Single Sign-On from Windows to the AS Java with SPNego
SAP NetWeaver Application Server (AS) Java enables you to use the Simple and Protected GSS API Negotiation Mechanism (SPNego) to negotiate Kerberos authentication with Web clients, such as Web browsers.
SAP uses two solutions for implementing SPNego:
- An SAP proprietary solution
- GSS-API delivered with the Java SDK
We recommend you use SAP's proprietary solution as it offers additional capabilities not currently offered in the Java SDK, such as encryption options other than DES, support for multiple realms, and an improved configuration wizard.
SAP's Proprietary Solution
SAP intends to make this the default solution.
Useful Blog
New SPNego login module - just around the corner
Related Notes
Note 1396724 - SPNEGO fails with Vista SP3, Windows 7, Windows Server 2008 R2
Note 1457499 - SPNego add-on
GSS-API from the Java SDK
Useful Blogs
Configuring and troubleshooting SPNego -- Part 1
Configuring and troubleshooting SPNego -- Part 2
Configuring and troubleshooting SPNego -- Part 3
Configuring SPNego with ABAP datasource
SAP Network Blog: Windows Integrated Authentication with SPNego
SAP Network Blog: kerberos implementation with ADS made easy
SAP Network Blog: Unlashed: Kerberos ticket based single-sign-on with SAP J2EE engine
SAP Network Blog: Windows Integrated Authentication via Kerberos on an LDAP data source
Related Notes
Note 968191 - SPNego: Central Note
Note 994791 - SPNego Wizard
Note 1082560 - SAP AS Java can not start after running SPNego wizard
Note 958107 - Using Diagtool for Troubleshooting Kerberos
Note 957666 - Diagtool for Troubleshooting Security Configuration
Note 1045019 - Web diagtool for collecting traces
Note 934138 - IE browser sends NTLM token instead of Kerberos
Note 1130190 - SPNego fails with "Failed to find any Kerberos Key"
Note 1057474 - NullPointerException in KRB5LoginModule
Note 1079609 - SPNego token cannot be decrypted
Note 956833 - Password logon and Kerberos authentication
Note 982044 - SPNego succeeds but overall logon fails
Note 1073458 - GSS exception during SPNego authentication
Note 986060 - Kerberos service user has userPassword LDAP attribute
Note 935644 - Configuring Kerberos on NW04 against Database User Store
Note 1005209 - Double Logon Screen
Pages on help.sap.com
Using Kerberos Authentication for Single Sign-On
External Pages dealing with SPNego
Kerberos: The Network Authentication Protocol
Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility
JavaDoc Class Krb5LoginModule
JavaDoc for Java 6
Sun SPNego Troubleshooting
Configuration
Refer to SAP Help for configuration: Wizard-based configuration (SAP Help)
Troubleshooting
Refer to SAP Help for troubleshooting: link
Other tips & tricks
- Synchronize the clocks on the LDAP host, the AS Java host, and the client host.