Jan 13, 2013 at 11:09 PM

SAP NetWeaver Single Sign-on X.509 Certificate Based Authentication

Hi Experts

We are trying to implement SAP NetWeaver Single Sign-on X.509 Certificate Based Authentication.

We have followed the Best Practice Guide and also the Secure Login Server, Secure Login Library and Secure Login Client guides.

We have the following scenario:

Windows Domain "A" contains:

MS Active Directory (just to manage SAP Servers)

SAP ABAP Servers with Secure Login Library installed

NO Secure Login Clients

Windows Domain "B" contains:

MS Active Directory (managing users and computers / servers etc)

SAP Java Secure Login Server

SAP ABAP Servers with Secure Login Library installed

SAP Java Servers

PCs with Secure Login Client installed

There is no trust relationship between the Windows Domains.

Secure Login Clients need to single sign on to SAP systems in both Windows Domain "A" and "B"

So far we have Secure Login Clients being able to single sign-on to SAP Servers in Domain "B" - this is working fine.

However we have not been able to configure Secure Login Clients to be able to single sign-on to the SAP systems in Domain "A"

We have set up SPNego with a realm for each Domain and we have a service account in each Domain with Service Principal Name both referencing the Java Secure Login Server.

When we configure SNC on SAP ABAP servers in Domain "A" with certificate exported from Secure Login Server into SNC node of STRUST and set the snc/identity/as to the CN, the servers do not start?

Please could you advise how we can get the above scenario working?

Thanks in advance

Mark