Single Sign-On with local installation

Hi there,

we are actually planning the roll-out of SAP SSO 3.0 for our SAP servers (Windows based + Active Directory / Kerberos).

The SAP servers are a local installation (not members of a domain). Is membership of a domain a prerequisite, or is it also sufficient if a domain user is available for the communication with Active Directory?

Best regards!

4 Answers

  • Best Answer
    Jul 15 at 01:05 PM

    Hello Marc,

    with SAP Single Sign-On 3.0 there is no need to consider a domain membership for an SAP server. The only link between the AD and SAP is the keytab file, which is generated during the setup on the SAP system. Here you specify which domains you will trust. That can be one or many, in case you have no trusts between the domains/forests.

    Nevertheless, the validation always takes place offline, so no communication between SAP and an AD domain controller is required in any case. Validation means decryption of the Service Ticket (ST) received from the KDC on the basis of the SPN registered on the AD service user account generated for the SAP server. STs are always encrypted by the KDC, and as both share the same symmetric key, the decryption takes place.

    Often SAP system operation has been outsourced and the SAP servers are integrated into the management domain of the organization hosting the SAP landscape. Even in such a case, SAP users from different organizations can work with the same system, in the respective client, with Kerberos. Technically, by having the PSE containing the keytabs, the SAP systems trust all domains, although there is no trust between the domains themselves. More input here

    Cheers Colt

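The offline validation described in the answer above, as an added model that is not part of the original thread or of SAP's code: each realm's KDC seals the service ticket with the SAP service account's key, and the SAP server validates it using nothing but the matching keytab entry (selected by realm and key version), so two forests with no trust between each other are both accepted and no domain controller is contacted. The SPN, realm names, principals and keys are constructed, and SHA-256 counter mode with an HMAC stands in for the Kerberos encryption types.

```python
import hashlib, hmac, json, os, time

SPN = "SAP/sapsrv01"  # hypothetical SPN registered on the AD service account for the SAP server

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 counter-mode keystream XOR; a stand-in for Kerberos AES-CTS (constructed model)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def kdc_issue_ticket(kdc_keys: dict, realm: str, client: str, now: float, lifetime: int = 600) -> dict:
    # The realm's KDC encrypts the service ticket with the key of the SPN's service account.
    kvno, key = kdc_keys[(SPN, realm)]
    nonce = os.urandom(16)
    enc = _xor(key, nonce, json.dumps({"client": client, "endtime": now + lifetime}).encode())
    tag = hmac.new(key, nonce + enc, hashlib.sha256).digest()
    return {"realm": realm, "kvno": kvno, "nonce": nonce, "enc": enc, "tag": tag}

def sap_validate_ticket(keytab: dict, ticket: dict, now: float) -> str:
    # Offline validation on the SAP server: only the keytab is consulted, never a DC.
    key = keytab.get((SPN, ticket["realm"], ticket["kvno"]))
    if key is None:
        raise KeyError(f"no keytab entry for {SPN}@{ticket['realm']} kvno {ticket['kvno']}")
    expected = hmac.new(key, ticket["nonce"] + ticket["enc"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("ticket does not decrypt with the keytab key")
    body = json.loads(_xor(key, ticket["nonce"], ticket["enc"]))
    if body["endtime"] < now:
        raise ValueError("ticket expired")
    return body["client"]

# Constructed sample: two forests with no trust between them, each holding its own
# key (and key version) for the SAP service account; the SAP keytab holds both entries.
KDC_KEYS = {(SPN, "CORP.EXAMPLE"): (2, hashlib.sha256(b"corp-secret").digest()),
            (SPN, "PARTNER.EXAMPLE"): (1, hashlib.sha256(b"partner-secret").digest())}
SAP_KEYTAB = {(SPN, realm, kvno): key for (_, realm), (kvno, key) in KDC_KEYS.items()}

def demo(now: float = None) -> list:
    # Users from both realms authenticate to the same SAP server without any DC round trip.
    now = time.time() if now is None else now
    results = []
    for realm, client in (("CORP.EXAMPLE", "alice"), ("PARTNER.EXAMPLE", "bob")):
        ticket = kdc_issue_ticket(KDC_KEYS, realm, client, now)
        results.append((realm, sap_validate_ticket(SAP_KEYTAB, ticket, now)))
    return results

if __name__ == "__main__":
    print(demo())
```

A ticket from a realm whose key is missing from the keytab, a tampered ticket, or an expired one is rejected locally for the same reason it is accepted locally: the keytab key is the only thing the server has and needs.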

  • Jul 15 at 12:40 PM

    Hi,

    You can check this blog below. I don't think it is required to be in the same domain.

    https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

    Best Regards

    Imran


  • Jul 15 at 12:54 PM

    Hi Imran,

    thanks for the link. Unfortunately I could not find a hint as to whether a domain membership of the SAP server is necessary.

    So if there is anyone out there who has already successfully connected a non-domain SAP server, that would be very helpful. The transformation of a local installation into a domain installation is not that easy and will result in additional costs which we want to avoid.


  • Jul 16 at 10:32 AM

    Hi Carsten!

    Thank you so much for your response. That's great news for us, as we want to avoid extra costs for transferring the local SAP installation into a domain installation.

    As far as I understood - after reading the blog you referred to - there is no direct communication between the SAP system and a domain controller. Only the client itself sends domain requests, and the SAP system has to have the correct keytab. So this scenario is just perfect and I think we can go ahead with the planned SSO rollout :-)

    Thanks for your explanation and best regards!
