
Key Distribution Center Configuration

Use

Kerberos authentication uses a Key Distribution Center (KDC) to authenticate the client and to issue the Kerberos client/server session ticket that the Web client then presents to the AS Java. For this purpose the KDC maintains, for a Kerberos realm, the directory of users that can access AS Java resources.

This topic describes the KDC configuration that has to be in place before you can use SPNego for Kerberos authentication with the AS Java.

Features

The configuration steps are specific to the KDC that you use. For more information, see the documentation provided by your KDC vendor.

Note

If you use a Sun JDK to run the AS Java and the KDC is a Windows 2000 Domain Controller with ADS, you also have to disable delegation in the ADS to avoid errors during ticket verification.

Activities

       1.      Create a service user to identify the AS Java instance on the KDC. We recommend that you choose a naming convention for these users to help you identify them with their corresponding AS Java instances. For example, if your instance is called JD1 and this instance resides on a host named hades then you could name the service user jee-jd1-hades.

The service user represents an AS Java instance running on a specific host and must meet the following requirements:

                            a.      The password of the service user must never expire.

Caution

We recommend that you choose a strong password for the service user. For example, use a minimum length of 12 characters, with at least one digit, one special character and one uppercase letter.

                            b.      Use Data Encryption Standard (DES) encryption types for this account. Note that single DES is a weak 56-bit cipher and later Windows versions disable it by default, so the option has to be enabled explicitly for this one account; do not enable it domain-wide.

       2.      Register a Service Principal Name (SPN) for each of the DNS aliases that you use to access the AS Java.

Note

When you use a reverse proxy or an application level gateway to access the AS Java from the Web client, you have to add an SPN for the physical host name and for each DNS alias of the reverse proxy or application level gateway. In this scenario the Web client obtains a Kerberos ticket from the KDC for the reverse proxy or application level gateway host, not for the AS Java host, so a ticket is only issued if that host name is registered as an SPN.

Example

The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) for a user store.

Assumptions

For the purpose of this example we assume that:

·         The KDC is a Microsoft Windows 2000 Active Directory Server

·         The Windows Domain Name is IT.CUSTOMER.DE

·         The fully qualified host name of the AS Java is hades.customer.de.

·         The AS Java has an additional alias su3x24.customer.de.

Configuration steps on the DC


       1.      Create a service user jee-jd1-hades. Enable the Password Never Expires option for this user.

       2.      In the options for the user account, choose the option Use DES encryption types for this account.

       3.      From a command line, enter the following commands to register service principal names (SPNs) for the AS Java host name and alias and map them to the service user jee-jd1-hades:

setspn -A HTTP/hades.customer.de jee-jd1-hades

setspn -A HTTP/su3x24.customer.de jee-jd1-hades

Both names, the host name hades.customer.de and the alias su3x24.customer.de, are now registered as SPNs and associated with the AS Java service user on the Windows DC.

Result

To check the result of the configuration, enter the following command for each SPN you registered (the LDAP filter is given in parentheses and quoted so that the shell passes it through unchanged):

ldifde -f out.ldf -r "(servicePrincipalName=HTTP/hades.customer.de)"

The output file out.ldf contains exactly one entry, the service user you created. If it contains more than one entry, the SPN is registered on more than one account; the KDC then encrypts service tickets with the key of whichever account it finds first, and SPNego logons fail. Remove the SPN from the other account before you continue.
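The following script is an added example and not part of the SAP documentation. It performs the same KDC-side steps (service user with a non-expiring password, DES-only account flag, SPN registration, verification of the SPN owner) with the ActiveDirectory PowerShell module on a Windows Server 2008 R2 or later domain controller instead of the Windows 2000 GUI, setspn and ldifde. The domain, service user and host names are the ones assumed above; the OU path and the reverse proxy name are assumptions for the example and must be replaced with your own values.

```powershell
# Added example, not SAP's own code. Requires the ActiveDirectory module
# (RSAT-AD-PowerShell) and an account with rights to create users in the OU.
Import-Module ActiveDirectory

$Domain          = 'IT.CUSTOMER.DE'                                   # from the page
$ServiceUser     = 'jee-jd1-hades'                                    # from the page
$ServiceUserPath = 'OU=Service Accounts,DC=it,DC=customer,DC=de'      # assumed OU

# Every name a browser may use to reach the AS Java: the host, its alias, and
# (assumed for this example) the physical host name of a reverse proxy in front of it.
$Spns = @(
    'HTTP/hades.customer.de',
    'HTTP/su3x24.customer.de',
    'HTTP/proxy01.customer.de'
)

# Step 1: service user whose password never expires. The password is read
# interactively so that it does not end up in the script or the shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $ServiceUser (12+ chars, mixed classes)"
New-ADUser -Name $ServiceUser -SamAccountName $ServiceUser `
    -UserPrincipalName "$ServiceUser@$Domain" -Path $ServiceUserPath `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Step 2: "Use DES encryption types for this account" (UF_USE_DES_KEY_ONLY in
# userAccountControl). Set it on this account only; DES is weak and is disabled
# by default on Server 2008 R2 and later, so a domain-wide change is not wanted.
Set-ADAccountControl -Identity $ServiceUser -UseDESKeyOnly $true

# Step 3: register the SPNs. Refuse to continue if an SPN already exists on
# another object: a duplicate SPN makes the KDC issue tickets encrypted with the
# wrong key and every SPNego logon for that name fails.
foreach ($Spn in $Spns) {
    $Holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    $Others  = $Holders | Where-Object { $_.Name -ne $ServiceUser }
    if ($Others) {
        throw "SPN $Spn is already registered on: $($Others.DistinguishedName -join '; ')"
    }
}
Set-ADUser -Identity $ServiceUser -ServicePrincipalNames @{ Add = $Spns }

# Result: the equivalent of the ldifde query on the page. Exactly one object per
# SPN, and it must be the service user with the expected account flags.
foreach ($Spn in $Spns) {
    $Found = @(Get-ADUser -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName, PasswordNeverExpires, UseDESKeyOnly)
    if ($Found.Count -ne 1 -or $Found[0].SamAccountName -ne $ServiceUser) {
        throw "Unexpected owner for $Spn : $($Found.DistinguishedName -join '; ')"
    }
    if (-not $Found[0].PasswordNeverExpires) { throw "$ServiceUser password expires" }
    if (-not $Found[0].UseDESKeyOnly)       { throw "$ServiceUser is not DES-only" }
    Write-Host "OK  $Spn -> $($Found[0].DistinguishedName)"
}
```

The duplicate check before Set-ADUser is the part worth keeping even if you do the rest by hand: setspn -A on Windows 2000 does not refuse a name that is already registered elsewhere, and the resulting failure shows up on the client as a generic SPNego logon error rather than as a KDC-side message.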
