Application Development Discussions
SSO through IIS and Kerberos (SPNego)

Former Member

Folks, is there someone out there who has configured SSO going through IIS?

In my scenario I have it configured from ADS to SAP EP.

I need to route it through IIS using the same (Kerberos), not NTLM.

I have also set up IIS to accept Kerberos authentication.

My probable issue is IIS not talking or passing info to EP.

Any help will gladly be accepted and appreciated.

11 Replies

tim_alsop
Active Contributor

Shakil,

I am not exactly clear what you are trying to do. Can you give some more details?

For example:

1. user logs onto workstation using domain account

2. user enters URL in browser which is URL for SAP EP

3. SAP EP uses IIS as a reverse proxy to authenticate user

or

1. user logs onto workstation using domain account

2. user enters URL in browser which is URL for SAP EP

3. SAP EP uses SPNEGO to authenticate user - IIS is not used/needed.

or ???

Thanks,

Tim

Former Member

Tim, thanks for your questions.

Let me summarise the environment.

Currently the setup for SSO to EP from Sharepoint is NTLM through an IIS proxy.

SAP has recommended using Kerberos (SPNego).

I have already configured that successfully. Having mentioned that, the user logs into the Windows workstation, hits the URL for SAP EP and gets into it directly without UID and P/W, for the obvious reason that Kerberos is set up.

I want the same to happen through an IIS server, using Kerberos.

Check the scenario:

Basically, User --> logs into Windows --> Sharepoint (with or without) --> IIS server --> SAP EP is the requirement.

Currently working: User --> logs into Windows --> Sharepoint (with or without) --> SAP EP.

Hope I have simplified it ...

Regards

Shakil.

tim_alsop
Active Contributor

Shakil,

This helps a little, but I am still not clear what IIS is being used for and why you are using NTLM.

When you configure Integrated Windows Authentication in IIS, it will use Kerberos if the domain supports it.

I understand you want the user to logon to sharepoint portal and then click on a link to allow them access to EP - this can be done easily and securely if both Sharepoint (running on IIS) and SAP EP are supporting Kerberos (via SPNEGO). The SPNEGO is nothing more than Integrated Windows Authentication (as it is called in IIS).

Thanks,

Tim
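Tim's point that Integrated Windows Authentication negotiates Kerberos when the domain supports it and falls back to NTLM otherwise can be checked from the browser side: after the server's `401` with `WWW-Authenticate: Negotiate`, the client sends `Authorization: Negotiate <base64>`, and the token itself says which mechanism was used. The following Python example is added here and is not code from the thread or from SAP or Microsoft; it decodes the GSS/SPNEGO wrapper (the OIDs are the standard ones from RFC 4178, RFC 4121 and MS-SPNG) and reports whether the token carries Kerberos, NTLM inside SPNEGO, or a bare NTLM message. The sample headers at the bottom are constructed with the block's own encoder, not captured traffic.

```python
import base64

# GSS-API / SPNEGO mechanism OIDs (RFC 4178, RFC 4121, MS-SPNG)
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _tlv(tag, body):
    """DER tag-length-value with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos=0):
    """Return (tag, value, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def _oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for n in arcs[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _oid_decode(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def classify_token(raw):
    """(kind, mechanism OIDs) for the decoded bytes of an Authorization header."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw NTLMSSP message)", []
    if not raw or raw[0] != 0x60:  # GSS InitialContextToken is [APPLICATION 0]
        return "unknown", []
    _, body, _ = _read_tlv(raw)
    tag, oid, pos = _read_tlv(body)
    if tag != 0x06:
        return "unknown", []
    mech = _oid_decode(oid)
    if mech in (KRB5_OID, MS_KRB5_OID):
        return "Kerberos (raw GSS token, no SPNEGO wrapper)", [mech]
    if mech != SPNEGO_OID:
        return "unknown", [mech]
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    _, neg, _ = _read_tlv(body, pos)  # [0] of the NegotiationToken CHOICE
    _, seq, _ = _read_tlv(neg)        # SEQUENCE
    _, mt, _ = _read_tlv(seq)         # [0] mechTypes
    _, lst, _ = _read_tlv(mt)         # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(lst):
        _, o, p = _read_tlv(lst, p)
        mechs.append(_oid_decode(o))
    first = mechs[0] if mechs else None  # the mechanism the client actually used
    if first in (KRB5_OID, MS_KRB5_OID):
        return "Kerberos via SPNEGO", mechs
    if first == NTLMSSP_OID:
        return "NTLM via SPNEGO", mechs
    return "SPNEGO, other mechanism", mechs


def classify_header(value):
    """Takes the whole header value, e.g. 'Negotiate YIIG...' or 'NTLM TlRM...'."""
    _scheme, _, b64 = value.partition(" ")
    return classify_token(base64.b64decode(b64))


def build_neg_token_init(mech_oids, mech_token=b""):
    """Constructed test data only: a minimal NegTokenInit with optional mechToken [2]."""
    inner = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _oid_encode(o)) for o in mech_oids)))
    if mech_token:
        inner += _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _tlv(0x06, _oid_encode(SPNEGO_OID)) + _tlv(0xA0, _tlv(0x30, inner)))


# Constructed samples (not captured traffic). A Windows client that obtained a
# ticket lists Kerberos first and NTLM last; one that could not offers only NTLM.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"placeholder-for-AP-REQ")).decode()
SAMPLE_NTLM_IN_SPNEGO = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
SAMPLE_RAW_NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_NTLM_IN_SPNEGO, SAMPLE_RAW_NTLM):
        print(h[:40], "...", classify_header(h))
```

As a quick eyeball check without the script: a Kerberos SPNEGO token is large (it carries the service ticket) and its base64 starts with `YII`, while any NTLM message, wrapped or not, shows up as `TlRMTVNTUAAB` (`NTLMSSP\0\x01`) in the first Authorization header. If the proxy path in this thread yields NTLM where the direct URL yields Kerberos, the client never got a ticket for the name in the proxied URL.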

Former Member

Hello Tim,

As mentioned, it is currently set up for NTLM. I want to switch over to SPNego.

To answer your second question, we are using a dedicated separate IIS server between Sharepoint and SAP EP.

To answer your third one, I don't think I need to use the IIS server for Sharepoint, though it would be good to.

But I have also configured the current IIS server to accept Kerberos authentication, and they still don't connect.

The URL that I use hits the IIS server using a specific port for EP, and it doesn't find the page.

It has racked my brain; I hope you can get a solution to this easily.

Regards

Shakil.

tim_alsop
Active Contributor

Shakil,

For your info: Sharepoint already uses IIS; it runs on top of IIS.

I am still not clear. Sorry, but I am trying to help you and getting confused because you refer to things like "As mentioned it is currently setup for NTLM" and I am not clear what you mean by "it" in this sentence. What exactly is using NTLM and needs to use Kerberos?

When you say "But I have also configured the current IIS server to accept Kerberos authentication , they still don't connect." - what doesn't connect? The only things which need to connect are the browser at the user's workstation and SAP EP, and you already told me you got this working.

Can you also clarify if there is a direct connection between the workstation and SAP EP? If there is, why is IIS required?

Thanks,

Tim

Former Member

Tim,

"As mentioned it is currently setup for NTLM" refers to our Production EP environment.

I am working on this (SSO through IIS and Kerberos (SPNego)) in our EP Test environment. All the configuration that I have mentioned has been done in this environment, i.e. the SPNego setup.

-


For IIS server.

As per Microsoft there is a configuration to set Kerberos on the IIS server, as I am using a separate one.

http://support.microsoft.com/kb/215383

This is what I have done on the Test IIS server.

-


For your last question, "Why is IIS required?": because we don't want to change the URLs for all the links in Sharepoint. We want to keep them as they are now. Further, the web proxy is also caching images for performance.

-


Regards

Shakil.

tim_alsop
Active Contributor

Shakil,

If your SAP EP is currently using NTLM (somehow) and you want to use Kerberos, you just need to implement the SPNEGO login module, which you have already done and confirmed works.

When you say "SSO through IIS", what do you mean by "through"? If the user is able to log on to their workstation and get logged onto SAP EP using Kerberos (via the SPNEGO login module) then there is no need to go "through" anything, since SPNEGO requires a direct IP connection between the browser and the SAP system which HTTP traffic can travel over.

You have also said you have set up Kerberos on IIS, but I am not clear why, since you are trying to log on to SAP EP using SPNEGO, you already said this is working, and of course this does not need IIS.

Why don't you want to change the URLs in Sharepoint? I think you will find you have to change them so that SAP EP is accessed directly using the same URL that would be accessed if the user just opens a browser on the workstation and logs directly into SAP EP (no Sharepoint, no IIS). No other URL will work.

The reason why the URL is very important is that the browser uses the URL to determine the name of the Kerberos principal to request from AD, e.g. HTTP/<url entered>@<REALM> is used and you cannot deviate from this convention if you want to use SPNEGO (aka IWA).

Thanks,

Tim

Former Member

Tim,

Hmmmm!!! Makes sense. Well, let us say we need to customize this to work in our environment. I'll keep on trying to find a way.

Does anyone else have some ideas up their sleeves?

Regards

Shakil.

tim_alsop
Active Contributor

Shakil,

I hope you are clear that the SPNEGO/Kerberos works as follows:

When the user enters http://server.company.com/irj/portal into the browser, the browser will request a Kerberos ticket from the domain with the principal name HTTP/server.company.com@REALM. The server which they are connecting to must be expecting to receive the principal with this name and have the key so that it can decrypt the token from the browser.

Perhaps you can consider above when deciding if you need to change URLs or not - my suggestion is that you use the correct URL to make SPNEGO work and then you will have what you need.

Thanks,

Tim
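The naming rule Tim states here and in his earlier reply (the browser builds the principal HTTP/<host from the URL>@REALM, and the server that receives the token must hold that principal's key) is the whole reason the proxied URL fails, so it is worth seeing the exchange end to end. The Python model below is an added example, not code from the thread, from SAP or from Microsoft. It assumes a realm COMPANY.COM and hypothetical hosts ep.company.com (the portal) and iis.company.com (the proxy); the KDC and the EP keytab are plain dictionaries with random keys, and ticket encryption is stood in for by an HMAC, since only the key-ownership check matters for the point being made. It skips the DNS canonicalisation some browsers apply to the host name before building the SPN.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Assumption: the AD domain is COMPANY.COM, so the Kerberos realm is COMPANY.COM.
REALM = "COMPANY.COM"


def spn_for_url(url, realm=REALM):
    """Principal the browser asks the KDC for when IWA/SPNEGO starts:
    HTTP/<host as typed in the URL>@REALM. Scheme, port and path are not
    part of the name, and the host is lower-cased (urlsplit does that)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host}@{realm}"


def _seal(key, payload):
    # Stand-in for Kerberos ticket encryption: a MAC under the service's
    # long-term key. Only "who owns the key" matters for this model.
    return hmac.new(key, payload, hashlib.sha256).digest()


def kdc_issue_ticket(kdc_keys, spn, user):
    """KDC side: find the key registered for the requested principal and
    seal the service ticket with it. If no account owns that SPN the KDC
    refuses with KDC_ERR_S_PRINCIPAL_UNKNOWN and the browser has no token to send."""
    key = kdc_keys.get(spn)
    if key is None:
        return {"error": f"KDC_ERR_S_PRINCIPAL_UNKNOWN for {spn}"}
    return {"spn": spn, "user": user, "seal": _seal(key, f"{spn}|{user}".encode())}


def service_accept(keytab, ticket):
    """Service side (SAP EP's SPNEGO login module): it can only open a
    ticket sealed with a key that is in its own keytab."""
    key = keytab.get(ticket["spn"])
    if key is None:
        return f"REJECT: no key for {ticket['spn']} in keytab, cannot decrypt token"
    expected = _seal(key, f"{ticket['spn']}|{ticket['user']}".encode())
    if not hmac.compare_digest(expected, ticket["seal"]):
        return f"REJECT: token for {ticket['spn']} was not sealed with our key"
    return f"OK: {ticket['user']} logged on via {ticket['spn']}"


def spnego_login(url, user, kdc_keys, ep_keytab):
    """Whole exchange: URL -> SPN -> ticket from the KDC -> token accepted by EP."""
    ticket = kdc_issue_ticket(kdc_keys, spn_for_url(url), user)
    if "error" in ticket:
        return f"REJECT: {ticket['error']}"
    return service_accept(ep_keytab, ticket)


# Constructed sample environment (hypothetical host names, random keys):
# the EP service account owns HTTP/ep.company.com, the IIS machine owns
# HTTP/iis.company.com, and EP's keytab holds only EP's own key.
EP_KEY, IIS_KEY = os.urandom(32), os.urandom(32)
KDC_KEYS = {
    "HTTP/ep.company.com@COMPANY.COM": EP_KEY,
    "HTTP/iis.company.com@COMPANY.COM": IIS_KEY,
}
EP_KEYTAB = {"HTTP/ep.company.com@COMPANY.COM": EP_KEY}

if __name__ == "__main__":
    for url in (
        "http://ep.company.com/irj/portal",         # direct URL: works
        "http://EP.company.com:50000/irj/portal",   # case and port do not change the SPN
        "http://iis.company.com:50000/irj/portal",  # proxy URL: EP has no key for that name
        "http://sapportal.company.com/irj/portal",  # alias nobody registered: KDC refuses
    ):
        print(f"{url:45} -> {spnego_login(url, 'shakil', KDC_KEYS, EP_KEYTAB)}")
```

The two failing cases are the two ways the proxied setup breaks: if the proxy's name is registered to the proxy, the browser gets a ticket EP cannot decrypt; if it is registered to nobody, the browser gets no ticket at all and Integrated Windows Authentication falls back to NTLM, which is consistent with the NTLM-through-IIS setup described earlier in the thread.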

Former Member

Hello Tim, thanks for the info. This is the final path that I will take. But I would still try to see if I can also achieve making it work "SOMEHOW" the other way.

Regards

Shakil.

tim_alsop
Active Contributor

Shakil,

OK, I think you will not get much help on SDN to make it work "the other way" unless you first provide more details so your requirement/questions are clear.

Thanks,

Tim