
Single Sign-On from Windows to the AS Java with SPNego

SAP NetWeaver Application Server (AS) Java enables you to use the Simple and Protected GSS API Negotiation Mechanism (SPNego) to negotiate Kerberos authentication with Web clients, such as Web browsers.

SAP uses two solutions for implementing SPNego:

  • An SAP proprietary solution
  • GSS-API delivered with the Java SDK

We recommend you use SAP's proprietary solution as it offers additional capabilities not currently offered in the Java SDK, such as encryption options other than DES, support for multiple realms, and an improved configuration wizard.

SAP's Proprietary Solution

SAP intends to make this the default solution.

Useful Blog

New SPNego login module - just around the corner

Related Notes

Note 1396724 - SPNEGO fails with Vista SP3, Windows 7, Windows Server 2008 R2
Note 1457499 - SPNego add-on

GSS-API from the Java SDK

Useful Blogs

Configuring and troubleshooting SPNego -- Part 1
Configuring and troubleshooting SPNego -- Part 2
Configuring and troubleshooting SPNego -- Part 3
Configuring SPNego with ABAP datasource
SAP Network Blog: Windows Integrated Authentication with SPNego
SAP Network Blog: kerberos implementation with ADS made easy
SAP Network Blog: Unlashed: Kerberos ticket based single-sign-on with SAP J2EE engine
SAP Network Blog: Windows Integrated Authentication via Kerberos on an LDAP data source

Related Notes

Note 968191 - SPNego: Central Note

Note 994791 - SPNego Wizard
Note 1082560 - SAP AS Java can not start after running SPNego wizard

Note 958107 - Using Diagtool for Troubleshooting Kerberos
Note 957666 - Diagtool for Troubleshooting Security Configuration
Note 1045019 - Web diagtool for collecting traces

Note 934138 - IE browser sends NTLM token instead of Kerberos
Note 1130190 - SPNego fails with "Failed to find any Kerberos Key"
Note 1057474 - NullPointerException in KRB5LoginModule
Note 1079609 - SPNego token cannot be decrypted
Note 956833 - Password logon and Kerberos authentication
Note 982044 - SPNego succeeds but overall logon fails
Note 1073458 - GSS exception during SPNego authentication
Note 986060 - Kerberos service user has userPassword LDAP attribute
Note 935644 - Configuring Kerberos on NW04 against Database User Store
Note 1005209 - Double Logon Screen

Pages on help.sap.com

Using Kerberos Authentication for Single Sign-On

External Pages dealing with SPNego

Kerberos: The Network Authentication Protocol

Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility

Kerberos Infrastructure HOWTO

JavaDoc Class Krb5LoginModule
JavaDoc for Java 6
Sun SPNego Troubleshooting

Configuration

Refer to SAP Help for configuration: Wizard-based configuration (SAP Help)

Troubleshooting

Refer to SAP Help for troubleshooting: link

Other tips & tricks

  • Synchronize the clocks on the LDAP host, the AS Java host, and the client host.