Single Sign-On with Microsoft NT LAN Manager SSP: NTLM v1 or NTLM v2?

Former Member
0 Kudos

Hello,

After reading lots of documentation and SAP notes, I am not able to find this simple information:

Which release of the NTLM protocol does Single Sign-On for sapgui with Microsoft NTLM use: v1 or v2?

We do successfully use NTLM for sapgui direct access with GSSNTLM.DLL and GX64NTLM.DLL for 1500+ users.

Our current domain controllers are running Windows 2003 and will soon be upgraded to Windows 2008R2. As part of this migration, the domain admins told us that NTLM v1 will be deactivated because it is considered obsolete and not secure enough.

So, if GSSNTLM.DLL is not able to use NTLM v2, we are in trouble!

Thanks,

Olivier


Former Member
0 Kudos

I have only heard of network domain admins considering NTLM to be generally not secure and have seen policies which prohibit new implementations based on it.

I am not aware of any SAP specific documentation updates related to it either (90% of documentation I have observed is now SAML related).

Is this for your portal?

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

Hi,

Before you migrate your domain controllers to 2008 R2 I suggest you migrate to using the Kerberos SNC library instead of the NTLM SNC library. This will be a more future-proof protocol for SNC authentication, and is used as the default authentication method in both 2003 and 2008 R2 domains.

Julius - The libraries which are being used are SNC libraries, so not used with Portal. SAML is not applicable to SNC authentication.

Tim

Former Member
0 Kudos

Hi Tim,

You can use SNC from the portal for calls to backend ABAP functions, and as Olivier mentioned 1500 users, I suspected a user subset using some special portal application with such a protected connection outside of the certificate-based SNC which (based on previous posts) I assume is used for the rest of the user population.

It was speculation about a kiosk scenario and I was expecting Olivier to answer with some more context info.

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

Julius,

Olivier clearly described his requirement in this thread and explains that he is using SSO for SAP GUI and is using the NTLM SNC library. It is therefore not clear why the portal is being discussed. This is a simple matter of using an SNC library that is based on the NTLM protocol, which is old and has been superseded by Microsoft with Kerberos in the year 2000 (11 years ago). However, it seems that lots of companies are still using NTLM and have not migrated to Kerberos. This is why I explained that Kerberos/SNC is the best upgrade path instead of trying to use an old, outdated protocol.

Tim

Former Member
0 Kudos

Oops, I missed the sapgui in the small print.

You are correct and I agree.

Cheers,

Julius

Former Member
0 Kudos

Hello Julius and Tim,

Thanks for your answers.

Yes, my question was about NTLM for sapgui.

We also have a SAP Portal and use its SPNEGO/Kerberos IWA for SSO web access to ECC (BSP and ABAP Web Dynpro).

Of course, I had also thought about using Kerberos for sapgui, but it was not possible (forbidden because of internal politics) in the Windows domain of our ECC6 system. We had to install the SAP Portal in a new Windows domain to be allowed to use Kerberos.

We have a hardware project (dump the Itanium servers for x64 servers) and we will reinstall ECC6 in the same domain as the SAP Portal and use Kerberos also for sapgui, but until then we will have the domain controller upgrade in the current domain and I'm trying to understand in advance if our sapgui SSO will suddenly stop working.

We are also redoing our new sapgui (7.20) teledistribution package and I have asked that they include the gsskrb5.dll.

By the way, do you know if this gsskrb5.dll has the same limitation (DES only) as the previous SAP Java Kerberos implementation?

Regards,

Olivier

0 Kudos

Hi again,

In the README.txt of gsskrb5.dll I found this text:

1) gsskrb5.dll which implements an RFC-1964 compatible GSS-API v2 mechanism on top of the Kerberos SSP of Microsoft Windows 2000. It supports secure mutual authentication and single-DES message protection as specified in RFC-1964. It is interoperable with MIT Kerberos 5.

2) gssntlm.dll which implements a simple GSS-API v2 mechanism using the NTLM SSP of Windows 9x and Windows NT/2000. This is a "proprietary" gssapi-style framing of NTLM by SAP. I have no formal spec for it.

NTLM is a simple target-only challenge-response authentication. When accepting contexts on Win 9x, an insecure pass-through authentication request to an NT machine is performed.

As it is configured, the mechanism supports no message protection (although implemented, the message integrity protection of NTLMv1 is insecure, broken and incompatible with context export/import).

I am afraid to understand that it would be the worst case for me:

NTLMv1, so forbidden for me after the domain controller migration.

Kerberos with single-DES only, so also forbidden as too insecure.

If true, our only solution will be to buy an external product for which we have no budget (yet).

PS: Yes, Tim, I know that you sell a product that would be a solution.

Regards,

Olivier
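Added example (not from the thread, SAP, or the DLL README): the definitive way to confirm which NTLM version an SNC client actually sends, before the domain controllers reject NTLMv1, is to inspect the NtChallengeResponse field of the captured NTLM AUTHENTICATE (type 3) message. A 24-byte response is NTLMv1; an NTLMv2_RESPONSE is longer and starts with a 16-byte NTProofStr followed by RespType/HiRespType of 0x01. The sample messages below are constructed with a hypothetical helper and contain filler bytes, not real hashes.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3  # MessageType of the NTLM AUTHENTICATE_MESSAGE (type 3)


def _field(buf: bytes, pos: int) -> bytes:
    # NTLM field descriptor: Len (2), MaxLen (2), BufferOffset (4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, pos)
    return buf[offset:offset + length]


def ntlm_version(msg: bytes) -> str:
    """Classify a captured type 3 message as NTLMv1, NTLMv1 with ESS, or NTLMv2."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    lm = _field(msg, 12)  # LmChallengeResponse
    nt = _field(msg, 20)  # NtChallengeResponse
    # NTLMv2_RESPONSE = 16-byte NTProofStr + RespType 1, HiRespType 1 + timestamp,
    # client challenge and AV pairs, so it is always longer than 24 bytes.
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        return "NTLMv2"
    if len(nt) == 24:
        # Extended session security: LM field is an 8-byte client nonce + 16 zero bytes.
        if len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLMv1 (extended session security)"
        return "NTLMv1"
    return "unknown"


def build_authenticate(lm_resp: bytes, nt_resp: bytes, user: str) -> bytes:
    # Hypothetical helper for offline testing: assembles a minimal type 3 message
    # with the 64-byte fixed header; the negotiate flag value is made up.
    header_len, payload, fields = 64, b"", []
    for blob in (lm_resp, nt_resp, b"", user.encode("utf-16-le"), b"", b""):
        fields.append(struct.pack("<HHI", len(blob), len(blob), header_len + len(payload)))
        payload += blob
    flags = struct.pack("<I", 0x00088205)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + b"".join(fields) + flags + payload


# Constructed samples (filler bytes, not real hashes).
V2_NT = b"\xee" * 16 + b"\x01\x01" + bytes(6) + bytes(8) + b"\xff" * 8 + bytes(4) + bytes(4)
V1_MSG = build_authenticate(b"\xaa" * 24, b"\xbb" * 24, "olivier")
ESS_MSG = build_authenticate(b"\xcc" * 8 + bytes(16), b"\xbb" * 24, "olivier")
V2_MSG = build_authenticate(b"\xdd" * 24, V2_NT, "olivier")

if __name__ == "__main__":
    for name, m in (("v1", V1_MSG), ("ess", ESS_MSG), ("v2", V2_MSG)):
        print(name, "->", ntlm_version(m))
```

On a real capture, feed the bytes following the GSS framing in the client's third SNC token to ntlm_version(); a result of NTLMv1 means the library will break once the domain controllers refuse LM/NTLMv1.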

0 Kudos

Olivier,

I am sorry to hear about the NTLM issue. I wasn't aware of the v1 or v2 support, but it looks like you found the info required in the README.

It seems you will have to move to Kerberos sooner than you would have hoped.

I am interested to know why Kerberos was not allowed on your current domain... This seems strange to me, since I normally find companies prefer Kerberos and don't allow NTLM. Can you give some insight into why they didn't want you to use Kerberos for the IWA auth, hence forcing you to use a new domain?

Thanks,

Tim

0 Kudos

Tim,

As I said, the problem is internal politics.

In my company, the team historically in charge of Windows domains is the desktop and Exchange team.

Up to last year, there was only one single production Windows domain for servers and users.

There were more and more business application servers in this domain and it was decided to create a new Windows domain for business servers with a new team in charge.

When I needed SPNEGO/Kerberos for SAP Portal, they banned me from using Kerberos in the first domain because they want all new business servers in the new domain (I needed them for the setspn command). I had to install SAP EP in the new domain and we had to buy an external software to be able to use Kerberos without DES (SAP SPNEGO/Kerberos used only DES at that time).

I also had to use domain relaxing in order to use SSO between EP and ECC6.

So now, if they migrate their domain controllers before we reinstall ECC6 in the new domain, we will need a tough negotiation to be able to use Kerberos in the current domain.

If there were only technical problems in a company, life would be so much easier for technical guys like me!

Regards,

Olivier

0 Kudos

Olivier,

Thanks for explaining.

In case it is of interest, our product does not require the Windows server to be joined to any domain - it can be a standalone server if needed. This sometimes helps avoid politics. We also support IWA, not just SNC, so you can install our product with fewer political barriers.

I hope you are able to find a way forward. If you want to call me you can, or (if appropriate) please continue to use this forum to discuss options.

Thanks,

Tim