
Using Kerberos for SNC in a multi-domain multi-forest environment with two-way trusts

Hi all,

I need your advice. We got a customer with multiple AD domains, which trust each other (two-way trust). So assume we have corporation.com as a resource domain (root) on the top level and we have corporation.de as well as corporation.uk and corporation.fr as child domains for Germany, the UK and France.

We now need to set up SNC based on Kerberos (and SPNEGO for web) for the SAP landscape of that customer.

Question:

Do we need to create a keytab for every single domain or is it sufficient to create just one Service Account for each SAP system in the root domain and register the SPNs only in the root domain?

Idea:

For SNC on the SAP system we would create a SAPSNCSKERB.pse containing only the one keytab for ServiceAccount@CORPORATION.COM and set the SPN to SAP/<SID>.

I would assume that users from CORPORATION.DE would be able to connect to the SAP system via SNC as well, in the following way:

  1. The SNC Name of the SAP Server is e.g. snc/identity/as = p:CN=<SID>, O=Corporation
  2. The client would use <SID> as the SPN and query its KDC for SAP/<SID>@CORPORATION.DE
  3. The KDC of CORPORATION.DE does not find an SPN but asks the global catalog (forest wide)
  4. …some AD magic happens...?
  5. The client gets the Service Ticket from the root domain issued for USER@CORPORATION.DE but encrypted with the password of the ServiceAccount@CORPORATION.COM which in turn can be decrypted by the SAP AS using its keytab/PSE.
  6. The service ticket contains the Kerberos Principal Name <sAMAccountName@DOMAIN> of the user

Would that work?

Thanks, Carsten


3 Answers

  • Best Answer
    Feb 22 at 10:21 AM

    Hi!

    As promised we now have tested this and here is the result.

    In scenarios where you have a two-way forest trust or a single-forest environment with multiple child domains (transitive trusts), you only need to create the service account and register the SPN for SPNego and SNC in the forest root domain. Even for SNC, we created the SAPSNCSKERB.pse with only the keytab from the forest root domain.

    However, in order to allow clients from different trusted AD forests to request a service ticket for the Kerberos service (SPN) in the trusted forest root domain, you need to make sure to add the domain name to the SNC name in SAP Logon.

    Example: p:CN=<SID>@FORESTROOTDOMAIN.TLD

    Whether you have clients in the same forest or in different forests, they will be able, via the SLC, to obtain the service ticket by asking the global catalog servers.

    Hope my contribution helps other customers and partners to successfully manage multi-domain/multi-forest implementations while keeping the effort for the user and SPN creation very low.

    Of course, that only applies to trusted forests/domains.

    If there is no such trust, you need to create a separate service user and SPN for each domain. And simply cut the domain from the SNC name in SAP Logon, which forces the SLC to add the current USERDNSDOMAIN of the user. Example: p:CN=<SID>

    It is also quite common that SAP admins have defined their snc/identity/as like an X.509 DN, for example p:CN=<SID>, O=Organization, C=Country

    Don't panic, the solution above will also work in that scenario because the SLC just takes care of the CN part.

    INFO: The only exception applies to the multi-forest/domain solution I mentioned before, when you are using logon groups (message server) where the SNC name is obtained dynamically from the profile parameter of the respective application server. In this situation, you need to make sure the snc/identity/as is set to p:CN=<SID>@FORESTROOTDOMAIN.TLD

    Cheers, Carsten
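    As an added illustration of the rules described in this answer (this is not SAP's or the Secure Login Client's own code, and the helper names, the "only the CN part counts" rule and the USERDNSDOMAIN fallback are assumptions distilled from the post, not a description of the SLC's actual implementation), the following model derives the Kerberos service principal a client would request from a given SNC name, and lists which keytab entries the SAPSNCSKERB.pse would need in the trusted versus untrusted case:

```python
"""
Model of the SNC-name handling described in the answer above.
Added example, not SAP/SLC code. Assumed rules:
  * only the CN component of the SNC name is used for the SPN,
  * "CN=<SID>@REALM" pins the Kerberos realm (the forest root),
  * a CN without "@" makes the client append its own USERDNSDOMAIN,
  * the resulting service principal has the form SAP/<SID>@REALM.
"""
import re

SNC_PREFIX = "p:"          # printable-name prefix used in snc/identity/as
SID_PATTERN = re.compile(r"[A-Z][A-Z0-9]{2}")   # SAP system IDs are 3 characters


def parse_snc_name(snc_name: str) -> dict:
    """Split 'p:CN=PRD@REALM, O=Org, C=DE' into a dict of RDN components."""
    if not snc_name.startswith(SNC_PREFIX):
        raise ValueError("SNC name must start with 'p:'")
    rdns = {}
    for part in snc_name[len(SNC_PREFIX):].split(","):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns[key.strip().upper()] = value.strip()
    if "CN" not in rdns:
        raise ValueError("SNC name has no CN component")
    return rdns


def service_principal_for(snc_name: str, user_dns_domain: str) -> str:
    """
    Return the service principal SAP/<SID>@REALM the client would ask its
    KDC for. user_dns_domain is the client's USERDNSDOMAIN, used only when
    the CN carries no explicit realm.
    """
    cn = parse_snc_name(snc_name)["CN"]
    sid, _, realm = cn.partition("@")
    sid = sid.strip().upper()
    if not SID_PATTERN.fullmatch(sid):
        raise ValueError(f"not a valid SAP system ID: {sid!r}")
    realm = (realm or user_dns_domain).strip().upper()
    return f"SAP/{sid}@{realm}"


def keytab_entries_needed(service_account: str, forest_root: str,
                          client_domains: list, trusted: bool) -> set:
    """
    Which <account>@<REALM> keytab entries the SAPSNCSKERB.pse needs:
    one entry in the forest root when trusts exist, otherwise one service
    account per client domain (as the answer describes for the no-trust case).
    """
    if trusted:
        return {f"{service_account}@{forest_root.upper()}"}
    return {f"{service_account}@{d.upper()}" for d in client_domains}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real landscape.
    print(service_principal_for("p:CN=PRD@CORPORATION.COM", "corporation.fr"))
    print(service_principal_for("p:CN=PRD, O=Corporation, C=DE", "corporation.de"))
    print(keytab_entries_needed("svc-sap-prd", "corporation.com",
                                ["corporation.de", "corporation.uk"], trusted=False))
```

    The two derivation calls show the two cases from the answer: a CN with an explicit realm always yields the forest-root principal regardless of where the user logs on, while a CN without one (including the X.509-style DN) yields a principal in the user's own domain.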


  • Feb 08 at 01:13 PM

  • Feb 08 at 01:36 PM

    Hey Geferson,

    thanks for that. Of course I have already seen the documentation, but it does not contain any helpful details about that. I have also seen Donka's blog, and that is the reason I am asking. Because in her blog she said:

    Option 1: When there is trust between the domains, it is enough to create a service account and to configure the respective Service Principal Name for this account only on the central domain.

    On the other side she said:

    Irrespective of the trust existence between the domains, when we have more than one Microsoft Domain to integrate into our Kerberos/SPNego implementation, it is necessary to create a Keytab for every one of these domains. Such configuration is required because the SAP AS ABAP server has to be configured to trust every one of these domains

    Maybe I am missing something, but my question is: how do I create a keytab for every domain if I only have one service account in the central domain? This is the command to create the keytab: sapgenpse keytab -p SAPSNCSKERB.pse -a <serviceaccountname>@<domain>

    You see the challenge?

    Carsten


    • Hi Geferson,

      no problem, thanks for your answer, I really appreciate it. In the meantime we have made some progress in the project, at least for the SPNego implementation part on AS ABAP and Java. Here it is working with just the one keytab for the forest root domain. All child domains within the same forest and even some other domains/forests (two-way trust) are working as well. It seems the global catalog forwards the client's ST request to the root DC, which knows the SPN; I believe this only works because of the trust.

      Unfortunately, we have not yet managed to test the same for SNC with the Secure Login Client because of delays in the project (permissions, users, ...).

      So you mean to create different keytabs while always using the same password? Sounds interesting and I will try this out; this may be necessary for the SNC part.

      I'll keep you posted.