Former Member

Kerberos Delegation for SNC


I am evaluating different techniques for SSO. In my scenario, there is a non-SAP JEE server which supports integrated Windows Authentication using SPNEGO. The JEE server is able to use Credential Delegation when calling out to backend systems.

There is a Web application running on this JEE server to which the user does not need to log in manually, because her Windows credentials are accepted.

Now, the Web Application requires data from an SAP ABAP backend system. It uses JCO to open an RFC connection (actually SNC). So far I found out how to use

- userid / password

- X.509 certificates

- MYSAPSSO2 tickets

to authenticate from my JCO client (Web app) to the ABAP backend.

My question is: Is there a way to use Kerberos Credential Delegation with JCO 3?

Any hint is appreciated.



P.S. Right now, I am using SAP CryptoLib for the SNC connection from my JEE server to the ABAP backend. This somehow authenticates my JCO client (Web app) to the ABAP backend. However, in JCO, I still need to provide additional credentials (one of the 3 options from the list above).


1 Answer

  • Best Answer
    May 26, 2010 at 12:53 PM


    Yes, this is actually quite easy to do.

    You would need to use an SNC library which supports Kerberos on your ABAP backend, and you would need an SNC library which supports Kerberos on the JEE server. Then the JCO library will use the SNC library if the correct connection string is given. The SNC library on the JEE server will use the forwarded credentials of the user at the workstation. I have done this with JCO and also with .NET applications running on IIS. The concepts are the same.




    • Jens,

      Thank you for explaining. I thought my previous explanation was clear enough, but I assumed you were familiar with how Kerberos delegation/forwarding works.

      In the web environment, the browser sends a GSS-API token to the web server wrapped inside an SPNEGO token. The web server unwraps the SPNEGO token, finds the GSS-API token and uses this token to accept the security context. At the Kerberos protocol mechanism level, this means the web server is taking a service ticket from the browser and decrypting it using the key in the keytab found on the web server. If ticket forwarding is used, this process will result in a forwarded TGT of the user in the Kerberos credentials cache at the web server, so that the web server code can connect to other systems and use this user's TGT for Kerberos auth. In your case, this is what you want, so that the JEE server can use the user's credentials from the Kerberos credentials cache and authenticate to the backend using JCO/RFC/SNC.

      So, within the context of the user logged onto the web server, the credentials of the user will be present. These credentials will be used if in the same context an RFC connection is triggered via JCO, if RFC SNC parameters are used in the connection string.

      Hopefully this helps? It seems from your previous post that you are trying to understand how the Web with SPNEGO is linked to the RFC connection, which is not HTTP based. Hopefully you can see now that this is done using the Kerberos credentials cache on the web server in the user context, so that all code running in this context can access these credentials as if the user was logged onto the web server directly.

      In the RFC connection, you would use SNC_PARTNERNAME and SNC_MYNAME to specify Kerberos principal names of user and backend system, but you won't be needing to specify a userid and password, x.509 cert or MYSAPSSO2. The SNC parameters will determine the user identity under which the function module executes because of mapping info in USRACL table. As I mentioned, you need a Kerberos SNC library on backend, as well as on JEE server.
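
The reply above says the RFC destination should carry SNC names and no userid/password, X.509 certificate or MYSAPSSO2 ticket. The following is an added example, not code from the thread or from SAP: a small check over a JCo 3 destination properties file that confirms it relies on SNC only. The host names and principal names in the samples are constructed, and the `p:` / `p/` name-prefix check is an assumption about how the SNC library in use writes names.

```python
# Added example: lint a JCo 3 destination so that logon relies on SNC only.
# Keys checked are JCo 3 destination properties; sample values are constructed.

# Credential keys the reply says are not needed once SNC identifies the user.
STATIC_CREDENTIAL_KEYS = (
    "jco.client.user",
    "jco.client.passwd",
    "jco.client.mysapsso2",
    "jco.client.x509cert",
)

GOOD_SAMPLE = """\
jco.client.ashost=abap.example.internal
jco.client.sysnr=00
jco.client.client=100
jco.client.snc_mode=1
jco.client.snc_partnername=p:SAPServiceABC@EXAMPLE.INTERNAL
jco.client.snc_myname=p:jdoe@EXAMPLE.INTERNAL
"""

BAD_SAMPLE = """\
jco.client.ashost=abap.example.internal
jco.client.snc_mode=0
jco.client.user=RFCUSER
jco.client.passwd=constructed-placeholder
"""

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_snc_destination(props):
    """Return findings; an empty list means the destination is SNC-only."""
    findings = []
    if props.get("jco.client.snc_mode") != "1":
        findings.append("jco.client.snc_mode is not 1: SNC is off")
    for key in ("jco.client.snc_partnername", "jco.client.snc_myname"):
        name = props.get(key, "")
        if not name and key.endswith("partnername"):
            findings.append(key + " is missing: backend SNC name required")
        elif name and not name.startswith(("p:", "p/")):
            findings.append(key + " is not in printable SNC name form")
    for key in STATIC_CREDENTIAL_KEYS:
        if props.get(key):
            findings.append(key + " is set: static credential stored beside SNC")
    return findings
```

Running `lint_snc_destination(parse_properties(...))` over each deployed destination file gives a quick review signal for leftover passwords or tickets after a move to SNC-based logon.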