Skip to end of metadata
Go to start of metadata

This page deals with Single Sign On to the J2EE Engine / Portal from Windows. Some time ago SAP offered and support the IISProxy module to use an IIS as a proxy that would authenticate the user. Then the username would be put in the HTTP Header and sent to the J2EE Engine. The engine would trust the IIS and create a SAPLogonTicket and let the user log in without having to enter the username / password again.

The IISProxy is no longer supported, but there are several alternatives available.

Using Kerberos / SPNego

Now SAP supports SPNego / Kerberos for authentication. SPNego has (among other reasons) the advantage, that you do not need an IIS. The authentication can be done directly on the J2EE Engine. Setting up SPNego can be a little complicated. The following pages will try to help in setting SPNego up.

    Blogs that deal with SPNego
    Configuring and troubleshooting SPNego -- Part 1
    Configuring and troubleshooting SPNego -- Part 2
    Configuring and troubleshooting SPNego -- Part 3    
    SAP Network Blog: Windows Integrated Authentication with SPNego    
    SAP Network Blog: kerberos implementation with ADS made easy
    SAP Network Blog: Unlashed: Kerberos ticket based single-sign-on with SAP J2EE engine
    SAP Network Blog: Windows Integrated Authentication via Kerberos on an LDAP data source 

    Notes that deal with SPNego
    Note 968191 - SPNego: Central Note

    Note 994791 - SPNego Wizard
    Note 1082560 - SAP AS Java can not start after running SPNego wizard

    Note 958107 - Using Diagtool for Troubleshooting Kerberos
    Note 957666 - Diagtool for Troubleshooting Security Configuration
    Note 1045019 - Web diagtool for collecting traces

    Note 934138 - IE browser sends NTLM token instead of Kerberos
    Note 1130190 - SPNego fails with "Failed to find any Kerberos Key"
    Note 1057474 - NullPointerException in KRB5LoginMoulex
    Note 1079609 - SPNego token cannot be decrypted
    Note 956833 - Password logon and Kerberos authentication
    Note 982044 - SPNego succeeds but overall logon fails
    Note 1073458 - GSS exception during SPNego authentication
    Note 986060 - Kerberos service user has userPassword LDAP attribute
    Note 935644 - Configuring Kerberos on NW04 against Database User Store
    Note 1005209 - Double Logon Screen

    Pages on
    Using Kerberos Authentication for Single Sign-On 

    External Pages that deal with SPNego / Kerberos
    Kerberos: The Network Authentication Protocol

    Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility

    Kerberos Infrastructure HOWTO



On the following pages errors (and hopefully solutions) that were not mentioned in the blogs are listed:  Troubleshooting

  • No labels