
SIM301

Integrating Microsoft Active Directory With the SAP J2EE Engine

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is
not subject to your license agreement or any other agreement with
SAP. SAP has no obligation to pursue any course of business
outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and
SAP’s strategy and possible future developments are subject to
change and may be changed by SAP at any time for any reason
without notice. This document is provided without a warranty of any
kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular
purpose, or non-infringement. SAP assumes no responsibility for
errors or omissions in this document, except if such damages were
caused by SAP intentionally or grossly negligent.

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 2


Contributing Speakers

Dong Pan
SAP America

Michael Sambeth
SAP AG



Learning Objectives

As a result of this workshop, you will be able to:

• Use ADS (Active Directory Service) as the user persistence store of the J2EE engine
• Achieve Single Sign-On in a multi-domain environment
• Maintain a secure and highly available LDAP connection to ADS
• Understand how the SAP J2EE engine supports Kerberos authentication in different scenarios, including a multi-domain environment


Introduction

J2EE User Persistence With ADS

SPNego Authentication With ADS

Wrap-Up

What End Users Want …


What Administrators Want …

Central User Management

• Single point of administration
• Assign user rights in various applications with one keystroke
• Central user repository


What Are the Prerequisites …

Integrated cross-application user management

• Central storage of user information
• Group assignment
• Basic user data
• Application-specific user data
• Standard access and authentication protocol

Solution: Microsoft Active Directory

• Active Directory (AD) serves as the central repository for user master data
• Access to the directory service is provided by the standardized Lightweight Directory Access Protocol (LDAP)
• Active Directory provides a Kerberos authentication service to facilitate Single Sign-On (SSO)


The Big Picture


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection

Determine Your LDAP Structure – Deep Hierarchy

Main characteristic
Users are entries below the group of which they are a member

Disadvantage
Users can only appear at one point in the directory tree and can therefore only be members of one group and its super groups


Determine Your LDAP Structure – Flat Hierarchy

• The DIT has separate branches for user and group data. There are two possibilities:
  – Each group has an attribute that lists the members of that group
  – Each user has an attribute listing the groups of which the user is a member

• Advantage: A user can be a member of more than one group.

• Disadvantage: New users are not assigned to any groups automatically

Active Directory is a flat-hierarchy directory that maintains both views at once: the group's member attribute is the authoritative forward link, and the user's memberOf attribute is a back-link that the directory computes from it.


Connect J2EE Engine to a Single ADS Domain/Forest


Connect J2EE Engine to Multiple ADS Domains

Configuration Steps
• Define the LDAP connection properties of each domain in the UME data source configuration XML file
• Maintain the service user password of each domain in the UME property ume.ldap.access.additional_password.n (n = 1–5); the XML file then references it as $ume.ldap.access.additional_password.n instead of holding the password itself

Limitations
• At most 5 domains can be connected, for performance reasons
• LDAP groups cannot span multiple domains


Connect J2EE Engine to Global Catalog

Pros
• Single connection to the whole Active Directory forest – no limitation on the number of domains
• Better search performance, especially in a multi-domain environment

Cons
• The Global Catalog is always read-only, i.e.,
  – No creation of users/groups by the J2EE engine
  – No password modification by the J2EE engine
• Only Universal and Global groups are visible

Caveat: the Global Catalog holds only a partial attribute set of every object in the forest, and the member attribute is replicated to it only for Universal groups, so the membership of Global and Domain Local groups from other domains is not complete on the GC. Any custom attribute you map in the data source configuration (for example sapusername) must be added to the partial attribute set, or the GC will not return it.


LDAP Group Visibility

Blocked Groups
The groups Administrators and Guests in the LDAP server are not visible by default:
ume.ldap.blocked_groups=Administrators,Guests

When connecting to the Global Catalog

Pro: LDAP groups can span multiple domains
Con: Only Universal and Global groups are visible

When connecting to a Domain Controller

Pro: All groups are visible
Con: Only members from the same domain can be resolved, so for UME a group effectively contains only users of its own domain


Large LDAP Groups

• Do NOT use the built-in group "Domain Users"
  – Every user in Active Directory is a member of Domain Users through its primaryGroupID attribute, not through its memberOf attribute or the member attribute of the Domain Users group, so an LDAP client that only reads member/memberOf never sees that membership

• Searching users in large LDAP groups
  – ADS default maximum result page size (MaxPageSize) = 1000 entries
  – UME does not support the paged results control, so enumerating a group with more than 1000 members returns a truncated list
  – Role-Group-User assignment still works (membership is checked through the user's memberOf attribute rather than by enumerating the group)

• No significant performance degradation with large LDAP groups
  – Unlike some other LDAP products, users in ADS have the memberOf attribute by default
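The primaryGroupID point above is the one that surprises most LDAP integrations. The following Python is an added example, not code from the SAP deck or the J2EE engine: it reconstructs the primary group (RID 513 = Domain Users) from the user's objectSid and primaryGroupID and merges it with memberOf, which is what a client has to do to see the membership that member/memberOf hide. The SIDs, DNs and user entries are constructed sample data; the helper names are this example's own.

```python
# Added example (not from the SAP deck): reconstructing the "Domain Users" membership that
# member/memberOf do not show. Sample SIDs, DNs and attribute values are constructed;
# attribute names follow the Active Directory schema.


def sid_to_str(sid):
    """Binary objectSid (as AD returns it over LDAP) -> 'S-1-5-21-...' text form."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = [int.from_bytes(sid[8 + 4 * i:12 + 4 * i], "little") for i in range(sub_count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def str_to_sid(text):
    """Inverse of sid_to_str, so the sample below can start from binary like a real LDAP result."""
    parts = text.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(x) for x in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(sub.to_bytes(4, "little") for sub in subs)


def primary_group_sid(user_sid_text, primary_group_id):
    """The primary group's SID is the user's domain SID with primaryGroupID as the RID."""
    domain_sid = user_sid_text.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def effective_groups(user, groups_by_sid):
    """Groups the user is really in: the memberOf back-links plus the primary group
    (RID 513 = Domain Users for any ordinary user), which AD keeps out of member/memberOf."""
    dns = list(user.get("memberOf", []))
    pg_dn = groups_by_sid.get(primary_group_sid(sid_to_str(user["objectSid"]), user["primaryGroupID"]))
    if pg_dn and pg_dn not in dns:
        dns.append(pg_dn)
    return dns


def only_in_primary_group(user, groups_by_sid):
    """True when the user's only group is the primary one: a client that evaluates memberOf
    alone (as UME does) will see this user as a member of no group at all."""
    return not user.get("memberOf") and len(effective_groups(user, groups_by_sid)) == 1


# Constructed sample data
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
GROUPS_BY_SID = {
    DOMAIN_SID + "-513": "CN=Domain Users,CN=Users,DC=mycompany,DC=com",
    DOMAIN_SID + "-1105": "CN=SAP_Portal_Users,OU=Groups,DC=mycompany,DC=com",
}
JOHN = {"sAMAccountName": "johndoe", "objectSid": str_to_sid(DOMAIN_SID + "-1142"), "primaryGroupID": 513,
        "memberOf": ["CN=SAP_Portal_Users,OU=Groups,DC=mycompany,DC=com"]}
NEW_HIRE = {"sAMAccountName": "newhire", "objectSid": str_to_sid(DOMAIN_SID + "-1143"), "primaryGroupID": 513,
            "memberOf": []}
```

The practical consequence for UME: assign portal roles to groups you create (SAP_Portal_Users above), never to Domain Users, because a freshly created user such as NEW_HIRE has an empty memberOf even though every tool in Windows shows the account as a member of Domain Users.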


User ID Resolution

sAMAccountName can be duplicated in a multi-domain environment – what can be used to identify a unique user account?

Any unique LDAP attribute of the user account, if it does not exceed 240 characters:
• User Principal Name, e.g. domainuser@mycompany.com
• Custom-defined unique attribute, e.g. sapusername

Modify the data source configuration XML file to change the user ID resolution method

• Map the j_user attribute of the User object to the User Principal Name (UPN)
<attribute name="j_user">
  <physicalAttribute name="userprincipalname"/>
</attribute>

• Map the uniquename attribute of the Account object to the User Principal Name
<attribute name="uniquename">
  <physicalAttribute name="userprincipalname"/>
</attribute>


Single Sign On with UPN to ABAP Backend

Problem

SSO with an SAP Logon Ticket based on the UPN is not accepted by SAP ABAP backend systems (a UPN such as user@domain.com is not a valid ABAP user ID)

Solution

The SAP Logon Ticket can carry an additional R/3 user ID

• Define an SAP Reference System, and then define User Mapping for the SAP Reference System

• If you have an SAP-centric environment, you can use Central User Administration (CUA)/LDAP tools to maintain the sapusername LDAP attribute:
  – Make sure the UME data source configuration file defines REFERENCE_SYSTEM_USER
  – Set ume.usermapping.refsys.mapping.type = attribute


Single Sign On with UPN to J2EE Backend

Problem

SSO with an SAP Logon Ticket based on the UPN is not accepted by a J2EE backend system whose user store is an SAP ABAP system

Solution

• Define an SAP Reference System
• Maintain User Mapping for the SAP Reference System
• Set login.ticket_portalid = no on the target J2EE backend system


Introduction to Active Directory Application Mode (ADAM)

Application-specific directory service

• Ease of deployment
• Reduced infrastructure costs
• Increased security
• Increased flexibility
• Reliability and scalability


Adapting UME Data Source Config for ADAM

ADAM has no sAMAccountName, so the logon attributes are mapped to uid instead, and new user-account entries are named by cn:

<attribute name="j_user">
  <physicalAttribute name="uid"/>
</attribute>

<attribute name="uniquename">
  <physicalAttribute name="uid"/>
</attribute>

...

<privateSection>
  <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
  <ume.ldap.access.auxiliary_naming_attribute.uacc>cn</ume.ldap.access.auxiliary_naming_attribute.uacc>
</privateSection>


Why Use LDAP Over SSL?

Why use LDAPS?

• ADS requires LDAPS to create users: Active Directory refuses to set the unicodePwd attribute over an unencrypted connection, so user creation (which sets the password) fails over plain LDAP
• To secure LDAP communication, including the service user's bind credentials, between the J2EE engine and the Domain Controllers/Global Catalog

Prerequisite
• The J2EE engine's own Administrator, Guest and service users should not be stored in LDAP, so that you can still log on and repair the configuration if the LDAPS connection fails

Restrictions
• SSL with client certificate authentication is not supported


Obtain Root Certificate of Domain Controller

SSL ports used by ADS

• Domain Controller: 636
• Global Catalog: 3269

Test whether your ADS is SSL-enabled (ldp.exe)

• Import the root certificate into the Trusted Root Certification Authorities store of the local computer
• A test with ldp.exe should display the following:
ld = ldap_sslinit("philadelphia.pennsylvania.com", 636, 1);
...
Host supports SSL, SSL cipher strength = 128 bits
Established connection to domaincontroller1.mycompany.com.

Verify the Common Name of the Server Certificate

• Open https://<FQDN_DC>:636 or https://<FQDN_GC>:3269 with a web browser and inspect the certificate (the page itself will not load, since the port speaks LDAP rather than HTTP, but the TLS handshake completes and the browser shows the certificate)
• Download the root certificate


Steps to Connect J2EE to ADS With LDAPS

• Download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun/IBM
• Download and deploy the full SAP Java Cryptographic Toolkit
• Import the LDAP root certificate into the J2EE engine's TrustedCAs keystore view
• Change the UME configuration to enable LDAP over SSL
  – Make sure the LDAP server name (ume.ldap.access.server_name) exactly matches the Common Name of the server certificate! A short host name or an IP address in server_name fails hostname verification even though the certificate chain is trusted.
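The two things that go wrong at this step are a chain that does not validate against the imported root and a server_name that does not match the certificate. The following Python is an added example, not code from the SAP deck or the J2EE engine: the offline part checks every entry of a ume.ldap.access.server_name list against the names in a certificate (in the dict shape Python's ssl module returns), and fetch_ldaps_cert performs the live handshake with the same chain and hostname checks the engine will apply. Host names and certificate dicts are constructed; the helper names are this example's own.

```python
import socket
import ssl

# Added example (not from the SAP deck). Host names and certificate dicts below are constructed.


def cert_names(cert):
    """DNS names a certificate is valid for, taken from the dict shape ssl's getpeercert()
    returns: subjectAltName DNS entries if present, otherwise the subject commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(cert, server_name):
    """Case-insensitive exact match, or a single-label wildcard such as *.mycompany.com."""
    host = server_name.strip().lower()
    for name in cert_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def check_ume_server_list(server_names, cert_by_host):
    """Check every entry of a comma-separated ume.ldap.access.server_name value against the
    certificate that host presents. Returns {host: True/False}; False means the J2EE engine
    would reject the LDAPS handshake even though the root certificate is trusted."""
    result = {}
    for host in (h.strip() for h in server_names.split(",")):
        result[host] = name_matches(cert_by_host.get(host, {}), host)
    return result


def fetch_ldaps_cert(host, port=636, cafile=None, timeout=5.0):
    """Live check (needs a reachable domain controller; not run here): a TLS handshake with
    chain validation against `cafile` (the downloaded root certificate) and hostname
    verification, the two checks the J2EE engine performs. Returns the server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificates in getpeercert() shape: a DC certificate with SANs, a GC certificate with only a CN
DC_CERT = {
    "subject": ((("commonName", "dc1.mycompany.com"),),),
    "subjectAltName": (("DNS", "dc1.mycompany.com"), ("DNS", "mycompany.com")),
}
GC_CERT_CN_ONLY = {"subject": ((("commonName", "gc1.mycompany.com"),),)}
```

Run fetch_ldaps_cert("dc1.mycompany.com", 636, cafile="root.cer") from the J2EE host before touching the UME configuration; a hostname or chain failure surfaces there as an ssl.SSLCertVerificationError with a readable reason, rather than as a generic LDAP connection error in the engine's log.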


Connecting to ADS With LDAPS


Highly Available LDAP Connection to Single Domain/Forest

• Sample UME configuration:

ume.ldap.access.server_name=p66192,p66193,p66194,p66195,p66196
ume.ldap.access.server_port=389,389,389,389,389
ume.ldap.access.default_switch=30
ume.ldap.access.action_retrial=2

• Special consideration for ADS:

ume.ldap.connection_pool.connect_timeout=5000
ume.ldap.connection_pool.connector_enabled=true

• In high-load scenarios, keep the values of ume.ldap.access.action_retrial and ume.ldap.connection_pool.connect_timeout low: every retry against an unreachable domain controller blocks the calling J2EE application thread for the full timeout, and enough such requests in parallel exhaust the application thread pool.


Highly Available Connection to Multiple Domains/Forests

• Sample snippet of the XML configuration file:

<dataSource id="CORP_LDAP1" ……>
  <ume.ldap.access.server_name>ldapserver1_1,ldapserver1_2</ume.ldap.access.server_name>
  <ume.ldap.access.server_port>389,389</ume.ldap.access.server_port>
  <ume.ldap.connection_pool.connect_timeout>5000</ume.ldap.connection_pool.connect_timeout>
  ...
<dataSource id="CORP_LDAP2" ……>
  <ume.ldap.access.server_name>ldapserver2_1,ldapserver2_2</ume.ldap.access.server_name>
  <ume.ldap.access.server_port>389,389</ume.ldap.access.server_port>
  <ume.ldap.connection_pool.connect_timeout>3000</ume.ldap.connection_pool.connect_timeout>
  <ume.ldap.connection_pool.connector_enabled>true</ume.ldap.connection_pool.connector_enabled>
  …….

• Maintain a higher connect_timeout value for domain controllers that are off-site


SPNego Introduction
DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
Key Configurations
Common Problems

Kerberos Authentication

• Kerberos authentication is based on a shared secret between the client and server

• Fundamental principle of Kerberos authentication:
  – If a secret is known by only two parties, either party can verify the identity of the other by confirming that the other party knows the secret.

• Kerberos authentication is mutual authentication

• The two parties show knowledge of the secret by encrypting/decrypting authenticators with a symmetric cryptographic key

• The Key Distribution Center (KDC) distributes the secret (session key) to clients; the server's copy travels inside the service ticket, encrypted with the server's long-term key, which is why the server never has to contact the KDC while authenticating a client

• Kerberos (Cerberus) is the three-headed dog of Greek mythology that kept the living from entering the underworld




Kerberos Authentication

Key Distribution

Mutual Authentication

• Kerberos relies on synchronized clocks between KDC, client and server! The default maximum clock skew is 5 minutes; an authenticator whose time stamp is outside that window is rejected.


Simple and Protected GSSAPI Negotiation Mechanism (SPNego) – How Does it Work


Java Generic Security Service (JGSS) Authentication Template – Multiple Domains/Forests


Krb5LoginModule Options

Option                                     Description
useKeyTab=true                             The login module gets the principal's key from the keytab. If keyTab is not set, the module locates the keytab via the krb5 config file
keyTab=/usr/sap/.../keytab                 Path to the keytab file
doNotPrompt=true                           Do not prompt for a password if credentials cannot be obtained from the ticket cache or keytab
storeKey=true                              Store the principal's key in the Subject's private credentials
principal=j2e_f38_penn@PENNSYLVANIA.COM    The name of the principal to use when the keytab holds credentials for multiple principals
useTicketCache=true                        Obtain the TGT from the ticket cache
debug=true                                 Output debug messages


Java Virtual Machine (JVM) Parameters

Krb5.conf File


Key Table File – Multiple Domains/Forests

Inspect the keytab file with the klist tool:

%java_home%\bin\klist -e -f -k -K keytab

Key tab: keytab, 2 entries found.

[1] Service principal: j2e_f38_md@MARYLAND.COM
    KVNO: 1
    Key type: 3
    Key: 0x3725dcb5b1a139d

[2] Service principal: j2e_f38_penn@PENNSYLVANIA.COM
    KVNO: 1
    Key type: 3
    Key: 0xa7a268a23d32515d

Key type 3 is des-cbc-md5, i.e. single DES, which is why the USE_DES_KEY_ONLY flag appears in the userAccountControl table in Appendix 1. DES is cryptographically weak and has been disabled by default on domain controllers since Windows Server 2008 R2, so a current deployment should issue AES keys (key types 17/18) for the service account instead. Treat the keytab like a password file: it holds the service account's long-term key, so restrict it to the <sid>adm user and do not print the key bytes (-K) outside a lab.
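klist shows what is in the keytab but not whether the key types are still acceptable. The following Python is an added example, not code from the SAP deck or from Java's klist: it writes a keytab in the MIT format that Krb5LoginModule reads, parses it back, and flags entries with weak encryption types. The principals mirror the slide; the key bytes, time stamp and helper names are constructed.

```python
import struct
import time

# Added example (not from the SAP deck): MIT keytab (version 0x0502) writer/reader with a weak-key check.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES is broken; RC4-HMAC is derived from the NT hash and deprecated
KRB5_NT_PRINCIPAL = 1


def _counted(b):
    """16-bit big-endian length prefix followed by the bytes (the keytab's string encoding)."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries, timestamp=None):
    """entries: iterable of (principal 'name@REALM', kvno, enctype, key bytes)."""
    ts = int(time.time()) if timestamp is None else timestamp
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in components)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit vno, written by current tools when it fits
        out += struct.pack(">i", len(body)) + body
    return out


def read_keytab(data):
    """One dict per entry: principal, kvno, enctype, enctype_name, weak, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({
            "principal": b"/".join(comps).decode() + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
            "weak": enctype in WEAK_ENCTYPES, "key_len": klen,
        })
    return entries


def weak_principals(data):
    """Principals whose keytab entry uses a weak encryption type."""
    return sorted({e["principal"] for e in read_keytab(data) if e["weak"]})


# Constructed sample: the two DES entries shown by klist above, plus one AES entry for the same service
SAMPLE_KEYTAB = write_keytab([
    ("j2e_f38_md@MARYLAND.COM", 1, 3, bytes.fromhex("3725dcb5b1a139d0")),
    ("j2e_f38_penn@PENNSYLVANIA.COM", 1, 3, bytes.fromhex("a7a268a23d32515d")),
    ("j2e_f38_penn@PENNSYLVANIA.COM", 2, 18, bytes(32)),
], timestamp=0)
```

Point read_keytab at the file from the keyTab option of the Krb5LoginModule to audit an existing installation; a keytab that lists only enctypes 1–3 or 23 needs regenerating after the service account's encryption types have been changed to AES, and the KVNO in the new file must match the account's current key version or the AP-REQ will not decrypt.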


User ID Resolution Modes

The yield of Kerberos authentication is the user's Kerberos Principal Name (KPN) – how should UME resolve the KPN to the user account?

• User Resolution Mode "none"
  Applicable if the user's uniquename attribute and the account's j_user attribute are mapped to the User Principal Name; the KPN is then used directly as the UME user name

• User Resolution Mode "simple"
  Applicable if the UPN is identical to the KPN (the default): UME searches for the user whose krb5principalname attribute equals the KPN

• User Resolution Mode "prefixbased"
  Applicable when the KPN prefix (sAMAccountName) identifies the user and the domain part of the KPN is needed to tell duplicates in different domains apart (see next slide)


User ID Resolution – Prefix-Based

Prefix-based resolution process

1. Kerberos authentication yields the Kerberos principal name johndoe@IT.CUSTOMER.DE.

2. SPNegoLoginModule splits the KPN into the parts johndoe and IT.CUSTOMER.DE and searches UME for a user with kpnprefix=johndoe. If the result is unique, we're done.

3. If the result is not unique, it uses the distinguishedName attribute to discard those users who are not in the domain IT.CUSTOMER.DE.

Note that kpnprefix is not necessarily the user ID: the resolved UME user keeps its own logon ID (j_user), which may differ from the sAMAccountName carried in the ticket.


Common Problems

SPNego stops working after changing the DNS alias of the J2EE server/reverse proxy
• Update the Service Principal Name (SPN) of the J2EE server/reverse proxy: register HTTP/<new alias> on the service user (setspn -A HTTP/<new alias> <service user>) and remove the old one. The browser requests a ticket for HTTP/<host name the user typed>, so every name by which users reach the server needs an SPN, and each SPN may be registered on only one account.

If the browser always tries to use NTLM to authenticate to the J2EE engine
• The J2EE server is not in the Trusted Sites or Local Intranet zone
• The browser is using a DNS alias of the J2EE server that does not have a corresponding SPN
• How to tell from a trace: an Authorization header starting with "Negotiate TlRMTVNT" carries an NTLMSSP message, while "Negotiate YII" carries an SPNego/Kerberos token

Some users cannot log on to the J2EE server intermittently
• Make sure the system clocks are synchronized, especially when the J2EE server and end users are in different forests


Summary

• The SAP J2EE engine provides extensive support for MS Active Directory
• By integrating the Kerberos authentication service of Active Directory, the SAP J2EE engine serves as an end-to-end SSO solution
• Always connect to the Global Catalog in a multi-domain ADS for better performance, if possible
• Try to avoid using the User Principal Name as user ID, to simplify Single Sign-On
• Consider using ADAM if you need a flexible LDAP solution
• Always maintain a highly available connection to your ADS
• The SAP J2EE engine supports SPNego authentication with multiple ADS forests


Further Information

→ SAP Public Web

LDAP Directory as UME Data Source
http://help.sap.com/saphelp_nw2004s/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
SPNego Central Note 968191
https://service.sap.com/notes

→ Related Resources
Introduction to Active Directory
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
Active Directory Application Mode
http://www.microsoft.com/windowsserver2003/adam/default.mspx
How the Kerberos Version 5 Authentication Protocol Works
http://technet2.microsoft.com/WindowsServer/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true
HTTP-Based Cross-Platform Authentication via the Negotiate Protocol
http://msdn2.microsoft.com/en-gb/library/ms995329.aspx


SAP NetWeaver, Development Subscription

The SAP NetWeaver, Development Subscription offers a cost-effective total solution for developers to build applications for the SAP NetWeaver platform

Subscription gives you one year access to …
• SAP NetWeaver platform software, patches, and updates
• Development license for SAP NetWeaver to evaluate, develop and test
• Standard software maintenance
• Online sessions from SAP TechEd
• Access to SAP Enterprise Services Workplace for testing
• Premium presence in forums

Purchase the SAP NetWeaver, Development Subscription today at the TechEd Community Clubhouse, or online at
https://www.sdn.sap.com/irj/sdn/subscriptions

Show us you are a subscriber and get a reward!


Q&A

THANK YOU FOR YOUR ATTENTION!

QUESTIONS – SUGGESTIONS – DISCUSSION


Feedback

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Thank You!


Appendix 1: Details in UME Configuration for ADS

• Define the mapping between UME objects and LDAP objects
• Special customization of LDAP user accounts and LDAP groups created by UME
• Attribute-based data partitioning
• Defining LDAP connection parameters for single-domain and multi-domain environments
• Tools for setting up an LDAP over SSL connection


Mapping between UME Objects and LDAP Objects

Flat Hierarchy

UME Object       LDAP Object
User Object      User Object
Account Object   User Object
Group Object     Group Object

Deep Hierarchy

UME Object       LDAP Object
User Object      User Object
Account Object   User Object
Group Object     Organizational Unit


Mapping of UME Attributes to LDAP Attributes – Flat

User and Account Attribute              LDAP Attribute
uniquename                              samaccountname
PRINCIPAL_RELATION_PARENT_ATTRIBUTE     memberof
REFERENCE_SYSTEM_USER                   sapusername
j_user                                  samaccountname
logonalias                              samaccountname
j_password                              unicodepwd

Group Attribute                         LDAP Attribute
uniquename                              cn
PRINCIPAL_RELATION_MEMBER_ATTRIBUTE     member
PRINCIPAL_RELATION_PARENT_ATTRIBUTE     memberof

sapusername is not a standard Active Directory attribute and requires a schema extension (see Attribute-Based Data Partitioning for the alternative); unicodepwd can only be written over LDAPS.


Mapping of UME Attributes to LDAP Attributes – Deep

User and Account Attribute              LDAP Attribute
uniquename                              samaccountname
PRINCIPAL_RELATION_PARENT_ATTRIBUTE     *null*
REFERENCE_SYSTEM_USER                   sapusername
j_user                                  samaccountname
logonalias                              samaccountname
j_password                              unicodepwd

Group Attribute                         LDAP Attribute
uniquename                              ou
PRINCIPAL_RELATION_MEMBER_ATTRIBUTE     *null*
PRINCIPAL_RELATION_PARENT_ATTRIBUTE     *null*


Creating LDAP Users

userAccountControl attribute   Description
2 (0x2)                        ACCOUNTDISABLE
512 (0x200)                    NORMAL_ACCOUNT
65536 (0x10000)                DONT_EXPIRE_PASSWORD
2097152 (0x200000)             USE_DES_KEY_ONLY

By default UME creates a normal user account:

ume.ldap.access.msads.control_attribute=userAccountControl
ume.ldap.access.msads.control_value=512

The value is a bit mask, so flags are combined by addition (e.g. 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD). Avoid USE_DES_KEY_ONLY on current domains: DES Kerberos keys are weak and have been disabled by default since Windows Server 2008 R2.


Creating Users to ADAM

Creating users from the J2EE engine in ADAM

• SSL connection required (as in Active Directory)
• By default, created users are locked (disabled). To create normal users, set the following UME properties:
ume.ldap.access.msads.control_attribute=msds-useraccountdisabled
ume.ldap.access.msads.control_value=FALSE


Creating LDAP Groups (Flat Hierarchy)

groupType attribute        Description
2                          Specifies a group with global scope
4                          Specifies a group with domain local scope
8                          Specifies a group with universal scope
2147483648 (0x80000000)    Specifies a security group. If this flag is not set, the group is a distribution group


Creating LDAP Groups

• To create global security groups, set
ume.ldap.access.msads.grouptype.attribute=none
(Active Directory then applies its default for a new group, a global security group)

• To create domain local security groups, set
ume.ldap.access.msads.grouptype.attribute=grouptype
ume.ldap.access.msads.grouptype.value=2147483652 (0x80000004, i.e. 0x80000000 security + 4 domain local)

• For a deep hierarchy, always set
ume.ldap.access.msads.grouptype.attribute=
(empty, because groups are organizational units there and have no groupType)


Attribute-Based Data Partitioning

I want to store some application-specific attributes for users, but my AD policy does not allow schema extension. What can I do?

UME's answer is attribute-based data partitioning: the user is read from LDAP, while the attributes the directory cannot hold are stored in the UME database. That is what the _db suffix of the data source configuration file dataSourceConfiguration_ads_readonly_db.xml (see Define Connection Parameters) denotes.


Define Connection Parameters

Parameter                                    Value
ume.persistence.data_source_configuration    dataSourceConfiguration_ads_readonly_db.xml
ume.ldap.access.server_name                  <LDAP server name>
ume.ldap.access.server_port                  389 (domain controller) / 3268 (global catalog)
ume.ldap.access.user                         <LDAP communication user>
ume.ldap.access.password                     <LDAP password>
ume.ldap.access.base_path.user               DC=company,DC=com
ume.ldap.access.base_path.grup               DC=company,DC=com

The ports listed are the plain LDAP ports; with LDAPS use 636 / 3269 instead. The property name ume.ldap.access.base_path.grup is spelled that way in UME.


Sample UME Data Source Config File for Multi-Domain

<privateSection>
  ...
  <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
  <ume.ldap.access.server_name>Domain1_Controller</ume.ldap.access.server_name>
  <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
  <ume.ldap.access.user>CN=serviceuser1,CN=Users,DC=Domain1,DC=com</ume.ldap.access.user>
  <ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
  <ume.ldap.access.base_path.user>USERPATH</ume.ldap.access.base_path.user>
  <ume.ldap.access.base_path.grup>GROUPPATH</ume.ldap.access.base_path.grup>
  ...
</privateSection>

The password element does not hold the password: $ume.ldap.access.additional_password.1 refers to the UME property maintained separately (see Setting Communication Users' Passwords for Multi-Domain), so the XML file itself contains no credentials.


Setting Communication Users’ Passwords for Multi-Domain

Verify LDAPS Connection

Verify Common Name of Domain Controller’s Certificate


Appendix 2: SPNego Configuration

• DEMO – SPNego Setup with Single Domain/Forest
• DEMO – SPNego Setup with Multiple Domain/Forest
• SPNego Tokens


DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
SPNego Tokens

Step 1: Create a Service User on Active Directory


Step 2: Add Service Principal Name for the Service User

Use upper-case "HTTP" to match the way Internet Explorer builds SPNs! Register the SPN on the service user, e.g. setspn -A HTTP/<FQDN of the J2EE server> <service user>, and register one for every DNS alias (reverse proxy or load balancer name) through which users reach the server.


Step 3: Configure LDAP Datasource for the J2EE Engine

Attributes the SPNegoLoginModule needs for user resolution, mapped in the data source configuration file:

<attribute name="krb5principalname">
  <physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="kpnprefix">
  <physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="dn">
  <physicalAttribute name="distinguishedname"/>
</attribute>


Step 4: Configure SPNego Authentication With SPNego Wizard

Step 5: Configure Ticket Authentication Stack to Use SPNego Authentication Template


Configuration Behind the Scene: JGSS Authentication Template

Configuration Behind the Scene: JVM Parameters Added

Configuration Behind the Scene: Krb5.conf Created

Step 6: Browser Configuration


Adding Multiple Kerberos Realms

Referring to Multiple JGSS Names in SPNegoLoginModule

Multiple Forests Configured in the Wizard

Behind the Scene: Multiple Krb5LoginModules Placed in JGSS Authentication Template


SPNego Request Token (NegTokenInit)

Section        Description
mechTypes      The security mechanisms supported by the client, most preferred first, e.g. 1.2.840.113554.1.2.2 for Kerberos V5 (Windows clients usually list the Microsoft Kerberos OID 1.2.840.48018.1.2.2 first)
reqFlags       Token flags
mechToken      Initial MechToken (the Kerberos ticket, i.e. the AP-REQ for the first mechanism listed)
mechListMIC    Message integrity value over the mechType list

HTTP Request Header

Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>


SPNego Response Token (NegTokenTarg)

Section         Description
negResult       Negotiation result: accept_completed, accept_incomplete or reject
supportedMech   The single mechanism the server selected (Kerberos)
responseToken   Response MechToken (the AP-REP when mutual authentication was requested)
mechListMIC     Message integrity value

HTTP Response Header

WWW-Authenticate: Negotiate oYIBLj<remainder of base64 encoded string>
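The two headers above are opaque in an HTTP trace unless they are decoded. The following Python is an added example, not code from the SAP deck or the J2EE engine: a minimal DER reader that classifies an Authorization: Negotiate value (a bare NTLMSSP message, which is what the "browser always uses NTLM" case from the Common Problems slide looks like on the wire, or an SPNego NegTokenInit with its mechTypes) and decodes negResult and supportedMech from the WWW-Authenticate reply. The OIDs and token layout follow RFC 4178 and RFC 2743; the sample tokens are constructed, with placeholder bytes in place of a real Kerberos AP-REQ, and the helper names are this example's own.

```python
import base64

# Added example (not from the SAP deck). Layout per RFC 4178/RFC 2743; helpers and samples are constructed.
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
NEG_RESULT = {0: "accept_completed", 1: "accept_incomplete", 2: "reject"}


def _tlv(tag, value):
    """DER-encode one tag/length/value triple (definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos:]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_enc(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def _oid_dec(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mech_oids, mech_token):
    """NegTokenInit as the browser sends it: GSS InitialContextToken (0x60) wrapping SPNEGO [0]."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _oid_enc(o)) for o in mech_oids))
    seq = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, _oid_enc(SPNEGO_OID)) + _tlv(0xA0, seq))


def build_neg_token_targ(neg_result, mech_oid):
    """NegTokenTarg as the server answers in WWW-Authenticate (negResult + supportedMech)."""
    seq = _tlv(0xA0, _tlv(0x0A, bytes([neg_result]))) + _tlv(0xA1, _tlv(0x06, _oid_enc(mech_oid)))
    return _tlv(0xA1, _tlv(0x30, seq))


def parse_authorization(header_value):
    """Classify 'Authorization: Negotiate ...': bare NTLMSSP fallback, or SPNEGO with its mechTypes."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):  # Windows sends a raw NTLMSSP message under 'Negotiate' when it has no ticket
        return {"kind": "NTLMSSP", "mechTypes": ["NTLMSSP"], "kerberos_first": False, "mechToken_len": 0}
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = _read_tlv(body, 0)
    if _oid_dec(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    _, init, _ = _read_tlv(body, pos)   # [0] NegTokenInit
    _, seq, _ = _read_tlv(init, 0)
    out = {"kind": "SPNEGO NegTokenInit", "mechTypes": [], "mechToken_len": 0}
    pos, first_oid = 0, None
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, most preferred first
            _, oids, _ = _read_tlv(val, 0)
            p = 0
            while p < len(oids):
                _, o, p = _read_tlv(oids, p)
                dotted = _oid_dec(o)
                first_oid = first_oid or dotted
                out["mechTypes"].append(MECH_NAMES.get(dotted, dotted))
        elif tag == 0xA2:  # [2] mechToken: the Kerberos AP-REQ for the first mechType
            out["mechToken_len"] = len(_read_tlv(val, 0)[1])
    out["kerberos_first"] = first_oid in KERBEROS_OIDS
    return out


def parse_www_authenticate(header_value):
    """Decode 'WWW-Authenticate: Negotiate ...' into negResult and supportedMech."""
    raw = base64.b64decode(header_value.split(" ", 1)[1])
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0xA1:
        raise ValueError("expected NegTokenTarg [1]")
    _, seq, _ = _read_tlv(body, 0)
    out, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # [0] negResult ENUMERATED
            out["negResult"] = NEG_RESULT.get(_read_tlv(val, 0)[1][0])
        elif tag == 0xA1:  # [1] supportedMech OID
            out["supportedMech"] = MECH_NAMES.get(_oid_dec(_read_tlv(val, 0)[1]))
    return out


# Constructed samples: a Kerberos-capable browser (placeholder bytes instead of an AP-REQ), the NTLM fallback, a server accept
KRB_REQUEST = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"\x6e" + bytes(300))).decode()
NTLM_REQUEST = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
ACCEPT_RESPONSE = "Negotiate " + base64.b64encode(build_neg_token_targ(0, "1.2.840.48018.1.2.2")).decode()
```

The kerberos_first flag is the one to watch when debugging a client that "always uses NTLM": a NegTokenInit whose first mechType is NTLMSSP, or a header that decodes to a bare NTLMSSP message, means the browser never obtained a service ticket, which points at the zone settings or a missing SPN rather than at the J2EE engine's SPNego configuration.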


SAP Certifications Related to SAP TechEd Topics

Topic   Exam Level     Certificate Title                                                                      Solution Basis
ABAP    Professional   SAP Certified Development Professional – ABAP System Interfaces with SAP NetWeaver 7.0  SAP NetWeaver 7.0
ABAP    Associate      SAP Certified Development Consultant – ABAP Dev with NetWeaver 2004                    SAP NetWeaver 2004
ABAP    Associate      SAP Certified Development Associate – ABAP with SAP NetWeaver 7.0                      SAP NetWeaver 7.0
ADM     Professional   SAP Certified Technology Professional – NetWeaver 7.0 Platform                         SAP NetWeaver 7.0
ADM     Professional   SAP Certified Technology Professional – NetWeaver 7.0 Security                         SAP NetWeaver 7.0
ADM     Associate      SAP Certified Technology Associate – SAP Web AS Platform with Oracle                   SAP NetWeaver 2004
ADM     Associate      SAP Certified Technology Consultant – NetWeaver 7.0 SysAd with Oracle                  SAP NetWeaver 7.0
BI      Associate      Solution Consultant SAP NetWeaver ’04s – SAP BI                                        SAP NetWeaver 7.0
E2E     Associate      SAP Certified E2E Application Management Expert – Change Control Mgmt                  SAP NetWeaver 7.0
E2E     Associate      SAP Certified E2E Application Management Expert – Root Cause Analysis                  SAP NetWeaver 7.0
Java    Professional   SAP Certified Development Professional – JAVA with NetWeaver 7.0                       SAP NetWeaver 7.0
Java    Associate      SAP Certified Development Associate – JAVA with NetWeaver 7.0                          SAP NetWeaver 7.0
MDM     Associate      SAP Certified Application Associate – Master Data Management 5.5 (SP04)                SAP NetWeaver 2004
SM      Associate      Solution Consultant SAP Solution Manager 4.0 – Implementation Tools                    SAP NetWeaver 7.0
SOA     Associate      SAP Certified Associate Enterprise Architect                                           Enterprise SOA
XI      Associate      Certification Development Consultant SAP NetWeaver 2004s                               SAP NetWeaver 7.0

For a complete listing of certifications, please go to www.sap.com/services/education/certification


Copyright 2007 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p,
System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This
limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in
these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

