Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
SPNego for multi-forest using IBM JDK


Hi All,

I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-867... but I need one for IBM JDK as the login stack modules are different.

Can anyone supply me with a guide or any helpful information regarding this ? Do you know if it works? I've currently got SPNego working for a single domain.

Thanks in Advance,

Anthony

7 replies

Former Member

Hi Anthony,

Have you found a solution for your problem? We need to set up SPNego for more than 2 domains for our portal on IBM JDK.

Please let me know if you got it to work.

Thanks

Jan


Hi Jan,

Unfortunately we never got it to work. I don't think the current logon stack modules for IBM JDK allow for multiple domain entries.

We went live with staff from one domain able to auto-authenticate while staff from the other domain must manually login. Not ideal, but not the end of the world.

If there are any new developments and if you find out any helpful info to this regard, please post it.

Regards

Anthony


Anthony, Jan,

I think I can help you with this. Can I first confirm my understanding of what you want to do ?

I understand you have multiple domains, so a user might authenticate with domain 1 (e.g. Kerberos principal name = user@DOMAIN1) and you also have users in domain 2 (e.g. Kerberos principal name = user@DOMAIN2). Each of these users needs to log on to the same SAP system (e.g. portal) via a Web browser, and be authenticated without entering another userid+password, so this is why you are using the SAP SPNEGO login module. E.g. you want the user to be authenticated to SAP using the identity they used when they logged onto their workstation using a domain account.

Can you confirm if the above is correct ?

Can you confirm if you have any trust relationships between your domains ?

Thanks,

Tim


Hi Tim,

Yes, this is exactly what we want to do.

We have a couple of ADs, but users are replicated in another LDAP directory, which is the UME datasource.

The domains trust each other. SPNego works fine for one domain with the prefix-based resolution mode.

How do we have to set up the login modules, and how can we distinguish between users from different domains when they have the same sAMAccountName? We use a unique attribute as uid for UME.

Thanks in advance

Jan


Jan,

OK, sounds like I can help you, but before I give you a detailed response, I have another question related to name mapping.

If a user, e.g. user.name@DOMAIN1 authenticates to SAP and there is also a user.name@DOMAIN2 who logs onto the same SAP system, I assume you want to log these two people on as different SAP users since they are not the same person in AD. Is this correct ?

How, or where do you plan to store information which maps a Kerberos principal name of a user, e.g. user.name@DOMAIN1 onto a specific SAP user name so that an SSO2 logon ticket can be issued for this user when they logon to SAP ?

Thanks,

Tim


Hi Tim,

This is correct. There may be users in different domains with the same sAMAccountName. But as mentioned, we have a custom attribute which is unique in our company.

Actually we use SSO through an IIS. To get this to work we have an attribute DOMAINNAME in the LDAP to distinguish between different domain users. But I don't know how to use this to find the correct user via SPNego?

Maybe we need a new attribute in LDAP to store the KPN for the users to be authenticated?

Regards

Jan


Jan,

OK, thanks. I will now explain how I think we can help.

Firstly, to be sure you understand - I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not related to the SAP login module, which has less functionality.

I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.

Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host-based Kerberos library can be used to implement the protocol. This means that any differences between IBM, Sun or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of the JDK to take advantage.

Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the key table file on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping - we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:

Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross-realm trust and cross-realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross-realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.

So, the login module knows the user is user.name@DOMAIN1, it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods :

1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.

2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain mapping of Kerberos principal name to SAP user id using a table in ABAP engine called USRACL. This table is maintained using SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.

I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.

Thanks,

Tim
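The two mapping methods in Tim's last reply, and the collision Jan asked about (two forests, same sAMAccountName), as an added illustration that is not part of this thread and not CyberSafe's or SAP's code. The principal names, the USRACL-style table, the trusted-realm list and the SAP user ids are all constructed sample data; the table stands in for whatever store is keyed by the full Kerberos principal name, whether USRACL or the extra LDAP attribute Jan suggests. It shows why dropping the realm is unsafe once more than one realm can reach the service, and why a realm-aware lookup must also refuse realms the service does not trust rather than just fail to find them.

```python
"""Kerberos principal -> SAP user id mapping (added example, not the thread's code).

Method 1 (simple_map) strips the realm, so user.name@DOMAIN1 and
user.name@DOMAIN2 become the same SAP user.  Method 2 (table_map) keys
the lookup on the full principal name, which keeps the two apart.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal name split into primary name and realm."""
    name: str
    realm: str

    def __str__(self) -> str:
        return f"{self.name}@{self.realm}"


def parse_principal(kpn: str) -> Principal:
    """Split 'user.name@DOMAIN1' into its parts.

    The realm is everything after the last '@' (a primary may contain an
    escaped '@'); both parts must be non-empty.
    """
    name, sep, realm = kpn.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a valid Kerberos principal name: {kpn!r}")
    return Principal(name, realm)


def simple_map(principal: Principal) -> str:
    """Method 1 from the thread: drop the realm, upper-case the rest.

    Only safe when exactly one realm can obtain tickets for the service.
    """
    return principal.name.upper()


# Constructed sample of a USRACL-style table keyed by the FULL principal
# name (realm included).  The SAP user ids are invented for the example.
SAMPLE_USRACL = {
    "user.name@DOMAIN1": "ANTHONY01",
    "user.name@DOMAIN2": "JAN02",
}

# Realms the service HTTP/hostname@DOMAIN2 is prepared to accept: its own
# realm plus the realm reachable through cross-realm trust (constructed).
TRUSTED_REALMS = frozenset({"DOMAIN1", "DOMAIN2"})


def table_map(principal, table=SAMPLE_USRACL, trusted_realms=TRUSTED_REALMS):
    """Method 2 from the thread: look the full principal up in a table.

    Returns None when there is no mapping.  Realms are compared
    case-sensitively, as Kerberos does, and a principal from a realm that
    is not trusted is refused outright instead of being looked up.
    """
    if principal.realm not in trusted_realms:
        raise PermissionError(f"realm {principal.realm} is not trusted")
    return table.get(str(principal))


def collisions(kpns):
    """SAP user ids that simple_map would hand to more than one distinct
    principal: the concrete reason method 1 fails across forests."""
    seen = {}
    for kpn in kpns:
        p = parse_principal(kpn)
        seen.setdefault(simple_map(p), set()).add(p)
    return {uid: ps for uid, ps in seen.items() if len(ps) > 1}


if __name__ == "__main__":
    for kpn in SAMPLE_USRACL:
        p = parse_principal(kpn)
        print(f"{kpn:22} simple -> {simple_map(p):10} table -> {table_map(p)}")
    print("collisions under simple mapping:", collisions(SAMPLE_USRACL))
```

Running it shows both sample principals collapsing to USER.NAME under simple mapping while the table lookup returns two different SAP users; a principal from a realm outside the trusted set is rejected before any lookup, which is the check to keep even when the table happens to have no entry for it.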