02-14-2014 10:16 AM
Hello,
We have a requirement to implement SSO for an ECC system using AD. We have a domain installation for both systems, but the issue is that we are using a different domain for the server users (<SID>adm and SAPService<SID>), and the end users exist in a different domain. So my question is: can we configure SSO using Kerberos?
I was checking on the net and found that we can achieve it by setting up trust between the servers, but I was unable to find a how-to guide to achieve the same.
Also, let me know if it includes any additional license cost, what the difference is between the various types (Kerberos, SPNEGO, NTLM, X.509), and what we can achieve with the SAP NetWeaver Single Sign-On 2.0 server. Does it include an extra license cost?
02-14-2014 6:22 PM
Ask your Windows admins to establish the trust; they can do it on a server (machine) level or domain level. NWSSO is a separately installed product. Since you are on a heterogeneous Windows architecture, you can use the library provided in SAP note 352295, although the library might not work with recent Active Directory landscapes, encryption keys, etc. In case it doesn't, you will have to require NWSSO or an SSO product from a certified SAP partner.
02-15-2014 2:33 PM
Thanks Samuli,
Could you please direct me to the detailed SAP documents, and which way of trust (one-way) will work?
Also, if we can establish it using Kerberos, then why do we require the NetWeaver SSO product?
Pawan
02-16-2014 4:13 AM
I don't think SAP has documented the procedure since it's not SAP specific, it's generic to Windows. You might want to search MSDN or Microsoft KBAs to get help. Regarding what kind of trust needs to be set up, see this discussion thread. It's not a question of whether you can use Kerberos or not. The library provided in SAP note 352295 supports Kerberos; it is more a question of whether that library is compatible with your AD infrastructure/setup. NWSSO or a 3rd party product is required if the provided library doesn't work, for whatever reason.
02-17-2014 7:41 AM
To add some perspective as someone who writes documentation, if SAP officially documents a procedure of another company's software, depending on the legal framework, SAP can be held accountable for that documentation. You can see how that can be a problem. Microsoft can change how their software works without notifying SAP.
02-17-2014 8:05 AM
Hi Pawan,
With respect to setting up a trust relationship between domains, you must contact your Windows admin, check the requirements and explain the purpose.
See if you can simulate your idea before going in any other direction; this is always a good way to handle requirements and is also good for the knowledge base.
Cheers,
Nagarajan Viswanathan