Setting up Kerberos on NetWeaver 7.3 Portal

Former Member

Hi

I'm planning to set up Kerberos for a new NetWeaver 7.3 Portal installation. Here's a little description of the current situation.

- The Portal is using ECC as UME

- Usernames in ECC and Active Directory are not the same

- ECC is already using Single Sign On and therefore the SNC field (PNAME) in ABAP for each user is maintained with the logon name in AD

Example: ECC user name is KE, AD logon is k_engh and the SNC field is k_engh(at)asdf.no

The easiest option would be if we could use the value in SNC in resolution mode. But I don't think the SNC values are available from the portal.

Any tips? Or any other options?

Best Regards

Kristoffer Engh

1 ACCEPTED SOLUTION


Hi,

There is an option of mapping "Principal@realm" to a user attribute. Here is a link to documentation:

[Changing User Mapping for Kerberos|http://help.sap.com/saphelp_nw73/helpdata/en/f4/1978c3a37a441b87a89d61c1a08689/frameset.htm] (scenario 2 from the examples is regarding mapping with email)

This could be a solution in case SNC name from ABAP is made available as user attribute.

Regards,

Desislava

5 REPLIES 5

Former Member

Have you thought of SPNEGO?

Cheers,

Julius


Hi

I'm running the SPNego Wizard now, but where do I add the KDC host? In the earlier release for NetWeaver, there was an extra step to add the KDC. But in 7.3 it's gone?

After completing the wizard, I'm getting this error in the log:

Logon failed | LOGIN.ERROR | null | | Login Method=[default], IP Address=[192.168.204.144], UserID=[null], Reason=[Cannot authenticate the user.]
Can't map exception.
[EXCEPTION]
com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:130)
    at java.security.AccessController.doPrivileged(Native Method)

I have used the resolution Principal@realm and mapped the email field. This field has the correct e-mail attribute, which is the AD logon name.

Best Regards

Kristoffer Engh

Edited by: Kristoffer Engh on Nov 28, 2011 11:29 PM

Edited by: Kristoffer Engh on Nov 28, 2011 11:31 PM


Hi Kristoffer,

There is a new version of the SPNEGO configuration UI, that is why the step is missing.

Please check the steps for the configuration [Configuring Kerberos Authentication|http://help.sap.com/saphelp_nw73/helpdata/en/4a/3f5530efa0044ee10000000a421937/frameset.htm].

You can use SAP Note 1332726 - Troubleshooting Wizard to collect traces and check what might be the problem.

Best regards,

Desislava


Hi

Thank you for all the help. I now have a solution that worked for me.

I used mapping mode Principal Only and used Logon Alias as source. This field is available from the Portal, which I can use for the AD logon name.

Best Regards

Kristoffer Engh
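
A simplified model of the two mapping modes discussed in this thread (Principal@realm against the email attribute, Principal Only against Logon Alias), added here as an illustration; it is not SAP's code and was not posted by any participant. The user records, the `resolve` function, the trusted-realm list, the case-insensitive comparison and the fail-closed checks are assumptions of the example, and it goes slightly beyond the thread by showing why the source attribute must be unique and why the realm still needs checking when only the principal name is compared.

```python
# Added illustration: a simplified model of principal-to-user resolution,
# not SAP's implementation. All user records below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    logon_id: str      # ABAP/UME user name
    logon_alias: str   # here: the AD logon name
    email: str


# Constructed sample user store, modelled on the example in the thread.
USERS = [
    User("KE", "k_engh", "k_engh@asdf.no"),
    User("AB", "a_berg", "a_berg@asdf.no"),
]

MODES = ("principal_only", "principal_realm")


class MappingError(Exception):
    """Raised when a principal cannot be mapped to exactly one user."""


def resolve(principal, mode, source, users=USERS, trusted_realms=("ASDF.NO",)):
    """Map a Kerberos principal 'name@REALM' to exactly one logon_id.

    Assumed semantics of this model:
      principal_only  -> compare only the part before '@'
      principal_realm -> compare the full 'name@realm' string
    source is the User attribute compared against (e.g. 'logon_alias').
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise MappingError("malformed principal")
    # Principal-only mapping discards the realm, so validate it explicitly.
    if realm.upper() not in trusted_realms:
        raise MappingError(f"untrusted realm {realm!r}")
    wanted = name if mode == "principal_only" else principal
    # Case-insensitive comparison is a choice made by this model.
    matches = [u for u in users if getattr(u, source).lower() == wanted.lower()]
    if len(matches) != 1:
        # No match, or a non-unique source attribute: fail closed.
        raise MappingError(f"{len(matches)} users match {wanted!r}")
    return matches[0].logon_id
```
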