SPNego for Kerberos Authentication on the NetWeaver Application Server Java
SAP NetWeaver Application Server (AS) Java supports Kerberos authentication for Web-based access with the Simple and Protected GSS API Negotiation Mechanism (SPNego). SPNego enables you to use Kerberos authentication without an intermediary web server and independently of the underlying operating system (OS) of the SAP NetWeaver host.
The following image and steps provide an overview of the communication flow and the systems involved in Kerberos authentication with SAP NetWeaver AS Java (source: help.sap.com).
- The Web client accesses an AS Java resource with a GET request.
- The AS Java returns a 401 response code (unauthorized) with a request to initiate SPNego authentication.
- The Web client recognizes that the host of the AS Java is a member of the Kerberos realm and procures a ticket from the KDC.
- The Web client then sends the ticket to the AS Java wrapped as a SPNego token.
- The SPNegoLoginModule reads the token and authenticates the user.
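To make the exchange above concrete, here is an added Python model of the AS Java side of the handshake; it is illustrative code, not SAP's implementation. It assumes only the standard GSS-API token layout (SPNEGO OID 1.3.6.1.5.5.2, Kerberos V5 OID 1.2.840.113554.1.2.2) and uses constructed sample tokens; the NTLM check is a troubleshooting aid, since a browser that does not treat the host as a Kerberos realm member may send an NTLM token the SPNegoLoginModule cannot use.

```python
import base64

# OIDs as DER-encoded contents (no tag/length), used to recognise the mechanism.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLM_MAGIC = b"NTLMSSP\x00"                       # signature of an NTLMSSP message

def classify_token(raw: bytes) -> str:
    """Name the mechanism a decoded 'Negotiate' token carries."""
    if raw.startswith(NTLM_MAGIC):
        return "ntlm"                  # browser fell back to NTLM; not usable by AS Java
    if raw[:1] == b"\x60":             # GSS-API InitialContextToken ([APPLICATION 0])
        if SPNEGO_OID in raw[:16]:     # SPNEGO wrapper; look for Kerberos in mechTypes
            return "spnego-kerberos" if KRB5_OID in raw else "spnego-other"
        if KRB5_OID in raw[:16]:
            return "kerberos-raw"      # AP-REQ sent without the SPNEGO wrapper
    return "unknown"

def handle_request(headers: dict):
    """Model the AS Java side: challenge first, then accept only an SPNEGO/Kerberos token.
    Returns (status, response headers, what the server would do next)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"   # GET -> 401 Negotiate
    try:
        raw = base64.b64decode(auth[len("Negotiate "):], validate=True)
    except ValueError:
        return 400, {}, "malformed token"
    mech = classify_token(raw)                                        # token arrives
    if mech == "spnego-kerberos":
        return 200, {}, "hand token to SPNegoLoginModule"
    return 401, {"WWW-Authenticate": "Negotiate"}, "rejected: " + mech

def negotiate_header(raw: bytes) -> dict:
    """Build the request header the Web client sends with its SPNego token."""
    return {"Authorization": "Negotiate " + base64.b64encode(raw).decode()}

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV (short-form length is enough for these samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample: SPNEGO NegTokenInit offering Kerberos V5; the mechToken is a
# placeholder, not a real AP-REQ, so only the mechanism negotiation is shown.
SAMPLE_SPNEGO = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30,
    der(0xA0, der(0x30, der(0x06, KRB5_OID))) +      # mechTypes [0]
    der(0xA2, der(0x04, b"\x00" * 8)))))              # mechToken [2] (placeholder)
# Constructed sample: start of an NTLMSSP NEGOTIATE message.
SAMPLE_NTLM = NTLM_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 8

if __name__ == "__main__":
    for name, hdrs in [("no header", {}), ("kerberos", negotiate_header(SAMPLE_SPNEGO)),
                       ("ntlm", negotiate_header(SAMPLE_NTLM))]:
        print(name, handle_request(hdrs))
```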
AS Java SPNego versions
The original implementation of SPNego for Kerberos authentication, commonly referred to as the ‘old’ or ‘legacy’ implementation, was introduced with J2EE Engine 640 SP15 and made use of the Krb5LoginModule from Sun/Oracle. Due to a limitation in the JDK, only Data Encryption Standard (DES) was supported in the legacy SPNego implementation. Part of the authentication process required direct communication between the AS Java and the Key Distribution Center (KDC).
The ‘new’ implementation of SPNego for Kerberos authentication supports DES and RC4-HMAC (and AES in 7.20 and above) and was introduced with the following release and SP levels:
- SAP NetWeaver Web AS 2004 (6.40) SP27
- SAP NetWeaver Web AS 2004S (7.00) SP23
- SAP NetWeaver Web AS 2004S EhP1 (7.01) SP08
- SAP NetWeaver Web AS 2004S EhP2 (7.02) SP06
- SAP NetWeaver Web AS 710 SP15
- SAP NetWeaver Web AS 711 EhP1 (7.11) SP10
- SAP NetWeaver Web AS 720 SP2
- SAP NetWeaver Web AS 730 SP1
- SAP NetWeaver Web AS 731 SP1
- SAP NetWeaver Web AS 740 SP1
With the new implementation, no communication between the AS Java and the KDC takes place during client authentication.
If a system is updated to one of the above SP levels and it was previously using legacy SPNego, migration of the configuration to the new SPNego implementation is possible.
The new SPNego implementation offers more user resolution flexibility and is considerably easier to configure than the legacy version. It can also be disabled using a request parameter.
For more information on the new SPNego implementation refer to SAP note 1488409 - New SPNego Implementation and the guide attached to it.
To allow 6.40 and 7.0x systems not yet updated to an SP level where the new SPNego is available to support RC4-HMAC, the so-called SPNego add-on was made available as a deployable solution via SAP note 1457499 - SPNego add-on.
- SAP Note 994791 - SPNego Wizard
- SAP note 1488409 - New SPNego Implementation. Refer to the guide attached to the note for information on configuring the new SPNego implementation and migrating an existing configuration.
- SAP note 1457499 - SPNego add-on
- SAP KBA 1938645 - Troubleshooting Kerberos authentication user resolution issues (New SPNego, Add-on)
- SAP Note 1313880 - SPNego with DNS aliases
- Holger Bruchelt's SCN blog: SSO with SPNego not working on Windows 7 / Windows 2008 R2 (Legacy only)
- SAP Note 1082560 - SAP AS Java can not start after running SPNego wizard (Legacy only)
- SAP Note 1641301 - KDC has no support for encryption type (Legacy only)