

Hi Again,

The OSS note about the redirection application is Note 1250795 (https://service.sap.com/sap/support/notes/1250795)

Regards,

Olivier

0 Kudos

Hi Olivier,

Thanks for the SAP Note you posted. I will try this on Sand Box and I will let you people know the result.

Thanks,

Ajay.

0 Kudos

Hi Olivier,

I am facing a problem during configuration. As per the SAP note, when I enter http://host:port/redirect/redirect in the browser, it asks for user name and password, but after providing the credentials, it gives an error message "401 unauthorized" [no details available]. I have tried with a different user, still no use. What might be the problem?

Following is the log

HTTP request processing failed. HTTP error [401] will be returned. The error is [UnauthorizedNo details available].#

#1.5#005056BA31C400470000002D00000CE400048B7D7FAF876F#1279271036393#com.sap.engine.services.httpserver##com.sap.engine.services.httpserver#J2EE_GUEST#2####10761d9090b911dfae1e005056ba31c4#SAPEngine_Application_Thread[impl:3]_18##0#0#Error#1#/System/Server#Plain###User J2EE_GUEST, IP address

Thanks,

Ajay