
SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

TABLE OF CONTENTS
SCENARIO  2
IMPLEMENTATION STEPS  2
PREREQUISITES  3
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE  4
2. SECURE LOGIN SERVER INITIALIZATION  6
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER  9
3.1. CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY  9
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER  12
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER  14
3.4 SECURE LOGIN CLIENT CONFIGURATION  19
SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

SCENARIO
Your company is using Secure Login Server for issuing short-lived X.509 client certificates for authentication to
the SAP and non-SAP business systems across your landscape. Your company is also using Microsoft Active
Directory and now you want to re-use the Kerberos tokens issued by the MS Domain Controller (KDC) for
Single Sign-On with Secure Login Server X.509 client certificates.

After implementing this scenario, your domain users will have to authenticate only once, using their Microsoft
Active Directory credentials, and they will be authenticated automatically to any SAP and non-SAP system that
requires short-lived X.509 client certificates and where these users have been granted authorizations.

IMPLEMENTATION STEPS

PREREQUISITES
1. You have your SAP Application Server Java installed and configured with SSL running.
For details on how to install SAP Application Server Java, see:
INSTALLATION & IMPLEMENTATION SAP NETWEAVER 7.5
For details on how to configure SSL, see:
CONFIGURING THE USE OF SSL ON THE AS JAVA
2. Secure Login Server (SLS) is installed. For details on how to install Secure Login Server, see:
SECURE LOGIN SERVER INSTALLATION

Note: Always refer to the PRODUCT AVAILABILITY MATRIX FOR SAP SSO 3.0 for more information about currently
supported components and platforms.

3. Secure Login Client (SLC) is installed on the user machine. For details on how to install Secure Login Client,
see:
SECURE LOGIN CLIENT INSTALLATION

1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE


1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
2. Navigate to Configuration > Identity Management and click “Create User”.
3. Provide a Logon ID (for example “SLAC_ADMIN”), password and Last Name for the user.

4. Navigate to the tab “Assigned Roles” and search in the “Available Roles” (on the left side) for the role “SLAC_SUPERADMIN”.
5. Select the role and click “Add” to assign this role to the SLAC_ADMIN user.
6. Click “Save” to save the “SLAC_ADMIN” user.
7. As a result you will have a new administrative user with access to the Secure Login Administration Console (SLAC).

2. SECURE LOGIN SERVER INITIALIZATION


8. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the new administrative account “SLAC_ADMIN”.
Note: The system will require a reset of the initial password if this is the first time you are logging in with this user.
9. Start the “Initialization” with the option “Manual”.
Note: If the default option for your Secure Login Server installation is “Automatic”, you will get a confirmation message. Click “Yes” to confirm that you want to proceed with this change.
10. On the “Root CA” step provide the Country Name (in our example “DE”) and the Organizational Name (in our example “ABC”).
11. Click “Next”.

12. On the step “User CA” click “Next”.
13. On the step “SAP CA” click “Next”.
14. On the step “SSL CA” click “Next”.

15. On the step “User Certificate Configuration” provide the “Country Name” (in our example “DE”).
16. Click “Finish”.
17. After finishing the configuration the initialization will start, and when it is completed you will receive the message “Secure Login Server has been initialized”.
18. Click the “Go” button.

3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER
3.1. CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY


Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory
19. Open the tool “Active Directory Users and Computers” on the Active Directory Server (ADS) and go to the “Users” branch.
20. Right-click and choose “New” > “User”.

21. Provide for the new user a “First Name” (example “Kerberos”), “Last Name” (example “A01”) and “User logon name” (example “KerberosA01”, where A01 is your Application Server SID).
22. Click “Next”.
23. Provide a password for the new user.
24. Select “User cannot change password” and “Password never expires”.
25. Click “Next”.
26. To complete the creation of the new user click “Finish”.

Step 2: Set up the servicePrincipalName for the New Service User
27. Find your new user (example “Kerberos A01”) in the list of users and double-click to open the user properties.
28. Go to the tab “Attribute Editor”.
Note: If you don’t see the “Attribute Editor” tab, you may alternatively start adsiedit.msc from the Microsoft Windows start menu.
29. Search for the attribute named “servicePrincipalName”, select it and click “Edit”.
30. Add as a new value “HTTP/<fully qualified name of the Application Server Java>” (example HTTP/mo-1339aa6dc.mo.sap.corp). Click “Add” and the value will appear in the “Values” list.
31. Click “OK” to save the new setting.
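A check script for the service account configured in steps 21 to 31, added here as an example and not part of the SAP guide. It assumes the ActiveDirectory PowerShell module on a domain-joined administrator workstation and uses the guide's sample names (KerberosA01, mo-1339aa6dc.mo.sap.corp) as parameters.

```powershell
# Added example (not from the SAP guide): verify the SPNEGO service account
# before building the keytab in section 3.2. Assumes the ActiveDirectory module.
param(
    [string]$ServiceUser = 'KerberosA01',                # "User logon name" from step 21
    [string]$ServerFqdn  = 'mo-1339aa6dc.mo.sap.corp'   # AS Java host from step 30
)
Import-Module ActiveDirectory

$expectedSpn = "HTTP/$ServerFqdn"
$problems    = @()

$user = Get-ADUser -Identity $ServiceUser `
        -Properties servicePrincipalName, PasswordNeverExpires, CannotChangePassword, Enabled

# 1. The SPN the browser/SLC asks a ticket for (HTTP/<fqdn>) must be on this account.
if ($user.servicePrincipalName -notcontains $expectedSpn) {
    $problems += "SPN $expectedSpn is not registered on $ServiceUser"
}

# 2. An SPN must map to exactly one object. A duplicate makes the KDC encrypt the
#    service ticket with the wrong key and the AS Java cannot decrypt the token.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$expectedSpn)" -Properties sAMAccountName)
if ($holders.Count -gt 1) {
    $names = ($holders | ForEach-Object { $_.sAMAccountName }) -join ', '
    $problems += "SPN $expectedSpn is registered on several objects: $names"
}

# 3. The keytab key is derived from this password (step 36); a changed or expired
#    password silently invalidates the keytab, which is why steps 23-24 exist.
if (-not $user.PasswordNeverExpires) { $problems += "'Password never expires' is not set" }
if (-not $user.CannotChangePassword) { $problems += "'User cannot change password' is not set" }
if (-not $user.Enabled)              { $problems += "account $ServiceUser is disabled" }

if ($problems.Count -eq 0) {
    "OK: $ServiceUser holds $expectedSpn uniquely and has a stable password"
} else {
    $problems | ForEach-Object { "CHECK: $_" }
    exit 1
}
```

Re-run the script whenever the AS Java host name changes, since the SPN in step 30 and the host in the Enrollment URL (step 45) must stay identical.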

3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER

32. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
33. Navigate to “Configuration” > “Authentication and Single Sign-On” > tab “SPNEGO”.
34. Click “Add” and select “Manually” to add a new KeyTab. Enter the realm name of your Microsoft Active Directory domain (example CI1.SAPSSO.DEV).
35. Click “Next”.
36. Provide the “Principal Name” and the password of the service user created previously in the Microsoft Active Directory domain (in our example “KerberosA01”).

37. Click “Next”.
38. Choose from the “Mapping Mode” drop-down list the value “Principal@REALM” and select “virtual user” as the “Source” value.
39. Click “Finish”.
40. Click “Enable” for your new Service User KeyTab.
41. Your Service User KeyTab is now activated.

3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER

Step 1: Check the Host Name of the Client Authentication Profile
42. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).
43. Navigate to “Authentication Profiles”.
44. Select the Authentication Profile “Windows Authentication (SPNEGO)”.
45. Go to the tab “Secure Login Client Settings” and make sure that the host name of the “Enrollment URL” is the fully qualified name (example mo-1339aa6dc.mo.sap.corp) and that the “Port” is correct (in our example 443).

Step 2: Generate SSL Server Certificate
46. Navigate to the “Certificate Management” tab and make sure that the status of your “Root CA” is green.
47. Expand “Root CA” and select “SSL Sub CA”.
48. Click the “Issue Entry” button.
49. Provide as the “Entry Name” the fully qualified name of the Application Server Java (for example mo-1339aa6dc.mo.sap.corp).
50. Set this fully qualified name of the Application Server Java also as “DNS Name” (for example mo-1339aa6dc.mo.sap.corp) in the “Subject Alternative Names”.
51. Click “Next”.
52. On the “Subject Properties” step provide the “Country Name” (for example “DE”) and the “Common Name”, which is the fully qualified name of the Application Server Java (for example mo-1339aa6dc.mo.sap.corp).
53. Click “Next”.

54. Click “Finish” to complete the certificate generation.
55. Your certificate will appear under the “SSL Sub CA” and it will be of type “SSL SERVER”.

Step 3: Import the Secure Login Server Certificate into the SSL Configuration
56. Log on again to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
57. Navigate to Configuration > SSL Configuration. Click “Edit”.
58. Go to the “Details of port xxxx”.
59. Click “Copy Entry”.
60. Select from the “Form View” drop-down list the value “SecureLoginServer”.
61. Select from the “From Entry” drop-down list the respective certificate created in the SLAC under “SSL Sub CA” (in our example mo-1339aa6dc.mo.sap.corp).
62. Make sure that the “To Entry” is the one from the selected SAP Java Instance.
63. Click “Import”.
64. Select and delete the default identity “ssl-credentials”.
65. Click “OK” to confirm the deletion.

66. Click “Save” to confirm the configuration.
67. A restart is required. Click “Restart Now”. (You can also select “Restart Later” if necessary, but your configuration will be completed only after the restart.)
68. Wait for the restart to finish; afterwards your SSL configuration will be ready.

3.4 SECURE LOGIN CLIENT CONFIGURATION

Step 1: Export the Root CA Certificate from the Secure Login Server
69. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).
70. Navigate to “Certificate Management”. Select “Root CA” and click “Export Entry”.
71. Choose the export format “X.509 Certificate”. The dialog box displays the file name, type, size, and the download link.
72. Choose the “Download” button and save the file in a location of your choice (for example in a folder on your Domain Controller). (Optional: Rename the file so that it indicates the origin of the root CA certificate.)

Step 2: Installing Root CA Certificates on a Windows Client

To ensure secure communication and a trust relationship, you should install the root CA certificates on the Windows
clients. There are three options for performing this step:

Option 1: Distribute the Secure Login Server root CA certificates on the Microsoft Domain Server:
73. Log on as an administrator to your Domain Controller and start a command prompt in Microsoft Windows.
74. Use the following command:
certutil -dsPublish -f <root_CA_file> RootCA
75. You will get as a result: “CertUtil: -dsPublish command completed successfully.”
76. Restart your client. (After a restart the group policies are updated. This pushes the certificates to the client. To do so, you can also use the command gpupdate /force.)

As an alternative to this installation (Option 1) you can also perform one of these two types of installation:
Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more details see:
DISTRIBUTE SECURE LOGIN SERVER ROOT CA CERTIFICATES USING MICROSOFT GROUP POLICIES
Option 3: Installing Root CA Certificates on a Windows Client. For more details see:
INSTALLING ROOT CA CERTIFICATES ON A WINDOWS CLIENT
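A client-side verification that covers both the SSL server certificate issued and imported in section 3.3 and the root CA distributed in this step; it is an example added for this page, not SAP's own code. It assumes the guide's sample host name and port, and a placeholder path for the root CA file exported in step 72.

```powershell
# Added example (not from the SAP guide): on a domain client, confirm that the
# AS Java presents the SLS-issued SSL certificate for the Enrollment URL host
# and that the chain ends at the distributed SLS root CA.
param(
    [string]$ServerFqdn = 'mo-1339aa6dc.mo.sap.corp',   # host from steps 45/49/50
    [int]$Port          = 443,                           # port from step 45
    [string]$RootCaFile = 'C:\temp\SLS_RootCA.cer'       # placeholder: file exported in step 72
)
$problems = @()

# Fetch the served certificate. The callback accepts anything here only so the
# handshake completes; trust is evaluated explicitly with X509Chain below.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($ServerFqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 1. Host name binding: SAN DNS Name (step 50) and CN (step 52) must equal the FQDN.
$sanExt  = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$fqdnRx  = [regex]::Escape($ServerFqdn)
if ($sanText -notmatch $fqdnRx)             { $problems += "SAN lacks $ServerFqdn (got '$sanText')" }
if ($served.Subject -notmatch "CN=$fqdnRx") { $problems += "CN is not $ServerFqdn (got '$($served.Subject)')" }
if ($served.NotAfter -lt (Get-Date))        { $problems += "certificate expired on $($served.NotAfter)" }

# 2. Trust anchor: the exported SLS root must be in LocalMachine\Root, which is
#    what certutil -dsPublish plus gpupdate (steps 74-76) deliver.
$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $inStore) { $problems += "SLS root $($root.Thumbprint) not in LocalMachine\Root; run gpupdate /force" }

# 3. Chain build from the served certificate through the SSL Sub CA to that root.
#    Revocation checking is outside the scope of this check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($served)) {
    $problems += "chain build failed: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
} else {
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($anchor.Thumbprint -ne $root.Thumbprint) { $problems += "chain ends at '$($anchor.Subject)', not the SLS root" }
}

if ($problems.Count -eq 0) { "OK: ${ServerFqdn}:$Port serves a valid SLS-issued certificate" }
else { $problems | ForEach-Object { "CHECK: $_" }; exit 1 }
```

A failure in check 1 means the Secure Login Client will not accept the Enrollment URL even though the chain is trusted; a failure in check 2 or 3 means the root CA has not reached this client yet.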

Step 3: Set up the Policy Update Interval

If there are any changes in the profiles, the most recent configuration is automatically updated in the Secure
Login Client after a defined time, the “Policy Update Interval”, which is configurable in minutes. The default value for the
Policy Update Interval is 0. You can change it, for example, to 480 minutes (8 hours); this setting will force
the profile to be refreshed (downloaded) on your Secure Login Clients at intervals of 8 hours.

77. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).

78. Navigate to the List of Profile Groups. Select the respective profile group and click “Edit” to change the details of the group.
79. Change the “Policy Update Interval (minutes)” value to the number of minutes you need (in our example 480 minutes).
80. Check the “IP Address/Host Name” field; it must contain the correct fully qualified name of the server (in our example mo-1339aa6dc.mo.sap.corp). Click “Save”.

Step 4: Download Profile Group Policy
81. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).

82. Navigate to Profile Management > User Profile Groups.
83. Select the Profile Group that you want to distribute to the Secure Login Clients. Click “Download Policy”.
84. Download the Registry File with the Policy URL that specifies the resource file, which includes the latest configuration of all client authentication profiles in the group (in our example ProfileDownloadPolicy_SecureLoginDefaultGroup.reg). Save the file in a location of your choice on the client machine.

Step 5: Import the Profile Group Policy on the Client Machine
85. Make sure that the registry file downloaded in the previous step is available on the client machine where Secure Login Client is installed.
86. Double-click the registry file.
87. Click “Yes” to the message in order to confirm the change on the computer.
88. Click “Yes” to confirm again and to add the policy to the registry.
89. Click “OK” to the confirmation message informing you that the *.reg file has been successfully imported into the registry.
Note: Alternatively, a companywide group policy can be used to deploy the profile groups.

Step 6: Restart the Secure Login Service
90. On the client machine navigate to “Computer Management” > “Services and Applications” > “Services”.
91. Search for “Secure Login Service”. Double-click this service to display the service properties.
92. Click “Stop” to stop the service.
93. Wait for Windows to stop the service.
94. Click “Start” to start the service again.

95. Wait for Windows to start the service.
96. Now when you open the Secure Login Client you will have the certificate issued by the Secure Login Server.
Note: Alternatively, a machine restart or workstation re-login may be needed to load the profile group.

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by
SAP SE and its distributors contain proprietary software components of other software vendors. National
product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without
representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined
in this document or any related presentation, or to develop or release any functionality mentioned therein. This
document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in
this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to
differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-
looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks
or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other
product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and
notices.
