Kerberos and SAP NetWeaver Application Server Java

Use

SAP NetWeaver Application Server (AS) Java supports Kerberos authentication for Web-based access with the Simple and Protected GSS API Negotiation Mechanism (SPNego).

SPNego enables you to use Kerberos authentication without an intermediary web server and independently of the underlying operating system (OS) of the SAP NetWeaver host.

Process

For an overview of the communication flow and the systems involved in Kerberos authentication with SAP NetWeaver, see the following figure.

Figure 1: Kerberos Authentication with SPNego
  1. The Web client accesses an AS Java resource with a GET request.

  2. The AS Java returns a 401 response code (unauthorized) with a request to initiate SPNego authentication.

  3. The Web client recognizes that the host of the AS Java is a member of the Kerberos realm and procures a ticket from the KDC.

  4. The Web client then sends the ticket to the AS Java wrapped as a SPNego token.

  5. The SPNegoLoginModule reads the token and authenticates the user.
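
The header exchange in steps 2 and 4 can be checked from a captured HTTP trace when troubleshooting. The following is an added example, not SAP code: the function names and sample tokens are constructed for illustration. It goes slightly beyond the steps above by also recognizing an NTLM token, which is not a Kerberos ticket.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed sample headers (structure only, no real ticket inside)
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602306062b0601050502a0193017a00d300b06092a864886f712010202a206040400000000")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def offers_negotiate(status, headers):
    """Step 2: a 401 response carrying a WWW-Authenticate: Negotiate challenge."""
    return status == 401 and any(
        k.lower() == "www-authenticate" and v.strip().lower().split(" ")[0] == "negotiate"
        for k, v in headers)

def _gss_body(token):
    """Return the content of the outer GSS-API [APPLICATION 0] wrapper, or None."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    n = token[1]
    if n < 0x80:                                  # short-form DER length
        return token[2:2 + n]
    k = n & 0x7F                                  # long form: k length bytes follow
    return token[2 + k:2 + k + int.from_bytes(token[2:2 + k], "big")]

def classify_token(authorization):
    """Step 4: classify the token sent in an Authorization header value."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                             # not a Kerberos ticket
    body = _gss_body(token)
    if body is None:
        return "unknown"
    if body.startswith(SPNEGO_OID):
        # Heuristic: look for the Kerberos V5 OID among the offered mechanisms
        return "spnego-kerberos" if KRB5_OID in body else "spnego-other"
    return "kerberos-raw" if body.startswith(KRB5_OID) else "unknown"

if __name__ == "__main__":
    print(offers_negotiate(401, [("WWW-Authenticate", "Negotiate")]))
    print(classify_token(SAMPLE_SPNEGO), classify_token(SAMPLE_NTLM))
```
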

More Information

The AS Java uses SPNego to identify itself as a member of a Kerberos realm, determine a shared authentication mechanism and negotiate its use for establishing a security context for further communication with the client.

For information about configuring Kerberos authentication for SAP NetWeaver systems, see Using Kerberos Authentication on SAP NetWeaver Application Server Java.