Transcript of SPNego Wizard

Page 1: SPNego Wizard

SPNego Wizard

Nghia Nguyen, SAP NetWeaver RIG Americas, SAP Labs, LLC

Page 2: SPNego Wizard

- Introduction
- SPNego Manual Process
- SPNego Wizard Process
- Further Information
- Demo
- Summary

Page 3: SPNego Wizard

Page 4: SPNego Wizard

SAP AG 2006, RAFP20 - EFP / 4

Introduction

Integrated Cross-Application User Management
- Single point of administration
- Interoperability, multi-vendor and platform support
- Avoid redundant user information

Single Sign-On (SSO)
- User authenticates once against a security system
- User is afterwards automatically authenticated to access other systems
- Authentication against other applications is transparent for the user

Solutions
- SAP Logon Tickets
- Windows Credentials

Page 5: SPNego Wizard

Focus on Windows Integrated Authentication

Microsoft Active Directory and Windows Domain

Page 6: SPNego Wizard

What is: SAP SPNego LoginModule

Motivation: SSO from browser to SAP Web AS / SAP Enterprise Portal by leveraging Microsoft Windows credentials (Kerberos) for authentication.

Example: Windows Integrated Authentication from MS IE to SAP Enterprise Portal without additional middleware components like MS IIS or others.

Solution: SAP SPNegoLoginModule for Kerberos authentication via HTTP to SAP NetWeaver.

Page 7: SPNego Wizard

SAP SPNego LoginModule

Prerequisites
- Microsoft Windows Domain
- Authentication of users is delegated to the Windows domain
- User must be authenticated against the Windows domain on his or her workstation
- Browser propagates Windows credentials to SAP NetWeaver

Typical scenarios
- Intranet scenarios

[Diagram: Active Directory / Windows Domain Controller, SAP NetWeaver]
1. Windows domain logon
2. Browser sends Windows credentials
3. SPNego checks credentials via JVM against DC
4. SAP Logon Ticket issued

Page 8: SPNego Wizard

SPNego Use Cases

- SPNego is a Java JAAS Login Module
- It applies to the NetWeaver Application Server J2EE
- A Logon Ticket is issued by the J2EE application server

See SAP Note 701205 on how to configure a trust between NetWeaver J2EE + ABAP systems with SAP logon tickets.

[Diagram: ABAP http Web service (e.g. URL for Web reports), J2EE Java stack (SPNEGO), Windows Active Directory]
1. Send logon request to ABAP http service
2. Forward request to Java stack (TA: SICS)
3. Verification of credentials through SPNEGO using Kerberos against Windows Active Directory
4. Confirmation: SAP user is equal to AD / Windows username
5. Create Logon Ticket and redirect to ABAP (http service)
6. Trust Logon Ticket and open ABAP app

Page 9: SPNego Wizard

SPNego Use Cases

SPNego can thereby be applied for authentication in many scenarios:
- NetWeaver Portal (intranet)
- NetWeaver Portal (intranet + external access by leveraging multiple logon stacks)
- Web Dynpro
- ABAP systems, e.g. SAP BW web reports, BSP pages, ...
- Integrated ITS (as of 6.40 onwards)
- Duet
- ...and others

Page 10: SPNego Wizard

SPNego Protocol

Simple and Protected Negotiation protocol:
- Wrapper around a GSS-based protocol
- Allows mechanism negotiation
- Supports all GSS API conformant mechanisms
- For HTTP, tokens are exchanged as HTTP headers between server and browser

[Diagram: token layering, outer to inner]
- Base64 encoding
- ASN.1 SPNego wrapper
- GSS token
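The layering on this slide decoded in code, as an added example that is not part of the original deck: a minimal DER walker strips the Base64, checks the ASN.1 SPNEGO wrapper and extracts the offered mechanism list and the inner GSS token from the Negotiate header a browser sends (step 2 of the flow diagrams earlier). The sample token is constructed, not captured; a server that only speaks Kerberos, as the SAP module does, should reject a token whose mechTypes does not include the Kerberos OID.

```python
import base64
# Added example (not SAP's code): decode "Authorization: Negotiate <base64>", a GSS-API
# token with the SPNEGO OID wrapping a NegTokenInit (mechTypes list + first mechToken).
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def tlv(buf, pos=0):                         # one DER TLV -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                             # long length form (real AP-REQ tokens)
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):                        # DER OID content bytes -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                       # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

# Constructed sample (not a capture): mechTypes = [Kerberos 5, NTLMSSP]; the four
# placeholder bytes stand where the Kerberos AP-REQ mechToken would be.
SAMPLE_TOKEN = bytes.fromhex(
    "602f 0606 2b0601050502"                 # [APPLICATION 0] { OID 1.3.6.1.5.5.2,
    "a025 3023"                              #   [0] NegTokenInit ::= SEQUENCE {
    "a019 3017 0609 2a864886f712010202"      #     [0] mechTypes { 1.2.840.113554.1.2.2,
    "060a 2b0601040182370202 0a"             #                     1.3.6.1.4.1.311.2.2.10 }
    "a206 0404 01020304")                    #     [2] mechToken OCTET STRING } }
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()

def parse_negotiate_header(header):         # -> (offered mech OIDs, mechToken bytes)
    scheme, _, b64 = header.partition(" ")
    tag, body, _ = tlv(base64.b64decode(b64))
    if scheme != "Negotiate" or tag != 0x60:
        raise ValueError("not a GSS-API Negotiate token")
    oid_tag, oid, pos = tlv(body)
    if oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    seq = tlv(tlv(body, pos)[1])[1]          # [0] -> NegTokenInit SEQUENCE content
    mechs, token, pos = [], b"", 0
    while pos < len(seq):
        ctag, cval, pos = tlv(seq, pos)
        if ctag == 0xA0:                     # [0] mechTypes: SEQUENCE OF OID
            lst, p = tlv(cval)[1], 0
            while p < len(lst):
                oid_body, p = tlv(lst, p)[1:]
                mechs.append(decode_oid(oid_body))
        elif ctag == 0xA2:                   # [2] mechToken: OCTET STRING
            token = tlv(cval)[1]
    return mechs, token
```

Checking `KRB5_OID in mechs` on the returned list is the server-side decision whether this token can be handed to the Kerberos mechanism at all.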

Page 11: SPNego Wizard

JAAS SPNego LoginModule: VERY Simplified Authentication Flow

Page 12: SPNego Wizard

Page 13: SPNego Wizard

SPNego Manual Procedure

Configuration on the domain controller
- Creation of a Windows user which represents the J2EE Engine
- Export of Kerberos keys
- Registration of Service Principal Names

Configuration on the browser clients
- Windows integrated authentication must be switched on
- J2EE Engine host must be explicitly assigned to local intranet
- Automatic logon in intranet zone must be allowed

Configuration on the J2EE Engine
- Configuration of the JAAS LoginModule
- Setting of Java system properties
- Installation of krb5.conf and the key files
- Adjustment of the UME configuration
- Configuration of the LoginModule stacks

Wizard

Page 14: SPNego Wizard

Page 15: SPNego Wizard

SPNego Wizard – Installation 1/2

Download the ZIP archive SPNegoWizard.zip from SAP Note 994791

Deploy EARs:
- sap.com~tc~sec~auth~jmx~ear.ear
- sap.com~tc~sec~auth~spnego~wizard.ear
- security_example.ear

Page 16: SPNego Wizard

SPNego Wizard – Installation 2/2

Page 17: SPNego Wizard

SPNego Wizard - Active Directory configuration 1/2

Create service user j2ee-<SID>
- Select "User cannot change password"
- Select "Password never expires"
- Select "Use DES encryption types for this account"

Configure the service user: set the Service Principal Name (SPN)

setspn -A HTTP/<J2EE Hostname> <service user>

Page 18: SPNego Wizard

SPNego Wizard - Active Directory configuration 2/2

Check the service user configuration: export its LDAP attributes

ldifde -r "(samaccountname=<service user>)" -f out.ldf

Check "userPrincipalName" and "servicePrincipalName"
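A check over the out.ldf export from the ldifde step, as an added example that is not part of the deck: it parses the LDIF record and verifies the attributes the slide names (UPN present, HTTP SPN for the J2EE host registered) plus the "Password never expires" account option from the previous slide. The LDIF record, the account name j2ee-EP1 and the host epserver.example.local are constructed.

```python
import base64

# Added example (not SAP's code): verify the out.ldf export from the ldifde step.
# The LDIF record, account j2ee-EP1 and host epserver.example.local are constructed.
SAMPLE_LDF = """\
dn: CN=j2ee-EP1,CN=Users,DC=example,DC=local
changetype: add
sAMAccountName: j2ee-EP1
userPrincipalName: j2ee-EP1@EXAMPLE.LOCAL
servicePrincipalName: HTTP/epserver.example.local
servicePrincipalName: HTTP/EPSERVER
userAccountControl: 66048
"""
DONT_EXPIRE_PASSWORD = 0x10000            # userAccountControl bit for "Password never expires"

def parse_ldif(text):
    """{attribute: [values]} for one LDIF record; unfolds ' ' continuations, decodes '::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def check_service_user(attrs, j2ee_fqdn):
    """Findings for the SPNego service user; an empty list means the export looks right."""
    findings = []
    spns = [s.lower() for s in attrs.get("servicePrincipalName", [])]
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    if not attrs.get("userPrincipalName"):
        findings.append("userPrincipalName missing")
    if f"http/{j2ee_fqdn.lower()}" not in spns:
        findings.append(f"SPN HTTP/{j2ee_fqdn} not registered on this account")
    if not uac & DONT_EXPIRE_PASSWORD:
        findings.append("'Password never expires' not set; the exported keys stop working on rotation")
    return findings
```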

Page 19: SPNego Wizard

SPNego Wizard - UME Configuration 1/3

Change UME datasource (configtool)
- Upload dataSourceConfiguration_ads_readonly_db_with_krb5.xml
- Change the datasource file to dataSourceConfiguration_ads_readonly_db_with_krb5.xml
- Enter LDAP connection data
- Test connection and authentication

Page 20: SPNego Wizard

SPNego Wizard - UME Configuration 2/3

Page 21: SPNego Wizard

SPNego Wizard - UME Configuration 3/3

Others: enter additional user attributes to be visible in the User Admin application

"krb5principalname; kpnprefix; dn"

Page 22: SPNego Wizard

SPNego Wizard - Java AS configuration 1/2

Run the SPNego Configuration Wizard: http://localhost:50000/spnego

Page 23: SPNego Wizard

SPNego Wizard - Java AS configuration 2/2

Set the "ticket" authentication stack to use "spnego" as template

Uncheck and recheck to make the login stack modules correct

Page 24: SPNego Wizard

SPNego Wizard - Client configuration

Configure IE
- Add "<J2EE Host>" to Local Intranet sites
- Disable HTTP proxy for requests to <J2EE Host>
- Enable Windows Integrated Authentication
- Restart browser

Page 25: SPNego Wizard

SPNego authentication fallback and Result

The key to getting the basic auth fallback to work is to apply note 1007227.

IE6
- SPNego: OK
- Basic fallback with Integrated Windows Auth set: double login screen with UNKNOWN_ERROR; hit F5 to refresh and the login screen is correct. Login works with username and password whether you hit F5 or not. The UNKNOWN_ERROR is scheduled to be fixed in SPS12; since this is a usability error and not a critical error, no backport will be provided.
- Basic fallback without Integrated Windows Auth set: OK, login with user ID and password

IE7 (supported SPS10 and later): same as IE6

Firefox (general supported browser information will be documented in note 994791)
- SPNego: OK, configured according to http://www.mozilla.org/projects/netlib/integrated-auth.html
- Basic fallback with the steps from http://www.mozilla.org/projects/netlib/integrated-auth.html configured: result identical to the second IE6 bullet
- Basic fallback without those steps configured: OK, login with user ID and password

Page 26: SPNego Wizard

Page 27: SPNego Wizard

Demo

Demo the SPNego Wizard

Reverse Proxy Scenario

Page 28: SPNego Wizard

Page 29: SPNego Wizard

Summary

Prerequisites:
- NetWeaver J2EE 6.40 SP15 or higher
- NetWeaver 2004s J2EE SP6 or higher

SPNego enables single sign-on (SSO) from your Windows desktop workstation to SAP business applications such as Portal, Web Dynpro and ABAP-based systems.

SPNego efficiently and securely authenticates users directly to the SAP NetWeaver J2EE application server, leveraging the Kerberos security standard, which is a built-in capability of a Microsoft environment.

Page 30: SPNego Wizard

Page 31: SPNego Wizard

Further Information

Public Web
- SAP Developer Network: www.sdn.sap.com
- SAP NetWeaver Platform Security
- NetWeaver Developer's Guide: http://www.sdn.sap.com/irj/sdn/developersguide
- SAP Service Marketplace:
  http://service.sap.com/security
  http://service.sap.com/securityguide
  http://service.sap.com/ais
  http://www.sap.com/germany/company/revis/infomaterial/index.epx

Related SAP Education Training Opportunities
- http://www.sap.com/education/
- ADM960, Security in SAP System Environment