Using Kerberos Authentication

Use

SAP NetWeaver Application Server (AS) Java supports Kerberos with Simple and Protected GSS API Negotiation Mechanism (SPNego) enabling authentication with Web clients, such as Web browsers. In addition, the use of SPNego authentication is not tied to the specific operating system of the AS Java host.

SPNego functions on the AS Java are available with the JAAS login module SPNegoLoginModule.

Recommendation

SPNego does not provide transport layer security. We recommend that you use transport layer security mechanisms, such as SSL, to increase security for the SPNego communication with the AS Java.

For more information, see Configuring the Use of SSL on the AS Java.

Integration

Kerberos authentication requires several systems in your landscape, which negotiate the outcome transparently for the user:

  • Web client

    The Web client requests a service or a resource from the AS Java and authenticates against the Kerberos Key Distribution Center. For example, users use a Web browser as the Web client to access Web applications running on the AS Java.

  • Kerberos Key Distribution Center (KDC)

    The SPNegoLoginModule uses the Single Sign-On (SSO) authentication mechanism integrated in Microsoft Windows 2000 and higher operating systems. A Microsoft Windows Domain Controller (DC) acts as a KDC, enabling Windows Integrated Authentication in a Windows Domain. It authenticates the user and grants a ticket that is used for the communication between the AS Java and the user's Web client.

    For information about the integration of non-Windows server components in the Microsoft Kerberos Infrastructure, see the documents available from the Microsoft Developer Network (MSDN) at http://msdn.microsoft.com.

  • AS Java

    The AS Java uses a proprietary API to acquire the negotiated security context from the Kerberos ticket issuer, and uses the user management engine (UME) to retrieve the identity management information for the authenticated user. The AS Java provides access to the services or resources requested by the Web client.
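The Web client hands its ticket to the AS Java in an HTTP Authorization: Negotiate header (RFC 4559). The following Python code is an added example, not SAP code and not part of the original documentation: a server-side diagnostic that lists the mechanisms offered in the client's initial token, reports a client that sent NTLM instead of Kerberos, and flags Kerberos tokens that arrived without the transport layer security recommended above. The function names, verdict strings and the sample token are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")             # OID 1.3.6.1.5.5.2
KERBEROS = {bytes.fromhex("2a864886f712010202"),   # OID 1.2.840.113554.1.2.2 (Kerberos V5)
            bytes.fromhex("2a864882f712010202")}   # OID 1.2.840.48018.1.2.2 (Microsoft variant)
# Constructed sample: a NegTokenInit that offers Kerberos V5 only (no ticket inside).
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()

def read_tlv(buf, pos):                    # returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def offered_mechs(token):                  # mechanism OIDs in a GSS-API initial token
    outer, pos, _ = read_tlv(token, 0)     # 0x60 = [APPLICATION 0] InitialContextToken
    tag, vs, pos = read_tlv(token, pos)    # thisMech OID
    if outer != 0x60 or tag != 0x06:
        raise ValueError("not a GSS-API initial token")
    if token[vs:pos] != SPNEGO:
        return [token[vs:pos]]             # bare mechanism token, for example raw Kerberos
    # Descend: NegTokenInit [0] > SEQUENCE > mechTypes [0] > SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected SPNEGO structure")
    mechs = []
    while pos < end:
        tag, vs, pos = read_tlv(token, pos)
        mechs.append(token[vs:pos])
    return mechs

def classify(authorization, over_tls):     # inspects the first token of the exchange only
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "ntlm"                  # client sent NTLM, not a Kerberos ticket
        mechs = offered_mechs(token)
    except (ValueError, IndexError):
        return "unrecognized"
    if not mechs or mechs[0] not in KERBEROS:   # first entry is the client's preferred mechanism
        return "non-kerberos"
    return "kerberos" if over_tls else "kerberos-without-tls"
```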

Kerberos authentication with the AS Java has been tested with the following platforms:

  • Java Development Kit (JDK) 5.0

  • Windows Kerberos Environment:

    • Microsoft Windows Server 2000 Active Directory

    • Microsoft Windows Server 2003 Active Directory

For more information about the Kerberos systems landscape and infrastructure, see the documents available from http://web.mit.edu.

More Information

SAP Note 968191