We apologize for the inconvenience, but we need to take the system offline while we improve the platform. Please plan your tasks accordingly.
Single Sign-On from Windows to the AS Java with SPNego
SAP NetWeaver Application Server (AS) Java enables you to use the Simple and Protected GSS API Negotiation Mechanism (SPNego) to negotiate Kerberos authentication with Web clients, such as Web browsers.
SAP uses two solutions for implementing SPNego:
- An SAP proprietary solution
- GSS-API delivered with the Java SDK
We recommend you use SAP's proprietary solution as it offers additional capabilities not currently offered in the Java SDK, such as encryption options other than DES, support for multiple realms, and an improved configuration wizard.
SAP's Properietary Solution
SAP intends to make this the default solution.
GSS-API from the Java SDK
Configuring and troubleshooting SPNego -- Part 1
Configuring and troubleshooting SPNego -- Part 2
Configuring and troubleshooting SPNego -- Part 3
Configuring SPNego with ABAP datasource
SAP Network Blog: Windows Integrated Authentication with SPNego
SAP Network Blog: kerberos implementation with ADS made easy
SAP Network Blog: Unlashed: Kerberos ticket based single-sign-on with SAP J2EE engine
SAP Network Blog: Windows Integrated Authentication via Kerberos on an LDAP data source
Note 934138 - IE browser sends NTLM token instead of Kerberos
Note 1130190 - SPNego fails with "Failed to find any Kerberos Key"
Note 1057474 - NullPointerException in KRB5LoginMoulex
Note 1079609 - SPNego token cannot be decrypted
Note 956833 - Password logon and Kerberos authentication
Note 982044 - SPNego succeeds but overall logon fails
Note 1073458 - GSS exception during SPNego authentication
Note 986060 - Kerberos service user has userPassword LDAP attribute
Note 935644 - Configuring Kerberos on NW04 against Database User Store
Note 1005209 - Double Logon Screen
Pages on help.sap.com
External Pages dealing with SPNego
Refer to SAP Help for configuration: Wizard-based configuration (SAP Help)
Refer to SAP Help for troubleshooting: link
Other tips & tricks
- Synchronize the clocks on the LDAP host, the AS Java host, and the client host.