on 10-07-2014 6:28 PM
Hello Experts,
We are using SAP NetWeaver Single Sign-On to enable SAP GUI SSO. Our configuration uses Kerberos integration (SAP GUI for Windows, Secure network communications - SNC).
I've been asked to change the password of the Kerberos service account as part of a yearly security task, but it is not clear what steps are needed to ensure Kerberos authentication is not interrupted.
Certainly I can change the pwd for the SPN account in Windows but I am not clear on what steps need to be taken on the SAP side to maintain the Kerberos authentication. From what I have read, a new keytab needs to be created but how exactly is this done? I also read there is a command line utility SAPGENPSE that is used to generate PSE file and Kerberos keytab when initially configuring the setup. Would this be used again to generate a new keytab file? Is there any other method that can be accessed from SAPGUI instead of a command line utility program?
Would very much appreciate your help to get a clear picture of the steps required to successfully update the SPN account password.
Regards,
Stephen Brewer
Hello Stephen
You need to use SAPGENPSE to create the keytab file and PSE file again. We need to generate the keytab file every time after changing anything with the Service User.
In addition,
1. also add credentials to the credentials file (cred_v2) using command:
./sapgenpse seclogin -p <keytab File Name>.pse -O <sid>adm
You need to enter the password of the Service User as PIN.
2. Verify entries in credential file using command:
./sapgenpse seclogin -l
The path ../<keytab File Name>.pse should be readable to “devadm” user.
I hope this information will help you.
Regards,
Tapan
Thanks Tapan! To avoid any interruption to the Kerberos authentication, I am hoping to be able to first create the new keytab with the new password before actually applying the new password to the SPN account in Active Directory. I do not have command line access so have to coordinate this with another team but will post results.
Stephen Brewer