on 05-16-2022 9:39 AM
Dear All,
Currently implementing AD SSO on Tomcat with SAP BI 4.3 SP1, and my manual AD logon works fine. However, my SSO fails [I am prompted with the logon screen] with the message below in stdout.log:
com.wedgetail.idm.sso.ConfigException: All SPNs failed verification.
com.businessobjects.webpath.rebean3ws.Activator
setspn -s HTTPS/BISERVERNAME SERVICEACCOUNT
setspn -s HTTPS/BISERVERNAME.FQDN SERVICEACCOUNT
Can anyone advise whether HTTPS is supported, or should we use HTTP for creating the Tomcat SPNs?
Many thanks in advance.
Best Regards
Sheik
In Windows 2019 AD, we had to download the fix and change the HTTPS SPN to HTTP to be able to perform SSO on top of SSL in Tomcat/SAP BI 4.3 SP1 Patch 12.
However due to Kerberoasting and security issues our AD and Security team is unwilling to approve the HTTP SPN in Production environment.
Can SAP developers or authentication gurus clearly state whether creating HTTPS as the SPN for the Service Account in a Windows AD 2019 domain is supported? If not, will it ever be supported, and by when?
Many thanks in advance.
Kind Regards
Sheik
HTTPS SPN is not required. The SSL on Tomcat will secure the HTTP.
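The answer above can be checked mechanically: a Windows Kerberos client derives the SPN from the host in the URL with the fixed service class HTTP, whatever the scheme or port, so an HTTPS/ SPN is never requested. This is an added Python example, not code from the thread or from SAP; the setspn output, account and host names are constructed.

```python
"""Derive the SPN a Windows browser requests for a BI launchpad URL and
compare it with the SPNs registered on the service account."""
from urllib.parse import urlsplit

# Constructed sample of `setspn -L SERVICEACCOUNT` output (hypothetical names).
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=svc-bi,OU=Service Accounts,DC=corp,DC=example:
        HTTPS/BISERVERNAME
        HTTPS/BISERVERNAME.corp.example
        BICMS/BISERVERNAME.corp.example
"""


def expected_spn(url: str) -> str:
    """SPN a Windows Kerberos client (SSPI) asks a ticket for, given a web URL.

    The service class is always HTTP: the scheme (http/https) and the port are
    not part of the default SPN, so TLS on Tomcat does not change it.
    """
    host = urlsplit(url).hostname  # lowercased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}"


def registered_spns(setspn_output: str) -> set[str]:
    """Parse the indented SPN lines of `setspn -L` output; SPNs are case-insensitive."""
    return {
        line.strip().upper()
        for line in setspn_output.splitlines()
        if line.startswith((" ", "\t")) and "/" in line
    }


def check_spns(urls, setspn_output):
    """Return (missing, never_requested): expected HTTP/ SPNs that are not
    registered, and registered HTTPS/ SPNs that no browser will ever request."""
    have = registered_spns(setspn_output)
    want = {expected_spn(u).upper() for u in urls}
    missing = sorted(want - have)
    never_requested = sorted(s for s in have if s.startswith("HTTPS/"))
    return missing, never_requested


if __name__ == "__main__":
    urls = ["https://BISERVERNAME.corp.example:8443/BOE/BI", "http://biservername/BOE/BI"]
    missing, unused = check_spns(urls, SETSPN_OUTPUT)
    print("missing SPNs (register these):", missing)
    print("HTTPS/ SPNs no client will request:", unused)
```

Kerberoasting exposure comes from having any SPN registered on a password-based account, regardless of service class, so HTTPS/ versus HTTP/ does not change it; a long random service-account password and AES-only encryption types are the relevant mitigations.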
I did follow KB 2629070 and modified my registry.
The question is whether SAP supports/recommends HTTPS when creating the SETSPN for Tomcat.
In the above KB you will see all the Tomcat SPNs are with HTTP, and nowhere have I seen HTTPS.
setspn -s HTTPS/BISERVERNAME SERVICEACCOUNT
I'm sure doing