Kerberos SSO for ABAP with multiple kerberos realms

Former Member
0 Kudos

I am trying to establish if it is possible to do the following (and if so, how):

- SAP ABAP System ECD running on Windows 2008 in domain SAPROOT.LOCAL

- User PCs authenticated in domain ADROOT.COMPANY.COM

- Microsoft Kerberos Security Provider to be used

- Want to do SAPGui SNC SSO Logon using the above security provider

I understand that it is possible to use the Microsoft Kerberos Security provider when the users are in the same Kerberos Realm as the SAP Servers.

However, when they are in different realms, like above, could anyone give me an idea of what are the additional steps required to allow the SAP system in SAPROOT.LOCAL to accept kerberos authentication from users in the ADROOT.COMPANY.COM domain?

Presumably there is some form of trust requiring to be setup - however, I can't join the domains, so wish to know if there is some special kerberos trust mechanism.

Many thanks,

Andy.

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Your AD domain/forest called SAPROOT.LOCAL needs to trust the ADROOT.COMPANY.COM domain. You therefore need to set up a one-way forest or domain trust. Make sure that the trust is "Transitive" so that Kerberos service ticket requests will work from the workstation which is logged onto an account in the ADROOT.COMPANY.COM domain.

Thanks,

Tim

8 REPLIES

Former Member
0 Kudos

Thanks Tim. Oh dear. I was rather hoping that wouldn't be the answer. The reason that the SAPROOT domain was set up was so that it was a separate security domain and there was no trust of the ADROOT domain.

We have setup SAP Portals which are in the SAPROOT domain to use SPNEGO and provide SSO for browser users, and no domain trust was necessary there, so I was hoping that there was some similar mechanism to provide this.

Is there no ktab mechanism or anything like that which could be used instead of setting up AD trust relationship?

Many thanks for your input, though.

Thanks, Andy.

tim_alsop
Active Contributor
0 Kudos

The authentication of a user via the SPNEGO login module works in exactly the same way as when using SNC, so there must be a trust relationship already in place, or both domains are in the same forest, in which case the trust is automatically provided between sub domains in a forest.

You can create an ADROOT.COMPANY.COM domain principal in a keytab on the SAP server, and use this for users logged onto the ADROOT.COMPANY.COM domain, but this will mean you will not be using the SAPROOT.LOCAL domain for anything anymore - you said you wanted this domain for security reasons.

tim_alsop
Active Contributor
0 Kudos

Andy,

Perhaps you can logon using SPNEGO login module, and then look in Kerberos ticket cache on workstation - if there is a domain trust already setup (which I suspect there is) you will see cross-realm versions of the krbtgt ticket. These will look something like krbtgt/REALM1@REALM2.

Thanks,

Tim

Former Member
0 Kudos

Tim,

I thought that the portal equivalent doesn't require an AD trust to be setup because the portal SPNEGO configuration uses a keytab to establish a connection between the saproot.local domain and the adroot.company.com domain through a specific service user. That's my understanding anyway.

I don't see how I can use a kerberos keytab in an ABAP system configuration though.

You said:

> You can create a ADROOT.COMPANY.COM domain principal in keytab on SAP server, and use this for users logged onto ADROOT.COMPANY.COM domain, but this will mean you will not be using the SAPROOT.LOCAL domain for anything anymore - you said you wanted this domain for security reasons

How would I do this? I would appreciate it if you could give a pointer at least. I then need to thoroughly understand the security implications.

Thanks, Andy.

tim_alsop
Active Contributor
0 Kudos

Andy,

Nice to hear from you again 🙂

The key table file is used by SAP ABAP server with SNC enabled, and also used by the SAP SPNEGO login module for IWA authentication. The principal in the key table file can be for an account in either of your domains. If you use your SAPROOT domain, then a trust relationship will be needed, and as I have said to you before, if SPNEGO is working and your HTTP/<hostname> principal is in the SAPROOT domain, then there MUST be a trust relationship already setup.

I hope this helps.

Thanks,

Tim

Former Member
0 Kudos

Tim,

for the portal/spnego:

The SPN for the SPNEGO was setup in the ADROOT.company.com domain controllers.

The portal then has a keytab loaded with the ADROOT service user details so that it can connect to the ADROOT domain and do authentication (I presume).

For the Gui SSO

I now have the GUI SSO working within the SAPROOT.local domain. However, I need to understand if there is a way of setting up some sort of 'partial' trust so that the SAPServiceECD user in the SAProot.local domain can authenticate a user who presents ADROOT.company.com credentials - much like the portal does. As far as I can tell there is no general trust between SAPROOT.local and ADROOT.company.com - although I know that you say it must be the case if we are using SPNEGO on the portal. I am being told there is no general AD trust between the two domains (and will not be able to have one).

Thanks, Andy.

tim_alsop
Active Contributor
0 Kudos

Andy,

If your SPN for SPNEGO is in the ADROOT domain, then this will not require any trust for users who are logged onto the ADROOT domain. If you create an SPN for SAP SNC in the ADROOT domain then no trust will be required.

If you set up the SPN for SAP SNC in the SAPROOT domain, then you will need to have a one-way transitive trust set up between these domains, so that users who are logged onto the ADROOT domain are trusted by the SAP system in the SAPROOT domain.

Thanks,

Tim
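Two of Tim's points above can be checked on a workstation: whether a cross-realm trust is already in use shows up as krbtgt/REALM1@REALM2 entries in the ticket cache, and whether a trust is needed at all depends on which realm the SNC SPN lives in. The following script is an added example, not code from the thread or from SAP; the `klist` output it parses is constructed to resemble the Windows `klist` format for a user logged on to ADROOT.COMPANY.COM, and the SAPServiceECD principal name and realms are taken from the discussion.

```python
import re

# Constructed sample of Windows `klist` output (not captured from a real system).
# The user is logged on to ADROOT.COMPANY.COM and has already started SAP GUI
# with SNC, so a cross-realm TGT and the SNC service ticket are in the cache.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: andy @ ADROOT.COMPANY.COM
        Server: krbtgt/ADROOT.COMPANY.COM @ ADROOT.COMPANY.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: andy @ ADROOT.COMPANY.COM
        Server: krbtgt/SAPROOT.LOCAL @ ADROOT.COMPANY.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: andy @ ADROOT.COMPANY.COM
        Server: SAPServiceECD @ SAPROOT.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# One "Server:" line per cached ticket: "<principal> @ <issuing realm>".
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)\s*$", re.MULTILINE)


def parse_servers(klist_text):
    """Return a list of (service_principal, issuing_realm) for every cached ticket."""
    return SERVER_RE.findall(klist_text)


def cross_realm_tgts(klist_text):
    """Return {(issuing_realm, target_realm)} for every cross-realm krbtgt ticket.

    A krbtgt/TARGET @ ISSUER entry with TARGET != ISSUER is the referral TGT the
    workstation's KDC hands out only when a trust path to TARGET exists."""
    hops = set()
    for principal, issuer in parse_servers(klist_text):
        svc, _, target = principal.partition("/")
        if svc == "krbtgt" and target and target.upper() != issuer.upper():
            hops.add((issuer.upper(), target.upper()))
    return hops


def trust_needed(user_realm, spn_realm):
    """A trust is only required when the SNC SPN sits in a different realm than the user."""
    return user_realm.upper() != spn_realm.upper()


def trust_path_present(klist_text, user_realm, spn_realm):
    """True if no trust is needed, or the cache already holds the cross-realm TGT for it."""
    if not trust_needed(user_realm, spn_realm):
        return True
    return (user_realm.upper(), spn_realm.upper()) in cross_realm_tgts(klist_text)
```

On a real workstation, feed the output of `klist` into `trust_path_present` with the logon realm and the realm of the SAP SNC SPN; an SPN placed in the user's own realm (Tim's second option) returns True without any cross-realm entry.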