SSO without Kerberos

Former Member
0 Kudos

Hi Experts

I am looking for an SSO solution without the use of Kerberos.

The current setup is as follows: SSO is already set up and working between the Windows AD and ECC using SNC, i.e. the user logs into the Windows domain and doesn't need to log in again to SAP Logon.

We want this to work with the SAP Portal as well, bearing in mind that the sncname field in ECC is now filled, and after reading the following link describing how to set up SNC between the AS Java and AS ABAP: http://help.sap.com/saphelp_nw73/helpdata/en/d9/e8a740bbaa4d8f8bee6f7b173bd99f/content.htm (yes, we are on NW 7.31).

In theory would this complete SSO so that the only logon the user is presented with is for the Windows Domain?

Next question: Where do I find saprfc.ini and how do I edit it? Do I need to restart either the AS Java or AS ABAP afterwards?

Thanks in advance

Anton Kruse

17 REPLIES 17

tim_alsop
Active Contributor
0 Kudos

Anton,

Setting up SNC between Java and ABAP won't help you with SSO. It will just make a secure connection between ABAP and Java if you are running RFCs from Java code.

If I understand correctly, you want to use SSO for Java logon (e.g. SAP Portal) and use the same mapping information which you are using for SNC logon to the ABAP stack. Is this correct?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim, yes, you understand me correctly.

I can create a certificate in the Portal and import it in ECC. Would this, together with Java to ABAP SNC complete the SSO?

tim_alsop
Active Contributor
0 Kudos

The authentication of a user when the user logs onto Java is between web browser and Java, not between Java and ABAP. So, having a certificate between Java and ABAP won't be helping you.

It looks like you need an authentication solution which uses MS AD credentials (so user doesn't get a SignOn screen) for when they logon to the portal, and which also is able to use the ABAP configured mapping information found in SNC tab of SU01.

Can you confirm what you are using for SNC ABAP authentication? The title of this thread suggests that you don't want to use Kerberos, so are you using certificates for SAP GUI SNC logon to ABAP? I am asking this to understand what an entry in the SNC tab of SU01 might look like.

Former Member
0 Kudos

Hi Tim

Your assumptions are correct.

We cannot use Kerberos due to AD version and the client has said that they do not want to update their AD.

SNC ABAP authentication is done via NTLM v2.

The SNC tab contains the email address of user. Everything before the @ sign in the email address is the AD user name.

tim_alsop
Active Contributor
0 Kudos

Anton,

All versions of AD support Kerberos 🙂

Anyway, what method of authentication are you planning to use between the web browser and the Java stack, so that the users' MS AD credentials will be used? If you can confirm this, then you just need to find a way to map the authenticated identity of the user onto the SAP user based on the information in the SNC tab in the ABAP stack.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

We are still trying to figure out what method of authentication to use.

We thought of using a custom JAAS module, but only as a last resort. We don't want to go the custom dev route if not absolutely necessary.

Kerberos is out due to AD domain security restrictions. I am not sure entirely what the restrictions are, but can find out.

Do you have another suggestion for us?

tim_alsop
Active Contributor
0 Kudos

Anton,

I know of a solution which will do what you want, e.g. authenticate user using browser and map the user using the SNC info in SU01 SNC tab, but the solution uses Kerberos and MS AD.

If you were to use some other security mechanism between browser and Java stack, e.g. X.509 certificates, then you would still have to find a way to map the certificate DN of the user onto the ABAP user account using the info stored in the ABAP user store.

Thanks,

Tim

Former Member
0 Kudos

Is there no alternative technology to Kerberos?

Can NTLM not be configured to do what Kerberos already does?

tim_alsop
Active Contributor
0 Kudos

You could use NTLM between browser and Java stack, but this would require an NTLM JAAS login module, and I am not aware of one being available. The demand/need for such a protocol is very low since most people who want this are using MS AD and ALL versions of MS AD support Kerberos, which is more secure than NTLM. If you can find or develop an NTLM login module, then you might be able to use it and then you have to solve the mapping issue (after user has authenticated).

Former Member
0 Kudos

Hi Tim

Ok, so Kerberos might be on the table again if it can be motivated strongly enough as our only option.

Good news, but now I need to put a document together for motivation and detailing how the mapping is handled.

Do you have a document/link describing how users are mapped to the sncname field in the SNC tab in SU01?

Also how will ECC roles be replicated through to the Portal users?

Bearing in mind:

AD User ID != Portal User ID

AD User ID != ECC User ID

Portal User ID = ECC User ID
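The mapping step Tim keeps coming back to (authenticate the user in the browser, then resolve the SAP user from the SU01 SNC tab rather than from the AD user name) and the ID constraints Anton lists above, as an added illustration that is not code from this thread, from SAP, or from any SSO product. The SU01 table, user IDs and e-mail domains below are constructed; the rule that the SNC name holds the e-mail address and that the part before the `@` is the AD user name is taken from Anton's description, and the `p:` prefix convention for SNC names is an assumption.

```python
"""Added example: resolve an SAP user ID from an authenticated Windows
identity using the SNC name maintained in the SU01 SNC tab.
Not SAP code; the SU01 data here is constructed for illustration."""
import re

# Constructed stand-in for the SU01 SNC tab: SAP user ID -> SNC name.
# Per the thread, the SNC name carries the user's e-mail address and the
# local part (before '@') is the AD user name. The 'p:' prefix is assumed.
SU01_SNC_TAB = {
    "KRUSEA": "p:anton.kruse@corp.example.com",
    "SMITHJ": "p:jsmith@corp.example.com",
    "DOEJ1":  "p:jdoe@corp.example.com",
    "DOEJ2":  "p:JDOE@emea.example.com",   # same local part twice: ambiguous
    "NOSNC":  "",                          # no SNC name maintained
}


def ad_user_from_principal(principal):
    """Normalise the identity produced by browser-side authentication.

    Accepts a Kerberos UPN such as 'jsmith@CORP.EXAMPLE.COM' or an
    NTLM-style 'CORP\\jsmith' name and returns the bare AD user name,
    lower-cased so that matching is case-insensitive (AD names are).
    """
    if "\\" in principal:
        name = principal.rsplit("\\", 1)[1]
    else:
        name = principal.split("@", 1)[0]
    name = name.strip().lower()
    # Refuse anything that is not a plain user name; a malformed principal
    # must never silently match some table entry.
    if not re.fullmatch(r"[a-z0-9._-]+", name):
        raise ValueError(f"unexpected characters in principal: {principal!r}")
    return name


def build_mapping(snc_tab):
    """Index the SNC tab by the local part of each SNC name.

    Every SAP user sharing a local part is kept in the list so that a
    duplicate is visible as an ambiguity instead of a first-wins guess.
    """
    index = {}
    for sap_user, snc_name in snc_tab.items():
        if not snc_name:
            continue  # user has no SNC name, cannot be reached by SSO
        addr = snc_name[2:] if snc_name.startswith("p:") else snc_name
        local = addr.split("@", 1)[0].lower()
        index.setdefault(local, []).append(sap_user)
    return index


def map_to_sap_user(principal, snc_tab=SU01_SNC_TAB):
    """Return the single SAP user ID for an authenticated principal.

    Returns None when no SU01 entry matches or when more than one does;
    in both cases the caller should fall back to an explicit logon rather
    than pick a user, since the AD user ID != ECC user ID here.
    """
    index = build_mapping(snc_tab)
    candidates = index.get(ad_user_from_principal(principal), [])
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    for who in ("jsmith@CORP.EXAMPLE.COM", "CORP\\anton.kruse",
                "jdoe@CORP.EXAMPLE.COM", "nobody@CORP.EXAMPLE.COM"):
        print(f"{who:28} -> {map_to_sap_user(who)}")
```

Because the Portal user ID equals the ECC user ID in Anton's setup, the value this returns can be handed straight to the Portal as the logon name; the one design choice worth keeping is that an ambiguous or missing SNC entry yields no user at all rather than a best effort.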

tim_alsop
Active Contributor
0 Kudos

Anton,

I have sent you an email explaining how the mapping works, since the information I needed to share is not online, hence I cannot provide a link. Also, it is against SCN rules to share information about third party products/tools, so I used email instead.

Thanks,

Tim

kristian_lehment
Participant
0 Kudos

Dear Anton,

SAP also offers a Single Sign-On solution that provides SSO with or without Kerberos. The product is called SAP NetWeaver Single Sign-On.

You can find more information on https://scn.sap.com/community/netweaver-sso

The SAP solution provides SSO using different technologies. E.g. you can choose SAML certificates. The component with the certificates is very good for SAP internal scenarios and supports different UI technologies (SAP GUI, Web browser, SAP web dynpro applications, …) and back ends (SAP Portal, non-SAP web application server, SAP NetWeaver, … ). SAML provides SSO for Web based applications based on a public standard but does not support SAP GUI. Please use the above link to find more information on the SSO space on SDN.

Best Regards

Kristian

0 Kudos

Hi Kristian

Will NW SSO integrate between SAP ECC, SAP Portal and Windows AD?

For us, the only time the user will enter his/her credentials will be when logging on to Windows.

The user won't know his / her SAP / Portal user name and this will be different from their Windows domain user name.

The user mapping is handled in the SNC tab of SU01.

Former Member
0 Kudos

If the user is already logging onto the AD and then accessing ECC with SSO, then where is the problem for the Java stack?

Perhaps you can explain your domain problem? Or unique user ID problems?

Cheers,

Julius

0 Kudos

Hi Julius

Yes, SSO is currently set up between the Windows AD and SAP ECC using NTLM v2, not Kerberos.

Kerberos may be an option if we can motivate it strongly enough.

My current problem is how do I extend SSO to the SAP Portal? Do I have to use Kerberos for this? Can I use NW SSO?

This isn't normally my area so any advice would be appreciated.

Thanks

Anton

0 Kudos

You should seriously consider fixing the user ID uniqueness problem (for more reasons than just this) and then other options will open for you, such as pointing the Portal system's UME to the AD as store or using SSO2 tickets from other systems which have already authenticated the user. How big is the task of fixing that and how strong is the resistance from the AD team?

If you cannot fix that, then you will need a more "fancy" product which is capable of supporting the mapping of the ID names. In that case you will have to evaluate the NW SSO product or other 3rd party solutions and make your own choice there (licensing, maintenance costs and your budget limitations are a commercial topic which is not the purpose of these technical discussion forums).

Cheers,

Julius

0 Kudos

Hi Julius

Our client is global and each country maintains their AD differently. The resistance is very strong from the AD team.

I understand that once Kerberos is activated, it adds the Krb5principal field in the UME. If we can populate that with the AD username could we not use that for our mapping?

Do we still need something more "fancy"?