on 07-24-2020 4:43 AM
We are required to change the password of the Kerberos User Principal used in our SAP GUI Single Sign On. Aside from changing the password in SPnego, what else needs to be done?
Hi Redjie,
hope this information is helpful.
Every network service to which a user can authenticate must have a service principal with an appropriate key. The network service (here SAP) must have a copy of this key on the system so that it can check the identity of a user. This key is saved in a specially formatted file, which is called the keytab. Several keys can be stored in a keytab file, either several keys for the same service principal or keys for several different service principals. The keytabs are stored in the database in the SAP system (SPNEGO).
Note: If possible, all service accounts should be excluded from regular password changes and should never expire. The passwords should be chosen to be as complex as possible. If such passwords have to be changed regularly (like every 12 months), this would have to be coordinated between the security team (Active Directory) and the SAP team.
The procedure can be carried out in advance by the SAP administrators by creating the corresponding keytab in the respective SAP system with the new password. Also, SAP provides version management in the transaction SPNEGO, which also retains old versions and thus enables the old and the new password of the same service account to be used in parallel to decrypt tickets.
Cheers Colt
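An added example, not part of the reply above and not SAP code: a reader for the standard MIT keytab file format (version 0x0502) that lists which key versions (kvno) are held per service principal, which is how you can confirm that the old and the new key sit side by side after a password change. It assumes the keytab is available as a file in that format; the principal name, realm and all-zero key bytes in the sample are constructed.

```python
import struct

def _counted(buf, off):  # big-endian uint16 length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry of a 0x0502 keytab; key bytes are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                   # negative size: hole left by a deleted entry
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode())
        p += 8                          # skip name type and timestamp
        kvno = rec[p]                   # 8-bit key version number
        (etype,) = struct.unpack_from(">H", rec, p + 1)
        _key, p = _counted(rec, p + 3)  # step over the key itself
        if len(rec) - p >= 4:           # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return entries

def versions_by_principal(entries):
    """Map each principal to the sorted key versions (kvno) stored for it."""
    out = {}
    for principal, kvno, _etype in entries:
        out.setdefault(principal, set()).add(kvno)
    return {name: sorted(v) for name, v in out.items()}

def _entry(principal, realm, kvno, etype, key):  # builds one constructed sample entry
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: old (kvno 3) and new (kvno 4) AES-256 keys (enctype 18), dummy all-zero key bytes
SAMPLE = b"\x05\x02" + b"".join(
    _entry("SAP/ExampleService", "EXAMPLE.COM", k, 18, bytes(32)) for k in (3, 4))
```

Calling `versions_by_principal(parse_keytab(SAMPLE))` shows both versions for the one principal; a keytab that lists only the old kvno after the account password was changed will not decrypt newly issued tickets.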