
Setup of Kerberos Service Users (on MS Active Directory)

This is step 1 of a document series about setting up SAP Mobile Documents (based on SAP NetWeaver AS Java) to connect to Microsoft Sharepoint using Kerberos.

1.1 Create a Kerberos Service User for Sharepoint

Click Next - Finish.

1.2 Set Service Principal Name for the Sharepoint Kerberos Service User


Open adsiedit.msc on the domain controller.


Navigate to Users - Select the user that you just created - right click - Properties

Add the SPN (this is the prefix HTTP/ followed by the fully qualified host name that you will configure in the destination of SAP AS Java to call the Sharepoint Server) and click OK

Click OK



2.1 Create Kerberos Service User for AS Java

See the documentation as reference: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/3f289e43901cc5e10000000a42189b/frameset.htm



Set password and options as below:


Click Finish.


2.2 Set Service Principal Name for the Service User


Open adsiedit.msc on the domain controller

Navigate to Users - Select the Java Kerberos User that you just created - right click - Properties

Scroll down to servicePrincipalName - click edit


Add the SPN (this is the prefix HTTP/ followed by the fully qualified host name that you will use to call the AS Java) and click OK



Click OK.

2.3 Configure Delegation from the AS Java Service User to the Sharepoint Service User


Open Active Directory Users and Computers

Go to properties:

Go to tab "Delegation"

In this case, select the Sharepoint Kerberos Service User for delegation (that was created in chapter 1.1).

Select the HTTP entry - click OK:

Click OK

You have now set up the Kerberos Service Users for the Kerberos connection.
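
To confirm the result of sections 1.2, 2.2 and 2.3 without clicking through the dialogs again, the following read-only PowerShell check can be run on a machine with the ActiveDirectory module. It is an added example, not part of the original guide or of SAP's documentation; the account names and host names are placeholders that you must replace, and the function names `Test-SpnOwner` and `Test-Delegation` are made up for this illustration.

```powershell
# Added example: read-only audit of the accounts from sections 1.1 to 2.3.
# Every name below is a placeholder (assumption); substitute your own values.
Import-Module ActiveDirectory

$SharePointUser = 'svc-sharepoint'                # user from 1.1
$JavaUser       = 'svc-asjava'                    # user from 2.1
$SharePointSpn  = 'HTTP/sharepoint.example.com'   # SPN from 1.2
$JavaSpn        = 'HTTP/asjava.example.com'       # SPN from 2.2

function Test-SpnOwner {
    param([string]$Spn, [string]$ExpectedUser)
    # An SPN must resolve to exactly one account; a duplicate makes the KDC
    # unable to pick a key and Kerberos authentication to that host fails.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    [pscustomobject]@{
        Spn    = $Spn
        Owners = ($owners.sAMAccountName -join ', ')
        Ok     = ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $ExpectedUser)
    }
}

function Test-Delegation {
    param([string]$User, [string]$TargetSpn)
    $u = Get-ADUser -Identity $User -Properties 'msDS-AllowedToDelegateTo',
             'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $targets = @($u.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        User               = $User
        AllowedTargets     = ($targets -join ', ')
        # Entries beyond the one chosen in 2.3 widen what the account can reach.
        UnexpectedTargets  = (@($targets | Where-Object { $_ -ne $TargetSpn }) -join ', ')
        # True means unconstrained delegation, which 2.3 does not configure.
        Unconstrained      = $u.TrustedForDelegation
        ProtocolTransition = $u.TrustedToAuthForDelegation
        Ok                 = (-not $u.TrustedForDelegation) -and ($targets -contains $TargetSpn)
    }
}

Test-SpnOwner   -Spn $SharePointSpn -ExpectedUser $SharePointUser
Test-SpnOwner   -Spn $JavaSpn       -ExpectedUser $JavaUser
Test-Delegation -User $JavaUser     -TargetSpn $SharePointSpn
```

Each call returns one object; `Ok = False` on an SPN row points to a missing or duplicate registration, and on the delegation row to a missing target or an account trusted for delegation to any service.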


If you run into issues or need further information, this page is a good resource:


http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/

Continue with step 2 of the document series.
