Former Member
Dec 27, 2015 at 11:47 PM

Kerberos (SSO): throw RC4 away, adopt AES!

Hello,

We can find on "SAP Community" site many nice tutorials explaining how to configure "Windows AD" authentication + SSO.

Some of them are quite old or are recent copies from parts of old ones.

In the Kerberos configuration file "krb5.ini", they all give the RC4 algorithm as the encryption type to be used. That was true with "Windows Server 2003"...

/!\ But be careful, in 2015 and soon 2016, RC4 is no longer considered a secure encryption algorithm /!\

Assuming nobody uses "Windows Server 2003" anymore, I would strongly suggest you modify the "krb5.ini" sample files like this:

Replace:

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

with:

default_tgs_enctypes = aes128-cts-hmac-sha1-96

default_tkt_enctypes = aes128-cts-hmac-sha1-96

or even better (requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 7 or 8):

default_tgs_enctypes = aes256-cts-hmac-sha1-96

default_tkt_enctypes = aes256-cts-hmac-sha1-96

In fact, it's Microsoft's recommendation for "Windows Server 2008 R2" and above.

I've tested SAP/BO BI4.1 SP7 + AES-128 and AES-256 for Kerberos on Windows 2008 R2 and 2012 R2: it works great!

In fact, it would be nice if the authors of tutorials could modify them and add this security update.

Don't joke with security! ;o)

Regards,

Stephane.
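To find a krb5.ini that still carries the RC4 setting described in the post and rewrite its two enctype lines to the AES values given above, here is an added Python example (not part of the post and not SAP or Microsoft code). The sample krb5.ini, the realm EXAMPLE.COM and the KDC host name are constructed; the single-DES enctypes in the weak list are my addition, since they are deprecated as well.

```python
import re

# Constructed sample krb5.ini in the shape the old tutorials ship, still on RC4.
OLD_KRB5_INI = """\
[libdefaults]
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

[realms]
EXAMPLE.COM = {
  kdc = dc01.example.com
}
"""

# The two [libdefaults] keys the post says to change.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")
# Enctypes to flag: RC4 (the post's point, with its MIT aliases) and single DES (assumption).
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                 "des-cbc-crc", "des-cbc-md5"}
AES256, AES128 = "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"

def _libdefaults_lines(krb5_ini):
    """Yield (raw_line, key, values) per line; key is None outside [libdefaults]."""
    section = None
    for raw in krb5_ini.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            yield raw, key.strip().lower(), value.split()  # enctypes are space separated
        else:
            yield raw, None, []

def libdefaults_enctypes(krb5_ini):
    """Enctype lists configured under [libdefaults], keyed by option name."""
    return {key: val for _, key, val in _libdefaults_lines(krb5_ini) if key in ENCTYPE_KEYS}

def audit(krb5_ini):
    """(key, enctype) pairs that are weak; an empty list means nothing to fix."""
    return [(key, enc) for key, encs in libdefaults_enctypes(krb5_ini).items()
            for enc in encs if enc.lower() in WEAK_ENCTYPES]

def harden(krb5_ini, aes256=True):
    """Rewrite both enctype lines to AES (AES-256 needs the JCE unlimited policy on Java 7/8)."""
    new = AES256 if aes256 else AES128
    out = [f"{key} = {new}" if key in ENCTYPE_KEYS else raw
           for raw, key, _ in _libdefaults_lines(krb5_ini)]
    return "\n".join(out) + "\n"
```

Running audit() over the files your BI platform's Java processes actually load (the path set in the JVM options) is the check; harden() produces the replacement text to put in place.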