Setup of SAP NetWeaver AS Java for Server-to-Server Single Sign-On using Kerberos

This is step 2 of a document series about setting up SAP Mobile Documents (based on SAP NetWeaver AS Java) to connect to Microsoft Sharepoint using Kerberos.

General remarks upfront:

SAP NetWeaver Administrator (NWA) is started using url
http://<host where AS Java is installed>:<port - usually 50000>/nwa

In the following, this URL is being referred to "go to NWA"

The system ID of thesystem that has been used for the screenshots is SBX

This is described with an AS Java System running on Windows

See also the high-level overview about this scenario. The official documentation is also linked there.

Deploy SSOExt Library

See official docu as reference: http://help.sap.com/saphelp_nwsso20/helpdata/en/80/d057adb7244181b2dbd17e4f485097/content.htm

Follow the download steps described on the official docu link.

Download latest version

Rename the file extension from .zip to .sca

The official way is to deploy AS Java using the Software Update Manager (SUM).

However,  I did the deployment using the unsupported option Telnet (as I am not a Java expert) and this is just for demo purposes. So please only use the following method for testing purposes - otherwise use SUM:

If you do not have Telnet available on your Windows Server, you can activate it: http://technet.microsoft.com/en-us/library/cc770501(v=ws.10).aspx

Open cmd with admin rights on the machine where the Java System is running.

Enter the following command: telnet localhost 50008

Enter AS Java admin and password

Enter command: deploy <full path to sca file>

Enable SSOExt Library

Go to NWA - search for applications - click Java Applications - search for name "ssoext".

Select the application ssoext_krb5 - click more Actions - View Application Properties

Select property "enabled" - click modify - enter value "true" - click Set

Click Save

Restart SAP Mobile Documents application

After deploying SSOEXT, you need to restart the SAP Mobile Documents application:

Go to NWA - search for applications - click Java Applications - search for Name "mcm":

Run SPNego Wizard

As a reference, see also official docu: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/21/bff93c7dcd458e9d71539a6d50dbbe/frameset.htm

Go to NWA -  Search for SPNego - Click SPNego

Click Add - Manually

Enter the Realm Name (this is the name of your Windows domain) - you find it in the Active Directory Users and Computers :

In the next step, use the user that you created before:

In the next step, you can ignore the AES warning (for testing purposes):

Use the settings as shown below - then click Finish

Enable the configuration (the light will turn green):

Configure the krb5.conf File

See official docu as reference: http://help.sap.com/saphelp_nwsso20/helpdata/en/25/62d09a26634803aee7aa9f4068f211/content.htm

Create krb5.conf file with the following content (replace values accordingly) in <drive>:\usr\sap\<SID>\SYS\global\security:

----------------------------------------------------------------------------------------------------

[realms]

DEMO.MOBILEDOCS.CORP = {

kdc = mobiledocs.demo.mobiledocs.corp

cname = jee-sbx

spn = HTTP/mobiledocs.demo.mobiledocs.corp

}

----------------------------------------------------------------------------------------------------

Remark: Use upper case letters for the domain entry (as shown above)!

Restart the SSOExt application

Go to NWA - search for applications - click Java Applications - search for Name "sso":

Now your SAP NetWeaver AS Java should be properly configured for so-called Kerberos Constrained Delegation.

Continue with step 3 of the document series.