Setup of Kerberos Service Users (on MS Active Directory)
This is step 1 of a document series about setting up SAP Mobile Documents (based on SAP NetWeaver AS Java) to connect to Microsoft Sharepoint using Kerberos.
1.1 Create a Kerberos Service User for Sharepoint
Click Next - Finish.
1.2 Set Service Principal Name for the Sharepoint Kerberos Service User
Open adsiedit.msc on the domain controller.
Navigate to Users - Select the user that you just created - right click - Properties
Add the SPN (this is the prefix HTTP/ and the full qualified host name that you will configure in the destination of SAP AS Java to call the Sharepoint Server) and click OK
2.1 Create Kerberos Service User for AS Java
See the documentation as reference: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/3f289e43901cc5e10000000a42189b/frameset.htm
Set password and options as below:
2.2 Set Service Principal Name for the Service User
Open adsiedit.msc on the domain controller
Navigate to Users - Select the Java Kerberos User that you just created - right click - Properties
Scroll down to servicePrincipalName - click edit
Add the SPN (this is prefix HTTP/ and the full qualified host name that you will use to call the AS
Java) and click OK
2.3 Configure Delegation from the AS Java Service User to the Sharepoint Service User
Open Active Directory Users and Computers
Go to properties:
Go to tab "Delegation"
In this case, select the Sharepoint Kerberos Service User for delegation (that was created in chapter 1.1).
Select the HTTP entry - click OK:
You have now set up the Kerberos Service Users for the Kerberos connection.
In case of issues or further information you can use this page as a good ressource: