Solved: Kerberos Workflow Authentication

Hello @ll,

I am interested in workflow authentication using the Kerberos ticket, the Identity Centre supports this method. I have thus far not found any implementation guides. Is there anybody is who is more familar with this system, who can assist me.

Chris

SAP Managed Tags:
SAP Identity Management

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Accepted Solutions (1)

Chris,

My specialist area with SAP products is related to Kerberos, but I am not familiar with what you are describing. Can you provide more details to explain what you are looking to acheive ?

Regards,

Tim

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello,

when you open the properties of the Identity Store in the Identity Center you see the workflow-register. Here you can choose a lot of authentication methods.Here and in some whitepaers we saw that the Workflow of SAP NW Identity Center supports Kerberos Authentication. We want to replace the WORKFLOW LOGIN with username/pw(Authentication method: Identity Store) by the kerberos authentication ticket from our domain controller (authentication method: Kerberos). But I dont know were to reference to our ad domain controller where a user has a kerberos ticket after windows login.

Chris

Chris,

Thankyou - this helps a lot.

I know this might sound like a silly question, but can you confirm what platform the Identity Center is running on ? e.g. is it installed on NetWeaver, or running on a standalone web server, or something else ?

Also, can you provide me with links to some of the white papers you mentioned ?

Regards,

Tim

Hello,

we run SAP NW Identity Center 7.0 SP2 (former MaXware) on a MS Server 2003 OS with MS SQL 2005 for the Idnetity Store. The Workflow Engine is running on a MS Server 2003 Webserver (IIS).

BR Chris

here is the link to the Security Guide:

https://www.sdn.sap.com/irj/sdn/nw-identitymanagement

("product information")

Chris,

ok, I thought this might be the case. The Kerberos authentication into any application running on IIS is setup by enabling Integrated Windows Authentication on IIS website and also in browser. Have you done this ? If you have, when user logs onto workstation and then opens a page on the IIS server they will be authenticated using the domain account they logged onto their workstation with.

Regards,

Tim

Chris,

Thankyou for the document link. As you said, it appears there is very limited information about the different authentication methods supported. However, as I said in my last post, when using IIS the IIS web server is handling the authentication of users, so this is where I suggest you enable IWA to allow you to get Kerberos authentication to work. I cannot think how the product could authenticate in any other way unless there is an ISAPI filter installed in the IIS webserver, just to handle workflow authentication - I doubt this is the case.

Thanks,

Tim

Thanks for your reply,

I did this yesterday:

1. enabled IWA in ISS

2. enabled IWA in IE

3. Kerberos as authentication method in the Identiy Center

missing:

But I think the networkuser has to be in the Identity Center as unique id (but I am not sure)

I will test this later...

Edited by: Christoph Reckers on Jun 25, 2008 11:32 AM

Edited by: Christoph Reckers on Jun 25, 2008 11:37 AM

Chris,

The domain user you are logged onto Windows workstation as will be used to log you onto the IIS application when IWA is used, so you need to make sure that this user exists in the application. If it doesn't you might get a popup signon screen from browser, which will likely not work unless you have also enabled other forms of authentication in IIS.

Regards,

Tim

Answers (1)

...I will test later

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Ask a Question

Top Q&A Solution Author

User

Count

Kerberos Workflow Authentication

Accepted Solutions (1)

Accepted Solutions (1)

Answers (1)

Answers (1)

Auto close/update all open Notifications work orde...

Re: SAP BW - Master Data Delta Load

Re: Change header field of purchase order on save

Input Control Sizing Not Working

Re: FB60 does not post. No error message is displa...