Kerberos Authentication

Use

SAP NetWeaver Application Server (AS) Java supports Kerberos authentication for Web-based access with the Simple and Protected GSS API Negotiation Mechanism (SPNego).

With SPNego, the Web client passes its Kerberos ticket to the AS Java directly in an HTTP header, so no intermediary Web server is needed and Kerberos authentication works independently of the underlying operating system (OS) of the SAP NetWeaver host.

Overview of Kerberos

Kerberos is an authentication protocol developed at the Massachusetts Institute of Technology. It allows parties communicating over an insecure network to prove their identity to one another in a secure manner. Kerberos addresses weak points of other authentication mechanisms, such as eavesdropping (a password is never sent over the network) and replay attacks (every authenticator carries a timestamp and is accepted only once), and the session key it establishes can also be used to protect the integrity of the data that is communicated.

The Kerberos authentication process involves a group of systems that are administered together as a Kerberos realm. Authentication within a realm works on the basis of tickets, which prove the authenticity of client requests, and relies on a trusted third party called the Key Distribution Center (KDC).

The KDC maintains a database of secret keys: each member of a realm, whether a client or a server, shares a secret key that is known only to itself and to the KDC. Knowledge of this key proves the member's identity, and the key itself is never sent over the network. After the client has authenticated, the KDC issues it a ticket for the application server together with a session key for the communication between client and application server. The ticket is encrypted with the application server's key, so only that server can read it, and client and server can use the session key to secure their further interactions.

Implementation Considerations

While Kerberos can overcome the vulnerabilities of other Web-based authentication mechanisms, its configuration and administration involve a relatively high administrative effort. In addition, Kerberos relies on centrally administered authentication infrastructure, such as the Key Distribution Center, in which every client and server must be registered as a principal before it can authenticate. Kerberos is therefore best suited to managed environments such as a corporate network; in open environments such as the Internet, enrolling and maintaining principals and scaling the supporting infrastructure add considerable administrative load.

For more information about Kerberos, see the Kerberos documentation available from http://web.mit.edu (information published on a non-SAP site).

Process

For an overview of the communication flow and the systems involved in Kerberos authentication with SAP NetWeaver, see the figure below.

Figure 1: Kerberos Authentication with SPNego
  1. The Web client accesses an AS Java resource with a GET request.

  2. The AS Java returns a 401 response code (unauthorized) with a WWW-Authenticate: Negotiate header, which asks the client to initiate SPNego authentication.

  3. The Web client recognizes that the host of the AS Java is a member of the Kerberos realm and procures a service ticket for the AS Java (for its HTTP service principal name) from the KDC.

  4. The Web client repeats the request and sends the ticket to the AS Java wrapped in a SPNego token in the Authorization: Negotiate header.

  5. The SPNegoLoginModule reads the token, validates the Kerberos ticket it contains with the AS Java's own service key, and authenticates the user.
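The exchange in these steps, as an added example that is not part of the SAP documentation and not SAP code: a Python script that models the AS Java side (steps 2 and 5) and inspects the SPNego token the client sends in step 4. The practical check it adds is whether the token actually carries a Kerberos mechanism or whether the browser fell back to NTLM, which is the usual reason SPNego authentication fails and which a Kerberos-only login module cannot process. The function names, the sample tokens and the "pass-to-login-module" decision are assumptions of this example; the real validation of the ticket happens in the login module with the AS Java's service key and is not reproduced here.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (RFC 4178 SPNEGO, RFC 1964 Kerberos, MS-SPNG NTLMSSP).
SPNEGO_OID = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KERBEROS_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KERBEROS_OID: "kerberos", MS_KERBEROS_OID: "ms-kerberos", NTLMSSP_OID: "ntlmssp"}
KERBEROS_MECHS = {"kerberos", "ms-kerberos"}

def _der(tag, value):
    """Encode one DER TLV (long length form for 128 bytes or more)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos=0):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_oids, mech_token=b""):
    """Client token of step 4: [APPLICATION 0] { OID spnego, [0] NegTokenInit
    SEQUENCE { [0] mechTypes SEQUENCE OF OID, [2] mechToken OCTET STRING } }."""
    fields = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    if mech_token:
        fields += _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, fields)))

def negotiate_header(token):
    """Header value the client sends in step 4: 'Negotiate <base64 token>'."""
    return "Negotiate " + base64.b64encode(token).decode()

def _parse_token(raw):
    """Return (kind, mechs): kind is 'kerberos', 'ntlm' or 'unknown'; mechs is the
    list the client offered in mechTypes, its preferred mechanism first."""
    if raw.startswith(b"NTLMSSP\x00"):          # bare NTLM message, no SPNEGO wrapper
        return "ntlm", ["ntlmssp"]
    tag, body, _ = _read_tlv(raw)
    oid_tag, oid, pos = _read_tlv(body)
    if tag != 0x60 or oid_tag != 0x06 or oid != SPNEGO_OID:
        return "unknown", [MECH_NAMES.get(oid, oid.hex())]
    ctx_tag, seq, _ = _read_tlv(body, pos)      # [0] NegTokenInit
    _, fields, _ = _read_tlv(seq)               # SEQUENCE
    list_tag, mech_list, _ = _read_tlv(fields)  # [0] mechTypes
    if ctx_tag != 0xA0 or list_tag != 0xA0:
        return "unknown", []
    _, oids, _ = _read_tlv(mech_list)           # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(oids):
        _, oid, p = _read_tlv(oids, p)
        mechs.append(MECH_NAMES.get(oid, oid.hex()))
    if mechs and mechs[0] in KERBEROS_MECHS:
        return "kerberos", mechs
    if mechs and mechs[0] == "ntlmssp":         # browser fell back to NTLM: no ticket
        return "ntlm", mechs
    return "unknown", mechs

def classify_negotiate(authorization_value):
    """Classify an Authorization header value; anything malformed is 'unknown'."""
    scheme, _, b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown", []
    try:
        return _parse_token(base64.b64decode(b64, validate=True))
    except (binascii.Error, IndexError):
        return "unknown", []

def server_step(request_headers):
    """Server side of Figure 1 (steps 2 and 5) as (status, headers, action)."""
    auth = request_headers.get("Authorization")
    if auth is None:                            # step 2: challenge the client
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"
    kind, _ = classify_negotiate(auth)
    if kind == "kerberos":                      # step 5: ticket goes to the login module
        return 200, {}, "pass-to-login-module"
    # NTLM means the client never obtained a Kerberos ticket (for example no SPN for
    # the host, or the browser does not trust the host for integrated authentication).
    return 401, {"WWW-Authenticate": "Negotiate"}, "reject-" + kind

# Constructed sample tokens, not captured traffic; the mechToken stands in for a
# real Kerberos AP-REQ (several hundred bytes) or an NTLM NEGOTIATE message.
KERBEROS_CLIENT = build_neg_token_init([MS_KERBEROS_OID, KERBEROS_OID, NTLMSSP_OID], b"\x60\x00")
NTLM_FALLBACK_CLIENT = build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")

def demo():
    """Run the three cases and return the server's decision for each."""
    return {
        "no-auth": server_step({})[2],
        "kerberos": server_step({"Authorization": negotiate_header(KERBEROS_CLIENT)})[2],
        "ntlm-fallback": server_step({"Authorization": negotiate_header(NTLM_FALLBACK_CLIENT)})[2],
    }

if __name__ == "__main__":
    print(demo())
```

When troubleshooting a failing SPNego logon, run classify_negotiate on the Authorization header value taken from a browser trace: a result of "ntlm" with only ntlmssp in the mechanism list shows that the client never obtained a Kerberos ticket, so the problem lies in the SPN registration or the browser's zone configuration rather than in the AS Java login module.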

More Information

The AS Java uses SPNego (RFC 4178) to identify itself as a member of a Kerberos realm, to determine an authentication mechanism that both it and the client support, and to negotiate the use of that mechanism for establishing a security context for further communication with the client. In the scenario described here the negotiated mechanism is Kerberos; if the client offers only another mechanism, such as NTLM, because it could not obtain a Kerberos ticket, the login module cannot authenticate the user.

For information about configuring Kerberos authentication for SAP NetWeaver systems, see Using Kerberos Authentication.