Former Member

Kerberos (SSO): throw RC4 away, adopt AES!

Hello,

We can find on "SAP Community" site many nice tutorials explaining how to configure "Windows AD" authentication + SSO.

Some of them are quite old or are recent copies from parts of old ones.

In the Kerberos configuration file "krb5.ini", they all give the RC4 algorithm as the encryption type to be used. That was true with "Windows Server 2003"...

/!\ But be careful: in 2015 and soon 2016, RC4 is no longer considered a secure encryption algorithm /!\

Assuming nobody uses "Windows Server 2003" anymore, I would strongly suggest you modify the "krb5.ini" sample files like this:

Replace:

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

with:

default_tgs_enctypes = aes128-cts-hmac-sha1-96

default_tkt_enctypes = aes128-cts-hmac-sha1-96

or, even better (requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 7 or 8):

default_tgs_enctypes = aes256-cts-hmac-sha1-96

default_tkt_enctypes = aes256-cts-hmac-sha1-96

In fact, it's Microsoft's recommendation for "Windows Server 2008 R2" and above.

I've tested SAP/BO BI4.1 SP7 + AES-128 and AES-256 for Kerberos on Windows 2008 R2 and 2012 R2: it works great!

In fact, it would be nice if the authors of the tutorials could modify them and add this security update.

Don't joke with security! ;o)

Regards,

Stephane.
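The post above gives the krb5.ini lines to replace. The following script is an added example (not from the original post or from SAP): it reads a krb5.ini, reports every enctype setting that still lists RC4 or DES, and rewrites those settings to the AES enctypes the post recommends while leaving the rest of the file (realm, KDC, lookup flags) untouched. The embedded SAMPLE_KRB5_INI is a constructed file modelled on the old RC4-based tutorials; the realm and KDC names in it are placeholders.

```python
"""Audit a krb5.ini for weak Kerberos enctypes and rewrite the enctype
settings to AES.

Added example, not part of the original post. SAMPLE_KRB5_INI is a
constructed file; DOMAIN.INTERNAL and dc1.domain.internal are placeholders.
"""
import re
import sys

# Enctypes that should no longer appear in a krb5.ini: RC4 and single DES,
# plus the aliases MIT/Java accept for them.
WEAK_ENCTYPES = {
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
}
# [libdefaults] settings that carry enctype lists.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample resembling the krb5.ini shipped with older SSO tutorials.
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
DOMAIN.INTERNAL = {
  kdc = dc1.domain.internal
  default_domain = domain.internal
}
"""

# "key = value" lines. Realm blocks such as "DOMAIN.INTERNAL = {" do not
# match because the key pattern allows no dots.
_KV = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(.*?)\s*$")


def _split_enctypes(value):
    """krb5 enctype lists may be separated by spaces or commas; compare lower-case."""
    return [v for v in re.split(r"[\s,]+", value.lower()) if v]


def audit_enctypes(text):
    """Return (line_no, key, weak_enctypes) for every enctype setting that lists a weak type."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _KV.match(line)
        if not m or m.group(2) not in ENCTYPE_KEYS:
            continue
        weak = [v for v in _split_enctypes(m.group(4)) if v in WEAK_ENCTYPES]
        if weak:
            findings.append((n, m.group(2), weak))
    return findings


def harden_enctypes(text, enctypes=("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")):
    """Rewrite every enctype setting to the given AES list; all other lines are kept as-is.

    AES-256 needs the JCE unlimited-strength policy files on Java 7/8, as the
    post notes; pass enctypes=("aes128-cts-hmac-sha1-96",) where they are absent.
    """
    out = []
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2) in ENCTYPE_KEYS:
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{' '.join(enctypes)}"
        out.append(line)
    return "\n".join(out) + "\n"


def main(argv):
    # Usage: python krb5_audit.py [path\to\krb5.ini]; without a path the sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_KRB5_INI
    for n, key, weak in audit_enctypes(text):
        print(f"line {n}: {key} lists weak enctype(s): {', '.join(weak)}")
    print("--- hardened ---")
    print(harden_enctypes(text), end="")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real krb5.ini before and after the change: the audit should list the two rc4-hmac lines first and nothing afterwards. Changing krb5.ini alone is not enough if the service account's keytab and its AD account still only carry RC4 keys; those are covered in the ktpass discussion further down.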



4 Answers

  • Posted on Sep 02, 2016 at 10:31 PM

    Hello All,

    Use this document to configure SSO

    SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)

    Regards,

    Yogesh


  • Former Member
    Posted on Dec 28, 2015 at 03:37 PM

    Petit,

    Thank you for providing this information. I have implemented this in my test environment and no issues so far.

    My environment details: SAP/BO BI4.1 SP6 + AES-256 for Kerberos on 2012 R2.

    If you are okay with it, I will create a blog post or document with the information you provided for others to take advantage of. Let me know.


  • Former Member
    Posted on Apr 29, 2016 at 07:06 PM

    What about the ktpass command?

    ktpass -out bosso.keytab -princ biservice@DOMAIN.INTERNAL -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT


    Replace RC4-HMAC-NT with aes128-cts-hmac-sha1-96?


    Thanks
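The ktpass -crypto switch does not take the krb5.ini enctype names: its AES values are AES128-SHA1 and AES256-SHA1 (the RC4 one being RC4-HMAC-NT). A third spelling of the same choice lives on the AD account itself, the msDS-SupportedEncryptionTypes bitmask, which decides what key types the KDC uses for service tickets to that account; if it is unset the KDC falls back to RC4 regardless of what krb5.ini asks for. The script below is an added example (not from the thread or from Microsoft) that maps between the three and builds the AES variant of the ktpass line from the question. It reuses the principal and keytab name from the question; the password is a placeholder, and -kvno is only emitted when given because it has to match the account's actual key version.

```python
"""Translate Kerberos enctype names between krb5.ini, ktpass -crypto and the
AD attribute msDS-SupportedEncryptionTypes, and compose an AES ktpass command.

Added example, not from the original thread. Principal/keytab follow the
question; "<password>" is a placeholder to replace before running ktpass.
"""

# krb5 name -> (RFC 3961 enctype number, ktpass -crypto value,
#               msDS-SupportedEncryptionTypes bit)
ENCTYPES = {
    "des-cbc-crc":             (1,  "DES-CBC-CRC", 0x01),
    "des-cbc-md5":             (3,  "DES-CBC-MD5", 0x02),
    "rc4-hmac":                (23, "RC4-HMAC-NT", 0x04),
    "aes128-cts-hmac-sha1-96": (17, "AES128-SHA1", 0x08),
    "aes256-cts-hmac-sha1-96": (18, "AES256-SHA1", 0x10),
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}


def ktpass_crypto(krb5_name):
    """The -crypto value ktpass expects for a krb5.ini enctype name."""
    return ENCTYPES[krb5_name.lower()][1]


def supported_enctypes_mask(krb5_names):
    """Bitmask to store in msDS-SupportedEncryptionTypes so the KDC issues these key types."""
    mask = 0
    for name in krb5_names:
        mask |= ENCTYPES[name.lower()][2]
    return mask


def decode_supported_enctypes(mask):
    """krb5 names for the bits set in an msDS-SupportedEncryptionTypes value, weakest first."""
    return [name for name, (_, _, bit) in ENCTYPES.items() if mask & bit]


def build_ktpass(principal, keytab, password, krb5_name, kvno=None):
    """Compose the ktpass command for an AES keytab; refuses RC4 and DES outright."""
    if krb5_name.lower() in WEAK:
        raise ValueError(f"{krb5_name} is a weak enctype; use an AES enctype")
    args = ["ktpass", "-out", keytab, "-princ", principal, "-pass", password,
            "-ptype", "KRB5_NT_PRINCIPAL", "-crypto", ktpass_crypto(krb5_name)]
    if kvno is not None:
        # Must equal the account's current key version (msDS-KeyVersionNumber),
        # otherwise the service cannot find the key for incoming tickets.
        args += ["-kvno", str(kvno)]
    return " ".join(args)


if __name__ == "__main__":
    aes = ["aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"]
    print("msDS-SupportedEncryptionTypes for AES only:", supported_enctypes_mask(aes))
    print("account currently set to 0x1C allows:", decode_supported_enctypes(0x1C))
    print(build_ktpass("biservice@DOMAIN.INTERNAL", "bosso.keytab", "<password>",
                       "aes256-cts-hmac-sha1-96", kvno=255))
```

After regenerating the keytab, confirm the account side with Get-ADUser biservice -Properties msDS-SupportedEncryptionTypes; a value of 24 (0x18) means AES only, while 28 (0x1C) still permits RC4. Set-ADUser biservice -KerberosEncryptionType AES128,AES256 sets it without hand-computing the mask.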


  • Former Member
    Posted on May 19, 2016 at 09:25 PM

    Stéphane,

    When you set up Windows AD on 2012 Server, where did you place the bscLogin.conf and krb5.ini files? The root of C:\ and the system directory structures, including C:\Windows, are protected by default; after speaking with the infrastructure folks, they recommended finding some other folder to place these files in.

    If these files are placed in a different folder apart from C:\Windows, do you know what config files need to be modified in order for the default Java program to look C:\Windows\

    Appreciate your help

