SNC & Kerberos authentication across domains

former_member192350
Active Participant

I have an infrastructure where users authenticate on their workstations to DOMAIN1 and the SAP Application servers are currently configured as local installations. For security reasons, as they are converted to DOMAIN installations, they will be made members of DOMAIN2 rather than DOMAIN1.

If a trust relationship is set up between DOMAIN1 and DOMAIN2 can SAPGUI Single Sign-on be configured using the GSS-API V2 gsskrb5.dll?

I'm familiar with configuration where the end user workstations and SAP application servers authenticate to the same AD domain, but not this particular case with multiple domains and a trust relationship.

The README.txt for the gsskrb5.dll source code says:

    Credential delegation (TGT forwarding) acceptor side is UNTESTED!!

    The initiator side of credential delegation should be working. However
    for W2K to permit credential delegation, the target may need a "clearance".
    Individual service principals in Microsoft's active directory may need to be
    configured with "trusted for delegation" to make this happen.

    It is possible to allow delegation to all principals of a REALM
    by adding "RealmFlags = REG_DWORD 4" to the Registry under the key
    "HKLM\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Domains\YOUR-REALM"

    According to Microsoft, information on this is available in the
    ResKit for W2K online docs:
    Start->Programs->Windows 2000 Resource Kit->Documentation->Registry Reference

    I have added some code (bending the internal layer separation) for the
    acceptor side of credential delegation which should be able to return a handle
    for a delegated credential. However I have never used credential delegation
    and not tested this functionality at all -- good luck!

Has anyone gotten this scenario to work? If so, would you mind sharing any tricks you learned along the way?

Thanks,

Rich
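The README quoted above names two switches that have to be in place before TGT forwarding to the SAP server can work: the per-principal "trusted for delegation" setting on the SAP service account, and the realm-wide RealmFlags = 4 registry value. The script below is an added example, not code from the original post or from the gsskrb5.dll README, showing how a Windows admin would check the trust, inspect and set both switches, and read them back. All names are assumptions: DOMAIN1.EXAMPLE for the users' domain, DOMAIN2.EXAMPLE for the SAP servers' domain, and svc-sapsnc for the SAP SNC service account; the userAccountControl bit 0x80000 is the documented TRUSTED_FOR_DELEGATION flag. Two caveats a practitioner would want: "trusted for delegation" on an account is unconstrained delegation, so the SAP host can reuse any forwarded TGT as that user against any service, which is why it should be limited to the one service account and audited; and the Kerberos\Domains registry key is the one ksetup populates for non-AD (MIT-style) realms, so in a plain AD-to-AD trust it is the per-account setting that matters.

```powershell
# Added example, not from the original post nor from the gsskrb5.dll README.
# Assumed names: DOMAIN1.EXAMPLE (workstation/user domain), DOMAIN2.EXAMPLE
# (SAP application server domain) and SAP SNC service account 'svc-sapsnc'.
# Needs the ActiveDirectory module and write rights on that account;
# the registry part must run on the SAP application server itself.
Import-Module ActiveDirectory

$UserRealm    = 'DOMAIN1.EXAMPLE'
$ServerDomain = 'DOMAIN2.EXAMPLE'
$SvcAccount   = 'svc-sapsnc'
$UF_TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit shown as "Trusted for delegation"
$REALMFLAG_DELEGATE        = 4         # the README's RealmFlags value

# 1. The trust the question relies on: DOMAIN2 must trust DOMAIN1 so that
#    DOMAIN1 users can obtain service tickets for principals in DOMAIN2.
$trust = Get-ADTrust -Filter "Name -eq '$UserRealm'" -Server $ServerDomain -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object for $UserRealm found in $ServerDomain; SSO across the domains cannot work"
} else {
    "Trust {0}: direction={1}, forest={2}" -f $trust.Name, $trust.Direction, $trust.ForestTransitive
}

# 2. Per-principal option from the README: "trusted for delegation" on the
#    service account whose SPN the SNC acceptor on the SAP server runs under.
$acct = Get-ADUser -Identity $SvcAccount -Server $ServerDomain `
                   -Properties userAccountControl, servicePrincipalName
$isTrusted = ($acct.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION) -ne 0
"Account {0}: TrustedForDelegation={1}; SPNs={2}" -f `
    $acct.SamAccountName, $isTrusted, ($acct.servicePrincipalName -join ', ')

if (-not $isTrusted) {
    # Unconstrained delegation: the SAP host may then use any TGT forwarded to it
    # on behalf of that user, so grant it only to this one account and audit it.
    Set-ADAccountControl -Identity $acct -Server $ServerDomain -TrustedForDelegation $true
    $after = (Get-ADUser -Identity $SvcAccount -Server $ServerDomain -Properties userAccountControl).userAccountControl
    "Account {0} now TrustedForDelegation={1}" -f $SvcAccount, (($after -band $UF_TRUSTED_FOR_DELEGATION) -ne 0)
}

# 3. Realm-wide option from the README: RealmFlags = REG_DWORD 4 under the realm
#    key on the SAP server. The key exists only where the realm was defined with
#    ksetup (MIT-style realm); it is not created by an AD-to-AD trust.
$RealmKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$UserRealm"
if (-not (Test-Path $RealmKey)) {
    "No realm entry for $UserRealm under Kerberos\Domains; the per-account setting above is what applies"
} else {
    $flags = (Get-ItemProperty -Path $RealmKey -Name RealmFlags -ErrorAction SilentlyContinue).RealmFlags
    "RealmFlags for {0}: {1}" -f $UserRealm, $(if ($null -eq $flags) { '<unset>' } else { $flags })
    if (($flags -band $REALMFLAG_DELEGATE) -eq 0) {
        # Keep any other bits already set and add the delegate bit the README names.
        $newFlags = [int](($flags -as [int]) -bor $REALMFLAG_DELEGATE)
        Set-ItemProperty -Path $RealmKey -Name RealmFlags -Type DWord -Value $newFlags
        "RealmFlags for {0} set to {1}" -f $UserRealm, $newFlags
    }
}
```

After the change, the quickest end-to-end check is on a DOMAIN1 workstation: log on, start SAPGUI against the DOMAIN2 server, then run klist and confirm the service ticket for the SAP principal is present and that its ticket flags include forwardable; without that flag the initiator side described in the README has nothing to forward, whatever the acceptor-side settings are.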

Accepted Solutions (0)

Answers (1)

former_member184473
Active Contributor

Hello Rich,

Maybe have a look in (and, if nothing is found there, start a thread in) the Security forum.

Anyway, just check the following notes:

[352295 Microsoft Windows Single Sign-On options|http://service.sap.com/sap/support/notes/352295]

[150380 Is MIT Kerberos 5 supported for use with SNC ?|http://service.sap.com/sap/support/notes/150380]

Regards,

Eduardo Rezende