SPNEGO Configuration Guide

Date post: 02-Oct-2015

Applies To:

SAP NetWeaver Engine

- NetWeaver 04 (6.40)
- NetWeaver 04S (7.00)
- NetWeaver 04S EhP1 (7.01)
- NetWeaver 04S EhP2 (7.02)

Summary:

This document contains detailed instructions on installation and configuration of the new SPNego add-on.

Author: Dimitar Dimkin

Company: SAP AG

2010

SAP AG 2007

Table of Contents

1. Introduction
2. Prerequisites
3. Deployment
4. Access to the user interface
5. Creating a new realm
6. Configuring the user mapping
7. Configuring the encryption keys
8. Enabling the realm
9. Adjusting the policy configuration
10. Troubleshooting

1. INTRODUCTION

The SPNego add-on's purpose is to provide a possible solution to problems caused by the new releases of Windows platforms (Windows Vista, Windows 7, Windows 2008 R2) which no longer support DES as the default encryption mechanism. This causes the old SPNegoLoginModule login module to fail because it cannot decrypt the Kerberos token received in the request. The current solution supports both DES and RC4-HMAC encryption algorithms.

A workaround provided by Microsoft exists which enables DES encryption on the Domain Controller and forces it to behave in the same way as in the older Windows versions. More information can be found in SAP Note 1396724.

This document is targeted specifically at the add-on solution, but chapters 5 through 9 can be used for configuring the new SPNego in its official release when it becomes available.

2. PREREQUISITES

Depending on whether you have a working configuration of the old SPNegoLoginModule or not, there can be several prerequisites that must be met before the new configuration can be finished successfully.

I. A working configuration exists

In this case all the prerequisites have already been met. When configuring the realm in the configuration UI, you can select the already existing keytab file while configuring the encryption keys (located on your central instance under /usr/sap//SYS/global/kerberos) (if you used the SPNego Wizard to configure the old SPNego authentication).

II. A working configuration does not exist

In this case you must make sure you follow several procedures in order to configure the other parties in the SPNego mechanism properly.

1. Service user: you must create a valid service user in the Active Directory. A service user is considered to be valid when:

a) The password of this user never expires

b) The URL of the J2EE engine which is to use SPNego authentication is registered as an SPN (Service Principal Name) with this user. For example, if the name of the user is "sapdemo" and the URL of the J2EE engine is "testspnego.sap.com", you can set the SPN by executing the Active Directory command

"setspn -A HTTP/testspnego.sap.com sapdemo".

c) All of the user's SPNs are unique within the whole Active Directory (i.e. only this user has them). You can check if this is true by executing the Active Directory command

"ldifde -r (serviceprincipalname=HTTP/) -f out.txt".

The output must contain only one entry: the service user which has this SPN registered to them.

In addition, if you want to use DES as encryption mechanism, you must select the "Use DES encryption" check box in the service user's properties.

2. Keytab file: you must create a valid keytab file which contains encryption keys for the realm you are going to configure. A new keytab file must be created every time the service user is changed, therefore it is a good idea to keep the number of such changes as low as possible.

The two Kerberos configuration files created by the old SPNego wizard are no longer needed. You do not need to keep anything in \usr\sap\\SYS\global\kerberos. The purpose of the keytab file is to transport the encryption keys from the domain controller to the J2EE engine and once it is uploaded in the new Configuration UI, the file is no longer needed.
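The SPN uniqueness check in item 1(c) is easy to get wrong by eye once an export contains many objects. The following Python script is an added example, not part of the SAP guide: it parses an LDIF export of the kind the guide's ldifde command writes and reports every HTTP/ SPN that is registered to more than one object (a duplicate SPN makes the KDC unable to pick a key, so Kerberos logon fails). The LDIF text is constructed inline with made-up account and host names; one SPN is deliberately registered twice.

```python
"""Check an ldifde export for HTTP/ SPNs registered to more than one account.

Added example for the SPN-uniqueness prerequisite; it is not part of the SAP
guide. The LDIF text is constructed to look like an ldifde export, with
made-up account and host names; one SPN is deliberately registered twice.
"""
from collections import defaultdict

# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=sapdemo,OU=Service Accounts,DC=spnego,DC=sap,DC=com
changetype: add
objectClass: user
sAMAccountName: sapdemo
servicePrincipalName: HTTP/testspnego.sap.com
servicePrincipalName: HTTP/testspnego

dn: CN=oldportal,OU=Service Accounts,DC=spnego,DC=sap,DC=com
changetype: add
objectClass: user
sAMAccountName: oldportal
servicePrincipalName: HTTP/TESTSPNEGO.sap.com
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) records from LDIF text.

    Records are separated by blank lines; a line starting with a single space
    continues the previous value (ldifde wraps long lines this way). Attribute
    names are lower-cased because LDAP treats them case-insensitively.
    Base64 values ("attr:: ...") are left undecoded; SPNs are plain ASCII.
    """
    records = []
    dn, attrs, last = None, defaultdict(list), None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last is not None:
            if last == "dn":
                dn += line[1:]
            else:
                attrs[last][-1] += line[1:]
            continue
        if not line.strip():
            if dn is not None:
                records.append((dn, dict(attrs)))
            dn, attrs, last = None, defaultdict(list), None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs[key].append(value)
        last = key
    return records


def duplicate_spns(text, prefix="HTTP/"):
    """Map each SPN (lower-cased) with the given prefix to the DNs holding it,
    keeping only SPNs held by more than one object. An empty dict means the
    guide's uniqueness requirement is met. SPNs compare case-insensitively,
    as they do in Active Directory."""
    holders = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            if spn.lower().startswith(prefix.lower()):
                holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(f"{spn} is registered to {len(dns)} objects: {', '.join(dns)}")
```

Run it against the real out.txt by replacing SAMPLE_LDIF with the file contents; an empty result is the condition the guide asks for.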

Keytab files are created via tools provided by the specific Active Directory vendor; for more information contact your Active Directory administrator. One tool provided by the JDK itself has been tested to work. It is called ktab and you can use the following syntax:

ktab a @ -k

For more information on its full syntax, you can run

ktab help

This tool creates encryption keys for all encryption mechanisms that it supports. If you want to create a key for DES, you must use ktab provided by JDK1.5 or higher. If you need a key for RC4-HMAC, you have to use the tool that comes with JDK1.6.
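Because the keytab is the only thing carrying keys to the J2EE engine, it is worth confirming which encryption types it actually contains before uploading it (a keytab written by a JDK 1.5 ktab has no RC4-HMAC key, which is the failure mode the introduction describes). The Python block below is an added example, not SAP or JDK code: it builds a small keytab in memory in the version 2 (0x0502) layout that ktab and the MIT tools write, using placeholder key bytes, parses it back, and reports the encryption types present for a principal. Realm, host name and key material are constructed.

```python
"""Parse a keytab and list the encryption types it holds for a principal.

Added example; not SAP or JDK code. Builds a keytab in memory (same layout
ktab writes) from constructed entries, then parses it back.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Constructed entries: (principal, enctype, key bytes, key version number).
# The keys are placeholders of the right length, not real secrets.
SAMPLE_ENTRIES = [
    ("HTTP/testspnego.sap.com@SPNEGO.SAP.COM", 23, bytes(range(16)), 3),
    ("HTTP/testspnego.sap.com@SPNEGO.SAP.COM", 3, bytes(range(8)), 3),
]


def _counted(data):
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize entries in keytab v2 layout."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Return a list of dicts (principal, enctype, enctype_name, kvno, key_len)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present after the key block
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "kvno": kvno,
            "key_len": len(key),
        })
    return entries


def enctypes_for(entries, principal):
    """Sorted enctype names the keytab holds for one principal."""
    return sorted(e["enctype_name"] for e in entries if e["principal"] == principal)


def missing_enctypes(entries, principal, wanted):
    """Names of wanted enctype numbers the keytab lacks for the principal."""
    present = {e["enctype"] for e in entries if e["principal"] == principal}
    return [ENCTYPE_NAMES.get(t, f"enctype-{t}") for t in wanted if t not in present]


if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in parsed:
        print(f'{e["principal"]} kvno={e["kvno"]} {e["enctype_name"]} ({e["key_len"]} bytes)')
    print("missing for RC4-HMAC clients:",
          missing_enctypes(parsed, SAMPLE_ENTRIES[0][0], (23,)))
```

To inspect a real file, pass `open(path, "rb").read()` to parse_keytab instead of the constructed bytes; the kvno it reports should match the service user's current password version, otherwise the keytab is stale and must be regenerated as the guide says.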

3. Browser: the browser must be configured so that it can communicate with the Key Distribution Center and obtain a valid Kerberos token from it.

a) Internet Explorer

- enable "Windows Integrated Authentication": Tools -> Internet Options -> Advanced -> Security
- enable automatic logon in intranet zone: Tools -> Internet Options -> Security -> Local Intranet -> Custom level -> "Automatic logon only in Intranet Zone"
- add the J2EE engine host name to the list of local intranet sites: Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced
- bypass the proxy server (if present) for the J2EE engine: Tools -> Internet Options -> Connections -> LAN Settings -> Proxy server -> Advanced -> Exceptions

b) Mozilla Firefox

- bypass the proxy server (if present) for the J2EE engine: Tools -> Options -> Advanced -> Network -> Settings -> "No proxy for:"
- adjust the negotiation properties for integrated authentication:
  - enter the URL "about:config" in the address bar
  - filter the properties using "nego"
  - set the values of the properties "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" to "http://"

3. DEPLOYMENT

There are three deployable components:

- spnego.cfg.sda - This is a J2EE library which contains basic functionality needed by the login module and the configuration UI
- spnego.lm.sda - This is a J2EE library which contains the SPNEGOLoginModule
- sap.com~spnego.cfg.wd.ear - This is a WebDynpro application which is used for configuration of the new SPNEGOLoginModule

The three archives have internal dependencies, but they are only available at runtime, not at deploy time. That's why they must be deployed in a strict order:

1. Firstly, deploy spnego.cfg.sda
2. Secondly, deploy spnego.lm.sda
3. Lastly, deploy sap.com~spnego.cfg.wd.ear

NB! When deploying, do not select all of the archives at once. Deployment will fail if the components are not selected as specified above.

These components are deployed online and do not require a server restart.

4. ACCESS TO THE USER INTERFACE

The configuration UI is accessible under:

http://:/spnego2/cfg

If for some reason this does not work, you can also use the whole URL:

http://:/webdynpro/dispatcher/sap.com/spnego.cfg.wd/SPNEGO

You must log in with a user with administrator privileges.

5. CREATING A NEW REALM

Click the "Add" button and fill in the name and the description of the realm you want to add. The names of all realms must be unique. The description field is not mandatory.

This creates a new realm which is not configured and is inactive. If you want to use it you must configure its user mapping and encryption keys and then activate it.

6. CONFIGURING THE USER MAPPING

This step corresponds to the resolution mode definition in the old SPNego configuration UI.

Make sure the realm you want to modify is selected and click the "Edit" button. The "User Mapping" tab below the realms table becomes active. You must select both a user mapping mode and a user mapping source - the combination of the two determines the user mapping for the selected realm. Do not forget to save the changes when done.

You can define the namespace of a user attribute if applicable. Should you choose to omit it, the default UME attribute namespace will be used.

Suppose we have a user named "sapdemo" that belongs to the domain "SPNEGO.SAP.COM". This user will be used in the examples below.

Possible user mappings:

I. Mode = "principal only", Source = "logon id"

This means that the user in the user store must have their "logonid" attribute equal to "sapdemo".

II. Mode = "principal only", Source = "logon alias"

This means that the user in the user store must have their "logonalias" attribute equal to "sapdemo". This mapping can be used when the data source is ABAP or LDAP.

III. Mode = "principal only", Source = "user attribute"

In this case you must specify the user attribute which is to contain the name of the user. This attribute refers to the data source configuration file and not the actual user store - meaning that you either have to map this attribute to a physical one, or leave it as it is and fill it in for every single user manually.

For instance, if we specify "email" as the user attribute, this means that the user in the user store must have their "email" (or mapped) attribute equal to "sapdemo".

IV. Mode = "principal@REALM", Source = "logon id"

This means that the user in the user store must have their "logonid" attribute equal to "sapdemo@SPNEGO.SAP.COM".

V. Mode = "principal@REALM", Source = "logon alias"

This means that the user in the user store must have their "logonalias" attribute equal to "sapdemo@SPNEGO.SAP.COM". This mapping can be used when the data source is ABAP or LDAP.

VI. Mode = "principal@REALM", Source = "user attribute"

In this case you must specify the user attribute which is to contain the name of the user. This attribute refers to the data source configuration file and not the actual user store - meaning that you either have to map it to a physical one, or leave it as it is and fill it in for every single user manually.

For instance, if we specify "email" as the user attribute, this means that the user in the user store must have their "email" (or mapped) attribute equal to "sapdemo@SPNEGO.SAP.COM".

VII. Mode = "principal and REALM", Source = "ADS Data Source"

This mapping can be used when the data source is LDAP. By default the data source configuration files provided by SAP contain two user account attributes named "principal" and "realm". The first one is mapped to the physical attribute "samaccountname" and the second one to nothing. This can be changed, but if you choose not to map any attribute to a physical user attribute, you are going to have to maintain the value of this attribute manually for every single user.

This means that the user in the user store must have their "principal" (or mapped) attribute equal to "sapdemo" and their "realm" (or mapped) attribute equal to "SPNEGO.SAP.COM".

VIII. Mode = "principal and REALM", Source = "user attributes"

In this case you must specify the user attributes which are to contain the principal and the realm of the user. These attributes refer to the data source configuration file and not the actual user store - meaning that you either have to map them to physical ones, or leave them as they are and fill them in for every single user manually.

For instance, if we specify "email" as the user attribute for the principal and "city" as the user attribute for the realm, this means that the user in the user store must have their "email" (or mapped) attribute equal to "sapdemo" and their "city" (or mapped) attribute equal to "SPNEGO.SAP.COM".
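The eight mode/source combinations above all reduce to one question: which attribute values must a user record carry for the principal in the Kerberos ticket to map to it? The Python block below is an added example, not SAP code and not the UME API: it computes the required attribute values for any mode and source, then resolves the principal against a constructed in-memory user store. It goes one step beyond the guide's text by showing what happens when two domains both contain a "sapdemo": a "principal only" mapping then matches two records, and the resolver refuses rather than picking one, since the REALM-aware modes exist precisely to avoid that collision. The "email"/"city" attribute names follow the guide's examples; the user records are made up.

```python
"""Resolve a Kerberos principal to a user-store record under each mapping.

Added example; not SAP code and not the UME API. The user store below is
constructed: two domains both have a "sapdemo", which is the case where
"principal only" mappings become ambiguous.
"""

MODE_PRINCIPAL_ONLY = "principal only"
MODE_PRINCIPAL_AT_REALM = "principal@REALM"
MODE_PRINCIPAL_AND_REALM = "principal and REALM"

# Constructed user store (attribute names as the guide uses them).
USER_STORE = [
    {"logonid": "sapdemo", "logonalias": "sapdemo@SPNEGO.SAP.COM",
     "principal": "sapdemo", "realm": "SPNEGO.SAP.COM", "email": "sapdemo"},
    {"logonid": "sapdemo2", "logonalias": "sapdemo@OTHER.EXAMPLE.COM",
     "principal": "sapdemo", "realm": "OTHER.EXAMPLE.COM", "email": "sapdemo"},
    {"logonid": "jdoe", "logonalias": "jdoe@SPNEGO.SAP.COM",
     "principal": "jdoe", "realm": "SPNEGO.SAP.COM", "email": "jdoe"},
]


def required_attributes(mode, source, principal, attr=None, realm_attr=None):
    """Return {attribute: value} a user record must match for this mapping.

    principal is the name from the Kerberos ticket, e.g. "sapdemo@SPNEGO.SAP.COM".
    attr / realm_attr name the user attributes for the "user attribute(s)"
    sources (hypothetical parameter names chosen for this example).
    """
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")

    if mode == MODE_PRINCIPAL_AND_REALM:
        # Mappings VII and VIII: principal and realm checked separately.
        if source == "ADS Data Source":
            return {"principal": name, "realm": realm}
        if source == "user attributes":
            return {attr: name, realm_attr: realm}
        raise ValueError(f"source {source!r} not valid for mode {mode!r}")

    if mode == MODE_PRINCIPAL_ONLY:       # mappings I-III: realm ignored
        value = name
    elif mode == MODE_PRINCIPAL_AT_REALM:  # mappings IV-VI: full principal
        value = principal
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if source == "logon id":
        return {"logonid": value}
    if source == "logon alias":
        return {"logonalias": value}
    if source == "user attribute":
        return {attr: value}
    raise ValueError(f"source {source!r} not valid for mode {mode!r}")


def resolve_user(store, mode, source, principal, **attr_names):
    """Return the one matching record, or None if no or several records match.

    Several matches are treated as a failure on purpose: logging in whichever
    record happens to come first would let one principal land in another
    user's account.
    """
    wanted = required_attributes(mode, source, principal, **attr_names)
    if None in wanted:
        raise ValueError("attribute name missing for this source")
    matches = [u for u in store if all(u.get(k) == v for k, v in wanted.items())]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    ticket_principal = "sapdemo@SPNEGO.SAP.COM"
    for mode, source, names in [
        (MODE_PRINCIPAL_ONLY, "user attribute", {"attr": "email"}),
        (MODE_PRINCIPAL_AT_REALM, "logon alias", {}),
        (MODE_PRINCIPAL_AND_REALM, "ADS Data Source", {}),
    ]:
        user = resolve_user(USER_STORE, mode, source, ticket_principal, **names)
        print(f"{mode:20} / {source:16} -> {user['logonid'] if user else 'no unique match'}")
```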

7. CONFIGURING THE ENCRYPTION KEYS

This step is new compared to the old SPNego configuration UI, but it eliminates the need to create a connection to the KDC.

Make sure the realm you want to modify is selected and click the "Edit" button. The "Keys" tab below the realms table becomes active. Navigate to a valid keytab file that contains encryption keys for the selected realm and upload it. You will be presented with a list of all the valid encryption keys available in this keytab file. Select the ones you want and click the "OK" button. Do not forget to save the changes when done.

Note that if you used to have a working SPNego configuration which was completed with the help of the SPNego Wizard, you can take the keytab file created by the Wizard. It is located on your central instance under /usr/sap//SYS/global/kerberos.

8. ENABLING THE REALM

Once you configure the realm's user mapping and encryption keys, you have to activate it in order to use it. If you do not activate the realm it will not be used during authentication even though the rest of its configuration might be correct.

Make sure the realm you want to enable is selected and click the "Edit" button, followed by the "Enable" button. Do not forget to save the changes when done.

9. ADJUSTING THE POLICY CONFIGURATION

As with the old SPNegoLoginModule, if you want certain applications to use Kerberos authentication, you have to adjust their policy configurations. In order to configure the new SPNEGOLoginModule for the Portal and all WebDynpro applications, do the following:

1. Log on to the Visual Administrator
2. Navigate to ServerXXX -> Services -> Security Provider
3. Select the "ticket" template and make sure it does not have a reference to another policy configuration
4. Add the SPNEGOLoginModule login module to the list of login modules

4.1. If the old SPNegoLoginModule is present, remove it and put the new SPNEGOLoginModule in its position. Normally its flag should be OPTIONAL.

4.2. If the old SPNegoLoginModule is not present, simply add the new SPNEGOLoginModule to the list. Normally its position should be 2 and its flag OPTIONAL. You also need to add the CreateTicketLoginModule module right after it - with position 3 and flag SUFFICIENT.

In case you want to use Kerberos authentication for a specific application, you have to find its policy configuration and add the module there as well.

10. TROUBLESHOOTING

Deploy the Web diagtool from SAP Note 1045019 on the J2EE server, run it and perform the following steps:

1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool

Then reproduce the problem and stop the tool. The generated zip file will contain traces that might help you figure out what is going wrong. If you are unable to do so, report a message in the BC-JAS-SEC component and attach this archive. Don't forget to include details about how you reproduce the problem along with the exact version of your engine.
