SPNego Wizard
Nghia Nguyen, SAP NetWeaver RIG Americas, SAP Labs, LLC
Agenda
- Introduction
- SPNego Manual Process
- SPNego Wizard Process
- Further Information
- Demo
- Summary
SAP AG 2006, RAFP20 - EFP / 4
Introduction
Integrated Cross-Application User Management
- Single point of administration
- Interoperability, multi-vendor and platform support
- Avoid redundant user information

Single Sign-On (SSO)
- User authenticates once against a security system
- User is afterwards automatically authenticated to access other systems
- Authentication against other applications is transparent for the user

Solutions
- SAP Logon Tickets
- Windows Credentials
Focus on Windows Integrated Authentication: Microsoft Active Directory and Windows Domain
What is: SAP SPNego LoginModule
Motivation: SSO from browser to SAP Web AS / SAP Enterprise Portal by leveraging Microsoft Windows credentials (Kerberos) for authentication
Example: Windows Integrated Authentication from MS IE to SAP Enterprise Portal without additional middleware components like MS IIS or others
Solution: SAP SPNegoLoginModule for Kerberos authentication via HTTP to SAP NetWeaver
SAP SPNego LoginModule
Prerequisites
- Microsoft Windows Domain
- Authentication of users is delegated to the Windows domain
- User must be authenticated against the Windows domain on his or her workstation
- Browser propagates Windows credentials to SAP NetWeaver
Typical scenarios
- Intranet scenarios
Flow between the workstation, SAP NetWeaver and the Active Directory / Windows Domain Controller:
1. Windows domain logon
2. Browser sends Windows credentials
3. SPNego checks the credentials via the JVM against the DC
4. SAP Logon Ticket issued
SPNego Use Cases
SPNego is a Java JAAS Login Module
- it applies to the NetWeaver Application Server J2EE
- a Logon Ticket is issued by the J2EE application server
See SAP Note 701205 on how to configure a trust between NetWeaver J2EE + ABAP systems with SAP logon tickets
Components: ABAP http Web service (e.g. URL for Web-Reports); J2EE Java Stack (SPNEGO); Windows Active Directory
1. Send logon request to ABAP http service
2. Forward request to Java stack (TA: SICS)
3. Verification of credentials through SPNEGO using Kerberos against Windows Active Directory
4. Confirmation: SAP user is equal to AD / Windows username
5. Create logon ticket and redirect to ABAP (http service)
6. Trust logon ticket and open ABAP app
SPNego Use Cases
SPNego can thereby be applied for authentication in many scenarios:
- NetWeaver Portal (intranet)
- NetWeaver Portal (intranet + external access by leveraging multiple logon stacks)
- Web Dynpro
- ABAP systems, e.g. SAP BW web reports, BSP pages, ...
- Integrated ITS (as of 6.40 onwards)
- Duet
- ...and others
SPNego Protocol
Simple and Protected Negotiation protocol:
- Wrapper around a GSS-based protocol
- Allows mechanism negotiation
- Supports all GSS-API-conformant mechanisms
- For HTTP, tokens are exchanged as HTTP headers between server and browser
Token layering: Base64 encoding of an ASN.1 SPNego wrapper around a GSS token
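As an added example (not code from the slides or from SAP), the following Python unpacks the three layers just listed: the Base64 text carried in the HTTP Authorization: Negotiate header, the ASN.1 (DER) SPNego wrapper, and the GSS-API mechanism OIDs in the NegTokenInit mechTypes list. A login module that only handles Kerberos, as the slides describe, can use the mechanism list to reject a token whose preferred mechanism is NTLMSSP before doing any further work. The DER encoder and parser are written here for the example; the mechanism OIDs are the published ones, the sample tokens are constructed inline, and their mechToken payloads are placeholders rather than real Kerberos AP-REQs.

```python
import base64

# Well-known mechanism OIDs (RFC 4178 for SPNEGO, RFC 4121 for Kerberos, MS-SPNG for the rest).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5_OID, MS_KRB5_OID}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """One DER TLV (tag, length, value)."""
    return bytes([tag]) + der_length(len(payload)) + payload


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs share one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body):
    """Inverse of encode_oid for the value octets of an OID."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N octets hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token):
    """Constructed sample: GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    mech_token_field = der(0xA2, der(0x04, mech_token))
    neg_token_init = der(0xA0, der(0x30, mech_types + mech_token_field))
    return der(0x60, encode_oid(SPNEGO_OID) + neg_token_init)


def offered_mechanisms(token):
    """mechTypes of a NegTokenInit, most preferred first (RFC 4178 section 4.2.1)."""
    tag, inner, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = read_tlv(inner)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg, _ = read_tlv(inner, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit ([0])")
    _, fields, _ = read_tlv(neg)              # the SEQUENCE inside [0]
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, oid_list, _ = read_tlv(value)
            mechs, p = [], 0
            while p < len(oid_list):
                _, body, p = read_tlv(oid_list, p)
                mechs.append(decode_oid(body))
            return mechs
    return []


def token_from_header(header):
    """Base64-decode the token in an 'Authorization: Negotiate <b64>' header value."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate authorization header")
    return base64.b64decode(b64.strip())


def prefers_kerberos(header):
    """True if the client's most preferred mechanism is one of the Kerberos OIDs."""
    mechs = offered_mechanisms(token_from_header(header))
    return bool(mechs) and mechs[0] in KERBEROS_MECHS


# Constructed samples: the mechToken payloads are placeholders, not real Kerberos AP-REQs.
KRB_TOKEN = build_neg_token_init([MS_KRB5_OID, KRB5_OID], b"placeholder-AP-REQ")
NTLM_TOKEN = build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00placeholder")
KRB_HEADER = "Negotiate " + base64.b64encode(KRB_TOKEN).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TOKEN).decode()
```

After this check a real server hands the mechToken to its Kerberos implementation (the JVM's GSS provider in the slides' setup); the mechanism check only fails fast with a clear log entry when a browser offers NTLMSSP instead of Kerberos, which is what typically happens when the client could not obtain a service ticket for the server's SPN.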
JAAS SPNego LoginModule: VERY Simplified Authentication Flow
SPNego Manual Procedure
Configuration on the domain controller
- Creation of a Windows user which represents the J2EE Engine
- Export of Kerberos keys
- Registration of Service Principal Names
Configuration on the browser clients
- Windows integrated authentication must be switched on
- J2EE Engine host must be explicitly assigned to local intranet
- Automatic logon in intranet zone must be allowed
Configuration on the J2EE Engine
- Configuration of the JAAS LoginModule
- Setting of Java System Properties
- Installation of krb5.conf and the key files
- Adjustment of the UME configuration
- Configuration of the LoginModule Stacks
SPNego Wizard – Installation 1/2
Download ZIP archive SPNegoWizard.zip from SAP Note 994791
Deploy EARs
- sap.com~tc~sec~auth~jmx~ear.ear
- sap.com~tc~sec~auth~spnego~wizard.ear
- security_example.ear
SPNego Wizard – Installation 2/2
SPNego Wizard - Active Directory configuration 1/2
Create service user j2ee-<SID>
- Select "User cannot change password"
- Select "Password never expires"
- Select "Use DES encryption types for this account"
Configure the service user: set the Service Principal Name (SPN)
setspn -A HTTP/<J2EE Hostname> <service user>
SPNego Wizard - Active Directory configuration 2/2
Check the service user configuration: export its LDAP attributes
ldifde -r "(samaccountname=<service user>)" -f out.ldf
Check "userPrincipalName" and "servicePrincipalName" in out.ldf
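As an added example that is not part of the slides or of SAP's tooling, the following Python reads the out.ldf written by the ldifde command above and checks the two attributes the slide names, servicePrincipalName and userPrincipalName. It goes slightly beyond the slide by also decoding userAccountControl: the "Password never expires" and "Use DES encryption types for this account" checkboxes from the previous slide correspond to the UF_DONT_EXPIRE_PASSWD (0x10000) and UF_USE_DES_KEY_ONLY (0x200000) bits of that attribute. The sample LDIF is constructed, with fictitious host and domain names, and includes a folded line and a base64 value because ldifde emits both.

```python
import base64

# userAccountControl bits (MS-ADTS); the slide's two checkboxes map to these flags.
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000

# Constructed sample standing in for out.ldf; host, domain and SID are fictitious.
SAMPLE_LDF = """\
dn: CN=j2ee-J2E,CN=Users,DC=example,DC=corp
changetype: add
objectClass: top
objectClass: user
cn: j2ee-J2E
sAMAccountName: j2ee-J2E
userPrincipalName: j2ee-J2E@EXAMPLE.CORP
servicePrincipalName: HTTP/j2eehost
servicePrincipalName: HTTP/j2eehost.exam
 ple.corp
userAccountControl: 2163200
description:: U1BOZWdvIHNlcnZpY2UgdXNlcg==
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts.

    Folded lines (leading space) are joined to the previous line and '::'
    values are base64-decoded, matching what ldifde produces.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_service_user(entry, expected_spns, expected_upn):
    """Return {'ok', 'findings', 'des_only'} for one exported service user."""
    findings = []
    spns = {s.lower() for s in entry.get("serviceprincipalname", [])}
    for spn in expected_spns:
        if spn.lower() not in spns:
            findings.append(f"missing servicePrincipalName {spn}")
    upns = entry.get("userprincipalname", [])
    if [u.lower() for u in upns] != [expected_upn.lower()]:
        findings.append(f"userPrincipalName is {upns}, expected {expected_upn}")
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    if not uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("password is not set to never expire")
    return {
        "ok": not findings,
        "findings": findings,
        "des_only": bool(uac & UF_USE_DES_KEY_ONLY),
    }


def check_export(ldif_text, sam_account_name, expected_spns, expected_upn):
    """Locate the service user by sAMAccountName in an ldifde export and check it."""
    for entry in parse_ldif(ldif_text):
        names = [v.lower() for v in entry.get("samaccountname", [])]
        if names == [sam_account_name.lower()]:
            return check_service_user(entry, expected_spns, expected_upn)
    raise LookupError(f"{sam_account_name} not found in export")
```

The DES flag is reported rather than required: the slide's 2006 checklist selects it, but current Windows domains disable DES by default and use AES Kerberos keys, so on a modern domain des_only is expected to be False and a True is worth a second look.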
SPNego Wizard - UME Configuration 1/3
Change UME datasource (configtool)
- Upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml
- Change the datasource file to dataSourceConfiguration_ads_readonly_db_with_krb5.xml
- Enter LDAP connection data
- Test connection and authentication
SPNego Wizard - UME Configuration 2/3
SPNego Wizard - UME Configuration 3/3
Others: enter additional user attributes to be visible in the User Admin application: "krb5principalname; kpnprefix; dn"
SPNego Wizard - Java AS configuration 1/2
Run the SPNego Configuration Wizard: http://localhost:50000/spnego
SPNego Wizard - Java AS configuration 2/2
Set the "ticket" authentication stack to use "spnego" as template (uncheck and recheck to make the Modules Login Stack correct)
SPNego Wizard - Client configuration
Configure IE
- Add "<J2EE Host>" to Local Intranet sites
- Disable HTTP proxy for requests to <J2EE Host>
- Enable Windows Integrated Authentication
- Restart the browser
SPNego authentication fallback and Result
The key to getting the basic auth fallback to work is to apply note 1007227.
IE6
- SPNego: OK
- Basic fallback with Integrated Windows Auth set: double login screen with UNKNOWN_ERROR; hit F5 to refresh and the login screen is correct. Login works with username and password whether you hit F5 or not. The UNKNOWN_ERROR is scheduled to be fixed in SPS12; since this is a usability error and not a critical error, no backport will be provided.
- Basic fallback without Integrated Windows Auth set: OK, login with user id and password
IE7 (supported SPS10 and later): same as IE6
Firefox (general supported browser information will be documented in note 994791)
- SPNego: OK, configured according to http://www.mozilla.org/projects/netlib/integrated-auth.html
- Basic fallback with the http://www.mozilla.org/projects/netlib/integrated-auth.html steps configured: result identical to the IE6 second bullet
- Basic fallback without the http://www.mozilla.org/projects/netlib/integrated-auth.html steps configured: OK, login with user id and password
Demo
Demo the SPNego Wizard
Reverse Proxy Scenario
Summary
Prerequisites: NetWeaver J2EE 6.40 SP15 or higher; NetWeaver 2004s J2EE SP6 or higher
SPNego enables single sign-on (SSO) from your Windows desktop workstation to SAP business applications such as Portal, Web Dynpro and ABAP-based systems.
SPNego efficiently and securely authenticates users directly to the SAP NetWeaver J2EE application server, leveraging the Kerberos security standard, which is a built-in capability of a Microsoft environment.
Further Information
Public Web
- SAP Developer Network: www.sdn.sap.com
- SAP NetWeaver Platform Security, NetWeaver Developer's Guide: http://www.sdn.sap.com/irj/sdn/developersguide
- SAP Service Marketplace: http://service.sap.com/security, http://service.sap.com/securityguide, http://service.sap.com/ais, http://www.sap.com/germany/company/revis/infomaterial/index.epx
Related SAP Education Training Opportunities
- http://www.sap.com/education/
- ADM960, Security in SAP System Environment