Skip to Content
1

Kerberos SSO Web based access

Nov 02, 2016 at 09:21 AM

266

avatar image
Former Member

Hello All,

We have plan to configure SSO based on Kerberos authentication for our ERP system as Abap stack so we set related requirements.

The users are available to logon without password for SAP Gui but the user has problem when logon with web based access.(SICF services as webgui).

For SSO configuration web based access;

We have defined the Kerberos Service Principal as <serviceuser> @<FQDN> in the SPNEGO t-code but the user still get pop up to password credentials. We have no found error logs in ICM trace and Active directory logs.

Let me clear about below questions ;

  • For Kerberos SSO configuration, AS Java is necessary ?
  • Is there additional requirements for Internet Security Tools ?
  • Is there additional options for SAP Abap side ?
10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Best Answer
avatar image
Former Member Nov 03, 2016 at 08:25 AM
0

Hello All,

The web application is opened without requiring the user to enter username and password after install new sapcrypto.dll version and updated parameter is spnego/construct_SNC_name=201.

The Kerberos User Principal Name is converted into SNC name using spnego/construct_SNC_name parameter values. Sap Note :1819808

http://help.sap.com/saphelp_nwsso20/helpdata/en/82/8897e673354486a72600e637941fe0/content.htm?frameset=/en/aa/8b1e80b82340c5b4cdb7e4aabe8d9a/frameset.htm¤t_toc=/en/ba/a0222bf5da4ed3a655eaef1e4a3b60/plain.htm&node_id=127
Show 1 Share
10 |10000 characters needed characters left characters exceeded
Former Member

The webgui is working.:=)

0
Yuksel AKCINAR Nov 06, 2016 at 01:46 PM
0

Hello Inanc, Ulas,

Did you check Single Sign-On with Kerberos wiki and videos?

For Kerberos authentication you donot need NW Java Server and add-on Secure Login Server.

But Using Kerberos Authentication on SAP NetWeaver Application Server ABAP requires additional software licenses. as mentioned in the link.

If you are paying for the license I advise you to use x.509 certificates and SAML.

Regards,

Yuksel AKCINAR

Show 1 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Thanks for comment:)

0
avatar image
Former Member Nov 07, 2016 at 11:18 AM
0

Hello Yuksel,

After updated the parameter is spnego/construct_SNC_name and updated sapcrypto.dll, the Web Gui service is working.

Share
10 |10000 characters needed characters left characters exceeded