Skip to Content

Strip REALM from Kerberos Ticket for SPNEGO (ICM)

Dear Experts,

at a customer we want to authenticate to Fiori Launchpad using SPNEGO. For SAP GUI we use X.509 certificates, issued with CN=<USERNAME>

As the SPNEGO is using the SU01 SNC-Name we need to make sure the value e. g. p:CN=<USERNAME>@DOMAIN is the same for both. This works if we issue certificates using the SLS in this way: CN=<USERNAME>@DOMAIN

We want to avoid chaning the current user certificates and to make use of SPNEGO in parallel for WDA (ICM).

Now we are looking for a way to strip the REALM part from the kerberos ticket received from the client e.g. <USERNAME>@DOMAIN and to use the Principal part only. According to SAP note 2338952 - CommonCryptoLib 8.5: Configuration Profile Parameters, we set the parameter ccl/snc/server_partner_name_kerb = PrincipalOnly.

Now we expected to receive a kerberos ticket which is stripped by inner functions of the crypto library to <USERNAME> before compared with the SNC Name stored in USRACL, which we changed from p:CN=<USERNAME>@DOMAIN to p:CN=<USERNAME>

THIS WORKS FOR SAP SUI (SNC). Unfortunately this does not seem to work for ICM!!

Question: Is there any setting available to enable name conversion for the SPNEGO authentication on the ICM? If not pls. consider this as a feature request, even with very old AS Java SPNEGO it is possible to configure Principal only mappings. I would love to have something in the SPNEGO transaction of the AS ABAP or in spnego/construct_SNC_name.

Regards, Carsten

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Jul 27, 2017 at 04:54 AM

    We implemented a workaround, similar to this steps:

    1. on the SLS issue the certificate with (AUTH:UPN) in the SAN
    2. on all AS ABAP set ccl/snc/server_partner_name_x509 = UserPrincipalNameOrSubject
    3. on all AS ABAP adjust SNC-Name from p:CN=<USERNAME> to p:CN<USERNAME>@DOMAIN

    If there is an easier way to achieve this without changing the SNC Names in all AS ABAP please let me know.

    Cheers, Carsten

    Add comment
    10|10000 characters needed characters exceeded