SINGLE SIGN-ON FOR THE ABAP WORLD
USING SAP NETWEAVER SINGLE SIGN-ON
SIS265
Configuration of Single Sign-On based on Kerberos
Stefanie Garcia-Laule, Jens Koster
SIS265
Page 2, SAP TechEd 2013
TABLE OF CONTENTS
Before you start (page 3)
Chapter 1: Setting up Trust between Active Directory and Application Server ABAP (page 4)
  Exercise 1.1 - Verify Kerberos Service User in Active Directory (page 4)
  Exercise 1.2 - Install Secure Login Library (SLL), Create PSE and cred_v2 (page 8)
Chapter 2: Preparing the Application Server for Single Sign-On (page 13)
  Exercise 2.1: Set Profile Parameters (page 13)
  Exercise 2.2: Restart the SAP System (page 21)
Chapter 3: Configuring the Client (page 23)
  Exercise 3.1: Install Secure Login Client (SLC) (page 23)
  Exercise 3.2: Configure SAP Logon Entry (page 26)
Chapter 4: Configuring User Mapping (page 27)
  Exercise 4: Configure User Mapping (page 27)
Chapter 5: Testing Single Sign-On for SAPGUI Access (page 30)
  Exercise 5: Test Single Sign-On for SAPGUI Access (page 30)
Chapter 6: Configuring Single Sign-On for Web Access (page 32)
  Exercise 6: Configure SPNEGO (page 32)
Chapter 7: Testing Single Sign-On for Web Access (page 35)
  Exercise 7: Test Single Sign-On for Web Access (page 35)
Appendix (page 37)
  Troubleshooting (page 37)
  Appendix A1 - Server start error (page 37)
Copyright (page 39)
BEFORE YOU START
Make sure that you log on to your TechEd laptop with user FAIR\SIS265 and password abcd1234. Do not use user student!
CHAPTER 1: SETTING UP TRUST BETWEEN ACTIVE DIRECTORY AND APPLICATION SERVER ABAP
Estimated time: 10 minutes
Objective
In this exercise you will verify that the Kerberos Service User (KerberosTDI) has been set up correctly in the Active Directory. You will then configure the same information about the Kerberos Service User on the Application Server ABAP.
Active Directory:
- Use the tool adsiedit.msc to verify the ServicePrincipalName(s).
Application Server ABAP:
- Extract the Single Sign-On software (Secure Login Library) to the target directory.
- Create a container to store the information of the Kerberos Service User. This container is called PSE (Personal Security Environment).
- Create a file that the Application Server can use to access the PSE during runtime. This file is called cred_v2.
Exercise 1.1 - Verify Kerberos Service User in Active Directory
Explanation Screenshot
1. Open the ADSI Edit tool: Start - Administrative Tools - ADSI Edit
2. Click on ADSI Edit with the right mouse button.
3. Click the Connect to... menu item to execute it.
The path that is displayed might vary depending on the TechEd location.
4. Click OK.
5. Click Default naming context.
Again, the server name that is displayed in brackets might vary depending on the TechEd location.
6. Open the folder by clicking the Open folder icon.
Navigate down to the following node (You need to click on an entry once before you can expand it): Default naming context - Events - TechEd - Sessions - SIS265 - Systems - CN=KerberosTDI
7. Click on CN=KerberosTDI with the right mouse button.
8. Click the Properties menu item to execute it.
9. Select the entry servicePrincipalName by clicking it.
10. Click View.
You will see two entries for the trust relationship with the Application Server ABAP. The entry HTTP/local.abap is used for the Web access trust and the entry SAP/KerberosTDI is used for the trust using the SAPGUI connection.
11. Click OK.
12. Click Cancel.
13. You can close the tool again.
Exercise 1.2 - Install Secure Login Library (SLL), Create PSE and cred_v2
1. Open the command prompt window: press Start, enter cmd and select the program "cmd".
You can copy most of the following commands from the SIS265_commands.txt file that is located in \\TEfile.fair.sap.corp\Studentshare\SIS265 (shortcut on desktop).
2. To extract the content of the Secure Login Library archive into the Secure Login Library target folder, enter the following command:
D:\usr\sap\TDI\DVEBMGS00\exe\sapcar -xvf \\TEfile.fair.sap.corp\Studentshare\SIS265\Software\SECURELOGINLIB.SAR -R d:\usr\sap\TDI\DVEBMGS00\SLL
3. Go to the Secure Login Library directory:
cd d:\usr\sap\TDI\DVEBMGS00\SLL
After that, switch to drive d: by entering
d:
4. Now you define the target folder in which the security information is stored. Set the environment variable SECUDIR (temporarily):
set SECUDIR=d:\usr\sap\TDI\DVEBMGS00\sec
You need to create a PSE file which will contain a keytab, representing the password of the Kerberos Service User.
5. Create the PSE file using the following command:
sapgenpse keytab -p d:\usr\sap\TDI\DVEBMGS00\sec\SAPSNCSKERB.pse -a [email protected]
Option -p defines the file name and location of the PSE file; option -a defines the Kerberos Service User name to be used for the trust relationship.
6. Enter and confirm the PIN for the PSE file (that you will define in this step): Test123$
This PIN is used to protect the access to the PSE file content.
7. Enter and confirm the password of the Kerberos Service User (that is the same as for the user in the Active Directory), which is called keytab password in this dialog: secret123
A success message is displayed, which also lists the content of the keytab.
8. Create the cred_v2 file that is used by the server to access the keytab during runtime:
sapgenpse seclogin -p d:\usr\sap\TDI\DVEBMGS00\sec\SAPSNCSKERB.pse -O SAPServiceTDI
Option -p defines the path to the PSE file; option -O (capital "O") defines the user that the SAP Application Server runs under, so that the Application Server can access the PSE file during runtime.
9. Provide the PSE PIN that you defined in a previous step to access the PSE: Test123$
The credentials file has been added. Using the credentials file, the SAP system can access the keys stored in the PSE file during runtime.
10. To verify that the files SAPSNCSKERB.pse and cred_v2 have been created, go to folder d:\usr\sap\TDI\DVEBMGS00\sec\ in Windows Explorer.
CHAPTER 2: PREPARING THE APPLICATION SERVER FOR SINGLE SIGN-ON
Estimated time: 15 minutes
Objective
In this exercise you will prepare the Application Server for Single Sign-On. You will set the profile parameters to enable SNC (Single Sign-On for SAPGUI) and SPNEGO (Single Sign-On for Web access). If you want to look up the documentation for each profile parameter, you can use transaction RZ11.
Exercise 2.1: Set Profile Parameters
1. Double click on the entry SAP Logon to select it.
2. Double click on the entry TDI [localhost] to select it.
3. Log on with user admin, password abc123.
4. Enter transaction code rz10 and press the Enter key.
5. Click .
6. Click the Import Profiles - Of active servers menu item to execute it.
7. You can ignore the error messages. Click .
8. Click .
9. Double-click on TDI_DVEBMGS00_AMS... Profile.
10. Select
11. Click .
12. Click in the area below the scroll bar to scroll down.
13. Click .
14. Click .
15. Enter the parameter snc/enable into the Parameter field.
16. Enter value 1 into the Parameter value field.
17. Click twice.
18. Click .
19. Repeat steps 14 - 18 to set the following profile parameters:
snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
snc/identity/as = p:CN=KerberosTDI
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
Hint: You can copy the parameters and parameter values from the SIS265_commands.txt file that is located in \\TEfile.fair.sap.corp\Studentshare\SIS265
As you can see in the parameter list, other parameters related to SNC have been preconfigured in the system. These additional parameters allow you to still use unsecured connections into the system.
20. Click .
With this step you confirm the complete list of parameters that you added.
21. Click .
22. Click .
23. Click .
24. Check if the parameters and parameter values that you entered are correct. Click .
25. Click .
26. Click .
27. Click .
28. Click twice to log off.
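Before the restart in Exercise 2.2 it is worth confirming that the five parameters from Exercise 2.1 reached the profile without a typo, because Appendix A1 shows that a mistyped parameter value stops the dispatcher. The following Python script is an added example for this hands-on, not part of the SIS265 material and not an SAP tool: it parses a profile in the plain "parameter = value" text form, compares the parameters against the values from steps 15 to 19, and checks the syntax of SNC names (p:CN=<name>, optionally followed by @REALM with the realm in capital letters, which is also what Exercise 4 requires for the user mapping value). The two sample profiles in the block are constructed for the demonstration, including the typo in the second one.

```python
# Pre-restart check of the SNC / SPNEGO profile parameters set in Exercise 2.1.
# Added example, not part of the SIS265 exercise material. It reads a profile in the
# plain "parameter = value" text form, compares the five parameters from the exercise
# against their expected values, and checks the syntax of SNC names.
import re
from typing import Dict, List

# Expected values, taken from Exercise 2.1 (steps 15 to 19).
REQUIRED: Dict[str, str] = {
    "snc/enable": "1",
    "snc/gssapi_lib": r"$(DIR_INSTANCE)\SLL\sapcrypto.dll",
    "snc/identity/as": "p:CN=KerberosTDI",
    "spnego/enable": "1",
    "spnego/krbspnego_lib": r"$(DIR_INSTANCE)\SLL\sapcrypto.dll",
}

# SNC names in this setup have the form p:CN=<principal> or p:CN=<principal>@<REALM>.
SNC_NAME_RE = re.compile(r"^p:CN=(?P<cn>[^@\s]+)(?:@(?P<realm>\S+))?$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split at the first '=' only,
        params[key.strip()] = value.strip()  # so 'p:CN=...' values survive intact
    return params


def check_snc_name(name: str) -> List[str]:
    """Syntax check for an SNC name (server identity or SU01 user mapping value)."""
    match = SNC_NAME_RE.match(name)
    if not match:
        return [f"SNC name {name!r} is not of the form p:CN=<name>[@REALM]"]
    realm = match.group("realm")
    if realm and realm != realm.upper():
        # Kerberos realms are written in capitals; Exercise 4 asks for capital letters.
        return [f"SNC name {name!r}: realm {realm!r} should be in capital letters"]
    return []


def check_profile(params: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the profile matches the exercise."""
    findings: List[str] = []
    for key, expected in REQUIRED.items():
        actual = params.get(key)
        if actual is None:
            findings.append(f"{key}: missing")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    if "snc/identity/as" in params:
        findings.extend(check_snc_name(params["snc/identity/as"]))
    return findings


# Constructed sample profiles (not taken from the exercise system). The second one
# carries the kind of typo that Appendix A1 traces in dev_w0, plus a missing parameter.
GOOD_PROFILE = r"""
# SNC / SPNEGO parameters
snc/enable = 1
snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
snc/identity/as = p:CN=KerberosTDI
spnego/enable = 1
spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
"""

BAD_PROFILE = r"""
snc/enable = 1
snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrpyto.dll
snc/identity/as = p:CN=KerberosTDI
spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        findings = check_profile(parse_profile(text))
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run the script as it is to see the two constructed profiles evaluated, or pass the text of the instance profile to parse_profile. The check is deliberately strict (exact value match), since a single wrong character in a library path is exactly the failure the appendix troubleshoots.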
Exercise 2.2: Restart the SAP System
1. Double click on the entry SAP Management Console to open it. It might take a while for the console to start. Stay tuned.
2. Click on with the right mouse button.
3. Click the Restart... menu item to execute it.
4. Click OK.
5. Enter password abcd1234.
6. Click OK.
Wait some minutes for the Application Server to start up again. You can continue with the next exercise in the meantime.
CHAPTER 3: CONFIGURING THE CLIENT
Estimated time: 5 minutes
Objective
In this exercise you will install the required software on the client (Secure Login Client). This client is required for single sign-on using the SAPGUI. In order to enable single sign-on for a SAPGUI connection, you need to specify the SNC name of the SAP System (which is the Kerberos Service User name with prefix p:CN=) for the connection.
Exercise 3.1: Install Secure Login Client (SLC)
1. Double click on the entry Student (Share) to select it.
2. Navigate to folder \\TEfile.fair.sap.corp\Studentshare\SIS265\Software. Double click on the entry SAPSetupSLC... to select it.
3. Click Run .
4. Click Next > .
5. Click .
6. Click Next > .
7. Click Close .
Exercise 3.2: Configure SAP Logon Entry
1. Double click on the entry SAP Logon to open it.
2. Click on TDI [localhost] with the right mouse button.
3. Click the Properties... menu item to execute it.
4. Click the Network tab to select it.
5. Select the check box Activate Secure Network Communication.
6. Enter p:CN=KerberosTDI in the SNC Name box.
7. Click OK.
CHAPTER 4: CONFIGURING USER MAPPING
Estimated time: 5 minutes
Objective
In this exercise you will map the Active Directory user name of the end user to the user name in the SAP Application Server. This is done in transaction SU01 in the user's master record.
Exercise 4: Configure User Mapping
1. Double click on the entry SAP Logon to open it. Note: You need to restart SAP GUI at this point so that the required modules can be loaded.
2. Click on TDI [localhost] with the right mouse button.
3. Click the SNC Logon Without Single Sign-On menu item to execute it.
4. Log on with user admin and password abc123.
5. Enter su01 in the transaction code box. Confirm your entry by pressing the Enter key.
6. Enter sis265 in the user field.
7. Click Change .
8. Click .
9. Enter value p:[email protected] (use capital letters!). Important: Confirm your entry by pressing the Enter key.
10. Verify the message "Canonical name determined" that should have appeared after you pressed the Enter key in the previous step.
Click .
11. Click twice to log off.
CHAPTER 5: TESTING SINGLE SIGN-ON FOR SAPGUI ACCESS
Estimated time: 1 minute
Objective
In this exercise you will test if single sign-on works using the SAPGUI.
Exercise 5: Test Single Sign-On for SAPGUI Access
1. Double click on the entry TDI [localhost] to select it.
You can see in the status bar that SNC is enabled.
2. Click .
3. Click the Status... menu item to execute it.
You can see that the user SIS265 is logged on to the system.
4. Click Cancel.
CHAPTER 6: CONFIGURING SINGLE SIGN-ON FOR WEB ACCESS
Estimated time: 5 minutes
Objective
In this exercise you will set up the trust between the Active Directory (already verified in a previous exercise) and the Application Server FOR THE WEB ACCESS. For this, the same information (user, domain, password) of the Kerberos Service User needs to be maintained in transaction SPNEGO.
Exercise 6: Configure SPNEGO
1. Enter spnego in the transaction code box. Confirm your entry by pressing the Enter key.
2. Click Display/Change .
3. Click Continue .
4. Click .
5. Enter [email protected] in the Service Name field.
6. Enter secret123 in the password box. Confirm your entry by pressing the Tab key.
7. Enter the same password in the confirm password field.
8. Click Continue .
9. Click .
10. Click to leave the transaction.
CHAPTER 7: TESTING SINGLE SIGN-ON FOR WEB ACCESS
Estimated time: 2 minutes
Objective
In this exercise you will test if single sign-on works for the Web access to the Application Server. You will do the test using the Internet Explorer and the SAP NetWeaver Business Client.
Exercise 7: Test Single Sign-On for Web Access
1. Double click on the entry IE (32-bit) to select it.
2. Click WebGui .
3. Click Menu. Select System.
4. Click Status... .
User SIS265 has been logged on automatically!
5. Click Close.
6. Double click on the entry NetWeaver Business Client 4.0 to open it.
7. Select the entry TDI SSO and click Log On.
User SIS265 is also logged on automatically to the Application Server using SAP NetWeaver Business Client.
APPENDIX
Troubleshooting
Appendix A1 - Server start error
1. In the SAP Management Console, open the folder by clicking the Open folder icon.
2. Click Process List.
You can see that the Dispatcher Status is "stopped".
Open Windows Explorer. Navigate to D:\usr\sap\TDI\DVEBMGS00\work and open the file dev_w0.
3. Select the entry Notepad by clicking it.
4. Click OK.
5. Click the Edit menu item to execute it.
6. Click the Find... menu item to execute it.
7. Enter sncerr in the Find what: box.
8. Click Find Next.
You can see that the issue was caused by a typo in the profile parameter value.
COPYRIGHT
© 2013 by SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.