SPNego Wizard_Active Directory Configuration

Feb 10, 2018

Transcript
  • 7/22/2019 SPNego Wizard_Active Directory Configuration

    1/31

    Nghia Nguyen

    SAP NetWeaver RIG Americas

    SAP Labs, LLC

    SPNego Wizard

  • Slide 2/31

    Introduction

    SPNego Manual Process

    SPNego Wizard Process

    Further Information

    Demo

    Summary


  • Slide 4/31

    SAP AG 2006, RAFP20 - EFP / 4

    Introduction

    Integrated Cross-Application User Management
      Single point of administration
      Interoperability, multi-vendor and platform support
      Avoid redundant user information

    Single Sign-On (SSO)
      User authenticates once against a security system
      User is afterwards automatically authenticated to access other systems
      Authentication against other applications is transparent for the user

    Solutions
      SAP Logon Tickets
      Windows Credentials

  • Slide 5/31

    Focus on Windows Integrated Authentication

    Microsoft Active Directory and Windows Domain

  • Slide 6/31

    What is: SAP SPNego LoginModule

    Motivation
      SSO from Browser to SAP Web AS / SAP Enterprise Portal by leveraging Microsoft Windows credentials (Kerberos) for authentication
      Example: Windows Integrated Authentication from MS IE to SAP Enterprise Portal without additional middleware components like MS IIS or others

    Solution:
      SAP SPNegoLoginModule for Kerberos authentication via HTTP to SAP NetWeaver

  • Slide 7/31

    SAP SPNego LoginModule

    Prerequisites
      Microsoft Windows Domain
      Authentication of users is delegated to the Windows domain
      User must be authenticated against the Windows domain on his or her workstation
      Browser propagates Windows credentials to SAP NetWeaver

    Typical scenarios
      Intranet scenarios

    Flow between the workstation, Active Directory / Windows Domain Controller and SAP NetWeaver (diagram):
      1. Windows domain logon
      2. Browser sends Windows credentials
      3. SPNego checks credentials via JVM against the DC
      4. SAP Logon Ticket issued

  • Slide 8/31

    SPNego Use Cases

    SPNego is a Java JAAS Login Module
      It applies to the NetWeaver Application Server J2EE
      A Logon Ticket is issued by the J2EE application server
      See SAP Note 701205 on how to configure a trust between NetWeaver J2EE and ABAP systems with SAP logon tickets

    Flow between the ABAP http web service (e.g. URL for web reports), the J2EE Java stack (SPNEGO) and Windows Active Directory (diagram):
      1. Send logon request to ABAP http service
      2. Forward request to Java stack (TA: SICS)
      3. Verification of credentials through SPNEGO using Kerberos against Windows Active Directory
      4. Confirmation: SAP user is equal to AD/Windows username
      5. Create logon ticket and redirect to ABAP (http service)
      6. Trust logon ticket and open ABAP app

  • Slide 9/31

    SPNego Use Cases

    SPNego can thereby be applied for authentication in many scenarios:
      NetWeaver Portal (intranet)
      NetWeaver Portal (intranet + external access by leveraging multiple logon stacks)
      Web Dynpro
      ABAP systems, e.g. SAP BW web reports, BSP pages, Integrated ITS (as of 6.40 onwards)
      Duet
      ...and others

  • Slide 10/31

    SPNego Protocol

    Simple and Protected Negotiation protocol:
      Wrapper around a GSS-based protocol
      Allows mechanism negotiation
      Supports all GSS-API conformant mechanisms
      For HTTP, tokens are exchanged as HTTP headers between server and browser

    Token layering (outermost first):
      Base64 encoding
      ASN.1 SPNego wrapper
      GSS token
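    The token layering on this slide (Base64 around an ASN.1 SPNego wrapper around the GSS token), as an added example that is not code from the deck or from SAP: a Python script that builds the Authorization: Negotiate header a browser sends to open the exchange, then unwraps it the way the server side would, down to the offered mechanism list, so a server can tell a genuine Kerberos offer from an NTLM-only fallback. The OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers; the optional mechToken (the Kerberos AP-REQ) is left out, so the token carries only the negotiation part.

```python
import base64

OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2 (DER: tag, length, value)
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "MS-Kerberos", OID_NTLMSSP: "NTLM"}

def _tlv(tag, body):  # encode one DER tag-length-value (minimal length form, up to 65535 bytes)
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _read_tlv(buf, pos):  # decode the TLV at buf[pos] -> (tag, value, end position)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def build_negotiate_header(mech_oids):  # browser side: "Negotiate <base64 NegTokenInit>"
    mech_types = _tlv(0x30, b"".join(mech_oids))            # mechTypes ::= SEQUENCE OF OID
    neg_token_init = _tlv(0x30, _tlv(0xA0, mech_types))     # NegTokenInit ::= SEQUENCE { [0] mechTypes }
    negotiation_token = _tlv(0xA0, neg_token_init)          # NegotiationToken CHOICE: negTokenInit [0]
    gss_token = _tlv(0x60, OID_SPNEGO + negotiation_token)  # GSS-API InitialContextToken [APPLICATION 0]
    return "Negotiate " + base64.b64encode(gss_token).decode("ascii")

def offered_mechanisms(header):  # server side: unwrap base64 -> GSS -> SPNEGO -> mechanism names
    if not header.startswith("Negotiate "):
        raise ValueError("not a Negotiate header")
    tag, body, _ = _read_tlv(base64.b64decode(header[len("Negotiate "):]), 0)
    if tag != 0x60 or not body.startswith(OID_SPNEGO):
        raise ValueError("not an SPNEGO InitialContextToken (raw Kerberos or NTLM token?)")
    _, neg_token_init, _ = _read_tlv(body, len(OID_SPNEGO))  # negTokenInit [0]
    _, seq, _ = _read_tlv(neg_token_init, 0)                 # NegTokenInit SEQUENCE
    _, mech_types_ctx, _ = _read_tlv(seq, 0)                 # [0] mechTypes
    _, mech_list, _ = _read_tlv(mech_types_ctx, 0)           # SEQUENCE OF OID
    names, pos = [], 0
    while pos < len(mech_list):
        end = _read_tlv(mech_list, pos)[2]
        names.append(MECH_NAMES.get(mech_list[pos:end], "unknown"))
        pos = end
    return names

def kerberos_offered(header):  # policy check: first offered mechanism is Kerberos, not an NTLM fallback
    mechs = offered_mechanisms(header)
    return bool(mechs) and mechs[0] in ("Kerberos", "MS-Kerberos")
```

    A Windows browser on a joined workstation normally offers MS-Kerberos and Kerberos before NTLM; a token whose list starts with NTLM means the Kerberos prerequisites on slide 7 (domain logon, SPN, intranet zone) were not met for that client.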

  • Slide 11/31


  • Slide 13/31

    SPNego Manual Procedure

    Configuration on the domain controller
      Creation of a Windows user which represents the J2EE Engine
      Export of Kerberos keys
      Registration of Service Principal Names

    Configuration on the browser clients
      Windows integrated authentication must be switched on
      J2EE Engine host must be explicitly assigned to the local intranet zone
      Automatic logon in the intranet zone must be allowed

    Configuration on the J2EE Engine
      Configuration of the JAAS LoginModule
      Setting of Java system properties
      Installation of krb5.conf and the key files
      Adjustment of the UME configuration
      Configuration of the LoginModule stacks


  • Slide 15/31

    SPNego Wizard Installation 1/2

    Download ZIP archive SPNegoWizard.zip from SAP Note 994791

    Deploy EARs
      sap.com~tc~sec~auth~jmx~ear.ear
      sap.com~tc~sec~auth~spnego~wizard.ear
      security_example.ear

  • Slide 16/31

    SPNego Wizard Installation 2/2

  • Slide 17/31

    SPNego Wizard - Active Directory configuration 1/2

    Create service user j2ee-
      Select User cannot change password
      Select Password never expires
      Select Use DES encryption types for this account

    Configure the service user
      Set Service Principal Name (SPN):
      setspn -A HTTP/

  • Slide 18/31

    SPNego Wizard - Active Directory configuration 2/2

    Check service user configuration
      Export LDAP attributes:
      ldifde -r (samaccountname=) -f out.ldf
      Check userPrincipalName and servicePrincipalName
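    The service-user checks on slides 17 and 18 (account flags, userPrincipalName, servicePrincipalName), as an added example that is not code from the deck or from SAP: a Python reader for the out.ldf file that ldifde exports, run over a sample export constructed for this example (the account j2ee-sap, its OU and the host sapportal.example.corp are invented). The userAccountControl bit values are the documented Windows flags; the DES finding is a caveat added here, because the DES-only setting on slide 17 is disabled by default on current Windows domains, where AES keys should be used instead.

```python
import base64

# Constructed sample of an "ldifde -r (samaccountname=...) -f out.ldf" export; not a real export
SAMPLE_LDF = """\
dn: CN=j2ee-sap,OU=Service Accounts,DC=example,DC=corp
objectClass: user
sAMAccountName: j2ee-sap
userPrincipalName: j2ee-sap@EXAMPLE.CORP
servicePrincipalName: HTTP/sapportal.example.corp
servicePrincipalName: HTTP/sapportal
userAccountControl: 2163200
description:: U0FQIEoyRUUgRW5naW5lIHNlcnZpY2UgdXNlcg==
"""
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl: "Password never expires"
UF_USE_DES_KEY_ONLY = 0x200000     # userAccountControl: "Use DES encryption types for this account"

def parse_ldif(text):
    """Minimal LDIF reader: comments, folded lines, multi-valued and base64 ('::') attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if attrs:
                entries.append(attrs)
            attrs = {}
            continue
        name, sep, value = line.partition("::") if "::" in line else line.partition(":")
        value = base64.b64decode(value.strip()).decode() if sep == "::" else value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return entries

def check_service_user(entry, host_fqdn):
    """Findings for the SPNego service user; an empty list means the slide's checks pass."""
    findings = []
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    if not uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("password expires: the exported Kerberos keys stop working on rotation")
    if uac & UF_USE_DES_KEY_ONLY:
        findings.append("DES-only keys: current Windows domains disable DES, use AES on a modern domain")
    if not entry.get("userprincipalname"):
        findings.append("missing userPrincipalName")
    if f"HTTP/{host_fqdn}" not in entry.get("serviceprincipalname", []):
        findings.append(f"missing SPN HTTP/{host_fqdn}: browsers cannot request a service ticket")
    return findings
```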

  • Slide 19/31

    SPNego Wizard - UME Configuration 1/3

    Change UME datasource (configtool)
      Upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml
      Change the datasource file to dataSourceConfiguration_ads_readonly_db_with_krb5.xml
      Enter LDAP connection data
      Test connection and authentication

  • Slide 20/31

    SPNego Wizard - UME Configuration 2/3

  • Slide 21/31

    SPNego Wizard - UME Configuration 3/3

    Others
      Enter additional user attributes to be visible in the User Admin application:
      krb5principalname; kpnprefix; dn

  • Slide 22/31

    SPNego Wizard - Java AS configuration 1/2

    Run the SPNego Configuration Wizard
      http://localhost:50000/spnego

  • Slide 23/31

    SPNego Wizard - Java AS configuration 2/2

    Set ticket authentication stack to use spnego as template
      Uncheck and recheck to make the modules in the login stack correct

  • Slide 24/31

    SPNego Wizard - Client configuration

    Configure IE
      Add to Local Intranet sites
      Disable HTTP proxy for requests to
      Enable Windows Integrated Authentication
      Restart browser

  • Slide 25/31

    SPNego authentication fallback and Result

    The key to getting the basic auth fallback to work is to apply note 1007227.

    IE6
      SPNego: OK
      Basic fallback with Integrated Windows Auth set: double login screen with UNKNOWN_ERROR; hit F5 to refresh and the login screen is correct. Login works with username and password whether you hit F5 or not. The UNKNOWN_ERROR is scheduled to be fixed in SPS12; since this is a usability error and not a critical error, no backport will be provided.
      Basic fallback without Integrated Windows Auth set: OK, login with user id and password

    IE7 (supported SPS10 and later):
      Same as IE6

    Firefox
      General supported browser information will be documented in note 994791
      SPNego: OK, configured according to http://www.mozilla.org/projects/netlib/integrated-auth.html
      Basic fallback with the steps from http://www.mozilla.org/projects/netlib/integrated-auth.html configured: result identical to IE6 2nd bullet
      Basic fallback without those steps configured: OK, login with user id and password


  • Slide 27/31

    Demo

    Demo the SPNego Wizard

    Reverse Proxy Scenario


  • Slide 29/31

    Summary

    Prerequisites:
      NetWeaver J2EE 6.40 SP15 or higher
      NetWeaver 2004s J2EE SP6 or higher

    SPNego enables single sign-on (SSO) from your Windows desktop workstation to SAP business applications such as Portal, Web Dynpro and ABAP-based systems.

    SPNego efficiently and securely authenticates users directly to the SAP NetWeaver J2EE application server, leveraging the Kerberos security standard, which is a built-in capability of a Microsoft environment.


  • Slide 31/31

    Further Information

    Public Web
      SAP Developer Network: www.sdn.sap.com
      + SAP NetWeaver Platform Security
      NetWeaver Developers Guide: http://www.sdn.sap.com/irj/sdn/developersguide

    SAP Service Marketplace:
      http://service.sap.com/security
      http://service.sap.com/securityguide
      http://service.sap.com/ais
      http://www.sap.com/germany/company/revis/infomaterial/index.epx

    Related SAP Education Training Opportunities: http://www.sap.com/education/
      ADM960, Security in SAP System Environment