Jul 26, 2017 at 01:50 PM

Strip REALM from Kerberos Ticket for SPNEGO (ICM)

359 Views Last edit Jul 28, 2017 at 11:58 AM 3 rev

Dear Experts,

At a customer we want to authenticate to Fiori Launchpad using SPNEGO. For SAP GUI we use X.509 certificates, issued with CN=<USERNAME>.

As SPNEGO is using the SU01 SNC-Name, we need to make sure the value, e.g. p:CN=<USERNAME>@DOMAIN, is the same for both. This works if we issue certificates using the SLS in this way: CN=<USERNAME>@DOMAIN

We want to avoid changing the current user certificates and to make use of SPNEGO in parallel for WDA (ICM).

Now we are looking for a way to strip the REALM part from the Kerberos ticket received from the client, e.g. <USERNAME>@DOMAIN, and to use the Principal part only. According to SAP note 2338952 - CommonCryptoLib 8.5: Configuration Profile Parameters, we set the parameter ccl/snc/server_partner_name_kerb = PrincipalOnly.

Now we expected to receive a Kerberos ticket which is stripped by inner functions of the crypto library to <USERNAME> before being compared with the SNC Name stored in USRACL, which we changed from p:CN=<USERNAME>@DOMAIN to p:CN=<USERNAME>.

THIS WORKS FOR SAP GUI (SNC). Unfortunately this does not seem to work for ICM!!

Question: Is there any setting available to enable name conversion for the SPNEGO authentication on the ICM? If not, please consider this as a feature request; even with very old AS Java SPNEGO it is possible to configure Principal-only mappings. I would love to have something in the SPNEGO transaction of the AS ABAP or in spnego/construct_SNC_name.

Regards, Carsten