cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Connecting a standalone sap server to domain controller using secure LDAP

former_member246738
Explorer

on ‎03-29-2016 4:29 PM

0 Kudos

Hi All,

We are implementing SAP SLC 2.0, for which we have installed the SLQ QA Sell Side system in the DMZ, outside the company firewall. The server is also not joined to the domain. We now have a requirement to enable SNC on the application server. For obvious reasons we need to be able to let the application server communicate to the domain controller. IT Security has agreed to open ports in the firewall to let the application server communicate to the domain controller, the condition being that only LDAP(S), which is secure LDAP on port 636 can be opened. My question is that how we force the SAP application to connect to domain controller using LDAP(s) and not LDAP for which port will obviously not be opened. I need to be able to run the Windows service SAP<SID>_NN  with user SAPService<SID> created on the domain.

Regards

Joyee

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member202592
Participant
‎04-08-2016 2:32 AM
0 Kudos

Hello,

Which OS is your AS ABAP installed? Windows? Linux?

This is important since LDAPS only works (by chance) when the AS ABAP is installed in a Windows box.

Cheers,

Filipe Santos

Show replies
Show replies
LutzR
Active Contributor
‎04-01-2016 9:38 AM
0 Kudos

Hi Joyee,

could you please clarify your requirements. You want to establish SNC secured connections

- from SAP GUI to AS ABAP? Kerberos or X.509 based?

- from AS ABAP to other AS ABAP?

- from AS ABAP to some other system or other way round?

- with SSO or without SSO?

- Which SNC product do you use (SAP Single Sing-On?)

For Kerberos based SNC between GUI and AS ABAP there is no communication needed between AS ABAP and Domain Controller at least as long as you use SAP SSO. Trust is established by creating a keytab with the SAP system's AD account password during initial configuration on AS ABAP side.

LDAP / LDAPs has nothing to do with SNC. Kerberos communication would be port 99 AFAIK (but is not needed for SNC with SAP SSO).

For Server-to-Server SNC you could go with self signed X.509 certificates (and without Kerberos).

If your question is really about LDAPS:

As long as your application server is windows based the LDAP connector will automatically switch to SSL as soon as you configure the SSL port. If your application server is non Windows this gets complicated. You are talking about AS ABAP, don't you?

Regards,

Lutz

Show replies
Show replies
former_member246738
Explorer
‎04-01-2016 11:44 AM
0 Kudos

Hello Lutz,

Thanks for responding to my query. Please find my answers:

SNC secured connection is required for :

1. SAP Gui and AS ABAP.

2. RFC Connections AS ABAP to AS ABAP.

We do not have a SNC product currently and are evaluating our options. This is the first time we have been presented with such a situation. Generally, we have systems installed in the domain and we use the SNC name p:SAPService<SID>@<Domain>. However, this does not seem to be an option now.

The possibility that you mentioned using kerberos based SNC sounds promising. Would it be possible to share some documents or links on the same?

Would also like to know how to use self-signed X.509 certificates for server to server SNC.

Lets just disregard the discussion about LDAP or LDAP(s) for the time being.

Thanks in Advance

Regards

Joyee

LutzR
Active Contributor
‎04-01-2016 11:59 AM
0 Kudos

Hi Joyee,

as an entry point for documentation I would recommend

Using the Single Sign-On Wizard to Configure SNC and SPNego - What Is Secure Login? - SAP Library

Then you should move your attention to the product related SCN corner:

SAP SSO Product management and developers usually have an eye on that community and will help.

And you will always get a valuable second opinion from Tim Alsop of Cybersafe if you contact him directly.

Regards,

Lutz

former_member246738
Explorer
‎04-02-2016 4:38 PM
0 Kudos

Hi Lutz,

Thanks again for your guidance. I still have a few questions:

I have been able to enable SNC using the SNCWIZARD tcode. However, it looks like SPNEGO is possible only if we have a license for SAP SSO. Is my understanding correct in this respect?

We will have users logging on from PCs within the company domain to this standalone server. When I tried to login to this system using the SNC name generated automatically , SAP GUI tries to look for an SPN within the domain and it fails. What do we need to do in terms of SPN to get this working?

Thanks in Advance

Regards

LutzR
Active Contributor
‎04-04-2016 8:33 AM
0 Kudos

Hi Joyee,

this is without guarantee for correctness:

  • Server to Server SNC - no SAP SSO license required
  • Client to Server SNC - encryption only, no SSO ("SNC Cient Encryption") no SAP SSO license required
  • Client to Server SNC including SSO (Secure Login Client installation on PCs needed) - SAP SSO license required!
  • SPNego (on AS ABAP) - SAP SSO license required!
  • SPNego (on AS JAVA) - no SAP SSO license required

Product management will tell your more reliably if you post your question to SAP Single Sign-On.

Regards,

Lutz

Ask a Question