
SAP Single Sign-on using AD LDAP & Kerberos.

0 Kudos

Hi Experts,

Our company has a subsidiary at a different location, and we have a separate domain controller for the subsidiary. I have configured single sign-on, and users log in to Windows using AD credentials and then open the SAP portal; without being asked for an ID/password they can log in to the portal and then access other SAP systems by clicking links.

At my subsidiary location users log in using the domain ID/password (i.e. the child domain), then open the SAP portal and are asked to enter the ID/password again (the same Windows ID/password), and can then log in to the SAP system without being asked for login info.

Kindly guide me if there is any option available to skip the SAP Portal ID/password login prompt for my child domain. I want users to log in as in the main domain, without being asked for an ID/password. Also share if any other solution is available for the same.

Regards,

Khuram Shehzad

Accepted Solutions (0)

Answers (2)


tim_alsop
Active Contributor
0 Kudos

Regarding "Also share if any other solution available for the same.", you can also use SAP partner products for SSO on ABAP or JAVA stacks, not just the SAP SSO product.

You can also use SPNEGO on the JAVA stack (which is free) if you just want Kerberos SSO when users log on to the portal.

Former Member
0 Kudos

Khuram,


We have done this with other domains myself. We have company A that bought company B and they still want to use company B's domain.


A few things you will need before you start:

1. LDAP service account - from the new domain

2. Domain controller name.

3. Register a Service Principal Name (SPN) for the portal URL with the new service account from the new company. Usually done by the network team on the new domain. Have the keytab file sent back to you.

Example service account: SVC_account

Service account password: 12345

Setspn: HTTP/<portal URL>.domain.com, ex. HTTP/companyB.xx.abc.com

Setspn: HTTP/webdispatcher.xx.abc.com -- if you are using a WD

4. Upload the keytab file from the new domain

5. Modify the portal XML file to include the domain and add the password to an additional password in the config tool.

6. Create the same LDAP groups in the new company as you have in your company and map them to your existing portal roles.

7. I would also verify the PCs are joined to the new domain and Windows NT authentication is checked in IE.


Good Luck....
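
For item 3 above, a small pre-flight check that the SPNs were actually registered on the service account before the keytab is uploaded. This is an added example, not code from the thread or from SAP: it parses the text that `setspn -l <service account>` prints (the same format as the listing later in this thread) and reports which expected HTTP/ hosts have no SPN. The account name, host names and the captured output are constructed sample values, not from any real domain.

```python
"""Check that HTTP/<host> SPNs exist on the SSO service account.

Added example (not from the thread or SAP). Input is the text printed by
`setspn -l <service account>` on a domain-joined Windows host; all sample
values below are constructed.
"""
import re

# Constructed sample of `setspn -l SVC_account` output: a header line naming
# the account DN, then one registered SPN per line (Windows indents them).
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=SVC_account,OU=ServiceAccounts,DC=companyB,DC=example,DC=com:
        http/companyB.xx.abc.com
        HTTP/webdispatcher.xx.abc.com
"""

# service-class/host[:port][/instance-name]; host may not contain ':' or '/'
SPN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)/([^\s:/]+)(?::(\d+))?(?:/(\S+))?\s*$")


def parse_setspn_output(text):
    """Return [(service_class, host, port), ...] for every SPN line in the output.

    The header and blank lines are skipped. Service class is upper-cased and
    host lower-cased because Active Directory matches SPNs case-insensitively
    (the thread's own listing mixes 'http/' and 'HTTP/').
    """
    spns = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Registered ServicePrincipalNames"):
            continue
        m = SPN_RE.match(line)
        if m:
            svc, host, port, _instance = m.groups()
            spns.append((svc.upper(), host.lower(), port))
    return spns


def missing_http_spns(text, expected_hosts):
    """Hosts from expected_hosts (portal URL host, web dispatcher host, ...)
    that have no HTTP/<host> SPN registered on the account."""
    registered = {host for svc, host, _port in parse_setspn_output(text) if svc == "HTTP"}
    return sorted(h.lower() for h in expected_hosts if h.lower() not in registered)


if __name__ == "__main__":
    # Hosts users actually type into the browser; constructed for the sample.
    wanted = ["companyB.xx.abc.com", "webdispatcher.xx.abc.com"]
    gaps = missing_http_spns(SAMPLE_SETSPN_OUTPUT, wanted)
    print("all SPNs present" if not gaps else f"missing HTTP SPNs for: {gaps}")
```

Feed it the real `setspn -l` text (for example redirected to a file) with the host names users type into the browser, including the web dispatcher host if one fronts the portal. An SPN that is present here but also registered on a second account elsewhere in the forest still breaks Kerberos; `setspn -X` reports such duplicates forest-wide, which this parser does not see.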


0 Kudos

Hello Joshua Algayer!

Thanks a lot for your detailed answer. What I understand from your reply is that I need to do the same steps on the child domain. But I can still see my main + child domain users in the portal. Do we still need to create a service user & keytab? If yes, I can see in the portal configuration that I can add one domain IP & keytab file; how do I add a new domain?

Regards,

Khuram Shehzad

Former Member
0 Kudos

Khuram,

No problem. Yes, you will need to follow the same process for each new domain. However, I think I got your question wrong. Is your original domain mydomain.com and your new child domain new.mydomain.com? When I did it, it was a whole new domain from a different company that we added into our portal. However, you will definitely need to do the setspn if the service account is in the child domain. So are you able to look up the users in User Administration under the existing domain UME? If you can look up the users, it sounds like the domain is already set up. If they can sign on without SSO, you probably only need to do the setspn and upload the keytab file. Remember to run setspn against both your portal instance and WD if you are using one.

Either way, to add a new domain:

1. Launch configtool.bat in \usr\sap\<SID>\J<instance#>\j2ee\configtool

2. Click yes to use the default DB settings

3. Switch to configuration editor mode (icon)

4. Click the edit mode icon and select yes

5. Expand cluster_config -> system -> custom_global -> cfg -> services -> com.sap.security.core.ume.service and double-click on Propertysheet properties

6. Double-click on ume.ldap.access.additional_password.1, 2 or 3. It depends on how many domains you already have. Sounds like for yours it would be password.2. Enter the service account password. Click OK.

7. Click on the top icon (top left) to go back to the configtool home page

8. Click File and select Apply changes

9. In the portal go to System Administration -> UME Configuration and download the data source config file. Mine is named dataSourceConfiguration_ads_deep_readonly_db.xml.

Then within the config file you add the new domain. You should see your existing domain already. Just copy and paste everything between <dataSource> and </dataSource> and update the below if they are different.

<ume.ldap.access.server_name>

<ume.ldap.access.user>

<ume.ldap.access.base_path.user>

<ume.ldap.access.password>$ume.ldap.access.additional_password.2</ume.ldap.access.password>

2. Now upload the file back into the portal UME section. Please be sure all your info is correct, or when you restart the portal it will not start. If it does not start you can simply remove the domain using the config tool.

3. Now upload the keytab file from the SETSPN to http://portal.xyz.com:5##00/spnego. Just click and upload the keytab file. When you pick the file and go through the wizard you should see the name of your new domain in step 2. Go through the rest of the wizard and keep the defaults; yours could be slightly different. You can run SETSPN -l <service account name> and see if it is registered correctly on the domain.

C:\WINDOWS\system32>setspn -l Svc_SAPPORTPP2

Registered ServicePrincipalNames for CN=svc_sapportpp2,OU=ServiceAccounts,OU=ServicesManagement,DC=XYZ,DC=XYZ,DC=com:

http/portal.xyz.XYZ.com

HTTP/olypp2.xyz.xyz.com

C:\WINDOWS\system32>

4. Once you get to the end you should see your new domain; click the enable button. You should actually see your other domain also.

5. Restart the portal.
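
The copy-and-paste step above is where the "portal will not start" failure usually comes from: a pasted <dataSource> that still points at the old domain controller or still references the first domain's additional_password slot. The following is an added example, not code from the thread or from SAP, that checks the edited data source XML before it is uploaded. It assumes, as the post shows, that each <dataSource> carries a <privateSection> holding the ume.ldap.access.* keys and that passwords are referenced as $ume.ldap.access.additional_password.N placeholders set in the config tool; the element layout, ids, host names and DNs below are constructed samples.

```python
"""Pre-flight check for an edited UME dataSourceConfiguration XML.

Added example (not from the thread or SAP). Assumed layout: <dataSources>
containing <dataSource id=...> elements, each with a <privateSection> whose
children are the ume.ldap.access.* keys. All sample values are constructed.
"""
import re
import xml.etree.ElementTree as ET

REQUIRED_KEYS = (
    "ume.ldap.access.server_name",
    "ume.ldap.access.user",
    "ume.ldap.access.base_path.user",
    "ume.ldap.access.password",
)
# Keys that must differ between data sources: a pasted copy left unchanged
# would bind the "new" domain to the old domain controller / bind account.
MUST_DIFFER = ("ume.ldap.access.server_name", "ume.ldap.access.user")
SLOT_RE = re.compile(r"^\$ume\.ldap\.access\.additional_password\.(\d+)$")


def check_datasource_config(xml_text, configured_slots):
    """Return a list of problem strings; an empty list means the file is consistent.

    configured_slots: the additional_password.N slots that were actually filled
    in the config tool (step 6 above), e.g. {1, 2}.
    """
    problems = []
    slot_owner = {}                                # slot number -> dataSource id
    value_owner = {k: {} for k in MUST_DIFFER}     # key -> value -> dataSource id
    root = ET.fromstring(xml_text)
    for ds in root.iter("dataSource"):
        ds_id = ds.get("id", "<no id>")
        priv = ds.find("privateSection")
        if priv is None:
            problems.append(f"{ds_id}: no <privateSection>")
            continue
        values = {child.tag: (child.text or "").strip() for child in priv}
        for key in REQUIRED_KEYS:
            if not values.get(key):
                problems.append(f"{ds_id}: missing <{key}>")
        pw = values.get("ume.ldap.access.password", "")
        m = SLOT_RE.match(pw)
        if pw and not m:
            # A literal password here would travel in a downloadable XML file.
            problems.append(f"{ds_id}: password is a literal, not an additional_password slot")
        elif m:
            slot = int(m.group(1))
            if slot not in configured_slots:
                problems.append(f"{ds_id}: slot {slot} was not set in the config tool")
            if slot in slot_owner:
                problems.append(f"{ds_id}: slot {slot} already used by {slot_owner[slot]}")
            slot_owner.setdefault(slot, ds_id)
        for key in MUST_DIFFER:
            val = values.get(key)
            if val and val in value_owner[key]:
                problems.append(f"{ds_id}: <{key}> identical to {value_owner[key][val]}")
            elif val:
                value_owner[key][val] = ds_id
    return problems


def _datasource(ds_id, server, user, base, slot):
    """Build one constructed <dataSource> block in the assumed layout."""
    return f"""  <dataSource id="{ds_id}">
    <privateSection>
      <ume.ldap.access.server_name>{server}</ume.ldap.access.server_name>
      <ume.ldap.access.user>{user}</ume.ldap.access.user>
      <ume.ldap.access.base_path.user>{base}</ume.ldap.access.base_path.user>
      <ume.ldap.access.password>$ume.ldap.access.additional_password.{slot}</ume.ldap.access.password>
    </privateSection>
  </dataSource>
"""


MAIN = _datasource("MAIN_ADS", "dc01.mydomain.example",
                   "CN=svc_sapportal,OU=Service,DC=mydomain,DC=example",
                   "OU=Users,DC=mydomain,DC=example", 1)
# Correctly edited copy for the child domain: new DC, new bind user, slot 2.
GOOD_CONFIG = "<dataSources>\n" + MAIN + _datasource(
    "CHILD_ADS", "dc01.new.mydomain.example",
    "CN=svc_sapportal,OU=Service,DC=new,DC=mydomain,DC=example",
    "OU=Users,DC=new,DC=mydomain,DC=example", 2) + "</dataSources>"
# Pasted copy where only the id was changed: same DC, same bind user, same slot.
BAD_CONFIG = ("<dataSources>\n" + MAIN
              + MAIN.replace('id="MAIN_ADS"', 'id="CHILD_ADS"') + "</dataSources>")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_datasource_config(cfg, {1, 2}) or "OK")
```

Run it against the downloaded file (`ET.fromstring(open(path).read())` in place of the constructed strings) with the set of slots you filled in the config tool; anything it reports is cheaper to fix before the upload than after a failed portal restart. The literal-password check is there because the XML is a plain downloadable file; keeping the bind password only in the config tool slot is what the $ume.ldap.access.additional_password.N reference is for.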