TABLE OF CONTENTS
SCENARIO
IMPLEMENTATION STEPS
PREREQUISITES
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE
2. SECURE LOGIN SERVER INITIALIZATION
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER
3.1 CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER
3.4 SECURE LOGIN CLIENT CONFIGURATION
SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates
SCENARIO
Your company uses Secure Login Server to issue short-lived X.509 client certificates for authentication to
the SAP and non-SAP business systems across your landscape. Your company also uses Microsoft Active
Directory, and you now want to re-use Kerberos tokens, issued by the MS Domain Controller (KDC), for
Single Sign-On with Secure Login Server X.509 client certificates.
After implementing this scenario, your domain users will have to authenticate only once, using their Microsoft
Active Directory credentials, and they will be authenticated automatically to any SAP and non-SAP system that
requires short-lived X.509 client certificates and for which these users have been granted authorizations.
IMPLEMENTATION STEPS
PREREQUISITES
1. Your SAP Application Server JAVA is installed and configured with SSL running.
For more details on how to install SAP Application Server JAVA, see:
INSTALLATION & IMPLEMENTATION SAP NETWEAVER 7.5
For more details on how to configure SSL, see:
CONFIGURING THE USE OF SSL ON THE AS JAVA
2. Secure Login Server (SLS) is installed. For more details on how to install Secure Login Server, see:
SECURE LOGIN SERVER INSTALLATION
Note: Always refer to the PRODUCT AVAILABILITY MATRIX FOR SAP SSO 3.0 for more information about currently
supported components and platforms.
3. Secure Login Client (SLC) is installed on the user machine. For more details on how to install Secure Login Client,
see:
SECURE LOGIN CLIENT INSTALLATION
Explanation Screenshot
1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
Explanation Screenshot
Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory
19. Open the tool “Active Directory Users and Computers” on the Active Directory Server (ADS) and go to the “Users” branch.
As an alternative to this installation (Option 1), you can also perform one of these two types of installation:
Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more
details, see:
DISTRIBUTE SECURE LOGIN SERVER ROOT CA CERTIFICATES USING MICROSOFT GROUP POLICIES
Option 3: Installing Root CA Certificates on a Windows Client. For more details, see:
INSTALLING ROOT CA CERTIFICATES ON A WINDOWS CLIENT
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.