Kerberos technology.

Similar Messages

• Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

  Hi!
  One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.
  Example: p:CN=SAP/[email protected]
  The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).
  Important: All users use group entries in the SAP Logon (saplogin.ini). Means, for SAP logon the SNC name can not be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested by the message server each time a SAP GUI connection is started. The SNC Name is greyed out in this case as dynamically obtained from the applications servers profile parameter snc/identity/as.
  Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.
  Replacing the SNC Library on the AS ABAP
  The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is =  p:CN=SAP/[email protected].
  After restarting the system with initialized Secure Login Library 2.0, still the SNC client encryption works fine for existing users.
  The problem
  We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguised Name Fomat: CN=SAP/[email protected] This is to avoid having to change the snc/identity/as to an "real" X.509 DN which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.
  As soon as we install the PSE via STRUST on the system the SNC Client Encryption solution stops working with error „Server refuses kerberos key exchange“.
  As part of an pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. Encryption) to the ABAP system.
  Seems the SAP System now only tries to do X.509 based authentication thus key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP see this post.  
  Any ideas how to solve this and have both solutions in parallel?
  Appreciate any help.
  Regards,
  Carsten

  Hi all,
  we was able to fix the issue. It was an issue with the customers cluster configuration and the  $SECUDIR variable. This tricky issue leads to non working or sporadic working SNC Client Encryption...
  This was how the configuration looks before:
  Environment variable $SECUDIR is defined:
  "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec“
  sapgenpse seclogin -l -v
  running seclogin with USER="<SID>adm"
  Credentials for username '<SID>adm':
  0 (LPS:OFF):
           (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
  1 (LPS:OFF):
           (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
  After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec“ and re-creating the credentials, it worked like a charm.
  As a result of this we can confirm, this configuration and SNC Client Encryption works with CommonCryptoLib in parallel to the SSO configuration.
  And Valerie was right with 2. SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC Name into an SPN, was my mistake. In addition SNC Client Encryption starting from Version 1 SP1 PL1 does this also.. just to make this clear
  Thread closed hope this helps someone
  Carsten

• Secure Login library

  Hi All,
  I want to implement single sign on using secure login. Secure login provides 3 components: secure login server,secure login library and secure login client.
  In installation guide it says that it is not necessary to install all components.This depends upon the use case scenarios.
  In my case it will be active directory using kerberos technology. So I have to install login library and login client. or any one of them.
  Please let me know.
  Regards,
  Josh

  Hi,
  please do the below steps
  Step1: Install SAP library on your local P.C.
  Step 2: Configure the sapdoc.ini
  Configure file sapdoc.ini with the entry as shown. This file exists on C:\Windows. If it is not found, create it using your favorite text editor.
  HtmlHelpFilePath-EN=<C:\Program Files\SAP\SAP ERP Central Component 5.0 English\HELPDATA\EN> : Path of SAP help where you installed it on your P.C.
  u2014-
  Step3: logon to sap dev system
              u2013> Execute the tcode SR13
              u2013> Click on the tab HtmlHelp file
              u2013 >Click on New entries Enter variant name (ECC5 if u r using SAP ECC5)
              -->Platform =Win32 if you are using xp
              -->Area =IWBHELP
              -->Path = http://help.sap.com Or path of the your server where SAP library is installed.
               Save it. Request Dialog prompts you to create request. Create Request.
              Transport the request to Quality & Production.
  Note: Entries in the file sapdoc.ini overwrites the settings present in SR13, if SAP library is not available on your local
  system, it starts from central location.
  Do you  want more details for this issue please find  below link
  http://www.scribd.com/doc/6213550/How-to-Setup-Sap-Library
  Regards,
  K.Ramamoorthy

• Kerberos problems: "Failed to find KerberosKDC node"

  I'm running 10.7.1 on a Macbook. Something's wrong with my Kerberos installation. My Console is filled with messages like:
  Sep 23 09:56:13 macbook digest-service[658]:krb5_kdc_set_dbinfo: Failed to find KerberosKDC node
  Sep 23 09:56:13 macbook com.apple.launchd[1] (com.apple.Kerberos.digest-service[658]): Exited with code: 1
  Sep 23 09:56:13 macbook com.apple.launchd[1] (com.apple.Kerberos.digest-service): Throttling respawn: Will start in 10 seconds
  I know almost nothing about Kerberos and am having trouble finding clear explanations of its configuration. Any suggestions on how to fix this?

  Hi
  Kerberos is used extensively in Single Sign On (SSO) environments. This would typically be medium-to-large Coporate or Educational institutions running instances of Windows Active Directory and possibly Apple's Open Directory or even a mixture of the two. There are other manufacturers that offer their own bespoke offering such as Novell but I'm seeing less and less of this now-a-days. Regardless, all of these technologies have one thing in common; they are based on Open Source OpenLDAP:
  http://www.openldap.org/
  http://www.openldap.org/project/
  At its simplest LDAP (Lightweight Directory Access Protocol) is a database (or series of databases) that can 'contain' information about all sorts of things which can be easily distributed or shared.
  If you're not in any of these types of environments and your laptop has not been bound and/or joined to a networked domain and essentially you're in a single user, residential home environment I would ignore it.
  FWIW I see this 'error' also even in 10.6 and like a lot of things that are logged by the OS it does not necessarily mean there's anything wrong. For some things Console can be overly verbose and may 'frighten' the unwary into thinking there's something wrong when actually there isn't.
  Having said all that and apart from what is being logged, are you actually having any problems?
  HTH?
  Tony

• Kerberos and Alternative UPN's

  I have a single on premesis W2K8 domain forest which exists within a Disjointed Namespace. I have added an alternative UPN to the domain to accomodate Office 365 federation. My understanding is that although users can logon to my domain with the alternative
  UPN of [email protected] access to services will fall back on NTLM because the Kerberos service tickets will be issued for
  [email protected] Is it possible and how do I resolve this situation? I need users to logon to our domain with thier alterantive UPN's and have Kerberos issue tickets to services with thier alternative.
  Domain Namespace: mydomain.ac.uk
  AD Domain: mail.mydomain.ac.uk
  Alternative UPN: live.mydomain.ac.uk

  Hi,
  The UPN suffix is used for resolving to a corresponding zone in DNS, which means, it’s used to find the Domain Controller which can process the logon request, that’s why I gave the example about Office 365 in my last reply.
  If you have specified an alternative UPN when you created the user account, then a DNS server (zone) should be set up to resolve the suffix which is different than the default one, no matter the domain is in an on-premises network
  or a branch office with less secure network. Otherwise, the user can’t use the alternative UPN to log on, I have tested this, and the user can’t log on using alternative UPN without the extra DNS server (zone). You can try to test this in your environment,
  too.
  As I mentioned before, when it comes to Kerberos authentication, it doesn’t issue tickets based-on UPN, the Kerberos authentication mechanism issues ticket to the user account. Because these parameters, UPN/suffix/NetBIOS Name,
  are used to determine the Domain Controller which is used to process logon requests, once determined, tickets are associated with user account, could be bind to SID or GUID or both.
  More information for you:
  Technologies for Federating Multiple Forests
  http://technet.microsoft.com/en-us/library/dd560679(v=WS.10).aspx
  How the Kerberos Version 5 Authentication Protocol Works
  http://technet.microsoft.com/en-us/library/cc772815(v=WS.10).aspx
  Best Regards,
  Amy

• How can I get permission to use Apple's Airplay Technology for new and innovative Speaker System?

  Hi there!
  I want to integrate Airplay technology in a new and innovative Speaker System.
  I've searched the internet, but couldn't find anything.
  Does anybody know how to get the permission to use it?

  Apple
  1 Infinite Loop
  Cupertino, CA 95014
  408.996.1010
  ...ask to speak to someone about licen$ing.

• My G-Technology External Drive is no longer recognised by my MacBook Pro. How do i repair this?

  Following months of straightforward backing-up (using Time Machine) my 1TB G-Technology External Drive no longer appears on my screen when powered up and connected to my machine. I have read that this can happen after updates are downloaded onto the MacBook Pro (or indeed any other Mac product) but with update downloads being inevitable this cannot be avoided. Apple tentatively admit this is a problem but offer no solution that I can find! Even more annoyingly the drive itself is designed for use with Mac products and was the simplest plug'n play device I have ever used. Ideas please?
  AB@isis

  Contact the manufacturer for their trouble shooting support. In any case when updating the OS unmount and unplug external hardrives.

• Adobe Rich Web Experts Speaking at India's Biggest Independent Technology Event

  Great Indian Developer Summit is India's Biggest Polyglot Conference for IT Professionals
  Bangalore, March 25, 2010: At the 2010 edition of Great Indian Developer Summit learn how browser and rich web technologies such as AJAX, DHTML, Mashups, Web 2.0, Enterprise 2.0 technologies, and Rich UI technologies are making money and gaining market-share for some of the leading businesses in the world. On 21st and 23rd April 1010, Rich Web experts from Adobe will speak about the changing face of web applications, enriching cloud applications with Adobe Flash, agile interaction design, developing multi-screen applications on Flash, building enterprise RIAs with Flex and Java, building data centric applications and killer RIAs with PHP and Flex. The summit will be held at the Indian Institute of Science in Bangalore.
  Ramesh Srinivasaraghavan, who leads the Adobe Flash Platform Evangelism initiatives of Adobe India, will keynote on the state of art in web application development and identify trends that could transform the way we create and use web applications. He will also conduct a separate session exploring the role that RIA technologies play in the new paradigm of developing applications for the cloud.
  The ubiquity of Adobe's Flash Player and AIR spans the spectrum of Web, Desktop, Mobile and devices such as set top boxes. Flash Engineer Hemanth Sharma will lead attendees through the development workflow for building multi-screen applications. In a separate session, Sujit Reddy explains model-driven and code-driven development approaches to build data-centric applications with Adobe Flex and Java. Also discover how you can migrate your existing J2EE applications to Adobe Flex based RIA's easily. Computer Scientist Harish Sivaramakrishnan, popularly known as flexgeek, will lead attendees on a whirlwind tour of Adobe Flash Catalyst - a sparkling new tool which he says is the best thing that happened to the designer-developer collaboration after sliced bread.
  On 23rd April while Prashant Singh conducts a 180-minute workshop on Data Centric Development features of Flash Builder and how to use them to create a Rich Internet Application powered by Java, Shyamaprasad will teach how to build PHP powered rich Internet applications using Flex. Starting off by setting up the Zend framework he will demonstrate how to build a complete Flex application that connects to a PHP server, using version 4 of Flash Builder.
  On 21st and 23rd April 2010, at GIDS.WEB Conference & Workshops learn how browser and rich web technologies such as AJAX, DHTML, mashups, Web 2.0, Enterprise 2.0 technologies, and Rich UI technologies are making money and gaining market-share for some of the leading businesses in the world.
  About Great Indian Developer Summit
  Great Indian Developer Summit is the gold standard for India's software developer ecosystem for gaining exposure to and evaluating new projects, tools, services, platforms, languages, software and standards. Packed with premium knowledge, action plans and advise from been-there-done-it veterans, creators, and visionaries, the 2010 edition of Great Indian Developer Summit features focused sessions, case studies, workshops and power panels that will transform you into a force to reckon with. Featuring 3 co-located conferences: GIDS.NET, GIDS.Web, GIDS.Java and an exclusive day of in-depth tutorials - GIDS.Workshops, from 20 April to 24 April at the IISc campus in Bangalore.
  At GIDS you'll participate in hundreds of sessions encompassing the full range of Microsoft computing, Java, Agile, RIA, Rich Web, open source/standards, languages, frameworks and platforms, practical tutorials that deep dive into technical skill and best practices, inspirational keynote presentations, an Expo Hall featuring dozens of the latest projects and products activities, engaging networking events, and the interact with the best and brightest of speakers from around the world.
  For further information on GIDS 2010, please visit the summit on the web http://www.developersummit.com/
  A Saltmarch Media Press Release
  E: [email protected]
  Ph: +91 80 4005 1000

  Im not sure if this is the right place to post this, but anyway thanks for the info :)

• Confused about wheather to use session or some other technology

  i have two jsp pages one is index.jsp and other one is display.jsp,from index.jsp i am passing a string value and collecting it in display.jsp ,after collecting it i am making use of that value in a sql query to display the result from the data base,and i am getting one line (row) of display ,when i repeat the process again that row is over written which i do not want , what i want is as long as i keep sending strings from index.jsp tp disply.jsp the number of rows should be added (as a display in display.jsp)
  and i wanted to do that in jsp environment only as i am not aware of struts and some other technology.some sample code of display.jsp is as follows
  String INDENT_NUMBER = request.getParameter("indent_number");
  query1="select some data from some tables where a.INDENT_NUMBER = '"+INDENT_NUMBER+"'";
  while(rs.next){
  get some values here to display
  like
  String item_name =rs1.getString("item_name");
  String INDENT_QUANTITY=rs1.getString("INDENT_QUANTITY");
  here i want to display row wise data
  and now close the while loop
  please get me the idea if possible with sample code,i'll be greatfull to u,
  thanx

  I would add the String you get from the DB to an ArrayList, and store that ArrayList in the session. Then, at time of display, just iterate over the List. I would also look into putting the SQL into a JavaBean that does the work. Take as much of that code out of the JSP as possible.

• SSO using Kerberos with SAP Logon Tickets

  Hi,
  I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
  I have a three tiered architecture. 
  A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
  B.  ASP.NET web service data layer.
  C.  Backend document management system which runs on IIS. 
  I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
  My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
  Thanks,
  Scott

  Hi Scott
  Did you managed to find out anything regarding how to pass SAP Logon ticket to ASP.NET Webservice. Can you share it with me?
  regards
  ram

• Error Kerberos

  Post Author: hqcire
  CA Forum: Authentication
  I'm running Windows server 2003 + IIS 6.0 + windows AD + SSO and I try to used the Kerberos Token. But I Have this error I did those SETSPN: SETSPN -A BOBJCentralMS/aaaa.dev.bbbb.qc.ca dev\user123 SETSPN -A BOBJCentralMS/ aaaa dev\user123 SETSPN -A HTTP/aaaa.dev.bbbb.qc.ca dev\user123 ERROR 1 A Kerberos Error Message was received: on logon session Client Time: Server Time: 15:23:8.0000 2/26/2008 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc00000bb KLIN(0) Client Realm: Client Name: Server Realm: DEV.bbbb.QC.CA Server Name: host/aaaa.dev.bbbb.qc.ca Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA Error Text: File: 9 Line: ae0 Error Data is in record data. ERROR 2 A Kerberos Error Message was received: on logon session Client Time: Server Time: 15:22:32.0000 2/26/2008 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm: Client Name: Server Realm: DEV.bbbb.QC.CA Server Name: cccc.dev.bbbb.qc.ca Target Name:cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA Error Text: File: 9 Line: ae0 Error Data is in record data. ERROR 3 A Kerberos Error Message was received: on logon session Client Time: Server Time: 15:22:30.0000 2/26/2008 Z Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG Extended Error: Client Realm: Client Name: Server Realm: DEV.bbbb.QC.CA Server Name: host/aaaa.dev.bbbb.qc.ca Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA Error Text: File: 9 Line: ae0 Error Data is in record data. What is my problem ?

  Post Author: hqcire
  CA Forum: Authentication
  I used WFETCH to have more information.  There's whta I have
  started....WWWConnect::Connect("placebo","443")\nsource port: 3055\r\nISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\nSEC_I_CONTINUE_NEEDED\nREQUEST: **************\nGET D:\SystProd\BOE\BusinessObjects Enterprise 11.5\Web Content HTTP/1.1\r\nHost: placebo\r\nAccept: /\r\nConnection: Keep-Alive\r\nAuthorization: Kerberos YIIMAQYJKoZIhvcSAQICAQBuggvwMIIL7KADAgEFoQMCAQ6iBwMFACAAAACjggsUYYILEDCCCwygAwIBBaERGw9ERVYuSFlEUk8uUUMuQ0GiGjAYoAMCAQKhETAPGwRIVFRQGwdwbGFjZWJvo4IK1DCCCtCgAwIBF6EDAgECooIKwgSCCr4k5OSUJ9fiV7KWJvAfjdWHY8Sl6cRMt7KXeR7D2LmgAZXHnWAZBdd2TXjVYCCQ2OIOPZKOnJmuvIy9pzXc/mzgUJuB9O999aQjNPBUEf6bss8cE8FPOceFXH1oYLhUFXidns7ykFTGB/iC2sxzeYBUZL0xXALbd5zprZQxg3WRaOcCJe0v8BsrKglV56cnKdSDWHcBuvbfxKYS2nUnnVYApoMjzqZKilHMXtfcDCsdn66e99U483TYxbqMJcQqiJEuntGdc/w/eGqKVsPC9iTZAJmPCBE88zxmTdcQtt9ZsHkxOmuHrJILH2vf1j/xP9pzFIZOf7Y5sRNYKwn74Ee7fHbY5CwVnPpM3wCnBsyYGWZ3e90BtF7Z2xklT/Gmvw7yHCKrIwAZvnc6yVMsrMhqsqJUHimFRlzddUzoH/L5HPDX5TDUoeuBeO4X6zLteIMIOGcQ1C47W59R3qscwZDWWJL4T/R7TjpY3PLsQcaHv/fUuo6lv8gRzYaS9tljJQMr6BwFgw4xS2TyyZZBaKqdbYuH/Y1wksu1XDIwTYpkgLex7xsZC5CCP1FJP7TKQA3V1fpZbdAgOZRCdFCTzl0UbYt2qrIKB4a7bKVsfmJefDHVHoLf7LBQC8/fKA696Qxdph6/PRYh4KwhwEMWM3nGkNnB2MpLqhVXxhDio0bhiZtEmFUVjylZepikLEP9AfC2j4IoiVPu2BujhW79/SR9Gl2HQrSlpXnHzhtCT7hSoKH8Zm99jnofpiBJk6tD4LsbRuDeWYf4X3Mw5qns7/SD6umCHMs2eNtgt/H2d6cJxBEc81nbdoU3fIErlC2jSsjo7Tv4xeiLNbi7nH7woXvzFYIGlRrVILRRbteoA5269Ju8rB1UKestiPsvxo9sz265eEKgotDVNUIBn7f6TXd4Bjr1lOhzq2zY9v7kK21y95cxHHqKaNBGVnbz7Y9EYaxyGQrEG7oXf8/herH/IRTfmabKSU8JBHOt7RBwgCh46Qmt6DisyIr0dkLH2m1xlS6dbtELLjRj0EXxAUMxt7ufFcmE3hEK9JRmGhuwi5SFKCcUKNlJbgWwf6Od/oySbXoaBamoh0w1t/98XGFUR8JCn5V7x5oAxG9oCABmCKdq6cy7XR9F8PKcqbtbZC2EM7Bcyvpk4HJSZKTL7YCbtzwWTDbEZmm1wQvroCu7JXU1qhpWLvJPzfm9Hi2xU5UYgIMfdcqK8uNOys2QPkCdFqcHrLUDQH/dQ9PksFnk2oJORbjR0L94FJgtTowurn3xt13j9wq5solwcSJnTWTiX4g7Xx2ciBTcE1fJfIN/LaPGFq1hQfM7f0pIgwQH/Up0BGHPiOfTBe9VGWswoQaygXxb4aD3aLPahP4BrkfcnIRv61Y7xS6yWgGvkizY5oVwgpi6l8kRkui7L8s3PLJfDZ28CBO3eoxeCbtMcjijKI1mQ0me5VFoEfpUVdkaOFBlX2Lb1qgR7BA/eIXCcToTmXCk7lPHkt8wIUzzl4g8950lLn0o0WPpMm1V+5/ab11ySSlF5n6s3kNvrLOSRcrCJ4sXWPAYbI7pqHgDah7iJtZsSaMFglSpKAV734pWSx7fybUuxxvL48ELGSGogaeCutKpOoabvA3nz1J471cRwrBVQXnFMt2b3Z1rCnDYC6B2L30gu3IASvpWZZAnn4Jzq64CD/RhtgUxYQW5cJX0B01xlLZRZ9ANruTmO8B/Ui/ZWLJYb3A8sSzKtA7Q0QNCXPk2sXvC6RWiEJUsKz/rYWdgNGkqhNKVFyLaxvFNYPDI2P4bf5fbOwuYbIyYrXfO8pZU8GqlOTXzVANOxPpaVyD22Q5o2wcVeShg0f0YILFaSD5CF31KGo5KTR5AyP8WRMH9Kvjs7hq8RG7DkLHdGannsLXll5DIuaPARVvoVF06PjktDHOaQnjYDnnnOw6V0QKq8oItDEemeWw7gQwgFIzGtRvzK6yX6zrNqTGOOhc2P/GZtN03Afe7DxNmIC2FNMT0aaVBnvoysQyqGEnUyp4PrhhDhkLDHLDiSJgWf/u82IzdMcBkJisBdswu0jVTyWnowX2b8GI8F1aCzD0cxcahhYNgxA58ouFzmmoeRhf0vFMqpv2GQlE2eKIMmCQ50jDHHfABw5KUiIr68NV1mqzUxan9QwKHvFrPVnIxsS4K0c95KMX1/NaYNpoBC2iVsRljj0LiQZs0rRYe/aM7IFY71Zqw8vuIxuE64QOMsBNGs8pDQBNhPzy2sKG01JjU5nSsh4Rv6kX4HGh2aV6Nb6bsJ59EOQa7IkVsZkJ9TPgglRiSdHq0G4PHB/asfEHZkVZB2aJzPMiUYVYpu6s/zX37S08U9fYl6ygHKiR1gQU0gWlDA/A4I4r5S8t1jaTlrmDqAe64bd56P/Fhr7zpYz/1FZ98TOTHh7DHWnm5tzj6JyPrUcY7OtJrQVGObWCM0/g1pv13ektbgw7b/evAcahKnTRiJnjvwFj16G0057c88EV7T5ivVGhD9viKqR7hKJuxvmCVbhSvY7jRbVTNrR52FUIEFkk0FVkU6VkfdpCZTsDrmeQ/Rhad79jtKeudzO6vLKY8vdC7YE51o/Pid2Ebi6UbuznKONKGVBxEa2KArVc/UDbbT9YSPN9kfPlzgxSB/lc2zDr6bWaRiuL6xfxP36ofoWhyeybtFGjwjormCUEmkf1uxoMRKRzJEtFlGrN/B8DMxmZSobeOsObyjTDZ6XSMOjGUNnJwojiQ5ptzLf1iEQ1aYs4BJPnvjHYsBwZFr6wkN1wIDFNgm1IRX4lXTvrJwjumKCLRLN97DJGqR3m7R8WophOotAUfT0ccWY0DOcUJgArVDQvwrMr1UdPk2Wp5WPS8utwRahSFt4xCWhbd25ST5I81zRpQt8RGjaCwvW3c4YoaSJ3Zd20ZQJ3kmGbV1T9jpozMpEned7TthohNde0GTS7QwCb6oPCJLmlc00sB3SIDk6pdhQJf9u15ydrQFxeAWvKWjpRRQ2f8W/h281twvOkNJLbEBs66ZJPQlDcZdpSswin4h6nGiuBGf9X/i2GoxZ2yaDVPfdazPtin6O3MPtIxPilKHIBwsQXLPV4Tjs0YeFKGJkAezCOMA8mo9iGwEOmTC73heKApyyRKpE2CKNWTWwXXMsyObpGOkmQI3hFt4uj6TOjFOFIqliRMBm9OSnPaWenbJD3MJ23jmszEDmPhJgayK2JGwuYzp9RLwALP1UhDEGbVtpR1NquSapaXxuAJcoJ7c9OZ63Jz2mWXJWqcOu6gb4qHNfi4tS/4oLEKcPAfOpxTnhCvXOPks1DM2TclPxkZd9J9fHMxdfsXozcVrA98169EILHoa4yeoJ/iPhD9qyNnTI95eDjaVcngdSrNmw6VX5IUbGV8Jg3mf8XMzOPa/Iyp5OYTMktL7SL3UNIOPafPte3wMfsxNE/ZOuw2KeDAQtNlm2qy0/UmFNurlbAKtINZDcq6rVEBO79DDq53WNBXNm/RYIAuze1mt6UGusSed0HjdckLhIEX12dklM8fpspULrItbmjjBqDzeCq0EJHtqepgbV5I8417DKPoUjtSqmmsAoVEAN9HfX6i4cxZgtubL1QtByI6SBvjCBu6ADAgEXooGzBIGw6nOV/0EFjDnf1MK8uSeNUehzQRkQNR/DSLJIm2G49hJeW7q5V3RVIZf243qJwgonLr0v1cPh/BJE3bij6WlECbnA8LhCsY9poQQd8/JIJpxU/MFlMUAFllBZFrn0CUdzhxDcSbDoTOFQDKCxCc0GwNk7VGVNkKVBaKgWciqVPfdCmVVCwazCczfjodTlhyqRXpv1ufuF1ZGIw7e2676wYfyWjWiDwwqTDMlEMhVL8=\r\n\r\nRESPONSE: **************\nHTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nDate: Thu, 28 Feb 2008 14:45:39 GMT\r\nConnection: close\r\nContent-Length: 20\r\n\r\n<h1>Bad Request</h1>WWWConnect::Close("placebo","443")\nclosed source port: 3055\r\nfinished.

• Configuring Windows XP to use IIS w/ Kerberos

  I need to build a Windows XP SSO solution using IIS 5.1 with Integrated Windows Authentication using Kerberos protocol. IIS will then pass the request over to another application which will need to use a Kerberos JAAS module to authenticate the respective users to the application.
  Does anyone have any instructions or tips on accomplishing these set of tasks? I have very limited experience with Kerberos. Any help would be much appreciated.
  Note: I've gotten this to work using NTLM, so I would like to know the level of difficulty in making the switch over to Kerberos.
  Thanks a lot in advance!
  Message was edited by:
  YvesG

  Because in SAP Help on topics <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm">Single Sign-On with Microsoft Kerberos SSP</a> and
  <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm">Configuring the Application Server</a>, tell to copyt the gsskrb5.dll file(see SAP Note 595341), to the following directory on the central instance: Drive:\%windir%\system32.
  This text let me think that central instance is installed on a Windows Server, but on SAP Help docs I didn't found the specific information that the central instance must be installed on a Windows Server.

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Kerberos Single Sign On and Query Designer for BI forcing user to log in

  Hello experts,
  Our company just implemented SSO using Kerberos for Portal and BI.  However when a user trying to open a query using the Query Designer to connect to the portal, they have to log in again.  Anyone know why?

  Is this for every user or only to certain user?
  also check the browser authentication.  --> Tools --> Internet Options --> Advanced --> Under Security --> Enable Integrated windows authentication.
  /padmanaban

• BO XI Release 2 - NLTM versus Kerberos Authentication

  Hello,
  I have some problem with Authentication. At first time I set up only in CMS Kerberos Authentication, but now I would like to change it to NLTM, but if I clear the Use Kerberos authentication and I mark off Use NTLM authentication and I set up update, it doesn´t work.
  Authentication Options
  Use NTLM authentication 
  Use Kerberos authentication
           Cache security context (required for SSO to database) 
         Service principal name:  
  Thank you very much for your answer,
  unhappy:( Marika

  You can set up kerberos for both, it's required for java. .net will support both kerberos and NTLM although unless you are trying to delegate credentials all the way to your DB, then it usually isn't desired in .net because the configuration is far more complex
  You can simple look at your logon url to figure out if you are hitting IIS (urls end in aspx and no port #) or tomcat(urls end in .do and port 8080).
  Regards,
  Tim