Former Member

Cross-domain authentication using SPNEGO

Hi Experts,

Consider this scenario.

Case 1:

There are 2 domains (forests), Domain A and Domain B.

SAP users are located in Domain A, while AS-JAVA server is located in Domain B.

There is a One Way Forest Trust (OWFT) between Domain A and Domain B, in which Domain A is the trusted domain, while Domain B is the trusting domain.

AS-JAVA is using Active Directory (Domain B) as the UME data source.

We run ‘setspn’ in Domain B for the AS-JAVA resource.

We create the Kerberos Realm in AS-JAVA for Domain B.

Would this SSO configuration work?

In this scenario, what would be the KPN (principal@REALM) of the user? Is it principal@DomainA or principal@DomainB?

Another side question I have:

When configuring SPNEGO authentication, is there a step where we need to connect from AS-JAVA to the LDAP (AD) server?

Can this connection be secured using LDAPS on port 636/tcp?

Thanks in advance.

Best Regards.


1 Answer

Dec 23, 2014 at 08:03 AM

    The principal name of the user would be <user>@DOMAINA since you said that users are in Domain A. If a user is in Domain C then their principal name would be <user>@DOMAINC ...

    The server doesn't connect to AD, since it just receives a token from browser and decrypts it, so no need for any server to connect to AD.

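The answer above points out that the server only receives and decrypts the token the browser sends. When cross-domain SSO fails, the first thing a practitioner wants to check is what that token actually offers: a SPNEGO NegTokenInit whose mechanism list starts with (or contains only) NTLMSSP means the browser could not get a Kerberos ticket for the SPN, which points at the realm, SPN or trust setup rather than at any LDAP connection from AS-JAVA. The Python below is an added example, not part of this thread or of SAP's code. It builds constructed sample `Authorization: Negotiate` values (no real tickets) and parses them following the DER layout of RFC 2743 (InitialContextToken) and RFC 4178 (NegTokenInit); the OID constants are the standard ones, and `build_negotiate_token`, `offered_mechanisms` and `classify` are names chosen for this example.

```python
"""Inspect the value of an 'Authorization: Negotiate' header and report which
GSS mechanisms it offers.  Added example; the sample tokens are constructed
here and carry no real Kerberos or NTLM material."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag/length/value triple (short or long length form)."""
    length = len(value)
    if length < 0x80:
        return bytes([tag, length]) + value
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the real length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def _decode_oid(value: bytes) -> str:
    """Inverse of _encode_oid for the value bytes of an OBJECT IDENTIFIER."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_negotiate_token(mech_oids, mech_token: bytes = b"") -> str:
    """Build a base64 Negotiate header whose NegTokenInit lists mech_oids in
    preference order.  Constructed test data only: mech_token is opaque bytes,
    not a Kerberos AP-REQ."""
    mech_list = _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    fields = _tlv(0xA0, mech_list)                      # [0] mechTypes
    if mech_token:
        fields += _tlv(0xA2, _tlv(0x04, mech_token))    # [2] mechToken
    neg_token_init = _tlv(0xA0, _tlv(0x30, fields))     # CHOICE [0] NegTokenInit
    inner = _encode_oid(SPNEGO_OID) + neg_token_init    # thisMech + innerToken
    return base64.b64encode(_tlv(0x60, inner)).decode()


def offered_mechanisms(header_value: str) -> list:
    """Return the mechanism OIDs offered by a Negotiate token, most preferred
    first.  A raw NTLMSSP message or a bare Kerberos token (no SPNEGO wrapper)
    is reported as a one-item list."""
    raw = base64.b64decode(header_value)
    if raw.startswith(b"NTLMSSP\x00"):  # browser sent NTLM without SPNEGO
        return [NTLMSSP_OID]
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("missing thisMech OID")
    mech = _decode_oid(oid)
    if mech in (KRB5_OID, MS_KRB5_OID):
        return [mech]  # bare Kerberos AP-REQ, no negotiation
    if mech != SPNEGO_OID:
        raise ValueError("unexpected mechanism " + mech)
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit, got NegTokenResp")
    _, seq, _ = _read_tlv(neg, 0)
    tag, mech_list, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("NegTokenInit without mechTypes")
    _, items, _ = _read_tlv(mech_list, 0)
    oids, p = [], 0
    while p < len(items):
        _, v, p = _read_tlv(items, p)
        oids.append(_decode_oid(v))
    return oids


def classify(header_value: str) -> str:
    """'kerberos' if the preferred mechanism is Kerberos (SSO can succeed),
    'ntlm' if the browser fell back to NTLM (no ticket for the SPN: check the
    realm, the SPN and the trust direction), 'unknown' otherwise."""
    first = offered_mechanisms(header_value)[0]
    if first in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if first == NTLMSSP_OID:
        return "ntlm"
    return "unknown"


if __name__ == "__main__":
    good = build_negotiate_token([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x01\x02")
    fallback = build_negotiate_token([NTLMSSP_OID])
    for label, tok in (("healthy", good), ("fallback", fallback)):
        print(label, classify(tok), offered_mechanisms(tok))
```

Feed `offered_mechanisms` the base64 part of a real `Authorization: Negotiate ...` header captured from a browser trace (the value after the word `Negotiate`); a Windows browser that holds a ticket for the service lists `1.2.840.48018.1.2.2` first, while a list starting with `1.3.6.1.4.1.311.2.2.10` or a raw `TlRMTVNT...` value shows the NTLM fallback the server cannot accept for Kerberos SSO.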