PI connecting to WS using Kerberos

Former Member

Hi

From PI we are supposed to connect to a web service using Kerberos authentication.

We have not found much information regarding a "how-to" on this. Maybe you could help?

-> Do we use SOAP or WS adapter?

-> If WS adapter, what authentication method do we use?

-> If SOAP adapter, we assume it is "Axis" message protocol, but what authentication method do we use? Certificate?

-> Any other things we have to be aware of when configuring Kerberos authentication?

Thanks!

regs S

Accepted Solutions (0)

Answers (2)

Hi,

Kerberos authentication is not supported for SOAP Web Services with the WS Adapter, neither as consumer nor as provider.

Whether it's possible with SOAP Adapter? I don't know for sure but I doubt it will work.

If it would be supported you wouldn't need to specify any certificate. The whole trust setup (you usually do this by exchanging certificates) would be based on the fact that the application server the ABAP runs on is part of a Kerberos realm (e.g. MS Active Directory Domain). So the trust setup has already been done on operating system level.

What other authentication options instead of Kerberos are available on the provider side?

Regards,

Mathias

Edited by: Mathias Essenpreis on Oct 29, 2011 5:47 PM

martijndeboer
Advisor

Hi,

If I get your request correctly, your intention is to use SPNego/Kerberos authentication as a client.

For our SAP Press book "Single Sign-on mit SAP" (http://sap-press.de/2409) I had been investigating using Kerberos from a Java standalone application, which seems somewhat similar to your scenario. In my scenario, a Java client would broker a Kerberos token into a SAML token from a security token service such as SAP Single Sign-on or Microsoft ADFS 2.0.

Java being a SPNego client is certainly the harder part. On Windows platforms, access to the SPNego token is only granted after changing certain registry entries. The most useful Java client I had found was http://spnego.sourceforge.net/client_keytab.html

Good luck & regards,

Martijn

Former Member

Hi Martijn

It is hard to describe as we don't know the Kerberos concept in detail, but here is what we have:

- The application server we are calling from PI has to change to Kerberos based authentication.

- From what they say, someone else calling this service has just changed their authentication from BASIS to NTLM to make this work.

We are now investigating what we need to do from PI side to be able to call this service.

- We first want to try NTLM as it looks like the easiest way to the target. It should be possible to utilize with SOAP Axis adapter.

- If this does not work, we are not sure where to start. We haven't been able to find any information regarding what adapter to use, if it is possible at all to achieve with an adapter in PI and what other configuration we may need to do to be compatible with the "realm".

It seems that all information on help.sap.com is regarding the setup of SAP as a server, not a client, and it is hard to filter out what configuration is necessary in our scenario. Do we for example need to configure anything on the PI Java stack at all or can everything be done through the PI adapter?

Do you have any input on this?

Thank you.

regards Ole

martijndeboer
Advisor

Hello Ole,

After our discussion on Teched some links on Kerberos:

Regards,

Martijn

baskar_gopalakrishnan2
Active Contributor

Use the SOAP adapter. Regarding authentication, use a certificate. I think you can use either Axis or the plain SOAP adapter for authentication (depends on the end system requirement).

Former Member

Hi

Thank you!

Still I am not sure if this is the whole solution - don't we have to configure anything in PI, only provide a certificate?

Do we have to provide 2 interfaces, one towards the Active Directory and one towards the service?

I have searched notes and forums, but there is no resource explaining the steps needed in PI, only how to configure the Java stack etc., so that is why I'm asking if a certificate should be enough.