Using Kerberos Authentication for Single Sign-On
The SAP Web AS Java uses the Simple and Protected GSS-API Negotiation Mechanism (SPNego) to negotiate Kerberos authentication with Web clients. SPNego is a standard mechanism by which two parties determine the authentication mechanisms they share, select one, and establish a security context for their communication.
The SPNego functions on the J2EE Engine are available with the JAAS login module SPNegoLoginModule. With this login module, you can use Kerberos authentication without an intermediary Web server. In addition, the use of Kerberos authentication is not tied to a specific operating system for the J2EE Engine host.
When you use Kerberos, authentication is performed by several systems, which negotiate the outcome of the authentication process transparently for the user. At a minimum, Kerberos authentication involves the following systems:
· Web client – the Web client requests a service or a resource from the J2EE Engine and authenticates against the Kerberos Key Distribution Center.
· Kerberos Key Distribution Center (KDC) – the KDC authenticates the Web client and grants a Kerberos Client/Server Session Ticket that is used for the communication between the J2EE Engine and the Web client. To authenticate the Web client, the KDC uses a Kerberos user data store, which can also be the UME data store of the J2EE Engine.
· SAP Web AS Java – the J2EE Engine of the SAP Web AS Java uses the User Management Engine (UME) to retrieve the identity management information for the authenticated Web client. Subsequently, the J2EE Engine provides access to the services or resources requested by the Web client.
For more information about the Kerberos systems landscape and infrastructure, see the Kerberos V5 Administrator's Guide, available from web.mit.edu.
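The following is an added example, not SAP code, that models the three parties listed above (Web client, KDC, and the J2EE Engine as the service) so that the role of the shared keys is visible: the KDC encrypts the Client/Server Session Ticket with the service's long-term key, which is exactly what the keytab created for the J2EE Engine carries, and the service proves nothing about the client until it has opened both the ticket and the client's authenticator. Real Kerberos uses ASN.1 messages and AES or RC4 encryption types; to run offline this uses a toy authenticated cipher built from hashlib and hmac (never reuse it for real data), starts after the client already holds a TGT, and hands the session key straight to the client. The principal names, keys and timestamps are constructed.

```python
"""Toy model of the Kerberos exchange between Web client, KDC and service.

Added example, not SAP code.  Toy cipher from hashlib/hmac; the AS exchange
(password -> TGT) is skipped, so the KDC returns the session key directly.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Issues Client/Server Session Tickets from its principal store (e.g. the UME data store)."""
    TICKET_LIFETIME = 600

    def __init__(self, store: dict):
        self.store = store  # principal name -> long-term key

    def service_ticket(self, client: str, service: str, now: int):
        session_key = os.urandom(32)
        ticket = toy_encrypt(self.store[service], {  # only the service's key opens this
            "client": client, "service": service,
            "session_key": session_key.hex(), "expires": now + self.TICKET_LIFETIME})
        return session_key, ticket


def ap_req(client: str, session_key: bytes, ticket: bytes, now: int) -> dict:
    """What the Web client presents (inside the SPNego token): ticket plus a fresh authenticator."""
    return {"ticket": ticket,
            "authenticator": toy_encrypt(session_key, {"client": client, "timestamp": now})}


class Service:
    """The J2EE Engine side: its keytab key is the long-term key the KDC holds for it."""
    MAX_SKEW = 300

    def __init__(self, name: str, keytab_key: bytes):
        self.name, self.key = name, keytab_key
        self.replay_cache = set()

    def accept(self, req: dict, now: int):
        """Return the authenticated client name, or None if ticket/authenticator is rejected."""
        t = toy_decrypt(self.key, req["ticket"])  # raises if the keytab key is wrong
        if t["service"] != self.name or t["expires"] < now:
            return None
        a = toy_decrypt(bytes.fromhex(t["session_key"]), req["authenticator"])
        if a["client"] != t["client"] or abs(a["timestamp"] - now) > self.MAX_SKEW:
            return None
        if req["authenticator"] in self.replay_cache:  # same authenticator presented twice
            return None
        self.replay_cache.add(req["authenticator"])
        return t["client"]


def run_exchange(now: int = 1_000_000_000) -> dict:
    """Happy path plus three failure modes; returns the outcomes for inspection."""
    spn = "HTTP/sapj2ee.example.com@EXAMPLE.COM"  # hypothetical service principal
    keytab_key = hashlib.sha256(b"constructed service key").digest()
    kdc, engine = KDC({spn: keytab_key}), Service(spn, keytab_key)
    session_key, ticket = kdc.service_ticket("alice@EXAMPLE.COM", spn, now)
    req = ap_req("alice@EXAMPLE.COM", session_key, ticket, now + 1)
    outcomes = {"first": engine.accept(req, now + 2),   # accepted
                "replay": engine.accept(req, now + 3)}  # rejected: authenticator reused
    stale = Service(spn, hashlib.sha256(b"old keytab").digest())  # keytab not refreshed after key change
    try:
        stale.accept(req, now + 2)
        outcomes["stale_keytab"] = "accepted"
    except ValueError as err:
        outcomes["stale_keytab"] = str(err)
    late = ap_req("alice@EXAMPLE.COM", session_key, ticket, now + 700)
    outcomes["expired"] = engine.accept(late, now + 700)  # rejected: ticket lifetime exceeded
    return outcomes
```

The stale-keytab case is the one most often hit in practice: if the service account's password (and hence key) changes on the KDC without the keytab on the J2EE Engine being regenerated, every ticket the KDC issues is undecryptable by the engine and all SPNego logons fail at once.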
The systems involved in the Kerberos authentication process share user information. Therefore, to authenticate J2EE Engine access requests with Kerberos you have to configure several systems including the KDC, the J2EE Engine and its UME, as well as the Web client. In addition, the J2EE Engine uses Kerberos functions available from your Java Development Kit (JDK) and the actual J2EE Engine configuration depends on the underlying JDK you use.
The SPNegoLoginModule lets the J2EE Engine use the Kerberos implementation that is an integral part of Microsoft Windows 2000 and later. These Kerberos functions are what Windows Integrated Authentication in a Windows domain relies on, with a Microsoft Windows Domain Controller (DC) acting as the KDC. For information about integrating non-Windows server components into the Microsoft Kerberos infrastructure, see the documents available from the Microsoft Developer Network (MSDN) at msdn.microsoft.com.
Kerberos authentication with the J2EE Engine has been tested with the following platforms:
· SAP NetWeaver Web Application Server Java Release:
   – J2EE Engine 640 SP 12 or higher
· Java Development Kits (JDKs):
   – Sun JDK 1.4 on Windows
   – Sun JDK 1.4 on SuSE Linux Enterprise Server SLES9
   – Sun JDK 1.4 on Sun Solaris
   – IBM JDK 1.4 on AIX
   – Sun JDK 1.4 on HP-UX
· Windows Kerberos Environment:
   – Microsoft Windows 2000 Server Active Directory
   – Microsoft Windows Server 2003 Active Directory
For information about configuring Kerberos authentication with the J2EE Engine, see the following topics:
· Kerberos Key Distribution Center Configuration
Information about required configuration settings on the KDC, such as creating a service user and a Kerberos keytab for the J2EE Engine.
· J2EE Engine Configuration for Kerberos
Information about required modifications to the login module stacks, importing required Kerberos files from the KDC and the required configuration for the J2EE Engine and the UME.
· Accessing J2EE Engine Resources with Kerberos Authentication
Information about Web client configuration for using Kerberos authentication.
SPNego does not provide transport layer security: the SPNego token travels in clear in the HTTP headers, as does the rest of the request and response. Therefore, we recommend that you use transport layer security mechanisms, such as SSL, for the SPNego communication with the J2EE Engine. For more information, see Network and Transport Layer Security.
For an example of the Kerberos authentication process, see the figure below:
[Figure: Example of Kerberos authentication with the J2EE Engine]
1. The Web client requests a J2EE Engine resource with an HTTP GET request.
2. The J2EE Engine answers with a 401 response that carries the HTTP header "WWW-Authenticate: Negotiate".
3. The Web client recognizes that the J2EE Engine host is a member of the Kerberos realm and obtains a Kerberos Client/Server Session Ticket for the J2EE Engine from the KDC. If the client cannot obtain a ticket (for example, because the host is not trusted for integrated authentication in the browser's security settings or no service principal name is registered for it), a Windows client may instead send an NTLM token inside the Negotiate scheme; the login module processes Kerberos tokens only, so such a request is not authenticated.
4. The Web client then resends the request with the Kerberos Client/Server Session Ticket wrapped as a SPNego token in the HTTP Authorization header ("Authorization: Negotiate <Base64-encoded token>") and includes it in subsequent requests to the J2EE Engine.
5. The SPNegoLoginModule reads the token from the HTTP request and passes it to the Kerberos implementation of the JDK.
6. The result is either a successful client authentication, a rejection of the client request, or an indication that another round trip is necessary. In the case of failure or a required round trip, the Kerberos implementation of the JDK generates an output token, which the J2EE Engine wraps as a SPNego token and returns to the Web client in the WWW-Authenticate header of its 401 response.
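The server side of steps 1 to 6, as an added example that is not SAP code and not the SPNegoLoginModule itself. It models the HTTP framing that sits in front of the Kerberos library: the 401 challenge, parsing of the Authorization header, the distinction between a SPNego token and the NTLMSSP blob a Windows client sends when it could not obtain a ticket, and the continuation response of step 6. Actual ticket validation needs the JDK's Kerberos implementation and the service keytab, so it is replaced by a pluggable acceptor callback (toy_acceptor); every sample token is constructed, and the inner bytes are placeholders rather than real ASN.1.

```python
"""Server side of the HTTP Negotiate exchange (added example, not SAP code)."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_token(tok: bytes) -> str:
    """Identify what the client put after 'Negotiate ' without fully decoding it."""
    if tok.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # RFC 2743 InitialContextToken: 0x60 <length> 0x06 <oid length> <oid> <inner token>
    if len(tok) > 2 and tok[0] == 0x60:
        body = tok[2:] if tok[1] < 0x80 else tok[2 + (tok[1] & 0x7F):]
        if len(body) > 2 and body[0] == 0x06:
            oid = body[2:2 + body[1]]
            if oid == SPNEGO_OID:
                return "spnego"
            if oid == KRB5_OID:
                return "krb5"  # raw Kerberos AP-REQ without the SPNEGO wrapper
    return "unknown"


def wrap_spnego(inner: bytes) -> bytes:
    """Constructed helper: GSS header plus SPNEGO OID around an inner blob (short lengths only)."""
    body = b"\x06" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID + inner
    return b"\x60" + bytes([len(body)]) + body


def negotiate_header(tok: bytes) -> dict:
    """What the client sends in step 4."""
    return {"Authorization": "Negotiate " + base64.b64encode(tok).decode()}


# Constructed sample tokens; inner bytes are placeholders, not real ASN.1.
SAMPLE_SPNEGO_OK = wrap_spnego(b"OK:alice@EXAMPLE.COM")
SAMPLE_SPNEGO_CONTINUE = wrap_spnego(b"CONTINUE")
SAMPLE_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"


def toy_acceptor(tok: bytes):
    """Stand-in for the JDK GSS acceptor.  Returns (principal, output_token)."""
    inner = tok[2 + 2 + len(SPNEGO_OID):]
    if inner.startswith(b"OK:"):
        return inner[3:].decode(), None
    if inner == b"CONTINUE":
        return None, wrap_spnego(b"SERVER-STEP")  # another leg is needed
    return None, None


def handle_request(headers: dict, accept_token=toy_acceptor):
    """Return (status, response headers, authenticated principal or None)."""
    challenge = {"WWW-Authenticate": "Negotiate"}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge, None  # step 2
    scheme, _, b64 = auth.partition(" ")
    if scheme != "Negotiate" or not b64:
        return 401, challenge, None
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return 400, {}, None
    kind = classify_token(tok)
    if kind == "ntlm":
        # Kerberos only: an NTLM fallback must not be treated as an authentication.
        return 401, challenge, None
    if kind not in ("spnego", "krb5"):
        return 400, {}, None
    principal, out_tok = accept_token(tok)  # step 5
    if principal is not None:
        return 200, {}, principal
    if out_tok is not None:  # step 6: continue needed, token goes back in WWW-Authenticate
        return 401, {"WWW-Authenticate": "Negotiate " + base64.b64encode(out_tok).decode()}, None
    return 401, challenge, None
```

In a real deployment the header lookup must be case-insensitive and the acceptor is the JDK GSS context initialised from the keytab; the rest of the control flow is what a front-end or login module has to get right, in particular never letting an NTLM blob or a malformed token through as an authenticated request.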
See also: