SAP GUI SSO in multiple domain with no trust

Former Member
0 Kudos

Hello,

We are trying to set up SAP GUI SSO & Portal SPNego in our environment, which has the following setup:

1) SAP systems are on Windows 2008 Server.

2) Active Directory users are in domain ABC.

3) SAP systems are in a different domain, DEF.

4) There is NO trust between the two domains.

5) Currently login is happening through user ID/password.

We tried to configure SNC using NTLM; however, it didn't work as there is no trust between the two domains (which is a prerequisite of this configuration). However, in transaction SU01 the AD user ID has been identified as canonical name (showing green).

Now, we are thinking of going with Kerberos SNC configuration; however, I read that this configuration also needs trust between the two domains (not sure about this).

The other option I know of with Kerberos configuration is to setspn the service user ID of the SAP server domain in the AD domain (or maybe vice versa, OR both). Please confirm.

Can you please let us know the path to follow for this kind of scenario for SSO setup for SAP GUI and also for Portal SSO using SPNego configuration.

Also let us know if there are other options available for SAP GUI & Portal SSO in a scenario of multiple domains with no trust.

Another question I have is regarding Portal 7.02 SP11 SPNego configuration. The new SPNego configuration guide does not talk about any LDAP configuration or data source change. Are these steps now not required?

Thanks

11 REPLIES

Former Member
0 Kudos

If you want the SAP application servers to authenticate users in the user domain, you will have to setup a domain trust. You can setup a one-way trust (SAP domain trusts the user domain). See Microsoft's AD documentation for details.

0 Kudos

Currently the problem is we don't want to set up a trust because of security reasons. BTW, I read a bidirectional trust is required for SNC with NTLM. Are you talking about a unidirectional trust for the Kerberos SNC setup?

0 Kudos

Hmm... it has been many years since I last implemented NTLM-based SNC SSO, but unless I'm mistaken, a one-way trust is sufficient. Notice which way it has to be: as I wrote, you make the SAP domain trust the user domain. At least Microsoft AD documentation confirms my understanding: "Authentication requests can only be passed from the trusting domain to the trusted domain".

tim_alsop
Active Contributor
0 Kudos

Dipu,

There has to be a trust, unless you are sending a password, in which case the SAP application uses the password to trust/know who the user is.

If you are using NTLM or Kerberos then the domain that issued the token/ticket must be trusted by the domain that the SAP application resides in. If not, then anybody could authenticate in their local domain, get issued a ticket, then send it to the SAP system and effectively say "I'm Dipu, let me in without a password". Hopefully you can understand that the SAP system needs to trust that the user is who they say they are, and this requires something unique to the user (like a password) or requires a trust to know that the ticket the user is sending is issued by a known domain.

So, it is easy to solve your problem. You need to:

1. Set up a one-way trust so that domain DEF trusts domain ABC.

2. Use an SNC library which implements Kerberos so you get SSO for SAP GUI users.

3. Use SPNEGO on the Java stack for Web login.

Thanks,

Tim

Former Member
0 Kudos

Thanks Tim.

I have below queries:

1) Regarding SAP GUI SSO with Kerberos, is it possible to avoid a domain trust by implementing setspn for the service user? I'm asking this after checking your last reply in "http://scn.sap.com/message/13657892"

As per your reply, if I can do setspn for the service user of domain DEF in domain ABC, no trust is needed. Am I correct?

2) For SPNego config, we are doing setspn for the AD service user in domain ABC for all host & alias names of the portal system. Again, do we at all require any trust in the case of SPNego? OR is setspn sufficient?

Thanks

tim_alsop
Active Contributor
0 Kudos

Hi,

Answers below:

1) The setspn tool is used to set a service principal name on an account. This principal name would be something like user@REALM or user/instance@REALM. I don't know why you think this will help you when you don't have any trust. It will not. You can think of it as a way to give an account in AD an alternative name, but the domain name of the alternative name will be in domain DEF if you are using setspn in domain DEF.

2) For SPNEGO, the setspn command is being used to allow multiple DNS domain names to be used to access the server. The DNS domain name is not necessarily the same as the AD domain name. I think you are confusing the two.

Thanks,

Tim

Former Member
0 Kudos

Thanks Tim

So, this concludes that I must have a one-way trust (i.e. domain DEF trusting ABC) for both SAP GUI SSO & SPNego to work? Correct?

In any case, is there any solution where we don't need to set up a trust & yet SSO for GUI & Portal works fine?

tim_alsop
Active Contributor
0 Kudos

It looks like you haven't marked this question as answered, so obviously you were not clear on the answer given. Yes, a trust is required if users authenticate using a domain which is different from the domain used by your SAP systems.

Think of it like this... Let's suppose somebody lives in India and wants to travel to the USA. In order to gain access to the USA they need to present US immigration with a passport. This passport will need to be issued by the Indian government for the person, and US immigration needs to trust the Indian government and be able to verify that the passport is genuine. If there is no trust then the person cannot enter the USA using their Indian passport. So, this is similar to your scenario, where you are asking if a user can authenticate using an AD domain and if that user can access a SAP system in a domain which doesn't trust the domain he/she authenticated with. Obviously that is not possible, since there is no trust.

I hope this helps.
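The point made in Tim's replies above (a ticket is only worth something to the SAP server if its domain holds a key that ties the ticket back to the issuing domain, and registering an SPN in DEF does not change that) can be shown with a small model of Kerberos cross-realm authentication. This is an added example, not code from the thread, from SAP or from any SNC/SPNEGO product: real Kerberos encrypts tickets with the service's or the inter-realm krbtgt key, and the HMAC here stands in for that encryption; the realm names ABC.EXAMPLE/DEF.EXAMPLE, the SPN SAP/sapci.def.example and the user dipu@ABC.EXAMPLE are constructed, and the keys are random bytes rather than anything derived from a keytab.

```python
import hashlib
import hmac
import json
import os

# Constructed names and keys for the model (not from the thread).
SAP_SPN = "SAP/sapci.def.example"        # SPN registered with setspn in domain DEF
SAP_KEY = os.urandom(32)                  # stands in for the service account's long-term key
USER = "dipu@ABC.EXAMPLE"                 # user authenticates in domain ABC


def _mac(key: bytes, body: dict) -> str:
    """Stand-in for ticket encryption: HMAC over the ticket body keyed with
    the long-term key of the principal the ticket is issued to."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _verify(key: bytes, ticket: dict) -> bool:
    return hmac.compare_digest(_mac(key, ticket["body"]), ticket["mac"])


class Kdc:
    """Toy KDC for one AD domain (Kerberos realm). It holds keys only for the
    principals it owns, plus one inter-realm key per trusted realm. An
    inter-realm key exists only when a trust has been configured."""

    def __init__(self, realm, service_keys, inter_realm_keys=None):
        self.realm = realm
        self.service_keys = service_keys                # {SPN: key}
        self.inter_realm_keys = inter_realm_keys or {}  # {other realm: shared key}

    def _ticket(self, key, client, sname):
        body = {"client": client, "sname": sname, "issuer": self.realm}
        return {"body": body, "mac": _mac(key, body)}

    def issue_service_ticket(self, client, sname):
        """A KDC can only mint tickets for services whose key it holds, so an
        SPN registered in DEF is usable only by DEF's KDC."""
        if sname not in self.service_keys:
            raise KeyError(f"{self.realm} holds no key for {sname}")
        return self._ticket(self.service_keys[sname], client, sname)

    def issue_referral(self, client, target_realm):
        """Cross-realm TGT (krbtgt/TARGET@SOURCE), possible only with a trust."""
        if target_realm not in self.inter_realm_keys:
            raise KeyError(f"{self.realm} has no trust path to {target_realm}")
        key = self.inter_realm_keys[target_realm]
        return self._ticket(key, client, f"krbtgt/{target_realm}")

    def accept_referral(self, referral, sname):
        """Target KDC checks the referral with the inter-realm key of the issuing
        realm; without a trust there is no such key and the referral is rejected."""
        src = referral["body"]["issuer"]
        key = self.inter_realm_keys.get(src)
        if key is None or not _verify(key, referral):
            raise PermissionError(f"{self.realm} does not trust tickets issued by {src}")
        # The client keeps its ABC identity; this is what SU01's SNC name maps.
        return self.issue_service_ticket(referral["body"]["client"], sname)


def service_accepts(ticket, service_key):
    """What the SNC/SPNEGO side of the SAP server does: validate the ticket
    with its own key and, if valid, return the client principal."""
    if not _verify(service_key, ticket):
        return None
    return ticket["body"]["client"]


def attempt_sso(trust: bool) -> str:
    """Run the user's logon flow and return the principal the SAP server
    accepted, or the reason the flow stopped."""
    inter_key = os.urandom(32)  # the shared secret a one-way trust DEF -> ABC would create
    abc_kdc = Kdc("ABC.EXAMPLE", {}, {"DEF.EXAMPLE": inter_key} if trust else {})
    def_kdc = Kdc("DEF.EXAMPLE", {SAP_SPN: SAP_KEY}, {"ABC.EXAMPLE": inter_key} if trust else {})
    try:
        referral = abc_kdc.issue_referral(USER, "DEF.EXAMPLE")
        service_ticket = def_kdc.accept_referral(referral, SAP_SPN)
    except (KeyError, PermissionError) as exc:
        return f"rejected: {exc}"
    return service_accepts(service_ticket, SAP_KEY) or "rejected: bad ticket"


def spn_in_def_does_not_help() -> bool:
    """setspn in DEF puts the key in DEF's table; ABC's KDC still cannot issue for it."""
    abc_kdc = Kdc("ABC.EXAMPLE", {})
    try:
        abc_kdc.issue_service_ticket(USER, SAP_SPN)
    except KeyError:
        return True
    return False


def forged_referral_rejected() -> bool:
    """An issuer that invents its own 'trust' key cannot get past a DEF KDC
    that has no trust configured, and its tickets fail at the SAP server too."""
    rogue = Kdc("ABC.EXAMPLE", {}, {"DEF.EXAMPLE": os.urandom(32)})
    def_kdc = Kdc("DEF.EXAMPLE", {SAP_SPN: SAP_KEY})
    referral = rogue.issue_referral(USER, "DEF.EXAMPLE")
    try:
        def_kdc.accept_referral(referral, SAP_SPN)
    except PermissionError:
        forged = rogue._ticket(os.urandom(32), USER, SAP_SPN)  # guessed service key
        return service_accepts(forged, SAP_KEY) is None
    return False


if __name__ == "__main__":
    print("with one-way trust:", attempt_sso(trust=True))
    print("without trust:", attempt_sso(trust=False))
    print("setspn in DEF alone:", spn_in_def_does_not_help())
    print("forged referral rejected:", forged_referral_rejected())
```

With `trust=True` the flow ends with the SAP server accepting `dipu@ABC.EXAMPLE`; with `trust=False` it stops at the first hop because neither KDC holds an inter-realm key, which is the same outcome Tim describes for both the SNC and the SPNEGO path.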

Former Member
0 Kudos

Hi Tim,

We have a similar problem.

We have a global domain trusted with other domains; the global domain doesn't have users itself, the user info of the other domains is replicated in the global domain.

The SAP Portal is connected to this global domain; when a user is within the local network, they can automatically access the portal through the Kerberos ticket.

The problem is with the users who want to connect to this portal through VPN, because this user is outside the local network.

The user can't automatically access the portal; the portal requests a user and password from him, but still does not recognize the user's credentials and he can't access the portal.

We do not know what may be happening. Do you have any idea what could be the problem?

Thanks


tim_alsop
Active Contributor
0 Kudos

Monica,

Yes, I am very familiar with the problem you describe and I have helped many customers solve it, but not using SAP software for SSO.

Thanks,

Tim

Former Member
0 Kudos

X.509 certificates will work regardless of how you login to the network and yes SAP supports X.509 certificates out-of-the-box.