Former Member
Jul 01, 2010 at 08:25 PM

Setting up Kerberos Authentication in Trusted Domain


I am trying to set up Kerberos authentication to the java stack of a PI 7.1 EHP1 system in a trusted domain scenario, in which the SAP server domain (I will call this Domain A) has trusted a secondary domain (I will call this Domain B). This is a one way trust only, with Domain A as the "trusting" domain.

I have configured SPNego and verified that Kerberos authentication is working within Domain A. Now I am ready to try to get it working from Domain B. I have not run any setspn commands, or done any other configuration within Domain B at this point.

I have logged onto a Domain B workstation (with a Domain B userID) and adjusted the IE settings appropriately per the SAP documentation. Then, if I trace a test connection from the Domain B workstation (using the Diagtool), it shows that an NTLM ticket is being passed instead of a Kerberos ticket. I have verified that the clocks are in sync between the DCs on both sides, the SAP servers, and the frontend workstations.

Below is the setspn command that I ran on Domain A:

setspn -A HTTP/<sap server FQN> <DOMAIN_A\service_user>

Do I need to run this exact command on Domain B as well? Can I use the Domain A service account in the setspn command, or does an identical service account need to be created on Domain B? Is there some other problem, or some other step that has to be performed on Domain B? Again, I have tested single sign-on successfully within Domain A, so I am pretty sure that my SPNego configuration is correct.

Other details:

Domain Controllers are Windows 2008 running Active Directory 2008.