In this blog I will explain how you can use the Kerberos protocol to set up "single sign-on" from an SAP NetWeaver Application Server Java (AS Java) to both SAP and non-SAP backends, including Microsoft Sharepoint.
How to solve Server-to-Server Authentication
Many companies today have very specific requirements regarding authentication and single sign-on. For client-to-server authentication and Single Sign-On, SAP NetWeaver Single Sign-On provides a variety of different options taylored to meet your needs. To find the best solution for you, check out the Overview on SAP NetWeaver Single Sign-On.
However, if a server (in many cases this is an SAP NetWeaver Application Server Java) needs to access another backend server on behalf of the user, many customers use a generic service user with extensive authorizations. This can cause issues from both a security and a compliance point of view, as the logs only show the service user.
What can you do, if you want to use the appropriate authorizations and the correct audit entries in the backend system?
And if you want your solution to work across different platforms for both SAP and non-SAP systems?
Kerberos Constrained Delegation
Support Package 2 for SAP NetWeaver Single Sign-On 2.0 offers a solution: Kerberos Constrained Delegation using the SSO Extensions Library (SSOEXT). This solution works for all backend applications that support the Kerberos authentication standard.
How Does it Work?
In a nutshell, SAP NetWeaver AS Java uses the component SSOEXT to request a Kerberos ticket from the Key Distribution Center (KDC) on behalf of the user who has logged on to the AS Java. The KDC is part of Microsoft Active Directory. For the connection between the two servers, this Kerberos ticked is used for authentication to the backend server. This works for all backend applications that support the Kerberos authentication protocol, such as Microsoft Sharepoint.
Configuring the Scenario
You will find the documentation on how to configure, use and troubleshoot the scenario together with more background information here:
SSO Start page on SCN --> Documentation Release 2.0 --> Single Sign-On Extensions Library
A step-by-step configuration guide is part of the document series on how to connect SAP Mobile Documents (running on AS Java) to Microsoft Sharepoint.
- You need a product license for SAP NetWeaver Single Sign-On in order to download the component
- The extension for Kerberos constrained delegation must be installed on SAP NetWeaver Application Server
(AS) Java 7.30 or higher