Using Kerberos Authentication on SAP NetWeaver Application Server ABAP

SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP supports Kerberos with Simple and Protected GSS API Negotiation Mechanism (SPNego) enabling authentication with web clients, such as web browsers.

In addition, the use of SPNego authentication is not tied to the specific operating system of the SAP NetWeaver Application Server ABAP host.

SPNego does not provide transport layer security. We recommend that you use transport layer security mechanisms, such as SSL to increased security for the SPNego communication with SAP NetWeaver Application Server ABAP.

Kerberos authentication requires several systems in your landscape, which negotiate the outcome transparently for the user:

• Web client

  The web client requests a service or a resource from SAP NetWeaver Application Server ABAP and authenticates against the Kerberos Key Distribution Center. For example, users use a web browser for a web client to access web applications running on SAP NetWeaver Application Server ABAP.

• Kerberos Key Distribution Center (KDC)

  SAP NetWeaver Application Server ABAP uses the Single Sign-On (SSO) authentication mechanism, integrated in Microsoft Windows 2003 and higher operating systems. Microsoft Windows Domain Controller (DC) acts as a KDC enabling Windows Integrated Authentication in a Windows Domain. It authenticates the user and grants a ticket that is used for the communication between SAP NetWeaver Application Server ABAP and the user's web client.

  For information about the integration of non-Windows server components in the Microsoft Kerberos Infrastructure, see the documents available from the Microsoft Developer Network (MSDN) at http://msdn.microsoft.com.

• SAP NetWeaver Application Server ABAP

Kerberos authentication with SAP NetWeaver Application Server ABAP has been tested with Microsoft Windows Server 2008 Active Directory.

Configuring the AS ABAP for Supporting SSL

SAP Note 1732610