Application Development Discussions
SSO using Kerberos and Sap Logon Ticket in Combination

Former Member
0 Kudos

Hi Guys,

After a few days of studying SSO there is one major question not answered. I would be very happy if someone could get me onto the right track.

Here is a short description what we want to have:

A number of users are logged on within an ADS domain and will connect to the Portal and embedded backends without using any password.

There are other users who want to connect to the Portal; unfortunately they are not authenticated against the ADS.

Solution: We want to configure SPNego on the Portal to allow ADS-authenticated users to access the Portal without a password. Once they are logged in, they get an SAP Logon Ticket issued by the Portal to have access to the embedded SAP applications (backends).

If there is a user without a Kerberos ticket, he is forced to log on to the Portal using username and password; he will then get an SAP Logon Ticket to get access to the backends.

Problem: I understand, that the implementation of SPnego requires to change the UME datasource to point to the ADS. The Video and PDF in SPNego_ADS_datasource_Sun_JDK_1.zip provided by SAP describes the process very well.

1. If the connection to the ADS is interrupted, is nobody able to log on anymore? (Because the user persistence is not local anymore.)

2. If someone logs on with or without Kerberos Ticket, will he get an (additional) SAP Logon ticket issued by the Portal?

3. I believe, that all Portal users must be maintained using the ADS, is this correct?

I would be very happy if someone could help me to find answers. We do not want to use 3rd party Software, only SAP products if possible.

Thanks and regards,

Enno

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello,

I made a bit of progress on this topic. Generally, I should be able to use Kerberos for the Portal authentication (ADS) using a database user store. The procedure is described in SAP Note 935644. However, the option to use the SPNego wizard sounds very promising, but obviously the usage of the wizard will lead to a UME LDAP datasource automatically:

From the SPnego Wizard Documentation

Result:

The service user in the ADS is created and configured to Kerberos authentication on the AS Java.

AND

The UME is connected to an LDAP data source and the UME data source configuration file contains attribute mappings to enable user resolution for Kerberos authentication.

This is not what i want.

Question: Is it possible to use the wizard and leave the Datasource Configuration untouched?

I believe that I have to add the "form auth" afterwards to the login stack.

I would answer my questions like below:

1) As the datasource is local in my scenario, the unavailable ADS is no problem as long as the user knows the right password.

2) Every user will get an SAP Logon Ticket issued by the Portal to access the SAP backend systems.

3) Portal users must be maintained on the Portal only (groups, roles etc.). To provide Kerberos SSO they must send their Kerberos ticket with a properly configured IE.

Could anybody please be so kind as to confirm that my plan and conclusion are correct?

Thanks and regards,

Enno

7 REPLIES 7

0 Kudos

Hi Enno,

in general it is possible to use the SPNego configuration wizard also with a user datasource that IS NOT the Active Directory.

In such a case you still have to state in the first screen that you did the preparation work. In one of the following screens you have to select the prefix-based user resolution method and select the proper UME attribute where the user should be searched (default would be uniquename).

It might get a little bit more complicated if your JDK is from Sun; in that case a lookup for the service user also takes place, and as the Active Directory is not directly connected to the UME you have to manually create the service user in the portal database as well and maintain a new UME attribute (krb5principalname). How to do this in detail is described in the online documentation for the manual Kerberos configuration.

Hope that helps a bit.

René

0 Kudos

Hi Rene,

thank you very much for your extensive explanation and your help. I will reward you maximum points for that.

I did progress on this topic. However, now I have a problem with the configuration of the UME Datastore XML. I downloaded the original one (dataSourceConfiguration_database_only.xml) with the following content:

.......
<homeFor>
  <principals>
    <principal type="group"/>
    <principal type="user"/>
    <principal type="account"/>
    <principal type="team"/>
    <principal type="ROOT"/>
    <principal type="OOOO"/>
  </principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
  <principals>
    <principal type="group"/>
    <principal type="user"/>
    <principal type="account"/>
    <principal type="team"/>
    <principal type="ROOT"/>
    <principal type="OOOO"/>
  </principals>
</responsibleFor>
.......

Regarding the Documentation i have to change the Data Source Definition:

a. Define the attribute kpnprefix in the responsibleFor section of the UME data source configuration file.

b. Map the attribute kpnprefix to the physical attribute in the UME data source that corresponds to the user account ID.

When using Sun JDK, you have to map the krb5principalname to the physical attribute user principal name. This is necessary for the acquisition of the J2EE Engine service user credentials.

Unfortunately the given example is not helpful at all. My configuration file is simpler and it does not have attributes, namespace or principal sections.

Would you or anybody else be able to give me an example of how to change my dataSourceConfiguration_database_only.xml? I want to upload it with a different name and change the UME to use it, because we want to use the default UME persistence instead of the ADS.

Thanks and regards,

Enno

0 Kudos

Hello,

here is my first try. Is anybody able to check if the syntax is correct to fulfil the above points a and b and the Sun Java-specific mapping?

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_database_only.xml#2 $ from $DateTime: 2004/07/01 09:31:21 $ ($Change: 16627 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
  <dataSource id="PRIVATE_DATASOURCE"
              className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
              isReadonly="false"
              isPrimary="true">
    <homeFor>
      <principals>
        <principal type="group"/>
        <principal type="user"/>
        <principal type="account"/>
        <principal type="team"/>
        <principal type="ROOT"/>
        <principal type="OOOO"/>
      </principals>
    </homeFor>
    <notHomeFor/>
    <responsibleFor>
      <principals>
        <principal type="group"/>
        <!-- the SPNego attributes belong inside the user principal, not beside it;
             tag names are case-sensitive (nameSpaces / nameSpace) -->
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="krb5principalname"/>
                <attribute name="kpnprefix"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
        <principal type="account"/>
        <principal type="team"/>
        <principal type="ROOT"/>
        <principal type="OOOO"/>
      </principals>
    </responsibleFor>
    <privateSection/>
    <attributeMapping>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <!-- Sun JDK: service user credential lookup -->
                <attribute name="krb5principalname">
                  <physicalAttribute name="userprincipalname"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>
  </dataSource>
</dataSources>

On the other hand, links for examples for default database store using SPnego would be appreciated.

Thanks and regards,

Enno
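An added check for the three conditions quoted above (a: kpnprefix declared under responsibleFor, b: kpnprefix mapped to a physical attribute, Sun JDK: krb5principalname mapped to userprincipalname), as example code that is not part of the thread or of any SAP tool. The XML it parses is constructed for the example, and the physical attribute name "j_user" used for the account ID mapping is an assumption. Because XML tag names are case-sensitive, a closing tag typed in the wrong case (as in the posted file) shows up as a parse error rather than a silently ignored section.

```python
# Added example (not from the thread): check a UME dataSourceConfiguration XML
# for the SPNego prerequisites quoted above (a: kpnprefix declared under
# responsibleFor; b: kpnprefix mapped to a physical attribute; Sun JDK:
# krb5principalname mapped to userprincipalname). The XML below is constructed
# for this example; the physical attribute name "j_user" is an assumption.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

UME_NS = "com.sap.security.core.usermanagement"

SAMPLE_XML = """<dataSources>
  <dataSource id="PRIVATE_DATASOURCE" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
    <homeFor><principals><principal type="user"/></principals></homeFor>
    <notHomeFor/>
    <responsibleFor>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="kpnprefix"/>
                <attribute name="krb5principalname"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </responsibleFor>
    <privateSection/>
    <attributeMapping>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="kpnprefix"><physicalAttribute name="j_user"/></attribute>
                <attribute name="krb5principalname"><physicalAttribute name="userprincipalname"/></attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>
  </dataSource>
</dataSources>
"""

# Two deliberately broken variants: the closing-tag case mismatch from the
# posted file, and a file that declares kpnprefix but never maps it.
BROKEN_TAG_CASE = SAMPLE_XML.replace("</nameSpace>", "</namespace>", 1)
MISSING_MAPPING = SAMPLE_XML.replace(
    '<attribute name="kpnprefix"><physicalAttribute name="j_user"/></attribute>', "")


def _user_attributes(root: ET.Element, section: str) -> Dict[str, Optional[str]]:
    """Return {logical attribute -> physical attribute or None} declared for
    principal type="user" in the UME namespace of the given section."""
    found: Dict[str, Optional[str]] = {}
    for principal in root.iterfind(f"./dataSource/{section}/principals/principal"):
        if principal.get("type") != "user":
            continue
        for ns in principal.iterfind("./nameSpaces/nameSpace"):
            if ns.get("name") != UME_NS:
                continue
            for attr in ns.iterfind("./attributes/attribute"):
                phys = attr.find("physicalAttribute")
                found[attr.get("name")] = phys.get("name") if phys is not None else None
    return found


def check_spnego_datasource(xml_text: str, sun_jdk: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the file satisfies a, b
    and (if sun_jdk) the service-user mapping."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    responsible = _user_attributes(root, "responsibleFor")
    mapping = _user_attributes(root, "attributeMapping")
    findings: List[str] = []
    if "kpnprefix" not in responsible:
        findings.append("a: kpnprefix is not declared under responsibleFor/principal[type=user]")
    if not mapping.get("kpnprefix"):
        findings.append("b: kpnprefix has no physicalAttribute mapping")
    if sun_jdk:
        if "krb5principalname" not in responsible:
            findings.append("sun: krb5principalname is not declared under responsibleFor")
        if mapping.get("krb5principalname") != "userprincipalname":
            findings.append("sun: krb5principalname is not mapped to userprincipalname")
    return findings


if __name__ == "__main__":
    for label, doc in [("sample", SAMPLE_XML), ("tag case", BROKEN_TAG_CASE), ("no mapping", MISSING_MAPPING)]:
        print(label, check_spnego_datasource(doc) or "OK")
```

Run it against your own file with `check_spnego_datasource(open(path).read())`; the DOCTYPE line is ignored by the standard-library parser, so the real file can be fed in unchanged.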

0 Kudos

Hello Enno,

you do not need to modify the UME datasource XML file. In general the file dataSourceConfiguration_database_only.xml configures the UME to get all user and group data from the UME database directly; no mapping and no change in this file is necessary.

What you need to do is the following:

- prepare the service user on MS ADS according to the wizard documentation

- run the SPNego wizard

- mark the 2 flags in step 1

- in step 2 define the Kerberos realm (windows domain in upper case) and the KDC (or several KDCs for failover)

- in step 3 select prefix-based; as attribute you have to choose uniquename

- in step 4 leave the settings as they are shown by standard (spnego will be created as template)

- confirm the settings in step 5

As additional manual work (ONLY NECESSARY WHEN USING SUN JDK) you will have to perform the following steps:

- create a new UME attribute (ume.admin.addattrs = krb5principalname)

- restart the system

- create the service user from MS ADS in the portal database (which user ID you choose does not matter at all)

- maintain the new user attribute krb5principalname with a value that is configured in policy configuration "spnego" com.sap.spnego.jgss.name (the kerberos name of your system)

- set "No password change required" option for this new service user

More details for this special user are available in the documentation chapter (just leave the XML file adaption parts open):

http://help.sap.com/saphelp_nw70/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/frameset.htm

Hope that helps a bit. Unfortunately there is no special documentation existing for your special scenario.

Best regards,

René

0 Kudos

Hi Rene,

thanks a lot for your very helpful information. I followed your steps (where not already done) and was able to get through the config wizard successfully.

Nevertheless, I am not able to log on using Kerberos tickets. I did not expect that I would get it working on the first try because this topic is quite complex.

Is it necessary to configure the login stack afterwards, because you mentioned that the wizard is creating a template only? Additionally I would be very happy to get your contact details if you have no problem with it.

Greetings to Germany from NZ.

Thanks and regards,

Enno Stahl

0 Kudos

Hello Enno,

yes, the wizard only prepares the template called "spnego"; you have to copy these settings to where you need to (for instance to "ticket" in case of a portal).

I will only be able to reply here in SDN, therefore direct contact via eMail does not make sense.

With best regards,

René
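The behaviour the thread is after (Kerberos users pass without a password, everyone else gets the logon form, both end up with a logon ticket) is decided by the login stack into which the "spnego" template is copied. Below is an added model of that stack, written for this page and not taken from any SAP system: it implements the JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), the prefix-based user resolution René describes, and a local database-only user store. The module names, the stack order and the user records are assumptions for the illustration.

```python
# Added example (not from the thread): a model of the AS Java "ticket" login
# stack after the wizard's "spnego" template has been copied into it, with JAAS
# control-flag semantics and prefix-based Kerberos user resolution against a
# local (database) UME store. Module names, stack order and user records are
# assumptions made for this illustration, not read from an SAP system.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed local UME store: uniquename -> password. Nobody here comes from AD.
USER_STORE = {"enno": "s3cret", "contractor": "pa55word"}


@dataclass
class LoginAttempt:
    kerberos_principal: Optional[str] = None   # from the Negotiate header, e.g. enno@CORP.EXAMPLE
    username: Optional[str] = None             # from the logon form, if shown
    password: Optional[str] = None
    authenticated_user: Optional[str] = None   # set by whichever module authenticates
    logon_ticket: bool = False                 # set when an SAP Logon Ticket is created
    success: bool = False


def resolve_prefix(kerberos_principal: str, store: dict) -> Optional[str]:
    """Prefix-based user resolution: the part before '@' must equal the UME
    attribute chosen in the wizard (uniquename here). The realm is ignored."""
    if "@" not in kerberos_principal:
        return None
    prefix = kerberos_principal.split("@", 1)[0]
    return prefix if prefix in store else None


def spnego_module(a: LoginAttempt) -> bool:
    if a.kerberos_principal is None:
        return False
    user = resolve_prefix(a.kerberos_principal, USER_STORE)
    if user is None:            # valid Kerberos user, but no matching portal user
        return False
    a.authenticated_user = user
    return True


def basic_password_module(a: LoginAttempt) -> bool:
    if a.username is None or USER_STORE.get(a.username) != a.password:
        return False
    a.authenticated_user = a.username
    return True


def create_ticket_module(a: LoginAttempt) -> bool:
    if a.authenticated_user is None:   # nothing to issue a ticket for yet
        return False
    a.logon_ticket = True
    return True


LoginModule = Tuple[str, str, Callable[[LoginAttempt], bool]]

# Assumed layout: Kerberos first, ticket creation SUFFICIENT so Kerberos users
# stop there; otherwise fall through to the password check, then a ticket.
TICKET_STACK: List[LoginModule] = [
    ("SPNegoLoginModule", "OPTIONAL", spnego_module),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket_module),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password_module),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket_module),
]


def run_stack(stack: List[LoginModule], a: LoginAttempt) -> bool:
    """JAAS control flags: REQUIRED/REQUISITE must succeed (REQUISITE aborts
    on failure), SUFFICIENT ends the stack on success unless a required module
    already failed, OPTIONAL never decides the outcome on its own."""
    required_failed = False
    any_success = False
    for _name, flag, module in stack:
        ok = module(a)
        if flag in ("REQUIRED", "REQUISITE"):
            if ok:
                any_success = True
            else:
                required_failed = True
                if flag == "REQUISITE":
                    return False
        elif flag == "SUFFICIENT":
            if ok:
                if not required_failed:
                    return True
                any_success = True
        elif flag == "OPTIONAL":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {flag}")
    return any_success and not required_failed


def login(kerberos_principal=None, username=None, password=None) -> LoginAttempt:
    a = LoginAttempt(kerberos_principal, username, password)
    a.success = run_stack(TICKET_STACK, a)
    return a


if __name__ == "__main__":
    print(login(kerberos_principal="enno@CORP.EXAMPLE"))
    print(login(kerberos_principal="guest@CORP.EXAMPLE", username="contractor", password="pa55word"))
    print(login(username="contractor", password="wrong"))
```

A Kerberos principal whose prefix is not a portal user fails the OPTIONAL module and simply falls through to the password check, which is the fallback the thread wants; a failed password stops at the REQUISITE module, so no ticket is ever created without a successful authentication. Note that with prefix-based resolution the only binding between an AD account and a portal account is the name before the "@", so every portal user name that also exists in the domain is reachable with that domain account's Kerberos ticket.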