cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Steps required to change password of SPN account supporting NW SSO Client solution?

Former Member

on ‎10-07-2014 6:28 PM

0 Kudos


Hello Experts,

We are using SAP NetWeaver Single Sign-On to enable SAP GUI SSO.  Our configuration uses Kerberos integration (SAP GUI for Window, Secure network communications - SNC).

I've been ask to change the password of the Kerberos service account as part of a yearly security task but it is not clear what all the steps that are needed to ensure Kerberos authentication is not interupted

Certainly I can change the pwd for the SPN account in Windows but I am not clear on what steps need to be taken on the SAP side to maintain the Kerberos authentication.  From what I have read, a new keytab needs to be created but how exactly is this done?  I also read there is a command line utility SAPGENPSE that is used to generate PSE file and Kerberos keytab when initially configuring the setup.  Would this be used again to generate a new keytab file?  Is there any other method that can be accessed from SAPGUI instead of a command line utility program?

Would very much appreciate your help to get a clear picture of the steps required to successfully update the SPN account password.

Regards,

Stephen Brewer

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎10-08-2014 5:43 PM
0 Kudos

Hello Stephen

You need to use SAPGENPSE to create the keytab file and PSE file again. We need to generate keytabl file everytime after changing anything with Service User.

In addition,

1. also add credentials to the credentials file (cred_v2) using command:

./sapgenpse seclogin -p <keytab File Name>.pse -O <sid>adm

You need to entre password of Service User as PIN.

2. Verify entries in credential file using command:

./sapgenpse seclogin –l

The path ../<keytab File Name>.pse should be readable to “devadm” user.

I hope this information will help you.

Regards,

Tapan

Show replies
Show replies
Former Member
‎10-10-2014 7:05 PM
0 Kudos

Thanks Tapan!  To avoid any interuption to the Kerberos authentication, I am hoping to be able to first create the new keytab with new password before actually applying the new password to the SPN account in Active Directory.  I do not have command line access so have to coordinate this with another team but will post results.

Stephen Brewer

Ask a Question