SPNEGO CONFIGURATION GUIDE

Applies To:
SAP NetWeaver Engine
NetWeaver 04 (6.40)
NetWeaver 04S (7.00)
NetWeaver 04S EhP1 (7.01)
NetWeaver 04S EhP2 (7.02)

Summary:
This document contains detailed instructions on installation and configuration of the new
SPNego add-on.

Author: Dimitar Dimkin


Company: SAP AG
2010

Table of Contents
1. Introduction
2. Prerequisites
3. Deployment
4. Access to the user interface
5. Creating a new realm
6. Configuring the user mapping
7. Configuring the encryption keys
8. Enabling the realm
9. Adjusting the policy configuration
10. Troubleshooting

SAP AG 2007

1. INTRODUCTION
The purpose of the SPNego add-on is to provide a solution to the problems caused by the newer Windows releases (Windows Vista, Windows 7, Windows Server 2008 R2), which no longer enable DES as a Kerberos encryption type by default. This causes the old SPNegoLoginModule to fail because it cannot decrypt the Kerberos token received in the request. The add-on supports both the DES and the RC4-HMAC encryption types.
A workaround provided by Microsoft exists which re-enables DES encryption on the Domain Controller and makes it behave as the older Windows versions did. More information can be found in SAP Note 1396724.
This document is targeted specifically at the add-on, but chapters 5 through 9 can also be used for configuring the new SPNego in its official release when it becomes available.


2. PREREQUISITES
Depending on whether you have a working configuration of the old SPNegoLoginModule or not, there are several prerequisites that must be met before the new configuration can be completed successfully.

I. A working configuration exists

In this case all the prerequisites have already been met. When configuring the encryption keys of the realm in the configuration UI, you can select the already existing keytab file (if you used the SPNego Wizard to configure the old SPNego authentication, it is located on your central instance under /usr/sap/<SID>/SYS/global/kerberos).

II. A working configuration does not exist

In this case you must carry out several procedures so that the other parties in the SPNego mechanism are configured properly.
1. Service user: you must create a valid service user in the Active Directory. A service user is considered valid when:
a) The password of this user never expires.
b) The host name under which the J2EE engine which is to use SPNego authentication is reached is registered as an SPN (Service Principal Name) with this user. For example, if the name of the user is "sapdemo" and the host name of the J2EE engine is "testspnego.sap.com", you can set the SPN by executing the Active Directory command
"setspn -A HTTP/testspnego.sap.com sapdemo".
(On Windows Server 2008 and later, "setspn -S" performs the uniqueness check of point c) before adding the SPN.)
c) All of the user's SPNs are unique within the whole Active Directory (i.e. only this user has them). You can check this by executing the Active Directory command
"ldifde -r (serviceprincipalname=HTTP/<alias>) -f out.txt".
The output must contain only one entry: the service user to which this SPN is registered. If the SPN is registered to more than one account, the KDC cannot reliably pick the right key for the service ticket and SPNego authentication fails.
In addition, if you want to use DES as the encryption type, you must select the "Use DES encryption types for this account" check box in the service user's properties. Since the add-on supports RC4-HMAC, this is only necessary for compatibility with an existing DES configuration; DES has a 56-bit key and should not be chosen for new installations.
2. Keytab file: you must create a valid keytab file which contains encryption keys for the realm you are going to configure. A new keytab file must be created every time the service user or its password is changed, therefore it is a good idea to keep the number of such changes as low as possible.
The two Kerberos configuration files created by the old SPNego wizard are no longer needed, and you do not need to keep anything in \usr\sap\<SID>\SYS\global\kerberos. The purpose of the keytab file is to transport the encryption keys from the domain controller to the J2EE engine; once it is uploaded in the new configuration UI, the file is no longer needed. Since the keytab contains the service user's long-term key, which is all that is needed to impersonate the J2EE engine or to decrypt captured tokens, delete it from every location it was copied to after the upload.
Keytab files are created via tools provided by the specific Active Directory vendor; for more information contact your Active Directory administrator. One tool provided by the JDK itself has been tested to work. It is called ktab and you can use the following syntax:
ktab -a <principal_name>@<REALM> -k <keytab_file_name>
For more information on its full syntax, you can run
ktab -help
This tool derives keys for all encryption types that it supports from the password you enter. If you want to create a key for DES, you must use the ktab provided by JDK 1.5 or higher. If you need a key for RC4-HMAC, you have to use the ktab that comes with JDK 1.6.
3. Browser: the browser must be configured so that it can communicate with the Key Distribution Center, obtain a valid Kerberos token for the J2EE engine from it and send the token with the request.

a) Internet Explorer
- enable "Enable Integrated Windows Authentication": Tools -> Internet Options -> Advanced -> Security
- enable automatic logon in the intranet zone: Tools -> Internet Options -> Security -> Local Intranet -> Custom level -> "Automatic logon only in Intranet Zone"
- add the J2EE engine host name to the list of local intranet sites: Tools -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced
- bypass the proxy server (if present) for the J2EE engine: Tools -> Internet Options -> Connections -> LAN Settings -> Proxy server -> Advanced -> Exceptions

b) Mozilla Firefox
- bypass the proxy server (if present) for the J2EE engine: Tools -> Options -> Advanced -> Network -> Settings -> "No proxy for:"
- adjust the negotiation properties for integrated authentication:
o enter the URL "about:config" in the address bar
o filter the properties using "nego"
o set the values of the properties "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" to "http://<server_alias>"
Note that "network.negotiate-auth.delegation-uris" makes Firefox forward the user's Kerberos credentials to the listed hosts. Unless the J2EE engine has to act on the user's behalf towards other Kerberos services, leave it empty and set only "network.negotiate-auth.trusted-uris".
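As an added example that is not part of this guide or of the SPNego add-on, the following Python script reads a keytab in the MIT format that ktab writes and reports which encryption types it holds for the service principal. This is the same information the configuration UI shows after the upload, and a quick way to confirm beforehand that the file actually contains an RC4-HMAC key rather than only DES keys, which is the case the introduction describes as failing against current Windows clients. The keytab bytes are constructed in memory with dummy key material (build_keytab exists only to produce that test input); the principal HTTP/testspnego.sap.com@SPNEGO.SAP.COM is the SPN from step 1 and is an assumption about what you passed to ktab.

```python
"""Added example: inspect a keytab in the MIT v2 format that ktab/ktpass write
and report which Kerberos encryption types it holds for the SPNego service
principal.  Not part of the SAP guide or the SPNego add-on.  SAMPLE_KEYTAB is
constructed below with dummy key bytes; real keys are secret and come from ktab."""
import struct

# Encryption type numbers from the IANA Kerberos registry (RFC 3961, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DES_TYPES = {1, 3}


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v2 keytab.

    Only used to construct test input; in practice ktab writes the file."""
    out = bytearray(b"\x05\x02")                    # keytab format version 0x0502
    for principal, realm, kvno, enctype, key in entries:
        comps = [c.encode() for c in principal.split("/")]
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">I", 1)                # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)      # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)             # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body  # signed: negative = deleted slot
    return bytes(out)


class _Reader:
    """Cursor over one keytab entry."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return vals

    def read(self, n):
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def remaining(self):
        return len(self.buf) - self.off


def parse_keytab(data):
    """Yield one dict per live entry; deleted (negative-size) slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab v2 file (expected 0x0502 header)")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        r = _Reader(data[pos:pos + size])
        pos += size
        (ncomp,) = r.unpack(">H")
        (rlen,) = r.unpack(">H")
        realm = r.read(rlen).decode()
        comps = [r.read(r.unpack(">H")[0]).decode() for _ in range(ncomp)]
        r.unpack(">I")                              # name_type (unused here)
        r.unpack(">I")                              # timestamp
        (kvno,) = r.unpack(">B")
        enctype, klen = r.unpack(">HH")
        key = r.read(klen)
        if r.remaining() >= 4:                      # 32-bit kvno overrides the 8-bit one
            (kvno,) = r.unpack(">I")
        yield {"principal": "/".join(comps), "realm": realm, "kvno": kvno,
               "enctype": enctype, "key": key}


def check_keytab(data, spn, realm):
    """Summarise which encryption types the keytab offers for spn@realm."""
    types = sorted({e["enctype"] for e in parse_keytab(data)
                    if e["principal"] == spn and e["realm"] == realm})
    return {
        "enctypes": [ENCTYPE_NAMES.get(t, f"unknown({t})") for t in types],
        "has_rc4": 23 in types,
        # A DES-only keytab is exactly what fails against Vista/7/2008 R2 clients.
        "des_only": bool(types) and set(types) <= DES_TYPES,
    }


# Constructed input: the SPN from step 1 with an RC4-HMAC and a DES-CBC-MD5 key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/testspnego.sap.com", "SPNEGO.SAP.COM", 2, 23, b"\x11" * 16),
    ("HTTP/testspnego.sap.com", "SPNEGO.SAP.COM", 2, 3, b"\x22" * 8),
])

if __name__ == "__main__":
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/testspnego.sap.com", "SPNEGO.SAP.COM"))
```

To inspect a real file, call check_keytab(open(path, "rb").read(), spn, realm); a result with des_only set means the keytab was generated with a ktab that does not produce RC4-HMAC keys (JDK 1.5) and must be regenerated with the JDK 1.6 ktab before current Windows clients will authenticate.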

3. DEPLOYMENT
There are three deployable components:
spnego.cfg.sda - a J2EE library which contains the basic functionality needed by the login module and the configuration UI
spnego.lm.sda - a J2EE library which contains the SPNEGOLoginModule
sap.com~spnego.cfg.wd.ear - a WebDynpro application which is used for configuration of the new SPNEGOLoginModule
The three archives depend on each other, but the dependencies are resolved only at run time, not at deploy time. That is why they must be deployed in a strict order:
1. Firstly, deploy spnego.cfg.sda
2. Secondly, deploy spnego.lm.sda
3. Lastly, deploy sap.com~spnego.cfg.wd.ear
NB! When deploying, do not select all of the archives at once. Deployment will fail if the components are not deployed one at a time in the order specified above.
These components are deployed online and do not require a server restart.


4. ACCESS TO THE USER INTERFACE

The configuration UI is accessible under:
http://<host>:<port>/spnego2/cfg
If for some reason this does not work, you can also use the full URL:
http://<host>:<port>/webdynpro/dispatcher/sap.com/spnego.cfg.wd/SPNEGO
You must log in with a user with administrator privileges.


5. CREATING A NEW REALM

Click the "Add" button and fill in the name and the description of the realm you want to add. The names of all realms must be unique; the description field is not mandatory.

This creates a new realm which is not yet configured and is inactive. If you want to use it you must configure its user mapping and encryption keys and then activate it.


6. CONFIGURING THE USER MAPPING

This step corresponds to the definition of the resolution mode in the old SPNego configuration UI.
Make sure the realm you want to modify is selected and click the "Edit" button. The "User Mapping" tab below the realms table becomes active. You must select both a user mapping mode and a user mapping source; the combination of the two determines the user mapping for the selected realm. Do not forget to save the changes when done.

You can define the namespace of a user attribute if applicable. Should you choose to omit it, the default UME attribute namespace will be used.
Whichever combination you choose, the attribute values taken from the Kerberos principal must identify exactly one user in the user store; a mapping that matches several users is a misconfiguration and cannot be used to log anyone on.
Suppose we have a user named "sapdemo" that belongs to the domain "SPNEGO.SAP.COM". This user will be used in the examples below.
Possible user mappings:

I. Mode = "principal only", Source = "logon id"

This means that the user in the user store must have their "logonid" attribute equal to "sapdemo".


II. Mode = "principal only", Source = "logon alias"

This means that the user in the user store must have their "logonalias" attribute equal to "sapdemo". This mapping can be used when the data source is ABAP or LDAP.

III. Mode = "principal only", Source = "user attribute"

In this case you must specify the user attribute which is to contain the name of the user. This attribute refers to the data source configuration file and not to the actual user store, meaning that you either have to map this attribute to a physical one, or leave it as it is and fill it in for every single user manually.
For instance, if we specify "email" as the user attribute, this means that the user in the user store must have their "email" (or mapped) attribute equal to "sapdemo".

IV. Mode = "principal@REALM", Source = "logon id"

This means that the user in the user store must have their "logonid" attribute equal to "sapdemo@SPNEGO.SAP.COM".


V. Mode = "principal@REALM", Source = "logon alias"

This means that the user in the user store must have their "logonalias" attribute equal to "sapdemo@SPNEGO.SAP.COM". This mapping can be used when the data source is ABAP or LDAP.

VI. Mode = "principal@REALM", Source = "user attribute"

In this case you must specify the user attribute which is to contain the name of the user. This attribute refers to the data source configuration file and not to the actual user store, meaning that you either have to map it to a physical one, or leave it as it is and fill it in for every single user manually.
For instance, if we specify "email" as the user attribute, this means that the user in the user store must have their "email" (or mapped) attribute equal to "sapdemo@SPNEGO.SAP.COM".

VII. Mode = "principal and REALM", Source = "ADS Data Source"
This mapping can be used when the data source is LDAP. By default the data source configuration files provided by SAP contain two user account attributes named "principal" and "realm". The first one is mapped to the physical attribute "samaccountname" and the second one to nothing. This can be changed, but if you choose not to map an attribute to a physical user attribute, you are going to have to maintain the value of this attribute manually for every single user.
This means that the user in the user store must have their "principal" (or mapped) attribute equal to "sapdemo" and their "realm" (or mapped) attribute equal to "SPNEGO.SAP.COM". Of the eight combinations, only the two "principal and REALM" modes check the realm as a separate attribute; with "principal only" the realm of the token is ignored, so users with the same name in two configured realms resolve to the same UME user.


VIII. Mode = "principal and REALM", Source = "user attributes"

In this case you must specify the user attributes which are to contain the principal and the realm of the user. These attributes refer to the data source configuration file and not to the actual user store, meaning that you either have to map them to physical ones, or leave them as they are and fill them in for every single user manually.
For instance, if we specify "email" as the user attribute for the principal and "city" as the user attribute for the realm, this means that the user in the user store must have their "email" (or mapped) attribute equal to "sapdemo" and their "city" (or mapped) attribute equal to "SPNEGO.SAP.COM".
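The eight combinations above reduce to a small lookup rule. The following Python is an added example, not code from this guide or from the SPNego add-on: it derives the UME attribute criteria for each mode/source pair from a Kerberos principal and resolves them against a constructed in-memory user store, refusing the logon when zero or several users match. The store, its attribute values and the custom attribute names "email" and "city" are constructed for illustration; "principal" and "realm" stand in for the two attributes of SAP's ADS data source files, and the real lookup runs against UME.

```python
"""Added example: resolve a Kerberos principal to a UME user for the eight
mode/source combinations of the user mapping step.  Not part of the SAP guide
or the SPNego add-on; USER_STORE and the attribute names are constructed for
illustration and the real lookup runs against UME and its data source file."""

# Constructed UME user store.  'principal'/'realm' play the role of the two
# attributes from SAP's ADS data source files; 'email'/'city' are the custom
# attributes used in the examples above.
USER_STORE = [
    {"uid": "U1", "logonid": "sapdemo", "logonalias": "demo1",
     "email": "sapdemo@SPNEGO.SAP.COM", "city": "Walldorf",
     "principal": "sapdemo", "realm": "SPNEGO.SAP.COM"},
    {"uid": "U2", "logonid": "sapdemo@SPNEGO.SAP.COM", "logonalias": "demo2",
     "email": "demo2@example.invalid", "city": "Walldorf",
     "principal": "demo2", "realm": "SPNEGO.SAP.COM"},
    {"uid": "U3", "logonid": "sapdemo2", "logonalias": "sapdemo",
     "email": "sapdemo", "city": "SPNEGO.SAP.COM",
     "principal": "sapdemo", "realm": "OTHER.SAP.COM"},
    {"uid": "U4", "logonid": "sapdemo3", "logonalias": "demo4",
     "email": "sapdemo", "city": "Rot",
     "principal": "demo4", "realm": "SPNEGO.SAP.COM"},
]

SOURCE_ATTRIBUTE = {"logon id": "logonid", "logon alias": "logonalias"}


def split_principal(kerberos_name):
    """'sapdemo@SPNEGO.SAP.COM' -> ('sapdemo', 'SPNEGO.SAP.COM')."""
    if "@" not in kerberos_name:
        raise ValueError("expected principal@REALM from the Kerberos token")
    return tuple(kerberos_name.rsplit("@", 1))


def mapping_criteria(kerberos_name, mode, source, attributes=()):
    """Return {ume_attribute: expected_value} for one mode/source pair.

    `attributes` names the custom attribute(s) for the 'user attribute(s)'
    sources: (attr,) for the two 'principal ...' modes, (principal_attr,
    realm_attr) for 'principal and REALM'."""
    principal, realm = split_principal(kerberos_name)
    if mode == "principal and REALM":
        if source == "ADS Data Source":
            p_attr, r_attr = "principal", "realm"   # defaults of SAP's ADS data source files
        elif source == "user attributes":
            p_attr, r_attr = attributes
        else:
            raise ValueError(f"source {source!r} not valid for mode {mode!r}")
        return {p_attr: principal, r_attr: realm}
    if mode == "principal only":
        value = principal                           # the realm is discarded
    elif mode == "principal@REALM":
        value = f"{principal}@{realm}"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if source == "user attribute":
        (attr,) = attributes
    elif source in SOURCE_ATTRIBUTE:
        attr = SOURCE_ATTRIBUTE[source]             # logon alias: ABAP or LDAP only
    else:
        raise ValueError(f"source {source!r} not valid for mode {mode!r}")
    return {attr: value}


def resolve_user(kerberos_name, mode, source, attributes=(), store=USER_STORE):
    """Return the uid of the single matching user.

    Zero matches means an unknown user; more than one means the mapping is
    ambiguous, and logging anyone on in that situation would let one user
    act as another, so both cases are rejected."""
    criteria = mapping_criteria(kerberos_name, mode, source, attributes)
    matches = [u for u in store if all(u.get(a) == v for a, v in criteria.items())]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} users match {criteria}; logon refused")
    return matches[0]["uid"]


if __name__ == "__main__":
    for mode, source, attrs in [
        ("principal only", "logon id", ()),
        ("principal@REALM", "logon id", ()),
        ("principal and REALM", "ADS Data Source", ()),
        ("principal and REALM", "user attributes", ("email", "city")),
    ]:
        print(mode, "/", source, "->", resolve_user("sapdemo@SPNEGO.SAP.COM", mode, source, attrs))
```

Note how the same token resolves to U1, U2 or U3 depending only on the configured combination, and how "principal only" lets sapdemo@OTHER.SAP.COM log on as the same UME user as sapdemo@SPNEGO.SAP.COM, whereas the "principal and REALM" modes keep the two apart.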

7. CONFIGURING THE ENCRYPTION KEYS

This step is new compared to the old SPNego configuration UI, but it eliminates the need for a connection from the J2EE engine to the KDC.
Make sure the realm you want to modify is selected and click the "Edit" button. The "Keys" tab below the realms table becomes active. Navigate to a valid keytab file that contains encryption keys for the selected realm and upload it. You will be presented with a list of all the valid encryption keys available in this keytab file. Select the ones you want and click the "OK" button. Do not forget to save the changes when done.

Note that if you used to have a working SPNego configuration which was completed with the help of the SPNego Wizard, you can take the keytab file created by the Wizard. It is located on your central instance under /usr/sap/<SID>/SYS/global/kerberos.


8. ENABLING THE REALM

Once you have configured the realm's user mapping and encryption keys, you have to activate it in order to use it. If you do not activate the realm it will not be used during authentication even though the rest of its configuration might be correct.
Make sure the realm you want to enable is selected and click the "Edit" button, followed by the "Enable" button. Do not forget to save the changes when done.


9. ADJUSTING THE POLICY CONFIGURATION

As with the old SPNegoLoginModule, if you want certain applications to use Kerberos authentication, you have to adjust their policy configurations. In order to configure the new SPNEGOLoginModule for the Portal and all WebDynpro applications, do the following:
1. Log on to the Visual Administrator.
2. Navigate to ServerXXX -> Services -> Security Provider.
3. Select the "ticket" template and make sure it does not reference another policy configuration.
4. Add the SPNEGOLoginModule login module to the list of login modules:
4.1. If the old SPNegoLoginModule is present, remove it and put the new SPNEGOLoginModule in its position. Normally its flag should be OPTIONAL.
4.2. If the old SPNegoLoginModule is not present, simply add the new SPNEGOLoginModule to the list. Normally its position should be 2 and its flag OPTIONAL. You also need to add the CreateTicketLoginModule right after it, with position 3 and flag SUFFICIENT.
The flags matter: a browser that sends no Kerberos token makes the SPNEGOLoginModule fail, and with OPTIONAL that failure does not abort the stack, so the modules after it (such as a password logon) still get their turn. CreateTicketLoginModule is SUFFICIENT so that, once SPNego has established the user, a logon ticket is issued and the stack returns success without invoking the remaining modules.

In case you want to use Kerberos authentication for a specific application, you have to find its policy configuration and add the modules there as well.
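The following Python is an added example, not SAP code, that simulates how a JAAS login module stack such as the Security Provider's "ticket" template is evaluated under the standard control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), to make the effect of the flags in step 4 visible. The four module functions are stand-ins for the real login modules and only mimic their decisions; the guide names only positions 2 and 3, so the EvaluateTicketLoginModule at position 1 and the BasicPasswordLoginModule at position 4 in TICKET_TEMPLATE are assumptions about the rest of the template, and all tokens and passwords are constructed.

```python
"""Added example: simulate how a JAAS login module stack like the Security
Provider's "ticket" template evaluates its control flags, to show why
SPNEGOLoginModule is OPTIONAL and CreateTicketLoginModule SUFFICIENT.  Not SAP
code: the module functions are stand-ins, the entries at positions 1, 4 and 5 are
assumed, and all credentials below are constructed."""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Constructed secrets.  A real SPNEGOLoginModule would decrypt the AP-REQ in the
# Negotiate header with the realm's keytab key; here a token string stands in.
VALID_SSO_TICKETS = {"MYSAPSSO2-constructed": "sapdemo"}
VALID_KERBEROS_TOKENS = {"NEGOTIATE-TOKEN-constructed": "sapdemo"}
PASSWORDS = {"alice": "correct horse"}


def evaluate_ticket(request, state):
    """Position 1 (assumed): accept an existing SAP logon ticket."""
    user = VALID_SSO_TICKETS.get(request.get("sso_ticket"))
    if user:
        state["user"] = user
    return user is not None


def spnego(request, state):
    """Position 2: validate the Kerberos token from the Negotiate header."""
    user = VALID_KERBEROS_TOKENS.get(request.get("negotiate_token"))
    if user:
        state["user"] = user
    return user is not None


def create_ticket(request, state):
    """Positions 3 and 5: issue a logon ticket if an earlier module set the user."""
    if "user" not in state:
        return False
    state["ticket_issued"] = True
    return True


def basic_password(request, state):
    """Position 4 (assumed): user name/password fallback."""
    name, password = request.get("basic", (None, None))
    if name is None or PASSWORDS.get(name) != password:
        return False
    state["user"] = name
    return True


TICKET_TEMPLATE = [
    (evaluate_ticket, SUFFICIENT),
    (spnego, OPTIONAL),           # chapter 9, position 2
    (create_ticket, SUFFICIENT),  # chapter 9, position 3
    (basic_password, REQUISITE),
    (create_ticket, OPTIONAL),
]


def run_stack(stack, request):
    """Apply the JAAS control-flag semantics of javax.security.auth.login.

    Returns (success, user, trace); trace lists (module, flag, result) for
    every module that was actually invoked."""
    state, trace = {}, []
    required_failed = stopped_by_sufficient = non_required_succeeded = False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag in stack)
    for module, flag in stack:
        ok = module(request, state)
        trace.append((module.__name__, flag, ok))
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                required_failed = True
                if flag == REQUISITE:          # REQUISITE failure: stop immediately
                    break
        elif ok:
            non_required_succeeded = True
            if flag == SUFFICIENT and not required_failed:
                stopped_by_sufficient = True   # SUFFICIENT success: skip the rest
                break
    if required_failed:
        success = False
    elif stopped_by_sufficient or has_required:
        success = True                         # every REQUIRED/REQUISITE that ran succeeded
    else:
        success = non_required_succeeded
    return success, (state.get("user") if success else None), trace


if __name__ == "__main__":
    for request in ({"negotiate_token": "NEGOTIATE-TOKEN-constructed"},
                    {"basic": ("alice", "correct horse")},
                    {"basic": ("alice", "wrong")}):
        print(request, "->", run_stack(TICKET_TEMPLATE, request)[:2])
```

With a valid token the stack stops after position 3 and the password module is never invoked; without a token the OPTIONAL SPNEGO failure is ignored and the password fallback decides. Changing the SPNEGO flag to REQUISITE, as the test below does, makes every browser without a Kerberos ticket fail outright.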


10. TROUBLESHOOTING

Deploy the Web diagtool from SAP Note 1045019 on the J2EE server, run it and perform the following steps:
1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool

Then reproduce the problem and stop the tool. The generated zip file contains traces that should help you figure out what is going wrong. If you are unable to do so, open a message on the BC-JAS-SEC component and attach this archive; traces at this level can contain user names and authentication tokens, so review the archive before attaching it. Don't forget to include details about how you reproduce the problem along with the exact version of your engine.
